The niner noteworthy stories of 2016 (week 24)

These are the noteworthy stories, in no particular order, that peaked my interest last week.

NSA wants to Exploit Internet of Things and Biomedical Devices

If you read this title and are surprised, do read on please. If you are not surprised, like me, then you probably expected this or at least didn’t think of it yet.
With IOT (Internet of Things) growing and it’s manufacturers ability to make the products they sell also very secure being next to fully absent, it isn’t really that hard to come up with the notion of intelligence agencies wanting a piece of the personal data pie being served up hot and steamy by your own IOT devices. If you still think you have nothing to hide and privacy is overrated? Please think again, very hard.
source: The Hacker News (external link)

Theresa May’s surveillance plans should worry us all

I have commented before on this snoopers charter story and it’s far reaching consequences. Now it seems it is almost passed into law, the only thing that remains is to highlight again why this is such a dangerous move. And not in particularly to startups or other tech-sector companies in the UK providing services to companies abroad possibly containing very interesting datasets.
The fact that the intelligence agencies will obtain very broad equipment interference possibilities is obvious, that they also obtain them to be used to “test, maintain or develop equipment interference capabilities”, in other words they can hack into your systems just to see what they can do or “for fun” if you will, is ridiculous. Effectively the only stopgap measure between massive misuse and appropriate use is the “rubber” stamp of the home secretary. Not that dissimilar as we have seen in the United States with the rubber stamp courts and gag-orders for companies around the Patriot Act, the Foreign Intelligence Security Act and probably some others I forgot here. Thanks to Mr. Snowden we know it exists in the US, the Brits are gentleman enough to tell us upfront by stating it in their laws.
source: The Guardian (external link)

NATO officially recognises cyberspace a warfare domain

This in the end could become an interesting paradox. On the one hand NATO wants to build up our defences and resilience against cyber attacks, on the other hand the intelligence agencies want to make use of the lack of security to harvest data. Specifically the policies in place to snoop on your own citizens and those of your NATO allies would become part of this paradox situation.
And yes I am calling it “cyber” security here and not Information security. Though the latter term has a broader scope, in this context the threats mostly would come from within cyberspace (that’s the Internet to you and me).
The fact that NATO only now sees this threat model as a fifth warzone level is however kind of worrying by itself. Have we as NATO countries really done next to nothing in this field together?
source: Security Affairs by Pierluigi Paganini (external link)

Russian government hackers penetrated DNC, stole opposition research on Trump

A very interesting read into a breach that the DNC probably could have never prevented. The fact that it was discovered in the end is interesting to say the least.
If the breach indeed started with spear phishing attacks, which remains to be seen it seams, it is very difficult but not impossible to defend against. Security awareness training and constant awareness programs can help to limit the exposure to such attacks. Limit indeed, never completely mitigate, but that holds true for all information security measures and programs.
source: The Washington Post (external link)

Japan travel agency fears leak of 7.93 million records, passport deets

heading level 2 Names, addresses, emails, and 4,300 valid passports leaked

Again, this time confirmed, a successful phishing attack leaking loads of identities including copies of valid passports. It would be very interesting to see what this company did to prevent this, not only on security awareness but possibly also on basics like least privilege and need to know principles to limit the amount of data accessible to the breached employee.
source: The Register (external link)

Data protection groups seek to join key High Court case

Action initiated by Data Protection Commissioner could have huge international implications

In my article on the Eu/US Privacy Shield I stated that I would not put my money on either the European Data Protection Agencies or the US intelligence agencies to have the final say on who decides on the level of access on our personal data. Apparently big corporates will have their say if the Irish court allows the US government and Business Software Alliance to have their say in this as well.
If this case is referred to the European Court of Justice and if the standard contractual clauses are indeed found to breach the fundamental rights set forth in the ECHR (article 8), this will have a major impact to the American tech sector and to a lot of European companies doing business using that tech sector’s products alike.
This goes much further then a privacy shield replacing the safe harbour and will shake the fundamental notion of data protection online. Who comes out on top in the end, remains to be seen.
source: The Irish Times (external link)

Lax Password Security Practices Endanger Consumers

Passwords won’t die out in the near future indeed. However the alternative suggested in this article, using biometrics stored by an internet company for authentication, would certainly not rank very high as my goto replacement. Sure, biometrics can be very useful in multi-factor authentication systems, but storing them on internet facing systems, how well designed the security and data protection methods around them are, to me is not a good idea.
The main issue is that if you ever lose your biometric data, it can never be replaced. You can’t just buy a new set of fingerprints, change an eye for a new retina scan etc. Storage on the internet of such personal details should be a no-go in all situations.
Oh and finally, I doubt the picture painted in this article on Americans being lax with their passwords would be different if the research was done in Europe for that matter.
source: Quinstream (external link)

75% of apps not compliant under EU data protection rules

In these cases this means that most apps are not only non-compliant with the General Data Protection Regulation (GDPR) but most likely will fail compliancy to current EU data protection laws as well. Specifically the once from countries that have a more stringent implementation of the old directive like Germany. One error if you wil in this article I must point out is that the GDPR has come into force on the 25th of May 2016 already. The two years the article is referring to is the changeover period allowed for companies to align their current data processing activities to the new regulation, that holds for all activities that were already going on before the 25th of May 2016. All new data processing activities must meet GDPR compliancy standards immediately.
source: Business Cloud News (external link)

The web attacks that refuse to die

This article states it absolutely correctly: security by design and secure coding takes time, effort and discipline. However not doing so means that if a similar report is made up in another 9 years or so, we ar still dealing with web attacks like cross-side scripting, SQL injection, local file inclusion, session hijacking etc. etc. etc.
It makes you wonder when the coding community finally will wake-up and say they won’t code another line unless it’s done securely. It also makes you wonder if this is pure laziness, a lack of funding or ignorance. I leave it to you to decide for yourself which of these options most likely is the closest to the truth. Whichever option it is, it needs to change and fast to make sure the ever more pervasive presence of web-based technologies will ever reach a level of security required in the 21st century.
source: Naked Security by Sophos (external link)