security – Page 7 – Observations Along the Road

Are You Feeling Cybersecure?

Posted onSunday, July 19, 2015Authorcahwyguy

userpic=security Continuing the cleaning of the collected links, here are a few articles and comments related to cybersecurity. Note: Those who read my post yesterday on iPods and other Digital Audio Players should revisit it — I’ve updated it with lots more info.

Training the Next Generation. A few interesting articles relating to the training of new Cybersecurity experts — at least ones that caught my attention because of their connections. First, Caltrans is getting involved with Cybersecurity. Sponsored by Caltrans and the California Transportation Foundation, the 2015 CyberCIEGE Competition challenged high school-aged teams to deal with a realistic simulation of a workplace environment that teaches project management and computer network security concepts. Students hired and trained employees, purchased and configured workstations and network devices and defended against cyber attacks while managing their budget. Also focusing on high school students, a program at NSA is working with a number of schools, including UC Berkeley, to educate high-school students about cybersecurity careers. I happen to know one of the folks at NSA behind that program — I’ve known Steve LaFountain for years, going back to when I was at SDC. With Steve involved in this program, you know it is doing good work.
Investing in Cybersecurity. In what is surely a sign of the times, there is a new Exchange Traded Fund (ETF) that focuses on Cybersecurity.The fund seeks investment results that correspond generally to the price and yield of an equity index called the Nasdaq CEA Cybersecurity Index.This new ETF includes companies primarily involved in the building, implementation and management of security protocols applied to private and public networks, computers and mobile devices in order to provide protection of the integrity of data and network operations. It is an interesting notion and cybersecurity is a growth field, but as to how this index will perform… I’m not sure about that.
Building Blocks. About a year and a half ago, there was an effort to create a NIST FFRDC. It now exists, and I’ve seen the first announcement of its output: a series of building blocks that have been released for community review and comment. The building blocks cover cybersecurity implementations that apply to multiple industry sectors and will eventually be incorporated into many of the National Cybersecurity Center of Excellence’s sector-specific use cases. The two that have been released are: (1) “Domain Name System-Based Security for Electronic Mail“, which proposes using the DNS-based Authentication of Named Entities (DANE) protocol to help prevent unauthorized parties from reading or modifying an organization’s email or using it as a vector for malware; and (2) “Derived Personal Identity Verification (PIV) Credentials“, which proposes a way for mobile devices to use two-factor authentication without specialized card readers, which read the identity credentials embedded in on-card computer chips to ensure authorized access to computer systems or facilities. With derived credentials, mobile device users could get the same level of security with their mobile devices that desktop users get with card-reader access.
Government Cybersecurity. An article on Slashdot today teased with the headline: “Despite Triage, US Federal Cybersecurity Still Lags Behind“. The article demonstrated Slashdot’s usual journalistic sensationalism, stating: “According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is “doing something” than to fix the long-standing problems with how it handles security. “After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.” What the Slashdot article fails to acknowledge is that the government, by definition, cannot easily be bleeding edge in this area. There are so many legacy IT systems across the entire Government that it is difficult to secure them all, especially when many are old and did not have security engineered in. Budgeting for improved cybersecurity is only now getting attention, and Government funding exhibits the battleship problem: it is slow to turn around. Add to that the delays inherent in any large bureaucracy, and you’ve got what we’ve got. In short, governments cannot be nimble. You might think one could only focus on the critical systems; alas, we all know that critical systems are often attacked from stepping stone systems that play the role of trusted connections. The answer isn’t easy, but a lot depends on pushing to engineer security in from the start; to consider security as important as any other mission functionality requirement. More importantly, even if you can’t get it engineered in, you need to get everyone thinking about it: education, enforcement of policies, and emergency resilience can be as important as what is engineered in. Hmmm, seems like I climbed up onto a soapbox — the view is interesting from here. Articles like this can do it to you. Perhaps I’ll climb down now. Carefully.

