The Week That Was - 9/17/2012

We've got a bumper crop this week.  There are the obligatory links to the GoDaddy affair.  I get the distinct feeling that the GoDaddy event was not nearly as sensational as the security community would have liked.  Still it's a sad commentary when your best PR move was to claim self-inflicted gunshot wound to the foot.   [11], [12] It looks like the fine folks who brought us the BEAST attack have now given us CRIME.  Juliano Rizzo and Thai Duong have developed yet another attack against SSL.  This one is a side channel attack focusing on compression ratios.  Does this make anyone else feel nervous about the protocol holding the global e-commerce system together?  [4], [5]

There is an interesting article about BMW being sued for a weakness in their technology for creating ignition keys.  Car thieves figured this one out and started stamping out their own keys.  This is a new twist on an old problem. I'm just not sure if the problem is copying hard keys or copying mag stripe data.  [3]

I'll wrap it up with some mobile device articles.  It looks like Apple's cryptosystem for iOS devices have crossed a threshold.  Is iOS good enough for enterprise security now?  [2]  Also, there is research suggesting around half of Android devices contain known software weaknesses.  [19]   That in turn drive the growing underground economy for installing applications on mobile devices.  [17]

As always, I'd love to hear from you in the comments!

Link Dump

A. Savvas, “20% of IT staff admit to accessing unauthorised executive data,” Computer World, 12-Sep-2012. [Online]. Available: [Accessed: 12-Sep-2012].
“Apple phones are AES-tough, says forensics expert,” [Online]. Available: [Accessed: 13-Sep-2012].
B. Yirka, “BMW forced to respond to BBC report showing its cars at easy risk of being stolen,”, 14-Sep-2012. [Online]. Available: [Accessed: 14-Sep-2012].
D. Fisher, “CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions,” ThreatPost, 13-Sep-2012. [Online]. Available: [Accessed: 13-Sep-2012].
CRIME vs startups. 2012.
“Developing a Capability Framework for a Healthy and Resilient Cyber Ecosystem Using Automated Collective Action.” U.S. Department of Homeland Security, National Protection and Programs Directorate in conjunction with U.S. Department of Commerce, National Institute of Standards and Technology, 10-Sep-2012.
G. Keizer, “Elite hacker gang has unlimited supply of zero-day bugs,” Computer World, 07-Sep-2012. [Online]. Available: [Accessed: 10-Sep-2012].
P. Reitinger, “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action.” Department of Homeland Security, 23-Mar-2011.
T. B. Lee, “FCC defends its ‘trojan horse’ approach to net neutrality,” Ars Technica, 13-Sep-2012. [Online]. Available: [Accessed: 13-Sep-2012].
A. Sternstein, “Get ready for computers worldwide to automatically smother cyber strikes -,” NextGov, 10-Sep-2012. [Online]. Available: [Accessed: 11-Sep-2012].
D. Goodin, “GoDaddy outage makes websites unavailable for many Internet users (Updated),” Ars Technica, 10-Sep-2012. [Online]. Available: [Accessed: 11-Sep-2012].
J. Dohnert, “GoDaddy outage not caused by hackers,”, 11-Sep-2012. [Online]. Available: [Accessed: 12-Sep-2012].
M. Mimoso, “Google Adds Online Malware Scanner VirusTotal To Security Lineup,” ThreatPost, 07-Sep-2012. [Online]. Available: [Accessed: 11-Sep-2012].
L. Constantin, “Leaked Apple UDIDs were stolen from digital publishing firm,” Computer World, 10-Sep-2012. [Online]. Available: [Accessed: 11-Sep-2012].
Sendatsu, “Looking inside your screenshots,” OwnedCore - World of Warcraft Exploits, Hacks, Bots and Guides. 16-Dec-2012.
A. Sternstein, “Pact sends highly sensitive spy agency data to the cloud,” NextGov, 12-Sep-2012. [Online]. Available: [Accessed: 13-Sep-2012].
D. Walker, “Pay-per-install pays big bucks in the mobile world,” SC Magazine US, 12-Sep-2012. [Online]. Available: [Accessed: 13-Sep-2012].
J. Baker, “Permanent cybersecurity team established for EU institutions,” Computerworld, 12-Sep-2012. [Online]. Available: [Accessed: 13-Sep-2012].
D. Fisher, “Research Shows Half of All Androids Contain Known Vulnerabilities,” ThreatPost, 13-Sep-2012. [Online]. Available: [Accessed: 14-Sep-2012].
T. Wilson, “Security Skills Shortage Creates Opportunities For Enterprises, Professionals,” Dark Reading, 11-Sep-2012. [Online]. Available: [Accessed: 12-Sep-2012].
N. Silver, “Sept. 9: Call It as You See It,” FiveThirtyEight. 10-Sep-2012.
G. O’Gorman and G. McDonald, “The Elderwood Project.” Symantec, 2012.
Symantec Security Response, “The Elderwood Project,” Symantec Connect Community. 07-Sep-2012.
D. Zaruk, “The inherent negativity of risk,” The Risk-Monger, 11-Sep-2012. [Online]. Available: [Accessed: 11-Sep-2012].
C. Brook, “University of Miami Hospital Confirms Second Patient Info Breach This Year,” ThreatPost, 12-Sep-2012. [Online]. Available: [Accessed: 13-Sep-2012].
G. Peterson, “What Identity And Access Management Can Learn From Car Talk,” Dark Reading, 10-Sep-2012. [Online]. Available: [Accessed: 11-Sep-2012].