Top Infosec Reads

Top 5 #InfoSec Reads: May 27-June 4

APWG and Cyveillance publish phishing reports, data protection for mobile users on an SD card, Steve Albini on music and copyrights, and a web hacking methodology are this week's Top 5 #infosec reads.

APWG Publish Global Phishing Survey H2 2014

Another fine study by Greg Aaron and Rod Rasmussen. Quick and sobering statistics: phish domains are at an all-time high. The top 10 most phished brands are attacked relentlessly, but phishers are attacking more brands than ever. Phishing attack uptime increased. Phishing in new TLDs began slowly but is increasing.

Cyveillance Phishing Report: Top 20 Targets - May 25, 2015

Cyveillance produces a weekly Top 20 of the most targeted brands, so this is a useful report to visit regularly. This week, AOL, Apple, PayPal, Google and Dropbox filled the top five. This report is an indicator of weekly activity. How about business segments? Payment systems rank number one.

Google’s Project Vault is a secure computing environment on a micro SD card, for any platform

Vault is Google's attempt to provide a secure OS with data privacy and protection features on an SD card. Google chose the SD form factor so that the OS can be used in mobile devices, especially phones. Vault complements the security features embedded in mobile phones for mobile-operator use by providing a similarly secure environment for the data that users want to safeguard. Google is releasing an open source development kit and an enterprise product first, with a consumer product to follow.

Steve Albini: The music industry is a parasite... and copyright is dead

Why is an article about copyrights a top infosec read? Because the music industry has enormous influence in policy and legislation, and many bills (SOPA, CISPA, etc.) that security communities worldwide criticize as ill-conceived, impossible to implement, or riddled with unintended consequences have their origins in the music industry. Why this article in particular? Because Steve Albini is informed, factual, and admirably frank. I like frank.

GironSec's Web hacking 101

Joe Giron hosts a white paper that describes a methodology for tactical web application penetration testing. The methodology lays out the sequence of pen-testing actions that will rigorously examine every element of a web application and its hosting environment. Giron does a nice job of explaining not only the automated aspects of the pen test but also the manual (question-asking) aspects. Where applicable, he helpfully includes links to selections of pen-testing utilities that can be used to complete each phase. Use ethically please.

Top 5 #InfoSec Reads: May 19-26

Imperfect Forward Secrecy, DDoS made simple, Richard Stallman taking issue with abusive developers, malware spikes during holidays and a USA Freedom Act smackdown are this week's Top 5 #InfoSec reads.

Logjam is latest security flaw to affect secure communication protocols

Vulnerability investigators and exploit kit developers are exposing critical flaws in secure communications protocols at an alarming rate in 2015. GHOST, JASBUG, FREAK, and VENOM all reveal flaws in protocols that employ TLS. has identified yet another vulnerability, Logjam, which takes advantage of weaknesses in Diffie-Hellman key exchange implementations. The attack forces a downgrade of the negotiated key exchange to 512-bit export grade, which can be broken in a man-in-the-middle attack to allow passive eavesdropping. The investigators suggest that such MITMs could be used to support state-actor surveillance as well as criminal activities. A detailed report, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, is available from
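The defensive takeaway from the Logjam summary above is that an endpoint is exposed when it still accepts export-grade DHE cipher suites or negotiates finite-field Diffie-Hellman over a small group. The following is an added example (not code from the article or from the Logjam researchers) of the two checks a practitioner would run against a configuration: an audit of a cipher suite list plus the DH group size, and a client-side TLS context that simply never offers the weak suites. The 2048-bit minimum is an assumed policy threshold, and the sample "legacy server" configuration is constructed for illustration.

```python
import re
import ssl

# Assumed policy threshold (not from the article): finite-field DH groups under
# 2048 bits are treated as weak.
MIN_DH_BITS = 2048

# Export-grade suites carry "EXPORT" in IANA names and start with "EXP-" in OpenSSL names.
EXPORT_RE = re.compile(r"EXPORT|^EXP-", re.IGNORECASE)
# Finite-field Diffie-Hellman suites are named DHE (IANA) or EDH (OpenSSL).
# The negative lookbehind keeps ECDHE (elliptic-curve DH) out of this bucket.
DHE_RE = re.compile(r"(?<![A-Z])(DHE|EDH)(?![A-Z])")


def audit_dh_config(cipher_suites, dh_group_bits):
    """Audit a TLS endpoint's cipher list and finite-field DH group size.

    cipher_suites: suite names the endpoint offers or accepts (IANA or OpenSSL style)
    dh_group_bits: bit length of the server's DH prime (0 if no DHE suite is in use)
    Returns a dict with the offending suites, a weak-group flag, human-readable
    findings and an overall verdict.
    """
    export_dhe = [s for s in cipher_suites if EXPORT_RE.search(s) and DHE_RE.search(s)]
    uses_dhe = any(DHE_RE.search(s) for s in cipher_suites)
    # The group size only matters if a finite-field DHE suite can actually be negotiated.
    weak_group = uses_dhe and dh_group_bits < MIN_DH_BITS

    findings = []
    if export_dhe:
        findings.append("export-grade DHE suites enabled: downgrade to 512-bit DH is possible")
    if weak_group:
        findings.append(f"DH group is {dh_group_bits} bits; policy minimum is {MIN_DH_BITS}")
    return {
        "export_dhe": export_dhe,
        "weak_dh_group": weak_group,
        "findings": findings,
        "verdict": "vulnerable" if findings else "ok",
    }


def hardened_client_suites():
    """Build a client SSLContext restricted to AEAD suites with ephemeral key exchange
    and return the cipher names it will actually offer. Export and anonymous suites
    are never matched by the positive rules, so a downgrade to them cannot be offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: a legacy server configuration of the kind the Logjam paper targets.
LEGACY_SERVER = {
    "suites": [
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
    "dh_group_bits": 1024,
}

if __name__ == "__main__":
    print(audit_dh_config(LEGACY_SERVER["suites"], LEGACY_SERVER["dh_group_bits"]))
    print(audit_dh_config(hardened_client_suites(), 2048))
```

The server-side fix is the same policy applied in the server's TLS configuration: remove every export suite and generate a fresh DH group of at least the threshold size. Checking a live server requires a scanner that records the negotiated suite and the DH prime from the ServerKeyExchange message, which this offline audit does not attempt.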

Storm Kit - Changing the rules of the DDoS attack

Distributed denial of service (DDoS) attack kits have until recently provided administrative "consoles" to manage the potentially very large numbers of infected ("botted") computers that generate the attack traffic. Storm Kit provides an even simpler management experience for DDoS attackers, allowing them to launch very high-volume DDoS attacks from a smaller (more manageable) set of compromised servers or rented virtual private servers (VPS). Storm Kit supports volumetric and resource-depletion attacks, including SYN/UDP/HTTP floods and DNS or NTP amplification.

Malware isn't only about viruses: companies preinstall it all the time

Richard Stallman is exercised over the widespread abuse he sees in software that embeds functionality that does not benefit users but exposes them to disclosure of personal information without notice or consent, or otherwise mistreats them. I agree with Richard, but I'd prefer that we refer to this 'ware as abuseware so that we can at least attempt to distinguish criminal activity from infuriating, close-to-criminal activity. I also love Richard's missive to us all:

"We can resist:

"Individually, by rejecting proprietary software and web services that snoop or track.

"Collectively, by organising to develop free/libre replacement systems and web services that don’t track who uses them.

"Democratically, by legislation to criminalise various sorts of malware practices. This presupposes democracy, and democracy requires defeating treaties such as the TPP and TTIP that give companies the power to suppress democracy."

Malware infections spike on Memorial Day in DC

Malware infections increased nearly 51% on Memorial Day in Washington, DC. As this graphic from Federal Times illustrates, this statistic is an outlier even among the already dramatic uptick in infection rates on US holidays in general. Enigma Software bases these findings on infections detected by its consumer security suite software, which is not used in government systems. A lesson from this report? Relax during your holiday time off, but remain vigilant to avoid being phished or infected.


Senate votes down USA Freedom Act, putting bulk surveillance powers in jeopardy

The US Senate voted down the USA Freedom Act. Barring (un)heroic efforts by supporters like Mitch McConnell, it is likely that many Patriot Act powers will automatically expire on June 1. How unpopular had the USA Freedom Act become? Imagine any other issue on which the American Civil Liberties Union (ACLU) and the Tea Party Patriots would cooperate to create a TV advertisement warning Americans, "They've gone too far!"