Archive for May, 2011

Weekly Intelligence Summary: 2011-05-27

Saturday, May 28th, 2011

Education in one of the hard physical sciences can benefit a risk intelligence analyst later in life by providing structured thinking. This is especially useful when detecting one's own cognitive biases and those of others. Among the structured thinking lessons was, “correlation does not imply causation.” One blogger, with no independent confirmation, correlates network outage at an unnamed company + SecurID token refresh = causation = RSA data breach = old tokens completely compromised = TEOTWAWKI. Computerworld names the company as Lockheed Martin, again with no apparent independent confirmation. Now this may all be absolutely accurate, but the reasoning is out to lunch. In the last twelve hours world+dog are taking the story and running with it, all without confirmation. As it stands it is simply another sensationalized tale of a nascent hypothesis and cannot reasonably be regarded as actionable intelligence. It may represent an opportunity for EMC/RSA to set a positive example for communications among security professionals, but it also represents a danger because thus far, they have failed to communicate to our profession enough unambiguous information upon which to make decisions to defend our principals. The result is yet another round of cries that “the sky is falling.” Only RSA can see to it that it becomes the last.

It’s time to consider Mac AV

Friday, May 27th, 2011

In 2008, we wrote a three-part series advising against the use of antivirus software on systems running Mac OS X. In those posts, we suggested that the cost of running antivirus software on OS X was often higher than the cost of not running it. Our study of the subject showed that far more users lost data on their Macs at the hands of their AV software than they lost to actual malware. Mac AV software had no accountability, lacking third-party testing and significant real-world opportunities to protect users. We’ve been tracking OS X security since the beta version of that operating system was released over ten years ago, and we had long recommended against using Mac AV to our customers.

Weekly Intelligence Summary: 2011-05-20

Friday, May 20th, 2011

Mobile devices were the closest thing we had to a trend or theme this week. ESET tried to calm some of the hand-wringing over a No Threat configuration in Android, and Google is promising to push out a fix. The MIT Blog opined that iPhone and Android mobile apps “will soon be dead.” Kaspersky joined the “Android security model is hopeless” club this week. By definition, any more remarks here contradict the idea that this was an unusually unremarkable week in InfoSec risk.

2011 DBIR Cover Challenge Winners and Recap

Monday, May 16th, 2011

We would like to congratulate all of the 2011 cover challenge winners! For those of you who are still working through the puzzle, or have not yet started, spoilers lurk ahead. The winners are:

First place: Dan Caselden and Jon Erickson of Maryland

Second place: Michael Oglesby of Oklahoma (also last year’s winner – see his write-up)

Third place: Joerie de Gram of the Netherlands

Honorable mention: Michael Czumak III of New York

Much to our surprise, all of these gentlemen solved the puzzle within one week of the DBIR release (compared to just under one month for last year’s challenge). I must admit that the RISK team practically spewed their morning coffee on their respective keyboards when we found Dan’s email in our Inbox on April 20. For those of you scoring at home, that is one day after the report was released.

Weekly Intelligence Summary: 2011-05-13

Friday, May 13th, 2011

“Zebras don’t change their stripes.” K-OTiK, a group of “researchers” known for producing more problems than solutions, changed their name about five years ago to FrSIRT and tried to re-image themselves as an incident response team. Almost no one bought it. So they changed their name to VUPEN and offered both free and for-pay vulnerability information. Their stripes were showing this week when they announced vulnerabilities in Google’s Chrome browser but didn’t exercise a thing some people call “coordinated disclosure.” Color me shocked. Google updated Chrome last Friday and Thursday of this week, but not for these vulnerabilities. Adobe patched Flash, and other products, again. Color me exasperated. Microsoft issued two security bulletins and an 89-page Security Intelligence Report. Color me joyful. Do not color me in black and white stripes.

Weekly Intelligence Summary: 2011-05-06

Friday, May 6th, 2011

Microsoft will begin rolling out a security update to Windows Phone 7 that will prevent the device from accepting fraudulent digital certificates issued after Comodo had an intrusion. In terms of new InfoSec risk intelligence, that’s just about it for this week. No journeyman InfoSec professional should have been surprised when international events were used for SEO poisoning and malware. Nor should one be surprised Sony has yet to extricate itself from the PR quicksand it’s been in over the PSN data breach. Europol says organized crime is using the Internet—it would be surprising if they didn’t. More non-news: a court found it’s OK to fire an employee for viewing porn at work. Lastly, Microsoft seems to be returning to their big-little-big-little cycle for security bulletins with only two next week. No surprises; life is good!