Friday Summary: June 28, 2013—“Summer’s here” edition
By Adrian Lane
Normally by this time of year things slow down, people go on vacation, and we get to relax a bit, but not this year. At least not for me. It has been seven days a week here for a while, playing catch-up with all the freakin’ research projects going on. And I have wanted to comment on a ton of news items, but have not had the time. So this week’s summary consists of comments on a few headlines I have not otherwise had the chance to comment on. Here we go:
All I can think about when I read these stories on NSA spying and Snowden news items: It is criminal for you, the public, to know our secrets. But it’s totally okay for us to spy on you. Nothing to worry about. Move along now.
Love Square. Great product. Disruptive payment medium. But it has been reported they want to create a marketplace to compete with eBay, Amazon and – my interpretation, not something they have stated – craigslist. So let me ask you: Are they friggin’ nuts?
Speaking of crazy, why would anyone claim HP is too late to enter the big data race? Has their tardiness in rolling out big data or big-data-like technologies hurt them in the SIEM space? No question. But the market for general big data services is very new, and the race for leadership in packaged services has not even begun yet.
Was I the only one shocked to learn RSA’s call for papers started this week? WTF? Didn’t I just get back from that conference? We are still a month away from Black Hat. It is currently 109F here in Phoenix, and all I want to do is find a cold beer and keep out of the heat. This just does not feel like the time to be thinking about presentation outlines… But if you want to present next February, consider this a friendly reminder.
For those three of you who have been emailing me about passwords and password managers because of my comments during the Key Management webcast last week, it’s okay. We will continue to use passwords here and there. I like password managers. Corporate and personal. I use them every day. But passwords will be replaced by tokens and identity certificates for Internet services because a) identity tokens allow us to do much more with identity and authorization than we can with passwords, and b) tokens remove the need to store password hashes on the server. Which is another way of saying passwords can’t do what certificates do.
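To make point (b) concrete, here is a small added example (my illustration, not code from the original post or from Securosis) contrasting what each model forces the service to keep. A password service holds a salted PBKDF2 verifier for every account, so a database leak hands an attacker every user’s material to guess against offline; a service that accepts signed identity tokens holds only the issuer’s verification key and nothing per user, and a forged, tampered or expired token is simply rejected. The example assumes an HMAC shared key in place of the public-key signature that identity certificates would actually use (Python’s standard library has no asymmetric signature primitive), and every username, scope and key in it is constructed.

```python
"""Password verifiers vs. signed identity tokens: what the server must store."""
import base64
import hashlib
import hmac
import json
import os
import time


# --- Model A: password authentication. The service keeps a per-user
# verifier (salted PBKDF2 hash) for every account; a database compromise
# exposes all of them to offline guessing. ---
class PasswordStore:
    ITERATIONS = 200_000

    def __init__(self):
        self._records = {}  # username -> (salt, derived key)

    def register(self, username, password):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._records[username] = (salt, key)

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            return False
        salt, key = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, key)

    def stored_secret_count(self):
        return len(self._records)


# --- Model B: token authentication. An identity provider signs a set of
# claims; the service only holds the issuer's verification key and stores
# nothing per user. HMAC (shared key, an assumption for this example) stands
# in for the public-key signature a certificate-based deployment would use. ---
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenIssuer:
    def __init__(self, signing_key):
        self._key = signing_key

    def issue(self, username, scopes, ttl_seconds=300, now=None):
        now = time.time() if now is None else now
        claims = {"sub": username, "scope": scopes, "exp": int(now + ttl_seconds)}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(tag)


class RelyingService:
    def __init__(self, verification_key):
        self._key = verification_key

    def verify(self, token, now=None):
        """Return the claims if signature and expiry check out, else None."""
        now = time.time() if now is None else now
        try:
            payload, tag_text = token.split(".")
            expected = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag_text)):
                return None  # forged, tampered, or signed by another issuer
            claims = json.loads(_unb64(payload))
        except (ValueError, TypeError):
            return None  # malformed token
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None  # expired (or claims are not an object)
        return claims

    def stored_secret_count(self):
        return 0  # no per-user verifiers to leak


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")  # constructed account
    print("password ok:", store.verify("alice", "correct horse battery staple"))
    print("per-user secrets held by password service:", store.stored_secret_count())

    issuer_key = os.urandom(32)  # lives with the identity provider
    issuer, service = TokenIssuer(issuer_key), RelyingService(issuer_key)
    token = issuer.issue("alice", ["mail:read"])
    print("token claims:", service.verify(token))
    print("per-user secrets held by token service:", service.stored_secret_count())
```

The thing to notice is the two `stored_secret_count` values: the password service grows a new verifier with every account, while the token service never does, which is exactly why a breach of the relying service does not turn into a credential-cracking exercise.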
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s white paper on 10 Common Database Vulnerabilities.
- Mike’s DR Post: The Slippery Slope Of Security Invisibility.
- Rich’s DR Post: Security Needs More Designers, Not Architects.
- Adrian’s Dark Reading post Database Configuration Standards.
- Adrian’s Key Management webcast.
- Rich’s Macworld article on Apple’s Security Strategy.
- It’s older, but I just saw Mike’s Security Myth-busting video and it’s funny.
Favorite Securosis Posts
- Rich: Adrian on SQLi. He gets a little pedantic, but that’s what we love about him.
- Mike Rothman: Security Analytics with Big Data: Deployment Issues. Adrian did a fantastic job with this series. Read all the posts and learn about the future of SIEM…
- Adrian Lane: Top 10 Stupid Sales/Press/Analyst Presentation Tricks. We see stupid human tricks every week and I don’t think most companies understand how they or their slide decks are perceived.
Other Securosis Posts
- Database Denial of Service [New Series].
- API Gateways: Developer Tools.
- iOS 7 Adds Major Data Security Improvements.
- Incite 6/26/2013: Camp Rules.
- The Black Hole of DLP.
- Automation Awesomeness and Your Friday Summary (June 21, 2013).
- Full Disk Encryption (FDE) Advice from a Reader.
- Talking Head Alert: Adrian on Key Management.
- How China Is Different.
- Microsoft Offers Six Figure Bounty for Bugs.
- Project Communications.
- Network-based Malware Detection 2.0: Deployment Considerations.
Favorite Outside Posts
- Adrian Lane: Data Leakage In A Google World. People forget that Google is a powerful tool, which often finds data companies did not want exposed. It’s a tool to hack with, and yes, a tool to phish with.
- Chris Pepper: Solaris patching is broken because Oracle is dumb and irresponsible. Feh.
- Mike Rothman: Wences Casares: Teach Your Children to be Doers. Great post here by a start-up CEO about how to teach your kids to get things done. If only all those “entitlement kids” got a similar message from their parents.
- Dave Lewis: Opera Software Hit by ‘Infrastructure Attack’; Malware Signed with Stolen Cert.
- Rich: TheStreet on Brian Krebs. I think it’s awesome that Brian is doing so well – he writes circles around everyone else on the cybercrime beat. Needless to say, we are fans of the low-overhead direct model. Seems to be working for us at least.
Research Reports and Presentations
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
- Tokenization vs. Encryption: Options for Compliance.
- Pragmatic Key Management for Data Encryption.
- The Endpoint Security Management Buyer’s Guide.
Top News and Posts
- Oracle releases critical security update for Java, Apple follows suit.
- The DEA Seized Bitcoins In A Silk Road Drug Raid.
- Turkey seeks to tighten control over Twitter.
- Why Snowden Asked Visitors in Hong Kong to Refrigerate Their Phones.
- Snowden distributed encrypted copies of NSA docs around the world.
- Pentagon’s failed flash drive ban policy: A lesson for every CIO.
- U.S. Surveillance Is Not Aimed at Terrorists.
- Attackers sign malware using crypto certificate stolen from Opera Software.
- Software Flaw Threatens LG Android Smartphones.
- South Korean cyberattacks.
- Researcher nets $20K for finding serious Facebook flaw.
- Vast majority of malware attacks spawned from legit sites. More from Google’s Safe Browsing disclosures.
- Google Adds Malware and Phishing Data to Transparency Report.
- HP Confirms Backdoor In StoreOnce Backup Product Line.
Blog Comment of the Week
This week’s best comment goes to Guillaume, in response to iOS 7 Adds Major Data Security Improvements.
The share sheet thing is pretty big. A big issue a lot of users have with “BYOD” apps that are in their own little gardens is the user experience is not good (UI, usage of other resources on the machine like contacts and calendars, etc).
With this we can hopefully have a great way to allow users to use Mail.app as you mentioned while preventing the user from opening attachments in Dropbox.