The Week that Was - 10/28/2013

Last week had a number of interesting developments.  Two of them involved the law, privacy, and security implications. First, the Third Circuit Court ruled that GPS tracking devices attached to vehicles require a probable cause warrant. [9]   I think this is an important ruling for privacy and the 4th Amendment.  I'm a proponent for keeping tabs on the bad guys, but I'm a bigger proponent of maintaining the rights and principles on which we founded the United States.  Unreasonable search and seizure is one of the reasons that the United States decided to declare its independence in the first place.  The fact that we would act in a cavalier manner towards our constitutional right to privacy should give us all pause.  We've developed incredible technology to monitor and investigate our population.  We can certainly develop technology to expedite the management of those investigations in a manner consistent with our Constitution.

Related to our responsibility to maintain and uphold our founding principles is this piece from Bruce Schneier.  [25]  He makes an astute observation that the government's ability to monitor its citizens is quickly beginning to merge with private companies' capability.  This is significant given the data stores that the likes of Google, Facebook, Twitter, and Amazon have amassed.  Given the impressive analytic capabilities developed in concert with their databases, there is a compelling argument that these private companies understand your activity and preferences better than you do.  That provides a powerful surveillance and investigation tool.  What are the checks and balances to manage this growing partnership?

Former Secretary of Homeland Security, Michael Chertoff, asserts that cybersecurity is the most significant threat we face presently.  [6]  He made this statement at the PCI Annual Meeting.  (Note: This particular PCI refers to the Property and Casualty Insurers Association of the Americas.)  As you might expect, he feels that the insurance industry can provide significant value to the American economy as a means to mitigate risk related to cybersecurity events.  Underwriting cybersecurity risks could be a good way to enforce a common set of standards.

There was another interesting article about Malwarebytes releasing its enterprise edition product.  [16]  They tout its zero-day protection.  I agree this is an important feature; however, we need to nail down known vulnerabilities first.  If our patching programs aren't keeping up, the bad guys don't need to bother with zero-day vulnerabilities.  They can use the old stuff that has been lying around since 2009.  Why spend $10,000 to $250,000 on a zero-day exploit if you can get a functioning old one for free that accomplishes the same result?  Hacking is a business.  Make yourself a cost-prohibitive resource.

In the vein of new product offerings, LinkedIn just released a new feature for its iPhone application.  [15]  This feature integrates with the Mail client to include contact information from your LinkedIn contacts.  The interesting thing is that Apple is very particular about its core applications like Mail.  Nobody touches these applications but Apple.  So how did LinkedIn get their information integrated into your Mail communications?  They used a man-in-the-middle attack.  Their application basically proxies your email before it sends it to its final destination.  What else are they doing with your email before it reaches the recipient?  Be careful out there, folks.

Finally, here is a bit of fun from Skully Helmets. [24]  Skully manufactures motorcycle helmets with Google Glass-like heads-up displays integrated.  It is a really cool application of technology and I can see it as a boon to motorcyclists.  The Bluetooth connectivity gives me some pause, but I suppose if you configure it correctly, it's just as safe as Bluetooth connectivity in your car.  The only problem I see is that distractions on a motorcycle seem more dangerous than distractions in a car.  Discuss.  Here's a video demo:

Link Dump

[1]  I. Winkler and S. Manke, “4 ways metrics can improve security awareness programs,” CSO, 23-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[2]  A. Schaub, “A Brief Rant Regarding Facebook Privacy,” SCHAUBA SEC, 21-Oct-2013.

[3]  A. Zeeberg, “A Computer Program That Hacks Language & Exposes US Secrets,” Nautilus, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[4]  B. Krebs, “Breach at PR Newswire Tied to Adobe Hack,” Krebs on Security, 16-Oct-2013. [Online]. Available: [Accessed: 21-Oct-2013].

[5]  J. Leyden, “Call yourself a ‘hacker’, lose your 4th Amendment right against seizures,” The Register, 23-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[6]  C. Hemenway, “Chertoff: Our Biggest Threat is Cyber Security; Insurance Industry Can ‘Play a Pivotal Role’,” PropertyCasualty360, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[7]  P. Muncaster, “Chinese hotel guests find data spaffed all over the internet,” The Register, 22-Oct-2013. [Online]. Available: [Accessed: 22-Oct-2013].

[8]  “CISOs’ Role Becoming More Strategic, But there Are Growing Pains,” Infosecurity, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[9]  K. Zetter, “Court Rules Probable-Cause Warrant Required for GPS Trackers,” Threat Level, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[10]  J. Leyden, “D-Link hole-prober finds ‘backdoor’ in Chinese wireless routers,” The Register, 22-Oct-2013. [Online]. Available: [Accessed: 22-Oct-2013].

[11]  “Facebook data mining tool uncovers your life,” Help Net Security, 21-Oct-2013. [Online]. Available: [Accessed: 21-Oct-2013].

[12]  D. duChemin, “Follow Your Passion?,” David duChemin, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[13]  “How to social engineer a social network,” Help Net Security, 22-Oct-2013. [Online]. Available: [Accessed: 22-Oct-2013].

[14]  “‘Likely service disruption’ strikes Facebook,” 21-Oct-2013. [Online]. Available: [Accessed: 21-Oct-2013].

[15]  M. Mimoso, “LinkedIn Intro App Equivalent to Man in the Middle Attack, Experts Say,” Threatpost, 24-Oct-2013. [Online]. Available: [Accessed: 25-Oct-2013].

[16]  “Malwarebytes Growth Validates Need For Zero-Day Protection,” Dark Reading, 23-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[17]  “Most young adults not interested in a cybersecurity career,” Help Net Security, 24-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[18]  B. Donohue, “NIST Publishes Cybersecurity Framework Draft, Seeks Public Comment,” Threatpost, 23-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[19]  I. Thomson, “NSA-friendly cyber-slurp law CISPA back on the table with new Senate bill,” The Register, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[20]  D. duChemin, “On Authenticity, Again.,” David duChemin, 18-Oct-2013. [Online]. Available: [Accessed: 21-Oct-2013].

[21]  B. Donohue, “Report: UN Nuclear Regulator Infected with Malware,” Threatpost, 23-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[22]  J. Leyden, “Scared yet, web devs? Google smears malware warnings over,” The Register, 24-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].

[23]  B. Schneier, “Schneier on Security: Defending Against Crypto Backdoors,” Schneier on Security, 22-Oct-2013. [Online]. Available: [Accessed: 22-Oct-2013].

[24]  D. Lowney, “Skully reveals Google Glass-like motorcycle helmet [w/video],” Autoblog, 23-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[25]  B. Schneier, “The Trajectories of Government and Corporate Surveillance,” Schneier on Security, 21-Oct-2013. [Online]. Available: [Accessed: 21-Oct-2013].

[26]  S. Sharwood, “US Veep’s wireless heart implant disabled to stop TERRORIST HACKERS,” The Register, 21-Oct-2013. [Online]. Available: [Accessed: 21-Oct-2013].

[27]  E. Chickowski, “Visualizing Security Analytics That Don’t Stink,” Dark Reading, 22-Oct-2013. [Online]. Available: [Accessed: 23-Oct-2013].

[28]  S. A. Mathieson, “Why Bletchley Park could never happen today,” The Register, 25-Oct-2013. [Online]. Available: [Accessed: 25-Oct-2013].

[29]  “Young employees don’t care about corporate policies,” Help Net Security, 24-Oct-2013. [Online]. Available: [Accessed: 24-Oct-2013].