Research

Just in case you thought supply and demand don’t apply to our little area of the world, think again. It is interesting to read about a $5,000 malware kit targeting Android. Dan Goodin digs into the specifics of the iBanking malware kit, the breadth of its capabilities, and how it proliferates (typically against users already infected with financial malware on their PCs); and resists whitelists to evade detection and prevention. But why does this particular package warrant such a high price? Market opportunity, of course. With the number of Android phones out there, the math indicates it is probably a worthwhile investment, especially given the number of folks doing mobile banking and commerce. See? Supply and demand. Econ 101, folks. Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device’s microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset. There is also a free version of iBanking available, but many attackers opt for the paid version which includes updates and support. That’s awesome, and nicely illustrates that software is software and freemium is a great market-building strategy. Whatever your product does… Photo credit: “excellent visual aid” originally uploaded by arianne Share:

We all fall into the trap of adopting industry lingo to describe various functions. But when you take a step back, and think about mental cues we need to perform our best, sometimes it makes sense to look at things a bit differently. We all call the function of dealing with an attack incident response now. To be clear, respond is a better word than react because it at least implies logical thought about how to respond. But the next step is to manage incidents. Integriography has a good post about this distinction, with an analogy that will warm Rich’s heart – comparing processes to Emergency Management. I knew I have heard that before somewhere… Tornados, earthquakes, fires, automobile accidents, heart attacks, and many more emergencies happen daily. Rather than treating these as one off incidents that require all hands on deck, emergency services plan, recruit, train, and respond in a very calm, business like manner because it is their normal business. Right. Dealing with attacks is our normal business. So it’s time we start managing to that. It is probably time to update our terminology to reflect this. (h/t to grecs, who pointed me to this post.) Photo credit: “Emergency” originally uploaded by michaelgoodin Share:

As Rich said in last week’s Summary, the blog will be quiet this summer because we are busier than we have ever been before. The good news is that new research and Securosis offerings are usually the result. But that does not stop us from feeling guilty about our lack of blogging. With that, I leave you with a couple thoughts from my world this week on a Friday the 13th: Picture an older Formula 1 car. Blindingly fast. Pinnacle of design in its day. Maybe Stirling Moss or Ayrton Senna drove it to victory. It’s still beautiful and fast, but you can’t race it today because it’s not competitive. It can’t be. In some cases the rules of F1 change so great technologies can no longer be used (i.e., ground effects). In other cases the technologies are longer state-of-the-art. You cannot – and should not – retrofit an old chassis. So what do you do with the car? Seems a shame to relegate an F1 car to the dustbin, but you can’t compete with it any longer. As part of our day jobs we get asked to review products and make suggestions on the viability of platforms going forward. Sometimes product managers want us to vet their roadmaps; sometimes we are asked to support a due diligence effort. Whatever the case, we occasionally find cases where a great old product simply cannot compete or be retrofitted to be competitive. Don’t get emotionally attached because it was the S#!$ in its day, and best not think too much about sunk costs – just go back to the drawing board. A fresh start is your only answer. There are many alternatives to passwords. Some outfits, like nospronos.com have recycled an old idea to do away with user passwords on their World Cup web site. Users each get a ‘secret’ URL to their web page, and a public URL to share with friends. Sound familiar? Public key crypto is the gist here: the user gets a private account, the web site does not need to store or manage user passwords, and they can still share content with friends. Good idea? In the short term it’s great, because by the time the users lose or leak passwords the World Cup will be over. It’s fragile, but likely just secure enough to work just long enough. Well, it would have if they had only remembered to issue HTTPS URLs. Oh well… sans passwords and sans privacy means sans security. