1. The prefix ‘cyber’ will continue to be greatly overused by the non-technical, especially the media.
2. Something (malware, infiltration, data breach), will occur that will be declared the most complex/dangerous/expensive of all time.
3. Infosec professionals will continue to complain about how bad a cert the CISSP is.
4. Infosec professionals will continue to obtain CISSP certifications en-masse.
5. Some new wicked-cool feature, toy, or tool will be released that everyone in the world will want. Security people will try to warn the public of the risks this new device poses, and will have no impact on the new device’s adoption or sales.
6. ‘Privacy experts’ will continue to warn the public and gain media attention, and the public will continue to ignore them.
7. Users will continue to choose weak passwords, and we’ll pretend that this shocks us.
8. OWASP will continue to be awesome.
9. We will continue to be hampered by lack of information, and unbridled complexity, and will somehow manage to do our jobs anyway.
10. The earth will continue on it’s orbit around, water will be wet, summer will be hotter than winter, babies will be born, people will die, taxes will always be too high, and next year we’ll do it all again. Have a great 2011!

Seen at OWASP appsec dc

Originally uploaded by bachrach44

This sign pretty much speaks for itself. Something about the very specific and non-legalistic warning message really speaks to me.

On a related note, I’m going to be talking at AppSecDC in November on Domino security. Come check it out.

Hello, my name is Lawrence Siegell. [note: email sent from Evan Franklin]
I’ve just viewed your resume and would like to offer you a part-time job based on work at home.
Our company name is Manpower East Gmbh. Job title is Stuff Manager.

We’re a small courier company based in Europe.
We help our clients to order some goods or things at low prices and safety ship packages to the client side.
Our experience shows it’s easier to order something using our service.
We’re looking for a good support representative to process our packages in the USA.

The stuff (like clothes, musical instruments) will be shipped from the online stores, auctions or some of warehouses via regular or express delivery services like USPS, UPS and etc. You will have to handle these packages and resend it to us or our couriers.
Your salary will be $20 USD for each handled package but you will get $50 USD for each package, marked as important. Of course, you will have some bonuses if you work hard and complete your tasks in time.
You will receive 5-20 parcels weekly, trial period (first 4 weeks) includes processing of 2-5 packages.
Maximum packages weight is 20lbs, max size lenght+width+height < 80 inch, usially 5-12lbs, 8*14*18 inch. For heavy parcels you will be paid with additional (bonus) salary.
We pay monthly or per 20 sent packages. If you have PayPal account, you will be paid via PayPal instant transfer, if don’t have then via Western Union or Moneygram.

All shipping charges will be paid by our company.
No investments required, we will cover all your expenses including shipping charges.
If you’re interested in our offer give me your contact phone # and the best time to reach you at. Or contact me via email.
I also want to inform you that sometimes the international calls from Germany have no caller ID that’s why I ask you to answer the unknown phone calls.

Best regards,
Lawrence

update: Since a lot of people seem to be finding this page, I figured I would add a link to this article from workathomescams.com which describes how the scam works, and mentions that if you participate, you may find yourself to be an accessory to a crime.

“Most organizations are struggling with the rising tide of email attachments, which can rapidly consume all available email storage when left unchecked.”

They attributed this quote to Matthew Cain, which I can’t verify, but my only response is: Really? I mean really? In this day and age? Are you sure this quote isn’t from…. 19992?

I remember one government run conference I was at where almost half the talks focused on cyber-terrorism in some way. About halfway through the conference I cornered an academic friend of mine and asked him if he had ever, in his entire life, heard of even a single case of cyber-terrorism. After a few moments of thought the best he could come up with was that if a terrorist was very good, they would have infiltrated something and would be biding their time and waiting. Although this is a popular story amongst fear-mongers, it is not how terrorists work. The goal of terrorism is to wage a campaign of terror. To do so you take credit for everything you do in order to make your targets feel like you control the situation and not them. In fact, terrorists frequently try to take credit for things they didn’t do, just to assert themselves as being in control. Their goal is to gain attention – not avoid it. A terrorist wants to get on the front page of every newspaper in the world – they don’t even care if they killed anyone or blew anything up. (See for example the fact that Umar Abdulmutallab, better known as the Christmas day bomber, is being hailed as a hero even though his plan failed!) For the terrorists the Abdulmutallab attempt was a success not because it killed people or caused damage, but simply because it got us Americans to panic – they inflicted terror. Computer hacking simply doesn’t elicit the same response. The Chinese-Google hacking case arguably caused more damage, but it did not elicit the same fearful response from the American population. It was also almost certainly a much larger expenditure of resources. Why would any terrorist group expend ten times the resources for one-tenth the result? (Again, using their definition of the word result). Cyber-terrorists may make good movies, but they simply don’t exist in real life.

1 – people assume that because something is written down it must be true.

2 – disreputable people will always find new and creative ways to take advantage of the above.

Courtesy of Emails from crazy people (and further variants on snopes) comes the newest evolution of the Nigerian 419 scam. Absolutely astounding.

I want you to read this message very carefully, and keep its content secret till further notice, you have no need of knowing who I am, where am from, till I make out a space for us to see, I have been paid $50,000.00 in advance to terminate your existence with some reasons not listed in my contract by my employer, this employer is one you may call family, I have been in close surveillance for one week and three days now and have seen that you may be innocent, which really is not for me to decide.

Note that for your safety do not think of contacting the police or F.B.I or try to send a copy of the message to them, because seeing an alert on this massage will force me to do what I do not intend doing (Believe me it will seem like an accident to even the F.B.I forensics) As this is the first time am betraying a client.I will be needing a retirement fee from you to return to my country ASAP as I can not stay any longer in your country after this.

Now, listen very carefully I will arrange a location for you to pick up tapes and pics of me and my employer for court evidence, and also meet with you face to face if you promise you won’t involve the police or F.B.I. Contact this email within 48hrs as I do not have much time. *****@yahoo.

Be careful of who you think you are showing this massage to, we are watching and listening to every move you make.

You don’t need my phone contact for now till am assured you are ready to comply good.

A few weeks ago, Charlie Miller, Alex Sotirov, and I [Dai Zovi] arrived on a new meme: No More Free Bugs.

Therefore, reporting vulnerabilities for free without any legal agreements in place is risky volunteer work.  There are a number of legitimate alternatives to the risky proposition of volunteering free vulnerabilities and I have already mentioned a few (I don’t want to turn this into an advertisement or discussion on the best/proper way to monetize security research).   There just need to be more legal and transparent options for monetizing security research.  This would provide a fair market value for a researcher’s findings and incentivize more researchers to find and report vulnerabilities to these organizations.

Although there are many solutions, including having a third party review built into the outsourcing contract, one obvious solution that comes to mind is having third party certifications, similar to the common criteria or DITSCAP.