Feed on
Posts
Comments

Ashley Madison

It may come as no surprise that Ashley Madison has been hacked again. It is that type of site that some people find offending, hence becomes a target just because it exist. This hack was a lot more severe and they are threatened to close their site completely otherwise a lot of data about their users will be exposed. Quite ironically you have the possibility to pay for a service that deletes all your data but apparently that was lip service only.

It is interesting to look at the costs for Ashley Madison on a larger scale. If data is leaked then there will be a lot of costs for fines but also lost business. Ashley Madison had announced that it would try to raise $200 million in an initial public offering and this opportunity may now be lost. Who said that investing in security is only a fast way to loose money?

A few years back I did an engagement were there was a theoretical possibility that I could have stolen millions of euros. Before conducting that assignment I had to answer the simple question: What is my price? After careful consideration and a lot of calculations I concluded that during that time my price was around €30M. However, that doesn’t seem to be the case for others as this reports concludes. Around 35% are willing to sell out their working place´s information and as many as 25% for as little as €7000.

I have skipped over to London for a few days of vacation and when taking a stroll late in the evening after having a few beers I became witness to the implementation of an ATM-scam. Within 30 seconds I saw two men attach a new front over an ATM and drive away. I waited until they have turned around the corner before calling the policy and within 5 minutes they arrived and could remove the front. Gladly there was a camera that was not immediately visible that had filmed it all, including the plate so they have good hope of finding them.

The last months I have been helping a client to become PCI DSS-compliant again. I have to say that the new standard really emphasising the policy. Everything you do needs to be in a policy. I can appreciate why everything needs to be in a policy but when the QSA asks for strict wording it has gone over the top. Security is not about finding the right words but managing risks.

It has been all over the news recently: It is possible to hack a plane in-flight! I have to say that this is a bold statement in the first place but the sources site a FBI document. I´m a bit reluctant to actually believe it in the first place. Gladly the staff at Wired clarified it a lot here .

A quick answer if you don´t have time to read the article: No, and it is also illegal.

There are times when I wonder why I even started working with security. Today is such a time. I´m currently working at a proposal for Security as a service. Yes, it´s doable but it sure is a struggle to cover everything that’s needed. Gladly it´s not a fixed price offer but only a framework from where they can order services.

Hacking my car

I tend to be a rather slow adopter when it comes to cars. I prefer environmentally friendly cars that are very safe for me to drive but aren´t that costly. Entering Volvo V70 Bifuel, it runs on biogas and has rolled over 300 000 km now. Having an older car means it also breaks down now and then. I recently decided to purchase a OBD-link tool to be able to find out what´s behind the lamps that sometimes flashes. I just wonder if I should dare to run a vulnerability scanner towards the car as well?

I do quite a lot of presentations. This time I was recorded and here is the result. What I describe in this presentation is how we hacked the access control system to be able to walk into a factory and then move forward into the Sony Pictures Hack setting everything into a context.

I do take pride in my skills in communicating all aspects of security but sometimes even I fail. I met with a lawyer recently that was employed at one of my clients. They had a problem with German legislation demanding that they were able to prove that the protection deployed on the laptops were sufficient for protecting personal data. When discussing with him I utterly failed to communicate that there needs to be a security baseline that is followed and that using hard drive encryption on all laptops is not enough when 30% of the employees where domain administrators. At least the CSO understood what I meant.

PCI 3.1

And yet another version of the PCI standard. Not that many changes this time but of course there are always a few. Most notably is that you should now effectively use TLS 1.2 and nothing less. Oh, and don´t forget to write a standard and a policy. Otherwise you´ll fail. There must be someone on the PCI Council that loves documentation.

Older Posts »