The Week That Was - 11/19/2012

Responsible adulthood sucks.  I've been up to my eyeballs in personal and professional work and the blog had to take a back seat.  I finally got it pushed up the priority list.  Here are the items I was able to come up with last week.  The side-channel attacks on virtual systems are interesting.  [2], [7], [13]  They seem to be a low-probability threat event and are probably not yet of concern to most organizations.  However, anyone with serious intellectual property that would justify the effort to exploit this software weakness should think about the implications.

Another interesting development is the Whonix platform.  [3], [16]  This is an operating system that routes all Internet-using applications through Tor.  I'll be curious to see how this develops and is ultimately used.  I wonder if any malcode authors will reuse the platform for their purposes.

The Ponemon Institute is at it again and this time they are partnering with the Edelman group.  [4], [12]  Billed as a risk assessment tool, I think it is more of a peer benchmarking tool.  However, as an information risk professional, you need to know this tool is out there.  It is very executive friendly complete with colorful and blinky graphics.  Take a look at it, understand it, and be ready to discuss how your organization can use it properly if someone else brings it up and you can't make it go away.

WordPress is set to accept online transactions via Bitcoin.  [17]  The notable bit is that they have decided to opt out of the need for the buyer to confirm a transaction.  That seems like it just begs for abuse.  I'll be curious to see how this pans out.

Finally, we have porn of the involuntary and make-believe kind.  Yet again, we're reminded of why it's usually a bad idea to take pictures of your naked self.  [9]  We're also reminded that creating anything resembling child pornography is a Bad Idea of Epic Proportions™.  It doesn't matter if you are an attorney or not.  [11]


Link Dump

[1] J. Leyden, “Adobe Connect breach pops lid off ‘Letmein’ logins of gov, army types,” The Register, 16-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].

[2] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Cross-VM side channels and their use to extract private keys,” 2012, p. 305.

[3] J. Leyden, “Devs cook up ‘leakproof’ all-Tor untrackable platform,” The Register, 13-Nov-2012. [Online]. Available: [Accessed: 15-Nov-2012].

[4] E. Chickowski, “Free Risk Indexing Tool Offers Start For Assessments,” Dark Reading, 16-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].

[5] K. Zetter, “Gmail Location Data Led FBI to Uncover Top Spy’s Affair,” Threat Level, 12-Nov-2012. [Online]. Available: [Accessed: 12-Nov-2012].

[6] C. Brook, “Google Sheds Light on New Android App Scanner,” ThreatPost, 15-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].

[7] J. Aron, “How Crypto Keys Can Be Stolen Across the Cloud,” Gizmodo. [Online]. Available: [Accessed: 16-Nov-2012].

[8] B. Donohue, “How-To Video: Facebook Privacy,” ThreatPost, 13-Nov-2012. [Online]. Available: [Accessed: 15-Nov-2012].

[9] T. B. Lee, “‘Involuntary porn’ site tests the boundaries of legal extortion,” Ars Technica. [Online]. Available: [Accessed: 15-Nov-2012].

[10] D. Kerr, “Obama reportedly signs secretive cybersecurity policy directive,” CNET, 14-Nov-2012. [Online]. Available: [Accessed: 15-Nov-2012].

[11] C. Farivar, “Ohio attorney creates fake child porn for case, now must pay $300,000,” Ars Technica, 09-Nov-2012. [Online]. Available: [Accessed: 12-Nov-2012].

[12] “Privacy risks,” Edelman. [Online]. Available: [Accessed: 16-Nov-2012].

[13] B. Schneier, “Stealing VM Keys from the Hardware Cache,” Schneier on Security, 16-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].

[14] A. Shostack, “The ‘Human Action’ argument is not even wrong,” The New School of Information Security, 15-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].

[15] D. Goodin, “Virtual machine used to steal crypto keys from other VM on same server,” Ars Technica, 06-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].

[16] “Whonix,” Sourceforge. [Online]. Available: [Accessed: 15-Nov-2012].

[17] S. Sharwood, “Wordpress to accept Bitcoin without confirmations,” The Register, 16-Nov-2012. [Online]. Available: [Accessed: 16-Nov-2012].