Cybersecurity professionals must keep track of what’s going on. There’s no way to do it all on your own, so e-mail newsletters are a vital tool. But just how much credence should we give the latest scary story?
I ran into a recent example of a cybersecurity bulletin that started out interesting but quickly included enough red flags to make me question everything in it. It became, for me, like a Wikipedia article about a small town where the suspiciously significant attraction is a restaurant (not so coincidentally owned by the most recent editor of the page). Everything within the article itself becomes suspect, although I’m happy to use it to the extent it points me to other, more trustworthy, references.
The article caught my attention as it discussed how the recently discovered Heartbleed vulnerability had been found on the Android platform. But some strangely outdated and even naive statements appeared within the article.
First, there was the reference to “the ultra-secure 3DES encryption algorithm”. Huh? 3DES was published in 1998 and known at the time to provide only 112-bit security, because of a meet-in-the-middle attack. By 2007 NIST publication 800-57, Recommendation for Key Management, explained that the most commonly used keying option of 3DES (two-key 3DES) provided security only to the level of an 80-bit symmetric cipher. Plus, 3DES was always a MacGyverish lash-up, taking three times as long as DES on the single-core CPUs of its era.
Meanwhile, AES, with key sizes up to 256 bits, was first published as the Rijndael algorithm in 1998 and adopted as a U.S. government standard in 2001.
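The meet-in-the-middle point above is worth seeing rather than taking on faith, so here is an added example that is not part of the original post. It uses a constructed toy block cipher (16-bit block, 16-bit key, no relation to DES or to any real cipher) and encrypts twice with independent keys K1 and K2. The nominal key length is 32 bits, but an attacker who holds a few plaintext/ciphertext pairs recovers both keys with roughly 2 × 2^16 cipher operations and a 2^16-entry table, not 2^32 trial encryptions. The same argument is what caps three-key 3DES at about 112 bits of security instead of 168, and why “ultra-secure” is the wrong label.

```python
"""Why double encryption does not double key length: a meet-in-the-middle demo.

Toy 16-bit block cipher with a 16-bit key, constructed for this example only.
Encrypting twice under independent keys K1, K2 gives a 32-bit key, but a few
known plaintext/ciphertext pairs let an attacker recover (K1, K2) with about
2 * 2**16 cipher operations plus a 2**16-entry table, not 2**32 operations.
"""

MASK = 0xFFFF
MUL = 0x9E37                        # odd, so multiplication mod 2**16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)     # modular inverse of MUL (Python 3.8+)
ADD = 0x5A3
ROUNDS = 4


def _rotl(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x, n):
    return _rotl(x, 16 - (n % 16))


def _round_key(key, i):
    # Simple key schedule: rotate the key and XOR a round constant.
    return _rotl(key, 3 * i) ^ (0x1234 * (i + 1) & MASK)


def _mix(x):
    # Invertible diffusion step: affine multiply-add mod 2**16, then rotate.
    return _rotl((x * MUL + ADD) & MASK, 5)


def _unmix(y):
    return ((_rotr(y, 5) - ADD) * MUL_INV) & MASK


def encrypt(block, key):
    x = block & MASK
    for i in range(ROUNDS):
        x = _mix(x ^ _round_key(key, i))
    return x ^ _round_key(key, ROUNDS)


def decrypt(block, key):
    x = block ^ _round_key(key, ROUNDS)
    for i in reversed(range(ROUNDS)):
        x = _unmix(x) ^ _round_key(key, i)
    return x


def double_encrypt(block, k1, k2):
    """Encrypt under K1, then under K2: nominally a 32-bit key."""
    return encrypt(encrypt(block, k1), k2)


def mitm_recover(pairs):
    """Return every (k1, k2) consistent with the given (plaintext, ciphertext) pairs.

    Work is about 2**16 encryptions + 2**16 decryptions + a few verifications,
    versus 2**32 double encryptions for naive exhaustive search.
    """
    p0, c0 = pairs[0]
    # Forward half: encrypt p0 under every possible K1 and index by the result.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    # Backward half: decrypt c0 under every K2 and look for a meeting point.
    candidates = []
    for k2 in range(1 << 16):
        mid = decrypt(c0, k2)
        for k1 in table.get(mid, ()):
            # One pair leaves ~2**16 false meetings on a 16-bit block;
            # the remaining pairs filter them down to the real key pair.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def cost_comparison():
    """(naive exhaustive search cost, meet-in-the-middle cost) in cipher operations."""
    return 1 << 32, 2 * (1 << 16)


if __name__ == "__main__":
    K1, K2 = 0x1F3A, 0xC0DE            # constructed secret keys
    plaintexts = [0x0001, 0xBEEF, 0x1234]
    pairs = [(p, double_encrypt(p, K1, K2)) for p in plaintexts]
    naive, mitm = cost_comparison()
    print(f"recovered {[(hex(a), hex(b)) for a, b in mitm_recover(pairs)]} "
          f"with about {mitm} cipher operations instead of up to {naive}")
```

Three pairs are used because the block is only 16 bits wide: the first pair pins down 16 bits of the 32-bit key pair, so each extra pair is needed to discard the leftover false matches. With a real 64-bit block, one or two pairs suffice, and the table grows to 2^56 entries for DES, which is exactly the memory/time trade-off that makes two-key and three-key 3DES weaker than their raw key lengths suggest.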
OK, so maybe that “ultra-secure 3DES” reference was meant to be ironic. But the article immediately segues to malware spread by ultrasound, very similar to the speculated cross-OS, airgap-jumping malware “BadBIOS” reported by a prominent cybersecurity researcher. He is now widely thought to have been either conducting a social engineering experiment or becoming delusional, or at the very least wildly misinterpreting what he had seen.
Yes, there has been recent work on covert acoustical mesh networks, but it’s an academic demonstration of how such communication could be done, not actual malware commonly spreading from machine to machine over inaudible signals.
The article’s third strike was some naive advice that provides the appearance of security without providing any security at all. It suggested that, if you have an Android device containing sensitive data and you suspect it might be susceptible to the Heartbleed flaw, you should just restore the device to its factory settings and use it for other purposes, since a factory reset should erase all the user data.
No. A factory reset does no such thing. It makes sweeping configuration changes, but it does not actually wipe the user data from the device’s storage.
How can you become a better informed, more cautious reader of cybersecurity news? Learning Tree’s System and Network Security Introduction course would be a good place to start, and the Cloud Security Essentials course addresses issues of security visibility and responsibility when you are considering using one of the major public cloud providers.