Cyber Crime School

Every industry needs to train its next generation of people I guess! An interesting report by Terbium Labs (link to the report is in the article) detailing that ‘guides to cyber crime’ are starting to become a hot commodity.

The report does indicate that the efficacy of the information may be a little questionable (is there no integrity in the dark markets anymore?). But an interesting point would be how law enforcement will approach this.

While personal and financial details are clearly identified in various computer-crime-related laws, information on how to conduct computer crime might be a slightly grey area. Is possession of theoretical knowledge on how to conduct the crime illegal? Certainly it will put an individual on law enforcement's radar, but conviction might be more difficult.

https://www.theregister.co.uk/2020/04/16/cybercrimeby_fraud_lessons/

Secure DNS with Firefox

Kudos to Firefox for this one. While on by default in the US, it needs to be turned on manually in other jurisdictions.

The article doesn’t provide any technical analysis so, like always, the devil is in the details.

#security #infosec #privacy
https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/

Cyber Resilience

An interesting paper, What Good Cyber Resilience Looks Like (behind paywall).

I have heard many conversations indicating that compliance is not security. This is evidenced by the massive number of data breaches that we see commonly reported in the media today. However, the second part of that conversation usually leads towards technology solutions in place of compliance. This is not the answer either.

This paper describes the basic idea behind cyber resilience and describes it as the following basic concepts:

1. Know your mission. Cyber resilience isn’t just about incident response, it is about keeping business running despite whatever cyber incident is occurring. Each business needs to describe what that looks like for them.

2. Cyber is everything. Integrate cyber throughout the organisation. It isn’t just the responsibility of the security practitioners employed by the organisation but something that every business function needs to address.

3. People. Invest in your people. Train them and keep them. Technology will be useless without them.

All very self-evident ideas, but ideas that often get lost in the conversation around cyber in general.

https://www.researchgate.net/publication/282081616_What_good_cyber_resilience_looks_like

Contact tracing done right?

Relevant given the recent release of the Australian app. The EU has been generally pro-privacy for some time, and the list of safeguards they mandate seems to be fairly reasonable and balanced between protecting the individual and doing the job it needs to do.

The problem with the conversation at present on the Australian app is that it is using a number of keywords such as encryption and privacy impact assessment, both of which can have significantly varying degrees of efficacy, and neither of which is explained in any real detail. There is also a high reliance on legislative protections. As we have seen in the recent past with metadata retention, legislative protections are not always the best solution.

https://www.theregister.co.uk/2020/04/17/european_contact_tracing_app_spec/

Code security

Interesting coverage of the state of Open Source Software and the vulnerabilities it carries. I do recall a time when the common wisdom was that open source was more secure because you have thousands of eyes looking at the code, as opposed to the closed environment of the corporate world that is focused on product releases and the bottom line only.

The irony seems to be that those two views have merged somewhat. The adoption of Open Source Software into the enterprise environment has diluted the religious zeal of the open source coder with a dash of the corporate world bottom line mentality.

I think in today’s world, with a complex supply chain for code and services used by software, the simple maxim that all code has vulnerabilities is the only one that rings true. Regardless of source, open or closed, you need to address your application security, coding practices and supply chain.

https://www.technewsworld.com/story/86564.html

Use technology to fight the good fight….always

Don’t get me wrong here. This is a serious issue and one that would benefit from the application of technology to help the mammoth effort of track and trace required to fight the pandemic. But if we have managed to mobilize the amount of resources we have so far in the response to this, surely we can also mobilize the necessary skills, both technical and policy, to ensure that whatever tracking system we create has the safeguards necessary to protect the rights and privacy of the citizen.


We have the potential capability to deploy a mechanism that would make this crisis and any future ones like it easier to manage and save lives. But this doesn’t mean that we need to create something that has far-reaching consequences after the crisis is over.
As with all good applications, design the necessary security and privacy safeguards in now, rather than later when it is a problem.

#privacy #infosec #security

https://www.scmagazine.com/home/security-news/news-archive/coronavirus/aclu-privacy-concerns-abound-over-location-tracking-to-stop-covid-19-spread/

Someone buy Zoom a book on Secure Development?

I think there are a couple of lessons here.

Media love to dogpile on a tech company that gets security wrong publicly, and Zoom certainly got it wrong (secure development is not really a new concept guys). That said, I wouldn’t go so far as to call this malware as some articles have. It represents a need for everyone to know the full extent of their supply chain for not only the products and hardware they own, but also the services they consume.

That said, if you are using Zoom right now to easily allow grandma to communicate safely with the grandkids during these times, more power to you. If you are conducting sensitive company meetings over the platform, well…….maybe stop for now?
#infosec #securedevelopment
https://www.nytimes.com/article/zoom-privacy-lessons.html

Working at home safely

For organisations that already had remote capabilities, these very different times that we are now in likely represent only an increase in capability rather than new capability.
But for those organisations suddenly thrust into the need to give their employees remote access to their systems and files for the purposes of just staying in business, standing up the necessary technology and processes to enable remote access security can be difficult.
SANS has published a good basic toolkit just for that purpose:
https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

Social Media or Information Warfare?

Ok, so it was only 30 million accounts and not 50 million…..that’s ok then!

Interesting conjecture as to who was behind the attack. Further evidence, I think, that identifies Facebook as no longer being a social media platform but a tool for Cyber Enabled Information Warfare. Whether you use it illegally like these threat actors have or go in as a legitimate customer and pay the money, the power that this tool can provide beyond sharing cat pictures is undeniable.

https://www.databreachtoday.com/facebook-clarifies-extent-data-breach-a-11598