Independence Weekend News Chum Stew

Posted onSunday, July 5, 2015Authorcahwyguy

Observation Stew It’s been stewing on the stove for two weeks because I’ve been so busy. Let’s hope it is still tasty and flavor-right. Here’s your news chum stew for the last two weeks:

Going For a Ride in my Car-Car. As you probably know, I’m in a vanpool. So when I saw a headline that read “Long commutes make you fat, tired, and miserable“, I was curious. The article notes that spending more than two hours of your day commuting — as 8.3 percent of American workers now do — will probably make you miserable. But there’s research that suggests doing it with other people will make it far less unbearable. As for the “fat”, it isn’t the commute that does it. Rather, it was the fact that commuters were less likely to get exercise. When you get home after a long commute, you’re too beat to exercise. Now, add to the fact that the touted “driverless” cars may mean we will be willing to commute longer — alone — and… well… you do the math.
Sorting it Out. Penn and Teller once did an episode of Bullshit noting that people really want to recycle, even if it is meaningless separation. It turns out that our not sorting — that is, putting all recyclables into a single blue bin, is leading to recycling stalling in America. The cost to separate is so high, and the value-return for recyclables is so low, that it is cheaper to make new. What a waste… but then again, we often forget we need to waste a lot of energy to recycle. There is a better solution. Use less in the first place.
Out, Out, Damn USB. Have you ever tried to get Windows to eject a USB device, but it keeps refusing. Here’s a list of what to do when Windows is recalcitrant.
Graphic Subtleties. You may not have noticed it, but Facebook is sporting a new logo. Look closely. Its subtle.
Celiac Disease Riddles. Here’s an interesting article about celiac disease, where they may have found the underlying culprit. It turns out that it is an immune response, and the heredity pattern with celiac disease is very similar to the pattern with other autoimmune diseases.
Food and Fun. Three interesting food related articles. The first explores how to cook ribs in the pressure cooker. The second talks about high fat foods that might be healthy for you. The last looks at outstanding mom and pop restaurants in the San Fernando Valley.
Drought Landscaping. If you live in California, you’ve probably seen a major visual effect of the drought: people replacing their lawns with either plastic grass or gravel. We know plastic grass is bad — ~~you can’t smoke it~~ it is isn’t porous, and prevents water from being absorbed into the water table. But it turns out gravel is equally bad. What’s worse is one company, Turf Terminators, has made a business taking rebates and making yards ugly. If we go to xeriscaping, I’d like something prettier than gravel, except perhaps in selected paths.
Bubble Wrap No More. Do you enjoy popping bubble wrap? Soon you might not be able to do so. The company behind Bubble Wrap, sealed air, is exploring a new wrap that is shipped flat and inflated on site. There’s a major advantage to this: shipping costs depend on size of the package, and inflated bubble wrap rolls are too expensive to ship distances.
iPod Solutions. Why, oh why, can’t Apple make an iPod with an SD slot. 200GB storage is getting affordable.
Underwriters Lab for Cybersecurity. Mudge has left Google to try to create an Underwriters Laboratory for Cybsersecurity. The problem is: we already have one. What’s worse is that most people don’t know about it.

Saturday News Chum: Lastpass, Food Waste, Celiacs, Music, and Sons

Posted onSaturday, June 20, 2015Saturday, June 20, 2015Authorcahwyguy

userpic=lougrant It’s Saturday, and that means it is time to clear out the links. These are articles I found interesting during the week, but either didn’t have the time or the inclination to write about then:

The Lastpass Hack. One of the big security items last week was the hack of Password Manager “Lastpass” (which happens to be the password manager I use and recommend). There was word about how hashed Master Passwords may have been leaked, as well as password reminders. But as usual, Lastpass provided the best explanation on why and whether you should worry, and showed why people still don’t understand risk — In response to the question “Was my master password exposed?”, their response was:
“No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.” In other words, what may have been exposed was a deep one-way hash of an already deeply one-way hashed password. You’re really only at risk if they could guess your password, and that comes from a dumb password reminder. Still, they recommended changing your master password. I did so, and I changed it in the few other places I use it (none of which are web accessble; it is for similar non-web application vaults).
Going to Waste. We are an incredibly wasteful country. Two articles from NPR on that subject. The first deals with a grocery chain in Northern California, that has decided to sell “ugly produce” that would otherwise go to waste at deeply discounted prices. The second deals with a landfill of lettuce — salad tossed because it might not make it to market in time. In this time of drought, and considering the amount of water that goes into growing and raising food, we should work hard to make sure that all food, ugly or not, is put to good use. We have loads of families in need that could benefit from just-in-time delivery of fresh, but ugly, vegetables and similar food products.
The Celiac Cry. I’ve been pressing this point for a while, but this article expresses it really well: why the gluten free fad dieters are a bad thing for Celiacs. People think they know GF, but don’t do complete checking and poison those for home it really makes a difference.
Buying Music Is For Old People. This article really saddened me. It posited the notion that only old people buy music these days. The “younger generation” wants more and more variety, and they can get that by streaming their music from music services anywhere anytime. Of course, this is like AM radio of old, but we won’t tell them. The problem is that streaming doesn’t work everywhere, doesn’t cover all audiences, and tends to cost money (both subscriptions and data). It also puts what you listen to in the hands of the streaming services. No thank you. I’ll keep owning my music, making copies of my digital music as backups, and listening to it whenever and whereever I can.
Architecture in the West. Two architectural articles. The first deals with interesting undiscovered architecture in Tucson. The second deals with another product of the 50s to go away: first it was drive-ins, not it is bowling alleys. There aren’t many left in the valley; Mission Hills Bowl is now gone. Bowlers will miss it.
Sons!. My first live theatre that I saw on stage was the LACLO’s production of The Rothschilds, which I still love to this day. This week news came out that a revamped version is in the works.

