May the fourth. I’m sure there’s a sci-fi reference to be made here somewhere, but I just can’t put my finger on it. I’m sure it will come to me soon enough.
In the meantime, enjoy the security news, views, and opinions that caught my eye this past week.
School’s out for Ransom
“They didn’t have a clean offsite backup,” said Leominster Interim Police Chief Michael Goldman in an interview with ABC News. “This happened and the school system was not locked down as they should have been.”
I don’t like stating the obvious when ransomware strikes and there was no offsite backup, mainly because for many companies this is a transitional period. We’ll probably see ransomware continue to hit companies for a few years, until offsite backups or other protective and recovery mechanisms become commonplace.
Hopefully other schools can learn from this and save themselves $10k that could be better spent on educational services.
The reality is that it doesn’t matter how small or insignificant you may feel your company is. If an attacker sees a potential target, they won’t care whether it’s a school, a nuclear facility, a transport system, a hospital, or a bank – they see a money-making opportunity and will look to exploit it.
- Massachusetts school district caves to ransomware demand, pays $10,000 | SC Magazine
- A ransomware attack and no contingency plan cost a Massachusetts school district $10,000 | Cyberscoop
- Hackers get $10,000 in bitcoin after attack on Leominster schools | Boston Globe
Taking the Human Element Out of Security
The human element is still an impediment to progress in security. Rahim’s insights struck a chord with me because these are things I’ve been preaching for years. Security has advanced, technically speaking, but we clearly don’t have a grasp of what truly needs to be done to minimize business risks.
- Insights From RSAC 2018: Taking the Human Element Out of Security | Security Intelligence
+ On the topic of humans, the Social Engineering framework is a decent resource for those looking to learn more about the topic.
The thought police cometh
Just when you thought surveillance in China couldn’t get creepier, you learn it has its own version of George Orwell’s Thought Police.
Besides the use of CCTV surveillance and artificial intelligence (AI) to make spying in real-time resemble something out of TV show Person of Interest — it can even be used to text jaywalkers a fine — and surveillance being used to record public Wi-Fi users’ online activity, there are face scans required to be issued a strip of toilet paper and China’s social credit system, or Citizen Score.
Well, now there’s news circulating about surveillance tech being used to monitor employees’ brainwaves.
+ In other news, British Prime Minister Theresa May is trying her best to keep up with China, and would if it wasn’t for those pesky courts!
- High Court Rules Part of Snoopers’ Charter Illegal | Infosecurity Magazine
The RSA ROI
What do vendors get out of exhibiting at RSA? Isn’t it just a massive waste of money for everyone? That’s kind of the sentiment you hear a lot – which is why I really enjoyed this post by Haroon Meer at Thinkst on their first time experience of exhibiting at RSA.
Sure, it’s expensive, there are a lot of weird things, but there is also a nice payoff.
WhatsApp founder Jan Koum is planning to leave the company after clashing with its parent.
I’m assuming the short version is that Facebook wanted to get its hooks into that juicy WhatsApp data, heads were butted, and Jan walked away in a manner befitting Silicon Valley, stating he plans on collecting rare air-cooled Porsches, working on his cars, and playing ultimate Frisbee.
- WhatsApp founder plans to leave after broad clashes with parent Facebook | Washington Post
Facebook tries to creep into more aspects of people’s lives by launching a dating service
- Facebook's new dating service may know us better than we do | CNN
- Facebook Is Investigating a Claim That an Employee Used His Position to Stalk Women | Motherboard
Which isn’t a big deal, right? It’s not like any data would be abused… oh wait…
Attack the block(chain)
Some of the technologists at the meeting of the International Standards Organization were surprised when they learned that the head of the Russian delegation, Grigory Marshalko, worked for the F.S.B., the intelligence agency that is the successor to the K.G.B.
They were even more surprised when they asked the F.S.B. agent why the Russians were devoting such resources to the blockchain standards.
“Look, the internet belongs to the Americans — but blockchain will belong to us,” he said, according to one delegate who was there. The Russian added that two other members of his country’s four-person delegation to the conference also worked for the F.S.B.
Another delegate who had a separate conversation with the head of the Russian group remembers a slightly different wording: “The internet belonged to America. The blockchain will belong to the Russians.”
+ Amber Baldet had an informative closing keynote on blockchain security at the Hack in the Box Security Conference.
How to Wrestle Your Data From Data Brokers, Silicon Valley — and Cambridge Analytica
One thing is certain: My personal data, and likely yours, is in more hands than ever. Tech firms, data brokers and political consultants build profiles of what they know — or think they can reasonably guess — about your purchasing habits, personality, hobbies and even what political issues you care about.
You can find out what those companies know about you but be prepared to be stubborn. Very stubborn. To demonstrate how this works, we’ve chosen a couple of representative companies from three major categories: data brokers, big tech firms and political data consultants.
Some strong opinions in this post by Daniel Miessler on the importance of asset management.
“What value is being compliant with an information security regulation if you can pass while having zero idea whatsoever where your data is and what systems you have?”