ISOC, Why Routing Security Matters →
Yes, Virginia, routing security is fundamental. via Andrei Robachevsky, Technology Program Manager at the Internet Society.
USENIX Research, Behavior Comparison of Security Experts vs. Non-Experts
via the Google (NasdaqGS: GOOG) Online Security Blog comes this interesting USENIX research paper, detailing security-related behaviors between and betwixt so-called 'security experts' and laymen... Enjoy.
NCCoE Releases NIST Cybersecurity Practice Guide Targeting Health Records →
The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NIST NCCoE) has released a new draft practice document entitled NIST Cybersecurity Practice Guide, Special Publication 1800-1: "Securing Electronic Health Records on Mobile Devices".
Targeting health care records (stored electronically), these artifacts are well-crafted, first-rate (but draft, after all) information security documents. They are available both as individual sections and in full (a compressed file that also contains a manifest and a number of template files, noted later in this post).
The comment period is open until September 25, 2015 (inclusive). The NCCoE has committed to allowing comments to be submitted anonymously, and will make those comments public after review. Submit comments online or via email to HIT_NCCoE@nist.gov.
Sections Available
(1) SP 1800-1a: Executive Summary
(2) SP 1800-1b: Approach, Architecture, and Security Characteristics
(3) SP 1800-1c: How-To Guide
(4) SP 1800-1d: Standards and Controls Mapping
(5) SP 1800-1e: Risk Assessment and Outcomes
Full Zip Document Archive
Coming to A Script Kiddie Near You... →
Sunday Security Maxim
Backwards Maxim: Most people will assume everything is secure until provided strong evidence to the contrary—exactly backwards from a reasonable approach. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Saturday Security Maxim
Irresponsibility Maxim: It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Automakers Foment New Blinders →
Apparently, US automobile makers (including farm machinery manufacturers) do not want independent research delving into the entrails of the downside risk represented by the systems built into their automobiles, trucks, et cetera. Read all about it on AutoBlog, via author Peter Bigelow. Evidently, enforced ignorance is bliss in the Motor City.
Machines, Rise of
Yes, Bunky, this is the true Real Rise of the Machines... Hopefully, the Engineers of our robotic future will not forget The Three Laws.
FTC Targets Application Developer
Apparently, Google Inc.'s (NasdaqGS: GOOG) and Amazon.com Inc.'s (NasdaqGS: AMZN) app stores' anti-fraud mitigation activities let a bad actor's apps through the gauntlet... In this case, a hijack app that apparently stole cycles from the devices it was installed on to mine for Bitcoin. Luckily the United States Federal Trade Commission and the Office of the New Jersey Attorney General stepped up to the plate, eh Sergey?
The FTC and the Office of the New Jersey Attorney General took action against two software app developers, Equiliv Investments and Ryan Ramminger, alleging their mobile app, called “Prized,” hijacked people’s phones to mine for virtual currencies. Users thought they could earn prizes by playing games and taking surveys through the app. But the FTC alleges the app had malware that sapped the phone’s computing power, made phones run slower, drained battery life, and used up data plans – all so the developers could secretly make money mining virtual currencies. - via the FTC
DevOps, The Security Mythos →
The remarkable truth about information security within DevOps-driven organizations, and why, per se, those organizations are not made secure simply by adopting DevOps, that is, by integrating Development and Operations teams and moving to continuous deployment. If you read anything about DevOps today, read George V. Hulme's interview of Adam Muntner, an Application Security Engineer at Mozilla and the creator of FuzzDB (the interview is also posted at Adam's blog). Absolutely outstanding.
Use of Secret Communications is an "Ancient Liberty"
Presented for your consideration - a 1997 paper entitled The Use of Encrypted, Coded and Secret Communications is an "Ancient Liberty" Protected by the United States Constitution, published by the University of Virginia Journal of Law and Technology*.
John Fraser III, the author of this superlative screed (now an attorney in Washington, DC), presents his fascinating argument on encryption and the 'ancient right' to utilize cryptographic artifacts in the course of communications, protected, of course, by our nation's Constitution. Today's must read.
*Va. J.L. & Tech. 2 Fall 1997 1522-1687 / © 1997 Virginia Journal of Law and Technology Association
Bring Your Own Exploit →
DevOps.com writer Chris Riley (aka @HoardingInfo, a technologist and DevOps analyst for Fixate IO) regales us with a tale of the Rugged DevOps crypt - at least from the viewpoint of semi-like-minded security operators...