Unpatched iPhones/iPads secure connections not so secure | Naked Security.
Yesterday I wrote about Apple’s latest fixes for iWork and iOS and encouraged folks to update. Now that more information is available it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls.
The flaws in iOS 4.3.4, 4.2.9 and 5.0b3 and lower are a lot more serious than Apple’s description of their fix: “This issue is addressed through improved validation of X.509 certificate chains.”
Do not do any e-commerce or banking transactions until you upgrade.
Crowd Sourcing Cyber Investigations: Untapped Potential or Risky Business? | SecurityWeek.Com.
For many years law enforcement turned to the public for aid in identifying and tracking criminal suspects. This was done through famous WANTED posters and, later, as technology progressed, by featuring them in television shows such as “America’s Most Wanted”. If we put it in today’s terms, law enforcement uses crowd sourcing in criminal investigations and manhunts, receiving leads of the criminal’s identity and whereabouts from the public when such leads were not obtained through the normal course of the investigation. Surprisingly, in a world where some individuals from the public have as much knowledge and resources at their disposal as the law enforcement investigators, crowd sourcing isn’t done enough. I’m talking, of course, about the world of cybercrime.
The article goes on to describe a couple of situations where crowd sourcing of cyber investigations played a role in apprehending the perpetrator.
Could crowd sourcing cyber investigations be done in a more organized way?
An Analysis of Anonymity in the Bitcoin System: Bitcoin is not Anonymous.
Bitcoin is not inherently anonymous. It may be possible to conduct transactions in such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified. We have performed an analysis of anonymity in the Bitcoin system and published our results in a preprint on arXiv.
This blog is written by Fergal Reid and Martin Harrigan. We are researchers with the Clique Research Cluster at University College Dublin. The results in this blog are based on a paper we wrote that considers anonymity in the Bitcoin system. A preprint of the paper is available on arXiv.
To illustrate their case, they focus on the alleged thief who stole 25,000 Bitcoins. They make extensive use of flow visualizations.
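The kind of de-anonymisation the paper describes rests on linking addresses into users and then following flows between those users. The example below is added here and is not code from Reid and Harrigan or from their paper; it assumes the widely used multi-input heuristic (every input of a single transaction is signed by the same entity, so those input addresses can be grouped) and applies it with union-find to a constructed set of transactions, then derives the user-to-user flow graph that a visualisation would draw.

```python
"""Address clustering and user-flow graph from public transaction data.

Added example (not from the page or the paper). Assumption: the multi-input
heuristic, i.e. all inputs of one transaction belong to one entity, because
each input must be signed with that input's private key. Transactions below
are constructed sample data: (txid, input addresses, output addresses).
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Tx = Tuple[str, List[str], List[str]]

# Constructed sample data, not real Bitcoin addresses or transactions.
SAMPLE_TXS: List[Tx] = [
    ("tx1", ["A1", "A2"], ["B1", "A3"]),   # A1 and A2 spent together
    ("tx2", ["A3", "A4"], ["C1"]),         # A3 and A4 spent together
    ("tx3", ["B1"], ["D1"]),               # single input: no new link
    ("tx4", ["E1", "E2"], ["F1"]),
    ("tx5", ["F1", "B1"], ["G1"]),         # links F1's owner with B1's owner
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def add(self, x: str) -> None:
        self.parent.setdefault(x, x)

    def find(self, x: str) -> str:
        self.add(x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs: List[Tx]) -> Dict[str, FrozenSet[str]]:
    """Map every address to the cluster (presumed user) it belongs to.

    Only addresses that appear together as inputs of one transaction are
    merged; outputs stay separate unless they are later spent alongside
    other inputs.
    """
    uf = UnionFind()
    for _, inputs, outputs in txs:
        for addr in inputs + outputs:
            uf.add(addr)
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(g) for g in groups.values() for addr in g}


def user_graph(txs: List[Tx], clusters: Dict[str, FrozenSet[str]]):
    """Edges (source cluster, destination cluster, txid) between distinct users.

    This is the 'user network' view: payments from one presumed entity to
    another, with intra-cluster transfers (e.g. change) dropped.
    """
    edges = set()
    for txid, inputs, outputs in txs:
        src = clusters[inputs[0]]
        for out in outputs:
            dst = clusters[out]
            if dst != src:
                edges.add((src, dst, txid))
    return edges


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    for c in sorted(set(clusters.values()), key=sorted):
        print("user:", sorted(c))
    for src, dst, txid in sorted(user_graph(SAMPLE_TXS, clusters), key=lambda e: e[2]):
        print(f"{txid}: {sorted(src)} -> {sorted(dst)}")
```

Run stand-alone, the script prints seven presumed users and six inter-user payments; note that tx5 retroactively joins the owner of B1 (paid in tx1) with the owner of F1 (paid in tx4), which is exactly the kind of link a user cannot undo after the fact.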
Zurich seeking immunity from covering Sony over breach – SC Magazine US.
Zurich American Insurance, Sony’s general liability insurance carrier, is contesting any obligation for costs related to the 58 class-action lawsuits against Sony related to the 100 million user breach of Sony’s PlayStation Network.
Zurich argues that it is not liable to indemnify Sony for these costs because its policy with the company only covers claims for bodily injury, property damage or personal and advertising injury. Sony’s policy contains “certain exclusions” related to “class-action complaints and miscellaneous claims,” according to the complaint, filed Wednesday.
Maybe this is why companies like Sony do not seem to address their information security responsibilities.
Google+ Gets a “+1” for Browser Security | The Barracuda Labs Internet Security Blog.
Barracuda compares Google+ vs Facebook with respect to SSL and Secure Headers. Google+ wins.
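A comparison like Barracuda's comes down to inspecting the response headers a site sends over HTTPS. The checker below is an added example, not Barracuda's tool or method; the set of headers it looks for (HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy) and the cookie attributes it checks (Secure, HttpOnly) are my assumptions about what a reviewer would examine, since the page does not list them, and both responses are constructed sample data.

```python
"""Audit HTTP response headers for common browser-security protections.

Added example, not from the page or from Barracuda. The header list and
cookie checks are assumed review criteria. Both responses are constructed.
"""
from typing import Dict, List, Tuple

# Assumed set of headers a reviewer looks for, with why each matters.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS: browser refuses plain HTTP after first visit",
    "x-frame-options": "blocks clickjacking by framing",
    "x-content-type-options": "disables MIME sniffing",
    "content-security-policy": "restricts where scripts may load from",
}

# Constructed sample responses (hypothetical sites, not real captures).
SITE_A_RAW = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly
"""

SITE_B_RAW = """HTTP/1.1 200 OK
Set-Cookie: session=xyz; Path=/
X-Frame-Options: DENY
"""


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (lowercased name, value) pairs.

    Kept as a list rather than a dict so repeated Set-Cookie lines survive.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Report missing protective headers and cookies lacking Secure/HttpOnly."""
    present = {name for name, _ in pairs}
    findings: Dict[str, List[str]] = {
        "missing": [h for h in EXPECTED_HEADERS if h not in present],
        "cookie_issues": [],
    }
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings["cookie_issues"].append(f"{cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings["cookie_issues"].append(f"{cookie_name}: missing HttpOnly")
    return findings


def score(findings: Dict[str, List[str]]) -> int:
    """Simple count of problems; 0 means every assumed check passed."""
    return len(findings["missing"]) + len(findings["cookie_issues"])


if __name__ == "__main__":
    for label, raw in (("site A", SITE_A_RAW), ("site B", SITE_B_RAW)):
        f = audit_headers(parse_raw_headers(raw))
        print(label, "problems:", score(f))
        for h in f["missing"]:
            print("  missing", h, "-", EXPECTED_HEADERS[h])
        for issue in f["cookie_issues"]:
            print("  cookie", issue)
```

Against the constructed data, site A passes every check and site B is flagged for three missing headers and a session cookie that is neither Secure nor HttpOnly; the same code can be pointed at a real response head captured with a browser's developer tools.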
Calif. Co. Sues Bank Over $465k eBanking Heist — Krebs on Security.
Village View Escrow is suing Professional Business Bank for losses of $465,000 resulting from “26 consecutive fraudulent wire transfers to 20 individuals around the world who had no legitimate business with the firm.”
The precedent is the Experi-Metal case against Comerica.
Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.
Lenny Zeltser on Information Security — Why There Are Fewer LinkedIn Scams and Malware Than Facebook Ones.
Lenny Zeltser received some very good answers as to why there are fewer scams on LinkedIn than Facebook.
I think this is the best answer:
People’s LinkedIn interactions have a professional perspective. This frame of mind doesn’t generate the same social/emotional response as Facebook, which makes them more resistant to being tricked, suggested @adamshostack. In addition, @marypcbuk pointed out that people tend to pay more attention to their LinkedIn interactions, because they police their professional activities more carefully than personal ones.
Facebook interactions are much more free-flowing and emotional, while on LinkedIn, which is professionally oriented, interactions are more thoughtful. On LinkedIn people are more cautious because they are more concerned with their reputations.
The other answers definitely have merit as well.
Lenny Zeltser on Information Security — 3 Reasons Why People Choose to Ignore Security Recommendations.
Lenny Zeltser relates a general psychology paper on Information Avoidance ($30 if you want to read the paper) to why security recommendations are ignored.
Here are the three reasons outlined in the paper:
(a) the information may demand a change in beliefs,
(b) the information may demand undesired action, and
(c) the information itself or the decision to learn information may cause unpleasant emotions or diminish pleasant emotions.
On the third point, Lenny hits on one of the age-old concerns – the unpleasant emotion of “I bought the wrong security products.”
While this could be true in some situations, the more likely issue is that the security landscape has changed and made the purchased security product in question obsolete before it is fully amortized.
We are seeing this today with respect to firewalls. The changes in the way browser-based applications communicate with servers and the related attack vectors have left traditional port-based firewall policies helpless to defend the organization.
RSA FraudAction News Flash: Trojan Add-On Forces Zombie PCs into Slavery to Mine Bitcoins « Speaking of Security – The RSA Blog and Podcast.
RSA is reporting that SpyEye and Zeus trojans have been enhanced to use botnet zombie computers to mine Bitcoins.
This article provides a nice introduction to Bitcoin if you are not familiar with this form of digital currency and then discusses the Bitcoin “stealing” enhancements to the two botnet trojans.