Friday Summary; October 31, 2014
By Adrian Lane
I was at Intel’s Focus conference earlier this week. Intel basically held a McAfee coming-out party, and announced that the security practices of both firms will henceforth be run under the single umbrella of Intel Security. Not much to report on that, but I spoke to more customers at this event than at any other vendor event. And they were chatty, which is nice. But something is troubling me. Do you know what they did not mention as a problem? Mobile. Nope. The biggest surprise of the week was hearing security practitioners and CISOs talk about the threat of the IoT (Internet of Things), without even mentioning mobile. I am still surprised, because a) mobile is really here, b) security of mobile data is a problem on most devices, c) mobile app controls and spotty authentication are still an issue, and d) the market has yet to embrace a good model for control. IoT does not even feel real yet, but the security practitioners I heard speak are currently dealing with threats to Point of Sale terminals, medical devices, cars, and a whole bunch of devices we have used for a long time, but where the current generation includes sophisticated processors and Internet connectivity. Still, IoT is your biggest concern? Really?
This will be one of the shorter Friday Summaries I have written because … it’s here. The puppy I predicted would be landing in my home has arrived. Early, in fact. I am sure it’s because the breeder was exhausted by him. He is slightly ornery, possessed of limitless energy, and fearless. Which means he is into everything all the time. Say hello to ‘Satchmo’:
I don’t usually talk about my pets much on this blog, but it has been years since we had a new puppy in the house, and you forget all the lifestyle changes that come with a new puppy. Plus he’s very cute, and seems to get along with everyone great. He has only been here a short time but he’s worn me out. And my wife. And my adult Boston. And everything else that lives here … except the Boxer. Boxers never get tired, so I think the rest of us are going to take a nap while those two play.
Happy Halloween all! Halloween on a Friday is the best, so have fun!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: Incite 10/29/2014: Short Memory. I am actually FAV-ing my “Card of the Sith” Incite in this week’s post.
- Rich: Building an Enterprise Application Security Program New Series. Ho boy, is this a big topic. Adrian jumps into one of the most painful issues for enterprises to deal with: internal apps.
- Mike Rothman: Firestarter: It’s All in the Cloud. I had fun recording this week’s Firestarter. Though we did miss Adrian. There was no one to keep Rich and me on track!
Other Securosis Posts
- Building an Enterprise Application Security Program: Use Cases.
- Apple Security and Privacy Updates.
- New Research Paper: Trends in Data Centric Security.
- Old School (Computer).
Favorite Outside Posts
- Adrian Lane: Challenges With Randomness In Multi-tenant Linux Container Platforms. Containers seem to have caught fire, and I expect them to be the ‘struts’ of this generation. But stressing any hot new approach turns up systemic flaws. A good discussion by James Bayer.
- Rich: Facebook Open Sources Host Monitoring Tool, Increases Internet Defense Prize. This is interesting. I did an interview on the tool, based on a high-level description (trust me – I warned the reporter I would need to see it working for a real assessment). It sounds like a Chef/Puppet competitor. But this gathers different information, which is more security relevant, and then enables you to query it like a database. That is very interesting. Might have to play with it!
- Mike Rothman: SHE’S A WRECK. What a courageous post by aloria, baring her issues with brutal honesty and candor. Thankfully she made it through, but understand that her bipolar disorder is a daily battle. Rarely do we get to see the people behind the avatars, the unvarnished challenge of being imperfect and human, as we all are.
- Pepper: AT&T, Verizon Using ‘Perma-Cookies’ to Track Customer Web Activity. I didn’t think I needed a VPN but I am now considering paying for Cloak.
Research Reports and Presentations
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
Top News and Posts
- UPnP Devices Used in DDoS Attacks
- Chip & PIN vs. Chip & Signature
- Adobe’s e-book reader sends your reading logs back to Adobe–in plain text. *sigh*
- Automated NoSQL exploitation with NoSQLMap
- CurrentC for mobile payments and exclusivity
- CurrentC site hacked
- Alleged Dropbox hack underlines danger of reusing passwords
Blog Comment of the Week
This week’s best comment goes to Pat Bitton, in response to Old School.
I always hark back to the operating code for dBase II and WordStar both fitting on a single 360K floppy.