Dr. InfoSec™

QOTD on Digital Communications

2013-05-05T11:38:00.000-07:00

No digital communication is secure.

-- Tim Clemente, former FBI counterterrorism agent

Src: Are all telephone calls recorded and accessible to the US government? | Glenn Greenwald | Comment is free | guardian.co.uk

QOTD on the Data Sharing vs Control

2013-05-02T10:52:00.001-07:00

The reality is, our ability to exchange electronic information is already well beyond our ability to control it.

-- John Leipold, CEO of Valley Hope Technology

Src: Rules on Medical-Record Privacy Face Challenges - WSJ.com

QOTD on Cyber Arms Races

2013-04-22T09:22:00.000-07:00

As long as I have an adversary spending his treasure ... nothing static will remain secure -- that's the nature of arms races. It is a guarantee that the system will be found vulnerable. So I think to a large extent we have to stop fooling ourselves that we actually can create completely secure systems. We certainly need to create the best system we can, but that system cannot remain static. It has to change, morph, grow over time, as we learn about our adversaries' behavior.

-- Dave Aucsmith, senior dir. of Microsoft's Institute for Advanced Technology in Governments

Src: 'Aurora' Cyber Attackers Were Really Running Counter-Intelligence - CIO.com

QOTD - Clapper on Global Threats in 2013

2013-04-11T19:51:00.001-07:00

Threats are more interconnected and viral. Events which at first blush seem local and irrelevant can quickly set off transnational disruptions that affect U.S. national interests. "War" now includes a software variant -- a soft war variation. Arms include cyber and financial weapons, and attacks can be deniable and non-attributable.

-- James Clapper, Director of National Intelligence (US)

Src: remarks on the Worldwide Threat Assessment to the Provided to the House Permanent Select Committee on Intelligence

QOTD on Bypassing AV

2013-03-13T08:41:00.001-07:00

For someone doing a targeted attack, AV is not too much of an obstacle. The fraudster has all the information he needs to run tests against an AV program and ensure he can defeat it. Today you can buy, in the underground market, tests for banking Trojans to ensure they're not detected by AV.

-- Toralv Dirro, security strategist for McAfee Labs

Src: Enhanced Malware Targets Retailers - BankInfoSecurity

QOTD - Worldwide Threat Assessment of the US Intelligence Community

2013-03-12T12:36:00.001-07:00

Threats are more diverse, interconnected and viral than at any time in history. Attacks, which might involve cyber and financial weapons, can be deniable and unattributable. Destruction can be invisible, latent and progressive.

-- James Clapper, Director of National Intelligence

Src: Report: Cyberattacks a key threat to U.S. national security - CNN.com
Direct link to testimony (PDF)

QOTD - On passive attacks

2013-03-11T13:00:00.000-07:00

While many organizations worth compromising for IP theft likely have robust perimeter defenses, not all have controls in place to defense against a scenario (in which) the attackers wait for the victims to come to them.

-- Nicholas Percoco, Senior VP of SpiderLabs (part of Trustwave)

Src: Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple | The Security Ledger

QOTD - Post-Crypto World?

2013-03-02T08:34:00.001-08:00

If someone can own your computer and see everything you're doing, it doesn't matter that the data is encrypted. If you can't trust the computer you're running crypto on, it doesn't matter how good the crypto is.

-- Dr. Matthew Green, Assistant Research Professor, Department of Computer Science, Johns Hopkins University

Src: Are we now living in a post-crypto world? - CSO Online - Security and Risk

QOTD - Shamir on APTs & Crypto

2013-03-01T08:27:00.000-08:00

It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system.

-- Adi Shamir, renowned cryptographer & A.M. Turing Award Winner

Src: Are we now living in a post-crypto world? - CSO Online - Security and Risk

QOTD - EU's Neelie Kroes on Internet Security

2013-02-08T05:08:00.000-08:00

We are all here because we recognise the Internet is important: for our economy, for our values, and for our human rights. We all recognise that insecure systems could harm those benefits. [...]

We rely on the internet for ever more services – from shopping and socialising, to healthcare, education, and smart transport.

But the more we depend on it – the more we depend on it to be secure. Staying open and free is essential to online innovation. And there is no true freedom without security – not when you're walking down the street, and not when you're online.

-- Neelie Kroes, VP of the European Commission responsible for the Digital Agenda

Src: EUROPA - PRESS RELEASES - Press Release - SPEECH - Using cybersecurity to promote European values

QOTD on The Need For a Secure Internet

2013-02-07T08:43:00.001-08:00

As more people come to rely on the Internet, they rely on it to be secure. And as the online world becomes a part of everything we do, securing that world is essential to ensuring a society that remains secure, prosperous and free.

-- Neelie Kroes, VP of the European Commission responsible for the Digital Agenda

Src: EUROPA - PRESS RELEASES - Press Release - Speech - Towards a coherent international cyberspace policy for the EU

QOTD on Getting Hacked

2013-02-06T05:12:00.000-08:00

Today, the most common way of getting hit by malware is by browsing the Web.

-- F-Secure in its H2 2012 Report

Src: F-Secure declares 2012 'Year of the Exploit' - applications, security, botnets, exploits, f-secure, software, Exploits / vulnerabilities, data protection - CSO | The Resource for Data Security Executives

QOTD on Dealing with Advanced Attackers

2013-02-05T05:00:00.000-08:00

... Preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in.

