The niner noteworthy stories of 2017 (week 21)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Contactless payments and SecurID patent spat

Creator of SecurID sues Apple, Visa over digital payment patents

So his new company isn’t really getting the funding it requires or the licences it needs to actually operate. What to do next? Well, the standard American response, it seems: sue the crap out of big companies and see if they are willing to cough up some money.
The label of it being the most secure portal in the world is probably true if you are only counting the ones that are actually in use, and not what has, for example, been in mothballs for the last 3 years.
I have recently spoken extensively with a company that is presenting a solution based on a validated physical piece of hardware that is more secure than the RSA token. And, on top of that, a lot less expensive as well.
If you want to know more and be one of the first adopters, contact me immediately for more details. Let’s make the world a secure place for customers and for doing business.
source: Ars Technica UK

Contactless payment fraud soars to £7m

For some reason this doesn’t really sound too surprising. Banks are often not the frontrunners in technological advances, and if they do finally implement something, it is most of the time done half-heartedly, certainly where security is concerned. With these contactless payment cards the potential for fraud is quite high, and the opportunity to spot it among all those small transactions rather limited.
Although honestly, taking 2 weeks to actually block a card when it clearly was reported lost is rather silly. And the fact that banks don’t transfer inter-bank payments on weekends or on, for example, the 1st of May (as they still see that as a bank holiday) is idiotic to say the least. It does clearly show that the financial industry hasn’t decided to come into the 21st century yet.
Although the new European payment services directive version 2 (PSD2) will demand a 15 second transaction throughput time, I doubt a lot of banks will actually be able to do it when the subsequent national laws come into force by February 2018. The 2-week lead time to block a lost card, as stated in this article, is an indirect example of why that’s not going to happen.
As for the seeming increase in fraud with contactless payments: although an earlier figure isn’t provided, the almost fourfold increase in the number of contactless transactions is indication enough of why it soared in the first place; a lack of security and fraud detection is a good second.
source: BBC News

Privacy breaches

Blackburn High School families’ details illegally downloaded in targeted attack

Coincidence or well-thought-out attack? An interesting question, specifically given the final part of the article, with its apparent rise in phishing mails coming from government and other trusted private companies. The fact that two schools have been breached in a short amount of time may be an indication; then again, it may be pure coincidence as well.
What is more troublesome, if you read between the lines of the article, is that the hack of one teacher’s laptop can have such a big impact on children and their parents. A second interesting bit is that the data included information on current as well as past students. Specifically this last bit is of interest when looking at it from a data protection perspective, although it is difficult to take into account here the differences between the European and Australian data protection regimes.
source: Fairfax Media group

Tax worker fired after biggest privacy breach at Revenue Canada

A typical example of the curiosity of employees snooping in data that they don’t need to access to do their work. In one instance, however, the employee seemingly went as far as to modify 2 accounts as well.
It is interesting and positive to read that the CD-ROM with 28 thousand records was encrypted. Let’s hope the decryption key required to read it was not sent in the same package that was lost however.
On a side note: systems implemented to detect these types of privacy breaches are enormously invasive to the employees of the organisation using them. A balance must in all cases be struck between detecting fraud and unauthorised access on the one hand, and distrust, employee tracking and scrutiny systems on the other. A difficult balancing act for sure.
source: CBC News

1.5 million students’ data leaked online, put up for sale for up to Rs60,000

This seems another standard data breach where too much data was easily accessible, leaked, published or put up for sale. However, this article takes a bit of a twist in stating carefully that this data may not have been breached in one of these usual ways but is simply being sold by the organisations that should have kept it secure in the first place.
Okay, it is quite unclear whether the entire organisation is involved or just a handful of people probably getting pretty rich from these deals, but the fact that a lot of the websites selling this data, as well as other seemingly influential people, declined to comment says more than if they had commented, at least in my opinion.
How much legal recourse will help the students that are affected is questionable to say the least.
source: Livemint

IOT and biometrics

BBC fools HSBC voice recognition security system

And of course HSBC immediately said: “The security and safety of our customers’ accounts is of the utmost importance to us.”
Yet the only reason this system was implemented was to tackle fraud, which they probably succeeded in, and they took the odd mismatch and failure of the system as a low risk, which was therefore acceptable. Unless the company that sold them this system actually made them believe it was completely foolproof, which the BBC reporter and his twin showed it clearly is not. Which is actually not surprising at all.
Biometric systems always have a tolerance for failures. This tolerance works both ways: too strict and some legitimate users will not be granted access; too relaxed and some fraudulent users will gain access. There is also a cross-over point where these two factors are in balance, but that is pretty hard to achieve.
Another nice example of this is the Samsung Galaxy S8 and its iris scan authentication system, which was breached as well; see BBC News.
Although this seems unrelated, the same issues with biometric systems apply to both these cases in equal measure.
source: BBC News
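To make the tolerance trade-off above concrete, here is a small added example (my own illustration, not code from the BBC piece or from any vendor's product). It assumes a matcher that outputs a similarity score per attempt, with access granted when the score reaches a threshold; the genuine and impostor score lists are constructed, and the higher impostor scores stand in for a near-match such as a twin. Sweeping the threshold shows the false reject rate (legitimate users locked out) and false accept rate (impostors let in) moving in opposite directions, and locates the cross-over point where they are equal.

```python
"""False reject vs. false accept trade-off in a biometric matcher.

Constructed example: the matcher returns a similarity score in [0, 1].
'GENUINE' scores come from the enrolled user, 'IMPOSTOR' scores from
someone else. Access is granted when score >= threshold.
"""

# Constructed sample scores (not real biometric data). The two highest
# impostor scores overlap the genuine range, modelling a close match
# such as a twin or a good recording.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.72, 0.70, 0.66]
IMPOSTOR = [0.74, 0.71, 0.69, 0.65, 0.62, 0.60, 0.55, 0.50, 0.45, 0.40]


def false_reject_rate(genuine, threshold):
    """Fraction of legitimate attempts denied: score below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Fraction of impostor attempts granted: score at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def sweep(genuine, impostor):
    """Return (threshold, FAR, FRR) for every candidate threshold.

    The error rates only change when the threshold crosses an observed
    score, so the observed scores are the only thresholds worth testing.
    """
    rows = []
    for t in sorted(set(genuine) | set(impostor)):
        rows.append((t, false_accept_rate(impostor, t),
                     false_reject_rate(genuine, t)))
    return rows


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest: the equal error rate point.

    Returns (threshold, FAR, FRR). With the constructed data this lands at
    0.71, where both rates are 0.2.
    """
    best = None
    for t, far, frr in sweep(genuine, impostor):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    print(f"{'threshold':>9} {'FAR':>5} {'FRR':>5}")
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"{t:>9.2f} {far:>5.2f} {frr:>5.2f}")
    t, far, frr = crossover(GENUINE, IMPOSTOR)
    print(f"cross-over at threshold {t:.2f}: FAR={far:.2f}, FRR={frr:.2f}")
```

Running it prints the full sweep: at a strict threshold of 0.85 no impostor gets in but 7 of the 10 genuine attempts are rejected, at a relaxed 0.50 every genuine attempt passes but 8 of 10 impostor attempts do too, and the two rates meet at 0.71. Whether an operator picks the cross-over or sits to one side of it is exactly the risk decision the HSBC story is about: a fraud-driven deployment will lean towards fewer false rejects and accept the occasional twin.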

EU security think tank ENISA looks for IoT security, can’t find any

So ENISA has actually seen some IoT security then? Because otherwise I couldn’t very much like it. IMHO there is nothing to be seen, as there usually is no security whatsoever in the Internet of Threats (things) to be spotted in the first place. Okay, Philips Hue lighting seems to hold a somewhat different standard in that respect, as does Apple HomeKit, but generally the picture is pretty bleak.
As for standards, policies, frameworks and trust or certification labels, that will all come down to enforcement and enforcement alone. It is unfortunate that companies these days can get away with lacking security measures, or even leaving them out of their products entirely, without any consequences whatsoever. Apparently the moral and ethical problems with that don’t hit home with the C-level execs of these companies either.
As for the certification: if enforcement is as weak as the level currently in place for the CE marking on products, then expect nothing to change for the better either; rather the opposite.
source: The Register

Cyber Security

Whilst I hate the term “cyber security”, I can’t escape it here, as both articles below use it as their main topic.
However, I must stress again that cyber is only a hype term, often misused by senior management to stick their heads in the sand (ostrich security), because they can’t be blamed: cyber is seen as the Internet, and therefore everything coming from outside their network.

Netherlands nearly up to speed in cyber-security, says readiness report

To summarise: we apparently have plans, discuss a lot, have insufficient funding and started a national cyber security center in 2012.
Let’s start with the last bit, which is partially incorrect, as there already was a predecessor to the NCSC called GovCert for many years, which flowed over into the NCSC, probably with a broader scope, but still.
What the article fails to mention is that my government can’t even keep its own systems secure enough, nor keep its own employees’ and agencies’ adherence to the data protection laws valid and up to date. How can I trust them to keep my country safe from cyber attacks, specifically knowing that Amsterdam has one of the largest and probably most important internet exchanges in Europe?
And then I am not even discussing the partially deplorable system which is used to authenticate people wanting to connect digitally with the government, the longstanding misuse of social security numbers as VAT numbers for sole proprietorships, the fact that a lot of local municipalities can’t even secure their systems and adhere to the security policies set out for a network sharing tax and other financial data of all Dutch citizens, and the fact that they certainly can’t make our elections fully digitally secure.
As for the last bit, the government used software to tally votes that was hopelessly insecure. Earlier this year they were surprised when somebody found out, but reading through the audit reports of the last couple of years, they were, or could have been, very aware of this for a long time.
So, nice try but no cigar. There is a lot left to do, and as the politicians in The Hague are currently playing the kindergarten dance of who likes whom and who dislikes whom to end up in the seats of government, nothing will change that dramatically anytime soon either.
source: SC Magazine UK

Why Is Cybersecurity So Hard?

Apart from the fact that the author keeps calling it cyber security whilst information (data that has meaning or significance) is the actual gold mine: cyber space, often misrepresented as the Internet, has indeed the characteristics described in this article; however, it is still too technically oriented, whatever the author and his cyber security alliance may say.
The actual protection needs to be at data (information) level, or at least oriented at that level, because all the technical stuff below it is and will remain important too.
Why is cyber security hard? One thing the author has indeed got right is the fact that it is too often seen as a purely technical, IT, problem. He fails to complete the analysis, however, by stating that it is actually a business problem that has a very large IT component but ultimately needs to support and enable business.
source: Harvard Business School Publishing