It’s felt like a comparatively slow week for information security. Maybe it’s just because I’ve had my head down busy working, or maybe it’s the unusually wet August in good old London.
But just because there may have been fewer stories to hit the news, it doesn’t mean they are any less interesting. As usual, the best ones that caught my attention have been curated with love, care, and cynical commentary. (Bonus points for tweeting @AlienVault which rock band inspired today’s titles.)
Paint it (Carbon) Black
A security services firm called Direct Defense has, likely for the good of the public, published a report accusing Carbon Black products of leaking customer data.
With levels of click-bait usually reserved for BuzzFeed, it managed to get some coverage referring to Carbon Black as running a pay-for-play exfiltration botnet.
Apparently Direct Defense didn’t care to contact Carbon Black prior to releasing its report, according to Carbon Black’s rapid rebuttal.
In my younger years, I spent many an hour watching wrestling (rasslin’). And if there’s one thing I learnt from all the body slams, pile drivers, and promos, it’s that if you’re a mid- to low-level jobber, trying to climb up the rungs to a title shot can be a long and thankless process. So the best way to get a quick title match is to generate some heat by taking a cheap shot at the champ or any other fan favourite.
Adrian Sanabria examines the whole fiasco in a well-written post, Words have meaning.
Gimme (UK critical infrastructure) Shelter
The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4% of global turnover for failing to have effective security measures in place.
I blame GDPR for popularising the penalty of x% of global turnover. Maybe this is the regulator’s version of speaking softly and carrying a big stick.
- NotBeingPetya: UK critical infrastructure firms face huge fines for lax security
- UK Gov: Firms could face £17M fine if cyber security is not up to scratch
- £17 million fines for CNI companies under proposed EU SNIS plans
There’s something quite satisfying about stumbling upon a nice repository of data, which is exactly what happened when I followed a tweet from Hack with GitHub to the appropriately named Awesome Hacking GitHub repository. I found some nice tools, and clearly a lot of effort has gone into organising them all. Have a browse.
All Sold Out
An interesting read from ex-NSA employee turned whistleblower William Binney on how the NSA tracks you:
While all this data isn’t helping to stop attacks, having all the data gives the intelligence community the “power to manipulate anyone they want.” It’s like “J. Edgar Hoover on super steroids” — all the collected data gives intelligence agencies the means to target anyone. Then parallel construction is used after the fact to go back and build a separate basis for an investigation to cover up the fact that the data was obtained unconstitutionally.
Good times, Bad times
As a security researcher, getting accepted and speaking at DEF CON is a pretty big deal. As one of the largest security conferences in the world, the opportunity to present to your peers, the media, and in effect, the world is cool.
However, two Salesforce security engineers, Josh Schwartz and John Cramb, found themselves in a bit of a bittersweet situation when their employer texted them half an hour before their talk to say that if the presentation went ahead, they would be fired.
Apparently the two researchers didn’t see the text, gave their talk, and shortly afterwards were informed they were no longer in employment.
It’s a shame when security researchers are gagged from sharing their experiences, tools, and ideas. It’s even worse when they lose their job over it.
However, I get the feeling they won’t be out of a job for very long.
- Salesforce sacks two top security engineers for their DefCon talk
- Salesforce fires red team staffers who gave Defcon talk
You can make it if you try
Illinois has signed new legislation requiring that all state employees receive cybersecurity awareness training, becoming the 15th state to require such training.
With attacks on the rise and no signs of slowing down, this sounds like a good initiative. The trick with awareness training, though, is to make it relevant, engaging, and repetitive.
Around and around
The threat of possible cyberwarfare attacks against ships at sea is prompting the return of navigators using radio navigation technology like Loran, as opposed to modern GPS (Global Positioning System).
On one hand it’s good to see security actually being taken seriously and prioritised over convenience. On the other hand, it is a sobering reminder of the inadequacy of protective security controls.
Next up, accountant buys an abacus, and eBay sets up a stall at the local Sunday market.
- Sea Traders Are Revisiting WWII-era Navigation Tools Amid Fears About Cyber Attacks
- GPS vulnerability questioned after cyber attacks – Maritime journal
- Cyberattacks at sea prompt return of radio ship navigation
Get out of my clouds
The US military has reportedly banned the use of DJI drones, citing ‘cyber vulnerabilities’. There aren’t many details around what the vulnerabilities are; it could simply be an inherent mistrust of the Chinese-made drones.
I hope my DJI drone isn’t spying on me and my holiday ‘dronies’!