Thursday, August 21, 2008

Murderer

It's true.  I peeked.  I killed Schrödinger's cat.  I'm sörry.

Tuesday, August 19, 2008

Our Homeland Threatened: USAF Cyber Warfare closed

Whoa, who would have thought that one of the premier Information Warfare organizations in the world would just shut their doors and kick 6000 people to the curb?  Beyond belief.

Did we forget so quickly the lesson learned after the cold war, and the KGB influx into cybercrime in the power vacuum that was (is?) Russia?  What are these 6000 patriots going to do?  My guess -- they're going to displace less patriotic infosec persons in the workplace, some of whom are less ethical or patriotic, and are then ripe for recruitment.

Am I panicking? By no means.  However, 6000 highly-trained Information Warriors suddenly pumped into the US market is a game-changer.

Security Social Engineering Hack


My buddy Hugh Thompson (star of HBO's Hacking Democracy) just posted a pretty cool write-up of a social engineering hack. Admittedly, this isn't rocket surgery, but he did tie together several logical leaps, intuition, and knowledge of open sources to achieve the compromise. The devastating nature of this isn't that it's some twisted bit of fiendishly difficult code that creates a compromise (though Hugh does have 1337 ninja gung fu). Nope, the frightening aspect of this was how simply Hugh stripped his friend naked (digitally, of course) through this attack.

I know lots of professionals that either publish gmail/Yahoo/Hotmail accounts, or redirect through their public websites (jon.public@jonpublic.com) to an address that still goes to a webmail account. I'm also reminded of the cluelessness of a prior employer, who didn't want me to tell people where I was employed when I was speaking in public, which is pretty dumb, since a 10-second Google search readily found my resume, and it's on Monster.com. However, in their naive perspective on our wired world, my true identity was undiscoverable. Pfffft. Anyone with a dot.clue knows that Google is the Sauron of the Internet, the all-seeing eye, particularly when coupled with archive.org and the WayBackMachine.

Why pick the lock on the front door when the back porch just has a screen door?

Perhaps we should all take a page from GunBroker.com that requires your account to be initiated through an ISP account, and remember that at least your ISP knows where you sit. Er, or, at least where your open WiFi network is parked. ;-)

Painfully obvious lesson time here:
  • Seemingly innocuous data about your life posted to a blog or social site can readily be used against you. Blogging anonymously is a good idea if you simply must mention specifics.
  • Using web-based e-mail carries certain risks that are glossed over by the majority of Internet users in the presence of a compelling usability model.
  • Password reset risks and the use of webmail remain ill-addressed by the banking industry, and fly in the face of the FFIEC guidance for multi-factor authentication.
  • Password reset components should always be treated equivalent to passwords themselves.
  • Even more generally, access to a resource and access to the access to the resource are equivalent, though often not protected equally.
The ready analogy here is keeping your safe deposit box key on your keyring. You know, the same keyring you put in your shoes on the beach?
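To make the "reset components are passwords" lesson concrete, here is an added example (mine, not from Hugh's write-up or any real banking system) of a reset-token store that gives the token the same treatment a password should get: random, hashed at rest, short-lived, single-use, and compared in constant time. The class name, the 15-minute lifetime and the injectable clock are my own choices.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # a reset link should live minutes, not days (assumed value)


class ResetTokenStore:
    """Password-reset tokens handled like passwords: random, hashed at rest,
    short-lived, single-use, compared in constant time."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._pending = {}       # user_id -> (token_hash, expires_at); raw token never stored

    @staticmethod
    def _hash(token):
        # The token is 256 bits of CSPRNG output, so a fast hash is adequate here;
        # a user-chosen password would instead need a slow hash (bcrypt/scrypt/argon2).
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id):
        """Create a token, keep only its hash, return the raw token for the e-mail link.
        Issuing a new token replaces (and so revokes) any earlier one for that user."""
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (self._hash(token), self._clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, user_id, presented):
        """Return True exactly once for the correct, unexpired token; False otherwise."""
        if not isinstance(presented, str):
            return False
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]   # expired tokens are removed, not merely rejected
            return False
        if not hmac.compare_digest(token_hash, self._hash(presented)):
            return False                 # wrong guess; rate-limit this path like a login
        del self._pending[user_id]       # single use: a redeemed token can never be replayed
        return True

    def has_pending(self, user_id):
        return user_id in self._pending
```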