Thursday, November 14, 2013

Blog Blog

 
And now, the moment you’ve all been waiting for!  Yes, it is here… The blog about my blog.  What did I write about?  Where did I get my information from?  And, to whom would this whole thing be useful?  This is an interesting exercise, a fairly rare look back at something to see what was gained.

My intention at the beginning was to find a theme and stick with it throughout the semester, to gain a deeper knowledge about one or two topics.  This isn’t what ended up happening.  In reality, what I seemed to do was browse around, and the first time I found a topic that interested me, I wrote about it.  Topics were truly all over the board – simply whatever grabbed my interest.  Some had very little personal input, while some had a little more of my philosophy.  I think the best was when I found a story by someone else, and then looked to see if outside facts supported the claims – if I had to do it over again, I would do that more often.

My approach to finding material was simple.  If I didn’t get curious about something during the week – I simply started clicking on the recommended links from the first week until something grabbed my eye.  If I read it, and was interested, that became my topic for the week.  I guess the approach was close to leafing through a newspaper and commenting to others in the area about it.  My biggest sources ended up being Infosec Island and Security Week.

I really don’t know if a security professional would get much out of my blog – perhaps some weeks, but I think a lot of it would be simply “Well, duh” stuff to a professional.  I would really recommend starting with a theme (or 2-3 related themes), sticking to them, and doing more investigating of topics.  I have to admit that, at 20 points per week, I tended to give this lower priority than I should have.  Usually, I would complete my post late on Sunday, think “This was fun, I’ll get a head start on it next week!” and then all my good intentions would go for naught.  I’d really recommend students do this for themselves – really think of a way they can create something they can be proud of, and might even want to continue after the class is done.

 

Sunday, November 10, 2013

Us vs Them

Gant Redmon recently published an interesting piece on privacy issues (http://www.securityweek.com/simple-guide-privacy-outrage), a topic which seems to come up more frequently every day.  He indicates there are 4 main perceived privacy threats for most people - the US government, foreign powers, social media, and e-mail providers.  Individuals are likely to feel threatened by some or all of these sources, depending on their perception of them.  If one trusts the US government is acting purely to protect the nation, for example, they probably aren't concerned about the NSA looking at their e-mails.  If they believe Facebook just wants to make sure they find out about products they want, then they probably are ok with targeted advertising.  This really comes down to Us vs Them - Whoever we consider to be 'Us' we probably don't mind if they peek into our business a little - if it is Them though, we are outraged.

Sunday, November 3, 2013

Old and in the way

Reading about the Athena botnet at http://blogs.mcafee.com/mcafee-labs/athena-botnet-shows-windows-xp-still-widely-used got me thinking - if I wanted to create a general attack, I'd go after the oldest operating system I could.  Why go after the brand new machines, with the latest protections?  Why not go after an old operating system, with no internal protection?  Many of these computers might have no protection at all!

Sunday, October 27, 2013

Even More Linked In

LinkedIn has a new app which will route all of your e-mails through their servers (http://www.infosecisland.com/blogview/23444-LinkedIns-Email-Proxy-Scheme-Described-as-Man-in-the-Middle-Attack.html).  In effect, this works as a man-in-the-middle attack.  While technically users are okaying this, it is likely most don't really realize what is happening.  I would expect this will cause many companies to block LinkedIn from company phones - which would probably cause many users to leave the service.

Sunday, October 20, 2013

Seven Habits of Cyber Security

How much of security is just habit?  Many things that seem like a big hassle are actually very minor if you simply make them a habit.  Reading http://www.securityweek.com/seven-habits-security-conscious got me thinking about just how easy it is for the typical person to keep reasonably safe.  None of these steps take much time - really, if they are all added up, it might only be a few hours per year.  In comparison with the actual costs in time and money of not following these steps... Virtually nothing!  It reminded me of how much of a hassle it seemed to be to put on a seat belt once laws started to be passed enforcing wearing them.  It seemed like a pain.... Now I can't actually even remember the last time I put one on!  Not because I don't wear one, but because it has become such a habit it is subconscious.  This should be our goal with many security habits - make them subconscious!

Sunday, October 13, 2013

Security Shutdown?

Is it possible that the government shutdown has left us more open to cyber terror?  According to Security Week (http://www.securityweek.com/us-government-shutdown-creates-serious-cyber-risks-experts), this is the case.  While essential employees were to stay on duty, many governmental sites have shut down or been reduced in scope - and security personnel have been furloughed.  With the reduction in user traffic, is the reduction in security justified?  Are the claims that security personnel shouldn't have been furloughed simply self-interest?


Sunday, October 6, 2013

Opt-In??

Often when you go to order something online, just before you click on "Order" there are some boxes along the lines of "Please add me to your mailing list" and "Please send me information on more products I might like."  These boxes can be opt-in (not pre-checked) or opt-out (pre-checked).  One of my pet peeves is when I notice the Opt-Out box just after I click 'Send'.  What does this have to do with anything?  Read here - http://www.infosecisland.com/blogview/23414-Why-iOS7s-AirDrop-Is-Risky-for-Business.html to learn about some of the risks of using AirDrop.  In a nutshell, what it comes down to is one has to 'Opt Out' to keep files safe on mobile devices.  When we get a new phone, tablet, etc, how many of us actually spend a lot of time to consider how secure our information is?  Would it be smarter to have all of the neat 'convenience' options be opt in, so that people aren't less secure than they think?