Backdoor The Encryption
The British government is making fresh calls to ban end-to-end encryption, claiming that apps like WhatsApp provide a safe haven for terrorists.
The home secretary Amber Rudd said it was “completely unacceptable” that the government could not read messages protected by end-to-end encryption.
If all of this sounds familiar, it’s because it is: it echoes what David Cameron said should happen after the Charlie Hebdo shooting.
- The Independent refers to Amber Rudd’s call to end WhatsApp encryption as “incredibly naïve”.
- Ars Technica asks, “Why not ban cars, Amber Rudd? It’d be more effective than banning encryption”.
- The Guardian: “WhatsApp must be available to authorities”.
US ISPs Can Sell Browsing History
Is this the final nail in the coffin for privacy? Has it been taken around the back and double-tapped? Or was it never alive to begin with?
These are interesting questions, ones that future generations will probably be too scared to ask. From a business perspective, it does put ISPs at odds with VPNs, or indeed any form of protection that makes it difficult to track user activity.
- The Register, Your internet history on sale to the highest bidder
- Gizmodo, Congress just gave internet providers the green light to sell your browsing history without consent.
My Video Of The Week
It’s all well and good getting aggravated at the fact that governments and service providers don’t appear to be overly concerned about preserving individual privacy. But that doesn’t mean individuals can’t restrict the information about them that can be accessed.
Where possible individuals should take control, and pass on good habits to friends and family around them.
TROOPERS 2017 Wrap Up
It was the 10th anniversary of the TROOPERS conference in Germany.
Xavier Mertens (xme), attended and wrote a wonderful four-part series highlighting the key elements from the talks he attended. If you’re not familiar with Xavier’s work, he consistently provides some of the best written wrap-ups from conferences.
As more conferences record their talks, fewer people seem to take notes beyond tweeting out a few lines, which makes Xavier's recaps a welcome change of pace, especially for those who don’t have time to sit and watch hours of talks.
Day 1 wrap-up
Day 2 wrap-up
Day 3 wrap-up
Day 4 wrap-up
Cloud and IoT Study
We undertook a survey at RSA 2017 to better understand how companies understand, use and deploy both cloud and IoT.
The results probably raised more questions than they answered, but they make for an interesting read.
- Blog about the report
- Press release
- EnterpriseTech: IoT deployments fuel ‘chaotic’ cloud security
- Dark Reading: Cloud security, IT pros still skittish
- Channel e2e: IoT creates cloud security misperceptions, challenges
A Red Teamer's Guide To Pivoting
Penetration testers often traverse logical network boundaries in order to gain access to a client’s critical infrastructure. Common scenarios include developing the attack into the internal network after a successful perimeter breach, or gaining access to initially unroutable network segments after compromising hosts inside the organization. Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility.
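What turns a compromised host into a “logical network hop” is a relay that accepts connections from the attacker and dials the real target from the pivot’s own network position. The following is an added example, not code from the page or from the linked guide: a minimal SOCKS5 CONNECT proxy in Python, the same kind of pivot that `ssh -D` or a Meterpreter SOCKS module provides. Everything runs on 127.0.0.1; a constructed echo service stands in for an internal-only host, and the attacker side (`socks_connect`) only ever talks to the pivot listener, which performs the outbound connect (and any name resolution) itself. By assumption only the no-auth method and CONNECT to IPv4 or domain addresses are implemented; BIND, UDP ASSOCIATE and IPv6 are left out.

```python
import contextlib
import socket
import threading

SOCKS5, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0, 1, 1, 3

def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS fields must never be parsed from a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def pump(src, dst):
    """Relay one direction until EOF, then half-close dst so the reverse direction can drain."""
    with contextlib.suppress(OSError):
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def reply(client, code, bnd_addr=b"\0\0\0\0", bnd_port=0):
    """Best-effort SOCKS5 reply: VER REP RSV ATYP BND.ADDR BND.PORT (always IPv4 form here)."""
    with contextlib.suppress(OSError):
        client.sendall(bytes([SOCKS5, code, 0, ATYP_IPV4]) + bnd_addr + bnd_port.to_bytes(2, "big"))

def negotiate(client):
    """No-auth greeting plus CONNECT request; returns the (host, port) the attacker asked for."""
    ver, nmethods = recv_exact(client, 2)
    if ver != SOCKS5 or NO_AUTH not in recv_exact(client, nmethods):
        raise ValueError("unsupported greeting")
    client.sendall(bytes([SOCKS5, NO_AUTH]))
    ver, cmd, _rsv, atyp = recv_exact(client, 4)
    if ver != SOCKS5 or cmd != CMD_CONNECT:
        reply(client, 7)  # command not supported: BIND and UDP ASSOCIATE are left out
        raise ValueError("only CONNECT is implemented")
    if atyp not in (ATYP_IPV4, ATYP_DOMAIN):
        reply(client, 8)  # address type not supported: IPv6 is left out
        raise ValueError("unsupported address type")
    raw = recv_exact(client, 4 if atyp == ATYP_IPV4 else recv_exact(client, 1)[0])
    host = socket.inet_ntoa(raw) if atyp == ATYP_IPV4 else raw.decode("ascii")
    return host, int.from_bytes(recv_exact(client, 2), "big")

def handle_client(client):
    """One proxied stream: negotiate, connect outward FROM the pivot, relay both ways."""
    try:
        host, port = negotiate(client)
    except (ValueError, OSError):
        client.close()
        return
    try:
        upstream = socket.create_connection((host, port))  # resolved and dialled on the pivot
    except OSError:
        reply(client, 5)  # connection refused: the pivot could not reach the target
        client.close()
        return
    ip, bport = upstream.getsockname()[:2]
    reply(client, 0, socket.inet_aton(ip) if ":" not in ip else b"\0\0\0\0", bport)
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

def listen(handler):
    """Serve an ephemeral 127.0.0.1 port from a background thread; returns (listener, port)."""
    lst = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        with contextlib.suppress(OSError):  # exits on accept() error; daemon thread, never blocks exit
            while True:
                conn, _ = lst.accept()
                threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lst, lst.getsockname()[1]

def socks_connect(proxy_port, host, port):
    """Attacker-side helper: open a TCP stream to host:port through the pivot, sent by name."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(bytes([SOCKS5, 1, NO_AUTH]))
    if recv_exact(s, 2) != bytes([SOCKS5, NO_AUTH]):
        raise ConnectionError("pivot rejected the no-auth method")
    name = host.encode("ascii")
    s.sendall(bytes([SOCKS5, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big"))
    rep = recv_exact(s, 10)[1]  # VER REP RSV ATYP + 4-byte IPv4 BND.ADDR + 2-byte BND.PORT
    if rep != 0:
        raise ConnectionError(f"pivot could not connect: reply code {rep}")
    return s

def demo(payload=b"hello via pivot"):
    """Round-trip payload through the pivot to a constructed 'internal' echo service."""
    echo_lst, echo_port = listen(lambda c: pump(c, c))  # constructed target: bytes in on c go back out on c
    pivot_lst, pivot_port = listen(handle_client)
    try:
        with socks_connect(pivot_port, "127.0.0.1", echo_port) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # our EOF lets the echo finish and the relay drain
            return b"".join(iter(lambda: s.recv(4096), b""))
    finally:
        echo_lst.close()
        pivot_lst.close()
```

Because the pivot resolves names and dials targets itself, the pivot host’s routing table and DNS, not the attacker’s, decide what is reachable; that is the whole point of the hop, and also why an open listener like this one is a liability on a real engagement: it hands the same reach to anyone who can connect to it, so prefer an authenticated tunnel such as SSH dynamic forwarding and bind it to localhost.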
The “Five Stages” Of Being Breached
This is an insightful post into the human side of breaches and the impact it has.
This one got me thinking that one of the things we are not trained for as incident responders is dealing with customers in this situation. My partner, a counsellor, worked part time for a few years to complete a Masters degree (another one) to learn how to deal with people going through this cycle. It's important for us as IR professionals to know how to deal with people going through the breach grief cycle. The average InfoSec type has no training on how to deal with customers going through this grieving process.
Dishwasher Has Directory Traversal Bug
Is it sad that we are seeing more and more headlines like this when it comes to the Internet of Things? Or is it worse that we are getting used to seeing such headlines?
The dishwasher in question isn’t a household product but a commercial offering, which probably makes it worse in some ways: preventing a restaurant from washing dishes may have more impact than the same bug in an average household.
The Register has the details.
ENISA Reports Are Free
The European Union Agency for Network and Information Security (ENISA) has been around for over a decade and seeks to deliver security advice. It has a number of reports that are free and are worth taking some time out to read.
Mike and I spent a week poring over forensic artifacts and soon identified the perp as a Russian-speaking hacker called “M4g”.