The Week That Was - 2013.11.15

This week we have a wide spectrum of topics.  Facebook subtly calls out Adobe.  We discuss the nuance of malicious code on the International Space Station (ISS), which includes our first ever Bonus Link at no additional cost!  We briefly mention some newly published research papers and take a trip in the Way Back Machine to World War II.  And, for those of you who are so inclined, there is a neat data visualization of the Bourbon Whiskey family tree buried in here too.  I'm making you hunt for it though.  Now, for the news...

The Adobe breach was bad enough that Facebook wanted to make sure the affected Adobe users were not using the same passwords at Facebook. [7]  Facebook checked to see if their users used any of the Adobe passwords. If they found any, they isolated the offending users until they changed passwords. Seems like a great idea until you ask yourself “Wait a minute. How is Facebook checking my password? Can they read it?” The good news is no, they can’t read your password. Facebook stores passwords properly and can’t read them. Instead they took all the plain text passwords from Adobe and ran them through the normal code they use to hash passwords. If your password hash matched an Adobe password hash, you were sent to the penalty box. Kudos to Facebook for proactive user protection.
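The Facebook check described above, as an added example (this is not Facebook's code; PBKDF2-HMAC-SHA256, the per-user salt and the account records are assumptions standing in for whatever scheme a site actually uses). The site never decrypts anything of its own: it re-runs its normal password hashing over the leaked plaintext for the matching account and compares the result to the stored hash.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 stands in for the site's real scheme (assumption).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a plaintext password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, email: str, password: str) -> None:
    """Store only salt + hash; the plaintext is never kept."""
    salt = os.urandom(16)
    store[email] = (salt, hash_password(password, salt))


def find_reused_passwords(store: dict, leaked: list) -> list:
    """Return emails whose stored hash matches a leaked (email, plaintext) pair.

    Each leaked plaintext is hashed with that user's own salt, so the
    comparison works even though every stored hash is salted differently.
    The compare is constant-time to avoid leaking partial-match timing.
    """
    affected = []
    for email, leaked_plaintext in leaked:
        record = store.get(email)
        if record is None:
            continue  # leaked address is not an account here
        salt, stored_hash = record
        candidate = hash_password(leaked_plaintext, salt)
        if hmac.compare_digest(candidate, stored_hash):
            affected.append(email)
    return affected


# Constructed sample data, not real accounts or real leaked credentials.
STORE = {}
register(STORE, "alice@example.com", "correct horse battery staple")
register(STORE, "bob@example.com", "hunter2")

LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # reused
    ("bob@example.com", "Hunter2"),                          # different password
    ("carol@example.com", "password123"),                    # not a user here
]

if __name__ == "__main__":
    print(find_reused_passwords(STORE, LEAKED))  # ['alice@example.com']
```

Only alice lands in the penalty box: bob's leaked password differs by case, and carol has no account to compare against.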

The Pwn2Own guys are at it again.  [19]  This is why we can’t have nice things. Security researchers continue to find new and creative ways to use mobile devices in ways the designers never intended. That’s a nice way of saying everybody's hacking these things six ways to Sunday and we don’t know what they’re going to do next. I console myself by saying that this is the same pattern we went through in the late 90s and early 2000s.  We'll eventually get our act together enough to keep the benefit outweighing the cost.

And speaking of challenges keeping your act together, the International Space Station fell into a bit of a kerfuffle this week. [20]   When you get a computer virus, troubleshooting normally involves an updated antivirus definition and a reboot. If it’s really bad, you need to reinstall the operating system from scratch. That’s much trickier when you live in your computer and it happens to be an overgrown beer can whirling around the Earth at 17,100 MPH held in place by a tenuous thread of gravity. Use that example with your users next time they grouse about rebooting to apply a security patch.

Bonus Link: Interview with Astronaut Chris Hadfield, ISS Commander. He talks about things going wrong when they upgraded the ISS operating system, plus other cool stories about living on the space station for extended periods.

We had some good research published last week for those of you who like data.  Microsoft issued their Security Intelligence Report (SIR) v15.  [23]  It includes some interesting data on denial of service attacks.  Tripwire also published The State of Risk-Based Security Management: U.S. & U.K. 2013 [27], which impressed me with its data transparency.  You know the sample size, they discuss the opportunities for error, and generally present their findings in an up-front manner.  I've not had a chance to review these documents in detail yet, but I am looking forward to doing so.

I’m still not sure if the general population truly understands the importance of the role cryptography played in sculpting the events of World War II. This conflict arguably changed the course of human history more than any other. As a cryptanalyst deciphering Enigma-encoded messages, Mavis Batey made significant contributions to the Allies’ victory and she must be recognized for her efforts. [12] Cryptography continues to play a huge role in the course of human events, as evidenced by the Edward Snowden leaks. This is a quick and fascinating read that is worth your time.

Link Dump

[1]  T. Hunt, “Adobe credentials and the serious insecurity of password hints,” Troy Hunt, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[2]  C. Watson, “AWS Security Guidance and Information,” Web Security, Usability, and Design, 13-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].

[3]  C. Spoelman, “Chart: The Family Tree of Bourbon Whiskey,” GQ. [Online]. Available: [Accessed: 15-Nov-2013].

[4]  P. Muncaster, “Chinese Bitcoin exchange DISAPPEARS, along with £2.5 MEEELLION,” The Register, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[5]  M. Rawat, “e-Whoring: Darker Way to Earn Money,” INFOSEC Institute, 15-Nov-2013. [Online]. Available: [Accessed: 15-Nov-2013].

[6]  “Exploring risk-based security management in the industrial sector,” Help Net Security, 13-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].

[7]  L. Vaas, “Facebook locks users in a closet for using same passwords/emails on Adobe,” Naked Security, 13-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].

[8]  “Free mobile security scanning apps and SDK,” Help Net Security, 13-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].

[9]  L. Vaas, “Google: US data requests have more than tripled since 2009,” Naked Security, 15-Nov-2013. [Online]. Available: [Accessed: 15-Nov-2013].

[10]  “hashcat - Multi-Threaded Password Hash Cracking Tool,” Darknet - The Darkside, 13-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].

[11]  “How Classified NSA Exploit tools RADON and DEWSWEEPER Work,” InfoSec Institute, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[12]  P. Ducklin, “In memoriam - Mavis Batey MBE, codebreaker extraordinaire at Bletchley Park,” Naked Security, 15-Nov-2013. [Online]. Available: [Accessed: 15-Nov-2013].

[13]  X. Mertens, “Keep an Eye on Your Amazon Cloud with OSSEC,” /dev/random, 15-Nov-2013. [Online]. Available: [Accessed: 15-Nov-2013].

[14]  “Malware Analysts have the Tools to Defend Against Cyber-Attacks, But Challenges Remain.” ThreatTrack Security, Nov-2013.

[15]  B. Schneier, “Microsoft Retiring SHA-1 in 2016,” Schneier on Security, 13-Nov-2013. [Online]. Available: [Accessed: 14-Nov-2013].

[16]  D. Batchelder, J. Blackbird, D. Felstead, P. Henry, B. Hope, J. Jones, A. Kulkarni, M. Lauricella, R. McRee, C. Mills, N. Ng, D. Pecelj, A. Penta, T. Rains, V. Sekhar, H. Stewart, M. Thomlinson, T. Thompson, and T. Zink, “Microsoft Security Intelligence Report, 2013-1H.” Microsoft Corp., Jun-2013.

[17]  T. Wilson, “New IE Vulnerability Found In The Wild; Sophisticated Web Exploit Follows,” Dark Reading, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[18]  “Prediction of sexual orientation through Facebook friends,” Flowing Data, 13-Nov-2013. [Online]. Available: [Accessed: 14-Nov-2013].

[19]  I. Thomson, “Pwn2Own crackers leave iOS and Samsung mobe security IN RUINS,” The Register, 14-Nov-2013. [Online]. Available: [Accessed: 14-Nov-2013].

[20]  R. Jennings, “Russians infect space with USB malware, Stuxnet found in nuclear reactor,” Computerworld, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[21]  L. Vaas, “San Diego quietly slips facial recognition into the hands of law enforcers,” Naked Security, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[22]  B. Schneier, “Schneier on Security: Defending Against Crypto Backdoors,” Schneier on Security, 22-Oct-2013. [Online]. Available: [Accessed: 22-Oct-2013].

[23]  “Security Intelligence Report (SIR) v15 Now Available,” Microsoft Trustworthy Computing Blog, TechNet Blogs. [Online]. Available: [Accessed: 12-Nov-2013].

[24]  B. Crocker, “Six Degrees of Separation: Why Your Data is More Valuable than You Think,” FireEye Blog, 04-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].

[25]  K. Jackson-Higgins, “Survey Exposes The Dirty Little Secret Of Undisclosed Breaches,” Dark Reading, 07-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[26]  “The operations of a cyber arms dealer,” Help Net Security, 12-Nov-2013. [Online]. Available: [Accessed: 12-Nov-2013].

[27]  “The State of Risk-Based Security Management: U.S. & U.K. 2013.” Tripwire, 2013.

[28]  C. Morello and T. Mellnik, “Washington: A world apart,” Washington Post, 09-Nov-2013. [Online]. Available: [Accessed: 13-Nov-2013].