Here are a few articles I found interesting this week:

Fake CNN Spam Use Boston Marathon Bombing as Lure

“Researchers in the AV Labs have found several malicious spam arriving onto user inboxes and banking on the disaster that happened during the Boston Marathon, an annual event held in eastern Massachusetts every Patriots’ Day.” As with any tragedy, whether natural, accidental, or willful and heinous, a slew of scams delivered by email, instant messaging, or text message usually follows. The malware authors and those seeking to profit from the chaos are simply marketers targeting their prey. It is always worth pausing and taking an extra step to validate any enticing link you receive, even when it seems that time is of the essence. Below are some of the subject lines being used to reel in victims:

  • Aftermath to explosion at Boston Marathon
  • Explosion at Boston Marathon
  • Explosions at the Boston Marathon
  • Runner captures. Marathon Explosion
  • 2 Explosions at Boston Marathon
  • Video of Explosion at the Boston Marathon 2013
  • BREAKING – Boston Marathon Explosion

Beware of these subject lines and those that are similar in nature as the tragedy unfolds and new subjects are sure to evolve with it.
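As an added illustration (not from the article or the AV Labs researchers), here is a small mail-filter check that flags the subject lines listed above and, more loosely, the "similar in nature" variants the paragraph warns about. The sample messages, the pattern, and the verdict names are my own construction; the loose pattern generalizes past the exact list by looking for the marathon or the city together with an explosion/bombing word.

```python
import email
import re
from email import policy

# Exact lure subjects quoted in the roundup, lower-cased with the dash folded to "-".
KNOWN_LURE_SUBJECTS = {
    "aftermath to explosion at boston marathon",
    "explosion at boston marathon",
    "explosions at the boston marathon",
    "runner captures. marathon explosion",
    "2 explosions at boston marathon",
    "video of explosion at the boston marathon 2013",
    "breaking - boston marathon explosion",
}
# Looser pattern for "similar in nature" variants: marathon/city plus an explosion word, any order.
LURE_PATTERN = re.compile(r"(?=.*\b(?:boston|marathon)\b)"
                          r"(?=.*\b(?:explosions?|bombings?|bombs?|blasts?)\b)")

def normalize_subject(subject: str) -> str:
    """Fold dashes, strip Re:/Fwd: prefixes, collapse whitespace, lower-case."""
    s = subject.replace("\u2013", "-").replace("\u2014", "-")
    s = re.sub(r"^\s*(?:(?:re|fwd?)\s*:\s*)+", "", s, flags=re.I)
    return re.sub(r"\s+", " ", s).strip().casefold()

def classify_subject(subject: str):
    """Return 'known_lure', 'lure_variant' or None for one Subject header value."""
    s = normalize_subject(subject)
    if s in KNOWN_LURE_SUBJECTS:
        return "known_lure"
    if LURE_PATTERN.match(s):
        return "lure_variant"
    return None

def scan_messages(raw_messages):
    """Map Message-ID -> verdict for every raw RFC 822 message whose subject looks like a lure."""
    flagged = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)  # decodes RFC 2047 headers
        verdict = classify_subject(str(msg["Subject"] or ""))
        if verdict:
            flagged[str(msg["Message-ID"])] = verdict
    return flagged

# Constructed sample messages (not real spam); the second has an RFC 2047 encoded subject with an en dash.
SAMPLE_MESSAGES = [
    "Message-ID: <1@example.test>\nSubject: 2 Explosions at Boston Marathon\n\nbody\n",
    "Message-ID: <2@example.test>\nSubject: =?utf-8?q?BREAKING_=E2=80=93_Boston_Marathon_Explosion?=\n\nbody\n",
    "Message-ID: <3@example.test>\nSubject: Fwd: marathon bombing video!!\n\nbody\n",
    "Message-ID: <4@example.test>\nSubject: Q2 budget review\n\nbody\n",
]
```

Running `scan_messages(SAMPLE_MESSAGES)` flags the first three messages and leaves the budget email alone.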

Closing the Door on Hackers

“Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed. Instead of focusing solely on employees who accidentally open e-mails, we should also be pressuring software makers to make significant investments in their products’ security.” I really like this opinion piece on the root of the “hacker problem”. It is well-organized, well-worded, and well-informed. The author recounts some of the history of software security issues (vulnerabilities leading to high-profile worms and viruses such as Slammer and Melissa), explains the pivotal point where software security became an industry focal point (2002’s “Trustworthy Computing” memo), and ties it back to today’s events, where Oracle and Adobe are at the forefront of security ire. I also like how the article points out just how much software security affects government, and yet shouldn’t require governmental mandates to make it a priority.

Your Weekend Security Challenge: Password-Style

“Ubiquitous two-factor authentication is still far off and in the meantime we are stuck with passwords. Unfortunately, passwords usually “suck” because most lay people just use the same password everywhere on the web, whether it be for accessing their bank and credit card accounts or joining a social networking site.” This article puts forth a great challenge on how to help mitigate the password problem plaguing people who use the Internet: password managers. A password manager can be a powerful tool for creating, generating, and using complex passwords unique to each password-protected resource, whether a news site or an online banking site. Here is the essential challenge, “Setting the tone”: each person who is aware of the virtues of password managers must find a way to help at least one other person set up and start using a password manager, in order to get the ball rolling on stronger passwords!

National Provider Directory: Why Needed?

“The New York eHealth Collaborative is developing a national provider directory to ensure that electronic queries for patient data go to the right place and privacy is protected, says the group's leader, David Whitlinger.” While I wholeheartedly agree with Mr. Whitlinger’s statement that "privacy and security is really paramount, and it succeeds best when as much control as possible can be given to the patient," the paranoid part of me wonders what happens if (or when) there is a breach of this system, whether through human error, malfunctioning technology, or any number of other causes. If that occurs, information that is currently spread across many different systems would all sit in one highly desirable target. Applicable here is the statement that haunts me: the bad guys have all the time in the world and only need to find a single vulnerability, while the good guys need to stay on time and under budget, yet mitigate as much risk as possible.