Your Facebook account gets compromised. Your browser flags your favorite sports site as a malware distributor. Your Twitter account is hacked through a phishing scam. You get AV pop-ups on your machine, but cannot tell which are real and which are scareware. Your identity gets stolen. You try to repair the damage and make sure it doesn’t happen again, only to get ripped off by the credit agency (you know who I am talking about). Exasperated, you just want to go home, relax, and catch up on March Madness. But it turns out the bracket email from your friend was probably another phishing attempt, and your alma mater suspends a star player while it investigates derogatory public comments – which it eventually discovers were forged. Man, it sucks to be Generation Y.
There has been an incredible cacophony over the last couple weeks across the mainstream media about social networks being manipulated for fun, personal satisfaction, and profit. Even the people in my semi-rural area are discussing how it has affected them and their children, so I know it is getting national attention. What I can’t figure out is how their behavior will change – if at all. RSnake discussed a Microsoft paper recently, expanding on its discussion of why training users on the dangers of unsafe browsing often does not make economic sense. Even if it were viable, people don’t want to learn all that stuff, as it makes web browsing more work than fun.
So what gives? I believe that our increasing use of and dependency on the Internet, and the corresponding increases in fraud and misuse, require change. But will people feel differently, and will this drive them to actually behave differently? Will the changes be technological, legal, or social? We could see tighter or looser privacy rules on websites, or legal precedents or new laws – we have already seen dramatic shifts in what younger people consider private and are willing to publicize online. The paper asserts that “The wisdom of the crowd discerns that ignoring some threats brings little actual harm …” which I totally agree with, and describes Twitter phishing and Facebook hacks. Bank accounts being drained and cars being shut down are a whole different level of problem, though. I really don’t have an answer – or even an inkling – of what happens next. I do think the problem has gotten sufficiently mainstream that we will see mainstream impacts and reactions, though. Interesting times!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian on Database Dangers in the Cloud on Dark Reading.
- Video interview with Rich on endpoint security, agents, and best of breed technologies.
- Project Quant in Database Security Metrics Project Needs Community Input
Favorite Securosis Posts
- Rich: FireStarter: IP Breach Disclosure, No-Way, No-How. I’m surprised this generated so little debate for a FireStarter. When I explain this verbally to people, it never fails to generate a vigorous response.
- David Mortman: FireStarter: IP Breach Disclosure, No-Way, No-How.
- Mike Rothman: Mogull’s Law. If Rich has the stones to name a law after himself, then I’m in. Not sure how proportional the causation is, but clearly users do whatever hurts the least.
- Adrian Lane: Network Security Fundamentals: Egress Filtering.
Other Securosis Posts
- LHF: Quick Wins with DLP – the Conclusion
- Incite 3/17/2010: Seeing the Enemy
- Database Activity Analysis Survey
- LHF: Quick Wins in DLP, Part 2
Favorite Outside Posts
- Rich: Conversations With a Blackhat. The best takeaway from RSnake’s summary of talking with some bad guys is that at least some of what we are doing on the security side is actually working. So much for the “security is failing” meme…
- David Mortman: Three Steps to a Rational Security Budget.
- Mike Rothman: Why I’m Skeptical of “Due Diligence” Based Security. I have no idea what Alex is talking about, but he has a picture of Anakin, Obi-Wan and Yoda with the glowing ghosts of John Lennon and George Harrison. So it’s my favorite of the week.
- Adrian Lane: Walkthrough: Click at Your Own Risk. Analysis of privacy and the manipulation of public impressions through social media. An excellent piece of analysis from … a football statistics site. Long but very informative, and a perspective I don’t think a lot of people appreciate.
Project Quant Posts
Top News and Posts
- What I thought was the biggest news of the week: HD Moore’s post on The Latest Adobe Exploit and Session Upgrading. – AL
- Penetrating Intranets through Adobe Flex Applications.
- A study highlights efforts to take down ISPs that allow malicious activity. This is a boon to reputation-based filtering. To be honest, I used to be skeptical of the idea but I’m slowly becoming a convert. –RM
- Zeus Trojan Now Has Hardware Licensing Scheme.
- Microsoft, security vendor clash over Virtual PC bug.
- Hacker Disables Over 100 Cars Remotely. Former employee using someone else’s login. Now where have we heard that before?
- Emerging Identity Theft Market. The $10 million number seems high to me, but the trends are not surprising.
- Facebook Password Scam.
- We have been talking about the Internet subsuming television for years. Google’s Set-top Box is an attempt worth watching closely, because television is all about advertising, which is Google’s strong suit (although they have not been a TV player to date), and this would enable a new kind of advertising. Should be interesting!
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Andy Jaquith, in response to RSA Tomfoolery: APT is the Fastest Way to Identify Fools and Liars. When a comment makes me laugh out loud, it usually gets my vote!
I’ve been using the phrase “Advanced Persistent Chinese” lately. It sounds good, it’s more accurate, and it’s funny. What’s not to like?
I completely agree that the displays of vendor idiocy around APT are far too widespread. You can’t have a carnival without the barker, apparently.
Good seeing you, by the way, Any – albeit far too briefly.