• My Tweats

    • Flickr Photos

    Sunday Information Security Links

    Jeff Hayes has Lock Picking Analogy:

    In the world of locks, the same premise holds true. Some locks are designed and tested much better than others. The lock picking hobbyist — the lock hackers — do us all, including the manufacturers, a service in assessing the security of these products. If the manufacturer demonstrates a weak design and QA process, then society at large is fully in its rights to bring those flaws to light.

    He also has a post on the principle of Least Privilege:

    The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. This is done to enhance protection of data and functionality from faults and malicious behavior.

    Some things make me want to change fields: Security Focus on Quantum Computer Security:

    In the weird world of quantum computing, the state of computer systems networked together is so fragile that a read access to a single quantum bit, or qubit, on one machine would require a network-wide reset. It’s no wonder, then, that two researchers who are working on ways of defending against the future possibility of malicious attack assume that any unauthorized access to a quantum computer constitutes a catastrophic failure.

    Quantum computers make use of quantum physics, the rules of subatomic particles and light, to create a computing system. Where a classical computers uses binary values of 0 and 1, a quantum system can be in a state that represents either 0 or 1, or a probabilistic blend of both states, known as a “superposition,” so that it has the potential to be either 0 or 1 with its value only be determined at time of measurement. These quantum bits of information, or qubits, essentially take on all possibilities until measured, when the state of the qubits collapse to an actual value.

    The science behind quantum computing gets even weirder…

    There is no telling what such an attack might look like. Destroying data or circumventing a calculation on a quantum computer is the easiest course. Attackers could operate a rogue computer on the quantum network or coopt the communications line, he said.

    “We deliberately stay away from specifics of malware, such as Trojan horses, et cetera,” Lidar said. “So, quantum malware to us just looks like any malicious instruction set sent to an attacker.”


    Multiple Sources for Boarding Passes And Bad Security: Here, here, here, and here:

    Last week Christopher Soghoian created a Fake Boarding Pass Generator website, allowing anyone to create a fake Northwest Airlines boarding pass: any name, airport, date, flight. This action got him visited by the FBI, who later came back, smashed open his front door, and seized his computers and other belongings. It resulted in calls for his arrest

    WatchYourEnd has USB Flash Drives Contain Evidence of a North Korean Spy Ring:

    A pro-North Korean group is under increased suspicion in South Korea, of providing a significant amount of information, including state secrets, to Pyongyang recently after large amounts of evidence were found on USB flash drives in their offices.

    Dark Reading on Strategic Security:

    Most C-level executives still view security as an operational issue, not a strategic issue, according to “Navigating Risk: The Business Case for Security.” The study, which researched the attitudes of some 213 top-level corporate, non-security executives, found that most security organizations are still operating in silos that are far removed from their highest-ranking decision makers.

    Despite frequent news about security breaches, most C-level executives report that they still have little direct responsibility for most aspects of security. And the few executives who do understand the issues often do not have the influence needed to do something about it.

    Dark Reading: Increasing Spam With New Malware Techniques:

    Unlike traditional methods of spamming, where each botnet sends out spam emails one at a time, SpamThru uses templates that lets them send millions of emails from a single bot-infected computer, MessageLabs’ Wood says. “The template approach is the equivalent to a mail merge.”

    What can be done:

    • Corporate firewalls should only allow mail servers to send email out along with desktop firewalls controlling applications and traffic.
    • ISPs should require residential accounts to only relay email through them (with authentication).
    • Shared Distributed Blackholes of IP space that can dropped at perimeters
    • InfoSec Lawfare against enablers of bots.

    Security Focus on Employee Privacy, Employer Policy:

    Mark Rasch looks at two recent court cases where an employee’s reasonable expectation of privacy was more important than the employer’s ability to read any employee’s e-mail – despite a privacy policy that clearly stated any company e-mail can, and will, be monitored.

    A book review of Identity Crisis (something that has been on my to-do list.

    A reminder about the importance of power from SANS.

    More on Botnets from SecurIT.

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Google photo

    You are commenting using your Google account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s

    %d bloggers like this: