Unconventional Risk Vectors

Each episode we’re going to be talking about information security and technology security issues that matter to business, not just the technologists. Our theme this episode is unconventional risk vectors – risks you might not normally consider, but that could be something to look out for.

In this episode we catch up on the three major security conferences in Vegas that happened earlier this month: Black Hat, DEF CON and BSidesLV. There were some interesting talks there, including research on the computer systems that actually control your cars, research on medical devices, and a hack that can get access to your mobile phone just by plugging it into a charger. We also talk about the Syrian Electronic Army (SEA) takeover of Twitter and the New York Times, research on USB modems, fundamental flaws in Android, the “internet of things” and paper-based data breaches.

Security Industry News

Cisco acquires Sourcefire: $2.7 billion on revenues of $223M

An 8,000 lb gorilla buys an 800 lb gorilla. And at 12x revenue that’s a huge premium! What’s the play? From the article:

In the past, “you had a point [security] product for everything you could think about,” [Christopher Young, senior vice president, security group for Cisco] said. “This is no longer a market where point product leadership is going to win out.”

He’s right, and I think the realization is that security has to be more integrated and embedded than a point product. If you miss a single point, your security has a hole. If you can integrate security controls in a layered defense and have everything talking to each other, you can make more of a mesh – something more like a biological model of defensiveness, but still with human controllers to make decisions. But to realize that vision, I think you’ve got to rip apart Sourcefire as it exists today. And that should scare their customers.

This move seems to be putting blood in the acquisition waters for the big sharks, as there’s talk of more acquisitions, for instance Check Point, Palo Alto and Fortinet.

IBM acquires Trusteer

Is this simply a play towards banking, or do they have bigger aspirations? One gap for Trusteer has always been that it misses everything that the endpoint can’t see. IBM can bring the broader scope and perspective with back-end technologies that can look for fraud patterns, update blacklists in real time, take adaptive measures on the server side, integrate well with business processes, etc. So it could be a really good move, as long as they don’t try to make a broader endpoint protection play. As noted above, endpoint protection has its limits and is a fairly saturated market.

Stories of Interest

Attack on 3G USB modems compromises computers

A researcher demonstrated an attack on 3G USB modems that allowed him to gain control of the connected computer. This is an interesting attack vector because the attack is delivered through SMS text messages sent to the modems. This is probably not a risk or threat considered by most, but the danger here is evident. Millions of people and computers could be affected.

Android Random Number Generator (RNG) vulnerability reduces security

The primary focus of the article is Bitcoin wallets, but the implications reach much further. The RNG is used in cryptographic functions, meaning potentially any encryption on or used by the device may be affected. Not many people are talking about this issue, but it could be an important one to watch, as it could allow sensitive information stored on or accessed by the device to be leaked.

Lightbulbs the latest in the “internet of things” to yield to attacks

This is kind of a fun story for a change, but it has implications for the future of Internet-connected devices. A researcher has demonstrated that Philips HUE lightbulbs can be made to turn off immediately after being turned on, every single time. As more devices have network communications built in, we will see more of these types of issues. That’s something to keep in mind when you’re adding a new copier/printer, toaster or medical device to your environment.

Vast majority of data breaches from paper documents

A new study says that 96-98% of data incidents come from information on paper, not on computers. For all the focus on protecting against hacks, the continuing story of breaches is that most of the incidents and most of the records lost across all industries are not from malicious outsiders; they are from loss or theft of unprotected data storage (paper or technology).

Twitter and New York Times sites taken over by Syrian hacking group

The Syrian Electronic Army (SEA), a hacking group associated with the current administration in Syria, made headlines by effectively taking control of the Twitter and New York Times domain names. It seems that a reseller account for the companies’ domain name registrar was compromised and used to take ownership of the domains. The lesson here is that the partners of your partners can potentially affect your security.