I think we can firmly declare December 2010 the Month of Pwnage.
Between WikiLeaks, Gawker, McDonald's, and Anonymous DDoS attacks, I’m not sure infosec has been in the news this much since the early days of big data breaches. Heck, I haven’t been in the news this much since I got involved with the Kaminsky DNS thing. To be honest, it’s a little refreshing to have a string of big stories that don’t involve Albert Gonzalez.
But here’s the thing I find so fascinating. In a very real sense, most of these high profile incidents are meaningless compared to the real compromises occurring daily out there. Our large enterprise clients are continuously compromised and mostly focusing on minimizing the damage. While everyone worries about Gawker passwords, local bad guys are following delivery trucks and stealing gifts off doorsteps – our local police nailed someone who hit a dozen houses and 50 gifts, and Pepper also had a couple incidents. I can no longer tell someone my profession without hearing a personal – generally recent – story of credit card or bank fraud. Heck, this week my bank teller described how a debit card she cut up months earlier was used for online purchases.
But I guess none of that is nearly as interesting as Gizmodo and Lifehacker account compromises. Or DDoS attacks that don’t cause any real damage. And even that story became pretty darn funny when they tried to attack Amazon… which is sort of like trying to deflect the course of the Sun with a flock of highly-motivated carrier pigeons.
I love my job.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich quoted in the Wall Street Journal.
- Rich also quoted by the AP on the Gawker hack… which made it into a couple hundred publications. For the record I wasn’t trying to downplay the severity to Gawker, but to contrast vandalism-style attacks (however severe) against financially motivated ones. Some of the context was lost, and I can’t blame the journalist.
- Network Security Podcast, Episode 225.
- Mike quoted in Weighing Optimism vs. Pragmatism.
- Dark Reading on Gawker Goof.
Favorite Securosis Posts
- David Mortman: Market Maturity and Security Competitive Advantage.
- Mike Rothman: Get over it. If we spent half the time doing stuff that we do bitching about it, a lot more would get done. Rich has it exactly right in this one.
- Adrian Lane: Market Maturity and Security Competitive Advantage. Not sure the title captures the essence, but an important lesson in how the security industry is shaped.
- Rich: Sigh. Everyone stole my fave (Market Maturity). I guess we should have written more this week.
Other Securosis Posts
- React Faster and Better: Incident Response Gaps.
- Infrastructure Security Research Agenda 2011 – Part 4: Egress and Endpoints.
- Infrastructure Security Research Agenda 2011 – Part 3: Vaulting and Assurance.
- Incite 12/15/2010: It’s not a sprint….
- Infrastructure Security Research Agenda 2011 – Part 2: Posturing and Reacting Faster/Better.
- Quick Wins with DLP Webinar.
Favorite Outside Posts
- Rich: The Real Lessons Of Gawker’s Security Mess. Daniel nails it with some hype-free, useful in-depth coverage. Some serious pwnage here.
- Adrian Lane: DO NOT poke the bear. And the beauty is that it ends with 1.
- David Mortman: The Flawed Legal Architecture of the Certificate Authority Trust Model.
- Mike Rothman: Can’t measure love. xkcd via Chandler. We can’t measure everything, but we can measure some things, and that’s key to remember for 2011 planning.
- Pepper: Avast! Beware ‘pirates’!. I just wish ‘Avast’ could be the most ‘pirated’ software of all time, because the name is just too perfect.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
Top News and Posts
- Major Ad Networks Found Serving Malicious Ads.
- Backscatter X-Ray Machines Easily Fooled (pdf).
- Back door in HP network storage solution – Update.
- Mozilla Adding Web Applications to the Security Bug Bounty Program.
- Dancing Snowman storms its way across Facebook.
- OpenBSD has FBI backdoor, claims contractor. Most likely a hoax.
- Your email deserves due process.
- Over 500 patches for SAP.
- HeapLocker Tool Protects Against Heap-Spray Attacks.
- Twitter Spam Results from Gawker Leak.
- Gawker Password Pwnage.
- Microsoft to address IE, Stuxnet flaws.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Marisa, in response to Get over it.
Only my dad calls it The BayThreat, Rich. :p
Gal Shpantzer had a great talk at DojoCon also this weekend about the “Security Outliers” and using analogies from other health and safety industries to tackle the subjects of infosec education and adoption. Seems like there is hope out there, and when the security industry is as old as sterilization practices in hospitals we’ll be seeing more trickle down adoption.