Sunday Security Maxim
Rohrbach Was An Optimist Maxim: No security device, system, or program will ever be used properly. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Rohrbach’s Maxim: No security device, system, or program will ever be used properly (the way it was designed) all the time. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
"The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed," the researchers warned. "Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms." - via Dan Goodin, writing at Ars Technica
Via journalist Malena Carollo, reporting for the Christian Science Monitor, comes an astonishing news item on what is perhaps the single most egregious failure in federal information security this century (so far...).
"Moving forward, Archuleta assured the committee that OPM would continue to improve their cybersecurity efforts and work on the recommendations given by the Inspector General "to the best of our ability." "That’s what frightens me, Mrs. Archuleta," said Rep. Mick Mulvaney (R) of South Carolina, "that this is the best of your ability." - via Malena Carollo reporting at the Christian Science Monitor
Israel Hayom is reporting that the Israel Defense Forces (IDF) plan to create an entirely new and separate branch of the State of Israel's military dedicated to cyberwarfare. Standing up a separate service branch for cyber appears to be one of the first moves of its kind worldwide, and a significantly forward-thinking one.
'The new branch will join the Israeli Air Force, Navy, and GOC Army Headquarters as a main service branch that will oversee the military's cyberwarfare strategy, as well as its proactive cyber efforts, which are currently headed by Military Intelligence, and its cyberdefense efforts, currently headed by the C4I Corps.' - via Israel Hayom's Lilach Shoval and Israel Hayom Staff.
RAND Corporation has published a not-entirely-surprising study, entitled "The Defender's Dilemma: Charting a Course Toward Cybersecurity", examining what appear to be the largely unsuccessful security postures of the organizations under scrutiny. Apparently, the notion of "Come And Take It" is not a particularly successful stratagem in modern electronic warfare...
Citation Libicki, Martin C., Lillian Ablon and Tim Webb. The Defender's Dilemma: Charting a Course Toward Cybersecurity. Santa Monica, CA: RAND Corporation, 2015. http://www.rand.org/pubs/research_reports/RR1024. Also available in print form.
Good news from the Cloud Security Alliance - the organization has decided to begin work on Version 3 of its Security Guidance for Critical Areas of Focus in Cloud Computing document. Hence the CSA Call for Volunteers, and the contracting of the Securosis team (comprised of Adrian Lane, Rich Mogull and Mike Rothman) for wordsmithing duty. Outstanding.
Plug into the Formula Maxim: Engineers don’t understand security. They tend to work in solution space, not problem space. They rely on conventional designs and focus on a good experience for the user and manufacturer, rather than a bad experience for the bad guy. They view nature as the adversary, not people, and instinctively think about systems failing stochastically, rather than due to deliberate, intelligent, malicious intent. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Gossip Maxim: People and organizations can’t keep secrets. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
t2 has issued a Call For Papers for the t2 infosec conference, slated for October 29 - 30, 2015 (inclusive), in stunningly beautiful Helsinki, Finland. Viihtyä (enjoy yourselves)!!
"Why spend your valuable conference time in the longest lines you have seen in your life, getting a sunburn or totally lost in the canals with your rental boat, being deprived of chewing gum or waking up in Nong Palai without any recollection how you got there? Helsinki offers you the safe and comfortable low-temperature alternative with a chance of first snow. Finland, the home country of many things you thought came from Japan." via t2
News of the surfacing of John McAfee at last week's Infosec 2015 confab in London, United Kingdom, at which oddities ensued and mayhem was kept to a minimum. All in all, a good time was had by all... Read the full story here.