The Week That Was - 2013-11-05

I'll get this regular publication thing down yet.  I'm shooting for every Friday.  One of you data nerds out there find a good over/under number for the days past Friday I post a Week That Was article. Now for the content.

Last week I talked about the fact that LinkedIn’s new application called “Intro” included its content in Apple’s Mail application via a man-in-the-middle (MITM) attack. This article [4] does a great job of explaining the detail behind this new feature. Keep your eyes on the warning messages Google throws at you. They really work to let you know when strange behavior is afoot that warrants caution.

Bruce Schneier has an interesting piece entitled The Battle for Power on the Internet.  [11]  I found it very thought-provoking.  The Internet entered the scene as a disruptive force for public communication and commerce just about 20 years ago.  It is now settling into its role in society, and there are two major groups in this contest: The Quick and The Strong.  The Quick are the small activist groups that are the new disruptors.  The Strong are the government and corporate entities that have harnessed and institutionalized the Internet for marketing and surveillance objectives¹. Security, risk, and data professionals are the soldiers in this fight. What does that mean for us?  What side are we on?  Did we choose that side or did it choose us?  Do we care?  Should we be principle-driven soldiers or mercenaries?  Some really interesting existential questions in this article.  It's a long read but worth it.

This next issue will be a significant tipping point in the battle between the Quick and the Strong.  The United States is still trying to determine if forcing a suspect to disclose his or her password is a violation of the 5th Amendment.  [5]  This is huge.  Encryption is incredibly important for both sides, and the ability to compel someone to decrypt their secure data is a huge boon for the Strong side of the equation.  The question at the core of the matter is whether a password is more analogous to a physical key or to a piece of incriminating knowledge.  That is a tough question with far-reaching repercussions.  I guess that is why the Supreme Court Justices get paid the big bucks.  And, as a side note, biometric authentication is considered a physical key, and the court can compel you to open data systems locked via biometrics.  Think about that when you buy a new iPhone.

However, the Quick side of the equation is not encumbered with the restrictions of the U.S. Constitution or any other laws, for that matter.  They are free to use social engineering techniques freely and with remarkable success.  They have ways of making you talk, and you might not even know you're talking.  This point is illustrated in The DEF CON 21 Social-Engineer Capture the Flag Report, brought to us by the fine folks at [17].  There are some really interesting and troubling results described in this report.  Defending against social engineering is a tough one because you rely on people for your defense.  This is like relying on your database to protect itself from compromise.  This one is worth a read.

The last item today is a tool you can use in your organizations.  It's a video from Akamai CEO Andy Ellis explaining a Zero Day vulnerability.  [19]  I think it could be useful in user awareness training or as a clarifying tool for business executives who need a quick explanation to review at their convenience.  I hope you find a good use for it.

¹ Side Note: I'm not convinced there is a huge difference between marketing and surveillance.  That's probably a post all by itself.

Link Dump

[1]  L. Vaas, “‘You can’t have your privacy violated if you don’t know your privacy is violated’,” Naked Security, 31-Oct-2013. [Online]. Available: [Accessed: 31-Oct-2013].

[2]  A. Brading, “Adobe breach THIRTEEN times worse than thought, 38 million users affected,” Naked Security, 30-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[3]  “Agents of Change: Women in the Information Security Profession.” (ISC)2, Oct-2013.

[4]  T. Hunt, “Disassembling the privacy implications of LinkedIn Intro,” Troy Hunt, 31-Oct-2013. [Online]. Available: [Accessed: 31-Oct-2013].

[5]  M. Mimoso, “EFF Makes Case That Fifth Amendment Protects Against Compelled Decryption,” Threatpost, 31-Oct-2013. [Online]. Available: [Accessed: 01-Nov-2013].

[6]  P. Ducklin, “Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems,” Naked Security. [Online]. Available: [Accessed: 30-Oct-2013].

[7]  “FoxOne Free OSINT Tool - Server Reconnaissance Scanner,” Darknet - The Darkside, 30-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[8]  “Hidden spots: Michigan’s best-kept secrets of trout streams and fishing holes,” [Online]. Available: [Accessed: 29-Oct-2013].

[9]  P. Ducklin, “Please don’t spread the Facebook ‘giraffe picture’ hoax!,” Naked Security, 30-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[10]  B. Schneier, “Schneier on Security: NSA Eavesdropping on Google and Yahoo Networks,” Schneier on Security, 31-Oct-2013. [Online]. Available: [Accessed: 01-Nov-2013].

[11]  B. Schneier, “Schneier on Security: The Battle for Power on the Internet,” Schneier on Security, 30-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[12]  K. Jackson-Higgins, “Social Engineers Pwn The ‘Human Network’ In Major Firms,” Dark Reading, 30-Oct-2013. [Online]. Available: [Accessed: 31-Oct-2013].

[13]  “Thanks to a False Sense of Security, Small Businesses Are Skipping Cyber-Protection,” Infosecurity, 01-Nov-2013. [Online]. Available: [Accessed: 01-Nov-2013].

[14]  P. Ducklin, “The ‘BadBIOS’ virus that jumps airgaps and takes over your firmware – what’s the story?,” Naked Security, 01-Nov-2013. [Online]. Available: [Accessed: 01-Nov-2013].

[15]  B. Kasanoff, “The Best ‘Positioning’ Statement Ever,” LinkedIn, 30-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[16]  R. Barnes, “The Conditional Complexity of Risk Models,” The State of Security, 29-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[17]  M. Fincher and C. Hadnagy, “The DEF CON 21 Social-Engineer Capture the Flag Report,” Oct-2013.

[18]  B. Brenner, “Video: What’s a Zero-Day Vulnerability? - The Akamai Blog,” The Akamai Blog, 30-Oct-2013. [Online]. Available: [Accessed: 30-Oct-2013].

[19]  “What is a Zero Day Vulnerability with Akamai Chief Security Officer Andy Ellis,” YouTube. [Online]. Available: [Accessed: 30-Oct-2013].

[20]  D. Melancon, “Whose Responsibility is CEO ‘Tech Literacy?’,” The State of Security, 30-Oct-2013. [Online]. Available: [Accessed: 31-Oct-2013].

[21]  “Women crucial for taking INFOSEC industry to next level.” [Online]. Available: [Accessed: 30-Oct-2013].