The Week That Was – 10/1/2012

This is actually a link dump for the past two weeks. Last week completely got away from me.

All the cool kids were bashing passwords the past two weeks. [2], [22-23], [28], [40] I agree that passwords are not the ideal authentication tool. However, history has shown that passwords strike the right balance between security and usability. Some of you might say that is a sad commentary on the advancement of security technology. I’d counter that the password’s persistence speaks volumes about the risk tolerance our businesses are comfortable with. It also speaks volumes about where the masses prefer the balance between security and usability. As security pros we all want to get it perfect. We need to make peace with the fact that good enough is sometimes all we need. Send counterpoints to the Comments.

Now let me talk out of the other side of my mouth. Passwords are important, especially in the realm of mobile devices. When the bad guys have physical control of the device, many times that password is the only thing between them and the data. The Certified Secure guys were able to crack the iPhone to get the address book, photos, videos, and web history, but still weren’t able to get the other data stored on the device. [19] Had Certified Secure obtained the password somehow, they would have had the keys to the kingdom. Password security is the long pole in the mobile device security tent. Here’s hoping the user doesn’t leave a bunch of greasy fingerprints on the screen showing the attacker which keys to push. (Ed. Note: Please notice I said “password” and not “PIN”. While passwords might be good enough, I don’t think PINs are. [25])

Finally, there were some interesting risk assessment and management articles in this batch. NIST has issued its guide for conducting risk assessments. [10], [20] I’ve not yet read it, so I will not issue any opinion. Still, if you’re in the government sector I’d start getting used to it. Jay Jacobs and Jeff Lowder have some insightful comments on creating a risk management organization. [1] Wrapping things up, take a look at the article on Cyber Liability Insurance. [8] Risk transference has been a control we’ve been unable to take full advantage of in the security space. Cyber liability insurance is giving us some new options. While it isn’t right for all situations, it could be right for some. You’ll have to do your homework to find the answer for your organization.

