Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “Will Selling Your 0-Days Soon Be Illegal?”, 2) “Recommended Presentations from Cyber Defense Summit 2014”, and 1) “Stop Blaming Users for Choosing Dumb Passwords”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
Painful Lessons from the Cloud: The media is in a tizzy over the latest celebrity kerfuffle. Seems that nude photos of some prominent actresses were posted on 4chan on August 31st. The interesting part of the story is the claim that hackers obtained the material through an iCloud hack. Media reports have focused on a (recently patched) vulnerability in the “Find My iPhone” service that left it open to password brute-force attacks, leading to the compromise of Apple IDs. Apple fixed the bug two days after security researcher Alexey Troshichev reported the vulnerability and released an exploit called iBrute. (continued here)
Inventing Email: There’s a feud going on between The Huffington Post and some guy claiming to have invented email in 1978. Arguments aside … what I found interesting was a bit of history on the invention of email. (continued here)
Recommended Presentations from Cyber Defense Summit 2014: I wasn’t at the SANS Cyber Defense Summit (full agenda – pdf) last month but found some of the presentations interesting as you might expect. No videos have been released as far as I know but here’s a quick link to the slides. My favorite decks included “OODA Security” by Kevin Fiscus, “Developing Cyber Threat Intelligence” by Adrien de Beaupre, and “Delivering Security from the Cloud” by John Pescatore. What were your favorite slide decks? Let us know in the comments below. (continued here)
The Sad Truth About Breaches: We’re All Target: Recently, a writer from a B2B technical publication, who occasionally uses me for comments on the industry, emailed me a question about the epidemic of security breaches. She wanted to know if better network security could have prevented or mitigated many of them. I thought about my response a long time and then sent the following: (continued here)
Will Selling Your 0-Days Soon Be Illegal?: We covered this Wassenaar Arrangement thing before. The latest version of the agreement added 0-days, exploits, and backdoors to the list of regulated, export-controlled “dual-use” technologies. Previously, the US had not recognized these most recent additions, but that is all changing come later this month according to a recent Federal Register notice (pdf). The notice states that, as of August 4th, the US will adopt the changes made to the list of dual-use items in December 2013. The cybersecurity category is getting a bit more time, with further guidance and details coming in a separate “rule” in September. So … it looks like you’ll soon need an export license to sell your 1337 0-days to foreign entities. (continued here)
Stop Blaming Users for Choosing Dumb Passwords: Microsoft put out a nice paper (pdf) last week countering many of the common password-authentication best practices. The main point is that we need to stop blaming users for choosing dumb passwords (they just don’t care) and instead beef up our defenses against password-based attacks. The last paragraph pretty much sums up what we as an industry need to start doing. (continued here)
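The iCloud story above and the Microsoft paper make the same point from two sides: an online guessing attack only works when the login endpoint will happily check guess after guess, and the fix belongs on the server, not in the user's head. The following is an added example, not code from this post, from Apple, or from the Microsoft paper, and it makes no claim about how "Find My iPhone" was actually implemented. It simulates a wordlist attack against a login endpoint with no throttling and then against the same store behind per-account lockout plus a per-source rate limit. Every user name, password, IP address, wordlist entry and threshold is constructed for illustration.

```python
"""Constructed simulation: online password guessing against an unthrottled
login endpoint, then against one with lockout and per-source rate limiting.
Added example; the users, passwords, IPs and thresholds are all made up."""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed wordlist in the order an attacker might try it.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123", "111111",
            "letmein", "monkey", "dragon", "baseball", "iloveyou", "trustno1",
            "sunshine", "princess", "welcome", "shadow", "football", "master"]


class PasswordStore:
    """User database holding salted PBKDF2 hashes rather than plaintext."""
    ITERATIONS = 2_000  # kept low so the simulation runs fast; use far more in production

    def __init__(self):
        self._users = {}

    @classmethod
    def _hash(cls, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(salt, password))

    def check(self, user, password):
        record = self._users.get(user)
        if record is None:
            self._hash(b"\0" * 16, password)  # same cost for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._hash(salt, password))


class FakeClock:
    """Deterministic clock so lockout expiry can be tested without sleeping."""
    def __init__(self):
        self.now = 1_000.0

    def __call__(self):
        return self.now

    def tick(self, seconds):
        self.now += seconds


class UnthrottledLogin:
    """Vulnerable form: every guess is checked, so each candidate costs one request."""
    def __init__(self, store):
        self.store = store

    def login(self, user, password, source_ip):
        return "ok" if self.store.check(user, password) else "bad-password"


class ThrottledLogin:
    """Hardened form: lock an account after repeated failures, and cap failures
    per source so one IP spraying a single guess across many accounts is cut off too."""
    def __init__(self, store, clock, max_failures=5, lockout_seconds=900,
                 source_limit=20, window_seconds=60):
        self.store, self.clock = store, clock
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.source_limit, self.window_seconds = source_limit, window_seconds
        self.account_state = {}                   # user -> (failure count, locked_until)
        self.source_failures = defaultdict(list)  # source ip -> recent failure timestamps

    def login(self, user, password, source_ip):
        now = self.clock()
        recent = [t for t in self.source_failures[source_ip] if now - t < self.window_seconds]
        self.source_failures[source_ip] = recent
        if len(recent) >= self.source_limit:
            return "rate-limited"
        failures, locked_until = self.account_state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"  # refused even for the right password until the lock expires
        if self.store.check(user, password):
            self.account_state[user] = (0, 0.0)
            return "ok"
        recent.append(now)
        failures += 1
        if failures >= self.max_failures:
            failures, locked_until = 0, now + self.lockout_seconds
        self.account_state[user] = (failures, locked_until)
        return "bad-password"


def brute_force(service, user, guesses, source_ip):
    """Run the wordlist against one account; return (first result that is not
    'bad-password', number of requests sent)."""
    for n, guess in enumerate(guesses, 1):
        result = service.login(user, guess, source_ip)
        if result != "bad-password":
            return result, n
    return "exhausted", len(guesses)


def demo():
    store = PasswordStore()
    store.add("alice", "princess")            # constructed weak password, 14th in WORDLIST
    clock, attacker_ip = FakeClock(), "203.0.113.7"
    open_result = brute_force(UnthrottledLogin(store), "alice", WORDLIST, attacker_ip)
    hardened = ThrottledLogin(store, clock)
    throttled_result = brute_force(hardened, "alice", WORDLIST, attacker_ip)
    clock.tick(hardened.lockout_seconds + 1)  # lock expires; the real owner gets back in
    owner_login = hardened.login("alice", "princess", "198.51.100.9")
    return open_result, throttled_result, owner_login


def password_spray_demo():
    """One source trying a single common guess against many accounts: the
    per-account lockout never fires, but the per-source limit does."""
    store = PasswordStore()
    users = [f"user{i:02d}" for i in range(25)]
    for u in users:
        store.add(u, os.urandom(8).hex())     # random passwords, so the guess never hits
    hardened = ThrottledLogin(store, FakeClock())
    results = [hardened.login(u, "password", "203.0.113.7") for u in users]
    return results.count("bad-password"), results.count("rate-limited")


if __name__ == "__main__":
    print(demo(), password_spray_demo())
```

Against the unthrottled endpoint the attacker lands on the 14th guess; against the throttled one the account locks after the fifth failure and the sixth request is refused outright, while the legitimate owner still logs in once the lock expires. The spray case is why the per-source limit is there: lockout alone does nothing when each account sees only one guess. Lockout also hands an attacker a cheap way to lock the real user out, which is why production systems usually prefer escalating delays, second factors and source reputation over a hard lock; the simulation is only meant to show where the defense has to live.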
Because Information Security Is Like a Steaming Pile of Dog Poo….: In the midst of all the news about the Home Depot breach, Bloomberg released an interesting follow-up story about the JPMorgan Chase compromise in June. For Greg Rattray, who had just started as CISO, it was an inauspicious beginning. The previous individual in that role had exited, following about five other senior execs, to join First Data Corp. Seems like the position was vacant for a few months while the bank tried to fill the role. (continued here)
Video of the Week – Forgot Password: A few days ago @joeklein tweeted this video titled “Forgot Password.” Yeah, it’s a comedy routine but it does provide a good perspective on how average people view all those complex passwords and other authentication rigmaroles we force upon them. (continued here)
Hope everyone had a wonderful week! Have a great weekend!