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mortman quoted in “The 7 skills Ops pros need to succeed with DevOps”. Adrian quoted on Gazzang acquisition by Cloudera. Adrian to present on the Open Source and Application Security Survey next week. Favorite Securosis Posts David Mortman: Open Source development Analysis. Actually – we all selected the Open Source development Analysis this week. Wonder why? Other Securosis Posts Take our IT practices survey and win cool stuff (and free data). Incite 6/11/2014: Dizney. Summary: Summer. Cloudera acquires Gazzang. Favorite Outside Posts Rich: After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal. Our job isn’t to fix everything, but to manage risk and fix things in the right order. Mike Rothman: The CSO’s Failure to Lead. Is the inability to execute on a security program the fault of the CISO? Maybe. Maybe not. Causation is not correlation. Dave Lewis: ISS’s View on Target Directors Is a Signal on Cybersecurity. If you are keeping score at home we have a number of firsts: CIO dismissal, credit rating downgrade, CEO dismissal, and boardroom shakeup. That is a lot of firsts – this is a Sputnik moment for security. David Mortman: Here’s How You Pick the “Unpickable” Bike Lock. Adrian Lane: 10 things: #1 Parameterize Database Queries. Jim Bird is going through the OWASP Top 10 and explaining the whys and hows to protect against these issues. It’s a series, and this is the first post. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet?. Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts GameOver Zeus botnet disrupted by FBI, Microsoft 14-Year Olds Hack ATM With Default Password More Fun with EMV Adobe, Microsoft Push Critical Security Fixes iOS 8 to stymie trackers and marketers with MAC address randomization ‘NSA-proof’ Protonet server crowdfunds $1m in under 90 minutes SSL/TLS MITM vulnerability CVE-2014-0224 TweetDeck wasn’t actually hacked, and everyone was silly Can You Track Me Now? Blog Comment of the Week This week’s best comment goes to Marco Tietz, in response to the Open Source Development and Application Security Analysis. That is pretty cool, looking forward to your coverage. As I’m working with Sonatype right now on a couple of things, I can confirm that they know what they are doing and that they are in fact in a pretty unique position to provide insights into open source usage and possible security implications. Share:

Thanks to the cloud, mobility, and emerging practices like DevOps, I don’t think anyone would argue we aren’t in one of the most rapidly evolving IT eras since the emergence of the World Wide Web. Like it, hate it, or anywhere in between, everyone I speak with knows the winds have changed. Personally I believe these disruptions are more impactful than our first tenuous connections to the Internet but that’s fodder for another post. It is clear we don’t yet know fully how these advances will change existing IT practices across different kinds of organizations. That’s why we are partnering with JumpCloud to get a better sense of these evolving technologies; along with the impact of, and approaches to, internal practices and DevOps. This isn’t a vendor-licensed or -sponsored study. JumpCloud is on the operations side, Securosis on the security side, and we are both looking for a better idea of what’s going on out there, so we decided to partner up. You can take the survey here. As usual, we will release all the raw data (anonymized, of course) back to the community. We are also giving away cool stuff to random winners who complete the entire survey (and leave contact info). An Amazon Fire TV, Samsung Gear 2 Neo Smartwatch, or a Fitbit Flex. (We decided to change things up from the usual Apple giveaway). So please spread the word and take the survey. Share:

This week I will take a page from Adrian’s Friday Summary approach, and just offer a stream of consciousness about the recent trip the family and I took to DisneyWorld. We went down there to watch the girls dance in Downtown Disney. Their dance company does this every other year, which means we are down in Orlando doing the Disney thing every two years. Trying to be more present and aware in my daily life was interesting in a place like Disney. So let me start with a few observations. First of all, it’s expensive to hang out with the Mouse. We get a great deal on tickets to the parks and it still costs a metric crap ton of coin to be there for a couple days. Then you throw in food, bottled water, and the bargain $8 ponchos (which are a bargain during the 20 minute daily downpours) – and it’s not a cheap vacation. Next you have people of all shapes, sizes, nationalities, languages, cultures, etc. If you think America in general is a great melting pot, spend a little time at Disney. You see young and old. Extended families. Those from the US and those not. Newlyweds. Bachelorette parties and all sorts of other groups. Most of these families have group t-shirts on. I just don’t get that. Do you think they wear that T-shirt any other time? Okay, don’t answer that. Actually the best shirts we saw all week were on a family that said, “We don’t believe in family trip t-shirts.” On all 20 of them. Hilarious. The diversity you see is really cool. The downside for me is varying levels of hygiene. I have a pretty sensitive nose and it can get a little steamy in June in Orlando. So standing on line for 40 minutes to ride Peter Pan (I’m still peeved at XX1 about that) next to a group that don’t get deodorant is unpleasant to say the least. You can also see the impact of mobile technology. We let XX1 roam around EPCOT with her dance friends one of the days. We always knew how to get in touch with her. The expectation