-- Dennis Fisher, Editor-in-chief, Threatpost.com

Src: How the RSA Attackers Swung and Missed at Lockheed Martin

QOTD on Security for Android Devices

2013-02-04T12:15:00.001-08:00

You don’t need a zero-day to attack Android if consumers are running 13-month-old software.
[... ]
With Android, the situation is worse than a joke, it’s a crisis.
[... ]
Outside the geek space, consumers don’t know the problem exists. They may realize they’re not getting feature updates, but they may think security updates are happening in the background, or they don’t realize security updates are important.

-- Chris Soghoian, Principal Technologist and a Senior Policy Analyst with the Speech,
Privacy and Technology Project at the American Civil Liberties Union

Src: Wireless Carriers Put on Notice About Providing Regular Android Security Updates

QOTD on Anti-Virus

2013-02-03T08:52:00.000-08:00

Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats.
[...]
Anti-virus software alone is not enough.

Src: Symantec Statement Regarding New York Times Cyber Attack

QOTD - Neelie Kroes on Importance of Cyber Security

2013-01-17T10:01:00.001-08:00

Cybersecurity is too important to leave to chance, to the good will of individual companies.

-- Neelie Kroes, European Union commissioner for the digital agenda

Src: Europe Weighs Requiring Firms to Disclose Data Breaches - NYTimes.com

QOTD - Corman on e-Toasters

2012-12-18T06:57:00.000-08:00

We’re putting IT on everything and while some people think IT on everything is a dream, I kind of think its a nightmare. If you have a toaster, there’s a certain risk that it will burn your house down. If you put software on it, it’s a vulnerable toaster. If you connect it to the Internet, its a vulnerable and exploitable toaster.

-- Josh Corman, Director of Security Intelligence at Akamai Technologies

Src: New Year’s Resolution: Do Software Better

QOTD on Cyberspace as the New Battlefront

2012-10-24T06:49:00.001-07:00

States at the moment seem to have little self-restraint in cyber.
This is very dangerous... The consequence may be that... we find ourselves with a redefinition of 'war' - one that is never declared, seldom visible but effectively constant.

-- Alexander Klimburg, cyber security expert at the Austrian Institute for International Affairs

Src: Cyberspace the new frontier in Iran's war with foes - Yahoo! News

QOTD on Stuxnet

2012-10-24T06:48:00.001-07:00

Stuxnet was effective, but it wasn't a knockout blow. What it has done, however, is open a new front.

-- Ilan Berman, VP of the American Foreign Policy Council and former CIA &Pentagon consultant

Src: Cyberspace the new frontier in Iran's war with foes - Yahoo! News

QOTD - Kaspersky on Cyberwarfare

2012-10-16T07:07:00.001-07:00

We can’t let cyber-warfare stall human progress, as it threatens not only governments and businesses, but regular people as well.
[...]
In the long run, cyber-warfare is where all parties lose: attackers, victims and even uninvolved observers. Unlike traditional weapons, tools used in cyber-warfare are very easy to clone and reprogramme by adversaries.

--Eugene Kaspersky, CEO and co-founder of Kaspersky Lab

Src: Kasperksy to launch own operating system | GulfNews.com

QOTD - Bits & Bytes

2012-10-11T19:12:00.002-07:00

The uncomfortable reality of our world today is that bits and bytes can be as threatening as bullets and bombs.

-- Gen. Martin Dempsey, Chairman of the Joint Chiefs of Staff (US)

Src: WHY IT MATTERS: Cybersecurity - Yahoo! News

QOTD - Stuxnet & the genie in the bottle

2012-10-09T07:23:00.003-07:00

Once the genie was out of the bottle with Stuxnet then it was always going to be a case of we must have our own variant or we will get left behind.

I think what people are missing is military theory. Sun Tzu, the ancient Chinese military general, said that 'to subdue the enemy without fighting is the essence of skill', and [Carl von] Clausewitz said 'war is the continuation of policy by other means', and cyberspace is perfect for those ideas. It allows you to do something better with another tool...

-- Commodore Patrick Tyrrell

Src: State-sponsored cyber espionage projects now prevalent, say experts | Technology | guardian.co.uk

QOTD on Big Data vs Privacy

2012-09-06T10:18:00.001-07:00

...soon companies will know things about us that we do not even know about ourselves. This is the exciting possibility of Big Data, but for privacy, it is a recipe for disaster.

-- Paul Ohm, Associate Professor at the University of Colorado Law School

Src: Don't Build a Database of Ruin - Paul Ohm - Harvard Business Review

The undetected malware issue

2012-08-29T12:50:00.001-07:00

For every Stuxnet or Flame that turns up, there likely are dozens or hundreds of analogous tools sitting undetected on systems around the world.

-- Dennis Fisher, Editor-in-chief, Threatpost

Src: Gauss, Flame Highlight Problem of Defeating High-End Malware | threatpost

QOTD - InfoSec and The CFO

2012-08-18T06:01:00.001-07:00

Security is not just an IT risk, it’s a business risk. As CFO, your responsibility is to understand the business risks and how the organization is set up to mitigate those risks.

-- Jason Pett, co-author of the PwC report entitled "Fortifying your defenses The role of internal audit in assuring data security and privacy"

Src: C-Suite Slipping on Information Security, Study Finds