Another Californian cyber weekly
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall.
Feel free to forward this on to people you think might be interested. If someone forwarded this to you, then you can subscribe to your own copy at Cyberweekly
Replies to this email come straight to me, so just hit reply to send me feedback, comments or links or tweet it to me @bruntonspall.
This is another early/late newsletter from me, as for the second week in a row, I’m sat in an airport. This time, I’m at San Francisco flying back to the UK.
It’s not been that eventful a week as far as I can tell, so pickings are light this week. Hopefully more next week as I’ll have time to concentrate on catching up on email and happenings.
TSB admits 1,300 cases of fraud
“However, Pester said 70 times the normal level of fraud attacks were seen last month, and he described this as “an unprecedented attack across UK banking from organised crime”, adding that TSB was working with a range of agencies in an attempt to track down the perpetrators.”
When you suffer a public IT failure, your staff will start streamlining processes and you’ll start using emergency procedures a lot more. Are they resistant to fraud, or do they skip the slow and cumbersome security checks? Even worse, your customers, desperate for information, will respond to emails, texts or other contacts out of the blue that seem to help, so phishing will be on the rise.
How I became Leonardo da Vinci on the Blockchain – Terence Eden's Blog
“There's no way to permanently attach a digital certificate to a physical work of art.”
Terence outlines one of the big problems in Blockchain: its relationship to physicality is tenuous at best.
Password Tips From a Pen Tester: Common Patterns Exposed
“When employees are faced with this requirement, they tend to: Choose a dictionary word or a name; Make the first character uppercase; Add a number at the end, and/or an exclamation point”
We knew this anyway, but here is yet more data showing that forcing complexity rules onto people makes them follow patterns in order to cope. The most popular password that meets the complexity requirements and can be changed every 90 days? Winter2018
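As an added illustration (my own code, not from the article or this newsletter), here is a small Python check that flags exactly the structure described above, a capitalised dictionary word or name with trailing digits and/or punctuation, next to a typical complexity rule that such passwords sail through. The base-word list and the recent-year heuristic are assumptions of mine, not from the article.

```python
import re
from typing import List, Optional

# Constructed base-word list standing in for a real dictionary plus a list of
# common first names (assumption: a deployment would load full lists instead).
COMMON_BASES = {"winter", "spring", "summer", "autumn", "password", "welcome",
                "michael", "london", "company"}

# The shape the pen tester describes: one capitalised word, then optional
# trailing digits, then optional trailing punctuation such as "!".
SHAPE = re.compile(r"^([A-Z][a-z]+)(\d{1,4})?([!@#$%*]*)$")


def meets_complexity_policy(pw: str) -> bool:
    """A typical corporate rule: 8+ chars, upper, lower, and a digit or symbol."""
    return bool(len(pw) >= 8
                and re.search(r"[A-Z]", pw)
                and re.search(r"[a-z]", pw)
                and re.search(r"[\d!@#$%*]", pw))


def pattern_findings(pw: str, reference_year: Optional[int] = None) -> List[str]:
    """Return the predictable habits a password follows; empty list means none.

    reference_year lets a caller pin 'recent year' detection for testing.
    """
    m = SHAPE.match(pw)
    if not m:
        return []  # does not have the word+digits+punctuation shape at all
    base, digits, punct = m.groups()
    findings = []
    if base.lower() in COMMON_BASES:
        findings.append("base is a dictionary word or name")
    findings.append("only the first character is uppercase")
    if digits:
        findings.append("digits appended at the end")
        year = reference_year if reference_year is not None else 2018  # assumption
        if len(digits) == 4 and year - 5 <= int(digits) <= year + 1:
            findings.append("trailing digits look like a recent year")
    if punct:
        findings.append("punctuation appended at the end")
    return findings


if __name__ == "__main__":
    for candidate in ("Winter2018", "Michael1!", "purple monkey dishwasher 42"):
        print(candidate, meets_complexity_policy(candidate), pattern_findings(candidate))
```

Winter2018 passes the complexity rule yet trips every pattern check, which is the article's point: the policy measures character classes, not predictability.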
The enduring mythology of the whiz kid
“The team had no money to spend on a solution, and little in the way of technical expertise, so they came up with the idea of using Google Sheets to coordinate infrastructure projects, appointing an existing city employee to manage the spreadsheet.”
This is important. Innovation isn’t about using new technology, it’s about innovating on processes and using the tech available to us.
AI at Google: our principles
“We will design our AI systems to be appropriately cautious, and seek to develop them in accordance with best practices in AI safety research. In appropriate cases, we will test AI technologies in constrained environments and monitor their operation after deployment.”
When you buy that fancy new devsecops tool chain that uses AI and ML to automatically block bad traffic, what capability do you have to monitor and review how that “AI” is working, and to feed back to it if it’s creating problems? See also: https://ai.google/education/responsible-ai-practices for more in depth discussion of the principles.
BYU Neurosecurity Lab - Longitudinal habituation study on warnings
“they show that people not only habituate to warnings, but also that they recover from this habituation effect if a warning isn’t seen for a while (in our case, 24 hours). However, this recovery is not enough to compensate for frequent exposure to warnings over time. This means that systems designers need to be judicious in the number of times warnings are displayed to a user.”
Yet another nail in the coffin for the myth that it’s a requirement for users to read all the security warnings. If you keep showing people warnings, within 15 days the response rate to negative warnings drops to 55%. The researchers find that if you constantly change the styling of the warning, then you only drop to 75%. I think we need to reconsider: when we are showing a security warning, what else could we do instead?
Why Isn't Secure DevOps Being Practiced?
“While adoption varies by industry, the report found only a 12 percent margin between the highest and lowest adopters by industry. High-tech industries lead with 56 percent adoption, while retail was ranked last at 44 percent integration of app security testing in CI/CD workflows. Most commonly, organizations rely on software analysis scanning solutions, dynamic analysis methodologies and third-party penetration testing when secure DevOps is practiced in the enterprise.”
I agree with a lot of this report, especially that the big barriers to embedding security in the build pipeline are that tooling isn’t easy to automate and that it produces a large number of false positives. But that last reason, “developer indifference”, could be turned around to say “security hasn’t made itself relevant”.
In the same way DevOps is about aligning development and operations to care about business goals, I think devsecops is more than just build pipelines, it’s about enabling developers to deliver business value, with security enabling developers to do that.
SaaS security - surely it's simple? - NCSC Site
SaaS security should be simple, but it’s often hard to find guidelines for how to assess the security of a SaaS solution, because SaaS companies don’t publish the information that you’d review for your own systems. This guide gives a good “sniff test” for any SaaS products you might be interested in.
Five Ways in Which Platform Business Models Influence Workers’ Well-Being
“Management by metrics: in addition to managing internal product development with metrics, platforms can also manage their ecosystem through metrics. Ride-hailing platforms, for example, use metrics to manage their drivers who are obliged to achieve or avoid a given threshold as a pre-condition of continued participation on the platform.”
Ok, I struggle to see a full “cyber” interest here, other than an interest in the future of technology and in particular “mediation platforms” like Uber, AirBnB etc. This description of the information asymmetry between platform and operator is an interesting thought. I suspect that there’s actually an asymmetry inside the platform organisation as well: the wealth of information and metrics can overload the platform company and make it hard to see the wood for the trees.
Fraser “ZeroXten” Scott presentation on threat modelling
A good overview of how security engineers might use the OWASP Cloud Security project to review cloud architecture.
That's all for this week. See you next week.
Michael