The niner noteworthy stories of 2017 (week 16)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Security of connected devices and smartphones

Chinnapong / Shutterstock.com

Vigilante botnet infects IoT devices before blackhats can hijack them


Most of the time I comment on articles because my view of the world, and of information security in particular, differs from that of the authors. In other cases I simply try to better explain the business impact of what the article describes.
However, in this case I can’t help but agree with the author. Although what this worm is doing seems benign, it is illegal and certainly no solution for a growing problem.
Bricking the devices would not work either, beyond taking them off the net temporarily and causing a lot of trouble for their owners and probably the vendors as well. Although I must admit that the latter group gets less of my sympathy, as it was their insecure device in the first place.
The problem of poorly secured or even unsecured IoT devices is certainly going to get worse, even to the point that it will have a large economic impact as well.
source: Ars Technica (external link)

Meet PINLogger, the drive-by exploit that steals smartphone PINs


The only solution could be to not allow a site to access sensor data unless the user explicitly approves it. This is a technical solution which probably doesn’t work, though, as every site will then request that access, similar to what we have seen with the cookie walls in Europe, where it was practically impossible to distinguish between the cookies that are really necessary and the ones you don’t want because they serve advertising and tracking purposes.
A temporary workaround would be to make your PIN codes longer and/or more complex by using alphanumeric characters.
Besides this, however, the impact of this issue is not limited to possibly stealing your device’s PIN code; it can leak a lot more sensitive data as well, which can and probably will be more damaging than the unlock code itself.
source: Ars Technica UK (external link)

The Importance of VPNs While Using Wi-Fi on Airplanes


Whilst the article is correct that Wi-Fi on planes can be insecure and that, when travelling over certain countries, you can break the law by visiting certain websites, using a VPN connection or cryptography in general may break the law in other countries you travel over as well. So whilst this advice seems to help, it may also do the exact opposite of what it is trying to prevent.
Maybe airlines should help in this respect and make sure all their internet traffic goes over an airline-operated VPN to a fixed endpoint in a country that has either no restrictions, or at least restrictions that remain constant during your entire flight.
Oh, and yes, a VPN connection will slow something down, probably the device you are using. Cryptography is computationally intensive, which means that it will require more resources on your device than an unencrypted connection would. Whether this is noticeable will greatly depend on how fast your device is these days.
One last thing: whilst you are protecting yourself against possible rogue Wi-Fi access points or against breaking the law in countries you fly over, at the same time you are handing an enormous wealth of data on your browsing habits to the VPN provider. So choose your provider wisely.
source: Grown-up Travel Guide.com (external link)

Security ethics and awareness

Yeexin Richelle / Shutterstock.com

‘We should have done better’ – the feeble words of a CEO caught using real hospital IT in infosec product demos


So you fire people if they don’t meet your ethical standards? Then again, since when is asking customers if you can show their security gear in demos ethical? Can’t you set up your own demo environments?
Even worse in this case is that they used a hospital’s systems without permission. So I ask again: where are your own ethical standards, and how bad must those ex-employees be if they don’t meet those low company ethical barriers?
Oh, and besides that, even if it was a demo environment and no permission was obtained, why was that demo environment accessible from the outside in the first place? Really, it’s one of the first, and often less secured or unsecured, environments hackers try to find to gain a foothold into your company network. Although Tanium’s product may be interesting, the conduct of this company clearly lacks ethical understanding, which we may find is reflected in its product quality as well.
One tip for hackers, go for the Tanium console as apparently you will have full remote access to the entire network.
source: The Register (external link)
and some more background here: Ars Technica UK (external link)

Health execs rank employee awareness as greatest cybersecurity concern


Then apparently your security awareness training is not good enough if you still think that is your greatest threat. Whilst employees are certainly a risk for data leakage or other privacy issues, this survey would suggest that a large majority of the responding parties have their security programmes, governance and mitigation strategies in top-notch shape and are left with the human factor as the weakest link.
Either this survey got lucky with the organisations it requested a response from, or the data it is based on is incorrect, as this doesn’t match the number of data breaches reported in the healthcare sector.
As for the security awareness training itself, it’s not enough to tell your employees what they should or shouldn’t do. You also have to explain why it is necessary to take certain precautions and measures. And yes, you have to repeat that over and over again, but not in the same manner every time, or you will lose your target audience’s attention and therefore the effectiveness of your training, increasing the risk at the same time.
source: Healthcare IT News (external link)

Cyber attacks: British firms storing customer data more prone to breaches


There is a very good reason for this: personally identifiable information (PII) is becoming the currency of the criminal parts of the internet. Your data is worth a lot if it can be used to scam you, impersonate you or be sold on to others with similar intent.
In that respect these types of data are a lot more interesting than, say, credit card numbers, as they can probably be misused multiple times. Credit card data is usable only in a small window of opportunity, as cards are quickly, at least I hope so, blocked when fraudulent activity is detected either by the card company or the card holder. Identity fraud and identity theft are usually much more difficult to detect, let alone stop.
It is interesting, as a side note, that these details are published. I wonder what would happen if a similar survey were undertaken in the Netherlands.
source: Ars Technica UK (external link)

Hacking the financial sector and counter measures

Chesky / Shutterstock.com

New leak shows how a major hacking group cracked Windows and international banks


So it seems that the NSA was also targeting the Swift network directly. Not too surprising, as their data stream, which e.g. contained practically all transactions done within Europe, dried up a couple of years ago (or so the EU would have us believe).
In a sector where checkbox compliance is more important than actually mitigating risks, this can be very significant. Especially if some of this stuff is going to be used for fraudulent purposes, which is obviously only a question of time.
The last couple of weeks I have seen more and more vacancies popping up from large international financials requesting people with Swift experience (no, not the programming language) to help them implement the new April 2017 rules. Although this might improve security over time, I’ve also been told that implementing 2-factor authentication for Swift connectivity is still not mandatory.
Besides that, 2FA as it is usually implemented may not really be 2FA at all. But that’s another story altogether.
source: The Verge (external link)

Holiday Inn hotels hit by card payment system hack


So whilst Europe switched to the more secure EMV chips with a 4-digit PIN code (or probably a fingerprint, see next article), the US has stayed behind in the magnetic swipe card era, with all the consequences attached to it.
This isn’t the first time I have paid attention to this issue either, as can be seen here and here.
That the EMV chips themselves are getting a fair amount of attention too is certainly true, as can be seen here and in one from August last year.
The most interesting note in this article, however, is that apparently hotels that took an encryption-based security measure would not have been affected. So much for PCI-DSS (Payment Card Industry Data Security Standard). Maybe this is the reason one of my clients a couple of years back said they weren’t going to implement PCI-DSS.
source: BBC News (external link)

Mastercard launches card that replaces PIN with fingerprint sensor


This is indeed an interesting development and a far better option than the updated EMV scheme, which places the sensor on the terminal, making all kinds of attacks, snooping and skimming possible.
I do wonder, though, how the fingerprint is actually put on the card the first time the card is issued. This could be a major security headache and is, unfortunately, not elaborated on in this article.
The final point on fraud is pretty real. Banks have already tried to put the blame for fraud with bank accounts on the end user if their computer wasn’t secured enough; as I understand it, that backfired and was never widely adopted. It would not surprise me if credit card companies tried to do a similar thing, as they believe that a fingerprint is unique and very secure too.
As for the remark that it would also make online payments more secure, I respectfully have to disagree. I have never had to use my credit card’s PIN code in any online transaction, so how MasterCard wants to pull that off is a real mystery, as BBC News (external link) correctly states that online payments and other card-not-present transactions still require additional security measures.
source: The Register (external link)