These are the noteworthy stories, in no particular order, that peaked my interest last week.
- More than 200 Southwest flights were delayed or canceled because of technology problems
- CISSP certification: Are multiple choice tests the best way to hire infosec pros?
- Shred-it Busts Seven Common Information Security Myths
- Snowden designs device to warn when an iPhone is ratting out users
- 40 Million iCloud Accounts Hacked? Hackers Hold iOS Devices To Ransom
- 53% of organisations around the world still use Windows Server 2003
- UK’s DRIPA spy law is legal if safeguards in place, says top EU court advisor
- Governments Googling Google about you more than ever says Google
- Hacker shows Reg how one leaked home address can lead to ruin
More than 200 Southwest flights were delayed or canceled because of technology problems
Yes even this is an information security problem as it is clearly a loss of availability and a lack of business continuity management as well. Aviation is more and more dependent on IT systems for all daily operations including tickets, boarding, scheduling, flight planning, briefing flight crews and handling special care passengers’ requests. With schedules for planes becoming ever tighter because a plane flying makes money, one on the ground doesn’t, a glitch in one system or application will have a massive effect on the entire network and operations if it goes on long enough.
A good strategy on availability and continuity would indeed, as one carrier actually did, include low-tech solutions like handing out handwritten paper boarding passes as well as backup paper systems and other solutions to guarantee a maybe delayed but at least not cancelled schedule. Technology will not solve every issue, sometimes going low-tech will be your only solutions. But the best measure is to think about this before it actually happens and have your continuity plans ready and tested.
source: Business Insider (external link)
CISSP certification: Are multiple choice tests the best way to hire infosec pros?
Focus on skills instead of certifications like the CISSP, experts argue.
Whilst some of this article does hit the nail on the head completely, I don’t fully agree with all of the opinions and preconceptions. Multiple-choice exams are certainly not the way to test if people understand information security, specifically because they only test if you know the answer required by the test organisation like ISC2, SANS Institute or ISACA. Even worse, specifically with CISSP, if you have too much relevant background and let your day-2-day knowledge take over during the exam, you will fail miserably as I have seen some former colleagues do, in some cases even multiple times.
Now you may ask why I have an impressive list of these certifications and why I am keeping them current as well? It is indeed partially because of the HR and recruiters firewalls of ctrl+f selection methods as this article points out all to correctly. However for me, with most of these certifications at least, the real benefit is in the fact you demonstrate not only 5+ years of relevant experience in the field which is extended with the number of years you own the relevant certification.
As for the notion “you can hack or you can’t”, I can’t but fully agree. I have seen enough people claiming to be ethical hackers, and having the certifications to show for it, to look open mouthed at my laptop at a linux terminal listing some small script for testing a blind sql injection using nothing more then a linux command-line tool and a self-written shell script.
For the time being at least, I will maintain my certifications and even expand the number of them I have passed the multiple-choice exam for. Mostly because of the reasons listed in this article, but also because they will signify the real work experience I have. But as said, that only holds true for the once that actually require it to be maintained as well appropriately shown before you can actually certify at all.
source: Ars Technica (external link)
Shred-it Busts Seven Common Information Security Myths
There is actually even more behind these 7 myths then the facts listed in this article. It does portrait a nice picture on what actually can, and in a lot of cases does, go wrong with confidential data protection.
Training employees once a year doesn’t have to be an issue, if the training is done right and not kept to the same e-learning module over and over again. Although training more often or having additional awareness programs in place to help employees do their work more securely will certainly help with your overal protection level. If your business wants to have a look at it’s security awareness training as well as go over your data protection policies, don’t hesitate to contact me.
source: (external link)
Snowden designs device to warn when an iPhone is ratting out users
“Introspection Engine” might one day work with wide variety of smartphones.
