I skipped the past few weeks … I mean months … however I am finally back for more with another Weekly Rewind post… If you missed anything or happened to be offline, we hope you find this post useful as a quick reference. For some of those readers that may not have noticed, I actually tack on commentary to the industry articles … so check out my italicized/bolded opinions and let me know if you agree in the comments.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.
INFOCON Yellow – Microsoft RDP – MS12-020: As we feared the MS12-020 bulletin from last black Tuesday caused a race for finding an exploit. The last few evolutions in that process cause our worries to increase significantly. In order to help raise awareness and call administrators to action, we’re raising our INFOCON to YELLOW for 24 hours. (continued here) (@grecs: I think this has only happened four or five times … ever.)
DuQu Mystery Language Solved With the Help of Crowdsourcing: A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues. (continued here) (@grecs: Ummm … it was C compiled in MS Visual Studio 2008.)
Meet The Hackers Who Sell Spies The Tools To Crack Your PC: At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin. (continued here) (@grecs: They didn’t give in for $60K of “chump change.”)
10 Women in Information Security That Everyone Should Know: While still outnumbered in the boardroom, especially in technology firms, women are making inroads within the tech field. In January, CEO Virginia Rometty became the first female to be given the top job at IBM. A few months earlier, former eBay chief Meg Whitman was asked to take over the CEO post at Hewlett-Packard. Despite these major milestones, technology remains a heavily male-dominated field, and even more so sectors like information security. (continued here) (@grecs: Congrats to @SecBarbie, @jjx, and @stacythayer.)
Can the NSA Break AES?: In an excellent article in Wired, James Bamford talks about the NSA’s codebreaking capability. “According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: ‘Everybody’s a target; everybody with communication is a target.’” (continued here) (@grecs: I’d say … probably not.)
How to Read and Act on the 2012 Verizon Data Breach Investigations Report: Verizon just published their excellent 2012 Data Breach Investigations Report, and as usual, it’s full of statistical goodness. As we did last year, we will focus on how to read the DBIR, what it teaches us, and how it should change what you do – we’ll leave the headline fodder for others to rehash. If you happen to check back to our old post you might notice a bit of cut and paste, because once we reach the advice section, many things are unchanged since last year. (continued here) (@grecs: Usual warning with corporate funded studies applies here.)
Our Blog Posts
Stalker App Strikes Back at iPhones & Starbucks: Smartphones Exposing WiFi Connections: Surprised there wasn’t more coverage on this story in the news on Friday… Basically, Mark Wuergler of Immunity Inc. found that the iPhone advertises the last three SSIDs it connected to, exposing the MAC addresses of those routers/access points as well. With this information anyone could then use a service like Google Location Services or Wireless Geographic Logging Engine to pinpoint exactly where a particular user has been. (continued here)
Mobile Password Managers … Fail: I found this report by ElcomSoft pretty interesting. You know all the password managers we rely on? Well the good folks over at ElcomSoft did an in-depth analysis of those that have mobile phone versions of their apps. Focusing on the iOS and Blackberry OSs, they ended up finding that many of the apps were not worthy of being used over the default device lock feature. (continued here)
Poll: What’s Your Favorite Locally Based Infosec Podcast?: With the various RSA “best of” awards behind us as well as part of an update to our infosec blogs/podcasts resource page, I thought I’d do a little poll to see what everyone’s favorite “local” podcasts are. To be considered “local” at least one member of the podcast must reside in the Metro DC area and regularly appear on it. In the survey below I’ve included several that we currently list on our infosec blogs/podcasts page as well as a few that people notified me of based on an earlier tweet I sent out. (continued here)
DoD – Information Assurance Scholarship Program: As we know, information assurance and information security are very important to our national defense. Last week, DoD published a final rule document executing an Information Assurance Scholarship Program (IASP) as part of helping to meet the expected future demand in this area. For those interested in becoming cybersec pros but who need tuition assistance, DoD might have a solution for you. (continued here)
Job: InfoSec Engineer in Chantilly, VA: If you have full tickets and are looking to find that next step in your career, here is something we came across. Doesn’t look too glamorous but definitely a good move for someone looking to expand their understanding of the security engineering side of things. Think mostly C&A, SSPs, ATOs, etc. And don’t forget … if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. (continued here)
Building an Infosec Career: A while ago, we talked about different ways one can jump-start a career in infosec. The first formal approach was the university way, which involved attending any of the CAE Schools, while the other approach was on-the-job training of existing employees. Jason Andress of EthicalHacker.net recently posted an article with similar arguments. In order for employers to meet the high demand for infosec professionals, Andress suggests employers can hire “out of the box” graduates with no experience in the IT field or can cross-train existing IT specialists. (continued here)
Where to Learn More about Infosec?: Well, we seem to be on a career kick the past few days… With this in mind I thought I’d point out another great piece of content – this time an 8 minute video – from InfosecCynic that he put out a few weeks ago. In this episode he answers the question “How do I learn more about infosec?” (continued here)
Hope everyone had a wonderful week. Have a great weekend! See ya!