Ashley Madison Hack – A New Level of Impact

Real computer information security is highly dependent on the awareness and concern of individual device users. But people don’t view the security of their computers, tablets and smartphones the same way they view the security of their cars, houses or kids. On the whole, we are apathetic about the subject.
I have often tried to figure out why this is true, and I’ve heard several reasons such as: “Computers and technology are just too complicated and technical. I feel inadequate to the task.” Or “I have too many things to worry about already. I don’t need anything else to take a bite out of my quality time.” Or “So what if I get hacked!? The worst that can happen is that I’ll be embarrassed a bit or lose some of my money – I’ll still have my health, my family and my life!” Of all these mistaken ideas I think the last one is the most dangerous; not believing that anything really bad will happen to me and mine because of a hack.
For years my compatriots and I have discussed the idea that what will truly shock society awake is a hacking incident so severe that nobody can just ignore the subject anymore; a kind of cyber-Pearl Harbor. But none of us actually want to see “the big one” occur. We are hoping that smaller but still significant incidents will get the ball rolling.
The Ashley Madison hack is a small step in this direction that I hope people will embrace and learn from, because the consequences of this hack are a cut above what has been experienced by the everyday user in the past. Think of the marital unrest this has caused – think of the divorces, the tears, the kids that no longer feel safe and secure. Then there are the legal entanglements and lost jobs (both present and future) to consider. Awful!
But the biggest consequence of all is the loss of human life that has (and will in my opinion) come about because of this exposure. There have been a number of suicides already that are directly attributable to the Ashley Madison debacle, and I would be amazed if there weren’t some murders to accompany them as well. Is it worth human lives to be apathetic and unaware!? Let’s hope that folks decide it isn’t and take steps to protect themselves.

3 Things You Should Be Reading About

Just a quick post today to point to 3 things infosec pros should be watching from the last few days. While there will be a lot of news coming out of Derbycon, keep your eyes on these issues too:

1. Chinese PLA Hacking Unit with a SE Asia Focus Emerges – This is an excellent article about a newly identified, regionally focused hacking unit that has emerged from shared threat intelligence.

2. Free Tool to Hunt Down SYNful Knock – If you aren’t aware of the issues in Cisco routers, check out the SYNful Knock details here. This implant has already been widely observed in the wild.

3. Microsoft Revokes Leaked D-Link Certs – This is what happens when certificates get leaked into the public. Very dangerous situation, since it could allow signing of malicious code/firmware, etc.

Happy reading! 

How to pick your next employee

MSI seems to be growing every day. As we bring on new staff, we are working hard to make sure that we maintain our existing corporate culture. It can be difficult to identify whether or not an individual has the necessary traits to be a successful employee. However, it’s important to think of the hiring process as an opportunity rather than a challenge.

The first thing I look for in a new employee is curiosity. To me, this is far more important than intelligence. An employee can always learn about how to support a specific system or perform a process. I think it’s much more important to find an individual that wants to understand WHY we use a specific process or HOW a system works. This is a trait that can’t be taught.

The next thing I look for is the ability to adapt. The Information Technology field changes rapidly. The latest and greatest piece of technology seems to be obsolete soon after it is published. It’s worthwhile to identify an individual that can handle these changes well.

IT professionals typically have to wear many hats. In my short career, I’ve served as an Information Security Officer, Help Desk Manager, Systems Administrator, Penetration Tester, Security Consultant, Infrastructure Manager, Intelligence Engineer and Pre-Sales Engineer. Typically those roles weren’t assigned until after I accepted a position. Due to the frequent shift in responsibilities, an IT professional must be flexible.

You may be wondering how you can spot these traits in an individual during an interview or by viewing the individual’s resume and LinkedIn profile. To discover a potential employee that is curious, look to see if they list diverse interests. If you’re attempting to identify an employee who has the ability to adapt to changes and remain flexible, look and see if they’ve supported a wide variety of systems and processes during their career.

Finally, it’s important to consider whether or not you enjoy spending time with this person. In some cases, you’ll spend more time with them than your own family. You could discover an employee with all the right traits and skills but will be in a difficult situation if your personalities clash. In short, take some extra time to look past someone’s employment history and discover whether or not they have the skills that can’t be taught.

Podcast Episode 8 is Out

This time around we riff on Ashley Madison (minus the morals of the site), online privacy, OPSec and the younger generation with @AdamJLuck. Following that is a short with John Davis. Check it out and let us know your thoughts via Twitter – @lbhuston. Thanks for listening!

You can listen below: