Cyberweekly - The second iteration
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall. Replies to this email come straight to me, so just hit reply to send me feedback, comments or links or tweet it at me @bruntonspall.
I've been in the US this week at Code for America, which has been equal parts inspiring and frustrating. So many civic projects being built, so much good work going on, but consistently people tell me that their interactions with security are negative, that they can’t get help, only told no, or made to jump through pointless hoops. How we change this is the challenge facing the security industry, and I don’t think it’s through blockchain, machine learning or other technological methods, but by talking to each other more.
Anyway, this letter is slightly early due to catching the flight back.
Visa system crashes - guardian live blog
[This issue is live as I write this newsletter; hopefully more next week, assuming it’s security related, though initial reports are that it’s a hardware issue. But, regardless, this jumped out at me from the coverage]
“Peter Hahn, the professor of banking at the London Institute of Banking and Finance, said consumers should be prepared for the possibility of “cyber risks” at all times by having backup payment options. [...] That almost means you should have two bank accounts. Cyber risks can happen really anywhere”
This is the sort of advice that is totally useless to your average consumer, and is exactly why people don’t listen to security advice: security experts don’t seem connected to the real lives of real people, who have only one bank account and no ability to get other credit cards.
The man who cracked the lottery
“And that’s when the idea first came. “Just like a little seed that was planted,” Tipton said in his proffer. “And then during one slow period I just had a — had a thought that it’s possible, and I tried it and I put it in.””
Interesting account of a real insider job. Working out what could have been done to prevent, detect or recover from this is an interesting exercise.
Isolated Networks in the Cloud – SensorFu
“Because they don’t work like traditional networks, with switches and routers, there are nuances in each platform that must be taken into account”
This is an interesting review of networking in the cloud. It’s useful to be reminded that cloud networks aren’t like real-world networks, and as such certain traditional principles and patterns might not be appropriate.
The crooked timber of humanity
“The scam was only uncovered in 1836, when the crooked operator in Tours fell ill and revealed all to a friend, who he hoped would take his place”
Collusion is much harder than an individual insider or attacker. Personnel controls like enforced holiday or role rotation can deter and reveal insider threats. Also I didn’t realise how close Terry Pratchett’s clacks system was to reality!
VPNHUB - a free VPN from the company behind pornhub
“What do you get with premium? You get no more ads, a faster connection and you can choose from a wide range of countries.”
A free VPN for mobile use, with unlimited bandwidth, is interesting. This makes sense for pornhub, especially with increasing monitoring of adult browsing. But the “no more ads” makes me curious what they are actually doing with the connection. A quick test and I can't see anything obvious going on with adverts, which makes me doubly curious.
GitHub - fireeye/GeoLogonalyzer: GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.
This is a cute tool for analysing your VPN logs for anomalous behaviour, such as a user logging in from different remote locations faster than it is humanly possible to travel between them.
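As an added example (not the GeoLogonalyzer code itself), this is the core of the travel-feasibility check the tool performs: sort each user's logons by time, geolocate consecutive source IPs, and flag any pair whose implied speed no traveller could achieve. The IP-to-location table and the log lines are constructed for the demo; a real deployment would resolve source IPs with a geolocation database.

```python
# Added example, not GeoLogonalyzer's code: flag "impossible travel" between
# consecutive remote logons. The IP-to-location table is constructed for the
# demo; a real tool would resolve source IPs with a geolocation database.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (lat, lon) table using RFC 5737 documentation addresses.
GEO = {
    "198.51.100.10": (51.5074, -0.1278),   # London
    "203.0.113.20": (37.7749, -122.4194),  # San Francisco
    "192.0.2.30": (52.5200, 13.4050),      # Berlin
}

# Constructed sample log lines: "<ISO-8601 timestamp> <user> <source IP>".
SAMPLE_LOG = """\
2018-06-01T09:00:00Z alice 198.51.100.10
2018-06-01T10:30:00Z alice 203.0.113.20
2018-06-01T09:15:00Z bob 198.51.100.10
2018-06-01T11:45:00Z bob 192.0.2.30
"""

MAX_SPEED_KMH = 1000.0  # roughly airliner cruising speed

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse_log(text):
    """Yield (user, timestamp, ip) from the whitespace-separated log format."""
    for line in filter(str.strip, text.splitlines()):
        ts, user, ip = line.split()
        yield user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip

def impossible_travel(text, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_ip, to_ip, speed_kmh) for each pair of consecutive
    logons by one user whose implied speed exceeds max_speed_kmh."""
    last, alerts = {}, []
    for user, ts, ip in sorted(parse_log(text), key=lambda e: e[1]):
        if user in last:
            prev_ts, prev_ip = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(GEO[prev_ip], GEO[ip])
            speed = km / hours if hours > 0 else float("inf")  # same-second logons
            if km > 0 and speed > max_speed_kmh:
                alerts.append((user, prev_ip, ip, round(speed, 1)))
        last[user] = (ts, ip)
    return alerts
```

With the sample data, alice's London-to-San Francisco hop in 90 minutes is flagged while bob's London-to-Berlin trip over two and a half hours is not.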
Delivery-driven Government
As well as believing this in the large, how government policy can be shaped, this works for me in the small when we talk about security policies in organisations. Are those policies based on user needs? Do they help the users do the right thing? If your end user device policy doesn’t take account of how real users use the devices in the real world, your users will just work around those policies.
The detection of faked identity using unexpected questions and mouse dynamics
“While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors”
This is interesting research for detecting fraudulent applications. It would be interesting to see good data on false positive rates, and to hear from anyone using similar heuristics as input to their fraud engines.
The state of cybersecurity at financial institutions
An interesting insight into the role of CISOs, and cyber security at financial organisations. Interesting, if slightly predictable, that the focus is on operational security, primarily in IT, rather than any focus on building security in, on security engineering and proactive security approaches.
Troy Hunt: Subresource Integrity and Upgrade-Insecure-Requests are Now Supported in Microsoft Edge
“SRI and Upgrade-Insecure-Requests are supported across all the major browsers - just do it!”
Says it all really.
Do Not Sell My Personal Information: California Eyes Data Privacy Measure
“Brookman predicts many companies will implement the same standards nationally. "Most companies aren't going to try to configure their systems to guess when an IP address is based in California," he says. "They'll say, 'You know what, this isn't that hard to do. We're just going to do it for the entire country.' "”
I think his optimism is a little strong, but nevertheless it will be interesting to see what happens if California does pass some data protection legislation.
Five real things about security in agile
“I have learnt to take a very harsh default position with anyone with “security” in their name – you have about 3 interactions to demonstrate that you’re there to actually explain security and help deliver before you’re mentally tarred with the “enterprise” brush of doom.”
Dan has done agile security at one of the biggest and hardest programmes in the UK government. His insight here into what works and what you should be doing is invaluable and well worth reading.
VPNFilter EXIF to C2 mechanism analysed - Securelist
More info on VPNFilter, in particular how the C2 addresses are actually encoded in the images that it can download.
That's all for this week. See you next week.
Michael