Blog Post

jm hearted

Things I hearted Last Week

For the week ending 25th September 2016

 

On one hand vendors want users to patch their systems and keep them secure. On the other hand, actions like this causes people to not want to apply official updates.

 

North Korea just accidentally turned on global zone transfers for their top level domains, archive of the data here.

 

My good friend James McQuiggan attended (ISC)2 congress where he not only MC’d the leadership awards, but also won the Presidents Award for a volunteer who has contributed to advancing the security profession. He wrote a nice writeup of the event.

 

The war Microsoft should have won.

 

Over 60k vulnerabilitie went unassigned by MITRE’s CVE project in 2015. Good research on the issues with CVE and what needs to be fixed.

 

Building Spring Cloud Microservices That Strangle Legacy Systems A good post on legacy systems, handing data etc. Worth bookmarking this one.

 

Well-written piece on how terrorists use encryption.

 

2016 best WiFi hacking and Defending Android application.

jm hearted

Things I hearted Last Week

For the week ending 18th Sept 2016

 

I’ve stopped even trying to understand digital ownership and how copyrights work. Getty images tries to make original photographer pay for her own photos.

 

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years.

Apparently this has been running for a while, but only the payment details were made available for the last two years. According to Krebs, it looks as if two people were the masterminds behind the operation. So that would be an average of $150k each a year. Then you subtract costs of running the operation, any additional resources they need, the cost of laundering money and it’s likely they took home around something closer to $100k each a year. Now $100k is by no means anything to turn your nose up to. But, they probably could have ended up better off if they’d chosen a legit route to market.

 

Still in Israel, How Israel’s startup community shut down an IPO that one investor called a ‘sham’

 

If you look up the word ‘irony’ in the dictionary, you’ll probably see a link to this article where adblock itself is to begin selling advertisements. It illustrates the difficulty online businesses have in generating revenue streams outside of advertising. Thus lending credence to publications and sites that have a lot of adverts. All I can think of is the quote from The Dark Knight “You either die a hero, or live long enough to see yourself become the villain.” But seriously, is this where adblock moves from a pure ad-blocking service to an ad-moderating service. Will it spin up the security angle that it only serves ads free from malware? How long before an AV vendor buys it and bundles the capabilities into its consumer version?

 

A detailed account by Wired on how it made the move from plain old HTTP to the shiny HTTPS. I like real-life tech stories – and this is nicely written.

 

Uber, Square, Airbnb, and others form cybersecurity coalition for vetting vendors. I like the idea in principle – to save duplication of effort and standardize on some aspects. But actually effectively implementing something like this… ummm.

 

Discovering how Dropbox hacks your Mac.

 

I wasn’t able to make it to 44Con last week, but the feedback from the event has been great. I noticed Steve Armstrong posted his slides on Advanced Incident Remediation techniques. Steve’s a great presenter and really knows his stuff.

 

CB Insights has a wonderful periodic table of cybersecurity startups.

 

FBI trying to build legal cases against Russian hackers.

 

Not quite security, but a good post nonetheless on critical thinking for software engineers.

 

Finally, nothing is sacred. A ‘memory hacker’ explains how to plant false memories in people’s mind!

 

jm hearted

Things I hearted last week

For the week ending 11th Sept 2016

 

Yes, I’m late again. Don’t blame me – blame Gartner! Well, the fact that I was attending the Security and Risk Summit in London and then I was catching up on work and then… well you’re not interested in my excuses, let’s get onto the juicy stuff!

 

I read this article on “predictive policing” and how police could learn a lesson from Minority Report and couldn’t help thinking about the parallels that could be drawn to security.

 

Fake attacks by insiders to fool companies

 

This is pretty cool – USBe – air-gap cover-channel via electromagnetic emission from USB. (PDF). There’s also a video showing it in action.

 

Age diversity an issue? What happens when a 54 year old esteemed apple engineer applied for a job at the Genius Bar. What happened next will shock you! No, I don’t think I’m quite at that level of click-bait yet.

 

Snagging creds from locked machines by using a plugin device that masquerades as a USB Ethernet adaptor.

 

 Hacker takes down CEO wire transfer scammers and sends their Win 10 creds to the cops.

 

Detecting malware with Memory Forensics. (PDF)

 

Little Flocker beta is out. It’s a product similar to Little Snitch, but for file access instead of network connections. Looks pretty cool.

 

Internet Disinformation Service for Hire – isn’t that pretty much all of the internet? I’m sure my facebook feed is filled with more disinformation than anything else. Please share this post and type amen or something bad will happen to you!

 

The employee badge that monitors where you are and who you are talking to.  Umm yeah, totally a cool thing and like “fitbit for your career”. Nothing creepy about this at all.

