These are the noteworthy stories, in no particular order, that piqued my interest last week.
- Google Online Security Blog: Hosted S/MIME by Google provides enhanced security for Gmail in the enterprise
- Rethinking Vulnerability Disclosures In Industrial Control Systems
- Particle accelerator hacked: Boffins’ hashed passwords beamed up
- Why 53 Percent of Banks Think Security Controls Negatively Impact Customer Experience
- Most enterprises lack risk strategy, fear damage to reputation: Ponemon Institute
- Ransomware Turns to Big Targets—With Even Bigger Fallout
- Goodlatte: Electronic Privacy, Foreign Intelligence on Judiciary Agenda
- Privacy Commissioner wants big fines for privacy breaches
- Dutch will count all election ballots by hand to thwart hacking
Google Online Security Blog: Hosted S/MIME by Google provides enhanced security for Gmail in the enterprise
There is just one sentence in this blog post that should worry, or at least draw the attention of, anybody responsible for security within a company:
To use hosted S/MIME, companies need to upload their own certificates (with private keys) to Gmail, which can be done by end users via Gmail settings or by admins in bulk via the Gmail API.
The most important term here is private keys: they are not called private for nothing and should be handled with great care.
Whoever actually holds the private keys controls the communication encrypted with the corresponding public keys and can sign as the key owner. In this case, that is Google.
Yes, this is an interesting business opportunity, but you really need to trust them a lot to hand over your private keys to their servers.
As for implementation, you are still responsible for generating the keys and requesting the certificates, as well as for training your users. Given that, you can just as easily add training on installing the certificates client side to the mix, in which case this is really no solution after all. Besides, who signed that all-important message: the user who is supposed to own the private key, or somebody at Google? You can't tell the difference, because a valid signature only proves that the signer had the key.
source: Google blog (external link)
Rethinking Vulnerability Disclosures In Industrial Control Systems
Whilst this article is indeed spot on, the problem it describes was created by the industry itself, by switching to commodity off-the-shelf hardware and software and connecting everything together without thinking about the security complications. Yes, you can't easily patch an industrial control system, if a patch is even available at all. What you can do, however, is mitigate these security holes in a different way: isolate these systems, use data diodes, and apply other controls that filter and monitor communication into and out of the industrial parts of your network.
Ignoring this will lead to irreparable damage and associated risks for the companies involved and, depending on the type of industry, for the environment and society too.
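As an added example (not code from this post or from the Dark Reading article), the following Python script models the "filter and monitor" control recommended above: a read-only gate for Modbus/TCP requests crossing from the corporate network into the industrial zone. It parses the MBAP header and function code, drops anything malformed, forwards only the four standard read function codes within the quantity limits the Modbus specification sets, and refuses every write with a reason fit for an audit log. The sample frames, the unit id and the zone names are constructed for the demonstration; in practice this logic belongs on an industrial firewall or unidirectional gateway, not in a script.

```python
"""Read-only Modbus/TCP request gate for the corporate -> OT boundary.

Added example, not code from the article. The frames below are constructed
for the demonstration; function codes and quantity limits are the public
ones from the Modbus Application Protocol specification.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Public read function codes and the maximum quantity per request.
READ_FUNCTIONS: Dict[int, str] = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
READ_LIMITS: Dict[int, int] = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}
# Public write function codes: never forwarded from the corporate zone.
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class Decision:
    allowed: bool
    reason: str
    function_code: Optional[int] = None
    unit_id: Optional[int] = None


def filter_request(frame: bytes) -> Decision:
    """Decide whether one Modbus/TCP request may be forwarded into the OT zone.

    Default deny: malformed frames, writes and any function code not on the
    read allowlist are refused, each with a reason for the audit log.
    """
    if len(frame) < MBAP_LEN + 1:
        return Decision(False, "drop: shorter than MBAP header plus function code")
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        return Decision(False, f"drop: protocol id {protocol_id} is not Modbus (0)", unit_id=unit_id)
    # The MBAP length field counts the unit id byte plus the whole PDU.
    if length != len(frame) - 6:
        return Decision(False, f"drop: MBAP length {length} != {len(frame) - 6} bytes on the wire",
                        unit_id=unit_id)
    function_code = frame[MBAP_LEN]
    if function_code & 0x80:
        return Decision(False, "drop: exception flag set on a request", function_code, unit_id)
    if function_code in WRITE_FUNCTIONS:
        return Decision(False, f"block: {WRITE_FUNCTIONS[function_code]} not permitted from corporate zone",
                        function_code, unit_id)
    if function_code not in READ_FUNCTIONS:
        return Decision(False, f"block: function code 0x{function_code:02X} not on read allowlist",
                        function_code, unit_id)
    name = READ_FUNCTIONS[function_code]
    data = frame[MBAP_LEN + 1:]
    if len(data) != 4:  # start address (2) + quantity (2)
        return Decision(False, f"drop: {name} data must be 4 bytes, got {len(data)}", function_code, unit_id)
    start, quantity = struct.unpack(">HH", data)
    if not 1 <= quantity <= READ_LIMITS[function_code]:
        return Decision(False, f"drop: {name} quantity {quantity} outside 1..{READ_LIMITS[function_code]}",
                        function_code, unit_id)
    return Decision(True, f"allow: {name} unit {unit_id} start {start} qty {quantity}", function_code, unit_id)


# Constructed sample requests (hex) as they would arrive from the corporate side.
SAMPLE_REQUESTS: Dict[str, str] = {
    "read_10_holding_registers": "00010000000601030000000A",
    "write_single_register": "0002000000060106000100FF",
    "write_multiple_registers": "00030000000B01100001000204000A000B",
    "wrong_protocol_id": "00040001000601030000000A",
    "truncated_after_function_code": "0005000000060103",
    "read_255_registers_over_limit": "0006000000060103000000FF",
    "device_identification_0x2b": "000700000005012B0E0100",
}


def run_demo() -> List[Tuple[str, bool, str]]:
    """Run every sample through the gate; return (name, allowed, reason) audit rows."""
    rows: List[Tuple[str, bool, str]] = []
    for name, hex_frame in SAMPLE_REQUESTS.items():
        decision = filter_request(bytes.fromhex(hex_frame))
        rows.append((name, decision.allowed, decision.reason))
    return rows


if __name__ == "__main__":
    for name, allowed, reason in run_demo():
        print(f"{'FORWARD' if allowed else 'REFUSE':8} {name:32} {reason}")
```

Only the well-formed ten-register read is forwarded; the two writes, the out-of-spec read and the device-identification probe are all refused with a logged reason, which is what you want a monitoring point at the OT boundary to produce even when the controller behind it can never be patched.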
source: Dark Reading (external link)
Particle accelerator hacked: Boffins’ hashed passwords beamed up
Okay, it is not an industrial control system, but it is a portal to such a system, and it wasn't appropriately secured. This is precisely what may lead to far worse situations if the control systems behind such a portal are breached as well.
It is therefore a prime example of why I wrote the comments I did on the previous article about industrial security. Other than that, this is just another password and e-mail address leak, pretty commonplace these days unfortunately.
source: The Register (external link)
Why 53 Percent of Banks Think Security Controls Negatively Impact Customer Experience
Information security is always a trade-off between security measures and ease of use, or at least that is how it is often viewed. In some cases security, and specifically authentication mechanisms, can be annoying; however, a good explanation of why they are in place will certainly help your employees as well as your customers understand why they are necessary.
As for SMS-based two-factor authentication no longer being considered secure (codes can be intercepted through SIM swapping or weaknesses in the telephone network): passwords aren't considered secure either, as this article states, yet a lot of organisations still use them very widely. I don't see that changing for SMS-based authentication any time soon either.
There is one related problem when changing to behavioural security mechanisms: most of these are based on some form of profiling, which could bring such measures into conflict with data protection laws.
source: IBM Security (external link)
Most enterprises lack risk strategy, fear damage to reputation: Ponemon Institute
Correct in that risk isn't managed. Incorrect in that the CISO only manages IT risks; at least, that should never be the case, as practically all information security risks impact the business and are caused by that same business as well.
Risk management should be a business responsibility; whether the risks are financial, operational or data related doesn't matter.
On the other hand, you can ask yourself how much damage Target and Home Depot actually suffered after their respective breaches. As long as it is still cheaper to get hacked than to build strong IT defences, as I have commented about here, nothing will really change that much.
source: IT World Canada News (external link)
Ransomware Turns to Big Targets—With Even Bigger Fallout
The final sentence of this article is precisely why I have included it: it states that if, next time, you are collateral damage of a ransomware attack on a hotel, hospital or business, it isn't your fault, but it is made your problem by the company that was the real, direct victim.
As with all such attacks and their aftermath, it is real people bearing the cost and effect, rather than just a bit of data that was lost or stolen.
This is precisely why the General Data Protection Regulation (GDPR) lays the responsibility on the companies owning or processing the data and not on the data subjects, aka you and me.
source: Wired (external link)
Goodlatte: Electronic Privacy, Foreign Intelligence on Judiciary Agenda
So, all electronic communication that sits somewhere on a server and is more than 180 days old is fair game for the intelligence community. Interesting, especially considering that non-Americans who are reasonably believed to be outside the United States are fair game anyway, probably within the 180-day limit as well.
Just consider these laws for a minute and match them up with the EU/US Privacy Shield or the GDPR, and you will probably come to the same conclusion as I have: they don't match.
source: Morning Consult (external link)
Privacy Commissioner wants big fines for privacy breaches
Interesting to see that more and more countries and data protection authorities are moving towards more stringent data protection laws, including fines for those careless enough to break them. Although 1 million New Zealand dollars pales in comparison with the maximum fines under the General Data Protection Regulation (GDPR), it is a start in the right direction for sure.
source: Stuff.co.nz (external link)
Dutch will count all election ballots by hand to thwart hacking
In the meantime, local authorities are having big problems getting this organised just five weeks before the elections, due to be held on March 15th. Although this article cites RTL as its source, the real person behind this information is ethical hacker Sijmen Ruwhof, who uncovered the entire problem with the counting software behind the paper ballots and the extremely insecure-by-design processes used to transfer counting results from local to national tallying stations.
Reading all this makes me wonder what else within the Dutch government is hopelessly insecure and very dangerous to our society. More worrying still is that the authorities themselves apparently lack the knowledge and insight to realise this, and that we need people like Sijmen to bring it to light.
source: The Guardian (external link)
You can find the entire weblog post by Sijmen Ruwhof here (external link).