Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “NIST Cybersecurity Framework Workshop Recording Released”, 2) “Another Quarter of Infosec Joblessness”, and 1) “Announcing the ThreatAgent Platform – Drone, Exfiltrate, Breachbot, and More”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
Your Weekend Security Challenge: Password-Style: Ubiquitous two-factor authentication is still far off and in the meantime we are stuck with passwords. Unfortunately, passwords usually “suck” because most lay people just use the same password everywhere on the web, whether it be for accessing their bank and credit card accounts or joining a social networking site. Worst of all, this one password is most likely very weak … probably names or birthdays of family, friends, or pets or some other word of some significance to the user. Yeah, they might append a “1” or “.” at the end to get by sites with password complexity requirements … but these techniques are the first that any attacker would try. Have any luck getting one of your non-infosec friends or family to use a password manager? Let us know in the comments below. (continued here)
CISPA’s Secret Amends: We covered CISPA last year leading up to its defeat in the Senate … but it looks to be back and in the news again if you haven’t already heard. I find the title of this CNET article from Friday a little startling – “House to Amend CISPA in Secret.” Maybe there’s a good reason for this… Maybe not… I’m assuming that the resulting changes that come out of the “secret” session won’t be secret so privacy advocates and others should get their day. Anyone out there know … can there be “secret” laws? (continued here)
NIST Cybersecurity Framework Workshop Recording Released: Per the recent Executive Order 13636, the president called upon NIST to develop a framework that reduces risks for critical infrastructure. The first public workshop for creating this framework was held last week on April 3rd and NIST has just released recordings of the webcast. Thanks to Jack “@sintixerr” Whitsitt for retweeting this out. Six hours of content is definitely a lot to wade through but it may be worth it given the potential prominence of this framework for the foreseeable future. (continued here)
Another Quarter of Infosec Joblessness?: For those interested in closely following their job security in information security, the Bureau of Labor Statistics (BLS) always puts out some interesting quarterly data to look at. No, there wasn’t 0% unemployment as occurred from Q1 2011 through Q3 2012, but under 2% annualized isn’t too shabby. For the quarter, the BLS pegged joblessness at 5.8%; however, even they won’t vouch for that figure as the sample size was too small … hence the annualized percentage. (continued here)
What’s Behind that QR code?: I find it odd that these QR codes have been popping up everywhere. It’s especially scary to me when I see my friends’ children asking for their parents’ phone so they can scan some random QR code. I try to scare them a bit by saying they could get hacked but the overall goal is to just make them more aware of how promiscuous some of these codes could be. Anyway, Bhavesh Naik over at Infosec Institute put together a great summary of how these QR codes are put together as well as some security advice. (continued here)
WordPress.com Adds Two-Factor Authentication: It’s nice to see two-factor authentication catching on… Most recently it was Evernote double-timing their two-factor implementation plans and Apple’s deployment two weeks ago. And now WordPress.com is joining this movement according to an article on Help Net Security. Thankfully, they are just reusing the Google Authenticator App rather than requiring their own. They also support SMS as well. (continued here)
REMnux Malware Analysis Distro Updated: If you have an interest in malware analysis (like myself and some of our other writers), we have big news for you … Lenny Zeltser has just updated REMnux to version 4! For those that aren’t familiar with this great Linux distro, it is loaded with tools for static analysis as well as various services for simulating networks required for dynamic analysis. Grab the latest copy over at REMnux.org and let us know what you think of it in the comments below. (continued here)
Announcing the ThreatAgent Platform – Drone, Exfiltrate, Breachbot, and More: Joining the number of interesting online services we’ve covered in the past (e.g., Shodan, VPN Hunter, Exploit Search, Nmap-Online, and PunkSPIDER) is a new suite of tools by former NovaBlogger and DojoMeetup/DojoCon founder Marcus J. Carey. Marcus has since moved to Texas and now works for Rapid7 but it also looks like he’s doing a little side-gig with the recent announcement of ThreatAgent. Meant as a platform for launching their current and planned security tools, Marcus announced Drone several weeks ago as their first product but has since followed up with Exfiltrate and Breachbot as well as updates to Drone. Have you tried any of these ThreatAgent services and have any other thoughts? Let us know in the comments below. (continued here)
CISPA Committee Drops Amendment to Strip PII: We covered the pending secret session where a House committee was going to be potentially discussing classified information in order to come to an agreement on a version of the controversial Cyber Intelligence Sharing and Protection Act (CISPA) bill. Looks like it was productive as the committee recently released a revised version with an 18 – 2 vote. PCMag.com has a nice bulleted breakdown of the approved amendments. (continued here)
Hope everyone had a wonderful week. Have a great weekend!