If you missed anything or happened to be offline this past week, we hope you find this post useful as a quick reference. For those readers that may not have noticed, I actually tack on a bit of commentary to some of the industry articles – so check out my italicized/bolded opinions and let me know if you agree in the comments.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that I haven’t covered.
Largest-Ever Password Study: We Are All Idiots: The largest-ever study on user-selected password security shows that no matter how old you are or what language you speak, your password probably sucks. The study, conducted by Joseph Bonneau at the University of Cambridge, analyzed the password strength of about 70 million Yahoo users. (continued here) (@grecs: This data set is a few years old but still relevant.)
To Hide Android Malware Apps From Google’s ‘Bouncer’, Hackers Learn Its Name, Friends, And Habits: The antivirus scanner that polices Google’s Android Market is named Miles Karlson. It has one friend, Michelle K. Levin, and a cat. And it seems to be a fan of Lady Gaga. Those are a few of the many personal characteristics that security researchers Charlie Miller and Jon Oberheide have spent the last several months learning … (continued here) (@grecs: Very interesting research here.)
Google Starts Showing Users Alerts For Accounts Hacked By “State-Sponsored Attackers”: Here’s a message from Google some Gmail users can expect to see in the near future, and that the rest of us hope we never will: “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.” On Tuesday, Google announced in a blog post that it will now display that alert to users whose accounts it believes have been hacked by government-tied cyberspies. (continued here) (@grecs: Good … I guess … although not many details released yet on how they do it.)
Romney Team: Authorities Probe Possible Email Hacking: Authorities are investigating whether Mitt Romney’s private email account was hacked, his presidential campaign said Tuesday. The website Gawker reported Tuesday that an anonymous hacker had signed into Romney’s personal Hotmail account. (continued here) (@grecs: Will we ever learn that secret questions just do not work?)
8 million Leaked Passwords Connected to LinkedIn, Dating Website: An unknown hacker has posted more than 8 million cryptographic hashes to the Internet that appear to belong to users of LinkedIn and a separate, popular dating website. The massive dumps over the past three days came in postings to user forums dedicated to password cracking at insidepro.com. (continued here) (@grecs: I still can’t believe these password hashes weren’t salted. At least they are doing it now.)
Our Blog Posts
Forthcoming Book Claims US Created Stuxnet: This has been quite an active week. First Flame on Monday… That continued for a few days with everyone (except AV vendors) poo-pooing it later in the week. And now there are reports that we created Stuxnet. Of course all this comes in the form of a New York Times teaser story from a soon-to-be released (as in this coming Tuesday) book titled “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power” by David Sanger. Mmm .. something seems phishy here. (continued here)
NIST Reports 23 “Open Issues” in Cloud Computing: Last week NIST released Special Publication (SP) 800-146, Cloud Computing Synopsis and Recommendations. Weighing in at 81 pages, this document is the follow-on to infamous SP 800-145 that defines what a cloud is but goes further by defining its “characteristics.” It goes on to discuss issues with typical commercial terms of service (big, big, big problem here) as well as an introduction to general cloud environments (e.g., on-site vs outsourced and public vs private vs community). (continued here)
US Federal Employees’ Information Compromised: We’ve been reading about this for the past week or so. As a one-time federal employee with a TSP account, I imagine my stuff is out there now. Not good. Of course I’m guessing that my data was probably already out there through some other breach. Regardless, it’s pretty sensitive in this case with almost 40,000 names and associated SSNs tied together. (continued here)
Security Plays Key Role in Coming IT Skills Revolution: We really enjoyed this post from Computer World on preparing for the coming IT skills revolution. Infosec was mentioned throughout as being a great area for the foreseeable future. We also liked their analysis of whether to be a specialist or a generalist. The general thought was that at this point companies are looking for employees that have sufficient skills in two or three areas rather than specializing in just one. (continued here)
White House Announces New Botnet Initiatives: As we all know, botnets are collections of compromised computers widely used to maliciously generate spam, flood networks, or even relay viruses. It looks like we have some great news as the Obama administration has announced a series of initiatives to combat botnets (with a notable exception for Stuxnet and its siblings I guess 😉 ). DHS, DoC, the White House Cybersecurity Office, and the Industry Botnet Group (IBG) are collaboratively supporting these initiatives through several campaigns. (continued here)
LeakedIn Passwords Linked: LinkedIn has been having problems as of late. Earlier this week it was their iOS app sending calendar data back to their servers (bad) and further transmitting it unencrypted (bad, bad). And now it appears that around 6.5 million LinkedIn password hashes have appeared on a Russian forum. We usually don’t report on stuff like this; however, since we often post articles on managing your career, and LinkedIn is one way people do that, it seemed fitting. (continued here)
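Both the industry item on the 8 million leaked hashes and our LeakedIn post above come back to the same point: the hashes were not salted. The short Python script below is an added example (it is not from this post, from LinkedIn, or from any of the linked articles) that shows why that matters from the defender's side. It stores a constructed set of sample users two ways: with a bare, unsalted SHA-1 digest, and with a per-user random salt plus PBKDF2-HMAC-SHA256 (the salted scheme is our choice for illustration, not a claim about what any site uses). With the unsalted table, two users who picked the same password end up with the same stored value, so a leaked table immediately reveals shared and common passwords; with per-user salts, the same two users get unrelated values and each one has to be attacked on its own.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Optional

# Constructed sample accounts for the demo; not data from any breach.
# alice and bob deliberately share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one SHA-1 digest of the password, nothing else.
    The same password always yields the same digest for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """The hardened scheme: a fresh 16-byte random salt per user and a slow
    PBKDF2-HMAC-SHA256 derivation. The stored string carries everything
    needed to verify later: 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the check itself does not leak timing information."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_table(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Simulate the credential table a site would keep on disk."""
    hasher = hash_password if salted else unsalted_hash
    return {user: hasher(pw) for user, pw in users.items()}


def shared_hash_count(table: Dict[str, str]) -> int:
    """Number of accounts whose stored value is identical to some other
    account's. This is what an attacker reads straight off a leaked
    unsalted table; a salted table gives 0 even when passwords repeat."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    for salted in (False, True):
        table = build_table(SAMPLE_USERS, salted=salted)
        label = "salted PBKDF2" if salted else "unsalted SHA-1"
        print(f"{label}: {shared_hash_count(table)} accounts share a stored value")
        for user, stored in table.items():
            print(f"  {user:6s} {stored[:48]}...")
    # Verification still works against the salted table.
    stored = build_table(SAMPLE_USERS, salted=True)["carol"]
    print("carol login ok:", verify_password("hunter2", stored))
    print("wrong password :", verify_password("hunter3", stored))
```

Running it prints identical entries for alice and bob under the unsalted scheme and distinct ones under the salted scheme; the iteration count in the stored string also lets the site raise the work factor later without invalidating existing accounts, since each record says how it was derived.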
Dramatic Rise Expected in Future Infosec Workforce: As an extension to our post earlier this week, we came across another article that stresses the need for those with qualified IT skills. This time the post focuses exclusively on “cybersecurity” (everybody drink 😉 ) overall and discusses the various efforts the government is taking to get from the current 2.5 million infosec pros to the needed 4.5 million in two years. Yikes! It also mentions the need for “hunters and tool builders – the creative people who can identify the problems and develop answers.” (continued here)
Hope everyone had a wonderful week. Have a great weekend! See ya!