Executive Summary for June 2011: Security

Why Do We Trust RSA: Pete Herzog has long argued that the way we “do security” is crazy, and I’m afraid I believe him. You can, and should, consider a different model, namely trust analysis. Think in terms of the questions, Whom do we trust? Why do we trust them? With what do we trust them? And finally, how many controls are necessary, given this trust?

A whole lot of people have trusted RSA Security, vendors of SecurID. See this InfoSec Island article, “Broken Trust Part 1: Reflections on RSA’s SecurID” at
https://www.infosecisland.com/blogview/14652-Broken-Trust-Part-1-Reflections-on-RSAs-SecurID.html. And you will likely never trust RSA again.

Do-It-Yourself Malware Kits: The BBC reports on an outbreak of infections arising from a nice $500 trojan software kit you can buy online. Doesn’t that make you feel comfortable?

And while you’re at the BBC, check out this article about a new malware category name: scareware. Only the name is new; the tactic has been around since the beginning:

Strong Passwords? Forget It: Those ripping GPUs (graphical processing units) in contemporary video cards are useful for more than graphics. How about harnessing them for cracking passwords? The friendly open-source cracking community already has the software. Strong passwords? Soon there will be no such thing.

What Did You Expect Dept.: ZDNet reports “China claims US started global ‘Internet war’ after Google attack”
Uh, you attacked us so we started a war? Gee.

This Is War: ABC News tells us the “Pentagon Gets Cyberwar Guidelines,” which certainly makes me feel safer:

At Least We Aren’t Counting on the FBI: see the Reuters article
describes how they don’t have, and won’t have, the resources to deal with the massive wave of cracking.

Australia unveils cybercrime laws to combat global threat“, also from Reuters:
I know our laws are certainly keeping us secure.

And Finally, A Note Of Hope: OpenSource.com’s article “Telecomix, Anonymous, anarchy, and getting things done through the do-ocracy” at
which says in part:

[Pete Fein] describes what Telecomix, which he is an agent for, did during the revolution following the Mubarak regime’s blackout in Egypt. While the Internet was still up, they built mirrors and proxies and used IRC as a manual relay to Twitter for Egyptians who couldn’t do so. When it went down, they worked with ISPs to set up hundreds of dialup modem lines. They established radio communications and sent communications and medical information to fax machines and set up reverse faxes to get information out of the country.

They’ve reused much of this work in Libya, Yemen, other countries, and even at the recent protests in Wisconsin.