Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “Draft Cybersecurity Executive Order ‘Leaks’ ”, 2) “Apple UDID Source Revealed by Local”, and 1) ”A Little Bit of PGP History”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
AppSecDC Makes it to Prime Time … or at least Vimeo: Hey … here’s something to do with your downtime this weekend between social events. As you may remember … the Open Web Application Security Project (OWASP) held its third annual AppSecDC conference right here in our backyard this past April. This was a much anticipated and talked-about conference, with speakers drawn straight from our Twitter followers and blog authors, including our very own @grecs. Now you can relive those moments or, for those who didn’t attend, see firsthand what it was all about. What did you think about the video? Post your comments below. (continued here)
Draft Cybersecurity Executive Order “Leaks”: Well, maybe not an official leak of the whole document that we can point you to, but some good paraphrasing has come about. Previously we briefly touched on the idea of the president using an Executive Order (EO) to implement some of his provisions after the failed legislation earlier this year. Since then this option looks more and more like the course of action the president will take. Overall, we find this EO idea fascinating, as it’s the first one most of us will probably live through … at least in our field as responsible adults. It’s sort of like the first impeachment some of us had to endure during the Clinton presidency. Should we really be using EOs to bypass failed legislative efforts? Let us know in the comments below. (continued here)
Seven Days & Counting for ISC2 BoD Petitioners: With less than 7 days left, it’s crunch time for the infosec community’s petitioners to get over that magic 500-signature mark so that they can appear on the upcoming ISC2 Board of Directors (BoD) ballot. First things first … if you are interested in change at the ISC2 and in reconnecting this organization to the professionals that live it, please head over to our petition tracking page and submit your electronic “signatures” to endorse as many of “The Four Horsemen” (@gattaca, @krypt3ia, @jadedsecurity, @indi303) as you feel appropriate. Let’s bring in some new blood and make the CISSP mean something again! Post your comments below. (continued here)
Apple UDID Source Revealed by Local: Looks like all the hard work paid off for local NoVA Blogger David “@darthnull” Schuetz, as he discovered the source of the Apple UDID leak last week. Apparently there’s a small Florida-based private company called BlueToad that touches a lot of what we do on our smartphones. David, who works with Intrepidus Group on mobile security, contacted BlueToad last week and they immediately began an investigation. Earlier today their CEO confirmed that the data was theirs and that the attack took place two weeks prior. So what about the other 11 million claimed UDIDs? Do they exist? If so, are they from the same source? Let us know in the comments below. (continued here)
Special Publication 800-40 Revision 3 Drafted: After seven long years, the National Institute of Standards and Technology (NIST) has finally updated Special Publication 800-40. Now in its third revision, titled Guide to Enterprise Patch Management Technologies (PDF), NIST encourages management to approach patching as more than just a core IT function and hopefully embrace security by identifying, acquiring, installing, and verifying security updates for systems and applications. What do you think of NIST’s latest guidance? Just documenting what people are already doing, or is there anything really new there? Let us know in the comments below. (continued here)
Monthly NIST Updates: Since our last article in August regarding NIST drafts, there have been several new publications that we thought we would summarize and bring to your attention. While most of these releases are the tried-and-true drafts or final versions of the Special Publications (SP) we are all familiar with, we did come across an ITL Security Bulletin as well. The topics addressed include cryptography, Bluetooth, incident response, and hashing. For the drafts we’ve also highlighted the date that comments are due. Are the NIST drafts helpful to you? Post your comments below. (continued here)
A Little Bit of PGP History: Over the weekend we came across the original post that Phil Zimmermann put out way back in 1991 on why he created PGP. In this section of the PGP User’s Guide, he touches on many topics we are all (still) too familiar with. Phil brings up the postcard vs. envelope comparison, mentions the safety-in-numbers concept, uses a fishing analogy to describe eavesdropping (perhaps a nod to his infamous “Bass-O-Matic” cipher), and quotes the often-heard “You shouldn’t care if you don’t have anything to hide” line. He also provides a nice history up until and beyond 1991 (yes, it was updated in 1998). In particular, Phil discusses such topics as CALEA, the beginnings of Einstein, the Clipper chip, (pseudo-)failed export controls, and the outlawing of non-approved crypto. Has that much changed in the past 20 years? Let us know in the comments below. (continued here)
Convincing US Airways Phish Related to BlueToad?: Yesterday we came across a pretty convincing phishing message purporting to be from US Airways. As you can see below, they’ve done their research. They know our location, as they mention Reagan National airport (DCA), and have even timed the message well, with the flight being for the next day. Now, I’ve never received a real US Airways confirmation message, so we’re curious what those look like. It would be interesting to compare the two. If there are any malware analysis experts out there, we’d appreciate your thoughts on what else we could have done. Just let us know in the comments below. (continued here)
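Beyond eyeballing the message, a few mechanical checks catch most phishes of this kind: the From, Reply-To, and Return-Path domains should agree, and the visible text of a link should match where it actually points. The script below is an added example for this post, not something from the original article or from the sender it imitates; the e-mail it parses is constructed for illustration (the domains, the 198.51.100.23 documentation address, and the paths are all made up), and the domain comparison is a deliberately crude last-two-label match rather than a public-suffix lookup.

```python
"""Triage checks for a suspected phishing e-mail (added example, not the blog's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating an airline confirmation; not a real message.
SAMPLE_EML = b"""\
From: "US Airways - Reservations" <reservations@usairways.com>
Reply-To: confirm@usairways-checkin.example
Return-Path: <bounce@mail-sender.example>
To: traveler@example.org
Subject: Your flight from DCA tomorrow
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your flight from Reagan National (DCA) departs tomorrow.</p>
<p><a href="http://198.51.100.23/usairways/checkin.php">https://www.usairways.com/checkin</a></p>
<p><a href="https://www.usairways.com/help">Help</a></p>
</body></html>
"""

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value):
    """Domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def check_link(href, text):
    """Flag raw-IP targets and links whose shown URL differs from the real one."""
    findings = []
    host = urlparse(href).hostname or ""
    if IP_RE.match(host):
        findings.append(f"raw IP address in link: {href}")
    shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append(f"link text shows {shown} but points to {host}")
    return findings


def triage(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_dom = address_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = address_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            findings.extend(check_link(href, text))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run against a saved `.eml` file by passing its bytes to `triage()`. The checks are signals, not a verdict: a legitimate bulk mailer will often have a Return-Path on a different domain, which is why the output lists each finding separately instead of scoring the message.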
‘Plan X’ Proposers’ Day Workshop Delayed: A few weeks ago we published an article on DARPA’s ‘Plan X’ program, and in it we mentioned the Proposers’ Day Workshop. Unfortunately, it has been postponed … but that’s good, we guess, as there’s so much interest in it that they had to rejig their plans. Initially planned as two sessions on a single day, it will now be held over two days, October 15th and 16th. What do you think of the legality of the government deploying offensive cyber-technology? Let us know in the comments below. (continued here)
Shamoon Has Been Cancelled: I wish the security vendors would rename this recent strain of malware attacking oil and utility companies in the Middle East. Every time I see a story about it I immediately read it as “ShmooCon” and think there’s some big new announcement. Unfortunately, although The Shmoo Group announced the dates and location a few weeks back, there haven’t been any more details released. My second reaction is to read it as “Shamu,” and maybe that’s more appropriate given that she’s a killer whale. In this case the “Shamoon” malware “kills” the data on the machines it infects. Now, I’m no expert on this new malware, but fellow NoVA Blogger Richard “@taosecurity” Bejtlich had this to say in a recent interview with DarkReading.com. What do you first think of when you read articles about ShmooCon? Let us know in the comments below. (continued here)
Cyber Attack Is the New Black: Lately there seems to be a highly focused intent on cyber warfare. Offense, defense, sit on the bench … the government wants to get in the game and not just be part of a fantasy league. The government’s newest revelation is to build a “virtual community that would prompt computers worldwide to instantly, en mass, suppress cyberattacks, sometimes without humans at the keyboard.” Do you think that anything that requires worldwide buy-in could become a reality? Let us know what you think in the comments below. (continued here)
Hope everyone had a wonderful week. Have a great weekend!