The niner noteworthy stories of 2017 (week 8)

These are the noteworthy stories, in no particular order, that peaked my interest last week.

FCC to halt rule that protects your private data from security breaches


If you see the title and as specially the title on a related article on The Register (external link), you are made to believe that stoping these privacy rules to get into place is a bad thing. Which, if you only would be looking at these specific rules and the companies they apply to, is indeed the case.
However, the reason given by the new FCC chairman Pai that such rules should be part of an industry wide framework which also would hold for companies like Google and Facebook is at least interesting.
I think mr. Pai should pay a visit to Europe and see how we deal with these matters from a fundamental human rights point of view.
The way mr. Pai however choses to come to such a framework by reducing privacy protection first, or at least not strengthening it, is counter productive to say the least.
source: Ars Technica (external link)
Update March 9th: the
International Association of Privacy Professionals (external link)
has posted an in-depth article on the expected vote and it’s implication on March 2nd.

Cloudflare bug data leak exposed


Old software, no security testing and certainly not secure coding practices, all combined and you will get incidents like this.
Interestingly the BBC article and subsequent information states a limited impact on a limited time-scale as well. However an article on Dark Reading (external link) disagrees with this statement and subsequently states that the servers may have been leaking data for up to a year. Unless the buggy peace of software was updated on the date the leak started, the problems could very well have been there long before it’s discovery and therefore been leaking data longer then Cloudflare is admitting to.
A partial fix in 47 minutes and a complete fix in 7 hours is impressive for sure, but since nobody knows which online services are actually using the Cloudflare platform so is the potential impact.
source: BBC News (external link)
Another article states that the blunder was a simple typo with disastrous consequences, The Register (external link)

Why Adobe is rolling out digital signatures for any device


What Adobe seems to forget is that, specifically in Europe, physical devices are required as a smartcard or token to hold the actual signing keys. The problem with all these cloud technologies and sign stuff from anywhere and any device is that no guarantee can be given the person using the private key to sign a document is actually the person that owns that particular key.
Now I might be old fashioned etc. but as soon as a private key is somewhere stored in the cloud on servers that are not under my control, in my opinion the signature becomes invalid as you can’t prove the person who claims to have signed the document is indeed the person you think it is.
This trust-based paradygm is an absolute requirement of a digital signature system that works. Unfortunately it is barely understood by industry let alone by the organisations purchasing solutions like the Adobe one.
That’s not to say their solution is hopelessly insecure, although if their Flash offering is any indication I wouldn’t put my hopes up.
source: CIO Dive (external link)

How’s your online bank security looking? The Dutch studied theirs and… yeah, not great


Unfortunately there is one very good reason for this which is the ever growing pressure from regulators to be “compliant” to more and more financial sector standards. This has the unfortunate yet expected side effect of checklist mentality instead of real risk management, as well as the fact that as long as it isn’t pushed for in those same standards it’s not taken up either.
Couple that to a notion and false sense of security and you understand why they haven’t been taking up the challenge of implementing DNSSec.
Are banks therefore completely insecure because of it’s absence? Fortunately this is certainly not the only measure banks must take to become secure. Although I understand this is the scope of view of the SIDN, if the security of any organisation is solely based on DNSSec I would certainly not want to have a bank account with them for sure.
source: The Register (external link)

Privacy Watchdog: Microsoft Must Explain How It Processes Windows 10 User Data


Microsoft says they want to work with privacy groups (I think the author means data protection agencies here), if that’s the case than why is the article 29 working party still concerned with wat Redmond is failing to do in the upcoming update?
Privacy concerns over data slurping and it’s usage for advertising purposes have been around sinds the release of Windows 10 in 2015 and as is apparent by this article, Microsoft is not really doing it’s best to help put these concerns to rest either.
With the upcoming GDPR and the proposed changes in the E-Privacy laws, Microsoft could be phasing a hard time on this issue if the watchdogs of our European fundamental human right decide to bite and hold firm on this issue.
source: Softpedia (external link)

Critical Infrastructure Cybersecurity: the crude reality


The problem presented in this article is very real and you don’t even need industrial IOT to understand nor take advantage of industrial systems. Most of these systems are poorly secured as they were never designed to be interconnected in the first place. Add to wireless connectivity to the mix, of which the security and reliability can be compromised unless backup links and strict security measures are in place and you may start to get the picture of where we are heading with our smart cities.
Safety is a term well understood by industry, specifically after world shocking accidents like the 1988 Piper Alpha one. Security however is a concept alien to most industrial organisations which will become a problem, as long as it isn’t one already.
In the Netherlands this is only made more complicated by our language which combines the words “security” and “safety” in to the Dutch word “veiligheid” which can have either of the two meanings. If not understood correctly which of the two possibilities is meant, the consequences can be disastrous.
source: Cipsec (external link)

UK forced to derail Snoopers’ Charter blanket data slurp after EU ruling


And here is the impact to the investigatory powers act I wrote about early this year.
Data slurping is illegal under Eu laws, which has been confirmed by the EU courts over and over again in the last couple of years. However it seems that governments keep trying to get around this provision with new laws and new attempts that are bound to fail.
This one will probably get a followup later this year and certainly one as soon as the UK government is not accountable to the ECJ anymore after brexit. Will the UK become a snooper’s paradise where European companies actually don’t want or aren’t even allowed to store or transfer their sensitive data? Time will tell.
source: Ars Technica UK (external link)

Watch Malware Steal Data From Air Gapped PC With Blinking Lights and a Drone


Sometimes these stories pop up which use alternative methods to transfer data, just like these two I previously wrote about: CLEVER ATTACK USES THE SOUND OF A COMPUTER’S FAN TO STEAL DATA and Air gap breached by diskdrive noise.
Whilst all these techniques are pretty interesting and if you are paranoid enough you now start to cover all windows, LEDs and use only finless diskdrives etc. The truth of the matter is that such attacks aren’t trivial to pull off in the first place.
Most quadcopters on the market are quite noisy themselves and hovering outside your window, certainly at night, will cause suspicion for sure (at least I hope it does). Why I am posting about these kind of attacks than? Simply because it’s interesting to read about and it also gives you a glimpse in what is possible when really determined people get creative.
source: Wired (external link)

US Homeland Security is so secure even its own staff can’t log in


Whilst normally I would agree that systems workers can’t login to are the most secure systems available. But only if they are not connected in some way to the internet on the other end either of course.
Time will tell if this is a classic IT cock-up or something more sinister at work at the DHS. As for the comment in the article on the soon-to-be head of cyber security in the Donald’s administration, indeed have a look at his website and what’s been written about it already and you may get an idea this may not be the last story on the American government and possible intrusions.
source: The Register (external link)