If you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some of the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.
A Closer Look into the RSA SecureID Software Token: Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. (continued here) (@grecs: Wow, this is a major ding in their soft token market. Come on RSA … what were you thinking?)
Nmap 6 Released: The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. (continued here) (@grecs: Tons of new features and cool things to play with in their first major release in three years.)
New White House Cybersecurity Chief Largely an Unknown: Named late last week to replace Howard Schmidt as the top White House cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office of Management and Budget (OMB) and has been its intelligence branch chief for the past 11 years. (continued here) (@grecs: Makes sense, as intel guys don’t like to be out in the public too much.)
Anatomy of a hack: 6 separate bugs needed to bring down Google browser: An exploit that fetched a teenage hacker a $60,000 bounty targeted six different security bugs to break out of the security sandbox fortifying Google’s Chrome browser. The extreme lengths taken in March by a hacker identified only as Pinkie Pie underscore the difficulty of piercing this safety perimeter. (continued here) (@grecs: Awesome accomplishment by an extremely talented student. This guy is going straight to the pros.)
Notifying Users Affected by the DNSChanger Malware: Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, … (continued here) (@grecs: Huge mistake to even set these servers up in the first place. Now Google has to step in to hopefully warn enough people of them losing the interwebs.)
Our Blog Posts
Video of the Week – How DNS Works: DNS has progressed a long way from just being a file on your computer that maps domain names to IP addresses. We came across this fairly simple 2:27 video that explains the basics of DNS well. (continued here)
Kid Hacking – Learning to Program: The successes of several HacKid conferences and the first ever DefCon Kids last year got me thinking about starting to teach my kid a little bit more about computers than he probably learns in school. Programming seemed like the obvious choice to me, as that is where I started years ago. Yeah, it was only BASIC, but at least I learned the concepts. With a little bit of Googling, the top choice seemed to be a language called Scratch hosted over at MIT. At this point I didn’t really know much about it, so I put a call out to the Twitterverse since I know many of us have elementary-aged kids. (continued here)
“Infosec” Trademark Dampens Google’s Adword Revenue: Ok … so maybe the title is a little off … but it did dampen their revenue … at least some. Specifically, they’ve been losing $10 a day from us. A few weeks ago I decided to try the whole Google AdWords thing out to help spread the word about NovaInfosec.com. I signed up and muddled around trying to understand everything, and after a bit of stumbling around I was able to create an ad. It was nothing big, as you can see below. So at this point I was pretty happy and next went into generating keywords. This activity took a bit, but I came up with around 12 keywords that seemed to fit what I was looking for. It did take a while to come up with those 12 keywords though. (continued here)
Contemplating the Meaning of Offensive Job Postings: Huh? First there was the unspoken “O” word. Then it finally started making its way into speeches of high-ranking current and former government officials. And now it’s in job posts. Of course, a private company actually performing offensive activities would likely be illegal in most cases … although I’m sure there’s a sneaky way around that (e.g., re-terming it as “active defense” or something). However, most likely this person would be serving some government agency in some capacity … so who knows… It’ll be interesting to watch how “offensive” trends in the coming months and years. And with all this press I’m sure NG is getting lots of applications for this position. (continued here)
Poll: Would You Give Up Your Facebook Password for a Clearance?: So last week we did a post on the whole Facebook password turnover thing. Overall, legislation is popping up all over the place at the state and federal level preventing employers from asking for such information. Even though this practice has somehow crept in at some companies, clearly almost everyone is against it. A lot of people that I’ve spoken with recently around the DC area were pretty much dead against turning over passwords to an employer. The thing that I think makes DC a little different, though, is that much of our work involves some type of security investigation. (continued here)
NSA Looking to Train Students in Cyber Ops: The NSA has long run the National Center of Academic Excellence (CAE) program in Information Assurance Education (CAE-IAE) and more recently in Research (CAE-R); however, they are reaching into new ground by formalizing a new Cyber Operations (CAE-Cyber) distinction for colleges and universities. We’ve written about the CAE program before … and although it isn’t the be-all end-all, it’s definitely a good place to start if you are considering where to get your undergrad or graduate degrees. For the new CAE-Cyber program, so far the NSA has only designated four schools (highlighted below) as meeting its requirements. (continued here)
Is Moving-Target Defense a Security Game Changer?: I came across this interesting article and audio interview today on research being done on the topic of moving-target defense. Coined in 2008 as a game-changing technology in security, I’ve only recently been hearing about this concept and was looking for more details on the topic. This article from GovInfoSecurity.com provided a nice overview and followed with additional details in an 11-minute audio interview with one of the researchers that received a $1 million grant. The concept is based on the assumption that enterprise networks and systems generally remain static over time. (continued here)
Job: Senior Security Consultant in Washington, DC / Virtual: This challenging position from GuidePoint Security looks to be very flexible and provides great benes; however, 40% travel might be a little much for some. But if you want to see lots of places and meet lots of people … maybe this is the job for you. The benefits package includes 100% coverage on healthcare (don’t see that too often) with lots of goodies (e.g., MBA/MBP and an iPhone). They seem to be looking for a jack-of-all-trades type security person, so I see this as the type of job where if you don’t know it, you better be willing to learn on-the-fly. They also encourage speaking at conferences, so that may be a plus for some. The company has been around for a year and is based in Reston, VA. (continued here)
Hope everyone had a wonderful week. Have a great weekend! See ya!