was that she would check in every hour or so. And worst case we could always use Find My Friends to see where she was. I noticed loads of people with heads down on mobile devices as they walked the park. They were missing the experience, but that’s the culture today. Same goes for folks who watch rides or their kids dancing through the viewfinder of a camera. That doesn’t work for me but it’s common. One dude got it right and had a GoPro camera affixed to his kid’s stroller. I guess to record the reactions to seeing Mickey and the like. That was pretty cool – like a second set of eyes. I didn’t see anyone with Google Glasses on, so there’s that. Last summer I rued missing XX1’s first experience riding a big roller coaster. I did make amends by doing the Rock and Roller Coaster with both the girls and then the Tower of Terror. The girls couldn’t be more different. XX1 was cursing up a storm on both rides (though she did ask before spewing profanity – manners first). I wonder where she got that from? The Daredevil (XX2) was laughing throughout both rides. And best of all, I was right next to the Boy as we rode the Everest coaster in Animal Kingdom. He was scared, like I was the first time I rode a coaster. Which was a little curious given he has no issue doing a 5-story drop at the water park. He cried a little as we boarded the car, much to the chagrin of the family behind us – who thought I was a monster forcing my son onto the ride. I was in his ear the whole time assuring him it was going to be great. As we made the first climb, he ducked a little to not see much of anything. Then we were off, and as he squeezed my hand through the backwards drop and as we pulled a G or 2 through the curves and drops. You know what? He survived. And he loved it! I loved being there right next to him as he experienced it. That’s what being a Dad is all about. The reason we went to Orlando also worked out marvelously. Despite raining pretty much all day, the sun came out and shined during their performance. And the girls shined as well. I have mentioned there are few things more gratifying than seeing your kids excel at something they are passionate about. So as long as they want to dance in Disney, I’ll be down there every two years, contributing to the Mouse economy and riding roller coasters with all my kids. And loving every minute of it. –Mike Photo credit: “Mickey Mouse Magician” originally uploaded by Alain The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 2 – Sputnik or Sputnot May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed

Earlier this year I participated in the 2014 Open Source Development and Application Security Survey, something I have participated in the last couple years. As a developer and former development manager – and let’s face it, an overtly opinionated one – I am always interested in adding my viewpoint to these inquiries, even if I’m just one developer voice among thousands. But I have also benefitted from these surveys – looking at the stuff my peers are using, and even selecting open source distributions based on these shared data points. Crazy, I know, but it’s another way to leverage the community. But I am equally interested in the survey questions asked, as they hint at what the sponsors are most interested in learning about their community. The organization that conducts this survey is Sonatype, and the 2014 survey was their 4th annual review of open source usage. This year’s survey was co-sponsored by Contrast Security, Rugged Software, NEA, and the Trusted Software Alliance. What piqued my interest is that this year is that I noticed more questions regarding security and vulnerabilities than in previous years. Even the name of the survey changed. But another interesting facet is that the survey was conducted right when OpenSSL’s Heartbleed vulnerability was discovered. It takes a lot for a security vulnerability to make mainstream news, but Heartbleed managed it. For any of you reading this who were not aware of it, OpenSSL is an open source implementation of the SSL protocol. The disclosure simultaneously illustrated that open source components are in use just about everywhere – across industries and organizations of all sizes – and disrupted IT practitioners’ blind faith in this ubiquitous cryptographic module. But Heartbleed is not the story here – the more interesting thing is how it affected people’s understanding of open source software and security. My question was “Did the vulnerability change the survey results?” In past years Sonatype provided us with a pre-briefing before they announced the survey results, and this year was no different. And after going through the survey myself I was extremely interested in the results. As we went through the data and discussed what it all meant, Sonatype said they were interested in getting someone to perform an independent analysis of the data. You don’t have to ask me twice – I jumped at the chance! As a security practitioner who has built software and managed development teams for a couple decades, I could offer some perspective. And we are beginning to see changes in developer attitudes and participation with security, not to mention a disruption of development