Securosis Blog

When writing about the flaw in Apple’s account recovery process last week, something set my spidey sense tingling. Something about it seemed different from other similar situations, even though exploitation was blocked quickly and the flaw fixed within about 8 hours.

You read stories about badasses tracking down trolls and showing up at their houses, and you get fired up about attribution. The revenge gene is strong in humans, and there is nothing like taking that Twitter gladiator out to the woodshed for a little good old-fashioned medieval treatment. Now, payback daydreams aside, Keith Gilbert asks a pretty important question about attribution. Do you really need to know exactly who the attacker is?

What happened to the guru? The magician? The computer expert at your company who knew everything. I have worked at firms that had several who knew IT systems inside and out. They knew every quirky little trick of how applications worked and what made them fail, and they could tell you which page of the user manual discussed the exact feature you were interested in. If something went wrong you needed a guru, and with a couple of keystrokes they could fix just about anything. You knew a guru by their…

New Paper: Email-based Threat Intelligence

Mike Rothman · March 21, 2013

The next chapter in our Threat Intelligence arc, which started with Building an Early Warning System and then delved down to the network in Network-based Threat Intelligence, now moves on to the content layer. Or at least one layer. Email continues to be the predominant initial attack mechanism. Whether it is to deliver a link to a malware site or a highly targeted spear phishing email, many attacks begin in the inbox.

Services are a startup’s friend

Mike Rothman · March 21, 2013

I try to read a variety of different non-security resources each week, to stay in touch with both technology and startup culture. Of course, we at Securosis are kind of a startup. We are small and we’re investing significantly in software (which is late and over budget, like all software projects). But we choose not to deal with outside investors and to have reasonable growth expectations, since ultimately we do this job because we love it. Not because we’re trying to retire any time soon.

DHS raises the deflector shields

Adrian Lane · March 20, 2013

All you IT professionals out there who want to divert attention, and give your execs a warm and fuzzy feeling that you’re saving money and making your users’ experience better, just do what the DHS did. Margaret Graves, DHS deputy CIO, pulled a page from Star Trek and flummoxed Congress with some Techno-Babble. From Network World:

Incite 3/20/2013: Falling down

Mike Rothman · March 20, 2013

I read a profile of Spanx’s Sara Blakely in the Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they failed at that day. Wait, what? He would be disappointed if the kids didn’t fail at something, because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I’d thought of that.

Microsoft confirms ‘high-profile’ employee Xbox Live accounts hacked

Major vulnerability in EA’s Origin platform lets hackers overtake PCs

Anyone surprised? Games made an estimated $25.1B in 2010 in the US alone. This is an industry under constant attack – just ask Sony. I’d love to learn more security lessons from them.

Who comes up with this stuff?

Rich · March 20, 2013

Galaxy Note II security flaw lets intruders gain full device access.

Confirmed: iOS 6.1.3 Has Another Passcode Security Flaw

The iOS one in particular is very limited, but I am continuously astounded by the creativity of some of these passcode flaws. Give me SQL injection or heap sprays any day…