Saturday Stew: 10, 512, H20, 2, 0, and 0219

Posted onSaturday, June 6, 2015Saturday, June 6, 2015Authorcahwyguy2 Comments

Observation Stew Well, it’s late Saturday night, and I’m home from my first Fringe show. That writeup will be tomorrow morning — tonight, it’s time to clear out the links so we can make some news chum stew. Are you hungry yet?

Windows 10 is Coming. Quick, get a Dixie Cup. OK, so it’s an old joke and in bad taste. But we’re talking Windows here. Seriously, if you have a Windows 7 or Windows 8 system, you might see a new little icon so you can sign up to get the latest and greatest Windows when it is released on July 29. You’ll have a year to upgrade for free. So I’ve got a collection of articles that I found of interest on the upgrade. First and foremost, there are a number of features that will not work or will be removed when (if) you upgrade. Second, here’s an article on what to expect when the upgrade happens. Supposedly, you’ll need to do a clean install. What I haven’t seen yet is how well the upgrade process works for an in-place system, or seen a good list of what other older software will not work. My advice: You’ll have until July 2016 to request the upgrade. I’d suggest waiting a good two months and letting everyone else be the guinea pig.
Apple, are you listening? Having talked about Microsoft, let’s now talk about Apple. This week brought the news that Microdia will be selling a 512GB micro-SD card for around $1000 (and you can expect the price to go down as others start manufacturing, plus there are reminders that the extra-capacity SDXC format allows for up to 2TB cards. OK, Apple, here’s your challenge. Do you want to win back all the people that loved the iPod Classic for their music? Do you want to prevent these folks from migrating to any of the other large capacity players? Here’s a simple answer: sell an iPod Touch that can take a micro-SD card up to 2TB. Not only can folks store their music, they have room for loads of apps, and loads of photos (they will be grabbed by photographers). Think of all the money you can make backing that up to the cloud.
Water Water Everywhere. Here are three articles related to water. The first explores how to find the control room for the Bellagio fountains. There are loads of facts in the article; my favorite was the following: “The water they use for the fountains is a self-sustained source that used to be used for the old Dunes golf course before they took it down.” I had read in another book on Vegas that Wynn bought the land for the Bellagio because it had its own springs. Speaking of piping water, when you hear Budweiser, what do you think of? I know, watered-down beer. Did you know in emergencies that AB doesn’t add the beer (of course, how would you know?). Seriously, those of us in LA know that AB canned water during the big earthquake. Well, with the recent damage in Texas, they switched to canning water as well. Lastly, I found a real good collection of stories at the Times on drought gardening.
A-One. A-Two. If you are security aware, you turn on two-factor authentication whereever you can. But how do you do it? Here’s an article with information on turning on two-factor authentication on over 100 sites. In particular, it links to a step-by-step guide to turning on two-factor authentication.
Illusions in the Air. Here’s an interesting (well, to me) discussion of Avatar Airlines, an airline that is too good to be true. Just like the recently panned (and rightfully so) Bitter Lemons Imperative (plus one, two, three), here’s an idea that might have sounded good on a surface read, but when you dig deeper, it is fraught with problems. This really goes to show why you need to think an idea out thoroughly before you put it on the net. [I didn’t earlier today, and learned my lesson]
A Burnin’ Issue. OK, Grammar Geeks. Here’s one for you (h/t Andrew D): Which unicode character should represent the apostrophe? The answer is easy to get wrong, as the Unicode committee did. They chose ’ (U+2019), which is RIGHT SINGLE QUOTATION MARK (as opposed to ‘ (single quote)), as opposed to ʼ (U+02BC), which is MODIFIER LETTER APOSTROPHE. Why is this significant? The former creates a word boundary; the latter does not. Now you know why your capitalization routine changes it’s to It’S.

