Thursday, October 08, 2015

So the world didn't end yesterday, but the e-commerce world may end tomorrow - What I am reading 10/8/2015

Ars Technica - SHA1 algorithm securing e-commerce and software could break by year’s end -
SHA1 has long been considered theoretically broken, and all major browsers had already planned to stop accepting SHA1-based signatures starting in January 2017. Now, researchers with Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Nanyang Technological University in Singapore have released a paper that argues real-world attacks that compromise the algorithm will be possible well before the cut-off date. The results of real-world forgeries could be catastrophic since the researchers estimate SHA1 now underpins more than 28 percent of existing digital certificates.
This is a pretty big deal given that most banking and e-commerce sites are secured by SHA1 certificates and, as far as I know, the changeover to something more secure has barely started.  I would be very careful with your online transactions for a while.

Wired - Steve Jobs and Tech’s God Complex -
Most biopics tend to mythologize their subjects. Jobs came pre-mythologized—by himself as much anyone else—so maybe it’s appropriate that Steve Jobs takes the opposite tack, demystifying the mystic and underscoring his very human failings. In this way, it’s more like one of those postmodern Westerns—McCabe & Mrs. Miller or Unforgiven—deconstructing America’s self-image by poking holes in the stories it tells about itself. Yeah, Jobs may have made good computers, this movie says, but that hardly matters, because—whatever Jobs might believe—machines are secondary to our work as humans, not extensions of it. “What you make isn’t supposed to be the best part of you,” Kate Winslet’s Joanna Hoffman tells Jobs. “Your products are better than you are, brother,” Woz spits. “I’m poorly made,” Jobs confesses.
Personally I think Steve Jobs was overrated as a person and a creative genius and that Apple is overrated by its fans, but that's me.  I think one reason that these movies keep getting made is people want to reconcile their hero worship with the actual assholishness of the person.  I can't find the article now but I saw one yesterday where Jony Ive was complaining that by presenting the dark sides of the Jobs story it impinges on his legacy, which kind of proves my point.

The Register - Understand 'Safe Harbor', Schrems v Facebook in under 300 words -
As Snowden's leaks showed, there is no law legitimising the interference by the National Security Agencies, so one does not know whether any interference on their part is necessary.
'Safe Harbor' is unsafe because such agencies in the USA can access personal data without due process, and because the US has no law that limits the use of personal data by them.
So there ya go, a quick and easy primer.

SANS - S+P Could Downgrade Banks with Inadequate Cybersecurity (September 29, 2015) -
Standard & Poor's (S+P) said it could downgrade banks that do not employ adequate cybersecurity measures even if the banks have not experienced a breach. Although S+P has not yet downgraded a bank over a breach, it could take action if the breach damaged the institution's reputation enough to lose customers and/or capital. 
-http://ww2.cfo.com/cyber-security-technology/2015/09/banks-weak-cybersecurity-downgraded-sp/
-https://www.globalcreditportal.com/ratingsdirect/renderArticle.do?articleId=1455510&SctArtId=343857&from=CM&nsl_code=LIME&sourceObjectId=9348447&sourceRevId=2&fee_ind=N&exp_date=20250927-20:56:45
[Editor's Note (Pescatore): Not very meaningful if S&P downgrades only after a breach damages a bank's "reputation" and only after breaches. That will be like when S&P and others downgraded the banks *after* the last financial crash. ]
Linux Botnet (September 29, 2015)
The XOR DDoS botnet comprises infected Linux computers. The botnet targets education and gaming websites with traffic up to 150 gigabits per second. The majority of the targeted sites are in Asia. In some of the attacks, the IP address of the bot is spoofed to make it appear to be part of the targeted network. 
-http://arstechnica.com/security/2015/09/botnet-preying-on-linux-computers-delivers-potent-ddos-attacks/
Network World - Report: Target failed to execute security basics -
Verizon consultants probed Target’s network for weaknesses in the immediate aftermath of the company’s 2013 breach and came back with results that point to one overriding – if not dramatic - lesson: be sure to implement basic security best practices.
  • Failed to Segment Networks
  • Poor Password Policy Enforcement
  • Weak Passwords
  • Lax Patch Management
  • Running Outdated Vulnerable Services
  • Insufficient Authentication Requirements
So basically every poor security management practice possible short of actually just selling the data to the Russian Mafia.  Someone really needs to be held criminally responsible.
