Sunday, September 29, 2013

Two items caught my eye this week.  The first is a great example of one of the big risks you should consider when outsourcing your data or services to the cloud, as I discussed in my presentation about DRaaS in class two weeks ago:

A Nirvanix Post Mortem - Why There's No Replacement For Due Diligence


My key take-away sentence: "The bottom line is that no one cares about your data more than you do – there is no replacement for a robust due diligence process and robust thought about avoiding reliance on any one vendor."  (emphasis added)


The other article is from a local Omaha company:  

Solutionary SERT to Produce Daily Threat Intelligence Blog Series During National Cybersecurity Awareness Month

"Throughout October, blog topics will include the following:
• Malware Mondays: Focusing on the latest malware trends and cyberattacks targeting enterprise networks.
• Tip Tuesdays: Featuring tips from SERT on the actions that IT security professionals can take to best secure their enterprise networks.
• White Hat Wednesdays: Profiling SERT researchers to give the IT security community a closer look at the people behind the intelligence.
• Thoughtful Thursdays: Offering predictions about the future of cybertrends and attacks, including such topics as malware, mobile security and hacktivism.
• Follow Friday: Providing review and analysis of the week's cybersecurity headlines."

I think this sounds cool and plan on checking the blog each week here: http://www.solutionary.com/resource-center/blog/tags/National-Cyber-Security-Awareness-Month. I'll let you know if I think it lives up to the hype.

"Good night and good luck" to us all.

Mark V2

Sunday, September 22, 2013



Well, that didn't take long.

"Hackers from the Chaos Computer Club (CCC) say they have successfully bypassed the biometric security of Apple's recently released TouchID on an iPhone 5s."(Mike Lennon, Security Week, 21 Sep 2013)

See the complete article on how they did it here: http://www.infosecisland.com/blogview/23397-Hackers-Defeat-Apples-TouchID-on-an-iPhone-5S.html

On the dirty tricks front (NSA), there weren't any new revelations this week, just reaction:

"Security firm RSA sent an advisory to their developer customers warning against use of a toolkit that employs an NIST encryption algorithm by default that is suspected to have been “backdoored” by the NSA." (Anthony Freed, InfoSec Island, 21 Sep 2013)

This is an example of the damage to trust I believe the NSA has wrought, and trust in the strength of the encryption algorithms used to secure so much of the underpinnings of the internet is vital. I don't think the Law of Unintended Consequences has run its course yet.


"Goodnight and good luck"--to all of us.

Mark V2


Sunday, September 15, 2013

League of government sneaks and cheaters (LoGSC)

Continuing my rant from last week, what does this headline:


FBI admits what we all suspected: It compromised Freedom Hosting’s Tor servers

have in common with this one:

New York Times provides new details about NSA backdoor in crypto spec

other than that they're both from Ars Technica?

They're both reports about the abuse of power in the pursuit of lofty goals (national security).  Next the abuses will be in pursuit of base goals (the preservation of power), if history is any guide.  I'm not saying there's any way back; I believe we're already over the precipice.  I'm just pointing out the road signs as we slide by, into a dark and ugly future.  The wheel turns.

Or maybe not:  NIST: "we are not deliberately... working to undermine or weaken encryption."  At least one government agency, and it's still one of my favorites, doesn't appear to be in the League... yet.

Maybe I'm a cynic, or have read too much dystopian sci-fi, but I'm reminded of this poem, by William Butler Yeats:
The Second Coming
Turning and turning in the widening gyre   
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere   
The ceremony of innocence is drowned;
The best lack all conviction, while the worst   
Are full of passionate intensity.

Surely some revelation is at hand;
Surely the Second Coming is at hand.   
The Second Coming! Hardly are those words out   
When a vast image out of Spiritus Mundi
Troubles my sight: somewhere in sands of the desert   
A shape with lion body and the head of a man,   
A gaze blank and pitiless as the sun,   
Is moving its slow thighs, while all about it   
Reel shadows of the indignant desert birds.   
The darkness drops again; but now I know   
That twenty centuries of stony sleep
Were vexed to nightmare by a rocking cradle,   
And what rough beast, its hour come round at last,   
Slouches towards Bethlehem to be born?

To paraphrase the poignant words of Edward R. Murrow, "Goodnight and good luck"--to all of us.

Mark V2

Friday, September 6, 2013

So the top InfoSec news of the week has to be the revelation that not only has the NSA been scooping up all the inter-bits, everywhere, all the time, but that they can decrypt almost all of them.  They do this not only by (limited) brute-force cracking, but by "acquiring" commercial keys, by hook or by crook.

What chafes my butt about this is that, to paraphrase Pres. Obama, we HAD this "public discussion" back in the '90s when the NSA wanted to require the CLIPPER chip. The subject was debated, extensively, by all stakeholders, and the DEMOCRATIC decision was that we valued our privacy more than the government's need to provide security.

Apparently, the NSA decided they are above the law, and so they subverted the will of the people and reached their goals anyway.

"Power tends to corrupt, and absolute power corrupts absolutely."  - Lord Acton