approaches with DevOps, so I am eager to go through the data to better understand what developers are doing and what issues they face – in both security and product development. So over the next couple days I will discuss the results, with a focus on two key areas: Security Trends Analysis: The survey poses several questions about security and open source policies as they relate to security, vulnerability tracking, and responsibilities. We will examine tools usage, with trending data from prior years where applicable. Because the survey was conducted during the Heartbleed and Struts vulnerability disclosures, we can examine the data for important differences between responses, before and after disclosure. Development Trends and Operations Management: The survey data contains several important questions on development policies around open source management and use. These trends may not have specific security implications, but they impact how teams manage open source and the general quality of their releases. I will discuss trends in open source policy management, licensing, and security testing approaches; as well as where security testing occurs within the development process. I will highlight key takeaways and make recommendations. Finally, for those of you in security who are not familiar with Sonatype, think Apache Maven and Nexus. Their founder built Maven, which is probably the most widely used build automation tool out there. The company also builds the Nexus repository manager, used by over 40,000 organizations for storing and organizing binary software components, including management of policies for their use and automated health checks for security vulnerabilities. As the steward of the Central Repository, which handled over 13 billion requests for open source components last year, they are in a unique position to monitor use of open source development components – including version management, license characteristics, update frequencies, and known security vulnerabilities. This perspective helped them formulate the survey and reach the 3,300+ development professionals who participated. Next week I will cover the report’s security trend analysis. And if you’re interested I will also do a webcast with Brian Fox of Sonatype to discuss the highlights, comparing and contrasting our views on the results. Check it out! Share:

Rich here, When I grew up in New Jersey, summer didn’t really start until June 25th, the day we got out of school. It was weird to me when I moved to Colorado and school ended in May and started in August, but people also used the word “pop” to describe soda, so I figured it was a wacky cultural thing. These days I live in Arizona. Today is June 5 and the temperature should hit 110F. Yesterday it was over 90F by the time I finished breakfast. This. Is. Wrong. I think summer for us started somewhere around the end of January. We have since moved on to a fifth season I fondly call “Ohforfu**’ssakeum”. It isn’t in the books but I am working up a Wikipedia entry. Summer for my children will be very different than I what I grew up with. There’s no simple wandering around the neighborhood looking for your friends, because within a block their shoes will melt and adhere them to the middle of the street, only to be run over by an Amazon delivery truck or one of the 950 landscapers patrolling the area. They’ll get plenty of time at the pool but we need to keep a close eye on them and make sure they jump out every now and then to cool off in the air-conditioned bathroom. Arizona isn’t all bad. For most of the year the weather is about as perfect as you could want. Plus you save a lot on winter clothes. On the downside I miss sweatshirts, and the nearly 20 years I spent cultivating a fleece-based fashion identity is totally wasted. We will be spending a lot of time outside the state this summer. A trip to the Irish festival in Lawler, Iowa (no, I’m not kidding). Then the month of July in Boulder. Then Black Hat and DEF CON for me, and kindergarten for my oldest a week after I get back. But I’m sad for my kids. Summers growing up in Jersey could get pretty hot and muggy, but you could still wander around the neighborhood looking for other kids without having to refill your Camelback 8 times. Then again, rumor is no one lets their kids wander around and experience life any more, so I suppose it won’t make much difference that mine will do the same overly-structured activities as everyone else, but with better air conditioning. But if you make it up to the Irish fest, let me know, and vote for my kids in the Little Lass and Laddie contest. On to the Summary: A quick note: Our posting volume is down to balance some pretty insane demand for our services against family summer time. Don’t worry, we have cool things in store for you coming up. Besides, we still write more than pretty much anyone else who doesn’t get paid by page views. Webcasts, Podcasts, Outside Writing, and Conferences I wrote an article for Macworld on what I learned about upcoming Apple security from WWDC. Favorite Securosis Posts Adrian Lane: Firestarter: Sputnik or Sputput. Sputnik? Nyet! Mike Rothman: Firestarter – Even though I wasn’t there, the show must go on. And it