The Week That Was - 2013-03-19

We have some good ones this week.  Andrew Hay and Ray Umerley have some interesting points about bringing up the next generation of information security professionals.  [2], [9]  As a profession we tend to focus on the technical aspect of the problem and encourage folks to specialize in one particular area.  We tend not to value the human aspect of our job as much as the technical.  This also leads us to see the information security profession as a function independent of business operations.  There are certainly exceptions, but generally speaking it holds true.  These two authors suggest we need to expand our awareness as information security professionals to understand our role in the business, develop the skills and knowledge needed to operate as a successful business unit, and teach the next generation of security professionals to do the same.  I tend to agree.

Next up we have a trojanized Adobe Photoshop "beautify" action.  [18]  This isn't what you think.  Dove, the skin and hair care company, has a corporate social vision.  Here is what they have to say on their web site:

Dove® is committed to building positive self-esteem and inspiring all women and girls to reach their full potential—but we need your help.

As a part of achieving this mission they distributed a Photoshop action purporting to add a healthy glow to photographic subjects.  In fact, the action undoes all the retouching work an editor does to enhance the appearance of the subject, reverting the image to its un-retouched state.  Then it informs the editor that he or she is contributing to the distorted view of the ideal female body shape.  Nothing like a little corporate-sponsored hacktivism.

And this one is really interesting.  Genesco, Inc. is suing Visa.  [5], [6], [15]  Genesco feels the roughly $13 million in PCI noncompliance penalties Visa levied against it after its breach are unfair and scam-like.  I've always felt the PCI compliance routine was a little suspect myself and figured it would only be a matter of time before it wound up in court.  Well, I guess we'll get to see how this falls out.  I'm glad to see someone challenging Visa's PCI enforcement practices in court.

Security journalist Brian Krebs got SWATted.  [17]  I didn't even know what SWATting was until I read this article: someone spoofs an emergency call so that armed police are dispatched to the victim's home.  Nothing like looking down the barrel of a loaded gun to liven up your day.  Fortunately, Mr. Krebs was OK and no one was harmed.

Finally, it looks like hacker angst is an intercultural phenomenon.  [3], [11]  Chinese hackers, it seems, are just as disillusioned as their American counterparts.

That's all for this week.


Link Dump

[1]  L. Spitzner, “5 myths about awareness,” CSO, 11-Feb-2013. [Online]. Available: [Accessed: 18-Mar-2013].

[2]  A. Hay, “Andrew Dreams of Security,” Andrew Hay | the man, the myth, the blog, 04-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[3]  B. Demick, “China hacker’s angst opens a window onto cyber-espionage,” Los Angeles Times, 12-Mar-2013. [Online]. Available: [Accessed: 15-Mar-2013].

[4]  S. Few, “Data Held Hostage,” Visual Business Intelligence, 16-Mar-2013. [Online]. Available: [Accessed: 18-Mar-2013].

[5]  Genesco Inc. v. Visa U.S.A., Inc.; Visa Inc.; and Visa International Service Association (complaint, filed Mar. 2013).

[6]  T. Wilson, “Genesco Sues Visa Over $13 Million In PCI Noncompliance Penalties,” Dark Reading, 14-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[7]  M. Cobb, “Heading Off Advanced Social Engineering Attacks,” Dark Reading, 18-Mar-2013. [Online]. Available: [Accessed: 18-Mar-2013].

[8]  R. Thomas, M. Antkiewicz, P. Florer, S. Widup, and M. Woodyard, “How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches,” Social Science Research Network, Rochester, NY, SSRN Scholarly Paper ID 2233075, Mar. 2013.

[9]  R. Umerley, “It Starts with Us,” SecJitsu: The Art of Security, 14-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[10]  “Lessons in Design and Strategy from China’s First Emperor,” Brain Pickings. [Online]. Available: [Accessed: 15-Mar-2013].

[11]  M. Memmott, “Life Of A Chinese Hacker: Work Is Awful, Pay Is Lousy, Boss Doesn’t Understand,” NPR, 13-Mar-2013. [Online]. Available: [Accessed: 15-Mar-2013].

[12]  B. Schneier, “Nationalism on the Internet,” Schneier on Security, 14-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[13]  R. Thomas, “New paper: ‘How Bad Is It? — A Branching Activity Model for Breach Impact Estimation’,” The New School of Information Security, 17-Mar-2013. [Online]. Available: [Accessed: 18-Mar-2013].

[14]  B. Schneier, “Our Security Models Will Never Work — No Matter What We Do,” Wired Opinion, 14-Mar-2013. [Online]. Available: [Accessed: 15-Mar-2013].

[15]  K. Zetter, “Retailer Sues Visa Over $13 Million ‘Fine’ for Being Hacked,” Threat Level, 12-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[16]  K. Zetter, “Spy Agencies to Get Access to U.S. Bank Transactions Database,” Threat Level, 13-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[17]  B. Krebs, “The World Has No Room For Cowards,” Krebs on Security, 13-Mar-2013. [Online]. Available: [Accessed: 18-Mar-2013].

[18]  C. Jarvis, “Trojan Horse Hidden ‘Beautify’ Photoshop Action Reverts Women’s Bodies to Un-retouched State,” Chase Jarvis Blog, 07-Mar-2013. [Online]. Available: [Accessed: 15-Mar-2013].

[19]  J. Clark, “US national vulnerability database hacked,” The Register, 14-Mar-2013. [Online]. Available: [Accessed: 14-Mar-2013].

[20]  L. Seltzer, “You’ve Been Hacked, But For How Long?,” Dark Reading, 14-Mar-2013. [Online]. Available: [Accessed: 15-Mar-2013].