
Hacking my car

I tend to be a rather slow adopter when it comes to cars. I prefer environmentally friendly cars that are very safe for me to drive but aren't that costly. Enter the Volvo V70 Bifuel: it runs on biogas and has rolled past 300 000 km now. Having an older car means it also breaks down now and then. I recently decided to purchase an OBD-Link tool to be able to find out what's behind the warning lamps that sometimes flash. I just wonder if I should dare to run a vulnerability scanner against the car as well?

I do quite a lot of presentations. This time I was recorded and here is the result. What I describe in this presentation is how we hacked the access control system to be able to walk into a factory, and then move on to the Sony Pictures hack, putting everything into context.

I do take pride in my skills in communicating all aspects of security, but sometimes even I fail. I recently met with a lawyer employed at one of my clients. They had a problem with German legislation demanding that they be able to prove that the protection deployed on the laptops was sufficient for protecting personal data. When discussing this with him I utterly failed to communicate that there needs to be a security baseline that is followed, and that using hard drive encryption on all laptops is not enough when 30% of the employees were domain administrators. At least the CSO understood what I meant.

PCI 3.1

And yet another version of the PCI standard. Not that many changes this time, but of course there are always a few. Most notably, you should now effectively use TLS 1.2 and nothing less. Oh, and don't forget to write a standard and a policy. Otherwise you'll fail. There must be someone on the PCI Council that loves documentation.

Most of you have read the news of what happened to Sony Pictures. A truly devastating attack where ransomware, or to be more precise a Trojan with ransomware and other devastating payloads, played a crucial role in the mayhem. When I talk with my peers, not all of them fully understand the possibilities that ransomware opens up to the hackers. What we are talking about is the possibility to kidnap an entire company's infrastructure and deal a crippling blow to all their IT.

2015 will be the year when we will see large scale ransomware attacks here in Sweden. Why? Because we saw a lot in the US during 2014 and Europe is ripe for harvesting. I had a chat with a large company in Sweden recently. Their security department is struggling with implementing protection, but there is no interest from the business in taking ownership of the problem. I wonder if they have fully understood the consequences of losing all their IT capabilities in one stroke?

As you may have noticed I spend a lot of my time 'Up in the Air', still haven't seen George though. 😉
I always sit in the aisle seats, mostly to be able to leave the plane quickly after landing, but sometimes to watch who is working with what. Even in the year 2015 people still seldom protect their screens. In the last week I have seen two proposals that I am also working on (sadly no prices this time, but I'm not allowed to use that information anyway thanks to our Blue Book), one network chart and several mailboxes. I'll make sure to bring a pair of binoculars next time.

It's early in the morning the day after New Year. I wonder if there is anyone that will read this within the following hour? 😉
The third trait that's important to me is being a team player. We are here to help our clients become and stay secure. Focusing on solving everything by yourself and not asking for advice is the trait of a lone wolf, and I still haven't met a single security specialist that knows everything, not even me. Happy new year!

The second thing I look for is curiosity. That trait will help you find new ways of attacking, new ways of protecting and, all in all, help you find all the information you need and more. If you have grown to know everything there is in the field and have stopped studying, you will quickly lose the battle. Curiosity is almost as important as being able to have fun.

What better way to spend one's birthday than blogging? 😉
I'm currently in the process of recruiting a lot of security personnel and thought that I should share a few insights I have accumulated over the years. There are several qualities I look for when I recruit. First of all is the ability to have fun, not being a whiner. If you are to succeed in the field of security you need to be able to fail and come back over and over again, because finding vulnerabilities is all about trying and trying again.
