So the idea of the micromort is about conceptualizing risk. A one in a million probability that something will kill you? That’s 1 micromort. Not the most difficult math, but it helps normalize risk (as for quantifying it, you’re still on your own), so (at least in some sense) the idea that hang-gliding generates the equivalent risk of death as driving 3000 km (~1800 mi) in a car. There does seem to be a time element missing, as well as some way to account for mitigating elements (I can drive a lot better than I can hang-glide). I saw this concept referenced on Bruce Schneier’s blog, who in turn credits the Stubborn Mule blog.
I’ve been catching up on my reading, and I’m surprised I haven’t heard more about these malware attacks from August, although it does seem to have affected primarily petro corporations who have a vested interest in this information not being made public, and a better chance than the government to make that stick. Since it doesn’t seem to be a government sponsored attack, does that make it passe?
This is getting ridiculous, but to help boost awareness….
Lifehacker is reporting that eHarmony and Last.fm have also had password leakage recently. If you use those services, it’s a good idea to be proactive and reset your password. The Lifehacker article also recommends a password management tool called LastPass and some other solutions. If you’re not using them, they might be worth a look.
Following up on my earlier post about reports of compromised LinkedIn user data, LinkedIn essentially confirmed yesterday on their blog that user account information had been leaked. They are disabling accounts with passwords that may have been compromised and are reaching out to those users.
There have certainly been worse data leak stories, but Aaron Souppouris at The Verge is reporting that a user in a Russian forum claims to be in possession of details for roughly 6.5 million LinkedIn accounts, including passwords, that were intercepted. As proof of their claim, the hashed passwords were published online. LinkedIn is investigating, and reports are trickling in that lend veracity to the statement.
The good news is that the passwords were hashed with SHA-1, but you should still be concerned. If you have a strong password (it’s not “Linkedin”, is it?), the hash should buy you enough time to change your password, just in case.
The Flame malware attacks continue to generate some interesting reactions on the web. One the one hand, they seem to be all over the place, and, yet, I am having a hard time disagreeing with most of them. Probably a good sign that we still may not know enough, or what we know hasn’t been analyzed enough to gain much consensus. Or simply the fact that, as they say in management, the 10,000 foot view can be very different than the view when you’re on the ground.
In Parmy Olson’s Disruptors blog for Forbes.com, talks about 3 takeaways about Flame; one of them being that what is happening now between governments will likely be an indicator of what corporate espionage will look like soon (if not already), and another being that some adversaries of nations will be forced to go low tech (a la bin Laden, a tactic we have seen repeatedly already in cases of terrorism and asymmetric warfare).
Meanwhile, Johannes Ullrich posted a diary entry at the ISC (Internet Storm Center) on Flame is almost derisive toward Flame and the attention it is receiving. His analysis of the toolset is that it is fairly clumsy compared to some malware tools available. It seems a lot of network administrators are asking how to detect whether they have Flame infections, and perhaps this is what sparks the author’s rant. He has a good point we should all keep in mind: focusing on a single, obscure threat is no way to design a network defense strategy. Granted, I can understand that these admins are probably going to be asked by an executive about Flame, because it is receiving enough media attention to cross into general awareness.
Last, but certainly not least, there is a longer article on Wired by Mikko Hypponen, the Chief Research Officer at information security company F-Secure, titled “Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet“.
I’m still mulling all this over, but I’m planning to come up with an opinion piece down the line.
Just when I thought FLAME would push Stuxnet out of the spotlight, the New York Times is reporting that the Stuxnet was a joint venture between the US and Israel to attack the Iranian nuclear program. I’m not surprised about the parties involved, it was speculated that this was the case from early on; but I am surprised that they were able to get anything official on it. This information is apparently being adapted from a book by David E. Sanger, called Confront and Conceal being published next week. It will be interesting to see if the revelation withstands scrutiny, or whether this is a marketing ploy to bump book sales.