The niner noteworthy stories of 2017 (week 9)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

‘Cloudbleed’ post-mortem points to huge data leak, but no evidence of exploitation


There is some follow-up news on this topic as of last week’s writing.
As I wrote last week, cock-ups like these have a potentially massive impact, which this article confirms.
One interesting note, however, is this sentence: “Cloudflare confirmed that customer SSL private keys were not leaked.”
Had that happened, the keys could have been replaced easily enough, but it would have made the potential impact and scope for misuse that much larger. The reason such a leak is possible at all is that Cloudflare terminates your SSL connection at its edge routers; that is the only way it can deliver its security services. The reasoning is pretty simple: if you want to detect malware, viruses and attacks easily, encrypted traffic is a problem.
source: ZDNet (external link)

Amazon typo knocked websites offline


I can understand why you want, for ease of use, to have a link between your billing system and your virtual machine farm. If somebody stops a subscription or fails to pay, you can easily take the relevant machines offline and/or even delete them if necessary.
However, if somebody makes a mistake, you are actually inviting problems like this, especially if no four-eyes principle is embedded in your processes to make sure nobody can do anything malicious on their own or, as in this case, to stop somebody from making a mistake.
Then again, as The Register (external link) adequately shows, the web and app developers share part of the blame as well. The service does offer distributed computing options to make sure that downtime in one data centre doesn’t take out your entire platform. However, the fact that they aren’t taking advantage of this is probably only partially to do with costs and the fact that distributed computing isn’t a piece of cake either. The whole notion of “cloud computing” and the marketing messages that come with it are to blame for this as well.
And yes, even Amazon itself failed in this spectacularly, as its own status dashboard was affected too.
source: BBC News (external link)

Master spy behind Snoopers’ Charter wants to gag leakers, journalists


If last year we thought the Investigatory Powers Act (or Snoopers’ Charter) went too far in the surveillance mandates granted to the intelligence community, this piece and the related draft or proposed law changes make it even worse.
Not entirely surprisingly, some have already hinted that if this continues, the UK shouldn’t count on obtaining an adequacy decision from the European Union on data transfers between the EU bloc and the UK after Brexit.
It is interesting to note, though, that the Information Commissioner’s Office (ICO) is apparently continuing its work on the General Data Protection Regulation (see next story), much of which is in extremely sharp contrast with the UK’s push for sweeping surveillance powers and even criminalising leaks of “sensitive” data.
source: Ars Technica UK (external link)

Europe’s data protection rules set a high bar for consent – and UK ICO welcomes your thoughts


So consent will be (re)defined as fully informed and freely given. This looks like a similar definition to the one in the Wet Bescherming Persoonsgegevens (WBP), which is the current Dutch law for data protection. I am wondering if this would also hold for organisations sharing information with e.g. concert organisers for spam targeting, as well as the concert hall itself sharing personal information with these organisers without being able to opt out at all. I would suspect that even under the current law this practice is at least unethical; under the GDPR it may even be fineable too. I can’t wait for the moment I can ask the Dutch data protection agency (Autoriteit Persoonsgegevens) to launch a formal investigation into one major concert hall in the Netherlands and at least one organiser who doesn’t want to listen to requests to stop spamming.
Or at least my ability to opt-out of this unethical and certainly unwanted sharing of my personal details.
source: The Register (external link)

Global cybercrime prosecution a patchwork of alliances


No digital alternatives for security cameras? Yes there are: they are called IDS, or maybe IPS, or even SIEM, and if enough skilled staff are actually looking at the monitors and making sure they pick out the real incidents instead of the false positives, there certainly is a digital variety of your physical security camera.
However, as positive as this may sound, they are also easier to beat than your average security camera. Where the camera has to be destroyed, its connection cut or its lens painted over before detection is no longer possible, digitally it greatly depends on what logging and detection methods are used, as well as on who is looking at them, whether someone can duck under the radar.
And whereas a non-functional security camera would immediately show up on any monitor connected to it, digitally it isn’t that easy.
So the main point of this article, “we aren’t there yet”, is certainly true.
source: CSO Online (external link)
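The blank-monitor problem above, as an added example that is not part of the original post: a small dead-sensor check that compares the last time each log source reported against an inventory of sources expected to report. The log lines, source names and threshold are constructed for the example; the point is that a source that stops logging, or never logs at all, only becomes visible when you check for absence, not just for alerts.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO timestamp, then source=<name>, then the event.
SAMPLE_LOG = """\
2017-03-01T10:00:00Z source=ids-dmz msg=alert sid=1000001
2017-03-01T10:00:30Z source=fw-edge msg=deny src=198.51.100.7
2017-03-01T10:01:00Z source=ids-dmz msg=alert sid=1000002
2017-03-01T10:02:00Z source=fw-edge msg=allow src=192.0.2.10
2017-03-01T10:20:00Z source=fw-edge msg=deny src=198.51.100.9
"""

# Inventory of sources that should be reporting (constructed). A source that
# stops logging, or never starts, can only be noticed against such a list:
# per-event rules never fire on events that do not arrive.
EXPECTED_SOURCES = ("ids-dmz", "fw-edge", "proxy-web")

def parse_ts(text):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def last_seen(log_text):
    """Map each source to the timestamp of its most recent line."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("source="):
            continue  # malformed line: skip rather than crash the monitor
        ts, source = parse_ts(fields[0]), fields[1].split("=", 1)[1]
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen

def silent_sources(log_text, now, max_gap, expected=EXPECTED_SOURCES):
    """Return {source: minutes silent} for overdue sources; the value is None
    when the source never appeared in the log at all."""
    seen = last_seen(log_text)
    silent = {}
    for source in expected:
        if source not in seen:
            silent[source] = None
        elif now - seen[source] > max_gap:
            silent[source] = (now - seen[source]).total_seconds() / 60
    return silent

def check_sample(now_iso="2017-03-01T10:21:00Z", max_gap_minutes=10):
    """Run the dead-sensor check over the constructed log at a given 'now'."""
    return silent_sources(SAMPLE_LOG, parse_ts(now_iso), timedelta(minutes=max_gap_minutes))
```

With the constructed data, `fw-edge` is healthy, `ids-dmz` has been quiet for 20 minutes, and `proxy-web` never reported at all, which is exactly the case an alert-driven view never shows.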

MWC 2017: ‘22,000 hackable webcams in Barcelona’


Whilst this isn’t really news, at least not if you have been following my blog or any other tech media site for the last few months, the fact that there are so many of them in just one city is obviously worrying, even though the research was done by a company for marketing purposes.
Couple this with other recent news on backdoors in Chinese IoT devices and the unwillingness of their manufacturers to fix the flaws, and you get a problematic cocktail, the consequences of which we already witnessed last spring with massive IoT-based DDoS attacks.
source: BBC News (external link)

Ransomware for Dummies: Anyone Can Do It


DDoS as a service, lifetime copies of click-and-forget ransomware tools, and all of it advertised on YouTube, including advertising around the videos from Google itself, which makes money off these postings too. The real problem behind this issue, however, is that more and more of these seemingly advanced hacking and extortion toolkits are being made far too easy to use and are being sold openly on the internet for anyone to obtain and start their career in cybercrime.
The creation of bitcoin, as an anonymous payment method, has not helped the matter either. Where will this end?
source: Krebs on Security (external link)

Visa, Mastercard beef up mobile payment tech at Mobile World Congress


Interesting to see that older technologies can have their modern-day implementations as well. On the other hand, with growing competition from payment services like Apple Pay and others, it seems Visa and Mastercard are trying to seek new markets rather than actually beefing up security.
Credit card usage has never been about total security; if it were, then systems like extra online PIN codes or e-codes would be mandatory on all online payments.
source: CSO Online (external link)

It’s Schrems, round two


Yes indeed, if all data flows to the US are fully suspended, there will be economic impact. But not only for the European Union I have to add.
However, for some companies, Facebook among them, I guess the EU economic impact won’t be as great as they are letting us believe.
This entire story is an interesting one as it pitches the EU way of handling data protection against the US way of thinking about it. Recent developments around the new US administration are only widening the rift between the two continents on this matter.
source: IAPP (external link)