These are the noteworthy stories, in no particular order, that piqued my interest last week.
- Farnborough Airshow: Keeping drones safe from harm
- You really do want to use biometrics for payments, beam banks
- How our voices could unlock the connected world
- Why Hackers Love Your LinkedIn Profile
- Antivirus software is ‘increasingly useless’ and may make your computer less safe
- Ransomware ‘stopped’ by new software
- Privacy Shield: The new EU rules on transatlantic data sharing will not protect you
- UK gov says new Home Sec will have powers to ban end-to-end encryption
- Theresa May wants to see your internet history, so we thought it was only fair to ask for hers
Farnborough Airshow: Keeping drones safe from harm
This obviously is a demo setup, fully prepared and tested before they made this small video piece. Although a lot of drones use a similar protocol for control, taking over control and at the same time fully blocking the original controller requires more than just pressing a button. For demonstration's sake this video is pretty interesting, though there is an entire world of transmission analysis, antenna theory and possibly jamming solutions behind it as well. I hope there was more than this at Farnborough 2016 related to information security and the aviation sector, but I haven't seen anything closely related in the news and overview broadcasts yet.
source: BBC News (external link) (Please note the BBC website uses insecure Flash for its videos; if you have the BBC News app installed, you can watch it there as well without the Flash-related security risks.)
You really do want to use biometrics for payments, beam banks
Visa-backed survey gives fingerprint recognition the thumbs-up
Whilst I don't disagree with the outcome nor with the benefits of biometrics for the payment and banking industries, there is a very important side note to be made here: if compromised, lost, stolen or otherwise, biometric data can never be reset. That means that if somebody misuses your fingerprints in any way at all, you lose the ability to use them again for the rest of your life. Securing biometric data is therefore much more important than securing any other authentication data.
A middle way would be to store the biometric data on the (credit) card you pay with and, as with a smartcard, verify the data on the card itself so that it never leaves the confines of the onboard chip. Authentication of the payment and authorisation to the payment system would then use large public/private key pairs and subsequent cryptographic mechanisms such as digital signatures, also computed on board the smartcard.
Storing biometric data on the servers of payment companies, probably even in cloud-based environments, is something we really need to be very careful with. As said, you only have one set of biometric data, and if it is compromised, that's it: there is no reset button.
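The match-on-card design sketched above, as an added illustration that is not part of the original post: the enrolled template (a constructed stand-in; real matchers are fuzzy, exact comparison stands in for that) and the private key live only inside the `Card` type, the card returns a signature over the payment message or an error, and the payment system verifies that signature with the public key without ever holding a fingerprint. Names and the payment message format are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Card models the smartcard. Only Pub is ever exported; the enrolled template
// (a constructed stand-in here) and the private key stay on the chip.
type Card struct {
	Pub      *ecdsa.PublicKey
	template []byte
	priv     *ecdsa.PrivateKey
}

func NewCard(template []byte) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Pub: &priv.PublicKey, template: template, priv: priv}, nil
}

// Authorize compares the live sample with the template on-card (real matchers
// are fuzzy; exact comparison stands in for that here) and, only on a match,
// signs the payment message with the card-resident key. The caller gets a
// signature or an error, never any biometric data.
func (c *Card) Authorize(sample, payment []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(sample, c.template) != 1 {
		return nil, errors.New("biometric mismatch: no signature issued")
	}
	h := sha256.Sum256(payment)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// VerifyPayment is the payment system's side: it checks the signature against
// the card's public key and never sees or stores a fingerprint.
func VerifyPayment(pub *ecdsa.PublicKey, payment, sig []byte) bool {
	h := sha256.Sum256(payment)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

The payment message would in practice carry a nonce or transaction counter so a captured signature cannot be replayed for a second payment.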
source: the Register (external link)
How our voices could unlock the connected world
Compared to the research in the previous story, more people are taking up voice identification than the figures in the European, Visa-sponsored research suggest. For this type of identification a similar warning holds, however: make sure the data is very well protected, as you can never reset your voice or its characteristics. Although misusing this type of information is probably more difficult than misusing a fingerprint, unless software is created that can fully mimic a person's voice from some sample audio and other characteristics, protecting the related data must have a high priority. As for misuse, the standard-phrase method is probably easier to abuse than the free-speech method, although call-centre employees need to be trained to spot that an authentication sentence like "my voice is my passport" may be spoken by a different voice than the remainder of the conversation, which would be a clear indicator of a possible fraud attempt.
source: BBC News (external link)
Why Hackers Love Your LinkedIn Profile
Apparently this is a somewhat older article, but it was reposted to Twitter last week, hence its inclusion here. Other than that, there is nothing I can really add to this article except that this obviously holds for all social media outings of your employees, and yes, that includes their private accounts as well.
That last bit will be a bit more difficult to implement, as you are again blurring the line between the business and private worlds of your employees, but it is key that they understand and are aware that even their private social media accounts, weblogs etc. are part of their personal image online. This online image, private or business, has an impact on the company they work for.
source: F-Secure blog (external link)
Antivirus software is ‘increasingly useless’ and may make your computer less safe
Anti-virus software has been losing out on really protecting you for the last few years. This has partly to do with the facts stated in this article, which boil down to cyber criminals making less and less use of the viruses and malware that AV software can detect, but also with how AV programs actually work. The latter has to do with the enormous volume of viruses and malware created over the last decade: if an anti-virus program wanted to offer more protection, it would have to check against all of them at all times. This is such a significant burden on your hardware and on the size of the program's internal signature database that it would not just slow your system down but make it completely unusable. So the AV vendors' answer is to put only recent and the most commonly encountered signatures for viruses and malware in their databases. Together with a fully patched and updated system this will give some level of protection.
The problem with most organisations is their lack of a well-designed and well-executed patch management policy and guidelines, further degrading the effectiveness of any anti-virus or anti-malware package installed. This, as well as the ransomware protection discussed below, must be part of a full defence-in-depth strategy.
source: CBC (external link)
Ransomware ‘stopped’ by new software
The main take-away here is that, even if it stays 100% successful in detecting ransomware, it is always an early warning system for an infection that has already taken hold and activated. Therefore, in a strategy of defence in depth, where multiple layers of security are used to protect your critical assets, this is probably the last and final layer, there to minimise the actual impact.
Again, this starts with awareness of your employees or even your family members, because it is certainly not big institutions alone that suffer from ransomware attacks.
I have personally seen with a previous employer what a ransomware attack, albeit a minimal one in the end, can do to your organisation. Things like awareness, limiting access rights on shared disks, and correctly written applications where the application itself accesses files rather than depending on the user's read/write access to a specific filesystem, would have minimised the impact even further or even limited it to the user's own profile and private files. This holds even more true for people who need more access rights to do their daily work, like system and network administrators.
If your organisation requires assistance in setting up a defence-in-depth strategy that will protect against more than just ransomware, don't hesitate to contact me.
source: BBC News (external link)
Privacy Shield: The new EU rules on transatlantic data sharing will not protect you
I have written about this topic before in several previous editions of this weekly overview, as well as in this article, voicing my concern with the apparent lack of protection on the US side and the, in my opinion, apparent inadequacy of US mass-surveillance and bulk data collection methodologies. For some reason it seems our EU politicians do not want to see this as a problem, or are painfully pressured by their US counterparts and the US tech industry to come to a quick solution.
Another thing pointed out in this article is that US companies have a clear advantage in not having to comply with EU privacy laws, whilst their European competitors do, with obviously more costs involved. This will lead either to eroding privacy protection in Europe or, and I don't see this happening, to a strengthening of privacy protection within US companies. In my article I concluded by asking who had more say over our data protection as European citizens: our own data protection agencies and politicians, or the American government and possibly its tech sector. With this version of the Privacy Shield there is no shielding whatsoever, and the balance is tipping in the wrong direction.
source: the Irish Times opinion (external link)
UK gov says new Home Sec will have powers to ban end-to-end encryption
Amber Rudd yet to emerge from blanket of ministerial double-speak
Should we here on the mainland be happy now that the UK, which is invoking such broad snooping laws, is leaving the European Union? Or is that going a bit too far? Whichever way you think of it, the honourable gentleman in the House of Lords clearly needs a lesson in cryptography before being allowed to say anything on the matter again.
As one of his fellow MPs very rightly points out, if you build an end-to-end encryption system into your product, the entire goal and purpose of such a system is to be secure at all times, without any possibility whatsoever for an intermediate party to crack, decode or decrypt the traffic. The only way around this is to allow such systems to be used only after the private keys are handed over to the government. I have criticised American politicians and intelligence agencies on my blog before for exactly these same reasons. Apparently, with the Snoopers' Charter (or Investigatory Powers Bill, as it is officially named), the UK is even worse off than its closest partner across the big pond.
source: the Register (external link)
Theresa May wants to see your internet history, so we thought it was only fair to ask for hers
This is also a somewhat older article, but it hasn't lost its relevance in an overview related to Ms May now becoming the new leader of the UK, as well as the IP Bill passing through parliament last week. Although on the one hand I can understand why the data was not released, on the other hand calling it too heavy a burden on the department to do so is silly at best. That is, unless they don't monitor and store their own browsing habits at all, which would be an interesting fact by itself.
source: the Independent (external link)