Someone buy Zoom a book on Secure Development?

I think there are a couple of lessons here.

Media love to dogpile on a tech company that gets security wrong publicly, and Zoom certainly got it wrong (secure development is not really a new concept, guys). That said, I wouldn’t go so far as to call this malware as some articles have. It represents a need for everyone to know the full extent of their supply chain for not only the products and hardware they own, but also the services they consume.

That said, if you are using Zoom right now to easily allow grandma to communicate safely with the grandkids during these times, more power to you. If you are conducting sensitive company meetings over the platform, well… maybe stop for now?
#infosec #securedevelopment
https://www.nytimes.com/article/zoom-privacy-lessons.html

Poking holes in encryption

Yeah, well… we kinda did really.

Don’t get me wrong, I think something needs to be done to provide a balance for genuine law enforcement requirements, but as we have seen with technology-related legislation of the last few years, it is generally not very good and not really what was sold to the Australian public (looking at you, metadata retention legislation!). If a bad actor truly wants to avoid the impact of this legislation they just use a third-party encryption product, readily available in their multitudes via Google.

Technology-related legislation is necessary, but it takes time and it also takes consideration of what type of society we want to create for ourselves. Both of which have yet to surface so far.

https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html

Social Media or Information Warfare?

Ok, so it was only 30 million accounts and not 50 million… that’s ok then!

Interesting conjecture as to who was behind the attack. Further evidence, I think, that identifies Facebook as no longer being a social media platform but a tool for Cyber Enabled Information Warfare. Whether you use it illegally like these threat actors have or go in as a legitimate customer and pay the money, the power that this tool can provide beyond sharing cat pictures is undeniable.

https://www.databreachtoday.com/facebook-clarifies-extent-data-breach-a-11598

Don’t think I want to bluescreen my car!

Well, this is a little scary! The tradition with security vulnerabilities in software and computer hardware has been ‘ship it and fix it later’. For the most part this worked. It was responsive to business and it also realistically didn’t matter a great deal. Yes, your computer application might have a security vulnerability which may or may not be exploited by a bad actor, but even if it was, the impact was generally minimal. If it did happen to impact you then you could “purchase support” at a reasonable price and everyone wins (that was probably a bit cynical of me).

However, today more and more lives are depending upon the same vulnerable technology. Will the same methodology of ‘fix it later’ work when we are talking about medical monitoring equipment or vehicles on busy highways? Somehow I think we are talking about a tipping point here, where a new paradigm of how we approach this problem needs to be found, and found very fast.

Hopefully markets and sense will prevail and find a solution, but if we look at this historically I think we might be in for a rough time.

https://www.nytimes.com/2018/10/11/opinion/internet-hacking-cybersecurity-iot.html

From little things, big breaches grow

With everything being connected these days and recording for our convenience and future reference, these types of data mashups are inevitable I suspect. It does go to show that sometimes the smallest and seemingly insignificant piece of electronics can lead to a very significant security issue.

The report referenced in the article also provides some additional interesting insights (https://www.gao.gov/assets/690/686203.pdf).

https://www.theverge.com/2018/1/28/16942626/strava-fitness-tracker-heat-map-military-base-internet-of-things-geolocation

More Regulation Please?

An interesting op-ed piece. While I wouldn’t necessarily say that regulation (government or otherwise) is always the answer (other than to bolster the compliance industry), there is a point to be made here.

Are we reaching a tipping point like that experienced after the Enron fallout, where a more holistic and measured approach to this problem needs to be mandated?

A data breach today is less likely to be an annoyance and more likely to have potentially significant and devastating real-world consequences. The hit list of recent events in this regard identified in the article clearly demonstrates that the problem is just getting bigger.

https://www.nytimes.com/2018/01/08/opinion/cybersecurity-breach-spectre-meltdown.html

The New World Order of Privacy

I suspect we will be seeing more of these types of articles in coming months and years. This is essentially the same type of problem that impacts other areas of security, from secure software development to encryption: we develop an assurance method and then research (legitimate or otherwise) finds the flaws. The problem I see is that, unlike secure software development and encryption, de-identification methods don’t have the same level of maturity. With the current environment of data (especially personal data) being of high value, we are going to need to mature these methods very quickly.

http://www.smh.com.au/technology/innovation/australians-health-records-unwittingly-exposed-20171218-p4yxt2.html