Friday Summary, February 8, 2013: 3-dot Journalism VersionBy Adrian Lane
Every now and again I can’t decide what to discuss on the Friday summary, so this week I will mention all items on my mind.
First, I live near a lot of small airports. There are helicopters training in my area every day, and hardly a week goes by when a collection of WWII planes doesn’t rumble by – very cool! And 20 or so hot-air balloons launch down the street from me every day. So I am always looking up to see what’s flying overhead. This week it was a military drone. I have never given much thought to drones. We obviously have been hearing about them in Afghanistan for years, but it certainly jerks you awake to see one for the first time – overhead in your own backyard. Not sure what I think about this yet, but seeing one in person does have me thinking!
I watched the Super Bowl on my Apple TV this year. I streamed the game from the CBS Sports site to the iMac, and used AirPlay to stream to the Apple TV. That means I got to watch on the big plasma, and the picture quality was nearly as good as DirecTV. Not to give a back-handed compliment, but CBS Sports got a clue that people are actually using this thing they call “The Internet” for content delivery. The only downside was that I had to watch the same three bad commercials every 2 minutes for the entire freakin’ game. But hey, it was free and it was decent quality. Too bad the game sucked. Ahem. Anyway, happy the big networks are less afraid of the Internet and realize they can reach a wider audience by allowing access to content instead of hoarding it. All I need now is an NFL package on the Apple TV and I am set!
If I was going to write code to exfiltrate data from a machine, I think I’d try to leverage Skype. Have you ever watched the outbound traffic it generates? A single IM generated 119 UDP packets to 119 different IP addresses over some 40 ports. It’s using UDP and TCP, has access to multiple items in the keychain, maintains inbound and outbound connections to thousands of IPs outside the Skype domains, occasionally leverages encrypted channels, and dynamically alters where data is sent. I used a network monitor and can’t make heads or tails of the traffic or why it needs to spray data everywhere. That degree of complexity makes hiding outbound content easy, it has a straightforward API, and its capabilities allow very interesting possibilities. Call me paranoid, but I’m thinking of removing Skype because I don’t feel I can adequately monitor it or sufficiently control its behavior.
I’m really starting to look forward to the RSA Conference – despite being over-booked! Remember to RSVP for the Disaster Recovery Breakfast!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s DR Post: Restarting Database Security.
- Rich quoted in Twitter, Washington Post targeted by hackers.
- Dave Mortman quoted in Enhancing Principles for your I.T. Recruiting Practice.
Favorite Securosis Posts
- Mike Rothman: RSA Conference Guide 2013: Key Themes. Yup, it’s that time again. We’re posting our RSA Conference Guide incrementally over the next two weeks. The first post is Key Themes. Let us know if you agree/disagree, love/hate, etc.
- Adrian Lane & David Mortman: The Increasing Irrelevance of Vulnerability Disclosure.
Other Securosis Posts
- Network-based Threat Intelligence: Following the Trail of Bits.
- The Increasing Irrelevance of Vulnerability Disclosure.
- Bamital botnet shut down.
- The Fifth Annual Securosis Disaster Recovery Breakfast.
- The Problem with Android Patches.
- Network-based Threat Intelligence: Understanding the Kill Chain.
- Incite 2/6/2013: The Void.
- Latest to notice.
- New Paper: Understanding and Selecting a Key Management Solution.
- Great security analysis of the Evasi0n iOS jailbreak.
- The Data Breach Triangle in Action.
- Understanding IAM for Cloud Services: Architecture and Design.
- Prepare for an iOS update in 5… 4… 3….
- If Not Java, What?
- Improving the Hype Cycle.
- Getting Lost in the Urgent and Forgetting the Important.
- Twitter Hacked.
- Oracle Patches Java. Again.
- Apple blocks vulnerable Java plugin.
- A New Kind of Commodity Hardware.
- Pointing fingers is misleading (and stupid).
Favorite Outside Posts
- Mike Rothman: The “I-just-got-bought-by-a-big-company” survival guide. As some of you work for vendors, may you have such problems that Scott Weiss’ great advice comes into play. I’ll get out my little violin for you…
- Adrian Lane: Mobile app security: Always keep the back door locked.
- James Arlen: Here’s How Hackers Could Have Blacked Out the Superdome Last Night.
- David Mortman: Infosec Incidents: Technical or judgement mistakes?
RSA Conference Guide 2013
Project Quant Posts
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
- Tokenization vs. Encryption: Options for Compliance.
- Pragmatic Key Management for Data Encryption.
- The Endpoint Security Management Buyer’s Guide.
Top News and Posts
- Pete Finnegan launched a new Oracle VA scanner.
- The evolution of code. Or defining an evolvable code concept. Esoteric, but interesting.
- PayPal fixes a SQL injection vulnerability, pays researcher $3,000 reward for discovery
- Amazon.com Goes Down, Takes Short Break From Retail Biz. A bit of a surprise to get the “HTTP/1.1 Service Unavailable” page.
- Hajomail – Mail for hackers. Brought to you by the NSA. Eh, just kidding.
- Show off Your Security Skills: Pwn2Own and Pwnium 3 3 meeleeon in prizes *me laughs evil laugh*
- Microsoft, Symantec Hijack ‘Bamital’ Botnet via Krebs.
- Mobile-Phone Towers Survive Latest iOS Jailbreak Frenzy via Wired
- Employees put critical infrastructure security at risk
- Department of Energy hack exposes major vulnerabilities
- Super Bowl Blackout Wasn’t Caused by Cyberattack
- Twitter flaw allowed third party apps to access direct messages
Blog Comment of the Week
This week’s best comment goes to Ajit, in response to Getting Lost in the Urgent and Forgetting the Important.
“These are things you cannot do in 140 characters, and we need something between a Tweet and a Whitepaper to have an industry conversation”
I am really hoping that we will see a stable platform similar to Google wave that can bridge the gap between a blog comment and a tweet to engage in that 1:1 conversation and still have a conversation flow.