
Making Sense of WannaCry


Whenever a calamity befalls, it’s only natural for people to try and rationalise and identify the problem.

That is now happening with the WannaCry ransomware outbreak that affected the UK’s NHS service, and other services in over 100 countries. People are discussing what should have been done to prevent it.

On one hand, there’s a debate ongoing about responsible disclosure practices. Should the NSA have “sat on” vulnerabilities for so long? When Shadowbrokers released the details, it left only a small window for enterprises to upgrade their systems.

On the other hand, there are several so-called “simple” steps the NHS or other similar organisations could have taken to protect themselves. These would include:

  1. Upgrading systems.
  2. Patching systems.
  3. Maintaining support contracts for out-of-date operating systems.
  4. Architecting infrastructure to be more secure.
  5. Acquiring and implementing additional security tools.

The reality is that while any of these defensive measures could have prevented or minimised the attack, none of these are easy for many enterprises to implement.


Looking busy when working from home

I work from home. To some this seems like the ideal situation, and in many ways it is. My commute to the “office” takes 30 seconds, I never get caught up in traffic, there’s always good food, and I don’t have to worry about what I’m wearing.

But there are many downsides to a home working arrangement too. You need to be self-disciplined and maintain a routine, otherwise you can end up working all hours of the day and night.

Cabin fever also begins to set in. There’s literally nothing new to talk about with the family. There’s no walking through the door in the evening and asking the family how their day was. Because you are with them all day and know exactly how eventful or not the day has been.

Perhaps, the one thing I miss the most is having the social interactions that you get when working in an office. Sure, communications are great, you can email, instant message, or video call colleagues. But it doesn’t replace the casual banter by the coffee machine or being able to bounce ideas off each other quickly and easily.

When you work from home, it’s very easy for the family to forget that you’re working. After all, to the untrained eye, all you are doing is sitting and staring at a computer all day long. So it becomes very easy for them to ask you to run a quick errand to the shops, or agree to attend a school meeting without checking first. Or the worst, is interrupting you when you’re deep in thought on work, or are in the middle of an important conference call.

So to combat this, I’ve tried different techniques to illustrate when I’m busy, so as to keep the kids from making me a viral sensation. I’d be lying if I said my techniques have been 100% effective. So I’m interested in hearing from home-workers what has or hasn’t worked for you.

Privacy: Take control

There’s a lot going on in the world about governments snooping on citizens, and hacker groups trying to gain control over your Facebook.

While these are genuine concerns, it probably shouldn’t be the biggest worry for most citizens. It is always easier to point the finger at a boogeyman, and blame all your woes on it.

Rather, let’s turn this around and see what we can do to protect ourselves, and those around us, better.

I’m by no means advocating shunning technology altogether, but rather to be more mindful of what you are sharing online and with whom. When you need to fill out an online form in order to get internet access, do you really need to answer everything truthfully with your real name, address, and date of birth? Do you really need to share details of all your holiday plans in advance?

What about privacy settings on social media? Does it really need to be completely open to the public?

It requires a bit of discipline, and it won’t work in every instance, but by taking a few steps and building them into your online habits, you can take back a bit of control of your privacy.


SHA1 collision – What’s it all about?

Why should we be concerned about the successful SHA-1 collision attack that was recently demonstrated by Google researchers?

I take a look at encryption, cryptographic hashing, and why this attack is a big deal.

The 2016 Alien Eye In the Sky Recap

Today is the last Alien Eye in The Sky episode for 2016, so rather than just recapping the week, we thought we’d take a look at what’s transpired over the course of 2016.

To be honest, I underestimated the huge task at hand, and after researching several hundred breaches, decided that it was better to break down the incidents into trends and take samples from each.

Hopefully this will give a renewed appreciation of how much the cyber security challenge is growing across the world and across all industries.

So, without further ado, all the stories mentioned in the video are linked below.

Happy holidays everybody!


Online dating

Adult Friend Finder

Fling,

Mate1,

Shadi.com,

Muslim Match.

Password re-use attacks

Carbonite,

Netflix,

GoToMyPC,

Reddit,

TeamViewer,

Camelot,

Deliveroo,

KFC.

Healthcare

Banner Health which impacted 3.7m patients

Turkish state hospitals 10m patients.

Queen Mary Hospital in Hong Kong saw 3,600 records accessed

Al Zahra Private Medical Centre in the UAE had 4,600 records accessed.

New Jersey Spine Centre,

Center for Neurosurgical and Spinal Disorders


It’s Not All Fun and Games

Steam game keys stolen.

Evony gaming company saw itself targeted twice during the year.

Forums belonging to Clash of Kings and Funcom were breached.


Elections

The Philippines Commission on Elections was attacked a month before the country held its 3rd automated elections.

Over 93.4 million Mexican citizens had their voter registration details exposed online.

Illinois online voter registration portal hacked, information compromised.

Every voter in Louisiana had their details exposed.

In Ghana, the Electoral Commission had four computers stolen that were used for biometric voter registration.

Education

The Indian Institute of Management was hacked and results of the CAT exam released.

University of Central Florida

N.C. State University

Jacksonville State University

University of Liverpool

University of Ottawa missing a hard drive with data on 900 students.

Saga prefecture schools

Defcon IoT Village saw 47 new vulnerabilities discovered in devices.

Ransomware

Banking incidents

Tesco Bank Hack

Bank of New Zealand

Royal Bank of Canada

SunTrust Bank

Qatar National Bank

Miscellaneous hacks and breaches through the year

Oregon Department of Fish and Wildlife

Azerbaijani hackers leak secret data from Armenian intel server

World Anti-Doping Agency (WADA) hacked.

Adani Power Ltd. India

Zameen.com Pakistani real estate giant hacked, entire DB leaked.

Siliconware Precision Industries in Taiwan suspected an engineer stole data.

Christians Against Poverty saw bank details, phone numbers, and other data stolen.

American Association for the Advancement of Science

Rhode Island Blood Center

Vietnam Airlines

South Africa’s Department of Water Affairs

Yahoo hack

Alien Eye in the Sky Ep 8

Another week, another set of impactful, bizarre, and interesting security stories.


We tried something different this week: rather than focusing on a few stories in the video and posting links to others, we’ve crammed them all into one action-packed episode!

Stories covered


Toyota dealer sued for stealing intimate photos off couple’s smartphone


Nice Security Matrix about Office macros (PDF)


Counterproductive security behaviors that must end


How HMRC combats phishing by using DMARC


How publishers are defeating ad blockers and how ad blockers are fighting back


Fake US embassy in Accra, Ghana, staffed by Turks, flew an American flag and issued fraudulent visas for $6,000.


Did someone put you in the TO: instead of the BCC: ? Do This…


15 ways to deal with badly written risks

Every so often, a report gets presented which looks like it was written by the work experience student that was employed by the intern.

So what’s the best way to respond? I went on Twitter to ask the opinion of folk who have to deal with this kind of thing on a regular basis, and distilled their wisdom into 15 tips.

Other honourable mentions go to: