The niner noteworthy stories of 2017 (week 4)

Insights in information security and privacy news

These are the noteworthy stories, in no particular order, that piqued my interest last week.

It’s 2017 and 200,000 services still have unpatched Heartbleeds


How do we get those admins to patch, you ask? Quite simply: when they get the time to actually maintain their systems, and that will only happen when senior management finally understands that this is an absolute necessity for running a secure IT operation.
As long as those prerequisites are not met in the majority of organisations, and outsourcing companies are not reprimanded for lousy patch management because their clients neither understand nor care about it, this will never change, or at least not anytime soon. That is, until they are breached, which in most cases will then probably go undetected.
source: The Register (external link)

Hackers exploit SCADA holes to take full control of critical infrastructure


If you have read the article above and were wondering why Stuxnet is still so prevalent 6 years after it became widely known, read this article as well and be surprised, shocked, or even both.
The most shocking line in this article is the following bit:

In one case, the researchers responsibly disclosed a “vulnerability in the cloud SCADA platform Daq Connect which allowed attackers running a demonstration kiosk to access other customer installations.” The vendor’s totally unhelpful response was to tell the researchers “to simply ‘not do’ the attacks.”

If you only read that specific line, I ask you: need I say more?
source: Computerworld (external link)

China just made VPNs illegal


Note to the author of this article: effectively not withholding internet access and connectivity whilst at the same time censoring what you can and can’t view is, from China’s perspective, exactly the same thing. Cracking down on VPN services is therefore not really unexpected, and I am somewhat surprised that these services were available for this long anyway.
Online privacy is something we, at least in Europe, think of as a fundamental human right and therefore an online right, but other countries think differently on this topic, as this crackdown clearly shows.
Whether this move by the Chinese government is ethical is debatable. According to European values it certainly is, but who are we to judge them on this?
source: Engadget (external link)

This App Offers Personal Recommendations While Keeping Your Data Private


Sometimes research is done that respects privacy while at the same time trying to provide a service similar to that of another company that clearly does not respect users’ privacy. This app and the accompanying research are clearly such an example.
If only more companies would see it this way, the world would be a better and more privacy-respecting place.
Now you may think that I’m a dreamer and that my hope is unrealistic; if that really is the case, then at least I’m not the only one with this vision.
source: MIT Technology Review (external link)

‘Security questions’ not that tough to crack (IAPP daily dashboard)

Liz Weston: Your mother’s maiden name is not a secret

Yes indeed, security questions are dead and have been for a long time, as I already wrote in this post.
Adding biometrics to security questions to bolster security could help, albeit that it is optional in this case, unless Adobe releases this piece of software.
And apparently, with American financial institutions, 2-factor authentication is an option too. There is only one comment I can end this piece with, which is: Make America broke again!
source: The Seattle Times (external link)

Lloyds cyber-attack details emerge


This is certainly one to watch over the coming weeks or even months. Lloyds may say that no money was stolen and no ransom claim was made, but that doesn’t mean nothing else actually happened.
Usually, with large-scale DDoS (distributed denial of service) attacks that come without any claim, reason or direct impact other than loss of connectivity, something else is lurking behind them. There is always a reason for these attacks; the fact that in this case none seems to have been disclosed yet means precisely that: there is a reason and a secondary attack vector, which has either not been disclosed or not even been found yet.
source: BBC News (external link)

Majority of organisations are in the dark regarding daily network attacks


One in four companies breached in the last year? And that is only the 25% that actually detected it in some way, or found out later that they were breached in the first place. This factually means that the actual number of companies breached is potentially much higher than that.
Chilling facts, and if we are not careful these numbers will only grow over the coming years.
If your company wants to score an A grade in information security, please don’t hesitate to contact me to see where we can improve your current security program and posture.
source: SC Magazine UK (external link)

Ransomware Hijacks Hotel Smart Keys to Lock Guests Out of their Rooms


I have one other piece of advice for this hotel and others like it: segregate your key card system from all other networks and, if at all possible, take it off any internet connectivity whatsoever. Patching can be done through other means, or through a temporary lifting of the internet connectivity ban, but only towards the specific IP ranges from which the patches must be downloaded.
This is called an air gap and, in this case, it would have prevented this hotel from having to pay the ransom.
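To make the segregation rule above concrete, here is an added example (not code from the original post, nor from the hotel or vendor involved) that models the egress policy as a small check: the key card segment may only talk to itself, and only during a maintenance window may it reach the allow-listed patch ranges. The subnet, patch mirror ranges and flow records are constructed for illustration.

```python
"""Egress policy check for a segregated hotel key card network (added example).

Not code from the original post or the hotel involved; subnets, patch mirror
ranges and flow records are constructed. Policy as the post describes it:
the key card segment talks to no other network, and internet access is
lifted only temporarily and only towards the ranges patches come from.
"""
import ipaddress

# Hypothetical key card VLAN and vendor patch mirror ranges (constructed;
# the mirrors use RFC 5737 documentation addresses as placeholders).
KEYCARD_NET = ipaddress.ip_network("10.50.0.0/24")
PATCH_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.32/27")]


def decide(src, dst, maintenance_window=False):
    """Return 'allow' or 'block' for one flow leaving a key card host.

    Flows staying inside the segment pass. Everything else is blocked by
    default; only during a maintenance window, and only towards the
    allow-listed patch ranges, may a flow reach the outside.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in KEYCARD_NET:
        raise ValueError(f"{src} is not on the key card segment")
    if d in KEYCARD_NET:
        return "allow"
    if maintenance_window and any(d in r for r in PATCH_RANGES):
        return "allow"
    return "block"


def audit(flows, maintenance_window=False):
    """Run constructed 'src dst' flow records through the policy; return blocked pairs."""
    return [(s, d) for s, d in (f.split() for f in flows)
            if decide(s, d, maintenance_window) == "block"]


# Constructed flows: door controller to key server, door controller to the
# office LAN, key server to a patch mirror, key server to a random host.
SAMPLE_FLOWS = ["10.50.0.21 10.50.0.5", "10.50.0.21 192.168.1.10",
                "10.50.0.5 203.0.113.17", "10.50.0.5 192.0.2.44"]

if __name__ == "__main__":
    print("normal operation, blocked:", audit(SAMPLE_FLOWS))
    print("maintenance window, blocked:", audit(SAMPLE_FLOWS, True))
```

Note that the office LAN flow stays blocked even during the maintenance window: lifting the ban for patch downloads must not reconnect the key card segment to the rest of the hotel.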
If the management of this and other hotels happen to read this, do contact me for further assistance.
source: The Hacker News (external link)

Autoriteit Persoonsgegevens wants to take action against data leaks at municipalities


According to this article, the number of Dutch local governments reporting data leaks has grown. That fact by itself is extremely disturbing, especially because in some cases social security numbers (burgerservicenummer, or citizen service number, BSN) are leaked as well.
And that is apparently only the tip of the iceberg, as a lot of data leaks are not even reported to the Dutch data protection authority, the Autoriteit Persoonsgegevens. With the BSN being used more and more for all kinds of services, including the entire health sector, this is potentially extremely dangerous for the citizens of the Netherlands.
For people running their own business as a sole proprietorship (eenmanszaak in Dutch), the situation has been even worse for a long time, as the Dutch tax authorities misuse the BSN as the VAT number for these companies. Attempts to change this back in 2013, however, failed.
The BSN is also the basis for the Dutch government’s online identity system. Having that number and the home address of its holder has already led to cases of identity fraud, the chance of which will only grow with every leak or misuse of these details.
source: ANP, article in Dutch (external link)