did – admirably. Rich: Cloudera acquires Gazzang. Because it’s good analysis. And the only other thing we posted. Favorite Outside Posts Adrian Lane: Peek Inside a Professional Carding Shop. It’s a good read and I can’t help laugh at the clever use of the McDonalds meme. Mike Rothman: A Hacker Looks at 40. Really good post by Shack. Great to see gratitude, not whining. And there is no question Shack knows exactly who he is. Rich: Rob Graham asks Can I drop a pacemaker 0day? Very well thought out as usual, and hard questions society probably isn’t ready to deal with. Dave Lewis: John Oliver’s net neutrality rant may have caused FCC site crash. You really need to watch it – pure genius. David Mortman: Lego to produce female scientist minifig set. Finally. Gunnar Peterson: Adam Carolla versus patent trolls going after podcasters. Bonus outside link: it takes a minute, but pure awesome once you figure it out. Behold, this is the greatest GitHub software repository of all time. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts Another big OpenSSL bug. Violet Blue has good details. GameOver Zeus botnet disrupted by FBI. Network Security, Build To Fail. Mounties join crack down on Russian cyber crime. Pirate Bay Founder’s Computer Was “Hacked”, Investigation Reveals. US cybercrime laws being used to target security researchers. DARPA Cyber Grand Challenge Finale Set For DEF CON 2016. Share:

Today Cloudera announced that they have acquired Austin-based data encryption vendor Gazzang. From the press release: While Cloudera customers will continue to have a choice of a broad range of cross-platform data protection methods available from Cloudera partners, Cloudera now offers encryption for all data-at-rest stored inside the Hadoop cluster – using an approach that is transparent to applications using the data, thereby minimizing the costs associated with enabling encryption. Cloudera plans to focus the efforts of the Gazzang team on additional security challenges in Hadoop. The team will become the heart of the Cloudera Center for Security Excellence focusing exclusively on Hadoop security. The “Big Data” market is growing rapidly, and for good reason. The ability of leverage inexpensive NoSQL databases like Hadoop, running atop cheap commodity/cloud hardware, means companies can do all sorts of analysis that was previously economically unfeasible. From large enterprise to small startups, companies are adopting NoSQL platforms for just about every use case imaginable. And while these companies won’t necessarily admit to the presence of sensitive data on these clusters, it’s there. This creates a genuine need for security with NoSQL platforms, something which the open source community has not really delivered. If you remember our series on securing Hadoop and NoSQL clusters in 2012, one of our principal recommendations was to use transparent encryption for NoSQL. That’s because you get data security while still allowing big data to maintain scalability and input velocity. Those may seem like obvious requirements, but they are not givens for most security products. Gazzang is, at its core, is a transparent data encryption tool with key management. Enterprises are adopting big data solutions, despite what some mainstream publications have stated, but only when they can satisfy data security and compliance requirements. Cloudera’s ability to address the enterprise’s most critical security requirement – data encryption – directly on the platform is a big win for security sensitive customers. Even better, Gazzang’s transparent encryption scales right along with NoSQL clusters so Cloudera customers get data security at big data scale. Cloudera is one of a growing group that includes MapR, Hortonworks, Datastax and Zettaset, positioning security as a differentiator to enterprise customers. Bundling encryption and key management capabilities into platforms will make them faster and easier to deploy – a win for customers. I usually have a handful of risks and downsides for every acquisition, but it is hard to criticize this deal because there are not that many possible downsides. This is an astute acquisition by Cloudera. Share:

Mike is off giving a giant mouse all his money, so Rich and Adrian ran the Firestarter as a duo this week. The question of the day is: Are we in a Sputnik moment? Did the Target breach shake things up so much that security is moving up the chain? Or are these short-term reactions, which will fade with our memories of what happened? We keep these notes short, but here is a link to the Reuters article we mention. The audio-only version is up too Share:

