More Breaches and More Accusations Against the Chinese
This past week several very prominent American news organizations publicly admitted having their computer systems hacked into, and explicitly blamed the Chinese government:
“Chinese hackers suspected in attack on The Post’s computers” – The Washington Post
“A Cyberattack From China” – The New York Times
“Chinese Hackers Hit U.S. Media” – The Wall Street Journal
There are several aspects of these events that seem to herald a change in this now familiar story of computer breaches reportedly being conducted by the Chinese. First is the public acknowledgement of the targeting of an apparent industry / sector – by that sector itself. (Obviously, the oil and financial services sectors have been explicitly targeted previously, but companies within those sectors did not…
Another Wireless Security Problem
For years now, information security professionals have worried about the security of wireless connectivity to our organizational networks. “Wireless” has typically been defined, informally at least, as Wi-Fi. We have tended to discount security concerns about Bluetooth because of its supposedly short range – officially stated as approximately 1 to 100 meters, depending upon the class of the device. That is in spite of the known threat of so-called Bluesniping. (See, for example, “‘Rifle’ Sniffs Out Vulnerability in Bluetooth Devices”.)
Because most Wi-Fi WAPs (wireless access points) have very limited processing and storage capabilities, authentication to WAPs is generally handled as a shared secret by the WAP itself, or through the external interface of a firewall connecting to an internal…
Structured Threat Information eXpression (STIX)
As we enter a new year, there is an acronym that you need to be familiar with: STIX. STIX is the Structured Threat Information eXpression language; it is not a program, policy, system, or application. It is XML for security.
The goal of STIX is to automate the sharing of cyber attack information. And, while the language is new, the concept is not. In fact, we’ve already been down this path at least twice before. ‘First’ (though there may have been earlier efforts) we had IODEF, the Incident Object Description Exchange Format (RFC 5070), in December 2007. Then we had RID, Real-time Inter-network Defense (RFC 6046), in November 2010.
So, while there is clearly a need to automate this…