Friday Summary: September 28, 2012 (A weird security week)
By Rich
There was a lot of big news this week in the security world, most of it bad. Even if you skip the intro, make sure you read the Top News section.
Growing up I was – and this might shock some of you – a bit of a nerd. I glommed onto computers and technology pretty much as soon as I had access to them, and when I didn’t I was reading books and watching shows that painted wonderful visions of the future. I was a hacker before I ever heard the word, constantly taking things apart to see how they worked, then building my own versions.
Technology is thus very intuitive to me. I never had to learn it the way people who come to computers and electronics later in life do. I began programming so early that it (maybe) keyed into the same brain pathways that allow children to learn multiple languages with far more facility than adults. While my generational peers are far more comfortable with technology and computers than our parents, I generally still have a leg up due to my early immersion.
I naturally assumed that the generations following me would grow up closer to my experiences than my less geeky peers. But much to my surprise, although they are very comfortable with computers, they don’t have the damnedest idea of how they work or how to bend them to their own will. Unless it involves cats and PowerPoint. Lacking teachers who understood tech, they grow up learning how to use Office, not to program or dig into technology beyond the shallowest surface levels.
As I have started raising my own kids, I worry about how to get them interested in technology, and algorithmic thinking, in a world where iPads put the entire Disney repository a few taps away. I’m not talking about forcing them to become programmers, but taking advantage of their brain plasticity to reinforce logical thinking and problem solving, and at least convey a sense of deeper exploration.
This really did worry me, but over the past few months I have realized that as a parent I have the opportunity to engage my children to degrees my parents couldn’t possibly imagine.
It was a big deal when I got my first Radio Shack electronics kit. It was an even bigger deal when I made my first radio. My kids? This past weekend my 3.5-year-old and 2-year-old got to play with their first home-built LEGO robot. Yes, I did most of the building and all the programming, but I could see them learning the foundation of how it worked and what we could make it do. Building a robot to play with our cat is a hell of a lot more exciting than putting a picture of a cat in a PowerPoint.
This is barely the start. I grew up pushing ASCII pixels on screens. They will grow up programming, and perhaps designing, autonomous flying drones with high-definition video feeds. I grew up making simple electric candles that would turn on in a dark room. They will be able to create wonderful microcontroller-based objects they then embed into 3-D printed housings.
There’s no guarantee they will actually be interested in these things, but social engineering isn’t just for pen testing. Hopefully I can manipulate the crap out of them so they at least get the basics. And, if not, it means more stock fab material for me.
I’m biased. I think most of my success in life is due to a combination of logical thinking, the exploratory drive of a hacker, and a modest facility with the written word. As a parent I now have tools to teach these skills to my children in ways our parents could only dream about.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: My Security Fail (and Recovery) for the Week. Gave me a moment of panic.
- Mike Rothman: Securing Big Data: Architectural Issues. This series is critical for you to learn what’s coming. If it hasn’t already arrived.
- Rich: David Mortman’s Another Inflection Point. The more we let go of, the more we can do.
Other Securosis Posts
- Defending Against DoS Attacks: The Attacks.
- Incite 9/27/2012: They Own the Night.
- New Research Paper: Pragmatic WAF Management.
Favorite Outside Posts
- Adrian Lane: OAuth 2.0 – Google Learns to Crawl. For someone learning just how much I don’t know about authorization, this is a good overview of the high points of the OAuth security discussion.
- Mike Rothman: 25 Great Quotes from the Princess Bride. 25 YEARS! WTF? I don’t feel that old, but I guess I am. Take a trip down memory lane and remember one of the better movies ever filmed. IMHO, anyway.
- Rich: Connect with your inner grey hat. The title is a bit misleading, but the content is well stated. You need to change up your thinking constantly.
Research Reports and Presentations
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- Understanding and Selecting Data Masking Solutions.
- Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks.
- Implementing and Managing a Data Loss Prevention Solution.
- Defending Data on iOS.
- Malware Analysis Quant Report.
- Report: Understanding and Selecting a Database Security Platform.
Top News and Posts
- The big news this week is the compromise and use of an Adobe code signing certificate in targeted attacks. Very serious indeed.
- Banks still fighting off the Iranian DDoS attacks.
- OpenBTS on Android. This is the software you use to fake a cell phone base tower.
- Smart grid control vendor hacked. Yes, they had deep access to their clients, why do you ask?
- An interview with the author of XKCD. Sudo read this article.
- phpMyAdmin backdoored.
- PPTP now really and truly dead.
- More Java 0day. Seriously, what the hell is going on this week?
- And to top everything off, a Sophos post on selling exploits to governments.
Blog Comment of the Week
Agreed. We have done this and it is working. Two of our NOC engineers have MS degrees in Information Assurance and another comes from a military infosec background. They are network and operations staff, but they get security and do a great job with patching, FWs, IDS, etc. A bigger hurdle is the SDLC, but that is in process, where we intend to interject vulnerability scanning into the QA / release process. Security is everyone’s responsibility, and it is definitely the way to go, but it often leaves me with sane, predictable (and less interesting) days. The CISO-level role is also going to have to adjust – depending on the org it may not be hyperactive or needed full time in the weeds once the new model is in place. I am navigating those waters now – wish me luck.