CyberWeekly - third time's a charm
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall.
Feel free to forward this on to people you think might be interested. If someone forwarded this to you, then you can subscribe to your own copy at Cyberweekly.
Replies to this email come straight to me, so just hit reply to send me feedback, comments or links or tweet it to me @bruntonspall.
In what's beginning to feel like a habit now, this email is coming to you from the US, so apologies for the early transmission. I’m out here for Velocity Conference and hoping to find lots of new tools and approaches.
Cyber wars by Charles Arthur (Amazon Affiliate Link)
“At the time, the fine was the ICO’s largest ever. It worked out to between £25.50 and £2.54 per affected customer, depending on what value one puts on the exposure of the bank information. If you put a £20 value on the bank detail exposure, each individual’s data exposure is worth £0.55; if each individual’s data exposure merits £2 of fines, the bank details are worth about £5.50. So the fines equated to somewhere between £7 and £20 per person affected.”
This book by Charles Arthur is an excellent read, well researched and filled with links to the relevant background research. But the most interesting takeaway to me was the background on the TalkTalk hacking scandal. The fine for being breached was far higher for losing much more sensitive identity data in bulk. Furthermore, the churn rates went up in a spike but then returned, so it appears that customers really don’t seem to care if you lose their data.
Serverless Architectures
“In the original version, all flow, control, and security was managed by the central server application. In the Serverless version there is no central arbiter of these concerns. Instead we see a preference for choreography over orchestration”
This is a good description of serverless, in particular FaaS (think Amazon Lambda). The change in architectures means a change in security. No longer will security be centralised, or by access (perimeter or network security), or even authentication as security (auth as the control plane). Instead I think we’ll see the rise of complex and ever-changing policies, like AWS IAM or Azure policies. But we don’t yet have tooling or approaches for visualising those, managing the changes, or easily auditing or assuring that the policies don’t have vulnerabilities (think about the number of publicly readable S3 buckets, for example).
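As an added illustration of the kind of policy audit the paragraph above says is missing (this is example code written for this newsletter, not from any of the linked projects), the check below parses an S3 bucket policy document and flags Allow statements that grant object-read actions to an anonymous principal. The policy and account id are constructed sample data.

```python
import json

# Constructed sample bucket policy: the first statement is the classic
# "public read" mistake (Principal "*" on s3:GetObject); the second is
# scoped to a single (made-up) account and should not be flagged.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Same policy with the public statement removed, for comparison.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "TeamWrite", "Effect": "Allow",
                  "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
                  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
})

# Actions that let a caller read bucket contents (wildcards included).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

def _as_list(value):
    """IAM allows a string, a list, or a single object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _is_anonymous(principal):
    """True if the Principal element grants to everyone, in either spelling."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_public_read_statements(policy_json):
    """Return the Sids of Allow statements giving anonymous principals read access.
    Conditions are not evaluated: a conditioned grant is still reported for review."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits
```

The same walk over `Statement` works for a policy fetched with the AWS CLI (`aws s3api get-bucket-policy`), whose `Policy` field is exactly this JSON document as a string.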
How Judea Pearl Became One of AI's Sharpest Critics - The Atlantic
“As he sees it, the state of the art in artificial intelligence today is merely a souped-up version of what machines could already do a generation ago: find hidden regularities in a large set of data. “All the impressive achievements of deep learning amount to just curve fitting,” he said recently.”
The argument that modern machine learning is just applied statistics is not new, and while I agree that there’s interesting value in interrogative AI, for cyber security, and in particular operations and analysts, understanding that machine learning is just curve fitting helps us work out where we can apply it more usefully. I think the deeper AI work in here will be more useful for analysts dealing with the questions of why and attribution in the future.
Hackers threaten to reveal personal data of 90,000 Canadians caught in bank hack | CBC News
“The hackers say they used the algorithm to get account numbers, which allowed them to pose as authentic account holders who had simply forgotten their password. They say that was apparently enough to allow them to reset the backup security questions and answers, giving them access to the account.”
Another day, another breach. The reporting is a bit confused, they used an algorithm, or they reset people’s passwords, or something. The key thing for me is the scale again. 90,000 customers is a lot. It’s not clear over what time, but do you measure the number of password resets/minute/hour you do?
Whois? Whowas. So what's next for ICANN and its vast database of domain-name owners? • The Register
“But ICANN and the American corporations that dominate the non-profit based in California have refused to accept that reality and, as a result, have been soundly embarrassed three times in three months.”
This is a thorough dressing down of ICANN and a good overview of the problems that have plagued it for the last few years. Given the supposed value of WHOIS to law enforcement and cyber defence, the future plans are something to watch.
Security Debt and the Keys to the Kingdom | Decipher
“We drilled down into the accounts that were popped and were disturbed to discover that almost 100 accounts were administrative-level access for people that were no longer with the company. For whatever reason, the add/remove process for staff had completely broken down”
Security debt can come because of a failure to move with the tide of technology, the growing average age of your technical systems for example. But it also comes when your processes don’t connect with security because security isn’t offering an obvious value to the process owner. Processes can then change without consulting security.
stethoscope-app/README.md at master · Netflix-Skunkworks/stethoscope-app · GitHub
“The Stethoscope app is a user-respecting, decentralized approach to promoting good security configurations for desktop and laptop computers.”
User respecting in this case means it doesn’t run in the background and it doesn’t change things without the user’s consent. But certain web applications might require you to be running it and your computer to meet a set of criteria such as patch level. This is a lovely tool and a great indication of the approach.
Delivering for citizens: How to triple the success rate of government transformations | McKinsey & Company
“Another challenge is a lack of leadership longevity. For example, a review of ministers of health across 23 countries from 1990 to 2009 found that half of them served for less than two years in office.”
There’s a bunch of interesting material in this report, but this stood out. If political appointees, regardless of country, don’t stay longer than 2 years, which is far shorter than most operational cybersecurity risks take to materialise, how will we ever get people to prioritise good operational security?
Side-channel attacking browsers through CSS3 features
Layering an image over the top of an IFrame from another site won’t tell you the resultant colour, that would be an explicit information leak, but certain blend modes take longer than others based on the source pixel value. This is a lovely demonstration of how to identify and generate a proof of concept for a timing side channel attack.
GitHub - senorprogrammer/wtf: A personal information dashboard for your terminal.
This seems like a cute console utility for displaying information. If you prefer your status in the terminal, this includes CVSS feeds, for example.
That's all for this week. See you next week.
Michael