Whilst the idea is very interesting, it will only nicely show you that your device already has been compromised and probably that your location has likewise been compromised as well. If you really want to make sure your device can’t transmit anything, switch it off completely and bring a piece of paper and a pencil to write stuff down. In those circumstances you really need that smart device, apart from it’s radio’s obviously,place it in a Faraday cage bag or it’ low-tech equivalent in the form of some tin foil wrapped around the device.
source: Ars Technica UK (external link)
As for the approach of these gentlemen: you don’t really need the complete design specs of a smartphone for this to work, rather you need to know the exact frequency ranges the on-board radio’s are abel to transmit on. With that information, it is possible to build a small unit with a receiver for all these frequencies, use 4 small antenna’s to do some direction finding to make sure it is indeed the phone and not something else transmitting and build the remaining logic into a software defined radio system. Most if not all of the required technology is already widely available in the amateur radio community.
40 Million iCloud Accounts Hacked? Hackers Hold iOS Devices To Ransom
A couple of things can be done to protect against these styles of attack: activate multi-factor authentication on your iCloud account, be really careful where you use it and with which password, always have a backup of your device stored on your local computer.
The first reason is obvious, if they have your password and not your, as Apple calls it, “trusted device” they simply can’t login and execute the “find my iPhone” attack. As for the second one, never use the same password on multiple locations, an obvious one it may seem but still relevant in the light of most password scams and fall-out from credential leaks.
The last and third one is more complicated as iOS by default will store a backup on iCloud of your device for later recovery. You can, for those who don’t know, also create a local backup using iTunes on your own computer. In the case your iCloud account gets compromised and your device is wiped, contact Apple to gain back control on your AppleID and subsequently restore your device from it’s latest local backup. If all successful, go back to steps one and two to complete your protection.
source: TechWorm (external link)
53% of organisations around the world still use Windows Server 2003
And I suspect that at least half or more of these old 2003 instances are not even properly patched or have a firewall enabled at all. However as insecure as this may seem, in some cases it is unavoidable to still run the old system even though it is already end-of-life for more then a year. Specifically in industrial IT environments older systems are still present as the software required to control them simply doesn’t run on newer versions of the server OS or changing them would require an entirely new certification cycle for the equipment.
However, this does mean extra care needs to be taken to adequately protect these systems with additional measures. Often these measures need to be taken outside of the older system to isolate them from other parts of the network and correctly filter any network connectivity that is required for correct operations. So yes it is a risk to have these older end-life unsupported systems still around, but if you are aware of the risk and take appropriate measures to mitigate it, it can be done even relatively secure.
source: SC Magazine UK (external link)
UK’s DRIPA spy law is legal if safeguards in place, says top EU court advisor
Brexit chief David Davis quits DRIPA case in big blow to privacy campaigners.
This law is going to be replaced with the IP bill or snooper’s charter as it’s adequately named in the UK tech media. A law with even more far reaching powers for the home secretary as compared to the current DRIPA it seems. A lot of comments on the IPBill have been entered around blanket surveillance and inadequate privacy protections. It is going to be interesting to see how this ECJ note, which clearly was put out on a fast track before the snooper’s charter last day in the house of Lords, will influence their standpoints.
source: Ars Technica UK (external link)
Governments Googling Google about you more than ever says Google
Chocolate Factory welcomes ‘improvements’ in surveillance laws
Though this may be mixed news on how much data is coughed up by Google upon the request of governments, I am more interested in the legal comment by the company of welcoming the EU/US privacy shield. Does Google really see this as beneficial for EU citizens and their own role of maybe having to cough of data less? Or is it more enticing to think they love it because it strengthens their own position over European based companies in still not having to comply fully with European privacy laws, which obviously gives them a competitive advantage as well as more data to cough up to the US government as well upon request.
source: the Register (external link)
On a side note to this transparency report: it is as transparent as the US government will allow it to be. With the presents of gag-orders in some US intelligence agency’s arsenal, how much more data is actually coughed up and not aggregated in this report?
Hacker shows Reg how one leaked home address can lead to ruin
Just don’t go on Facebook, people. You’re giving yourself up to crims
How some social engineering, public records, social media and knowing where to look could have lead to absolute tragedy. This article shows very fine grained detail what the use of privacy, actually data protection, is so much more than not having anything to hide. An argument heard all too often in the privacy discussions I usually have with friends and clients. Read the article and if you are amazed and/or surprised after reading it, my goal of helping you see the importance of data protection and being careful online has been achieved. If you are neither amazed nor surprised, you are probably privacy aware already.
source: the Register (external link)