Week in Review 11th August 2017

August 11, 2017 | Javvad Malik

It’s felt like a comparatively slow week for information security. Maybe it’s just because I’ve had my head down busy working, or maybe it’s the unusually wet August in good old London.

But, just because there may have been fewer stories to hit the news, it doesn’t mean they are any less interesting. As usual, the best ones that caught my attention have been curated with love, care, and cynical commentary. (Bonus points for tweeting @AlienVault which rock band inspired today’s titles.)

Paint it (Carbon) Black

A security services firm called Direct Defense has, likely for the good of the public, published a report accusing Carbon Black products of leaking customer data.

With levels of click-bait usually reserved for BuzzFeed, it managed to get some coverage referring to Carbon Black as running a pay-for-play exfiltration botnet.

According to Carbon Black’s rapid rebuttal, Direct Defense apparently didn’t care to contact Carbon Black prior to releasing its report.

In my younger years, I spent many an hour watching wrestling (rasslin’). And if there’s one thing I learnt from all the body slams, pile drivers, and promos, it’s that if you’re a mid- to low-level jobber, trying to climb up the rungs to a title shot can be a long and thankless process. So the best way to get a quick title match is to generate some heat by taking a cheap shot at the champ or any other fan favourite.

Adrian Sanabria examines the whole fiasco in a well-written post, “Words have meaning”.

Gimme (UK critical infrastructure) Shelter

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4% of global turnover for failing to have effective security measures in place.

I blame GDPR for popularising the penalty of x% of global turnover. Maybe this is the regulator’s version of speaking softly and carrying a big stick.

Satisfaction

There’s something quite satisfying about stumbling upon a nice repository of data, which is exactly what happened when I followed a tweet from Hack with GitHub to the appropriately named “awesome hacking” GitHub repository. I found some nice tools, and clearly a lot of effort has gone into organising them all. Have a browse.

All Sold Out

An interesting read from ex-NSA employee turned whistleblower William Binney on how the NSA tracks you.

While all this data isn’t helping to stop attacks, having all the data gives the intelligence community the “power to manipulate anyone they want.” It’s like “J. Edgar Hoover on super steroids” — all the collected data gives intelligence agencies the means to target anyone. Then parallel construction is used after the fact to go back and build a separate basis for an investigation to cover up the fact that the data was obtained unconstitutionally.

Read the full article on CSO Online.

Good times, Bad times

As a security researcher, getting accepted and speaking at DEF CON is a pretty big deal. As one of the largest security conferences in the world, the opportunity to present to your peers, the media, and in effect, the world is cool.

However, two Salesforce security engineers, Josh Schwartz and John Cramb, found themselves in a bit of a bittersweet situation when their employer texted them half an hour before their talk to say that if the presentation went ahead, they would be fired.

Apparently, the two researchers didn’t see the text, gave their talk, and shortly after giving their talk were informed they were no longer in employment.

It’s a shame when security researchers are gagged from sharing their experiences, tools, and ideas. It’s even worse when they lose their job over it.

However, I get the feeling they won’t be out of a job for very long.

You can make it if you try

Illinois has signed new legislation requiring that all state employees receive cybersecurity awareness training, becoming the 15th state to require such training.

With attacks on the rise and no signs of slowing down, this sounds like a good initiative. The trick with awareness training, though, is to make it relevant, engaging, and repetitive.

Illinois to require cybersecurity training for all state employees

Around and around

The threat of possible cyberwarfare attacks against ships at sea is prompting the return of navigators using radio navigation technology like Loran, as opposed to modern GPS (Global Positioning System).

On one hand it’s good to see security actually being taken seriously and prioritised over convenience. On the other hand, it is a sobering reminder as to the inadequacy of protective security controls.

Next up, accountant buys an abacus, and eBay sets up a stall at the local Sunday market.

Get out of my clouds

The US military has reportedly banned the use of DJI drones, citing ‘cyber vulnerabilities’. There aren’t many details around what the vulnerabilities are; it could be an inherent mistrust of the Chinese-made drones.

I hope my DJI drone isn’t spying on me and my holiday ‘dronies’!

Javvad Malik

About the Author: Javvad Malik
The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.