The Seven Most Dangerous New Attack Techniques, and What’s Coming Next
Here’s a good look at what the Signal protocol is all about.
“WhatsApp recently announced that client communications are now end-to-end encrypted using Open Whisper System’s “Signal Protocol” (previously Axolotl). This has received quite a bit of press lately due to WhatsApp’s massive user base, along with the controversial going dark debates. Less importantly, the crypto-nerd in me loves Signal. Because of all of this, I thought I would write a blog series on some of Signal’s design decisions that I feel are well-designed.”
When it was announced, back in July, that the Ashley Madison site was hacked, like many, I thought about the fact that a bunch of people would be getting their just deserts. However, when the data was leaked (and continues to be leaked) a couple of days ago, I started to think more about privacy than karma. All the jokes about those affected by the Ashley Madison breach are distracting us from the fact that people’s lives are being negatively affected by a criminal act over which they had no control. People who had an expectation of privacy (Ashley Madison bragged about it a lot) lost that because someone else decided that a cheating spouse deserves less privacy than someone else. Today it’s a site that caters to people who have different morals from many of us (or none at all, depending on your point of view); tomorrow it could be the site you’re using to find a new job while still working the one you have.
Data breaches are happening so often these days that people are trying to group them into which ones are more serious than others. Is stealing nude photos from a celebrity’s phone worse than stealing credit cards from an adult website? If you shop at Target, are you more deserving of having your credit card information stolen than if you shop at Neiman Marcus? Most people would scoff at those comparisons and say, “They’re all bad.” So why do we think that people who signed up for Ashley Madison, whether they used it or not, are more deserving of losing their privacy than those who’ve signed up for Match.com?
We’re losing our privacy, or ability to have any, at an alarming rate these days. Tying privacy to morality, socio-economic level, social status, or anything else means that someone will always consider us undeserving of it. Everyone needs privacy and no one but the person requesting that privacy should get to decide whether they “deserve” it or not.
Want an excuse to spend a week in New York City this summer? SANS is bringing MGMT512 – Security Leadership Essentials for Managers to New York in the Community format. Find details here.
After a great time in Nashville (minus all the problems caused by snow the week prior) I’m heading to Toronto to teach another round of 566. If you are looking to implement or audit the 20 Critical Controls, you need to register for this class. The SANS material is excellent and gives you plenty of tools to start the process on your own. The Toronto course runs April 13-17, details here.
A quick teaching update. SANS MGMT512 in Ottawa/Gatineau was a great group last month, thanks to those of you who attended. If you’re interested in implementing the 20 Critical Controls, I’ll be teaching SANS SEC566 (Implementing and Auditing the 20 Critical Controls) in Nashville starting March 9. If you’re in Canada, watch for Canadian events coming soon.
This looks like it is going to be a great blog post series.
This is my favourite –
Myth #3 This Is a Technology Problem