If you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.
FBI: Updates Over Public ‘Net Access = Bad Idea: The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms. (continued here) (@grecs: Wow, gonna start having to run things in a disposable VM when at hotels.)
Bitcoins Worth $87,000 Plundered in Brazen Server Breach: More than $87,000 worth of the virtual currency known as Bitcoin was stolen after online bandits penetrated servers belonging to Bitcoinica, prompting its operators to temporarily shutter the trading platform to contain the damage. (continued here) (@grecs: Tough business to be in if the product you’re holding gets stolen. No way to trace anything.)
Avira Antivirus Update Cripples Millions of Windows PCs: German security company Avira is experiencing serious technical difficulties. A defective antivirus update that has been downloaded millions of times is bringing Windows XP, Windows Vista, and Windows 7 computers to a screeching halt across the world, according to user reports. (continued here) (@grecs: Was much worse than just a bad signature set … it was the whole AV product.)
Byron Sonne Cleared of All Charges: If it can’t explode, can we call it an explosive? If you didn’t detonate an explosive, and you didn’t make an explosive, can you be guilty of possessing explosives? If you publicly announce that a fence can be climbed, are you encouraging people to climb that fence? Is it credible that a grown man would be passionate about model rocketry and gardening? (continued here) (@grecs: Tough time but glad to see him cleared.)
Best Buy’s Surprisingly Insecure Approach to New PC Setup: A basic rule of password-based security is “don’t write down your password.” A second rule might be “don’t train people to write down passwords.” And a third rule, which few follow, is “don’t adopt password policies that lead to people writing their passwords down” (over-aggressive change requirements often have this effect, for instance). Best Buy hasn’t received the memo, apparently. (continued here) (@grecs: Yes this was dumb but I see why they were doing it. Still doesn’t make it right though…)
Our Blog Posts
Video of the Day – IP for Peace: Ahhhh … a classic video from back in the day. Most of us have probably forgotten about it but maybe a new generation of infosec pros will find it useful. My favorite scene is the router at 3:15. Here are some of my other favorite quotes. (continued here)
Introducing the Site Formally Known as NovaInfosecPortal.com: For those that might not have noticed we changed our name from NovaInfosecPortal.com to NovaInfosec.com over the weekend. This whole transition started about two weeks ago when a few people at OWASP NoVA mentioned shortening it. Personally, I had to agree as it’s always been sort of a pain to spell it out to people. So last week we held a quick poll and after bugging enough people to vote on it, the results echoed the comments from the OWASP meeting with over 90% of people selecting to shorten it. The naming update process wasn’t too complicated as we chose the least obtrusive manner possible. It just involved changing the name of the site in the blog settings and redirecting any calls to novainfosec.com from there to novainfosecportal.com. (continued here)
Google, Privacy, & DuckDuckGo: I came across an article tweeted by @theprez98 about two months ago on an up and coming search engine called DuckDuckGo and was intrigued because their focus on privacy. And with all the kerfuffle on Google and their privacy practices, it seemed like a good time to check them out. Launched in 2007 they advertise not tracking users or bubbling up results based on a profiles. DuckDuckGo basically doesn’t recognize a user from one search to the next as they store almost nothing identifiable (not even your IP address or browser user agent strings). And by default search terms and other user information are not saved or passed along to resultant websites. Reviews have been very positive in terms of search results. They have their own crawler but mainly integrate results from other niche search engines from within particular verticals. (continued here)
Can Asking for Your Facebook Password Save the Economy?: If you haven’t heard already tons of state and federal laws are being written and/or have passed to address the recent string of stories about companies asking employees for their Facebook usernames and passwords as part of the interview process. And you thought just being asked to friend your boss was bad… Although some companies have been doing this for some time, the incident that brought it to national attention all started back in 2010 with Robert Collins. Back in 2010, Robert Collins was returning to his job as a security guard at the Maryland Department of Public Safety and Correctional Services after taking a leave following his mother’s death. During a reinstatement interview, he was asked for his login and password, purportedly so the agency could check for any gang affiliations. (continued here)
PHP Insecurity Notes: As part of some investigations I’m doing, I pulled together some quick notes on PHP security to chat about at the local NovaHackers meeting this past week. Overall, there seem to be a lot of great security features built into modern versions of PHP. Unfortunately, you need admins good enough to harden the software stack (e.g., OS, webserver, and PHP install) as well as great developers to program securely. And guess what? It still ain’t easy. Like almost any other application development effort if you want something really secure, you have to spend the resources to get it to that level. (continued here)
Duck … Duck … VI: Following-up from our post the other day on DuckDuckGo, I found they have a lot of nice search features beyond just their privacy benefits. In particular, one of the nice things I really like are the custom keyboard shortcuts. This really shows that they have kept the techie in mind when designing the search interface. They basically follow the familiar “vi” syntax to keep your hands on the keys for improved efficiency. There are dozens of different shortcuts but the bullets listed below provide a quick flow-based rundown of how I’ve been using them to cut through my workload faster. DuckDuckGo doesn’t do everything so I do still rely on a few Firefox-based shortcuts as well (i.e., the ones not bolded below). (continued here)
Hope everyone had a wonderful week. Have a great weekend! See ya!