The Week That Was - 3/10/2013

I am back. Here are the items that caught my eye last week, with a few highlights. In a victory for the 4th Amendment, the U.S. 9th District Court ruled that willy-nilly searching of travelers' bags at border crossings is unconstitutional. What is constitutional is conducting those searches with probable cause. [3], [28] In this case the same court ruled that if you have a record of sex offenses and have password-protected files on your laptop, the authorities have probable cause to search the laptop. In this case the search was warranted, and the authorities found child pornography on the laptop. Another interesting note is that they found the kiddie porn not by forcing the owner to disclose the password or by brute-forcing it: they checked the slack space on the disk for the pictures. Slack will get you every time.
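A toy model of the file-slack effect mentioned above, added here as an example that is not part of the original post; the ToyDisk class, its 64-byte cluster size and the sample file contents are constructed for illustration, not taken from the case.

```python
# Toy model of file slack on a cluster-based filesystem. Constants and data
# are constructed for illustration; CLUSTER is tiny (real clusters are 4 KiB+).
CLUSTER = 64


class ToyDisk:
    """A disk image that, like real filesystems, writes only a file's own
    bytes and never scrubs the unused tail of the file's last cluster."""

    def __init__(self, n_clusters):
        self.image = bytearray(n_clusters * CLUSTER)
        self.files = {}  # name -> (first_cluster, size_in_bytes)

    def write(self, name, data, first_cluster):
        start = first_cluster * CLUSTER
        self.image[start:start + len(data)] = data  # tail of last cluster untouched
        self.files[name] = (first_cluster, len(data))

    def delete(self, name):
        del self.files[name]  # unlink drops the metadata; the data stays on disk

    def slack(self, name):
        """Bytes between a file's logical end and the end of its last cluster."""
        first, size = self.files[name]
        end = first * CLUSTER + size
        return bytes(self.image[end:end + slack_size(size)])

    def search_slack(self, needle):
        """Forensic check: which live files carry `needle` in their slack."""
        return sorted(n for n in self.files if needle in self.slack(n))


def slack_size(file_size, cluster=CLUSTER):
    """Unused bytes in the last cluster of a file of `file_size` bytes."""
    return (-file_size) % cluster


OLD = (b"OLD-PICTURE-BYTES-" * 10)[:150]   # constructed: the "deleted" picture
NEW = b"N" * 70                             # constructed: a smaller file written later


def demo():
    disk = ToyDisk(8)
    disk.write("picture.jpg", OLD, first_cluster=0)   # occupies clusters 0-2
    disk.delete("picture.jpg")                        # gone from the directory
    disk.write("notes.txt", NEW, first_cluster=0)     # reuses clusters 0-1
    return disk


if __name__ == "__main__":
    d = demo()
    print(slack_size(len(NEW)), d.slack("notes.txt"), d.search_slack(b"OLD-PICTURE"))
```

The 58 slack bytes of notes.txt are bytes 70 to 127 of the deleted picture, which is exactly the kind of residue an examiner carves without ever touching the owner's password.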

Mike Rothman over at Securosis had an interesting piece on becoming CISO that is worth a read. [5] He also links to a Tripwire video from RSA 2013 asking people what they'd do as CISO. I'm really curious whether Tripwire cherry-picked these folks or whether they were representative of the opinions it received. [29] The video currently appears to be unavailable; it's worth checking back later to see whether it's been restored.

We'll wind up with Alex Hutton's widely quoted sound bite, "Governance without metrics is just dogma." [12] Nothing like an inflammatory statement to get some attention, but it's good attention. We need to grow up as a profession, and objectively measuring our performance is an important part of the maturation process. I attended the session where he uttered this sound bite, and it fit perfectly. Measuring security is not impossible. As a wise man told me, "You have more data than you expect and you need less data than you think."


Link Dump

[1]  S. Few, “A Pie in the Face for Information Visualization Research,” Visual Business Intelligence, 05-Feb-2012. [Online]. Available: [Accessed: 14-Feb-2013].

[2]  E. Chickowski, “An Auditor’s Thoughts On Access Control,” Dark Reading, 07-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[3]  J. Mullin, “Appeals court raises standard for laptop searches at US border,” Ars Technica, 08-Mar-2012. [Online]. Available: [Accessed: 13-Mar-2013].

[4]  D. Fisher, “At Pwn2Own, Browser Exploits Getting Harder, More Expensive to Find,” ThreatPost, 06-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[5]  M. Rothman, “Be Careful What You Wish for…Now You’re CISO,” Securosis, 04-Mar-2013. [Online]. Available: [Accessed: 05-Mar-2013].

[6]  S. Sposito, “Burger King Hack Justifies Banks Twitter Caution,” American Banker, 04-Mar-2013. [Online]. Available: [Accessed: 05-Mar-2013].

[7]  R. Lemos, “Cybercriminals Predicted To Expand Use Of Browser Proxies,” Dark Reading, 06-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[8]  L. Constantin, “Deutsche Telekom unveils real-time map of global cyberattacks,” InfoWorld, 07-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[9]  D. Slater and M. Brandel, “ERM: The basics,” CSO Online, 01-Mar-2013. [Online]. Available: [Accessed: 04-Mar-2013].

[10]  N. Mattise, “Evernote resets user passwords after being hit by ‘coordinated’ hack,” Ars Technica, 02-Mar-2013. [Online]. Available: [Accessed: 04-Mar-2013].

[11]  “Global Information Security Workforce Study,” (ISC)2, Feb-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[12]  E. Chickowski, “Governance Without Metrics Is Just Dogma,” Dark Reading, 05-Mar-2013. [Online]. Available: [Accessed: 05-Mar-2013].

[13]  “Hidden data trick could be malware writer’s boon,” The Frontline, 08-Mar-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[14]  D. Fisher, “How Facebook Prepared to Be Hacked,” ThreatPost, 08-Mar-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[15]  D. Johnson, “How Insurers Can Improve Wildfire Risk Evaluations,” Claims Journal, 04-Mar-2013. [Online]. Available: [Accessed: 05-Mar-2013].

[16]  B. Schneier, “How the FBI Intercepts Cell Phone Data,” Schneier on Security, 07-Mar-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[17]  K. Fisher, “Majority of doctors opposed to full access to your own electronic records,” Ars Technica, 09-Mar-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[18]  J. Leyden, “Malware devs offer $100 a pop for ‘active’ Google Play accounts,” The Register, 08-Mar-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[19]  J. Leyden, “Malware-flingers can pwn your mobile with OVER-THE-AIR updates,” The Register, 07-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[20]  D. Engberg, “Security Notice: Service-wide Password Reset,” Evernote Tech Blog, 02-Mar-2013. [Online]. Available: [Accessed: 05-Mar-2013].

[21]  “Security training an urgent priority in $100bn battle against hackers.” [Online]. Available: [Accessed: 07-Mar-2013].

[22]  J. H. Sawyer, “Sharpening Endpoint Security,” Dark Reading, 04-Mar-2013. [Online]. Available: [Accessed: 04-Mar-2013].

[23]  “,” Deutsche Telekom, 07-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[24]  M. Suby, “The 2013 (ISC)2 Global Information Security Workforce Study.” (ISC)2, 2013.

[25]  J. Grossman, “The Web Won’t Be Safe or Secure until We Break It,” ACM Queue, 06-Nov-2012. [Online]. Available: [Accessed: 07-Mar-2013].

[26]  M. Mimoso, “Twitter OAuth API Keys Leaked,” ThreatPost, 07-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].

[27]  C. Brook, “Two Texas Bills Could Shape Mobile Privacy,” ThreatPost, 08-Mar-2013. [Online]. Available: [Accessed: 13-Mar-2013].

[28]  M. M. McKeown, “United States of America v. Howard Wesley Cotterman,” United States Courts for the Ninth Circuit, 08-Mar-2013. [Online]. Available:

[29]  “What Would You Do If You Became CISO?,” 27-Feb-2013. [Online]. Available: [Accessed: 05-Mar-2013].

[30]  “World’s first automatic protocol selection technology for any environment,” 07-Mar-2013. [Online]. Available: [Accessed: 07-Mar-2013].