The Seven Most Dangerous New Attack Techniques, and What’s Coming Next
When it was announced, back in July, that the Ashley Madison site was hacked, like many, I thought about the fact that a bunch of people would be getting their just desserts. However, when the data was leaked (and continues to be leaked) a couple of days ago I started to think more about privacy than karma. All the jokes about those affected by the Ashley Madison breach are distracting us from the fact that people’s lives are being negatively affected by a criminal act over which they had no control. People who had an expectation of privacy, Ashley Madison bragged about it a lot, lost that because someone else decided that a cheating spouse deserves less privacy than someone else. Today it’s a site that caters to people who have different morals from many of us (or none at all depending on your point of view), tomorrow it could be the site you’re using to find a new job while still working the one you have.
Data breaches are happening so often these days that people are trying to group them into which ones are more serious than others. Is stealing nude photos from a celebrity’s phone worse than stealing credit cards from an adult website? If you shop at Target are you more deserving of having your credit card information stolen than if you shop at Neiman Marcus? Most people would scoff at those comparisons and say; “They’re all bad.”. So why do we think that people who signed up for Ashley Madison, whether they used it or not, are more deserving of losing their privacy than those who’ve signed up for Match.com?
We’re losing our privacy, or ability to have any, at an alarming rate these days. Tying privacy to morality, socio-economic level, social status, or anything else means that someone will always consider us undeserving of it. Everyone needs privacy and no one but the person requesting that privacy should get to decide whether they “deserve” it or not.
This is the best explanation I’ve seen yet of how Heartbleed works.
While the title of the linked article is clearly link bait, the message is very important. We talk so much about logging everything that we forget that we actually need to pay attention to that stuff. It’s easy to check off the compliance box that says “centralized logging”, but it’s much harder to actually do something useful with that information.
This comes up almost every time I teach a class. If you’re never going to look at it, is it really worth spending all that time and money to build a logging system? You might as well just dump those logs to /dev/null and be done with it. At least that way you won’t look bad when the forensic results show that you missed 60,000 alarms.
Of course, the most prudent solution is a happy medium. Maybe that includes having your own SIEM and staffing it with trained people 24×7. It could be outsourcing the management and monitoring of the system. Regardless, there is a goldmine of valuable information in those logs and alerts, make sure someone is able and willing to take the appropriate action when needed.
“In the case of the BP Oil rig disaster in the Gulf of Mexico in 2010, it was discovered that an alarm to warn of explosive gas has been intentionally disabled. A crash on the Washington Metro system a year earlier, which killed nine people, happened partly because train dispatchers were overwhelmed by extraneous notifications. Similarly, much has been written about hospitals that are grappling with the massive quantities of alarms that are generated by a wide variety of sensors. Hospital alarms are crucial – they provide notifications of a patient’s condition but only a small percentage of such alarms are issued for new, clinically significant changes.”