On Sep 10, 2012, at 1:21 PM, "Villano, Paul Mr CIV USA TRADOC" < email@hidden> wrote: We're spending a lot of time off topic today. To bring it back on topic, is any of the data breached (credit card numbers, passwords, etc.) and does that make it a federal issue? When does it become a Homeland Security issue if the finances of millions are affected?
Issue 1 (DoS Attacks): About a decade ago when I was doing some DARPA work, one of the common scenarios we used was DoS attacks against a network service during high tempo operations. For example, imagine an Air Tasking Order (ATO) server distributing relevant information to each component during the initial invasion phases (Iraq, Iran, etc.). A DoS attack against such an ATO server could really screw things up.
If your organization provides a time-critical service, it is probably a good idea to watch what happens in cases like GoDaddy and determine if you have a similar vulnerability. Is your site better off than GoDaddy?
Issue 2 (Data breaches): On data breaches, I think the recent iCloud breach and wiping out the reporter's computers serves as a cautionary tale that needs to be looked at. The attack was made possible by essentially combining information available at two or more sites. Each site might think, "I'm not giving out enough information to be a threat", but when the databases are effectively combined, enough information can be inferred to carry out attacks.
No single database may give out enough personally identifying information, but collectively they do.
Consider how many sites' security questions can be answered by doxing a person, especially including information posted on Facebook, ancestry.com, etc. "What was your school's mascot?" Come on, how easily can that be extracted from their Facebook information? (If they don't post their high school on Facebook, it can be inferred from their friends list.)
Protecting against aggregation and inference is a challenge.
I look forward to how Apple starts using its recently acquired fingerprint technology. If done right, this could be a better answer than those pesky security questions.
Todd
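The aggregation-and-inference point in Todd's message, as an added worked example that is not part of the original thread. All data sources, user names, schools and mascots below are constructed for the demo: a hypothetical account directory that carries no school field, a hypothetical social-graph dump where some users withheld their school, and a public school-to-mascot list. No single source answers "What was your school's mascot?" for the target, but joining them and voting over the friends' published schools does, and it also shows that keeping your own school private does not help once most of your friends publish theirs.

```python
"""Constructed demo of answering a security question by aggregating sources.

Added example, not code from the original mailing-list post. Every record
below is made up; the sources and the inference rule are assumptions chosen
to illustrate the linkage attack described in the message.
"""
from collections import Counter

# Source 1 (constructed): account directory. Links a handle to a real name
# and city but has no school field at all.
DIRECTORY = {
    "jsmith42": {"name": "J. Smith", "city": "Springfield"},
    "ann_b":    {"name": "A. Brown", "city": "Springfield"},
    "bob_c":    {"name": "B. Cole",  "city": "Springfield"},
    "cara_d":   {"name": "C. Diaz",  "city": "Shelbyville"},
    "dan_e":    {"name": "D. Evans", "city": "Springfield"},
}

# Source 2 (constructed): social graph. 'school' is None for users who kept
# it private; the target jsmith42 is one of them.
SOCIAL = {
    "jsmith42": {"friends": ["ann_b", "bob_c", "cara_d", "dan_e"], "school": None},
    "ann_b":    {"friends": ["jsmith42", "bob_c"], "school": "Springfield High"},
    "bob_c":    {"friends": ["jsmith42", "ann_b"], "school": "Springfield High"},
    "cara_d":   {"friends": ["jsmith42"], "school": "Shelbyville High"},
    "dan_e":    {"friends": ["jsmith42"], "school": None},
}

# Source 3 (constructed): public school-to-mascot list, the kind of thing
# any school web site publishes.
MASCOTS = {"Springfield High": "Isotopes", "Shelbyville High": "Sharks"}


def infer_school(user, social, min_share=0.5):
    """Infer a user's school from the schools their friends published.

    Returns (school, share), where share is the fraction of friends with a
    published school that agree on the top answer. Returns (None, share)
    when no friend published a school or the top answer is below min_share.
    """
    published = [
        social[f]["school"]
        for f in social[user]["friends"]
        if social.get(f, {}).get("school")
    ]
    if not published:
        return None, 0.0
    school, votes = Counter(published).most_common(1)[0]
    share = votes / len(published)
    if share < min_share:
        return None, share
    return school, share


def answer_security_question(user, directory, social, mascots):
    """Chain the sources: handle -> name, handle -> school, school -> mascot.

    Returns None when neither the published nor the inferred school is
    available, otherwise a dict with the candidate answer and a confidence.
    """
    if social[user].get("school"):
        school, conf = social[user]["school"], 1.0
    else:
        school, conf = infer_school(user, social)
    if school is None:
        return None
    return {
        "name": directory[user]["name"],
        "school": school,
        "mascot": mascots.get(school),
        "confidence": conf,
    }


def exposed_users(social):
    """Users whose school is published OR inferable from friends, sorted."""
    return sorted(
        u for u in social
        if social[u].get("school") or infer_school(u, social)[0] is not None
    )


if __name__ == "__main__":
    print(answer_security_question("jsmith42", DIRECTORY, SOCIAL, MASCOTS))
    print("published:", sorted(u for u in SOCIAL if SOCIAL[u]["school"]))
    print("exposed:  ", exposed_users(SOCIAL))
```

The confidence value is what an attacker would use to rank guesses against a lockout policy, and `exposed_users` is the number a site operator should care about: three of the five constructed users published a school, but four are answerable, because the target's friends did the publishing for him.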