 

Don’t like security restrictions? Just ignore them. Clinton email highlights frustrating reality of bypassed IT policies

 

IoT security vulnerability disclosure: A tale of two industries

 

Finally – an interesting article on being patient and how invention is only the first step of innovation. When you change the world and no one notices.

jm hearted

Things I Hearted Last Week

For the week ending 4th Sept 2016

 

A classic case of an auditor that is intent on causing more harm than good – resurfaced on my twitter stream, so thought I’d re-share.

 

Troy Hunt confirmed the Dropbox hack is unfortunately real. However, some observers are saying that Dropbox’s data breach response is still wrong. It makes some valid points – and one has to wonder whether we do need mandatory breach notification.

 

What qualities do you look for when hiring information security professionals?

 

Apparently it’s possible to unlock phones with a VR headset and Facebook photos.

 

Are companies’ digital transformations near complete? The C-suite things so, the people on the ground beg to differ.

 

What I learned speaking at events as a CEO for the past 2.5 years. A good article that lists some of the business benefits from public speaking, as well as useful tips on what to look out for and how to measure success.

 

This isn’t representative of MSSP’s. But it does show that as a customer, security is seldom ‘set and forget’. It is a good reminder that just because you think you’ve deployed monitoring technologies, it doesn’t mean you have.

 

The ICO has a report on UK data incident trends. Healthcare is by far the worst sector with 232 incidents. In second place is local government with 62. The most common data security incident type was ‘data posted or faxed to incorrect recipient’. The most common Cyber Incident type was ‘cyber security misconfiguration’.

 

Not quite security related, but interesting all the same. The biggest threat to democracy? Your social media feed.

 

How spy tech firms let governments see everything on a smartphone. With an eye-watering $500k setup fee?

 

CSP Is Dead, Long Live CSP! Google research paper on the insecurity of whitelists and the future of content security policy.

 

Pokemon Go – hacking, and personal moral dilemma’s. Nice article.

 

AirBnB released their first ever transparency report. France leads the way with 42 requests.

 

Five attributes of an effective corporate red team.

 

The rise and rise of the machines. Wallmart is cutting 7k jobs due to automation.

 

Threat hunting is more than a marketing buzzword.

 

Sensepost wrote a tool and a blog that shows how you can pop shells on an end users box that has outlook running with just their AD/OWA//exchange credentials.

 

Microsoft gets support in gag order lawsuit from U.S. companies.

 

One to file under ‘breaches sometimes really do hurt business’. India shelves plans to expand French submarine order after data breach.

 

 

jm hearted

Things I hearted Last Week

For the week ending 28th August 2016

 

We had a bank holiday Monday here in London, so I’m a bit off – and may have skipped a day or two. Not that anyone would really notice, but I felt the need to preface my tardiness with an excuse.

 

When security and convenience collide we get beauty sites that let anyone read customers personal information.

 

Chris Nickerson tweeted out the first PTES map created. Really interesting to go see how things start out. How many items do you have sketched out on the back of the beermat? A good reminder to go out and see things through to completion.

 

Can you explain encryption to me?

 

Analyzing malicious office documents.

 

Sounds like the title of a Hollywood B-movie. Unfortunately, it’s true – How the Pwnedlist got Pwned.

 

Why twitter was the platform of choice for ripping apart the NSA dump.

 

Not really surprising, but still saddening that many hospitals transmit your health records unencrypted.

 

Timing of browser-based security alerts could be better. More likely that this kind of research will be lapped up by advertisers.

 

Not entirely security related, more from a legal perspective, but interesting all the same. How you can intentionally destroy evidence and still win a $25million verdict.

 

Opera server breach incident

 

Car hacking is the future – and sooner or later you’ll be hit

 

Great piece from my friend / partner in crime / ex-colleague Adrian Sanabria on why we need to change the psychology of security.

 

Saving the best / worst for last – did WhatsApp fall from (relative) grace in one quick motion as it announced it will share your phone number with Facebook. On the topic, it also appears as if disabling tracking on WhatsApp doesn’t disable tracking or your data being sent to Facebook.

My friend Steve Lord summed up the WhatsApp position in a multi-tweet rant better than I could:

A couple of people have said to me that they don’t want to remove whatsapp and switch to Signal because their friends are all on whatsapp. These people don’t understand that Whatsapp will upload your contacts to Facebook. You might not care about your privacy, but I care about mine, and that of others.

People who aren’t on facebook will get a shadow profile created about them, with their phone number attached to it. They never agreed to a terms of service, and it’ll be your fault that it’s been passed over to facebook, all because ditching these {expletive} was somehow inconvenient. You’ll be just as guilty of flaking out over other peoples’ private data as Whatsapp and FB.

So seriously – install signal, get your friends to install signal, give it a try and get rid of whatsapp once you’re happy with it. At least then you’ll be coming from a position of having tried.