Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “Cleartext is Dead”, 2) “Building a Successful Infosec Career”, and 1) “The Logic of Purposely Using Poor English in Scam Emails”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
The Logic of Purposely Using Poor English in Scam Emails: I am not sure of the original source of this graphic but it illustrates an interesting analysis of why scam emailers actually use bad English on purpose. The off-kilter language serves as a simple method of filtering out the more highly desirable “gullible” marks from the rest of the crowd. As in the example graphic below, scammers only have to deal with one to two responses at a 70% conversion rate rather than 100 responses with only a 0.07% success rate. Mathematically it is simply a more efficient way to work. Now if we as operational defenders could only work such statistical magic to reduce all those false-positives we waste time on… Have any other interesting security stats we should share? Let us know in the comments below. (continued here)
Building a Successful Infosec Career: This article from DanielMiessler.com is one of the most well put together sets of suggestions for handling your infosec career I’ve seen in a while. I really appreciate the advice of forgoing all the newfangled “cyber” degrees and instead sticking with a traditional computer science one. Combine this with several years of hands-on experience in networking, system administration, and/or programming and you have one of the strongest foundations possible on top of which to build your infosec career. Creating this base harkens back to the old “if you can’t configure it, you can’t secure it” philosophy. (continued here)
Cleartext Is Dead: On Friday the Washington Post published a nice writeup covering how US defense contractor CloudShield worked with the Gamma Group in the UK to create tools that could easily plant spyware on adversary computers. Victims just needed to view a regular website over HTTP and the tools could inject one of 250 Trojans into the target computer. Of course the big take-away in defeating such attacks is to always use an encrypted channel. Yeah, it could be circumvented for a targeted attack but enabling encryption by default is our best defense overall. The general theme here as noted in the article is that “cleartext is just dead.” (continued here)
Heartbleed Leads to Health System Failure: Looks like my initial thoughts on how the industry overreacted to the whole Heartbleed thing were totally wrong. According to a post on TrustedSec, the infamous vulnerability and subsequent attacks were the cause of the recent Community Health Systems (CHS) breach that affected nearly 4.5 million patients. (continued here)
Hope everyone had a wonderful week! Have a great weekend!