<h1>Vertices</h1>
<p>Steve Love</p>
<h1>What's your network good for?</h1>
<p>Steve Love, 2016-05-23</p>
<a href="http://perfectcobalt.com/" target="_blank"><img alt="perfectcobalt" border="0" src="http://www.perfectcobalt.com/images/logo.png" height="173" width="200" /></a>
<h2>More to cyber-security than protecting data</h2>
<p>Information security isn't just about your customer data, or even your own business data. Even if you store <i>no</i> information about your customers or anything else (perhaps you use The Cloud, but that's a whole different story in any case), you still need to worry about Cyber Security.</p>
<p>Or to put it another way, even if you're not a target, you might still be a stooge.</p>
<p>Some while ago, Brian Krebs published a striking image of what a compromised PC might be used for: <a href="http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/" target="_blank">http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/</a></p>
<p>It's far from a complete list, of course. New ways to use computers seem to come round every day, but even off the top of my head, I could add crypto-currency "mining" and password-hash cracking. Your hacked PC might just be a single node in a whole network - a Dark Cloud if you like.</p>
<h3>Hidden risks</h3>
<p>The threat posed to you by having someone else use your computers and network shouldn't be underestimated. What is your legal position if you are found to have been used to launder money obtained by fraud? What about hosting pirated music, software, or other media?</p>
<p>Some of the risks are less obvious. If your PC is used as a source for sending Spam emails, your network address may end up getting blacklisted in some databases used to identify such things. This might mean your newsletters, legitimate marketing emails, even queries or invoices getting lost straight into your customers' spam buckets.</p>
<p>In a really bad scenario, it might be your domain name that gets blacklisted, possibly making your website un-searchable, or even unobtainable.</p>
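<p>The blacklists mentioned in the two paragraphs above are usually DNS-based blocklists: a mail server checks a sending address or domain by looking up a specially formed DNS name, and a reply in the 127.0.0.0/8 range means "listed". As an added example (not code from the original post or from PerfectCobalt), the following shows how an administrator can check their own outbound address and domain against such a list. The zone names <code>dnsbl.example</code> and <code>dbl.example</code> and the answer table are constructed placeholders so the code runs offline; real list operators publish their own zone names and document what each return code means.</p>

```python
import ipaddress
import socket

# Placeholder zone names (assumptions, not real blocklists) and a constructed answer table
# that stands in for DNS so the example runs offline. Real IP lists and domain lists are
# separate zones run by their operators, who document the meaning of each 127.x.y.z code.
CONSTRUCTED_IP_ZONE = "dnsbl.example"
CONSTRUCTED_DOMAIN_ZONE = "dbl.example"
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],               # 192.0.2.10 listed under one code
    "99.2.0.192.dnsbl.example": ["127.0.0.2", "127.0.0.4"],  # 192.0.2.99 listed under two codes
    "example.org.dbl.example": ["127.0.1.2"],                # a domain listed on the domain list
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Lookup name for an IPv4 address: the octets reversed, then the list's zone.
    192.0.2.10 checked against dnsbl.example becomes 10.2.0.192.dnsbl.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only; IPv6 lists use nibble-reversed names, not handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dbl_query_name(domain: str, zone: str) -> str:
    """Lookup name for a domain on a domain blocklist: the domain itself, then the zone."""
    return domain.strip().rstrip(".").lower() + "." + zone


def constructed_resolver(name: str) -> list[str]:
    """Offline stand-in for DNS: A records for the name, or [] when it does not exist."""
    return CONSTRUCTED_ANSWERS.get(name, [])


def live_resolver(name: str) -> list[str]:
    """Real lookup through the system resolver; a non-existent name (NXDOMAIN) means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def listing_codes(query_name: str, resolve) -> list[str]:
    """Answer codes for one query name. A listing is signalled by an A record in 127.0.0.0/8;
    the meaning of each code (and any codes reserved for query errors) comes from the
    operator's documentation, so this returns the raw codes for the caller to interpret."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in resolve(query_name) if ipaddress.ip_address(a) in loopback]


def check_sender(ip: str, domain: str, ip_zone: str, domain_zone: str,
                 resolve=constructed_resolver) -> dict:
    """Check both the sending address and the sending domain; empty lists mean not listed."""
    return {
        "ip": ip,
        "ip_codes": listing_codes(dnsbl_query_name(ip, ip_zone), resolve),
        "domain": domain,
        "domain_codes": listing_codes(dbl_query_name(domain, domain_zone), resolve),
    }


if __name__ == "__main__":
    # Documentation addresses (192.0.2.0/24) and reserved example domains: constructed input.
    for ip, dom in [("192.0.2.10", "example.org"), ("192.0.2.50", "example.com")]:
        print(check_sender(ip, dom, CONSTRUCTED_IP_ZONE, CONSTRUCTED_DOMAIN_ZONE))
```

<p>Passing <code>resolve=live_resolver</code> together with a real list's zone name turns this into a live check of your own outbound address; run it on a schedule and alert on any non-empty result, since being listed is exactly the "lost into the spam bucket" failure described above.</p>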
<p>As ever, straightforward vigilance can make all the difference. Regular anti-virus and anti-malware scans are vital, because they can spot if a device is already being used. Attackers use a variety of means to retain "back doors" to compromised networks, but regular anti-malware scanning means they have to work <i>much</i> harder to remain undetected.</p>
<p>Prevention requires different tools and is all about having regular vulnerability scans, to ensure you're not leaving doors open that an attacker can use to get access.</p>
<p><a href="http://perfectcobalt.com/" target="_blank">perfectcobalt.com</a><br />
<a href="mailto:info@perfectcobalt.com" target="_blank">info@perfectcobalt.com</a><br />
<a href="https://twitter.com/PerfectCobalt" target="_blank">@PerfectCobalt</a></p>
<h1>Article: Using open WiFi securely</h1>
<p>Steve Love, 2016-04-18</p>
<h2>An Open Question</h2>
<h3>(Or How I Learned To Stop Worrying And Love Public Wi-Fi)</h3>
<p>I recently wrote about some of the risks of using public WiFi, and some of the measures you can take to protect yourself.</p>
<p>The article was first published in C Vu Vol 28 #1, March 2016 - the <a href="http://accu.org/" target="_blank">ACCU</a> members' magazine.</p>
<h4><a href="http://www.perfectcobalt.com/articles/openwifi.html" target="_blank">An Open Question</a></h4>
<p>Disclaimer alert: I am the editor of said magazine!</p>
<h1>Privacy vs Security in Business</h1>
<p>Steve Love, 2016-04-15</p>
<h2>One Person's Security is another's Privacy</h2>
<p>There's been much in the news of late regarding the tension between (national) security and (personal) privacy. Apple vs. FBI, UK Gov's Investigatory Powers Bill, various anti-encryption proposals in the US and elsewhere, all putting security and privacy at odds with each other. There is another side to the story, however.</p>
<p>If you are a custodian of data about your customers - a Data Controller in the dry jargon of UK Data Protection Law - then you have a responsibility to take adequate measures to prevent that data from being accessed by unauthorized people, or being stolen. In effect, you are accountable to your customers regarding <i>their</i> right to privacy. It's not really <i>your</i> data, it's theirs.</p>
<p>A recent report by KPMG (<a href="https://home.kpmg.com/content/dam/kpmg/pdf/2016/02/small-business-reputation-new.pdf" target="_blank">Small Business Reputation &amp; Cyber Risk</a>) suggests that <b>over half of small-business customers would be discouraged from using a company that had suffered a data breach</b>, and that 90% of them are concerned about the safety of the data that businesses hold about them. In short, consumers - your customers - take their data privacy seriously.</p>
<p>It's not just about privacy, either. The issue of identity fraud is extremely serious, and growing, and at least some of the data used by cyber-criminals to impersonate people is gathered from personal information leaked by security breaches.</p>
<p>The KPMG report also claims that 86% of procurement managers would consider removing a business from their supplier roster after a breach. This is also a grave statistic for small businesses who fail to take their information security responsibilities seriously enough.</p>
<p>Which brings me neatly to my final point, also highlighted in that KPMG report. Over half of the small businesses surveyed think it unlikely - or even highly unlikely - that they would be the target of an attack. And yet, another recent survey by PricewaterhouseCoopers (commissioned and sponsored by the UK government - <a href="https://www.gov.uk/government/publications/information-security-breaches-survey-2015" target="_blank">Information security breaches survey 2015</a>) reports that <b>74% of small businesses had suffered some form of data breach in 2015</b>.</p>
<p>Your customers value their privacy, and trust you to safeguard <i>their</i> data. It's your security that protects their privacy. If you don't take your own cyber-security seriously enough, you risk losing that trust.</p>
<h1>The Old Ones are the Best Ones</h1>
<p>Steve Love, 2016-04-05</p>
<h2>The Low Hanging Fruit</h2>
<p>Whilst vulnerabilities such as Shellshock, Heartbleed and DROWN are undoubtedly nasty, they aren't very easy to exploit, at least until they are identified. The thing with zero-day vulnerabilities like these is that it's generally quite difficult to identify them in the first place. It usually requires crafting malicious packets, probing for buffer over-runs, attempting large-scale denial of service attacks, or seeing if protocol flaws can be exploited. Or some combination of the above. All of these take skill and patience.</p>
<p>If you are the developer of a widely used encryption library, or a ubiquitous runtime library, then you do indeed need to care about these things. "Widely used" in this sense means having millions of users. And that's what makes such things attractive to attackers, and worth concentrating their effort on finding those vulnerabilities.</p>
<p>However, it's not <b>always</b> the zero-day exploits that catch people out.</p>
<p>If your software is sending customer passwords in plaintext back to the MotherShip, or fails to correctly validate user input from a form, then attackers aren't going to bother looking for more subtle exploits. They already found the low hanging fruit.</p>
<p>And this can happen to software that is widely used: <a href="https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753#.bzelzn2vv">https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753#.bzelzn2vv</a></p>
<p>This isn't even low hanging fruit, it's fruit that's already fallen off the tree and is just lying there, waiting to be picked up. In this instance, the "attacker" had the best of intentions: to highlight a flaw in Valve's process. When they were notified, Valve immediately engaged with the perpetrator to get the problem fixed.</p>
<p>Not everyone takes their security so seriously, even after they've been exploited. The moral is this: it's better to find out if you have vulnerable systems <i>before</i> you're attacked by someone who almost certainly will not tell you they've done it!</p>
<h1>Whose Data Is It Anyway?</h1>
<p>Steve Love, 2016-03-30</p>
<h2>The Real Cost of Cyber-Security</h2>
<p>According to a UK government-sponsored survey carried out by PwC (<a href="https://www.gov.uk/government/publications/information-security-breaches-survey-2015" target="_blank">information-security-breaches-survey-2015</a>), 74% of small businesses in the UK suffered some form of data breach in 2015. Nearly one third of all businesses surveyed declared that they had performed <b>NO</b> security risk assessment in that time. Obviously these are the headlines in broad strokes, but it's clear that some correlation exists between those things, especially factoring in the other broad statistic: that the cost of data breaches to small business was, on average, between £75,000 and £311,000.</p>
<p>These are fairly worrying statistics, not least because the survey had already filtered out responses from companies who felt unable to answer the questions, for whatever reason.</p>
<p>The cost shown above accounts for such things as material loss of business as the result of a breach, regulatory fines imposed for failing to adequately protect data, business disruption and so on. It's much harder to put a hard number on <i>reputational</i> damage. Customers are increasingly aware of the value of their personal data, and the importance of identity integrity. Any business who fails to protect that data risks losing the trust of those customers - and their business.</p>
<p>I would go a step further: businesses need to understand that they are only <i>stewards</i> of the data, that ultimately data about a particular customer belongs to the <i>customer</i>.</p>
<p>More succinctly, if I'm your customer, it's not your data, it's mine.</p>
<h4>What is to be done?</h4>
<p>The security media seems focussed on the latest zero-day attacks (exploiting vulnerabilities for which no patch or fix is available), coupled with the latest high-profile breaches in industry. Serious vulnerabilities are even being given names, possibly to make them more accessible, resulting in <a href="http://heartbleed.com/" target="_blank">Heartbleed</a>, <a href="http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html" target="_blank">Shellshock</a> and <a href="https://drownattack.com/" target="_blank">DROWN</a>.</p>
<p>These are indeed very serious issues, and need to be addressed by anyone using the technologies involved, but I doubt they account for most or even many of the attacks reported by PwC in their report. Without naming names, there have been a number of very high-profile data breaches of late, many of which seem to have been possible due to careless security practices within the companies who were victim to attack. Poor password policies on critical systems, and vague or non-existent security procedures for dealing with things like <a href="https://en.wikipedia.org/wiki/Phishing" target="_blank">phishing</a> and <a href="https://en.wikipedia.org/wiki/Malware" target="_blank">malware</a>, seem to have been the primary causes.</p>
<p>These vulnerabilities aren't new, they don't require expensive tech or cutting-edge methods to exploit, but they do exist, and they <i>are</i> dangerous. Not all businesses are at risk from state-sponsored attack, or zero-day exploits, because they are generally expensive to implement. They are certainly expensive to protect against.</p>
<p>Most businesses, on the other hand, <i>are</i> vulnerable to simple automated attacks such as port-scanning, password brute-forcing and 3rd party software version/patch vulnerabilities. These things, by contrast, are relatively easy to identify, and much less expensive to protect against.</p>
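<p>To show how readily one of those simple automated attacks, password brute-forcing, stands out in the logs a business already has, here is an added example (not code from the original post or from PerfectCobalt): a small sliding-window detector run over constructed OpenSSH-style <code>auth.log</code> lines. The log lines, hostname, process ids and addresses are made up (the addresses come from documentation ranges), and the threshold and window are illustrative defaults rather than recommended values.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH auth.log style; the hostname, PIDs and addresses are made up
# (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar 30 09:20:01 mail sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 30 09:20:03 mail sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar 30 09:20:05 mail sshd[2105]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 30 09:20:06 mail sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 51244 ssh2
Mar 30 09:20:08 mail sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2
Mar 30 09:20:09 mail sshd[2111]: Failed password for root from 198.51.100.7 port 51252 ssh2
Mar 30 09:21:30 mail sshd[2120]: Failed password for steve from 203.0.113.9 port 40001 ssh2
Mar 30 09:21:41 mail sshd[2120]: Accepted password for steve from 203.0.113.9 port 40001 ssh2
Mar 30 09:35:10 mail sshd[2140]: Failed password for steve from 203.0.113.9 port 40010 ssh2
"""

# Matches only failed password attempts; "invalid user" marks names that do not exist locally.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text: str, year: int = 2016) -> list[tuple[datetime, str, str]]:
    """Extract (timestamp, source ip, username) from failed-login lines; other lines are ignored.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(events, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Sliding-window detector: a source is flagged the first time it accumulates `threshold`
    failures within `window_seconds`. Returns {ip: {"flagged_at", "failures", "users"}} for
    flagged sources only; the distinct usernames show whether one account or many were tried."""
    recent = defaultdict(deque)  # per-source timestamps still inside the current window
    totals = defaultdict(lambda: {"failures": 0, "users": set(), "flagged_at": None})
    for ts, ip, user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old failures
            q.popleft()
        t = totals[ip]
        t["failures"] += 1
        t["users"].add(user)
        if len(q) >= threshold and t["flagged_at"] is None:
            t["flagged_at"] = ts
    return {ip: t for ip, t in totals.items() if t["flagged_at"] is not None}


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures across {len(info['users'])} usernames, "
              f"flagged at {info['flagged_at']:%H:%M:%S}")
```

<p>With the defaults, the burst from 198.51.100.7 is flagged on its fifth failure while the two spread-out mistypes from 203.0.113.9 are not; widening the window and lowering the threshold catches slow, patient attempts at the cost of more false positives, which is the tuning trade-off any such rule carries. The same shape of check applies to any service that logs failed logins, and the cheap mitigations it points to are the ones the paragraph above has in mind: rate-limiting, lockout or fail2ban-style blocking, and not exposing password logins to the internet at all.</p>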
<h4>Here it comes: the sell</h4>
<p>If you got this far, then perhaps you'll forgive me this plug. <a href="http://perfectcobalt.com/" target="_blank">PerfectCobalt</a> is an Information Security company which specialises in providing an affordable, straightforward service to businesses of all sizes, but particularly small businesses who perhaps are unable to justify spending huge amounts of money on cyber-security. If those businesses instead do nothing, it puts their data, and their customers' data, at risk.</p>
<p>We focus on identifying and advising on common vulnerabilities such as those mentioned above, because they present the largest attack surface, and present the greatest risk.</p>
<p>If you would like to find out more about PerfectCobalt's services, see our <a href="http://perfectcobalt.com/" target="_blank">website</a>. You can follow our updates on the Twitters as well: <a href="https://twitter.com/PerfectCobalt" target="_blank">@PerfectCobalt</a>.</p>