Archive for March, 2013

AVT vs APT: the revenge of the acronyms

March 19, 2013

Start-up company Triumfant has been warning about the new AVT (advanced volatile threat), which is “a more sophisticated and dangerous attack vector” than your average common or garden APT.

Really? OMG, that’s some threat. But is it really for real? Is it really VB, or just NVG? And what about AV?

I did a guest blog for Lumension where I try to put the new volatile threat into context. So keep calm and carry on over to Lumension: Advanced Volatile Threat – Is an Old Threat the New New Threat?

Categories: All, Security Issues

Senator Keith Alexander predicts the foretold cyber attack

March 13, 2013

Strange little article in ZDNet today: Senator warns banks of cyberattack risk, Chase Bank targeted within minutes.

It’s strange on several counts. Firstly, it seems that General Keith Alexander, head of the U.S. military’s Cyber Command, has been promoted (or demoted) to Senator – for it seems to be he who issued the warning.

Then he was gifted with prescient superpowers. He warns of further attacks on the banks.

As if in silent agreement, hackers — potentially with a morbid sense of humor — decided to attack Chase Bank’s website within minutes of the speech, and this was later confirmed by the bank to CNBC. It is unknown whether the cyberattack was connected, but either way, the timing was ironic.

The attack itself was, predictably, a denial-of-service (DoS) attack, although it is unclear whether any financial or account data has been compromised or stolen.
Senator warns banks of cyberattack risk, Chase Bank targeted within minutes

Hmm. How clever of the general to foresee this attack. Who else – certainly not ZDNet apparently – would have had the intelligence to translate the al-Qassam Cyber Fighters’ public statement last week that phase 3 of their operation against US banks had started; and that, as before, “a number of american banks will be hit by denial of service attacks three days a week, on Tuesday, Wednesday and Thursday during working hours” into an actual attack on an actual US bank on an actual Tuesday?

I’d like to predict, based on my superhuman knowledge of the current threatscape, that a US bank will be hit on Thursday – and if not on Thursday, then next Tuesday or Wednesday or next Thursday. The motivation, however, is not a morbid sense of humour, but simple, plain, good old indignation.

Categories: All, Security Issues

Prenda Law rebuffed by WordPress

March 10, 2013

I wish to express my admiration and gratitude towards WordPress, who host this site, and EFF, who unconditionally defend justice.

On Friday I reported Prenda Law’s subpoena on WordPress (actually Automattic, Inc, the owner of WordPress) in Infosecurity Magazine (Copyright trolls will not go quietly). In a nutshell, Prenda Law has demanded the IP addresses of everyone who has visited the WordPress-hosted DieTrollDie and FightCopyrightTrolls websites – two organizations that offer help and support to victims of copyright trolling; especially via Prenda Law.

That same afternoon, WordPress general counsel responded to Prenda Law’s Paul Duffy. No, he said. “Your subpoena is legally deficient and objectionable for numerous reasons, enumerated below, and Automattic will not produce any documents in response to this subpoena.” Of course, if the subpoena is upheld, Automattic will simply have to disclose the information.

But in the meantime WordPress has given Prenda Law (reproduced by Fight Copyright Trolls) five legal reasons for its non-compliance, and a further four reasons by which it finds the subpoena objectionable. And just to add further complications for Prenda, the Great Defender of 21st Century Justice, EFF, has joined in:


EFF takes issue against Prenda Law


It is to be hoped that the courts currently adjudicating on Prenda Law do not merely throw the book but the entire legal library – first at Prenda Law, and then at all other copyright trolls.

Categories: All, Politics, Security Issues

JASH – just another Saturday hack

March 3, 2013

Evernote (announced it) got hacked on Saturday – joining an illustrious 2013 line-up. New York Times, Wall Street Journal, Washington Post, Twitter, Facebook and Bank of America just off the top of my head.

These are all major companies holding vast amounts of our data – companies you would hope to be hack-proof. Clearly they aren’t, which lends weight to the idea that once you’re targeted, you will be breached.

But if that’s the case, what’s happening with the banks (not counting BofA, of course) and our financial accounts? Are they not being targeted, or is there a cost level to genuine security that the banks achieve, but hardly anyone else?

Are ‘free’ services like Evernote, Twitter, Facebook and the newspapers simply not viable if they have to provide genuine security? Have we reached the stage where ‘free’ means ‘insecure’?

Or are the banks getting breached but just not telling us?