Salted Links: 08 March 2014 (Weekend Update)

Salted Links is a recap of the week's most popular posts on the CSO blogs, as well as a recap on other news and information from around the Web.

RSA Conference organizers accused of attempting to sabotage TrustyCon [Salted Hash]

An article in the New York Times alleges that RSA Conference organizers phoned in warnings to venue management in order to have TrustyCon shutdown. Alex Bender, the GM of the RSA Conference, told the Hash that a member of the RSAC security team made the calls about TrustyCon.

First goto fail, now something Gnu [Brick of Enlightenment]

Dave Lewis examines the lack of noise in the echo chamber concerning the GnuTLS vulnerability, which was arguably worse than Apple's goto fail bug. To recap, a flaw in GnuTLS, which enables an attacker to bypass certificate validation checks, was patched last week and no one seemed to care. Said patches have been pushed to all major distributions.

From points A to Z: Examining random Phishing email [Salted Hash]

While in the process of my daily news gathering routine, a Phishing email sparked my interest. The more a started to dig, the easier it became to track the message back to its place or origin – a compromised school district in Texas.

Refusing to see the elephants on the lawn [Brick of Enlightenment]

In this post, Dave Lewis falls down the stairs at the airport, leading him to recall an InfoSec incident from the past.

"When someone finally did go for help I was struck by the parallel I have seen in information security so many times. A problem exists in some piece of software or say in the perimeter. It is a bad one. But, no one does anything about it. They jam their heads in the sand hoping that no one will notice the elephant that is sitting on the lawn."

Target CIO resigns as company moves to recover from breach [Salted Hash]

Beth Jacob, Target's Chief Information Officer during the largest retail breach on record, has resigned from her post in the wake of the incident. Jacob has been the CIO at Target since 2008, after being promoted to the position from VP of guest operations. In a letter released to the media, she said the decision to resign was difficult, but added that "this was a time of significant transformation for the retail industry and for Target."

Was this a case of falling on the sword, done to appeal to the shareholders, or was this a smart business move?

Why your security incident reporting process matters [Translating Security Value]

Michael Santarcangelo addresses awareness programs, noting that the only expected outcome of security awareness is reporting suspected incidents. "That means the reporting process needs to work for people in an open, transparent, and effective way."

The NSA overstepped their mandate, and I'd hire Edward Snowden

Thycotic Software conducted a brief survey during the RSA Conference last week, which included 341 attendees. According to the results, 48 percent of the respondents said that the NSA overstepped its boundaries in its surveillance of U.S. citizens.

Moreover, 21 percent said that the government needs to be aware of an individual's communications data in order to better protect them from terrorist activity, and 31 percent said they're conflicted about the issue. While they have nothing to hide, they are concerned about a loss of privacy.

Additionally, addressing the topic of RSA Conference boycotts (TrustyCon), 75 percent of the respondents said the boycotters had a right to their opinion, nearly 10 percent considered joining them, and 17 percent said they were nothing but attention seekers.

Finally, 20 percent of the respondents said that if given the option, they would hire Edward Snowden, despite his actions.

Trusteer: Half of all exploits targeted Java

An interesting stat from Trusteer shows that 50 percent of all application vulnerabilities in December 2013 targeted Java. Adobe was the second most popular target, followed by Oracle.

"Since organizations can’t eliminate Java from their environments, it’s important to secure these applications and prevent the execution of malicious Java code. However, the native Java protections that are available today are very limited in their capabilities, especially against zero-day threats." - 2014 IBM X-Force Threat Intelligence Quarterly report

Stealth IT and the pain of managing devices that aren't viewed as computers

According to Internet security research organization Team Cymru, a group of attackers managed to compromise 300,000 home and small-office wireless routers, altering their settings to use rogue DNS servers.

Commenting on the story for Salted Hash, Nathaniel Couper-Noles, Principal Security Consultant at Neohapsis, pointed out that this incident highlights the stealth IT problem.

"It's a dirty secret of the IT business that any IT organization of reasonable size has a large number of ‘stealth’ assets in their networks. These are typically embedded systems, such as printers, webcams, punch clocks, or datacenter monitoring equipment. Sometimes stealth IT includes badging systems, smart thermostats, and embedded controllers for various devices like generators, serial consoles, battery backup systems and air conditioners that make modern IT datacenters run."

"While they are pervasive, stealth IT and embedded systems are not always easy to manage or operate. Many IT organizations don't keep accurate inventories of them, and most IT organizations I've worked with would be hard pressed to manage or even assess whether the configuration was secure or whether the version is current. In many cases, management is difficult or even impossible. And vendor support is sometimes spotty."

Patrick Thomas, security consultant at Neohapsis added:

"This is another data point in the ongoing trend of consumers being surrounded by devices that they don't think of as computers. Home routers, televisions, and even basic appliances are beginning to include general-purpose computers inside them. All of the security concerns with normal desktop computers exist with these devices, but neither consumers nor manufacturers have adjusted to thinking this way.

Complex systems will always have vulnerabilities, so security on these sorts of devices comes from being able to update the software easily and reliably. Unfortunately, these mechanisms simply aren't in place for most of the ‘smart’ devices that are arriving in consumers' homes.

Microsoft didn't get a handle on the security of the Windows ecosystem until they had solid automatic updates. Similarly, web browsers and their plugins were a security nightmare until all of the major browser vendors rolled out reliable auto-update approaches. In general, consumers lack the expertise and initiative to manually maintain software versions on their devices, so the onus is on vendors to build sane updating into anything that might possibly need it."

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)