Link Dump

1. Hulme G. 7 common risk management mistakes [Internet]. CSO Online. 2012 [cited 2012 Sep 27]. Available from: http://www.csoonline.com/article/print/717341
2. Chickowski E. Bashing The Hash: IBM X-Force On Password Follies [Internet]. Dark Reading. 2012 [cited 2012 Sep 21]. Available from: http://www.darkreading.com/identity-and-access-management/167901114/security/news/240007730/bashing-the-hash-ibm-x-force-on-password-follies.html
3. China cyberattacks hit Japan in island row: police [Internet]. Phys.org. 2012 [cited 2012 Sep 20]. Available from: http://phys.org/news/2012-09-china-cyberattacks-japan-island-row.html
4. Krebs B. Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent [Internet]. Krebs on Security. 2012 [cited 2012 Sep 26]. Available from: https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/
5. Johnston C. Cops don’t need a warrant to see your e-mail—but they might soon [Internet]. Ars Technica. 2012 [cited 2012 Sep 26]. Available from: http://arstechnica.com/tech-policy/2012/09/cops-dont-need-a-warrant-to-see-your-e-mail-but-they-might-soon/
6. Chickowski E. DBAs And Developers Need To Better Segment Data Access [Internet]. Dark Reading. 2012 [cited 2012 Sep 20]. Available from: http://www.darkreading.com/database-security/167901020/security/news/240007661/dbas-and-developers-need-to-better-segment-data-access.html
7. Saita A. Developer Warns Millions of Virgin Mobile Subscribers About Authentication Flaw [Internet]. ThreatPost. 2012 [cited 2012 Sep 18]. Available from: http://threatpost.com/en_us/blogs/developer-warns-millions-virgin-mobile-subscribers-about-authentication-flaw-091712
8. Jackson-Higgins K. Don’t Waste Your Money On Cyber Breach Insurance [Internet]. Dark Reading. 2012 [cited 2012 Sep 27]. Available from: http://www.darkreading.com/database-security/167901020/security/security-management/240008014/don-t-waste-your-money-on-cyber-breach-insurance.html
10. Ross RS. Guide for Conducting Risk Assessments [Internet]. National Institute of Standards and Technology; 2012 [cited 2012 Sep 20]. Available from: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091
11. Mimoso M. “Historic” DDoS Attacks Against Major U.S. Banks Continue [Internet]. ThreatPost. 2012 [cited 2012 Sep 28]. Available from: https://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712
12. Donohue B. How-To Video: Securing Facebook [Internet]. ThreatPost. 2012 [cited 2012 Sep 19]. Available from: https://threatpost.com/en_us/blogs/how-video-securing-facebook-091812
13. McGee B, Ivey B, Hagermann C, Horanburg C, Schneider C, Merrill D, et al. IBM X-Force 2012 Mid-year Trend and Risk Report [Internet]. IBM; 2012 [cited 2012 Sep 20]. Available from: http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03014usen/WGL03014USEN.PDF
14. Jackson-Higgins K. Internet Explorer Blocks More Malware Than Firefox, Chrome, Safari [Internet]. Dark Reading. 2012 [cited 2012 Sep 28]. Available from: http://www.darkreading.com/risk-management/167901115/security/client-security/240008100/internet-explorer-blocks-more-malware-than-firefox-chrome-safari.html
15. Ullrich J. iOS 6 Security Roundup [Internet]. ISC Diary. 2012 [cited 2012 Sep 21]. Available from: https://isc.sans.edu/diary.html?storyid=14152
16. Michael M. Latest IE Zero-Day Flaw Tied to Nitro Hackers and Recent Java Zero-Day Exploits [Internet]. ThreatPost. 2012 [cited 2012 Sep 18]. Available from: http://threatpost.com/en_us/blogs/latest-ie-zero-day-flaw-tied-nitro-hackers-and-recent-java-zero-day-exploits-091712
17. Brook C. Massachusetts Hospital Agrees to Pay $1.5m After Stolen Laptop HIPAA Violation [Internet]. ThreatPost. 2012 [cited 2012 Sep 20]. Available from: https://threatpost.com/en_us/blogs/massachusetts-hospital-agrees-pay-15m-after-stolen-laptop-hipaa-violation-091912
18. Mimoso M. Microsoft Releases Out-Of-Band IE Zero-Day Patch [Internet]. ThreatPost. 2012 [cited 2012 Sep 24]. Available from: https://threatpost.com/en_us/blogs/microsoft-releases-out-band-ie-zero-day-patch-092112
19. Naraine R. Mobile Pwn2Own: iPhone 4S hacked by Dutch team [Internet]. ZDNet. 2012 [cited 2012 Sep 20]. Available from: http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/
20. New NIST publication provides guidance for computer security risk assessments [Internet]. Phys.org. 2012 [cited 2012 Sep 20]. Available from: http://phys.org/news/2012-09-nist-guidance.html
