My original plan for this week’s summary was to geek out a bit and talk about my home automation setup. Including the time I recently discovered that even household electrical is powerful enough to arc weld your wire strippers if you aren’t too careful.
Then I read some stuff.
Some really bad stuff.
First up was an article in USA Today that I won’t even dignify with a link. It was on the iTunes account phishing that’s been going on, and it was pretty poorly written. Here’s a hint – if you are reading an article about a security issue and all the quotes are from a particular category of vendor, and the conclusion is to buy products made by those vendors, it’s okay to be a little skeptical. This is the second time in the past couple weeks I’ve read something by that author that suffered from the same problem. Vendor folk make fine sources – I have plenty of friends and contacts in different security companies who help me out when I need it, but the job of a journalist is to filter and balance. At least it used to be.
Next up are the multitude of stories on the US Department of Defense getting infected in 2008 via USB drives. Notice I didn’t say “attacked”, because despite all the stories surfacing today it seems that this may not have been a deliberate act by a foreign power. The malware involved was pretty standard stuff – there is no need to attribute it to espionage. Now look, I don’t have any insider knowledge and maybe it was one of those cute Russian spies we deported, but this isn’t the first time we’ve seen government related stories coming from sources that might – just might – be seeking increased budget or authority.
I’m really tired of a lazy press that single-sources stories and fails to actually research the issues. I know the pressure is nasty in today’s newsrooms, but there has to be a line someplace.
I write for a living myself, and have some close friends in the trade press I respect a heck of a lot, so I know it’s possible to hit deadlines without sacrificing quality.
But then you don’t get to put “Apple” in the title of every article to increase your page count.
On another note it seems my wife is supposed to have a baby today… or sometime in the next week or two. Some of you may have noticed my posting rate is down and I’ll be in paternity leave mode.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich and Chris Hoff at RSA 2009. Video of their presentation on disruptive innovation and cloud computing.
- Rich quoted in Bloomberg on the Intel/McAfee deal.
- And also over at Forbes.
Favorite Securosis Posts
- David Mortman: Backtalk Doublespeak on Encryption.
- Adrian Lane: Understanding and Selecting SIEM/Log Management. … of course. Granted it’s long, but if you are selecting a SIEM platform, this is a great primer to start the process.
- Mike Rothman: Data Encryption for PCI 101: Encryption Options. Really like this series because too many folks think encryption is the answer. This series tells you the question.
Other Securosis Posts
- Starting the Understanding and Selecting an Enterprise Firewall Project.
- Incite 8/25/2010: Let Freedom Ring.
- Webcasts on Endpoint Security Fundamentals.
Favorite Outside Posts
- David Mortman: Hoff’s 5 Rules Of Cloud Security….
- Adrian Lane: Hoff’s 5 Rules Of Cloud Security…. I read this after I saw Rich’s link in this week’s Incite … and Chris has nailed it. How many of us have actually tried to set up a secure environment within Amazon Web Services? Great post.
- Mike Rothman: Why the USP for Every Technical Product Sounds the Same. If you think it’s hard to tell one product from another, it’s not you. This is why. And it’s sad, but really really true.
- Rich: Find Evil and Solve Crime. The Mandiant folks are some of the few that really fight the APT, and one of their folks is starting a series giving some insight into their process.
Project Quant Posts
Research Reports and Presentations
- White Paper: Understanding and Selecting SIEM/Log Management.
- White Paper: Endpoint Security Fundamentals.
- Understanding and Selecting a Database Encryption or Tokenization Solution.
Top News and Posts
- Adobe Patches via Brian Krebs.
- Apple Mac OS X Security Patch.
- Visa Makes AppSec Recommendations. We’ll have more to say about this when we get a chance to finish reading the recommendations.
- Verizon Clears Credit Card Cloud Test. Yippee. Credit Cards in the cloud. And our profession needed a new place to hack credit cards to create a boost of excitement (just kidding, guys).
- Hey, watch where you stick that thing. You don’t know where it’s been!
- Researcher Arrested for Disclosure. This case is interesting for a couple different reasons.
- DEFCON Survey Results.
- Toolkit for DLL hijacking.
- Critical Updates for Windows, Flash Player.
- Apple Jailbreak Vuln.
- Wireshark review.
Blog Comment of the Week
I don’t want to give this article too much attention, too much FUD, too few facts, but I thought this was worth a quote:
“…the bad guys do not attack encrypted data directly…”
which is followed up with: “When you encrypt a small field with a limited number of possible values, like the expiry date, you risk giving a determined (and sophisticated) attacker a potential route to compromising your entire cardholder database.” … by attacking the encrypted data directly?
The other point I had was that there are two ways to create the same output given the same input (in “strong” symmetric ciphers): use ECB mode, or re-use the same initialization vector (IV) over and over. I think most financial places lean towards the former because managing/transferring the IV is more overhead.
The problem isn’t so much the deterministic output, but that ECB mode allows patterns in the plaintext to be transferred into the ciphertext. Wikipedia has a visual on this at http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
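To make the comment's two points concrete, here is an added example (not part of the original post, the quoted article, or the comment above). It encrypts a small field, a card expiry date with only 120 possible MM/YY values, three ways: AES-ECB, AES-CBC with one IV reused for every record, and AES-CBC with a fresh random IV per record. The attacker model is an assumption of this example: someone who never learns the key but can get expiry dates of their choosing encrypted by the application (for instance by transacting on cards they control) and has dumped the stored ciphertexts. Under the two deterministic designs that is enough to build a 120-entry dictionary and read back every record, which is the "route to compromising your entire cardholder database" without ever attacking the cipher itself. The demo key, the six-row table and the fixed IV are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed AES-256 demo key; the attacker modelled below never learns it.
// NewCipher cannot fail for a 32-byte key, so the error is safe to discard here.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoBlock, _ = aes.NewCipher(demoKey)

// pad16 right-pads a short fixed-width field such as "03/14" to one AES block.
func pad16(s string) []byte {
	b := make([]byte, aes.BlockSize)
	copy(b, s)
	return b
}

// ecbEncrypt encrypts each block independently (Go ships no ECB mode on purpose).
func ecbEncrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		demoBlock.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// cbcEncrypt chains block-aligned plaintext under the given IV.
func cbcEncrypt(iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(demoBlock, iv).CryptBlocks(ct, pt)
	return ct
}

// The three designs the comment contrasts; the fixed IV is a constructed constant, random-IV CBC returns IV||ciphertext.
func EncryptECB(pt []byte) []byte        { return ecbEncrypt(pt) }
func EncryptCBCFixedIV(pt []byte) []byte { return cbcEncrypt([]byte("fixed-iv-reused!"), pt) }
func EncryptCBCRandomIV(pt []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return append(iv, cbcEncrypt(iv, pt)...)
}

// allExpiries enumerates every MM/YY in a ten-year window: just 120 values.
func allExpiries(startYY int) (out []string) {
	for yy := startYY; yy < startYY+10; yy++ {
		for mm := 1; mm <= 12; mm++ {
			out = append(out, fmt.Sprintf("%02d/%02d", mm, yy%100))
		}
	}
	return out
}

// DictionaryAttack models an attacker without the key who can get chosen expiry
// dates encrypted by the application and has dumped the stored ciphertexts.
// It returns the plaintext recovered for each stored record ("" if none).
func DictionaryAttack(oracle func([]byte) []byte, stored [][]byte) []string {
	dict := map[string]string{}
	for _, e := range allExpiries(10) {
		dict[string(oracle(pad16(e)))] = e
	}
	recovered := make([]string, len(stored))
	for i, ct := range stored {
		recovered[i] = dict[string(ct)] // "" when no dictionary entry matches
	}
	return recovered
}

// DistinctBlocks counts distinct 16-byte blocks; ECB turns repeated plaintext blocks into repeated ciphertext blocks.
func DistinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

// sampleDB is a constructed cardholder table: six expiry dates, three of them identical.
func sampleDB(encrypt func([]byte) []byte) (db [][]byte) {
	for _, e := range []string{"03/14", "11/12", "03/14", "07/19", "03/14", "01/10"} {
		db = append(db, encrypt(pad16(e)))
	}
	return db
}

func main() {
	for name, enc := range map[string]func([]byte) []byte{"ECB": EncryptECB, "CBC fixed IV": EncryptCBCFixedIV, "CBC random IV": EncryptCBCRandomIV} {
		fmt.Printf("%-14s recovered records: %q\n", name, DictionaryAttack(enc, sampleDB(enc)))
	}
	rep := bytes.Repeat([]byte("SAME-16-BYTE-BLK"), 4)
	fmt.Println("distinct blocks, ECB vs random-IV CBC:", DistinctBlocks(EncryptECB(rep)), DistinctBlocks(EncryptCBCRandomIV(rep)))
}
```

Run it and the ECB and fixed-IV rows come back fully resolved, including which three cards share an expiry, while the random-IV row recovers nothing. The last line shows the second point: four identical plaintext blocks under ECB give one repeated ciphertext block, the pattern leak behind the familiar Wikipedia image, whereas CBC with a fresh IV gives five different blocks. The fix is not a stronger cipher but a non-deterministic mode (random IV, or an authenticated mode such as AES-GCM with a unique nonce) or a design that does not encrypt low-entropy fields on their own.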