The niner noteworthy stories of 2017 (week 6)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Is The Tesco Bank Hack The Wakeup Call Needed To Make Mobile Security A Priority?


Could this type of attack happen again? Unfortunately, yes, it certainly could. Is this the wake-up call the financial sector needs to take this seriously? Probably not. It wasn’t their company that was breached, so yes, they will take note, but they will still think they are secure themselves and therefore don’t need to take extra measures.
The most interesting bit in this article, however, is not the Tesco Bank hack but the 2015 one referred to. The American company Heartland thought they were compliant, yet they were breached.
This is precisely the issue in the entire financial industry, where risk is more often than not treated as equivalent to compliance, leading to a checklist mentality and a false sense of security, specifically at board and senior management level.
The author, Kirsten Bay, states that this hack will elevate security to be thought of as a high-ticket item; I must respectfully disagree. Why would this incident be different in that respect from all those that have come before it and clearly have not raised security to a high-ticket item? At least not enough to prevent incidents like this from happening.
Sure, it will help to raise awareness, but will it be enough?
source: Information Security Buzz (external link)

Cybercriminals Shifting Tactics In Light Of EMV Chip Credit Cards


Whilst the article is entirely correct, the adoption rate of new technologies is frighteningly slow, especially for those that require a paradigm shift, like the ones needed to implement IP version 6 or to secure DNS with DNSSEC.
On top of that, the financial sector is not exactly a frontrunner in adopting advanced new technologies, and as long as the risk isn’t too high it certainly will not change.
These two factors together show why fraud involving EMV chips, credit cards and other payment systems probably won’t decline anytime soon.
The points made in this article reach far beyond the financial sector, though, and could equally be applied to access to health data.
source: Information Security Buzz (external link)

TLS vulnerability in popular iOS apps allows user data to be intercepted in man-in-the-middle attack


Another week and another story on cryptography implementations that are not done correctly. There is, however, one bit in this article which made the hairs on the back of my neck stand up, even though I am fully aware it happens and have seen it often enough myself.
The offending sentence is the final bit in the following quote:

“There is no possible fix to be made on Apple’s side,” Strafach asserts, as overriding this functionality would “actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections with an enterprise.”

If you need certificates on corporate networks, make sure they are real certificates that can therefore be validated. In most cases where this issue arises on such networks, self-signed certificates are used, which add no real value to the connection: validating them, and thereby gaining assurance that you are indeed connecting to the server you think you are connected to, is impossible.
A short but somewhat laborious workaround would be to distribute an internal root certificate to all employees, making it possible to at least validate the certificate used for the connection; although this may seem to help, it effectively only disguises the problem.
source: Apple Insider (external link)
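To show the difference between the two situations above in working code, here is an added example of my own (not code from the article or from Strafach’s research). It builds the certificates in memory with Go’s standard library: a self-signed intranet server certificate fails validation, a certificate issued by an internal root also fails while the client’s trust store lacks that root, and it passes once the root has been distributed. The hostname, the root’s name and all key material are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tmpl builds a certificate template: an internal root CA when ca is true, otherwise a TLS server certificate for host cn.
func tmpl(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for t and has signer sign it; a nil parent means the certificate signs itself.
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, signer = t, key } // self-signed: issuer == subject, own key signs
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c, key
}

// validates reports whether a client that trusts only roots would accept cert for host (hostname and chain check).
func validates(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenarios returns (selfSignedAccepted, internalCertWithoutRoot, internalCertWithRoot); expected: false, false, true.
func Scenarios() (bool, bool, bool) {
	const host = "intranet.example.internal" // hypothetical intranet hostname
	selfSigned, _ := issue(tmpl(host, false), nil, nil)                     // what a self-signed intranet server presents
	root, caKey := issue(tmpl("Example Corp Internal Root", true), nil, nil) // constructed internal root CA
	server, _ := issue(tmpl(host, false), root, caKey)                       // the same server, issued by that root
	stock, withRoot := x509.NewCertPool(), x509.NewCertPool()               // client trust store before / after distributing the root
	withRoot.AddCert(root)
	return validates(selfSigned, stock, host), validates(server, stock, host), validates(server, withRoot, host)
}

func main() { fmt.Println(Scenarios()) }
```

The empty pool stands in for a device whose trust store has no knowledge of the company; the self-signed case stays false whatever public roots are installed, which is the point made above.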

Most Mobile VPNs Have Major Security Concerns


Sound advice combined with the usual pitfalls makes for an interesting article, which is certainly worth reading if you are either planning to use or already using VPN services to “hide” your web traffic from prying eyes.
In this day and age, though, a VPN tunnel alone isn’t enough anymore; with techniques like browser fingerprinting via audio and video, as well as other tracking techniques, the question remains how useful such services really are by themselves. That is, unless they are combined with advanced malware and advertising blocking, obviously.
Which has one major drawback: with more and more web traffic being encrypted point-to-point, these additional protection mechanisms will lose their effectiveness too.
source: Wired (external link)

Sports Direct hacked last year, and still hasn’t told its staff of data breach


Besides the extremely obvious disregard for its employees in not informing them of the data breach, which may very well be a breach of law under the General Data Protection Regulation, there is one sentence which also shows apparent disregard for any information security practice within the company. Although the systems are clearly available, it seems nobody is looking at them, or at least reports on incidents are not taken seriously.
The exact line in the article is this:

Sports Direct’s internal systems detected the intrusion in September, but it was not until December that the company learned of the data breach.

Okay, only 3 months, which is below the usual detection average, but still roughly 3 months after internal security systems had already detected the breach, it seems. A clear example of buying tools to secure your network and not making sure alerts are actually looked at? Or they are, and nobody listens to the people managing the systems? Either or both could be true. The final line in the article from the company’s spokesperson is clearly incorrect. Okay, apart from informing the relevant authorities, at least the CIO was informed; that’s the least they could do. Something they probably only did to make sure they wouldn’t be fined.
source: The Register (external link)

Ransomware evolution: Locky and Sage combine in phishing


Why build something new if you can reuse something that already exists and has proven its worth? The same applies here, it seems, although if the infrastructure used for both strains of ransomware is taken down, then both will initially be out of business. However, if the miscreants behind these attacks are smart enough they will know this as well and will have a backup plan and infrastructure in place for this scenario.
As for the common strategy: again, as long as it works, why change a winning team?
source: SC Magazine (external link)

One Hacker Just Took Down a Fifth of the Dark Web


If there ever was a definition of ethical hacking, this prime example would certainly qualify. Not only because the hacker in question took down questionable websites, but also because the files he or she released were cleaned of any personal data. If all claims and information are indeed correct, my compliments for handling it this way.
On the other hand, you can always ask why this person or persons were snooping around on the dark web in the first place. That, though, the story doesn’t tell.
source: Futurism (external link)

Australia wants to jail infosec researchers for pointing out dodgy data


Hopefully deterring? Good luck with that. It is rather naive of the Aussies to think they can put pseudonymised (certainly not anonymised) data in a public portal and then treat a ban on research into that data as a viable measure to protect it.
As the researchers named in the article have already proven, the health data can be linked back to the people it relates to. If this were misused on a large scale, the breach could potentially be the largest of its kind, certainly from a government point of view.
source: The Register (external link)

Firms split on who handles aftermath of cyber-attacks


I can’t but agree with this article: ultimately it is the responsibility of the board to make decisions after a breach, and the responsibility of the IT managers to clean up, fix and harden systems. But that last bit can only happen if the board members see the necessity of doing so and provide the budget and make the choices required to actually implement these measures, preferably before a company gets breached.
The ultimate irony of this stalemate is that both parties are partially right, although probably not on the part they would choose themselves.
It also illustrates very compactly the knowledge gap between the IT department and the boardroom, as well as the inability of both groups to speak each other’s language. In this respect nothing has changed over the last almost 10 years; the only thing that has changed is that companies struggling with this can ask me for assistance in narrowing the communication gap.
If you want to know more, don’t hesitate to contact me.
source: BBC News (external link)

Security firms ‘overstate hackers’ abilities to boost sales’

This doesn’t help the situation either, by the way, with board members probably thinking that if they buy this bit of kit their companies are fully secured. IT staff usually know better than that.
I have seen examples of this often enough; as one presenter in a conference video on industrial security put it:

I don’t need more dudes and dudettes to sell me more blinky toys with blinky lights to solve my security problem

and he is right in most cases.
Some companies do require more hardware and software to fix things, but it isn’t the magic or silver bullet, far from it.
source: BBC News (external link)