The niner noteworthy stories of 2017 (week 14)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Schneider Electric still shipping passwords in firmware


It is not the first time I have come across Schneider Electric security cock-ups this year, and this is no exception to the issues I wrote about in the post that link refers to.
However, contrary to what the article by The Register states, there is something users of these specific ICS systems can do: apply a defence-in-depth strategy and make sure that no access port on industrial control systems is easily reachable from outside the operational control network.
It is a well-known fact that industrial systems can’t easily be patched, for various reasons, so designing your security controls around these systems, as opposed to relying on them being secure themselves, should be a given.
Okay, the way Schneider handles hard-coded passwords doesn’t win the award for best-secured industrial product and they should never have done this, but if this is your only layer of security as an industrial plant you should be put in the corner next to Schneider for failing in your duty to adequately secure your networks and equipment.
source: The Register (external link)

Wonga tells 270,000 customers no need to change passwords after data breach


Whilst this advice seems stupid, immature and ill-considered, if indeed the passwords for these accounts were not compromised then changing them is probably not necessary. However, the company itself was still investigating (at least when this article by Ars Technica was published) the exact cause and extent of this data breach. So who knows what exactly was compromised.
What’s more worrying in this case is that Wonga tried to “hide” its screw-up in a corner of its website instead of putting it front and centre on its landing page, where it should have been in the first place.
Yes, they are right that attacks are on the rise (or at least you hear more about them in the media, and companies are steadily waking up and actually detecting that they are or were breached), but until we know why and how they were breached I reserve the right to be sceptical of their statement that they work to the highest degree of security and privacy protection. In my opinion this is rarely the case with breaches of this size.
source: Ars Technica UK (external link)

Samsung’s Android Replacement Is a Hacker’s Dream


Samsung’s Tizen operating system: I think somebody could become very, very rich if Samsung had to pay for every bug the researcher found in this code. This certainly isn’t “taking security and privacy seriously”, by a long shot.
If the Internet of Threats (Internet of Things) has shown itself to be a security and privacy nightmare, then Samsung’s Tizen operating system is its largest contributor, sponsor and maybe even the death of the Internet as we know it, all rolled into one codebase and company.
Only last week I wrote about Samsung smart TVs being hackable over the air, and there is more evidence on my blog of Samsung’s “mistakes” when it comes to taking security and privacy seriously, all having to do with their smart TVs and their smart home product.
This kind of immature coding can’t be patched either and probably needs a full rewrite of the entire codebase to come close to being as secure as possible. Maybe Samsung should stick to its core business, making hardware, although even most hardware contains a bit of software these days, and reading this doesn’t make me feel very secure about buying any Samsung products whatsoever. I would not go as far as saying any product containing Samsung chips, because that would exclude a lot of things, including most Apple hardware (yes, Samsung makes a lot of chips for Apple), but it does come close.
source: Motherboard (external link)

Mac malware spikes 744 percent, still not a big deal


So McAfee counts adware as malware too. Interesting, and to anybody who is privacy-conscious probably quite close to the truth as well.
If we compensate for that, the spike in Mac malware is significantly lower than this article’s title would lead you to believe. Although Mac malware is still dwarfed by its Windows counterpart, given that Apple computers are becoming more and more popular it is certainly not true that Macs don’t need anti-virus and anti-malware protection; on the contrary, you are well advised to have these programs installed on your shiny Macintosh computer too, even though the effectiveness of such software is highly debatable on Mac as well as on Windows.
source: SC magazine (external link)

An Unprecedented Heist Hijacked a Brazilian Bank’s Entire Online Operation


Yes indeed, your security measures must cover the administration of your domain name servers as well as your internal network. Apparently this Brazilian bank had to learn this the extremely hard way, as this was the attack vector that was used.
Now some people may be screaming that Let’s Encrypt needs to be taken out of service and that they are partially to blame for this, but I must strongly disagree. If the bank had kept its DNS record administration secure, this would not have happened in this fashion in the first place.
The only thing Let’s Encrypt checks is whether you are the valid owner of the domain, by resolving it through DNS and checking that it can reach a certain challenge-response mechanism. There is no extended validation (EV) component to these certificates; EV is the type of certificate used by banks and other sites that require more assurance on their certificates for their clients and visitors.
source: WIRED (external link)
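Let’s Encrypt performs that domain check through the ACME protocol’s http-01 and dns-01 challenges (RFC 8555). The following is an added example, not code from the article or from Let’s Encrypt, that simulates both checks against a constructed, in-memory DNS zone and web server (the domain, token and account key are placeholders) to show that passing them proves nothing beyond control of the domain’s records.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Proof the CA expects: the challenge token bound to the requesting account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 expects base64url(SHA-256(key authorization)) in a TXT record."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())

# The CA's view of the world, constructed as plain dicts: a DNS zone keyed by
# (name, rrtype) and a web server keyed by (ip, path). A real CA resolves and fetches.
def validate_http01(domain, token, jwk, dns, web) -> bool:
    """http-01: resolve the A record, fetch /.well-known/acme-challenge/<token>, compare."""
    ip = dns.get((domain, "A"))
    body = web.get((ip, f"/.well-known/acme-challenge/{token}")) if ip else None
    return body == key_authorization(token, jwk)

def validate_dns01(domain, token, jwk, dns) -> bool:
    """dns-01: the TXT record at _acme-challenge.<domain> must carry the expected digest."""
    return dns01_txt_value(token, jwk) in dns.get((f"_acme-challenge.{domain}", "TXT"), [])

# Constructed account key and token; x/y are placeholders, not a real curve point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed-token"

def build_records(domain: str, jwk: dict, ip: str = "192.0.2.10"):
    """Whoever can write these records passes both checks; the CA never asks who they are."""
    dns = {(domain, "A"): ip,
           (f"_acme-challenge.{domain}", "TXT"): [dns01_txt_value(TOKEN, jwk)]}
    web = {(ip, f"/.well-known/acme-challenge/{TOKEN}"): key_authorization(TOKEN, jwk)}
    return dns, web

def demo(domain: str = "bank.example"):
    """Both validations succeed purely because the records above were writable."""
    dns, web = build_records(domain, ACCOUNT_JWK)
    return validate_http01(domain, TOKEN, ACCOUNT_JWK, dns, web), validate_dns01(domain, TOKEN, ACCOUNT_JWK, dns)
```

The defensive lesson is the one the paragraph draws: the record-writing rights on your DNS (and web) hosting are part of your certificate trust chain, and deserve the same access control and change monitoring as the internal network.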

Data breach as details about MPs’ staff published in error


You would almost think this was an ill-fated attempt at democratic transparency, or a publication task under the new Snoopers’ Charter in which the public would, in return for giving up their privacy, be allowed to snoop on parliament. But no, it seems somebody just made an enormous blunder.
Then again, what is this kind of data doing on a web server in the first place? In my opinion it doesn’t matter whether it’s a defunct web server or not; the fact by itself is serious enough. And yes, there were no addresses or financial data, but we all know these are probably easily obtainable by other means anyway.
The fact that this website would be “archived” soon makes it even more troubling.
source: BBC News (external link)

AI Privacy Assistants Could Stop You From Exposing Sensitive Info


If this ever made its way into smartphone, watch or desktop/laptop operating systems I would certainly welcome it, although I think they would have to expand it to text containing private data as well.
The fact that the agent lives on your own device is a major plus, as that way no sensitive data can leak through the use of such a privacy protection, which would ultimately be your next nightmare scenario if it did.
Until this is a reality, however, some basic common sense lies in not posting pictures online that show the following: your passport, credit or debit card details, voting ballots, personal address, birth date, social security number or equivalent, medical information, etc.
And by don’t I really mean don’t, not even in “private” chats on social media or in an e-mail message, as all of those are less private than you probably think they are.
source: Vocativ (external link)

A new digital age is upon us – it’s called Internet of Things


It’s interesting to see that this article from a major player in the travel industry does understand that privacy and security are important, although it is clearly not too important to them, as it’s mentioned almost on the sidelines in an “oh, and by the way, we need to think of this too” manner.
Whilst I can understand this from their marketing and sales perspective, it does leave me somewhat worried about their true motives.
Not only is it mentioned in this way, it is also stated in an extremely passive manner. If Amadeus really wants to be the innovator in the travel industry, including the growth in the Internet of Things and the ambient travel experience, I would expect them to take the lead in enhancing the security and privacy of this experience on all fronts as well.
As I certainly see the benefits, I’m more than happy to help Amadeus achieve this goal.
source: Amadeus Corporate Blog (external link)

Web inventor Sir Tim Berners-Lee slams UK and US net plans


Online privacy (or data protection, as it’s called at least in European law) is indeed a fundamental human right, or at least it should be regarded as such. Yes, I know as well as anyone that anti-terrorism and law enforcement are having a hard time with all the encrypted web traffic, but so be it.
We have seen, with the WikiLeaks dumps of NSA cyber weapons, that governments and intelligence agencies simply can’t be trusted to keep secret the tools they use to spy on us, which means that if we give them the keys to our secured communication they are sure to lose those as well.
Weakening cryptography will also have a major impact on our economy, as business and financial transactions would no longer be secured and private. Even worse, cryptography in a lot of cases is also used for the integrity and non-repudiation of messages, all of which will be degraded or lost when we weaken the cryptographic algorithms they rely on.
The repercussions of all this will be far more damaging than the short-run benefits for society.
source: BBC News (external link)