Current Topic: Computer Security

People in the Loop: Are They a Failsafe or a Liability?

Topic: Computer Security
2:29 pm EST, Feb 10, 2012
This Dan Geer piece is a great read, with much food for thought. That being said, I'm only excerpting this quote because it gives me a smug self-flagellating feeling of awesomeness...

"cybersecurity is the most intellectually difficult profession on the planet"

Facing a cyber threat | Video | Reuters.com

Topic: Computer Security
10:55 am EDT, Jun 7, 2011
Reports of cyber attacks against U.S. companies by Chinese hackers cause concern within the U.S. government.
This video contains a sound bite from me, sharing my theory that China's activities in cyberspace are part of their deterrence strategy.

Can naming, shaming curb China cyber attacks? - Technology & science - Security - msnbc.com

Topic: Computer Security
1:28 pm EDT, Jun 6, 2011
They are also relentless, said Nick Levay, associate director of information security and operations at the Center for American Progress, a Washington think tank.

"Those who have been targeted by China have dealt with a certain level of persistence and seen these attacks take place over long periods of time, where all signs point back to China and it really feels like they're not even trying to hide that it's them anymore," he said.

Levay said Chinese cyber attacks noticeably escalated after the 2008 Beijing Olympics and "expanded pretty much across all sectors: the financial sector, the tech sector, the non-profits involved in government policy."

"So far when breaches occur, like the ones with Google, the people who were breached condemn the attacks and say they were attributable to China and China turns around and denies that anything happened at all," said Levay. "So far there hasn't been a downside for them (China)," he said, suggesting that cyberspace be made a formal part of military dialogue between the United States and China.

Siemens Provides Stuxnet Update | News | Automation World

Topic: Computer Security
12:42 pm EDT, Sep 23, 2010
Siemens has isolated the virus on a test system to carry out more extensive investigations. Based on previously analyzed properties and the behavior of the virus in the software environment of a test system, this does not appear to be the random development of one hacker, but the product of a team of experts. The company suspects that this team is comprised of IT experts with corresponding engineering knowledge of industrial controls based on the virus deployment in industrial production processes. The extent of the threat to industrial systems still posed by Stuxnet following the implementation of the security updates will, however, remain uncertain until further investigations into the Trojan and its mode of operation are complete. Siemens does not yet have any leads as to the source and origin of this malicious software, but analyses are ongoing.
This whole Stuxnet business is highly intriguing. For those not following it, I highly suggest Googling around about it. Bullets in the cyberwar are certainly whizzing by in all directions these days...

Chrome 6 Beta Boasts Stupid New Features

Topic: Computer Security
6:25 pm EDT, Aug 13, 2010
Chrome can also remember credit card numbers, but you have to explicitly add them in the autofill feature’s preferences.
This is "not smart". I can't wait for the shitstorm that comes when someone figures out how to phish cc#s from the browser without the user knowing it...

What The Fuck Is My Information Security Strategy?

Topic: Computer Security
1:41 pm EDT, Aug 4, 2010
What the fuck is my information security "strategy"?
Making it up so you don't have to

"Prioritize risk by training developers and facilitating executive support to invest in perimeter protection and log correlation"

For the WIN!

Chinese hackers launch “virtual jihad” against South Korea boy band fans | The Observers

Topic: Computer Security
4:24 pm EDT, Jun 11, 2010
Dozens of websites and forums that mention South Korean pop music have been hacked by Chinese web users. Why? Because of a stampede outside a Korean boy band's gig in Shanghai, which hackers say made a fool out of China.

The gig took place in the South Korea pavilion at the Shanghai Expo on 30 May. The band, "Super Junior", attracted thousands of fans, who queued for hours to get one of the 5,000 promised tickets. For reasons unknown, only 2,000 people were allowed in. So outraged were the thousands of devoted supporters left outside the pavilion, that they began a massive protest, allegedly trying to stampede a human police barrier and clawing at officers.

Chinese web users - in particular World of Warcraft players - took to the net to express their outrage over the "braindead" behaviour of the fans, known as K-fans. After much condemnation, it was decided that the forums and websites of pop bands and fans should be hacked. The plan, or self-described "jihad", came into action on Wednesday evening, and within an hour, it was reported that "all forums liked by Korean pop fans have now been blasted". Some 24 hours after the offensive, many of the 40 hacked pages, along with their varying degrees of offensive warnings, Chinese flags and porn, are still in place.

Ok, that's funny. :)

TaoSecurity: "Untrained" or Uncertified IT Workers Are Not the Primary Security Problem

Topic: Computer Security
2:58 pm EDT, Jun 10, 2010
I really like Richard Bejtlich. He is one of the few security bloggers that truly gets practical infosec.

There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done. The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve." This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros. My opinion? This is a jobs program for security training and certification companies.

Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers: Train Federal non-IT managers first.

What do I mean? Well, do you really think the problem with digital security involves people on the front lines not knowing what they are supposed to do? In my opinion, the problem is management who remains largely ignorant of the modern security environment. If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.

Let's say you still think the problem is that people on the front lines do not know what they are supposed to do. Whose fault is that? Easy: management. A core responsibility of management is to organize, train, and equip their teams to do their jobs. In other words, in agencies where IT workers may not be qualified, I guarantee their management is failing their responsibilities.

So why not still start with training IT workers? Simple: worker gets trained, returns to job, the following conversation occurs:

Worker to boss: "Hey boss, I just learned how terrible our security is. We need to do X, Y, and Z, and stop listening to vendors A, B, and C, and hire people 1, 2, and 3, and..."

Boss to worker: "Go paint a rock."

Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives. Unleash competent Blue and Red teams on their agencies, perform some tactical security monitoring, and then bring the results to a class where attendees sign a waiver saying their own activity is subject to monitoring. During the class shock the crowd by showing how insecure their environment is, how the instructors know everyone's Facebook and banking logins, and how they could cause professional and personal devastation for every attendee and their agency.

We need to help managers understand how dangerous the digital world is and let them allocate budgets accordingly.
I also like the fact that he frequently compliments my friends on their work. :)

Cyberattack on Google Said to Hit Password System - NYTimes.com

Topic: Computer Security
10:19 am EDT, Apr 20, 2010
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

In Google’s case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored. They then transferred the stolen software to computers owned by Rackspace, a Texas company that offers Web-hosting services, which had no knowledge of the transaction. It is not known where the software was sent from there.

The intruders had access to an internal Google corporate directory known as Moma, which holds information about the work activities of each Google employee, and they may have used it to find specific employees.
This fits with what I've seen of APT's MO. They consider valid user credentials to be their holy grail. Most of their efforts are focused on having a reliable source for valid credentials, which they then use to impersonate users for logging into webmail and using whatever means of remote access organizations provide to users.

It’s Cyberwar! Let’s Play Bingo! | Threat Level | Wired.com

Topic: Computer Security
12:19 pm EDT, Apr 8, 2010
While it’s clear from the cyberwar news that we are living in a war zone when we turn on our computers, we at Wired.com refuse to surrender — even at the risk of taking an e-bullet in the name of Freedom. So strap on your iFlak jackets and use this Wired.com CyberWar bingo card the next time you go to read a Cyberwar story.
Wonderful!