This was another eventful news week in the security world – stories about hacks on two, prominent newspapers, and a widespread hole in UPnP, a technology that all of us use, but never pay much attention to. (Always a dangerous combination.)
Let’s face it, Friday is a time for decamping from the office, not taking on some weighty new mental project or thought provoking issue. But, come Sunday morning over coffee, you might just be ready to switch your higher cognitive functions on again. If so, here are some Security Ledger picks for good weekend reads:
Hacking the Old Gray Lady – Slate.com
The top security story this week was the string of revelations about sophisticated, targeted attacks against leading U.S. newspapers, including The New York Times and The Wall Street Journal. The Washington Post may also have been infiltrated, according to a report on Krebsonsecurity.com. The attacks by so-called “Advanced Persistent Threats” (a.k.a “China”) were long-lasting and apparently designed to monitor those papers’ coverage of China and the Chinese Communist Party. We’ve already noted that the Times hack shone a spotlight on balky antivirus software, which failed to detect 44 of 45 pieces of malware used in that attack. Slate.com goes a bit deeper: wondering whether the attacks will put fear into the hearts of journalists that would cover China and, especially, the doings of Chinese Communist Party leaders. “Journalists are on notice. If you investigate the Chinese government, Chinese hackers will come after you,” Farhad Manjoo (@fmanjoo) of Slate writes. A reporter myself, that sounds more like an invitation than a threat, but who knows.
IPMI: Freight Train To Hell (Fish2.com)
OK – the title here is a bit ambiguous, but Dan Farmer’s recent paper on security vulnerabilities in the Baseboard Management Controller (or BMC) is a big deal. The BMC is a ubiquitous and rarely considered component of most modern motherboards. Farmer’s paper is quite detailed, but the long and short of it is that the BMC is an embedded, often Linux-based computer that runs independent of a system’s operating system with complete control over the server’s hardware, including system memory and I/O space. Even worse: the BMC continues to run even if the server is powered down. The BMC is essentially invisible. But, given its privileged access to the server hardware, it is an ideal vantage point from which to spy on one or more servers that might be clustered together. you don’t feel like reading through it, I’d point you to Bruce Schneier’s succinct write-up.
Brogrammer Killed The Requirements Engineering Star (Veracode.com)
OK – full disclosure here: I wrote this piece for Veracode’s blog. But I point you to it for a couple of reasons. First: I wrote it. Second: it asks an important question which is: has the culture of programming moved us in a direction that has made it harder to produce secure and, even, quality software? The post looks at the (recent) cultural phenomenon of the ‘brogrammer’ – the super hip, booze-swilling guy’s guy who can code. This image got a lot of exposure in Aaron Sorkin’s (really good) film The Social Network, which depicted Mark Zuckerberg’s rise to fame and riches. And, third: it’s also worth a read for the link to Leslie Lamport’s article in Wired: “Why We Should Build Software Like We Build Houses.”
Five Security Holes Almost Everyone Is Vulnerable To (Lifehacker.com)
I love wrap-stories that link to other wrap stories. That’s why I’m using this “weekend reads” wrap to link to this really nice piece on Lifehacker.com by Thorin Klosowski: Five Security Holes Almost Everyone is Vulnerable to. First up: this week’s mega UPnP hole. Also: WPA (the wireless “encryption” that’s easy to hack and…passwords. They don’t really protect you. Worth reading all five!
Cooking Up The Connected Kitchen (ITWorld.com)
Finally, check out Esther Schindler’s great piece over at ITWorld, “Cooking up the connected kitchen.” Yes, I know – this isn’t really a security story, per se. But I think the topic of wired homes (and kitchens) is a rich one, and one that will be a security story soon – just not yet. Beyond that, I think Schindler asks the right questions. Rather than a starry-eyed round-up of CES do-dads that somehow might have a place in the kitchen, she asks the big questions: “What do people want their kitchen equipment to do?” And “do we really want technology to do it for us?
“Unlike the remote-control automation of security tools, cooking is not binary. It might be nice to turn on the oven before you leave work, so that it’s pre-heated by the time you get home, but nothing is going to put the food in the oven for you.,” she writes. “Nor do you necessarily want it to do so; many of us like chopping vegetables and stirring and so on.”
Among her recommendations for would-be intelligent cooking device makers: reduce complexity and focus on design and interoperability. It’s a good read.