Monday, November 9, 2009

First iPhone Worm in the wild - for Jailbroken iPhones only

PMP Today reports that the first iPhone-targeted worm is hitting jailbroken iPhones that still use the standard SSH password. The worm is a mobile-device Rick Roll: it sets a Rick Astley photo as the phone's background.

The easy fix is, of course, not to use the default SSH password - "alpine" wasn't exactly a good password to start with.

Thursday, November 5, 2009

Risky Behavior: Making Risk Assessment Fun

The Naval Safety Center's Picture of the Week often provides a great visual aid when discussing risks - I find that audiences get a kick out of them, and they can help break the ice when starting a risk assessment. This one? I'm pretty sure that's an integrity risk (for his bones), and an availability risk (to his services). Impact? High! Probability? Well...that depends.

Sunday, November 1, 2009

Visualizing a Risk Vocabulary

Wordle.net's word visualization tool can be a great way to map out words and concepts. The Wikipedia text for Risk Assessment became part of a presentation I am building, which I was asked to provide as a guest speaker in an MBA class. Here's what it looks like:

The map for computer virus is also interesting:

I suspect that these will be useful visual aids in my presentations - a new way to present security concepts is often helpful, particularly when dealing with a non-IT staff audience.

Friday, October 30, 2009

Future Proofing an Information Security Job

One of the more interesting information security job questions that I've seen recently is "How do you future proof a security job?".

That's an interesting question - security, like much of IT, has changed significantly over the past few years, and the skillsets required have changed or matured. A decade ago, there were far fewer dedicated information security positions, web security was just starting to become a visible issue, and intrusion detection was in its infancy. We've come from a world where local networks meant that copied floppies and boot-sector viruses were our main threat, to a world where even our phones are possible threat vectors.

How then, can an information technology security professional stay relevant?

If you want to remain a technologist, rather than enter management, there are two popular paths: specialize or become a generalist.

If you choose to specialize, your route will take you down the path of becoming ever more highly trained in one discipline, or possibly a few closely related areas. Penetration testers may become more skilled programmers, and could delve deeply into web technologies, or system kernel exploits. Network security experts might become a CCIE, or tackle high end certifications from specific vendors.

The problem is that when that technology dies, you may have to re-train. That's nothing new in the world of information technology: Banyan Vines and NetWare administrators have moved on to Active Directory, and Token Ring experts have retrained for gigabit switched Ethernet and Internet protocols. What it does mean is that you have to keep an eye open, to avoid becoming outdated along with the technologies you are expert in. Specialization is a great way to get a job - if that job is in demand and the supply is small. COBOL programmers knew this in 1999 - but that was a relatively rare opportunity for a dying technology to make a brief comeback.

The other route, of course, is that of the generalist. This tends to put you into a role that glues together security with other IT areas, and can be quite rewarding - but you may find that you're unable to operate at the same depth that your specialized peers can attain. Generalists may have a harder time justifying specialized training, and will not necessarily find that their resumes qualify them directly for the highly specialized jobs that require a single scarce skill.

Which route should a security analyst take? That's a tough call. At the end of the day, your work environment and your own preferences will likely shape your future-proofing efforts. In either case, technology will change, new threats will appear, and the job will continue to provide the challenges that we all face.

Thursday, October 29, 2009

How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup

If you run a website of any type, there is a good chance that you'll want to remove content from Google, Bing, and other search engines at some point, either due to outdated information or sensitive data exposure. Below are links to the documentation provided by each of the major search engines for their removal process.

Most search engines will tell you that your first action should be to create an appropriate robots.txt, and many want you to return a 404 error. If you don't, they may keep your content cached for even longer than they might otherwise.

Google

First, you can build and submit a removal request for information, images, outdated or inappropriate content.

Then, once you have removed your own content, you can prompt Google to re-index it more quickly using their webpage removal request tool.

Finally, make sure you follow Google's noindex meta tag and robots.txt instructions.

Yahoo!

With Yahoo's move to the Bing search engine, their removal process has changed. You can use their Site Explorer tool to remove your site from their results.

Ask (formerly Ask Jeeves)

Ask only provides robots.txt support, and has no formal published removal process.

Bing

Microsoft's new search engine has recently published removal instructions.

AltaVista

Per AltaVista's support information,

"If an AltaVista user comes across web pages that contain private personal, professional or financial information that is not available to the public and/or may have been illegally obtained, he or she can write to legal-support-uk@av.com to request that the offending URL be removed from AltaVista's index. Please note that removing said URL from AltaVista's index does not remove the URL from the public internet or the indexes of other search engines."

Archive.org / the Wayback Machine

Archive.org provides a long term snapshot of much of the Internet, dated by when the page was crawled. If your site has been available for any length of time, and if you have static content that it can crawl, there's a good chance you'll want to contact Archive.org for exclusion.
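As an added illustration (not code from this post or from any search engine), here is a small Python checker that classifies how a crawler would treat a URL under the robots.txt, noindex meta tag and 404 advice in the roundup above. It runs over a constructed robots.txt and constructed page snippets; `parse_robots`, `robots_blocks`, `has_noindex` and `removal_status` are hypothetical names, and the robots.txt matching uses the longest-prefix rule without wildcard support.

```python
import re
# Constructed sample robots.txt (not from a real site): a catch-all group and a Googlebot group.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Allow: /private/public-notice.html
User-agent: Googlebot
Disallow: /drafts/
"""

def parse_robots(text):
    groups, current, expecting_agents = {}, [], True   # agent -> [(directive, path)]
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")   # drop comments
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not expecting_agents:           # a rule line closed the previous group
                current, expecting_agents = [], True
            current.append(value.lower())
            groups.setdefault(value.lower(), [])   # an agent with no rules is allowed everything
        elif key in ("allow", "disallow"):
            expecting_agents = False
            for agent in current:
                groups[agent].append((key, value))
    return groups

def robots_blocks(groups, agent, path):
    # Only the most specific agent group applies; longest matching prefix wins, Allow wins ties.
    rules = groups.get(agent.lower(), groups.get("*", []))
    best = max(((len(p), d == "allow") for d, p in rules if p and path.startswith(p)), default=None)
    return best is not None and not best[1]      # no '*' / '$' wildcard support here

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def has_noindex(html):
    # True if a <meta name="robots"> tag carries noindex, whatever the attribute order.
    for tag in META_TAG.findall(html):
        attrs = {m[1].lower(): m[2] or m[3] or m[4] or "" for m in ATTR.finditer(tag)}
        if attrs.get("name", "").lower() == "robots" and "noindex" in attrs.get("content", "").lower():
            return True
    return False

def removal_status(path, status_code, html, groups, agent="Googlebot"):
    if status_code in (404, 410):
        return "gone"       # dropped from the index on the next crawl
    if robots_blocks(groups, agent, path):
        return "blocked"    # never fetched, so a noindex tag here is invisible; the URL may stay listed
    return "noindex" if has_noindex(html) else "indexable"
```

The "blocked" case is the caveat worth remembering: a Disallow in robots.txt stops the crawler from seeing a noindex tag, so the robots.txt and noindex steps have to be used in the right order.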

Friday, October 23, 2009

President Obama on Cybersecurity Month

President Obama's short video on cybersecurity month is available. This is the first time I've heard the President outline our frequent security advice - verify identities before giving out information, update your software, beware of suspicious emails. You can watch for yourself below:

Thursday, October 22, 2009

Worried About The Evil Maid?

Joanna Rutkowska's "Evil Maid" TrueCrypt attack has been getting a lot of buzz in security circles today. In essence, the attack involves compromising the trust that TrueCrypt (and the user) places in the boot process. An evil maid (or other ne'er-do-well) exploits their physical access to a machine and that machine's capability to boot from external media such as a USB device to add a keylogger or other trojan to the boot sector or firmware, allowing capture of the presumably unchanging decryption key that the user enters to access their filesystem.

Am I particularly concerned about this as an attack against my organization's resources? Of course not!

We do use encryption on our mobile systems - not TrueCrypt, but the caution applies to the concept, not only to Rutkowska's specific implementation. With that said, a simple risk assessment serves us in good stead. Is our data so valuable, or are maids so twisted, that we have to worry about them attempting to access our laptops, which (hopefully) we lock in safes in hotel rooms or otherwise appropriately protect? No - none of the people that I work with are in Her Majesty's Secret Service, or otherwise likely to be high value targets.

The good news is that Rutkowska's implementation of this attack serves as a good reminder that our trust in enterprise drive encryption is much like any other technological solution in our daily security war - simply a stage in the escalation of tools.

Years ago, we recommended passwords on laptops. Then, legislation and more technically aware users pushed us to drive encryption. Next, as attacks like this become more widely approachable, we'll worry about how to use TPM, drive hashing, two factor authentication, or technologies that can guarantee the state of a system between uses. For now, I'm far more worried about malware installed on systems either via a vulnerability or a user's mistake. Why? Because our drive encryption efforts do nothing when the drive is unlocked for the user's daily work.

For your daily security efforts, you can likely worry about much more immediate security concerns - and in the meantime, if your maid cackles evilly, and speaks in l33t - you may want to guard your USB ports.