Saturday Chum Stew: Water, Vegas, Revolts, and Death. A Typical Week.

Posted onSaturday, May 16, 2015Saturday, May 16, 2015Authorcahwyguy

userpic=observations Saturday, and time to clear out the news links before a busy weekend. Hopefully, you’ll find something of interest in these:

“Whiskey is for drinking but water is worth fighting over”. Four interesting articles related to the drought in California. Anyone who has used an automated toilet has run across the first waste of water: Phantom Flushing. Here’s an op-ed that opines that we should go back to non-automatic flushes, which will save water. The next scourge: unmetered households. Here’s an article about how a few communities are using a loophole in the law to fight water meters and keep their flat rate. The third scourge: bottled water. Want that Crystal Geyser that is advertised so heavily? Siskiyou County Water. But here in LA? We’re conserving so well we don’t need additional restrictions (for now).
Death of an Icon. Two articles related to the death of the Riviera. The first is a really nice piece about the last days of the Riv. The second is an opinion by Penn Jillette (who is doing his part for Vegas history by selling “The Slammer”) about how what is built in Vegas blows up in Vegas.
Art is Revolting. No, not in that sense. I mean standing up for their rights and fighting back. At first, it was the intimate theatre community. Now, the entire USC First-Year MFA class has quit. They say it best: “We are a group of seven artists who made the decision to attend USC Roski School of Art and Design’s MFA program based on the faculty, curriculum, program structure, and funding packages. We are a group of seven artists who have been forced by the school’s dismantling of each of these elements to dissolve our MFA candidacies. In short, due to the university’s unethical treatment of its students, we, the entire incoming class of 2014, are dropping out of school and dropping back into our expanded communities at large”
Death is Complicated. Here’s another complication: How do you keep up your websites after you’re dead? After all, you can’t pay the bills, you can’t update the registration, you can’t update the site. But they might be a vital piece of web history.
Coffee May Be Bad For Your (Financial) Health. Do you drink coffee? Do you drink Starbuck coffee? Do you use the Starbuck app? If you said yes to all three, disable auto payments immediately.
Coloring Your View. The infamous dress is back. More specifically, there’s an interesting science report about how the environment we work in colors our view of how we color the dress.

A Day Late and a Dollar… Saturday Stew on Sunday

Posted onSunday, May 3, 2015Authorcahwyguy

Observation Stew The smell of stew cooking in the crockpot reminded me I need to post a stew of my own; with vacation and such, it’s been a few weeks. So let’s clear out those links…

Burger Continental is Gone. We discovered this as we returned home from the Ren Faire a few weeks ago: BC has closed their doors. No more can Adrian, their long-time waiter (and one of the owners, from what I’ve heard) flirt with my wife. They were a reliable dinner when we were going to the Pasadena Playhouse. I’ll miss them.
Airline Safety, Take 1: Fitting In The Butts. As we all know, airlines are squeezing passengers closer and closer together, both through thinner seats and decreased pitch. The big problem: That may not be safe. A consumer advisory group has asked DOT to look into the matter.
Airline Safety, Take 2: Reading the Signs. An interesting airline risk has just come to light — significant if you are flying Boeing 787s. It appears there is a software glitch that could cause power units (APUs) to go into failsafe mode after running continuously for more than 8 months. Specifically, if all four APUs were started at the same time, and run for 248.55 hours… they shut down. 248.55 just happens to be the point where a signed 32-bit integer holding time in hundreths of a second overflows and goes negative. No problem: That age old advice still works: “Have you tried turning it off, and back on again?”
Cleaning Out the Stash. One of the problem when your parents die is cleaning out what they left at the house. That problem turns weird when you discover their adult stash — i.e., their porn collection. Yes, your parents think about sex — who do you think made you the horndog you are? Yes, I’m looking at you. Luckily, there is an adult bookstore in London that will take that porn off of your, umm, hands.
Ah, Catherine the Great. As you probably remember, I loved Steve Allen’s Meeting of Minds. Therefore, it is with sad news that I report the passing of Mrs. Steve Allen, better known as Jayne Meadows, who started in numerous episodes. She made it to 95 and had a good life. I thank her for her contributions.
Security and Maturity. Here’s an interesting metric: Brian Krebs on measuring a company’s security maturity level.
Damn. Yesterday was National Naked Gardening Day. Here’s an interesting article on a garden rework in Beverlywood that not only saves water, but grows vegetables. For future reference…
Where to Go For Dinner. Another “for future reference”: Here’s a listing of 20 recommended places to eat in the Valley. We’ve actually been to about 2/3s of these.
But What Will I Watch in Hawaii. I don’t know what you did when you visited Hawaii in your college years, but I…. programmed. I have fond memories of listening to the Jerry Lewis Telethon (back in the late 1970s, mind you) and programming for the UCLA Computer Club. Today’s children will have to find something else to do: MDA has cancelled the Labor Day Telethon. I’ll note that it had really gone downhill without Jerry Lewis and the folks he drew in, and MDA parted ways with him a few years ago.

