“Still, the worst thing about Mirai is that it leverages the horrible security decisions made by a handful of manufacturers of Internet-connected devices.”
This sentence is really an understatement by the author Sean Gallagher in an article published on Arstechnica. It speaks to the global problem in attitude manufacturers have toward security and making secure products. Now a days one would think everyone would have the realization that if something connects to the internet, it is now open game for attack. That’s the world we live in. Let me be really clear—if a device connects to the internet, or is internet aware, it is open for attack. The Mirai IoT botnet attack that occurred last week did nothing more than put a period on that sentence.
Recall the Mirai attack managed to control millions, yes millions, of devices that connect to the internet. Now to be fair, traditional thinking probably permitted that.
The world has a new app that actually gets people off the couch and into the world. These game players actually have to walk and are secretly getting exercise. I wonder if the game maker has a secret agenda to get exercise into people. It just might work. What on earth is going on out there? I’ve already fielded a couple of questions about the security of this app, and of the safety. So I pulled some details together.
A Joseph Bernstein article pointed out that Pokémon Go can tell a lot of things about you based on your movement as you play: where you go, when you went there, how you got there, how long you stayed, and who else was there. And, like many developers who build those apps, Niantic keeps that information.
There has been much written and talked about in the news regarding the open letter Apple’s CEO Tim Cook wrote about the FBI’s request for Apple to install a back door into the iPhone. When I first read that letter I shook my head and believed that was the wrong decision. I mean the FBI is only trying to follow any lead the investigations bring with the San Bernadino terrorist case. Their goal is to protect us and keep us safe.
But then I decided to take a step back and think about this from other angles. Maybe Apple is actually taking the right stand to protect us and keep us safe. I would think with a pretty strong certainty the FBI could hire some deeply skilled hackers, I mean Information Security Professionals, who could leverage their hacking techniques to gain access into the phone. Continue Reading
There are tons of articles out there now talking about the security breach at the OPM. One such article from the Wall Street Journal points out an attack vector coming in from a third party vendor. Wow.
I think in this day and age of computing there really is no excuse for when breaches occur. It’s one thing to have the latest and greatest tools in place and the right mix of human analysts looking the data over. It’s quite another to leave the doors open with old or outdated technology.
How does a government organization, or even a regular commercial business, get these things fixed? The answer is very simple. Criminalize the data loss and hold CEO’s or top government brass accountable; meaning they will be prosecuted for some kind of criminal liability.
Wouldn’t that change the focus on how information security is implemented? If you, as top boss, knew you could go to jail because you didn’t put enough of a priority on securing the data you work with, don’t you think you would make different decisions?
The other day, the president of RSA, made the comments that he believes security has failed. He goes on to admonish defense-in-depth strategies as not keeping up with the need.
I’ve been thinking about what Amit Yoran has said and I’d like to say I disagree with his comments and belief.
It’s interesting. I stepped off the INFOSEC wagon in 2010 after I was severed from my job. I didn’t want to relocate to New Jersey or Texas so they let me go. When that happened I realized how burned out I was from technology and managing. So, I decided to open a business following my other passion of holistic wellness. Fast forward to today. I’m back on the wagon of doing Information Security and I’m loving it. I started a new position this past February and found drawn to the job as it was scoped out; and the company made me a really fair offer right out the gate. That says a lot about a company I think. Continue Reading
I read an interesting article in the latest SANS Ouch, Vol. 5 No. 10. It points out the results of a couple of surveys done by McAfee which show many of the 378 computer users interviewed by phone were undereducated when it comes to recognizing threats the Internet poses to their computers and to their personal privacy. Go take a look the article and follow the links to the full report.
I attended a presentation last week and heard the phrase, "The server is secure. It has a password."
Never mind I was at a security meeting. What hits me is that simple phrase being used. But then, why should I be surprised?
I figured it would only be a matter of time before something would pop dealing with information security and VP nominee Governor Palin. The news is all over the Internet by now.
If anything, this should be used as a wake up call for any and all businesses. What is the call? Don’t permit web based emails to be used from within the company or from company resources. Even in Palin’s case, it shows some general dialog between Palin and others in the Alaskan government. Additionally, information and pictures of her family were posted on the Internet.
It’s been awhile longer than I like to admit for posting. I suspect I’ve been befallen like many others…staying up late night to watch the Olympics. I’ve enjoyed them more this year for some reason than in years past. Maybe I have a greater appreciation for the amount of work it takes these athletes to prepare for competition. And it’s heart breaking when they make a mistake and know it. They continue on even when they recognize their dream of medals is over.