If you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some of the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.
How Apple and Microsoft Armed 4,000 Patent Warheads: In many ways, Scott Widdowson is your typical electrical engineer. Most days, when the weather’s good, he bikes the 15 miles along the Ottawa River to his company’s offices in the west end of the Canadian capital. Once there, he settles in for a day of reading technical specifications, poring over computer textbooks, or prying apart consumer electronics — logic probe in one hand and a soldering iron in the other. (continued here) (@grecs: This sort of activity just seems wrong. Maybe a future blog post…)
Flame: Massive Cyber-Attack Discovered, Researchers Say: Russian security firm Kaspersky Labs told the BBC they believed the malware, known as Flame, had been operating since August 2010. The company said it believed the attack was state-sponsored, but could not be sure of its exact origins. They described Flame as “one of the most complex threats ever discovered”. (continued here) (@grecs: Started as a big to-do … now everyone seems to be poo-pooing it. Still pretty bad if you are one of the targeted though…)
Top 374 Keywords the U.S. Government Monitors: Three months ago, a list of keywords was released by the Dept. of Homeland Security after the Electronic Privacy Information Center (EPIC) sued the government for withholding the document. The story has been stirred up again by a couple of recent media reports, which have gotten the social networks sharing them like wildfire. This got me thinking. (continued here) (@grecs: Blogged about this … probably not the best solution however there aren’t any better options out there.)
Alan Turing Papers on Code Breaking Released by GCHQ: It is believed Turing wrote the papers while at Bletchley Park working on breaking German Enigma codes. A GCHQ mathematician said the fact that the contents had been restricted “shows what a tremendous importance it has in the foundations of our subject”. It comes amid celebrations to mark the centenary of Turing’s birth. (continued here) (@grecs: Older story but this article resurfaced this week… Turing may have bested both Tesla and Einstein.)
How a Trio of Hackers Brought Google’s reCAPTCHA to Its Knees: Google revamped its reCAPTCHA system, used to block automated scripts from abusing its online services, just hours before a trio of hackers unveiled a free system that defeats the widely used challenge-response tests with more than 99 percent accuracy. (continued here) (@grecs: They couldn’t break the “visual” captcha so they attacked the “audio” captcha instead.)
Our Blog Posts
Video of the Day – You Down With BGP?: Kind of cheesy but does a pretty good job of explaining Border Gateway Protocol to the tunes of some old school Naughty by Nature. It’s under 5 minutes so it shouldn’t be too painful. The video was part of the campaign against SOPA, PIPA, and ACTA several months ago. Some of my favorite lines include: You do a trace and then you notice there’s a routing loop? There’s no room for adjacencies, there’s just room to ROUTE IT! If you want to read along during the song (or are brave enough to try to karaoke it), check out the lyrics here. (continued here)
Kid Hacking – Learning the Computer: As a follow-up to our recent post on teaching your kids some intro programming, I thought I’d also put out some notes on introducing the kiddos to computers in general. A while back I put out a call on the NoVAHackers distro list for Linux OSs that kids could learn on. The two most popular recommendations were Qimo and Edubuntu. Both of these distros have tons of learning-to-program games as well. The big difference between them is that Qimo was designed for stand-alone computers while Edubuntu was designed for networked computers in a classroom environment. (continued here)
More Google Adwords Bans: In light of my recent complaint of not being able to post a Google Adwords ad with the term “infosec,” I thought this article, titled “Google sees ad bans top 134 million,” seemed relevant. I’m all for banning ads leading to malware but the term “misleading” is … well … misleading … in an overly broad sense. I’m sure the Adwords Terms of Service makes it much clearer. Further down the article notes that they ban users for trademark violations such as those attempting to advertise counterfeit items. Ummm? I wonder who I’d be trying to counterfeit with the term “infosec?” (continued here)
Facebook/Twitter Cause Workforce Shortage at NNSA: The National Nuclear Security Administration (NNSA) faces a major fallout in recruiting, developing, and retaining a federal and contractor workforce. Although the NNSA is known for recruiting young professionals and paying competitively, a recent study by the Government Accountability Office (GAO) reports that the NNSA might soon face a shortage of skilled workers. The report found that the lack of social media access within the NNSA confines to be the primary contributor to this finding. The younger professionals simply do not want to be unplugged from their familiar social tools. (continued here)
Stuxnet, Duqu, & Now Flame: Unless you’ve been off the interwebs this weekend, the big news is Kaspersky’s recent discovery of potentially the next Stuxnet and Duqu. Named Flame … it’s being called an “industrial vacuum cleaner” based on its data collection activities. Kaspersky discovered Flame as part of its Skywiper analysis associated with compromised computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company. Although Flame’s goals are quite different from Stuxnet and more in line with Duqu, it’s made a massive impact across the Middle East and Eastern Europe. (continued here)
Keyword Monitoring’s Lost Cause: I’m sure you’ve read about the recent publishing of 374 keywords that our government recommends monitoring for on social networking sites. For a quick list of the cyber security related words, click the image to the right. After three months of legal wrangling, EPIC was finally able to obtain this listing as part of a previously denied FOIA request. Although governments have been doing this for decades … and vendors have been offering solutions for this type of monitoring as part of their DLP offerings, the idea of triggering an alert based on some set of keywords without any context just does not work. (continued here)
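To make the “no context” point concrete, here is a small added example (mine, not part of the original post or the DHS document). It runs a context-free keyword rule and a slightly smarter co-occurrence rule over a handful of constructed posts; the watch list, the intent phrases and the posts are all illustrative assumptions, not the real 374-word list, and the labels on the posts are hand-applied.

```python
import re

# Illustrative watch list, constructed for this example (not the DHS list itself).
WATCHLIST = {"virus", "cloud", "attack", "exploit", "breach", "malware", "outage"}

# Phrases that suggest an actor rather than a bystander talking about an incident.
# Also constructed; any such list is incomplete, which is part of the point.
INTENT_PATTERNS = [
    r"\bselling\b", r"\bfor sale\b", r"\bdm me\b", r"\bproof of\b", r"\bworking exploit\b",
]

# Constructed sample posts with a hand-applied label:
# True = actually worth an analyst's time, False = benign chatter.
SAMPLE_POSTS = [
    ("Ugh, my laptop caught a virus again. Restoring from my cloud backup tonight.", False),
    ("Power company handled that outage well, crews had the lights back in an hour.", False),
    ("Watching the game, our defense just cannot stop their attack.", False),
    ("Selling working exploit for the bank's customer portal, proof of breach on request, DM me.", True),
]

WORD_RE = re.compile(r"[a-z']+")


def keyword_hits(post, watchlist=WATCHLIST):
    """Return the watch-list words present in a post (case-insensitive, whole words)."""
    return sorted(set(WORD_RE.findall(post.lower())) & set(watchlist))


def naive_alert(post):
    """Context-free rule: any keyword hit is an alert (the approach the post argues against)."""
    return bool(keyword_hits(post))


def contextual_alert(post):
    """Require a keyword hit AND an intent phrase in the same post.

    Still a heuristic, and easy to evade or to mis-fire on, but it shows how much
    of the noise comes from matching words with no notion of who is saying them and why.
    """
    text = post.lower()
    has_intent = any(re.search(pattern, text) for pattern in INTENT_PATTERNS)
    return bool(keyword_hits(post)) and has_intent


def evaluate(rule, posts=SAMPLE_POSTS):
    """Count true positives, false positives and misses for a rule over labelled posts."""
    tp = fp = fn = 0
    for text, interesting in posts:
        fired = rule(text)
        if fired and interesting:
            tp += 1
        elif fired and not interesting:
            fp += 1
        elif not fired and interesting:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {
        "alerts": tp + fp,
        "true_positives": tp,
        "false_positives": fp,
        "missed": fn,
        "precision": precision,
    }


if __name__ == "__main__":
    for name, rule in (("naive", naive_alert), ("contextual", contextual_alert)):
        print(name, evaluate(rule))
```

On these four posts the naive rule fires on every one of them (three false positives, precision 0.25), while requiring a second, intent-bearing signal in the same post fires only on the one that merits a look. Real feeds are far noisier than four hand-picked lines, so the naive precision in practice is worse, not better.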
Never Decide … Advise: As you progress higher and higher in your infosec career you’ll start to see that people stop blowing you off and actually start listening to what you say. It can be quite startling when this happens the first time. With this power comes great responsibility though. Tell that corporate suit what to do and you may be needlessly putting your accomplished career out on the line. Later if you-know-what hits the fan, they have the perfect out by just blaming you. Now this isn’t a post about avoiding blame and not being responsible for your decisions; it’s about being smart and not sticking your neck out on the line where it really shouldn’t be … and that’s making business decisions in this case. (continued here)
Hope everyone had a wonderful week. Have a great weekend! See ya!