The Week That Was - 10/18/2013

I'm getting back in the saddle this week.  Sorry for the long break. I have a bit of a mix this week.  Some are security-related and others aren't, but they are still worth looking at.  Here are some items of note:

There is big news from Oracle. They have issued a Patch-a-lanche™ for Java.  [8]  This update contains 127 patches and 50 of those are remotely exploitable.  Wow.  The good news is that we at least have a fix for them.  Get those updates out there as soon as you can and be sure to send a little pizza and coffee to the QA Department to say thanks for the late nights spent regression testing all the critical apps.

Apple's iCloud protocols seem to have been compromised.  [1]  The compromise doesn't surprise me as there is significant economic incentive to do so. The guys at Elcomsoft who achieved the crack are legit researchers driving a respectable business.  That's one economic driver.  I'm sure there are other, less legit organizations out there working on the same thing to use for black market purposes, which is the other economic driver. The takeaway is that vendor-supplied encryption for Cloud services constitutes table stakes.  Vendors just need it to compete.  However, there are many highly motivated entities out there working to crack the encryption and other protection schemes.  The bad guys will succeed eventually.  We as consumers need to take matters into our own hands and make sure that we have protected our data appropriately before flinging it into the Cloud.

Hackers breached Adobe's networks pretty thoroughly.  [5]  Not only did they access customer data but also source code to some of its most popular applications.  I doubt the compromised source code will result in an avalanche of new vulnerabilities flooding the market.  However, I have no doubt that analysis of the code will yield a number of new and interesting vulnerabilities.  Just remember, sharing those new goodies widely is just not good business.  Whoever executed the breach would be best served to find the new vulnerabilities, keep the good ones for themselves, and sell the rest discreetly to interested parties.  That's how the bad guys make money off a breach like this.

Is nothing sacred?  [3]  TrueCrypt has been a go-to tool for securing data in one-off situations.  There is a lot of trust in the tool, but that trust is now questioned.  I know the golden rule of cryptography is Never Write Your Own Crypto, but we might have to revisit that rule in certain circumstances.  It might make sense to roll your own if we continue to suspect NSA backdoors at every turn.  I'm not saying that it's cheap or easy, but for your high-value data, it might be worth having an in-house cryptographer to cook up some custom algorithms.  Feel free to discuss in the comments.

Tech-savvy pirates have a new weapon in their arsenal.  [4]  Researchers can compromise the Automated Identification System (AIS), which is responsible for exchanging position data with other vessels.  I see how this could be really handy if you had a promising career as a high seas pirate.  At the very least, this weakness could compound the already intense confusion of a pirate attack.  At worst, I could see it causing a navigational error that results in physical damage to the ship.  The vendor response has been less than confidence inspiring.  Be careful out there, folks.

Link Dump

[1] “Apple’s iCloud protocols cracked and analyzed,” Help Net Security, 17-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[2] S. Tappin, “Can Angela and Tim Create Apple 3.0 -- Or Not?,” 15-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[3] J. Leyden, “Can you trust ‘NSA-proof’ TrueCrypt? Cough up some dough and find out,” The Register, 15-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[4] “Digital ship pirates: Researchers crack vessel tracking system,” Help Net Security, 16-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[5] K. Jackson-Higgins, “Hacking The Adobe Breach,” Dark Reading, 07-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[6] “Infosecurity - EU’s Data Protection One-Stop-Shop Inches Forward,” 08-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[7] “Most pirated flicks are those Hollywood will not sell,” 17-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[8] M. Mimoso, “Oracle Quarterly Update Includes Patches for 50 Remotely Executable Java Bugs,” 16-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[9] Kerr, “Samsung Galaxy Round brings curve to smartphones,” 08-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[10] B. Schneier, “Schneier on Security: How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID,” Schneier on Security, 07-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[11] A. McDuffee, “Special Ops Uniform Will Transform Commandos Into an Iron Man Army,” Danger Room, 11-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].

[12] H. G. Buffet, “Warren Buffet’s Warning: Don’t Lose the Game by Trying to Bat a Thousand,” 15-Oct-2013. [Online]. Available: [Accessed: 17-Oct-2013].