I am a pretty upbeat person, and despite my tendency towards snark I am optimistic by nature. You might find that surprising, given my profession of computer and software security, but it’s not. I have gotten a daily barrage of negative news about hacks, breaches, and broken software for well over a decade now. Like rainwater off a duck’s back, I let the bad news wash over me, and continue to educate those interested in security. Sure, I have had days where I say “Crap, security on everything is broken – and worse, nobody seems to get it.” Which is pretty much what Quinn Norton said last week with Everything is Broken. But her article was so well-written that it got to me. It is a testament to the elegance and effectiveness of her arguments that someone as calloused as I could be dragged along with her storyline, right into mild depression. It didn’t help that my morning reading consisted of that and this presentation on how the Internet and always-on connectivity may be making our lives worse. Both offer a sober look at the state of security and privacy; both were well done, with provocative imagery and text. And I admit, for the first time in a long time, I allowed them to get to me. Powerful posts. I think most people in security get to this same point of frustration at some point in their career. Like Quinn, I try to un-frack my little corner of the world whenever possible. Perhaps unlike Quinn, I accept that this is a never-ending game. Culture is not broken – it is in its natural state between civilization and chaos. It just pisses us off that it’s our own government spending our tax money to create so much of the chaos. Computers and electronic systems are probably a bit more secure from Joe Hacker than they were in 2001 – about when I came to this realization – but government hackers and criminals are much better too. For most folks the daily grind is a balancing act, where things are only unbroken enough to work most of the time. Those of us in security think that if you don’t control your systems, they are essentially non-functional and broken. But for the people people who own the systems, software, and devices there are many competing priorities to worry about; so they put just enough time, effort, and money in to patch things up to achieve their acceptable level of dysfunction. In the balancing act I can apply some affect momentum, but not define the balance point. At least that’s what I tell myself as I swing in my hammock, shaking off the blues. On the totally opposite end of the spectrum is Shack. And thank $DEITY for that! His post this week – A Hacker Looks at 40 – is a classic. Reading it is like surfing the banzai pipeline. “First, the industry we’re in. WOW. What a shit show … Yeah, it is volatile, and messy, and changes all the time. Thank goodness.” It’s all that an more. Loved Shack’s #1 takeaway: Learn Constantly. That is one of Rich Mogull’s too. You may be tired of hearing about cloud, mobile, and big data as disruptive tech; and the term DevOps makes many wince, but once you jump in it’s awesome and exciting. What a great time to be in security! They say there is no such thing as bad press, but Ubisoft’s promotion of Watch Dogs got pretty close. Apparently they anonymously mailed a black safe to several media outlets, including Ninemsn. Locked, of course. Then they mailed an anonymous letter telling the recipients to check their voicemail. And left anonymous voicemail with the PIN to open the safe, but not before it started beeping. Cool, right? But Homer Simpson was not there to open the safe for them, so Ninemsn called the bomb squad. After the initial panic and clearing of the building, a copy of the new Watch Dogs game was found. Ah, good times! The presence of booth schwag is unconfirmed. I am just disappointed that the bomb squad wouldn’t say whether they liked the new video game or not. I mean, getting the word out was the whole point, right? On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted in Do you really think the CEOs resignation from Target was due to security?. Favorite Securosis Posts David Mortman: What You Need to Know About Amazon’s New Volume Storage Encryption. Adrian Lane: What You Need to Know About Amazon’s New Volume Storage Encryption. I say “Cheap, Fast, and Easy” wins, and AWS made volume encryption just that. Mike Rothman: What You Need to Know About Amazon’s New Volume Storage Encryption. Amazon is pushing things forward pretty quickly. Pay attention to their new stuff. And what Rich didn’t mention is that every time Amazon changes stuff, he has to update our CCSK training screenshots. So I think he’s secretly hoping for slower innovation… Other Securosis Posts Incite 5/28/2014: Auditory Dissonance. Translation Machine: Responding to (Uninformed) Bloggers. Summary: A Thousand Miles. Favorite Outside Posts Dave Lewis: ISS’s View on Target Directors Is a Signal on Cybersecurity. If you are keeping score at home we have a number of firsts: CIO dismissal, credit rating downgrade, CEO dismissal, boardroom shakeup. That is a lot of firsts – this is a Sputnik moment for security. David Mortman: Postmortem for outage of us-east-1. <– Joyent accidentally reboots an entire data center. Not a pure security issue, but input validation (or the lack thereof) strikes again James Arlen: TrueCrypt’s demise. Kees Leune nails the TrueCrypt thing in this post. Adrian Lane: A Hacker Looks at 40.. Mike Rothman: Tribal organizing (right and wrong, slow and fast). It has been a while since I linked to Godin. This is a good one about building a community – the right way. I love how he calls out folks for using invented urgency. We see that every day in security. Every. Single. Day. Rich: Why NSA Critics Are Wrong About Internet Vulnerabilities Like ‘Heartbleed’. I don’t agree completely with Aitel,