Four things I'm reading this week:
- Fighting Credit Card Theft with Dynamic CVVs: This is a brilliant, simple idea: make the CVV on the back of your credit card dynamic. That’s exactly what two French banks have done. The CVVs on their credit cards change every hour, and there’s enough juice in the card itself to keep generating the CVVs for three years. We need more innovation like this.
- What to Think About Yahoo? Too Early to Tell: Newspapers and Twitter have been full of debates about Yahoo’s purported government-mandated surveillance this week. The problem with this discussion right now? We don’t know what actually happened. Even the two primary stories about it (via Reuters and New York Times) directly contradict each other. With the details largely uncertain, anyone can read into this Rorschach test whatever they want to believe, or spin almost any story about what it might mean. This is largely what is happening now. We all should take a step back, and try not to reason too far ahead of the facts that we know. I’m reading: “Holding Off on that Yahoo Email Story.”
- Calling for an NIH for Cybersecurity: I don’t know that I would pick the NIH as my model, but the essential point of Dan Kaminsky’s call is completely sound: everyone knows the organization with the mission to innovate in cyber offense (the NSA), but what is the organization that has the mission to innovate in cyber defense? This could be DHS, NIST, or DARPA, but there is no consistent answer. And the fact that we don’t agree on this tells me that there isn’t really an institution that has the resources, profile, and mission to push the envelope on cyber defense. And that’s a problem. I’m reading: “The internet is breaking. Here’s how to save it.”
- Understanding the Technical Aspects of Attribution: With the continuing string of political intrusions seemingly coming out of Russia, attribution seems to come up in every cybersecurity conversation. But what does “attribution” really mean in the context of online activity? Our picture of this process comes mainly from CSI and from Hollywood scenes of hackers flying through a mocked-up data center. The reality is much more complicated, and much more important. This interesting analysis from Kaspersky walks through common technical attribution techniques, and gives a flavor for how attribution actually happens. An excellent read for understanding the cat-and-mouse of anonymized cybercrime. I’m reading: “Wave your false flags! Deception tactics muddying attribution in targeted attacks.”
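To make the dynamic-CVV item above concrete, here is an added example (not code from this page or from the French banks' actual scheme) of an hour-stepped, three-digit code derived HOTP/TOTP-style from a per-card key, with the issuer-side check that tolerates an hour of clock drift; the key, the SHA-256 HMAC construction and the one-hour skew window are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import struct

# Assumed HMAC/TOTP-style construction for an hour-stepped CVV; this is an
# illustration, not the scheme the two French banks actually deploy.
STEP_SECONDS = 3600  # the code rolls over every hour, as the article describes
CVV_DIGITS = 3       # a CVV is three digits


def dynamic_cvv(card_key: bytes, unix_time: int) -> str:
    """Derive the 3-digit code valid during the hour that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226), reduced to CVV_DIGITS digits.
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** CVV_DIGITS:0{CVV_DIGITS}d}"


def verify_cvv(card_key: bytes, presented: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Issuer-side check: accept the current hour plus/minus skew_steps hours of drift."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = dynamic_cvv(card_key, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, presented):
            return True
    return False


def accepted_hours_after_capture(card_key: bytes, capture_time: int, skew_steps: int = 1) -> int:
    """How many consecutive hours a code copied at capture_time keeps being accepted.

    With skew_steps=1 this is normally 2 hours; a 3-digit code can collide by
    chance (about 1 in 1000 per candidate hour), which can only extend it.
    A static CVV, by contrast, would be accepted for the life of the card.
    """
    code = dynamic_cvv(card_key, capture_time)
    hours = 0
    while verify_cvv(card_key, code, capture_time + hours * STEP_SECONDS, skew_steps):
        hours += 1
    return hours


# Constructed sample values: a per-card key and a capture time of hour 1000 since the epoch.
SAMPLE_KEY = b"constructed-per-card-key-0123456789"
SAMPLE_TIME = 1000 * STEP_SECONDS

if __name__ == "__main__":
    print("code this hour:", dynamic_cvv(SAMPLE_KEY, SAMPLE_TIME))
    print("hours a copied code stays usable:", accepted_hours_after_capture(SAMPLE_KEY, SAMPLE_TIME))
```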