That’s your stew for this Sunday. Now go work out….

Musings on Sony, The Interview, and North Korea

Posted onFriday, December 19, 2014Friday, December 19, 2014Authorcahwyguy

userpic=security As I sit here eating my lunch, I’m thinking about all the articles I’ve read over the last week concerning the Sony cybersecurity attack, the movie “The Interview”, and the reaction thereto. Thoughts are starting to gel together, so I thought I’d share them:

How Could America Give In Like This? This is a question I’ve seen throughout Facebook, with an appropriate share blaming Obama for all these troubles. The response, however, shows a lack of critical thinking — for it is asking the wrong question. America — at least the government — has no connection to the capitulation to the hacker’s threats. That’s squarely on Sony’s shoulders. Further, Sony isn’t necessarily completely wrong. Put yourself in Sony’s shoes. A hacking group — which you believe to be connected to an unstable government — makes threats intimating mass casualties at theatres showing this movie. Further, a number of your exhibitors are publicly deciding not to show the film. So which is better: Show the film, and if god forfend an attack occurs, deal with all the lawsuits… or take the economic hit for pulling it now (and possibly have insurance cover the loss). Sony made the correct business decision. Where they erred was stating the film would never be released, in any form. That’s stupid. Release it on video-on-demand across multiple platforms — there’s no way the adversary can attack all those individual homes, or all the individual servers serving the media (ETA: of course, after Obama’s statement, now Sony says they may do that). Put CDs in every Target and Walmart and Costco. Pulling it 100% is giving in to FUD (Fear, Uncertainty, and Doubt). I’m not only looking at Sony here — Paramount pulling Team America has given into the same FUD. Want another perspective? Read Ken Davenport. Oh, and by the way, Obama says Sony shouldn’t have pulled it.
But this permits (name your county) to censor our movies! Oh, and you think your movies aren’t censored now? The government may not censor them, but studio executives do every day when they decide which projects to green light and which to stop. The MPAA does it when they rate movies and amp violence over sex. What happened here will not stop such movies from being made. What it will curtail is major studio distribution of such movies, making them harder to find. That, by the way, is where studios really “censor” — in what they agree to distribute or not. There are many movies that remain unseen for lack of a distribution partner.
But how could this happen? Isn’t the government supposed to protect us? The government’s job is to protect government systems. There have been repeated attempts to strengthen overall cybersecurity, but they have never made it through Congress as they would involve private corporations working closer with government, and sharing information. This also appears not to be the result of a simple cracker; this seems to be a targeted attack by a determined nation state. Bruce Schneier has a good analysis of this. He also has some very good conclusions:

For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama or insulted its starsor if their response systems had been agile enough to kick the hackers out before they grabbed everything.

My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations, gossip, medical conditions, love lives exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.

This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn’t something markets can fix.

