Feed on

A few years back I did an engagement were there was a theoretical possibility that I could have stolen millions of euros. Before conducting that assignment I had to answer the simple question: What is my price? After careful consideration and a lot of calculations I concluded that during that time my price was around €30M. However, that doesn’t seem to be the case for others as this reports concludes. Around 35% are willing to sell out their working place´s information and as many as 25% for as little as €7000.

I have skipped over to London for a few days of vacation and when taking a stroll late in the evening after having a few beers I became witness to the implementation of an ATM-scam. Within 30 seconds I saw two men attach a new front over an ATM and drive away. I waited until they have turned around the corner before calling the policy and within 5 minutes they arrived and could remove the front. Gladly there was a camera that was not immediately visible that had filmed it all, including the plate so they have good hope of finding them.

The last months I have been helping a client to become PCI DSS-compliant again. I have to say that the new standard really emphasising the policy. Everything you do needs to be in a policy. I can appreciate why everything needs to be in a policy but when the QSA asks for strict wording it has gone over the top. Security is not about finding the right words but managing risks.

It has been all over the news recently: It is possible to hack a plane in-flight! I have to say that this is a bold statement in the first place but the sources site a FBI document. I´m a bit reluctant to actually believe it in the first place. Gladly the staff at Wired clarified it a lot here .

A quick answer if you don´t have time to read the article: No, and it is also illegal.

There are times when I wonder why I even started working with security. Today is such a time. I´m currently working at a proposal for Security as a service. Yes, it´s doable but it sure is a struggle to cover everything that’s needed. Gladly it´s not a fixed price offer but only a framework from where they can order services.

Hacking my car

I tend to be a rather slow adopter when it comes to cars. I prefer environmentally friendly cars that are very safe for me to drive but aren´t that costly. Entering Volvo V70 Bifuel, it runs on biogas and has rolled over 300 000 km now. Having an older car means it also breaks down now and then. I recently decided to purchase a OBD-link tool to be able to find out what´s behind the lamps that sometimes flashes. I just wonder if I should dare to run a vulnerability scanner towards the car as well?

I do quite a lot of presentations. This time I was recorded and here is the result. What I describe in this presentation is how we hacked the access control system to be able to walk into a factory and then move forward into the Sony Pictures Hack setting everything into a context.

I do take pride in my skills in communicating all aspects of security but sometimes even I fail. I met with a lawyer recently that was employed at one of my clients. They had a problem with German legislation demanding that they were able to prove that the protection deployed on the laptops were sufficient for protecting personal data. When discussing with him I utterly failed to communicate that there needs to be a security baseline that is followed and that using hard drive encryption on all laptops is not enough when 30% of the employees where domain administrators. At least the CSO understood what I meant.

PCI 3.1

And yet another version of the PCI standard. Not that many changes this time but of course there are always a few. Most notably is that you should now effectively use TLS 1.2 and nothing less. Oh, and don´t forget to write a standard and a policy. Otherwise you´ll fail. There must be someone on the PCI Council that loves documentation.

Most of you have read the news of what happened to Sony Pictures. A truly devastating attack where ransomware, or to be more precise a Trojan with ransomware and other devastating payload, played a crucial role in the mayhem. When I talk with my peers not all of them fully understand the possibilities that ransomware opens up to the hackers. What we are talking about is the possibility to kidnap an entire company´s infrastructure and make a crippling blow to all their IT.

Older Posts »