This week London has been in the midst of snowmageddon! An inch of snow ground the city to a halt with schools closed and the capital on red alert. Fortunately, one of the perks of working from home is that I get to stay on top of the security news regardless of the weather, so put on your snow boots and jump right in.
Trading stocks in the wake of breaches
The US Securities and Exchange Commission (SEC) has warned high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities and other cybersecurity-related incidents.
- SEC statement on public company cybersecurity disclosure (PDF) | SEC
- After Intel & Equifax Incidents, SEC Warns Execs Not to Trade Stock While Investigating Security Incidents | Bleeping Computer
Tracking your sold hardware
Many devices now come with tracking features to help you find them if they get lost or stolen. It started predominantly with phones, but tracking is now built into most laptops, desktops, and plenty of smart devices.
The trouble is that location tracking isn’t something we intuitively ask about when buying or selling an item. We just assume that the seller has disabled it, or that it wasn’t enabled in the first place. Will we get to a point where, before buying a smart teddy, a kid will ask if it’s been factory-wiped and all credentials removed?
- How I sold an old Mac and unknowingly had access to its location for over 3 years | Brendan Mulligan / Medium
Cover your own assets
John Carroll wrote an interesting blog post on influencing business layers that might not get infosec.
- Cover your own ass(ets) | CTU Security
Cybersecurity Style Guide
How many times have you wished you had a cybersecurity style guide to tell you how to pronounce a security phrase, how to write a word, or the definitive meaning of a term? Well, your wishes have all been answered, as Bishop Fox has created a style guide for you.
- Web Semantics: The Bishop Fox Cybersecurity Style Guide | Wired
- Download the Bishop Fox Cybersecurity Style Guide (PDF) | Bishop Fox
Well, at least the motive was easy to establish.
Teach a man to Phish… on second thoughts
The NCSC posted a somewhat polarising post on the trouble with phishing. While it raises some good points about the limitations of phishing simulations and how user awareness is one layer among many that protect organisations, it does make some broad assumptions and makes user awareness sound almost futile.
- The Trouble with Phishing | NCSC
The market is taking a slightly different view, with a number of acquisitions in the user awareness space in recent months. I wrote a recap over at my blog.
- The user awareness landscape | J4vv4D
Phish of the week
How to hack any Facebook account
A nice writeup on how researcher Anand Prakash found a vulnerability in Facebook that allowed access to any account, which earned him a $15k bounty.
It relied on the fact that you could reset a Facebook password with a 6-digit code, and that code could be brute-forced because there wasn’t a rate limit on guesses.
- I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it | AppSecure
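The bug above is a good reminder that the strength of a short reset code lives entirely in how many guesses the server allows. As an added illustration (not code from the write-up, and not Facebook’s implementation), here is a small reset-code service in Python that shows the weak pattern, a check with no attempt counter or expiry, next to a hardened one that burns the code after a bounded number of failures, expires it, compares in constant time and makes it single-use. The class name, the 5-attempt limit and the 10-minute lifetime are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 6          # same keyspace as the 6-digit code in the write-up: 10**6 values
MAX_ATTEMPTS = 5         # hypothetical policy: burn the code after this many wrong guesses
CODE_TTL_SECONDS = 600   # hypothetical policy: code is valid for 10 minutes


@dataclass
class ResetCode:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class ResetService:
    """Issues password-reset codes and verifies guesses against them.

    `now` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._codes: Dict[str, ResetCode] = {}

    def issue(self, account: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so every code is exactly CODE_DIGITS wide
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = ResetCode(code=code, issued_at=self._now())
        return code

    def verify_unthrottled(self, account: str, guess: str) -> bool:
        """The weak pattern: every guess is checked, nothing is counted, nothing expires.
        A code stays valid no matter how many wrong guesses precede the right one."""
        entry: Optional[ResetCode] = self._codes.get(account)
        return entry is not None and entry.code == guess

    def verify(self, account: str, guess: str) -> bool:
        """Hardened check: bounded attempts, expiry, constant-time compare, single use."""
        entry = self._codes.get(account)
        if entry is None or entry.consumed:
            return False
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[account]          # expired: user must request a fresh code
            return False
        if entry.failed_attempts >= MAX_ATTEMPTS:
            del self._codes[account]          # too many failures: burn the code
            return False
        if hmac.compare_digest(entry.code, guess):
            entry.consumed = True             # a code is accepted at most once
            return True
        entry.failed_attempts += 1
        return False


def guess_success_probability(attempts: int = MAX_ATTEMPTS, digits: int = CODE_DIGITS) -> float:
    """Chance that an attacker with `attempts` tries hits a uniformly random code.
    With no limit this tends to 1; with MAX_ATTEMPTS it is 5 in a million."""
    return min(attempts, 10 ** digits) / 10 ** digits


if __name__ == "__main__":
    svc = ResetService()
    code = svc.issue("demo-account")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("demo-account", wrong)
    # even the correct code is refused once the attempt budget is spent
    print("correct code after limit:", svc.verify("demo-account", code))
    print("success probability per code:", guess_success_probability())
```

Per-code attempt limits are only one layer: the same counter is usually also kept per account and per source, and issuing a new code should not silently reset an attacker’s budget.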
In other Facebook news.
Influencing Security Policy
Instead of criticizing cybersecurity policy, Robert Knake has some advice on how you can more effectively influence it.
What are the benefits of ISO27001?
ISO27001 is the cornerstone of most security programmes. But what are the benefits, and how can you make it work?
Fortunately, Brian Honan is a man that knows a thing or two about the ISO standard they call 27001 and shares his wisdom.
Somewhat related, because Brian helped me put this together a few years ago:
- THE CYNIC’S GUIDE TO ISO27001 | J4vv4D
Random assortment of news
- Why I Quit Google to Work for Myself | Michael Lynch
- Deception Technology: Worth the Investment? | Bank info security