But why would they do this? A good question. This isn’t just because the movie makes fun of the leader of North Korea. That’s been done before. Vox has a good analysis of the reasons behind this. The short summary is: To show they can. North Korea gains much of its power through its military, and by presenting the appearance of that power outwardly and inwardly. Outwardly it does it through threats and intimidation; inwardly it does it to justify spending on military rather than the people. Vox summarizes it thusly:

This is belligerence meant to deter the much stronger South Korea and US, and to draw international attention that North Korea can use to bolster domestic propaganda portraying Kim Jong Un as a fearless leader showing up the evil foreign imperialists. It is meant to foment the isolation and tension that has allowed the Kim family to hold onto rule, impossibly, for decades. It has nothing to do with Sony’s film, however offensive it may be, with the film’s portrayal of Kim, or with free speech in America. In believing North Korea’s rhetoric strongly implying a connection, we are buying into the country’s strategy and helping Kim succeed.

[…]

This strategy of portraying itself as crazy is remarkably effective at securing North Korea’s strategic goals. But it is also quite dangerous. By design, the risk of escalation is high, so as to make the situation just dangerous enough that foreign leaders will want to deescalate. And it puts pressure on American, South Korean, and Japanese leaders to decide how to respond — knowing that any punishment will only serve to bolster North Korean propaganda and encourage further belligerence. In this sense, the attacks are calibrated to be just severe enough to demand our attention, but not so bad as to lead to all-out war.

Over on the Kapersky blog, they put it this way:

“It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.”

So what is the long term impact? As with anything, I believe there will be both good and bad impacts. On the bad side, we may see artists reluctant to tackle hard subjects in major films, knowing they will have difficulty getting them through the studio system. We may also see studios much more reluctant to distribute controversial films (for example, film studio New Regency has cancelled its planned movie adaptation of acclaimed graphic novel Pyongyang). This may end up being a boon for Science Fiction films, as they can often make the same point using metaphors without naming real countries and real people. More significantly, on the bad side, is the message this sends: For the controversial stuff that gets through, are we going to see more threats and intimidation? If some fundamentalist group doesn’t like the subject of a movie, can they just threaten a 9/11-type attack and have it pulled? This is bad, very bad — and it might even lead to the death of large-screen cinema (as you can’t attack video-on-demand with such threats — only large groups of people). On the good side, it may make corporations much more aware of the need for Cybersecurity, and it may help government efforts related to cybersecurity. In fact, the senate and house just passed a new cybersecurity bill that will bolster cyber research and development, the cyber workforce through training and education and technical standards for cybersecurity through NIST. It’s a start. It may also move controversial subjects back onto the live stage, as such performances often attract much less attention.

A Week of Security

Posted onThursday, December 11, 2014Authorcahwyguy

userpic=security I’ve been at ACSAC all week, and it has been a great conference. The committee and the Universal Hilton have a lot of work to do to top this year’s conference at the Hyatt French Quarter. But I’m confident they/we will. So what is more appropriate than some security-related articles:

Remember Benford’s Law. Here’s an interesting summary of an article about how accountants are using Benford’s Law to fight fraud. Benford’s Law, for those that don’t recall it, refers to the frequency distribution of digits in many (but not all) real-life sources of data. In this distribution, 1 occurs as the leading digit about 30% of the time, while larger digits occur in that position less frequently: 9 as the first digit less than 5% of the time. Benford’s Law also concerns the expected distribution for digits beyond the first, which approach a uniform distribution. The accountants looked at a log of financial ATM transactions for an ATM with a limit of $50, and saw an abnormal number of first digits that were 4. This led them to find financial fraud. Think about this for analysis of audit trails…
Two-Factor Authentication. One point that has been continually made this conference relates to the value of two-factor authentication. We even heard from Avi Rubin on how to use two-factor in online poker. However, there is a major problem with two factor: what happens if you lose the second factor. Here’s an article that explains what to do. Now that you know what to do, you have no excuse. Enable two factor authentication.
Cyberphysical Attacks. One major theme of the conference has been cyberphysical security. You probably think it was Stuxnet. Wrong. A recent article points to a 2008 Turkish pipeline explosion, which was caused by a cyberattack that overloaded the pressure on the pipe. As Avi pointed out, as we get more and more devices in our houses and lives that are network connected, how susceptible will we be to cyberattacks.

Want to learn more about these problems? Come to the 2015 ACSAC, December 7-11 2015 at the Universal Hilton. Paper submissions, training submissions, workshop submissions, and similar stuff are all due around June 1, 2015. As Local Arrangements and Tutorial Chair, I look forward to seeing you for what will be my 25th ACSAC on the Conference Committee!