Wednesday, June 6, 2012

Security Smorgasbord, vol 4 no 3

If you use LinkedIn, change your password now:
A Russian hacker says he has stolen 6,458,020 encrypted passwords and posted them online (without usernames) to prove his feat. The breach comes on the heels of news that LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers.
What's the big deal if there are no user names attached to the hashes?  Simples: he's running up the price of the information he's selling by establishing credibility.  Posting the hashes alone is the proof (anyone whose password is in the list can check for themselves); the usernames are the product.  It's not that he doesn't have the user account names, just that he didn't post them.  His clients have to pay for that.

So get changing.  By the way, LinkedIn really hides the "Change Password" feature so I'm hot-linking it here.  It's really quite shameful how cavalier they are about their users' security.  At least they have a blog post about it, but nothing when you log in.
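Two things the point above rests on, shown as an added example (this is not code from the post, from LinkedIn, or from the news story): why a dump with no usernames still "proves the feat", since any victim can hash their own password and look it up, and why a dump of unsalted hashes cracks in bulk. The LinkedIn dump turned out to be unsalted SHA-1, which is why SHA-1 stands in for the "leaked" side; the wordlist, passwords and salts are constructed here, and the salted PBKDF2 storage at the end is the fix a site should have in place, not anything the page says LinkedIn did.

```python
"""Why a dump of password hashes with no usernames is still a big deal.

Added example; not code from the original post or from LinkedIn. The
LinkedIn dump was unsalted SHA-1, so SHA-1 is used for the "leaked" side.
The wordlist, the passwords and the salts below are constructed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "Summer2012"]

# Constructed "dump": unsalted SHA-1 hex digests, no usernames attached.
# Two users chose "password"; unsalted, they collapse into one identical hash.
LEAKED = [hashlib.sha1(p.encode()).hexdigest()
          for p in ("password", "linkedin", "c0rr3ct-h0rse-b@ttery", "password")]


def in_dump(password, leaked=LEAKED):
    """How a username-less dump proves itself: a victim hashes their own
    password and looks it up. Nothing else is needed to establish credibility."""
    return hashlib.sha1(password.encode()).hexdigest() in set(leaked)


def crack_unsalted(leaked, wordlist):
    """Unsalted hashes: one SHA-1 per candidate word tests EVERY user at once.
    Returns ({hash: password}, number_of_hashes_computed)."""
    targets = set(leaked)
    found = {}
    attempts = 0
    for word in wordlist:
        attempts += 1
        h = hashlib.sha1(word.encode()).hexdigest()
        if h in targets:
            found[h] = word
    return found, attempts


def salted_sha1(password, salt):
    """Same algorithm, but a per-user salt makes identical passwords hash differently."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(records, wordlist):
    """With per-user salts the work is users x words, and nothing precomputed
    (rainbow tables, earlier dumps) carries over. records = [(salt, hash), ...]."""
    found = {}
    attempts = 0
    for salt, h in records:
        for word in wordlist:
            attempts += 1
            if salted_sha1(word, salt) == h:
                found[h] = word
                break
    return found, attempts


ITERATIONS = 100_000  # tune so one verification costs tens of milliseconds


def store_password(password, salt=None):
    """What a site should store: random per-user salt + a slow KDF (PBKDF2 here;
    bcrypt or scrypt are equally good). Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time, so timing leaks nothing about the digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    found, tries = crack_unsalted(LEAKED, WORDLIST)
    print(f"unsalted: {len(found)} of {len(set(LEAKED))} distinct hashes "
          f"recovered with {tries} SHA-1 computations")
    # Constructed salted records for the same two weak passwords.
    records = [(os.urandom(8), None), (os.urandom(8), None)]
    records = [(s, salted_sha1("password", s)) for s, _ in records]
    found, tries = crack_salted(records, WORDLIST)
    print(f"salted:   {len(found)} hashes recovered with {tries} SHA-1 computations")
    salt, digest = store_password("hunter2")
    print("pbkdf2 verify:", verify_password("hunter2", salt, digest))
```

The unsalted run recovers every user who picked a dictionary word with one hash per word, which is why a bare list of 6.4 million digests is worth money to anyone holding the matching usernames. The salted run has to redo the whole wordlist per user, and the PBKDF2 iteration count makes each of those guesses thousands of times slower still.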


The first rule about Cyber Attack Plans is that there are no Cyber Attack Plans:
CyCon 2012 NATO does NOT need cyber-offensive capabilities, according to a senior military commander.

Major General Jaap Willemse, who was speaking at the International Conference on Cyber Conflict (CyCon), said launching barrages of computer-based attacks is off the agenda for the Western military alliance, at least for the immediate future.
Well OK then!  Boy, that's a relief.  Pay no attention to that man behind the curtain.  The Great and Powerful Willemse has spoken ...


I keep telling people that they shouldn't attach critical systems (like SCADA process controllers) to Al Gore's series of tubes.  It's trivial to find them using this point and drool interface.

We're entirely screwed.


Apple is finally starting to get serious about security.  IT types, you'll want to grab their iOS Security Guide.


It seems that the FBI put together a file on Richard Feynman.  Interesting.  Remember, if I come across as paranoid, I was trained that way by the finest minds in the Free World.


Alan said...

I had to tell someone last week that a VLAN was not a way to secure a SCADA network.

"You mean VLANs aren't encrypted?"


wolfwalker said...

"It seems that the FBI put together a file on Richard Feynman. Interesting. Remember, if I come across as paranoid, I was trained that way by the finest minds in the Free World."


A) note that per the first page, Feynman was being checked out for membership on President Eisenhower's Science Advisory Committee, a position that apparently required some level of security clearance.

B) have you ever read Feynman's autobiographies? The guy was a nut. Brilliant beyond human ken, and a gloriously funny man with a joie de vivre that I can only envy ... but a nut nonetheless. During the Manhattan Project he made a habit of screwing with the minds of the resident security personnel, in ways that (if I were a security man paid to be paranoid) would have given me cause to wonder if he was in fact a security threat.

DaddyBear said...

It's not paranoia if you're right!

And thanks for the iOS guide. It'll come in handy.

AnarchAngel said...

Currently security operations lead for a tri-state electric utility.

Actually I'm the secops manager, but I'm an outside contractor, and in my client's org only internal FTEs can be managers... and managers "don't do work, they manage work and workers".

That's a direct quote by the way.

Security, on SCADA networks? Yeah... Right... Ummm.... Well...

Tom Lindsay said...

In 1995, when I had the great adventure of building a new chemical plant, I had them intentionally NOT permanently connect the plant PLC system to the internet. There is a port one can connect to, but my instructions were that the cable was to be unplugged unless the Plant Manager gave the word.

Second, Feynman is my hero. The image of him pulling the shuttle O ring out of the cup of ice and taking the clamp off is, to me, the model of smart-ass. It's what America should be.