Downclimb: Summit Route’s Weekly Infosec News Recap
2016.03.27 – 2016.04.03: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“Defense in depth isn’t defense against an attacker, it’s defense against IT/OPS failing to correctly manage one of your control surfaces.” Rich Tener

“we shouldn’t deploy boxes that look vulnerable on the network, we should deploy boxes that look valuable” Haroon Meer on honeypots

Top stories

DHS requesting input on cyber insurance

As the Federal Times reports “The Department of Homeland Security has a mandate to help the private sector — and particularly critical infrastructure — secure itself from cyberattacks but has little authority to actively do so. To meet this mission, DHS is looking at alternatives to incentivize better security in various industries and is looking at cyber insurance as one of those means.” The DHS is requesting information about cyber incidents to anonymize and provide better data to insurers, which would potentially help reduce costs by creating more accurate models. However, the DHS, and federal government in general, has no ability to regulate the insurance industry due to the McCarran–Ferguson Act of 1945, so all they can do is collect and provide data.

I am personally interested in cyber insurance due to it’s ability to better quantify costs, and hopeful that it will help drive improvements.

Business

• Florida exempting public disclosures of breaches: Whereas California and 46 other states require companies to disclose breaches to it’s residents if they are victims, Florida took the opposite route by passing a law allowing Florida to attract businesses with bad security practices.

Newspaper news

• How to Hack an Election: Story about a man that “stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware” in order to help South American leaders win elections.
• FBI drops case to get into San Bernadino shooter’s iPhone: The FBI has supposedly obtained access to the San Bernadino shooter’s iPhone without the help of Apple.
• TrueCrypt author was supposedly criminal mastermind Paul Le Roux: This article makes the claim that the man behind an international drug and gun empire was also the original creator of the TrueCrypt encryption software.
• Hack the Pentagon: The Department of Defense has released info about it’s bug bounty program, the first such US government program. You have to have a US tax payer identification number to participate.

Conference materials and publications

• Black Hat Asia slides: This conference took place in Singapore in this weekend.
• Troopers slides and videos: This conference took place in Germany in mid-March.

Other reads

• Push vs Pull Security: A fun read from September, 2015, by Bob Lord, who is now CISO of Yahoo, about a hypothetical situation in which a Red Team gets paid minimum wage but if they can get certain critical assets of the company, they collect the bonuses that those teams otherwise would have received, resulting in those other teams actually caring about security.
• These Chrome extensions spy on 8 million users: Research into chrome extensions that beacon home info about every site a user browses to. These have now been pulled from the Chrome web store but are still active on the hosts they were installed on.