* Posts by Drs. Andor Demarteau (ShamrockInfoSec)

27 publicly visible posts • joined 21 Sep 2018

Rackspace rocked by ‘security incident’ that has taken out hosted Exchange services

Drs. Andor Demarteau (ShamrockInfoSec)

Re: It's all down

Possibly not, I suspect.

I’ve been trying to mail a business friend, who turns out to be a Rackspace customer, and all mails time out after half a day or so.

Although just one example, it would not surprise me if this is indicative.

Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Drs. Andor Demarteau (ShamrockInfoSec)

Re: A solution?

That already exists: it's a US company that checks the validity of your ID with all fields visible.

This, by itself, is a breach of GDPR if used by EU companies as it will transport various amounts of data (including in the Dutch case the national identification number, a number they shouldn't have in the first place) to a country with lesser protections and safeguards.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: And so ad infinitum

Yes, they have, but do they have any reason to hold on to that copy of your ID or driver's license after the request has been completed and fulfilled?

The basic answer I suspect would be: no, not really.

As such they should delete it immediately as it has served its purpose.

A bigger problem is that they usually request such copies via e-mail, which is inherently insecure.

And yes, that goes for all personal data (minimisation principle, only keep the data you really need to have unless there are legal reasons why you need to have it longer than the usage requires).

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Consent is mentioned a few times....

Consent means the consent given for a well specified, defined and limited use of your personal data for a purpose you understand and can freely agree with.

It does not mean: anything else that was not stated.

Nor does it mean: any massive list of usage scenarios, either ones already in use or future purposes, with one consent button.

For each different purpose consent needs to be requested and also be able to be withdrawn as easily as it was given.

Do companies need consent for everything they do with your personal data?

Hell no, there are five other legal reasons they can use to have and process your data, including fulfilling a contract or pre-contractual actions, or a legal requirement.

So FB selling on data and consent: only if you have given it explicitly.

And not hidden within their privacy notice somewhere as part of the total package.

(On that issue a complaint and possibly a legal case has already been brought by several parties on the 25th of May 2018.)

Drs. Andor Demarteau (ShamrockInfoSec)

It's certainly not GDPR's fault

The law is pretty clear; although it will not specify what proof of identity you need to provide, it does leave the option open to request a copy of your ID (preferably not via e-mail, for obvious security reasons).

The fault here squarely lies with the companies that have implemented the requirements partially, maybe are afraid of exceeding time limits or have obtained bad advice.

Should the law mandate how it must be done? No, as there are other laws to mandate what proof of identity means and there is enough guidance available.

Besides if you know all that information from your girlfriend, there is probably no rat's chance in hell you could not have pulled this off.

Nice in showing that at least the data-providing part of the law works; okay, it wasn't the right person. Btw, does she actually know you have her login credentials for a certain website?

As for the information this person obtained: that's precisely the goal of the law (article 15 to be precise), to obtain a copy of all data a company holds of you.

And yes, that may include very sensitive information.

It shows nicely that one company has stuff they shouldn't have had in the first place, if you can believe this information about that given in this talk and she indeed hasn't heard of the company.

Btw, the precursor of the GDPR, at least in the Netherlands, already had the right to obtain a copy of the information a company held of you anyway. So in that respect it may be less new than suggested.

Giga-hurts radio: Terrorists build Wi-Fi bombs to dodge cops' cellphone jammers

Drs. Andor Demarteau (ShamrockInfoSec)

Why use GHz frequencies at all?

Lower frequencies in the VHF (30-300 MHz) range have a longer distance perspective than the GHz frequencies mentioned in this article.

Only the 900 MHz band comes close to these characteristics.

This has partially to do with reflections, as well as that higher frequencies have more trouble penetrating materials, especially those containing metals.

And yes, that's also why Wi-Fi networks have trouble in your home between rooms, specifically if the walls contain metal like in reinforced concrete.

Lower than 30 MHz is unwise as that comes with larger antennas as well as very different distance propagation characteristics (which may or may not work depending on time of day, sun spots etc.).

Drs. Andor Demarteau (ShamrockInfoSec)

white noise

There are alternatives that block all these frequencies, and they are not even expensive either.

Even terrorists in Afghanistan have used it, with unknown effect to me, that is.

Take any electric motor, strip away all the insulation, connect a large copper rod to the most radio-active part (simple software-defined radio stuff will easily tell you where that is) and switch it on.

Biggest problem? It will probably destroy all radio communications in a certain range. With all I really mean all. This technique is indiscriminate and not frequency specific.

Another solution is a certain type of external battery, the charging circuit of which makes so much RF noise that I have sent two units back and gotten my money back because of it (okay that was 7 years ago, but there is still enough household equipment out there that effectively is radiating RF where it should not do so, including light dimmers, plasma TVs, solar panel transformers etc.).

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Looks like things are getting worse

Security is not a bolt-on feature, period.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Flight Pattern

Not entirely true for airlines.

Whilst all older companies have legacy stuff, the airline sector has invested heavily to create a common community cloud platform where a lot is being handled these days.

This platform is called Amadeus and is Spanish-based.

I know this holds true for CX as well.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Flight Pattern

I agree, this isn't specifically an airlines issue as such.

Although there is one contributing factor that does hit the airlines sector more than other sectors named:

with the ever-dropping prices of tickets, due to LCCs (low cost carriers), the overhead and therefore the budget available to do proper IT, information security and privacy protection goes down with it as well.

This is seen worldwide and not only in the EU and US markets.

Budget as such isn't the only issue, management buy-in as well as a proper security culture are even more important.

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Bruce is spot-on, but we gotta start somewhere

And since AI is nothing more than a rules based system, at least for the foreseeable future......

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Bruce is spot-on, but we gotta start somewhere

There has been a solution for this available for at least 11 years.

Unfortunately nobody has been willing to embrace and implement it yet.

The solution verifies the physical presence of the user during the entire transaction and/or session, not only at the start of it.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Really Lousy Idea

Effectively this, although not by law, is what already happens.

It will make the problem worse rather than better as well.

Make the companies creating this junk accountable.

No, not with fines but with a full market ban on their products.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: More seriously

Will FCC also check the software security of the device?

Btw, this holds similarly for the European CE mark.

Security is not tested.

Even worse, on electrical stuff correct filtering components are removed during actual production to save costs.

Is your dimming unit for your lights buzzing, but does it have a CE mark? Good chance this is the reason why.

What does this have to do with security? Just that regulations alone will not work; enforcement and regular re-testing will.

But since we are not doing that with electrical equipment, there isn't much hope it will all of a sudden be done in the security space.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: IOT is only going to grow as an issue long term

PCI-DSS is no more than a baseline with a lot of requirements that, if you did security the right way, you would already have implemented anyway.

It's no more than the credit card industry's risk management policy.

Has it actually improved on all those credit card details being leaked in major security breaches, including recent ones with British Airways etc.?

No it hasn't.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: IOT is only going to grow as an issue long term

Entirely correct.

Precisely why, just as a related topic, GDPR privacy controls are as strict as they are: because without them we would see a similar effect.

As such the security and privacy by design and by default requirements from the data protection law may actually already help in the IoT security challenge, although specifically for consumer equipment.

Dutch cops hope to cuff 'hundreds' of suspects after snatching server, snooping on 250,000+ encrypted chat texts

Drs. Andor Demarteau (ShamrockInfoSec)

A server in the middle that reroutes messages does not have to be a weakness as the article claims.

If proper end-to-end encryption is used, it doesn't really matter who sees the encrypted (cypher text) messages or not.

What seems to be the case here is a combination of a central server with an apparently not so well implemented end-to-end encryption system, or the use of weak cryptographic algorithms.

One reason for this could be that the people selling the phones and subscriptions have enough evidence on their clients to use against them if they start getting nasty.

As most have a criminal intent, at least according to the Dutch police presser, it would be a nice backstop mechanism.
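An added example in Go, not code from the original post or from any product named in the article, showing why a relaying server need not be a weakness when the end points hold the keys. Two parties (alice and bob, names assumed) each generate an X25519 key pair, derive a pairwise AES-256-GCM key, and exchange a message through a relay that stores and forwards whatever it receives. Seizing the relay's log then yields ciphertext only, and a message altered in transit or in storage fails authentication on decryption. The SHA-256 step in place of a real KDF and the sample message are assumptions made for the example. What this does not hide is metadata (who talks to whom and when), and it collapses entirely if the operator generates or can read the keys on the handsets, which is the "not so well implemented" case the post points at.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one chat participant holding an X25519 key pair.
// The private key lives only on the handset; the relay never sees it.
type Party struct {
	priv *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

func (p *Party) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// aead derives a pairwise AES-256-GCM instance from the X25519 shared secret.
// SHA-256 over the raw DH output stands in for a proper KDF (HKDF); this is an
// assumption made to keep the example short, not a recommended construction.
func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for peer; wire format is nonce || ciphertext || tag.
func (p *Party) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	gcm, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a message from peer; it fails if any bit was altered in transit.
func (p *Party) Open(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	gcm, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Relay models the operator's central server: it keeps a copy of every message
// and forwards it unchanged. The stored Log is what a seizure would yield.
type Relay struct{ Log [][]byte }

func (r *Relay) Forward(msg []byte) []byte {
	cp := append([]byte(nil), msg...)
	r.Log = append(r.Log, cp)
	return cp
}

// LogContains reports whether a plaintext's bytes appear anywhere in the stored log.
func (r *Relay) LogContains(plaintext []byte) bool {
	for _, m := range r.Log {
		if bytes.Contains(m, plaintext) {
			return true
		}
	}
	return false
}

// Exchange sends one message from alice to bob through the relay, then replays a
// tampered copy. It returns what bob read, whether the relay's log holds the
// plaintext, and whether the tampered copy was rejected.
func Exchange(plaintext string) (string, bool, bool, error) {
	alice, err := NewParty()
	if err != nil {
		return "", false, false, err
	}
	bob, err := NewParty()
	if err != nil {
		return "", false, false, err
	}
	relay := &Relay{}
	sealed, err := alice.Seal(bob.PublicKey(), []byte(plaintext))
	if err != nil {
		return "", false, false, err
	}
	delivered := relay.Forward(sealed)
	opened, err := bob.Open(alice.PublicKey(), delivered)
	if err != nil {
		return "", false, false, err
	}
	// Flip one bit of the stored message; GCM's authentication check must reject it.
	tampered := append([]byte(nil), delivered...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := bob.Open(alice.PublicKey(), tampered)
	return string(opened), relay.LogContains([]byte(plaintext)), tamperErr != nil, nil
}

func main() {
	got, leaked, rejected, err := Exchange("constructed sample message") // constructed input
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob read %q; relay log holds plaintext: %v; tampered copy rejected: %v\n", got, leaked, rejected)
}
```

Needs Go 1.20 or later for crypto/ecdh. The relay's Log is the only thing a server seizure recovers in this model; whether the real service matched it depends on where the keys were generated and whether the app's implementation and algorithms were sound, which the post leaves open.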

30 spies dead after Iran cracked CIA comms network with, er, Google search – new claim

Drs. Andor Demarteau (ShamrockInfoSec)

Re: You're FIRED!

Typical for security people :(

Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Size matters

Effectively the number of employees may say very little on how juicy the SME target actually is.

The level of data available within the company may be a far better measurement of this in the end.

With a lot of processes now partially being automated, smaller companies can actually have larger juicier data sets than larger ones with a more traditional business model.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Good recommendations but...

Correct.

Cloud is by default not "more secure" than a local system.

All comes down to proper security and identity management, something the cloud providers don't do for you.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Umm...

Precisely, Linux systems (macOS as well) have the name of being more secure or better securable.

Whilst this, especially towards Windows, was true a decade ago, Microsoft has actually quite stepped up its game in this area.

And no, I'm not a Windows fan, but that has a different reason.

Any IT system can be as secure or insecure in measure of the security competence of the people who are managing them, in alignment with the requirements of the business itself.

I know what you're thinking: Outsource or in-source IT security? I've worked both sides, so here's my advice...

Drs. Andor Demarteau (ShamrockInfoSec)

Internal more expensive than external?

This is one I have seen too many times, both when working internally as well as when being outsourced to companies.

Most of the time people compare your daily or hourly rate on a 1:1 basis with their salary levels.

However, what usually is forgotten is the fact that on top of that salary there are all kinds of additional costs like pension funds, sick leave, holiday payments, buildings, IT facilities, phone costs, management overhead etc. etc.

And in most freelance contracts, not to forget, travel costs.

Account for all of these and divide them by the actually worked hours and the trade-off may be less of a problem than you may think.

Actual worked hours are calculated by taking the maximum workable days, all weekdays in a year, and subtracting:

- all "bank" holidays

- all holiday hours given to internal employees

- the percentage of sick leave prevalent in the company over a year, calculated in working hours

Take the salary plus all extra costs and divide it by the actual working hours and see what you get.
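The calculation above carried through as an added Go example (not code from the original post). It puts the post's naive 1:1 comparison next to the loaded figure: salary plus all extra costs, divided by the hours actually worked after bank holidays, holiday entitlement and sick leave are taken out. The figures in main (salary, a 30% overhead factor, 261 weekdays, 8 bank holidays, 25 holiday days, 4% sick leave, an 8-hour day and an external rate of 75 per hour) are constructed inputs for illustration, not numbers from the post.

```go
package main

import "fmt"

// Employee holds the inputs the post lists; every figure is assumed, not measured.
type Employee struct {
	Salary         float64 // annual gross salary
	OverheadFactor float64 // pension, sick pay, holiday pay, building, IT, phone, management: 0.30 = 30% on top
	Weekdays       int     // maximum workable days in the year (all Mon-Fri)
	BankHolidays   int     // public holidays falling on weekdays
	HolidayDays    int     // contractual holiday entitlement in days
	SickLeavePct   float64 // share of the remaining hours lost to sick leave, e.g. 0.04
	HoursPerDay    float64
}

// NaiveHourly is the 1:1 comparison the post warns against:
// salary over every weekday hour, ignoring overheads and absence.
func (e Employee) NaiveHourly() float64 {
	return e.Salary / (float64(e.Weekdays) * e.HoursPerDay)
}

// WorkedHours follows the post's subtraction: weekdays minus bank holidays
// minus holiday days, converted to hours, then reduced by the sick-leave share.
func (e Employee) WorkedHours() float64 {
	days := float64(e.Weekdays - e.BankHolidays - e.HolidayDays)
	return days * e.HoursPerDay * (1 - e.SickLeavePct)
}

// LoadedHourly is salary plus all extra costs divided by the hours actually worked.
func (e Employee) LoadedHourly() float64 {
	return e.Salary * (1 + e.OverheadFactor) / e.WorkedHours()
}

// Premium is how many times an external hourly rate exceeds the loaded
// internal cost; 1.0 is break-even.
func (e Employee) Premium(externalHourly float64) float64 {
	return externalHourly / e.LoadedHourly()
}

func main() {
	// Constructed example figures, not taken from the post.
	e := Employee{Salary: 60000, OverheadFactor: 0.30, Weekdays: 261, BankHolidays: 8,
		HolidayDays: 25, SickLeavePct: 0.04, HoursPerDay: 8}
	external := 75.0
	fmt.Printf("worked hours: %.0f\n", e.WorkedHours())
	fmt.Printf("naive hourly: %.2f, loaded hourly: %.2f\n", e.NaiveHourly(), e.LoadedHourly())
	fmt.Printf("external at %.0f/h looks %.2fx naive but is %.2fx loaded\n",
		external, external/e.NaiveHourly(), e.Premium(external))
}
```

Travel costs, which the post notes are usually billed on top of a freelance rate, are deliberately left out of the external rate here; add them to the external figure before calling Premium if the contract has them.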

Drs. Andor Demarteau (ShamrockInfoSec)

Handing over responsibility vs. good advice

Whilst this article seems to focus on cyber security alone (hardware, networks, software etc.), it's missing the broader point on policies, procedures, standards, guidelines and the most important bit, awareness and security culture.

Companies can outsource some of the work fine, but setting up a security program takes more than managing a firewall ruleset or patching systems.

Where a good mix between internal work and external expertise does have a large benefit is where you can draft in high quality advisory services that can help your business along but don't drain resources for years and years to come.

And yes, you've guessed it, that's precisely what my business model is.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Oh no you're not!

Totally correct, this goes for information security as well as data protection btw.

Responsibility for a good service is with the outsourcer (processor in data protection), accountability firmly lies with the SME company themselves.

And no, not even an insurance policy will lift this accountability burden.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: The big challenge is - well, catch 22

Precisely.

One line in this article graphically illustrates this above all:

"Let’s take an example. You’re using Cisco ASA firewalls but you don’t have the skills to manage them, so you outsource the job. But what do you expect the outside specialist to do? Monthly firmware updates? Weekly failover tests? Monitor the logs and respond to certain types of activity?"

Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

Drs. Andor Demarteau (ShamrockInfoSec)

Can we really be sure they are now secure? (as claimed)

"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect."

Maybe at the moment the ICO looked at it, but will it stay this way?

Security is not something you bolt-on nor patch-over afterwards. Security-by-design is a key requirement of the design of networks, systems, software and usage procedures.

Or at least it should be.

Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once

Drs. Andor Demarteau (ShamrockInfoSec)

Internet connections are not the only issue

Things have been going wrong far before "stuff got connected to the Internet" in what is called Industrial IoT.

Because of the same "this costs money" attitude, industrial systems have been moving away from dedicated-build hardware and software to commodity off-the-shelf Windows systems for about two decades now.

And yes those come with the same issues, security problems and patch regimes as your office equipment, but with one caveat: patching is either extremely difficult or in some cases impossible, sometimes due to restrictions by software vendors and sometimes due to certification restrictions.

The solutions proposed in this article may work for new plants, but it will be a hell of a job to implement them in current installations.

Oh and they have to work not 10 but up to 20 to 30 years too.