QOTD on Insiders

Insiders do not attack – instead they use legitimate accesses in support of their operations.
-- DARPA (US) Broad Agency Agreement for Project CINDER

Src: DARPA-BAA-10-84, Cyber Insider Threat (CINDER) Program | FedBizOps

QOTD on Online Privacy

As social media become more embedded in everyday society, the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions and social slips. But people will not abandon social media, nor will privacy disappear. They will simply work harder to carve out a space for privacy as they understand it and to maintain control, whether by using pseudonyms or speaking in code.
-- Danah Boyd, fellow at Harvard University's Berkman Center for Internet and Society

Src: Why Privacy Is Not Dead | Technology Review

QOTD - Geer on Risk & Dependencies

The root source of risk is dependence — dependence on system state, including dependence on expectations of system state reliability. Indeed, my definition of security has co-evolved with my understanding of risk and risk’s source, to where I currently define security as the absence of unmitigatable surprise. Thus, increasing dependence results in heightened difficulty in crafting mitigations. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
And that is the crux of the matter: our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable. That sounds more apocalyptic than I intend, but the competent risk manager always asks, “How bad could it be?” or, in the altogether American tortious style, “Who will have to pay?”
-- Dan Geer, Chief Information Security Officer for In-Q-Tel

Note: emphasis is mine

Src: Cybersecurity and National Policy | Harvard National Security Journal

QOTD on Disclosure

Thinking that there's no one else out there who knows the details of a given zero-day flaw is one of the things that leads to ridiculously long gaps between disclosure and the release of a patch. Even in the case of a vulnerability for which all of the details aren't public, a bit of information combined with a short window of time before a patch is available can give attackers the head start they need to launch mass exploits.
-- Dennis Fisher, Editor at ThreatPost

Src: Why Vulnerability Research Matters | threatpost

QOTD on Ostriches

If you bury your head in the sand and you're unwilling to learn the methods of the bad guys, you're more susceptible to falling for them.

-- Chris Hadnagy, Operations Manager for Offensive Security

Src: Social Engineering 101 (Q&A) | InSecurity Complex - CNET News

QOTD on Security Culture

I find it interesting to compare and contrast the differences in information security emphasis and skills across the world. In the USA, for example, it's clear that technology rules. In the UK, process is King. (Our legacy to the world is ISO 27000.) In the rest of the world, however, it's generally people and culture that top the agenda.
-- David Lacey, founding director of the Jericho Forum and the Institute for Information Security Professionals

Src: Security awareness in different cultures - David Lacey's IT Security Blog

QOTD by Google CEO

I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time. [...] I mean we really have to think about these things as a society.
-- Eric Schmidt, CEO of Google

Src: Holman W. Jenkins, Jr.: Google and the Search for the Future - WSJ.com

QOTD on Social Engineering

The thing [about social networking] that hasn't changed is the human factor. People are trusting of other people, especially if there is a request for help. One of the biggest things that worked for the Capture the Flag contest at Defcon was a contestant who said "Can you please help me with this?" Asking people for help, the human vulnerability, has not changed over the years [...] There is an inherent desire for people to help other people. There are trends of a positive nature, but they still get exploited. People are more security conscious today [...] The negative is we're so desensitized to certain attacks that we don't take notice of things that are occurring to us right under our nose.
-- Chris Hadnagy, Operations Manager for Offensive Security

Src: Social Engineering 101 (Q&A) | InSecurity Complex - CNET News

QOTD - Ranum on Terminals

It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.

-- Marcus Ranum, CSO of Tenable Network Security

Src: Ranum: Be Serious about Cybersecurity

QOTD - Code-powered Cars?

It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway, and this software is only going to get more complex.

-- Robert N. Charette, writing for IEEE Spectrum

  1. The "100 million" number is based on a quote in the article by Prof. Manfred Broy, a professor of informatics at Technical University, Munich.
  2. The article also lists figures (in millions of lines of code, or MLoC) for other technologies: F-22 Raptor (1.7MLoC), F-35 Joint Strike Fighter (5.7MLoC), and the Boeing 787 Dreamliner (6.5MLoC).

Src: IEEE Spectrum: This Car Runs on Code

QOTD on Malware

They’ll [i.e. hackers will] use the headlines of the day as bait. The malware will install itself on the user’s desktop or laptop, then dial out to another machine and say, ‘I’ve infected this organization, come do something.’

-- Wade Baker, director of risk intelligence for Verizon Business

Src: How hackers use the World Cup and Chelsea Clinton to steal your data -- Washington Technology

QOTD on Stolen Laptops

When a laptop is stolen, 99 percent of the time the [perpetrator] doesn't know he's got SSNs on it.

-- Thom VanHorn, VP of marketing for AppSec

Note the obvious bias due to the position of the person making the statement. Still, if the number is sound, it illustrates the current state of (in)security due to the lack of oversight of sensitive data.

Src: Six Florida Colleges Victims Of Widespread Data Breach - DarkReading

QOTD by Google CEO

If I look at enough of your messaging and your location, and use Artificial Intelligence, we can predict where you are going to go.

Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the Internet? You've got Facebook photos!

-- Eric Schmidt, CEO of Google

Src: Google CEO Schmidt: "People Aren't Ready for the Technology Revolution"

QOTD on Security Skills

[Information security] professionals today are required to quickly detect and understand relationships and patterns within information and data to enable accuracy, timeliness and reliability of information to decision-makers for effective response.
They need to understand the dynamics of their environment, gather metrics to know whether their controls are working, and then have the time to perform tool gap analysis to determine if a new technology or tool suite would fit better in their environment.
This calls for a complete situational awareness across technology silos that enables detection of complex information and data patterns to quicken response time within organizations.
-- Seth Kulakow, former CISO for the Colorado Governor's Office of Information Technology

Src: Situational Awareness: A Must | BankInfoSecurity.com

QOTD on Hackers Winning

Why do hackers succeed? They're lucky, they're patient and they're brilliant. They're also better funded than you.
-- John Stewart, vice president and chief security officer, Cisco

Src: Hackers winning the security battle, says Cisco - Yahoo! News UK

QOTD on Cyber-crime & 0-day flaws

The cybercrime ecosystem continues to thrive without the need for zero day flaws, and it will continue to as long as millions of end users continue getting exploited with 6+ months old flaws.
-- Dancho Danchev, writing for ZDNet

Note: the entire article is worth reading as it provides a balanced perspective on zero-day exploits and their use in known cyber-crimes.

Src: Seven myths about zero day vulnerabilities debunked | ZDNet

QOTD - Hayden on The Cyber World

You guys made the cyber world look like the north German plain, and then you bitch and moan because you get invaded. We all get treated like Poland on the web, invaded from the west on even-numbered centuries, invaded from the east on odd-numbered centuries.

The inherent geography of this domain – everything plays to the offense. There's almost nothing inherent in the domain that plays to the defense. That really affects how you think about it when you're a GI.
-- Michael Hayden, retired General, former head of the CIA & NSA

Src: Fog of cyberwar: internet always favors the offense • The Register

QOTD on SmartGrid's Off-Switch

We’re about to acquire a significant new cyber-vulnerability. The world’s energy utilities are starting to install hundreds of millions of ‘smart meters’ which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.

The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker – whether a hostile government agency, a terrorist organisation or even a militant environmental group – the ideal attack on a target country is to interrupt its citizens’ electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.

Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability[...]

-- Ross Anderson and Shailendra Fuloria, from the abstract of their paper "Who controls the off switch?"

Src: Light Blue Touchpaper » Blog Archive » Who controls the off switch?
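
The abstract above names the three ingredients of the new attack surface: the disconnect command, the software that runs in the meter, and the keys that authenticate both. The following is an added illustration, not code from the Anderson/Fuloria paper or from any real metering protocol: it models a meter that only honours a disconnect command carrying a valid MAC and a fresh counter, and then shows how far a single extracted key reaches under two assumed key layouts (one key shared across the fleet versus one key per meter). The message layout, field names, counter scheme and the key-derivation step are all assumptions chosen for the illustration.

```python
"""Added example: authenticating a smart-meter off-switch command and
measuring what one leaked key buys an attacker. Not from the paper; the
wire format and key layouts below are assumptions."""
import hashlib
import hmac
import os
import struct

CMD_DISCONNECT = 0x01
CMD_RECONNECT = 0x02
HEADER = ">IBI"                       # meter id, command, monotonic counter (assumed layout)
HEADER_LEN = struct.calcsize(HEADER)  # 9 bytes
TAG_LEN = 16                          # truncated HMAC-SHA256 tag


def sign_command(meter_id, cmd, counter, key):
    """Head-end side: build header and append an HMAC over it."""
    header = struct.pack(HEADER, meter_id, cmd, counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class Meter:
    """Meter side: accept a command only if the MAC verifies and the counter is fresh."""

    def __init__(self, meter_id, key):
        self.meter_id = meter_id
        self.key = key
        self.last_counter = 0
        self.connected = True

    def receive(self, msg):
        if len(msg) != HEADER_LEN + TAG_LEN:
            return "reject: malformed"
        header, tag = msg[:HEADER_LEN], msg[HEADER_LEN:]
        meter_id, cmd, counter = struct.unpack(HEADER, header)
        if meter_id != self.meter_id:
            return "reject: addressed to another meter"
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "reject: bad MAC"
        if counter <= self.last_counter:             # replay of an old command
            return "reject: replay"
        self.last_counter = counter
        if cmd == CMD_DISCONNECT:
            self.connected = False
            return "disconnected"
        if cmd == CMD_RECONNECT:
            self.connected = True
            return "reconnected"
        return "reject: unknown command"


def forge_disconnects(meters, leaked_key):
    """Attacker holding one key tries to switch off every meter in the list."""
    dark = 0
    for m in meters:
        # a large counter value gets past the freshness check on a meter that has
        # only ever seen small counters
        msg = sign_command(m.meter_id, CMD_DISCONNECT, 2 ** 31, leaked_key)
        if m.receive(msg) == "disconnected":
            dark += 1
    return dark


def compare_key_layouts(fleet_size=1000):
    """Returns (meters switched off with a fleet-wide key, meters switched off with per-meter keys)
    when the attacker extracts the key from a single meter in each fleet."""
    # Layout A (assumption): every meter shares one fleet key.
    fleet_key = os.urandom(32)
    shared = [Meter(i, fleet_key) for i in range(fleet_size)]

    # Layout B (assumption): each meter gets its own key derived from a master
    # that never leaves the head end, so a key pulled out of one meter is useless elsewhere.
    master = os.urandom(32)

    def per_meter_key(i):
        return hmac.new(master, struct.pack(">I", i), hashlib.sha256).digest()

    individual = [Meter(i, per_meter_key(i)) for i in range(fleet_size)]

    # Physical extraction of meter 0's key in both fleets.
    return (forge_disconnects(shared, shared[0].key),
            forge_disconnects(individual, individual[0].key))


def replay_and_tamper_checks():
    """Exercise the verifier on a legitimate command, a replay, a tampered
    command byte, a command signed with the wrong key, and a fresh reconnect."""
    key = os.urandom(32)
    m = Meter(7, key)
    legit = sign_command(7, CMD_DISCONNECT, 1, key)
    results = [m.receive(legit)]                      # disconnected
    results.append(m.receive(legit))                  # same counter again: replay
    tampered = bytearray(legit)
    tampered[4] = CMD_RECONNECT                       # byte 4 of the header is the command
    results.append(m.receive(bytes(tampered)))        # MAC no longer matches
    results.append(m.receive(sign_command(7, CMD_RECONNECT, 2, os.urandom(32))))  # wrong key
    results.append(m.receive(sign_command(7, CMD_RECONNECT, 2, key)))             # reconnected
    return results


if __name__ == "__main__":
    print("verifier:", replay_and_tamper_checks())
    print("meters dark (fleet key, per-meter key):", compare_key_layouts())
```

The verifier itself is unremarkable; the point is the second function. With a fleet-wide key, one meter opened on a bench yields a key that switches off the whole fleet, which is exactly the "strategic vulnerability" the abstract describes. Per-meter keys do not remove the off switch, but they confine a hardware key extraction to the meter it came from and push the attacker back to the head end, where the master key and the signing path can be defended like any other critical asset.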

QOTD - Hayden on Cyber

Cyber is a domain like land, sea, air, and space. The difference is that God made four and you made the last one. God did a better job.
-- Michael Hayden, retired General, former head of CIA & NSA

Src: US flank exposed on cyber war front: Hayden - Yahoo! News

QOTD on State of Security

Security technology and practice have advanced quite a bit in the past few years, but one thing that has become clear is that whatever gains have been made are just not keeping pace with the innovation of attackers. The advances being made by malware authors and crimeware gangs are keeping them well ahead of the curve and will continue to do so for the foreseeable future...

While money has been the main driver for targeted attacks for some time now, recent developments have shown that attackers are now intent on keeping control of a compromised system for as long as possible and they're finding new and interesting ways to stay hidden all the time.
-- Dennis Fisher, editor at Threatpost.com

Src: Persistent, Covert Malware Causing Major Damage | threatpost

QOTD by FBI AD on Cyber-Underground

The potential for considerable profits is enticing to young criminals, and has resulted in the creation of a large underground economy known as the cyber underground. The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world, including a unique language, a set of expectations about its members’ conduct, and a system of stratification based on knowledge and skill, activities, and reputation.

One of the ways that cyber criminals communicate within the cyber underground is on website forums. It is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. These criminals are increasingly professionalized, organized, and have unique or specialized skills.
-- Gordon M. Snow, Assistant Director, U.S. Federal Bureau of Investigation

Src: Federal Bureau of Investigation - Congressional Testimony

QOTD - Dealing with Today's Threats

You have to assume they're going to get in.
So, the art form here [i.e. dealing with the current attack landscape] is to figure out who's in your network, good or bad, figure out what they're doing, identify whether it is consistent with or contrary to all the policies you have to put in place to protect all of your information and systems. And, finally, once you determine if somebody is in there and doing something that you don't like ... figure out how to stop it, and figure out how to stop it quickly so that they don't do more than acceptable levels of harm. That's a new model; that's an entirely new prospect, and it requires new kinds of skills, new monitoring and controls technologies and new kinds of responses.

-- Preston Winter, former NSA CIO

Src: Living with IT Security Breaches | BankInfoSecurity.com

QOTD on SmartPhone Hacking

Eventually, virus writers will realize it is easier to make money by infecting phones than it is by infecting computers...
And, of course, there are more phones on this planet than there are computers.
-- Mikko H. Hyppönen, F-Secure Chief Research Officer

Src: AFP: Smartphones tempting new targets for hackers