The niner noteworthy stories of 2017 (week 19)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Macron campaign team used honeypot accounts to fake out Fancy Bear

If this is indeed true (you never know whether they really fell for it), then this is very smart indeed.
Although the technique of using honeypots to snare hackers is certainly not new, using them in this way as a delay tactic to help avoid foreign influence in your elections is new and inventive.
source: Ars Technica

Crooks can nick Brits’ identities just by picking up the phone and lying

Ah yes, the old trick of social engineering a call center script kiddie (a person on the phone just following a laid-out script to help the caller). Only training them and making them constantly aware of these practices will help in combating these tactics.
This obviously goes against our human nature to be friendly and helpful. In a lot of these cases too helpful, unfortunately.
source: The Register

Millions of identities stolen from education platform Edmodo

Yes, I know the passwords were hashed and that a salt value was used, which makes the result of the hash function unique per salt value, even if the passwords are identical. Cracking these is a lot more difficult than without a salt value added to the password, although the salt value is stored in cleartext alongside the hashed password value.
What is getting on my nerves is this quote in the article from the breached organisation: “Edmodo has learned about a potential security incident, protecting the privacy of our users is of the utmost importance to Edmodo. We take this report very seriously and we are investigating.”
Why are companies always saying that they take the privacy of their users very seriously after they have just been notified of being breached? Does that make them sound more trustworthy to their customers? I seriously doubt it.
Okay, 100 percent security doesn’t exist, but for some reason these kinds of quotes by spokespersons always make me wonder how seriously they really take it.
source: SC magazine
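An added example (not from the article or from Edmodo) of the salting behaviour described above: identical passwords produce identical unsalted hashes but different salted ones, and a known salt still forces the guessing work to be repeated per account. The user names, passwords, wordlist and the single SHA-256 round are all constructed assumptions for illustration; the page does not state which hash function was used.

```python
import hashlib
import os

# Constructed sample data: three accounts, two of them sharing a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "tr0ub4dor"}
# Constructed guess list, as used in an internal weak-password audit.
WORDLIST = ["123456", "password", "sunshine1", "letmein"]


def digest(password: str, salt: bytes = b"") -> str:
    """SHA-256 over salt || password (assumption: fast hash, for illustration only)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_stores(users):
    """Return (unsalted, salted) credential stores for the same users."""
    unsalted = {u: digest(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)              # random per-user salt, stored in cleartext
        salted[u] = (salt, digest(p, salt))
    return unsalted, salted


def audit_unsalted(store, wordlist):
    """Each guess is hashed once and the result is reused for every account."""
    table = {digest(w): w for w in wordlist}
    found = {u: table[d] for u, d in store.items() if d in table}
    return found, len(wordlist)            # total hash computations


def audit_salted(store, wordlist):
    """The salt is known, but every guess must be re-hashed for every account."""
    found, hashes = {}, 0
    for user, (salt, stored) in store.items():
        for w in wordlist:
            hashes += 1
            if digest(w, salt) == stored:
                found[user] = w
                break
    return found, hashes


if __name__ == "__main__":
    unsalted, salted = build_stores(USERS)
    print("unsalted alice == bob:", unsalted["alice"] == unsalted["bob"])
    print("salted   alice == bob:", salted["alice"][1] == salted["bob"][1])
    print("unsalted audit:", audit_unsalted(unsalted, WORDLIST))
    print("salted audit:  ", audit_salted(salted, WORDLIST))
```

The weak password is still found in both stores; the salt only removes the shared work, which is why it can sit in cleartext next to the hash but should be paired with a deliberately slow password-hashing function.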

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

Anti-virus software has been dead for years, but the industry behind it keeps trying to make us believe it is not.
The problem is not only the facts that are described in this article, but also the size of the database with virus signatures. The more there are, the larger the dataset becomes and the slower your machine gets too. Something some of the older anti-virus products, notably Norton or McAfee if you didn’t get the proper key, were or maybe still are known for anyway. The easiest fix to this is to drop all signatures that are either older than X amount of time or haven’t been seen regularly enough.
This leaves you open to attacks using the older malware whose signatures were dropped. This is a problem that cannot be solved, however.
Should you fully drop anti-virus software? Probably not, but at least be aware of its limitations and never use it as your only line of defence.
source: Ars Technica

NYU Accidentally Exposed Military Code-breaking Computer Project to Entire Internet

The fact that this type of research is being done should not be a surprise to anyone really. The debates over cryptographic backdoors and over banning end-to-end encryption, or at least weakening it, have been raging for decades.
That this sensitive data ended up in a folder that is fully unprotected from the Internet is either a stupid misconfiguration or maybe an act of whistleblowing in its own right, without having to scurry away to Moscow to save your freedom.
source: The Intercept

An Obscure App Flaw Creates Backdoors In Millions of Smartphones

Do we have to count these under the 99% of mobile malware that is targeting Android already or is this an additional problem?
The background of this convenient feature most likely lies in the Linux roots behind the Android operating system and the fact that its makers left this possibility open for app developers. So my suggestion would be to implement the following fix: disallow all apps from opening ports on their own to listen for incoming traffic.
Your mobile phone is not a server system and should not act like one either.
source: WIRED

Gaining insight into how cyber insurers understand and price risk

You probably need to click through to the research itself to read what the actually more interesting findings are. The main points seem to be that most policies are very similar, questionnaires are used to assess risk and 3rd party security risks are noted as difficult to estimate correctly.
Do pay particular attention to the definition, at the start of the article, that insurance companies seem to use for a security incident.
It is pretty clear that you need to carefully read those cyber security policies before you actually buy insurance (called risk transferring in IT risk management).
However, do keep this in mind: whatever insurance you have, you will always be accountable as senior management. That will never change.
source: IAPP

To mitigate major Edge printing bug, use a Xerox copier, baffled user advises

If you want to learn a couple of things from this weird article, then at least note the following: yes, you can change PDF files; never use your browser to print them if you can have a dedicated tool to do so; Xerox copiers won’t copy documents from the Internet as this article seems to suggest.
Although that last bit might be a mix-up or directly related to a user’s advice.
If anything, at least check if your prints match what you wanted to print, specifically if it is important.
source: Ars Technica

Cybersecurity Pros Will Soon Patrol Computer Networks Like Agents in ‘The Matrix’

Seriously? Although maybe interesting, the skills required will not change that much, as you still need to know a lot of technical details to effectively do your job as a prowling VR cyber agent.
Unless we want to do everything automatically and use log correlation and event monitoring tools to present the right information to our gaming security operation center.
As a lot of companies without these VR additions have trouble implementing security incident and event monitoring in a meaningful way, I don’t see this technology being of any benefit anytime soon. And no, that’s not because I’m not a gamer.
source: Singularity Hub