Mythos of IPv6, It's Too New to be Attacked...
More IPV6 myths exposed by ISOC's Deploy360 Director Chris Grundemann. This time focusing on the myth that IPv6 is too new to be attacked. Today's MustRead!
...or, why Kirk McElhearn advises against utilizing Apple Inc. (NasdaqGS: AAPL) iCloud. Read the sorry tale at mcelhearn.com. The economic component discussed runs the gamut of the obvious lost data to why customers should avoid purchasing iCloud enabled apps. Today's Must Read.
Surprised by the largest heist in history? Concerned about the Carbanak APT? Clearly, proof-positive that advanced persistent threats are deeply evil - and highly efficient when coupled with other complementary, stealth-like methodologies (aka Hiding in Plain Sight). Read on...
Via PCWorld's Katherine Noyes comes this well-crafted examination of what some may call a magnificent obsession. In this case, that obsession is Vinton Cerf, Ph.D.'s predilection to worry the upcoming Digital Dark Age to a nubbin... Today's Must Read.
This Shmoocon presentation by Will Schroeder is a classic. Today's MustSee security video.
Well now, this is good news [of course, purely dependent upon where your place is within the transaction, and upon future issues of both key management and governance-related challenges], as Box has commenced provisioning customers with their own encryption keys. Gotta admire the transfer of risk in this action, all under the guise of enterprise key management...
'Today, Box says it has a new product that gets the job done. Called “Enterprise Key Management (EKM),” the service puts encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center. The Box service still must access customer’s data in order to enable sharing and collaboration, but EKM makes sure that only happens when the customer wants it to, Box says.' ArsTechnica's Jon Brodkin
News, via Pat O'Reilly of the National Institute of Standards and Technology Computer Security Division [NIST CSRC]; in which, the good Mr. O'Reilly notifies us of the release of NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization. You can also view and download any previous NIST ITL [Security] bulletins, and their associated documentation and special publications, at the NIST Computer Security Division's Computer Security Resource Center.
Astoundingly, myths still arise in this epoch of science, and strangely so when dealing with "new" technologies [Read: new means new as of the final two years of the last century, given that IPv4 was originally codified by the IETF in 1981 with the acceptance of RFC 791] - in this case the vaunted move to IPv6. Now, arising from the ashes of IPv4 exhaustion hysteria, comes a currently popular myth surrounding the use of NATs in IPv4 and the lack of a counterpart construct in IPv6.
Dr. Michael Geist (Law Professor at the University of Ottawa, and the current holder of the Canada Research Chair in Internet and E-commerce Law) holds forth on current cloud cogitation up north (at least within the data confines of the Government of Canada / Gouvernement du Canada).
Well-documented paper on the capability to identify entities via credit card metadata [i.e., the identification is based on what was once thought to be anonymous big data...]. Time to move back to cash transactions. Simply incredible.
In a new series (typically behind Science Magazine's pay-wall, but with free access until February 5th, 2015), comes this particularly disturbing revelation about Facebook Inc.'s (NasdaqGS: FB) DeepFace system, which is now, apparently, as accurate as humans at facial recognition.
In a posting published by ProPublica, online advertising leviathan TURN is reported to be utilizing the dreaded zombie cookie, pioneered by those friendly folks at Verizon Wireless. ProPublica is also reporting that TURN's actions were originally discovered by Stanford University computer scientist and attorney Jonathan Mayer, and then tested by ProPublica staffers.
Absolutely spot-on IPv6 security analysis by the Deploy360 section at ISOC, detailing security misconceptions - now full-blown myths - about IPv6 infrastructure. Along with the clarification efforts regarding IPv6 and the ramifications of what security componentry has been baked into the network protocol, comes the vastly enlarged address space of approximately 3.4×10^38 addresses, as compared to the measly 4.3 billion addresses of IPv4.
Leaving the gargantuan IPv6 address space benefits for another discussion, the security flaws resident within the protocol's structure must be managed effectively on such an old addressing specification. After all, the original Internet Engineering Task Force specification [RFC 2460], the "Internet Protocol, Version 6 (IPv6) Specification", bears a date of December 1998...
"In order to make IPv6 as simple and interoperable as possible, it uses a minimalist standard packet header. In order to make IPv6 as extensible as possible, it allows “extension headers,” additional chunks of meta-data that can be strung behind the IP header to provide additional features and functionality. IPsec leverages the extension header mechanism to carry necessary authentication and encryption data, for one example. Unfortunately, having extension headers designed into the protocol for extensibility also means having security flaws designed in along with them." - via the ISOC Deploy360 Myth#2 Post
If you read anything about cryptography today, read the work of Stanford University's Center for Internet and Society's Jeffrey Vagle, JD [Mr. Vagle is also a Lecturer in Law and the Executive Director of the Center for Technology, Innovation and Competition [CTIC] at the University of Pennsylvania Law School]; in which, Mr. Vagle examines the criminalization of cryptography [a snippet of his work appears below].
'We've heard this story from governments before, of course, from the "crypto wars" of the early 1990s to recent claims by the FBI that encryption allows networks to "go dark," and prevent legitimate law enforcement efforts. But as the leaked security memo asserts, without strong crypto and secure networks, we're all put at greater risk. It is crucial that we keep this in perspective as the world's legislative bodies rush to do something--anything--in the face of these crises.' - via Jeffrey Vagle writing at the Center for Internet and Society, at Stanford University
Evidence, via George I. Seffers, of indications that the United States Department of Defense has awoken to the realization that with nearly ubiquitous connectivity comes potentially lethal levels of vulnerability, leading to in extremis scenarios.