Climbing Mount WebAppSec – Chrome Extensions

As we move “client-side”, browsers are ever more important as they effectively become our operating system – the Chromebook, for example. Many of the tasks we undertake were traditionally hosted inside the operating system but are now accessed via the browser – email and document processing being the prime examples. As a consequence, browser security has become critical. In order to extend our browser functionality we are dependent on third-party extensions. It is vital we check the privileges granted to these extensions, as they often demand unnecessarily invasive access. To give an example, I recently needed a simple PDF viewer Chrome extension and noted the …

UK Cyber Security Breaches Survey 2016 – Some Quick Stats

The UK government has just published the Cyber Security Breaches Survey 2016 (PDF here). It was commissioned by the Department for Culture, Media and Sport as part of the National Cyber Security Programme, and carried out by Ipsos MORI in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth. It comprised: ▪ a representative telephone survey of 1,008 UK businesses from 30 November 2015 to 5 February 2016 ▪ a total of 30 in-depth interviews undertaken in January and February 2016 to follow up businesses that … Here are some pertinent stats lifted from the report: (69%) say cyber security is either …

The normalisation of biometric authentication

The ‘problem with passwords’ is well documented and grows more acute as traditional network boundaries are blurred with the adoption of mobile devices. As a result, the imperative to counter user impersonation and prove authentication on endpoint devices has never been so critical. Traditionally, biometric solutions have not been widely adopted because of complexity, interoperability, credential storage, spoofing, false failures, flawed technology and perceived intrusiveness. Compounding this, high-profile biometric breaches such as the one that hit the OPM have naturally led the public to ask again “Quis custodiet ipsos custodes?”, and no less because if their card is compromised, they can …

Information Security Basics ARE Sexy

It all begins with a headline such as: “Hackers hack [insert new thing hacked]”. Obviously, you replace “insert new thing hacked” with whatever has just been demonstrated at the latest hacking convention, be that an ATM, fridge, sniper rifle, car, baby monitor, etc. Following this news, two camps will emerge. The first is the FUD (fear, uncertainty and doubt) group, characterised by doomsaying. The second is the junk-hacking group, characterised by being unimpressed with what they call ‘junk hacking’ (junk I found around my house and scared you by hacking it). Both groups probably have their merits. One thing …

Insider threat PSYOPs – know thy employees

Following on from a previous post, in which I noted that a recent security survey revealed that 31% of all information security incidents were employee-related, I wanted to spend a little time on the insider threat. In as many different ways as the insider threat can manifest – from sabotage to theft – there are as many reasons and personality types engaging in such activity. Thus, this is not an examination of insider-threat criminology; rather, given we expend so much of our time keeping the bad actor out of our networks, this is an exploration of what might be done to prevent the potential bad actor …

GCHQ – Moving Out From the Shadows

Noun: Smart Home. Definition: Mini data center minus admin and security staff. This is of course tongue-in-cheek, although some will recognise truth in it. As consumers we are reliant on the manufacturers of our “smart appliances” being cognisant of security and engineering safeguards. But can we trust them? Yesterday we learned that, despite £11bn being spent on new smart energy meters due to be installed in every UK home, GCHQ had to intervene as every meter had the same encryption key. We saw a similar problem in Spain in 2014 with poorly protected credentials. Aside from miscreants leveraging these weaknesses to lower their own energy bills, there …

It’s time to patch our human firewall

In light of a recent article on the IT Governance blog entitled “What exactly is Social Engineering?”, I’d like to take a step back and explore what precedes a successful social engineering attack. I recently asked an expert in social engineering, deception and negotiation the following question: Would you say that underpinning social engineering would be a process of reconnaissance, perhaps using social media? She responded: Almost always these days, Stu! Many articles focus on the attack methods that ultimately give rise to a breach but neglect to mention the single most important aspect of these successful breaches: reconnaissance. The importance of …

Securing the Internet of Things

People talk of the coming Internet of Things (IoT), but what is it and when is it coming? The Oxford English Dictionary defines it thus: The interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. Okay, so when is it coming? The truth is, it’s already here. Gartner estimates that there will be 4.9 billion connected devices this year, up 30% on last year, rising to 25 billion in 2020. With the plethora of news relating to IoT application vulnerabilities, coupled with IoT applications’ increasing demand for user-device information, which is …

DDoS attacks strike hard over the festive period

With Grinch-like predictability, DDoS attacks have almost become part of the Christmas and New Year festive period. Last year saw the Microsoft and Sony gaming networks swamped and taken offline, much to the chagrin of players worldwide. I’m not entirely sure what the “hacktivists’” motives were, and I’m not convinced they feel they need one. This year was no different, except for this particular DDoS attack on Steam, which allowed users to view other users’ private information: In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam …

Anatomy of a Spear Phishing attack

Competent IT network admins have upped their security game. They’re constantly on the lookout for news on vulnerabilities, implementing necessary vendor patches and updates with gusto, and even scanning their own systems for open doorways and weaknesses. This is all good and necessary stuff. The upshot is that perimeter defences are strong, there’s a diminishing attack surface and criminals are finding it increasingly difficult to locate low-hanging fruit. THE FLIP SIDE: As with the famous Maginot Line, criminals are going around the wall and targeting the ‘meatware’ or ‘human OS’. Every single day, grim news headlines confirm the above assertion. Given …