Things I Hearted this Week: 29th Sept 2017

September 29, 2017 | Javvad Malik
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

We’re a whisker away from October, which means all the usual Q4 activities will soon be upon us. People will be trying to use up their annual leave before the end of the year, holiday dinners will be being planned, budget plans will be adjusted, and breaches – oh the breaches will just keep rolling to the point of fatigue. But at least they will be ginger latte flavoured breaches.

When a breach costs the top job

In an M Night Shyamalan plot twist, Richard Smith, CEO of Equifax has resigned in the wake of the huge data breach which saw an estimated 143 million records exposed.

Is there any doubt that information security should be taken seriously at the highest of levels? Or do the heads of CEOs need to roll on a more frequent basis for businesses to understand security isn’t an isolated IT issue to manage?

How much does that train journey cost?

Transport for London which runs the London underground, aka the Tube, introduced WiFi on trains a couple of years ago. Many commuters were glad to be able to connect in the otherwise dead zones, giving an excuse to stare at their phones to avoid even accidental eye contact with another Londoner making their way to or from work.

However, getting even a little bit of data attracts business attention like blood in the water attracts sharks. There are plans to track customers through their WiFi connection and then sell on the data – potentially netting Transport for London (Tfl) £322m.

Of course, this isn’t the only company to do so. Many free WiFi providers, such as those in shopping centres (malls) will track customer movement. The only way to defend against such tracking is to turn off WiFi on the device.

It reinforces how much customer data is worth, but how little people actually care, or consider the cost.

Maybe GDPR will help in this regard as Tfl will have to demonstrate consent per person for this, and also allow for opt-outs.

Qualifications and tech jobs

This isn’t really news – but a debate that continually echoes in the background. Perhaps more recently brought to light by the unfair accusations slung at the Equifax CISO for having a music degree.

The question is, what qualifications should a CISO have, or what type of background should one have. A lot of which is biased by peoples own experiences and knowledge. If you look at the twitter crowd, the opinions varies from it being necessary to have formal education and qualifications, to those thinking such formalities as redundant. Or must someone come from a technical hacking background vs a business background that understands risk and profit/loss statements.

Troy Hunt has summed up a lot of good thoughts in his unique style over at his blog; How Important Are Qualifications to Modern Technology Jobs?

Revealing the content of the address bar

Apparently Internet Explorer is still in use out there. This blog post by Broken Browser is a great writeup on how when a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own. To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker.

Buy Vs Build

Should you build your own machine learning or buy something off the shelf? Engineers would probably jump at the opportunity to build their own, but is it necessarily the right thing for the company?

This post explores some of the pros and cons of both approaches and raises some good questions to ask yourself and vendors such as:

1. Do you have the scale and is your operations team staffed to run this yourself? Can you attract top machine learning talent to your company?

2. Do you have more data than almost any other player in your industry for this particular problem or could you benefit from a vendor’s ability to train on lots of data across multiple customers?

3. Is this machine learning application unique to your business or something all your competitors need to do also? (e.g., fighting fraud, moderating forums) Will this allow you to competitively differentiate yourself?

What I like about this post, is that you could almost read it and replace Machine learning with any IT Security problem and you could address it in the same way.

Surviving the “Robocalypse”

According to the latest Economic Outlook by the region’s largest bank, the best way to future-proof your economy is to have a highly educated workforce and low inequality -- two features that abound in the Nordics.

“A lot of work will be replaced by robots,” Nordea senior economist Erik Bruce said in an interview. “The difference is that we're better prepared because we share the view that we should have a fair distribution of income and we make sure people are trained to take on a new role.”

A Sonic Breach

In another case of Brian Krebs is my IDS, it looks as if Sonic Drive-In may have had a breach and millions of credit / debit card details exposed. The details are a bit light at the moment, but once again, it highlights the importance of having adequate threat detection controls on the network as well as critical endpoints to detect any compromises, exfiltration of data, or strange patterns. Threat intelligence could have also helped, particularly if the organisation was monitoring activity on the dark web to detect mentions of its name or assets.

Car tracking passwords leaked

The Kromtech Security Center recently found over half a million records belonging to SVR Tracking, a company that specializes in “vehicle recovery,” publicly accessible online. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen. To achieve “continuous” and “live” updates of a vehicle’s location, a tracking device is attached in a discreet location, somewhere an unauthorized driver isn’t likely to notice it.

According to SVR’s website, the tracking unit provides “continuous vehicle tracking, every two minutes when moving” and a “four-hour heartbeat when stopped.” Basically, everywhere the car has been in the past 120 days should be accessible, so long as you have the right login credentials for SVR’s app, which is downloadable for desktops, laptops, and almost any mobile device.

Passwords to Over a Half Million Car Tracking Devices Leaked Online

Well, that's about it for this week. We'll see what next week brings...

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
Read more posts from Javvad Malik ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL