I started out in this field many years ago, more or less 1998 give or take a few years depending on your definition of security. Each year I have found the work to be harder and harder with more and more to learn and rising complexity to manage. Quite a few friends and former colleagues have run into the wall and burned out. I have never been there myself but the stress sure is killing you sometimes. I found this article recently and it do point out quite a number of issues within the field. We need to find better solutions to minimise the workload. My take is to remove the most valuable information all together and work with tokens instead as long as possible and have the most valuable information in as few places as possible, the same thing that happened with PCI DSS.
Even if you are aware of the risk with using the same account name and password on different sites, sometimes you reuse it just because it makes your life easier. The problems arise if a site is hacked and you are unaware of it. Gladly there is a free service that monitors leaked information and looks for account names and email address. If you are interested in finding out if your account is out there register for this service.
It may come as no surprise that Ashley Madison has been hacked again. It is that type of site that some people find offending, hence becomes a target just because it exist. This hack was a lot more severe and they are threatened to close their site completely otherwise a lot of data about their users will be exposed. Quite ironically you have the possibility to pay for a service that deletes all your data but apparently that was lip service only.
It is interesting to look at the costs for Ashley Madison on a larger scale. If data is leaked then there will be a lot of costs for fines but also lost business. Ashley Madison had announced that it would try to raise $200 million in an initial public offering and this opportunity may now be lost. Who said that investing in security is only a fast way to lose money?
A few years back I did an engagement were there was a theoretical possibility that I could have stolen millions of euros. Before conducting that assignment I had to answer the simple question: What is my price? After careful consideration and a lot of calculations I concluded that during that time my price was around €30M. However, that doesn’t seem to be the case for others as this reports concludes. Around 35% are willing to sell out their working place´s information and as many as 25% for as little as €7000.
I have skipped over to London for a few days of vacation and when taking a stroll late in the evening after having a few beers I became witness to the implementation of an ATM-scam. Within 30 seconds I saw two men attach a new front over an ATM and drive away. I waited until they have turned around the corner before calling the policy and within 5 minutes they arrived and could remove the front. Gladly there was a camera that was not immediately visible that had filmed it all, including the plate so they have good hope of finding them.
The last months I have been helping a client to become PCI DSS-compliant again. I have to say that the new standard really emphasising the policy. Everything you do needs to be in a policy. I can appreciate why everything needs to be in a policy but when the QSA asks for strict wording it has gone over the top. Security is not about finding the right words but managing risks.
It has been all over the news recently: It is possible to hack a plane in-flight! I have to say that this is a bold statement in the first place but the sources site a FBI document. I´m a bit reluctant to actually believe it in the first place. Gladly the staff at Wired clarified it a lot here .
A quick answer if you don´t have time to read the article: No, and it is also illegal.
There are times when I wonder why I even started working with security. Today is such a time. I´m currently working at a proposal for Security as a service. Yes, it´s doable but it sure is a struggle to cover everything that’s needed. Gladly it´s not a fixed price offer but only a framework from where they can order services.
I tend to be a rather slow adopter when it comes to cars. I prefer environmentally friendly cars that are very safe for me to drive but aren´t that costly. Entering Volvo V70 Bifuel, it runs on biogas and has rolled over 300 000 km now. Having an older car means it also breaks down now and then. I recently decided to purchase a OBD-link tool to be able to find out what´s behind the lamps that sometimes flashes. I just wonder if I should dare to run a vulnerability scanner towards the car as well?
I do quite a lot of presentations. This time I was recorded and here is the result. What I describe in this presentation is how we hacked the access control system to be able to walk into a factory and then move forward into the Sony Pictures Hack setting everything into a context.