21. Prince B. Obama Cybersecurity Executive Order Nears Completion As Legislative Saga Continues [Internet]. Dark Reading. 2012 [cited 2012 Sep 24]. Available from: http://www.darkreading.com/advanced-threats/167901091/security/news/240007817/obama-cybersecurity-executive-order-nears-completion-as-legislative-saga-continues.html
22. Bonneau J. Password cracking, part I: how much has cracking improved? [Internet]. Light Blue Touchpaper. 2012 [cited 2012 Sep 19]. Available from: http://www.lightbluetouchpaper.org/2012/09/03/password-cracking-part-i-how-much-has-cracking-improved/
23. Bonneau J. Password cracking, part II: when does password cracking matter? [Internet]. Light Blue Touchpaper. 2012 [cited 2012 Sep 19]. Available from: http://www.lightbluetouchpaper.org/2012/09/04/password-cracking-part-ii-when-does-password-cracking-matter/
24. Kellerman T. Peter the Great Versus Sun Tzu [Internet]. TrendMicro; 2012 [cited 2012 Sep 28]. Available from: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/spotlight-articles/op_kellermann_peter-the-great-vs-sun-tzu.pdf
25. Berry N. PIN number analysis [Internet]. DataGenetics. 2012 [cited 2012 Oct 1]. Available from: http://www.datagenetics.com/blog/september32012/
26. Jackson-Higgins K. Profiling The Cybercriminal And The Cyberspy [Internet]. Dark Reading. 2012 [cited 2012 Sep 28]. Available from: http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilities/240008081/profiling-the-cybercriminal-and-the-cyberspy.html
27. Fisher D. Published Threat Intelligence, Not Cybersecurity Laws, Is What’s Needed [Internet]. ThreatPost. 2012 [cited 2012 Sep 26]. Available from: https://threatpost.com/en_us/blogs/published-threat-intelligence-not-cybersecurity-laws-whats-needed-092512
28. Schneier B. Recent Developments in Password Cracking [Internet]. Schneier on Security. 2012 [cited 2012 Sep 19]. Available from: http://www.schneier.com/blog/archives/2012/09/recent_developm_1.html
29. Researchers detect fraud with highest accuracy to date [Internet]. Phys.org. 2012 [cited 2012 Sep 18]. Available from: http://phys.org/news/2012-09-fraud-highest-accuracy-date.html
30. Brook C. Samsung Fixes Remote Wipe Flaw in Galaxy S III Smartphones [Internet]. ThreatPost. 2012 [cited 2012 Sep 27]. Available from: https://threatpost.com/en_us/blogs/samsung-fixes-remote-wipe-flaw-galaxy-s-iii-smartphones-092612
31. Rothman M. Security Intelligence = Table Stakes [Internet]. Dark Reading. 2012 [cited 2012 Sep 26]. Available from: http://www.darkreading.com/blog/240007917/security-intelligence-table-stakes.html
32. Lemos R. Services Can Help Identify Mobile Vulnerabilities [Internet]. Dark Reading. 2012 [cited 2012 Sep 18]. Available from: http://www.darkreading.com/security-services/167801101/security/security-management/240007491/services-can-help-identify-mobile-vulnerabilities.html
33. Schneier B. SHA-3 to Be Announced [Internet]. Schneier on Security. 2012 [cited 2012 Sep 24]. Available from: https://www.schneier.com/blog/archives/2012/09/sha-3_will_be_a.html
34. Ullrich J. Some Android phones can be reset to factory default by clicking on links [Internet]. ISC Diary. 2012 [cited 2012 Sep 26]. Available from: https://isc.sans.edu/diary.html?storyid=14173
35. Study outlines supply chain challenges for lithium future [Internet]. Phys.org. 2012 [cited 2012 Sep 24]. Available from: http://phys.org/news/2012-09-outlines-chain-lithium-future.html
36. Schneier B. The NSA and the Risk of Off-the-Shelf Devices [Internet]. Schneier on Security. 2012 [cited 2012 Sep 20]. Available from: https://www.schneier.com/blog/archives/2012/09/the_nsa_and_the.html
37. Stanley J. The President Reads His Daily Brief on an iPad (and Other Lessons From the NSA) [Internet]. American Civil Liberties Union. 2012 [cited 2012 Sep 20]. Available from: http://www.aclu.org/blog/technology-and-liberty/president-reads-his-daily-brief-ipad-and-other-lessons-nsa
38. Donohue B. Video: Locking Down iOS [Internet]. ThreatPost. 2012 [cited 2012 Sep 26]. Available from: https://threatpost.com/en_us/blogs/video-locking-down-ios-081312
39. Burke K. Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open [Internet]. Kevin Burke. 2012 [cited 2012 Sep 18]. Available from: http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/
40. Goodin D. Why passwords have never been weaker—and crackers have never been stronger [Internet]. Ars Technica. 2012 [cited 2012 Sep 19]. Available from: http://arstechnica.com/security/2012/08/passwords-under-assault/
