Periodic Wrap - 25th September, 2016

This periodic wrap brings a reminder for us to behave in public, and in private, as Snap, with its name change from Snapchat, gets set to release its sunglasses with recording functionality – ‘Spectacles’.

Also in recent reading, I see a few records have reportedly been set with:

1/ Yahoo’s 2014 breach of a reported 500m account credentials – a reminder for us all to put an extra step in the business process, and in the same vein use 2-step authentication where offered,

2/ Quantum Key Distribution achieving a distance of over 6.2km (up from 800m) bringing us ever closer to Quantum connected cities; and,

3/ Well regarded security blogger KrebsonSecurity having his site pummelled by reportedly one of the largest ever DDoS attacks, which reportedly harnessed a botnet of ‘things’ to execute the attack. This highlights the need to patch our ‘things’ given the impact we can have on others, and to lobby for standards and patches where our ‘things’ don’t offer them (and we’d like to keep them on the internet of ‘things’). There is a moral hazard to cybersecurity – we need to look after ourselves to look after each other.

1/ Yahoo’s 2014 breach of a reported 500m account credentials

The publicisation of this breach is a reminder for us all to:

  a) put an extra step in the business process, and in the same vein
  b) use 2-step authentication where offered.

The reasons are several, as email addresses:

  • taken in breaches are then used in phishing and spearphishing attacks.
  • may also be tested with passwords either decrypted or left unencrypted, guessed or taken from another breach. This means multiple accounts on multiple systems could be vulnerable.
  • could be used by cyberbaddies to send emails encouraging us to click on a link and give away more information or download malware.

So, beware and, give or take a few bells and whistles, at the time of writing:

  1. Enable 2 factor authentication where offered – it makes it harder for the people who’ve nicked the information, or for others who’ve bought it if it has subsequently been traded, to gainfully use it; and,
  2. Put an extra step in the (business) process before transferring money, clicking on links or providing further information that could lead to these things.
     • Note, the cyberbaddies also reportedly have security questions and answers and other details, and so offline consequences could include similar things happening through the post, over the phone or through social media – take a breath, put an extra step in the process. By verifying the information through a different means we can, again, prevent the cyberbaddies from gainfully using the information.

These practices are good hygiene no matter who we are or what provider(s) we are with. This breach was 2014 but there have been many others and sometimes providers use third parties that we may be overtly unaware of in their supply chain – that is, even if we think we’re not with a particular provider we may have been, or still be, affected.

A further note for interested site operators and lawyers amongst us: litigation has reportedly already commenced. My sense is victim blaming isn’t helpful, but by the same token we need to ensure we have the basics in place and can talk to them when things go wrong. Therefore, as a business, early and balanced disclosure is responsible and important.

However, given so much information has bolted over so many breaches, it would be a rational approach to operate all the time as though our information is available. Therefore, once more with feeling – good practice at the time of writing would be to i) enable 2 factor authentication where offered and ii) put an extra step in the (business) process. It will also help prevent ‘iCloud Hacks’!

If we do receive spam, avoid clicking unsubscribe – this is old news but we and our organisations still get caught by it. This article is from 2004. Instead, we need to create a filter (ask your local techie or techie friend to show you how) to bypass our inboxes and delete them.

Note, too, that these attacks are also hoovering up encrypted information. The question is, how good is that encryption? The rise of quantum computing is important in this context, and many others, and NIST standards are already in the report phase for development around quantum resistant cryptography. Bruce Schneier has a nice succinct article on it too.

Which brings us to the second record reportedly set recently …

2/ Quantum Key Distribution reportedly achieved a distance of over 6.2km

Quantum Key Distribution reportedly achieved a distance of over 6.2km (up from 800m), bringing us ever closer to Quantum connected cities.

And our third and final recent record reportedly set:

3/ One of the largest Distributed Denial of Service (DDoS) attacks reportedly harnessed a botnet of ‘things’ to execute the attack.

Reportedly one of the largest DDoS attacks has been targeted at highly regarded Brian Krebs of KrebsonSecurity. He had a great communications plan, however, and handled the media and the community well – who all felt for him. There is a lesson for us all in how well this incident was managed. The cyberbaddies reportedly used a botnet of recruited ‘things’ over the internet, from cameras to routers. There is more on the front page of Krebs’ site. This highlights the need to patch our ‘things’ given the impact we can have on others, and to lobby for standards and patches where our ‘things’ don’t offer them (and we’d like to keep them on the internet of ‘things’).

In our homes, we need to change passwords from the defaults, patch where possible and keep the systems they are connected to up-to-date. In a business setting we can turn to standards such as NIST’s special publication, and frameworks such as those provided by CPNI, which also refers to the NIST standard. Here is also an old 2013 synopsis toward a whitepaper for executives with some additional links.

Speaking of interconnected things …

‘Things’ are also in, and connected through, space. Chatham House has freshly released a comprehensive research report – and interesting read – on ‘inextricably linked’ cybersecurity and space, which among the highlights points to taking a collaborative approach in addressing it.

Finally, Blockchain is reportedly now not only open but also on a path to standards development with ISO. This had been in the wind for some months and was even reported on NASDAQ.

Until our next wrap …

Dr Sally Ernst | UK and Australian Cyber Security Networks | info@csns.co | https://www.linkedin.com/in/sallyernst | @DrSallyErnst
