CyberSecurity Strategy and Essentials

Cybersecurity becomes even more complicated in the context of today’s threat landscape, which is not only constantly changing, but is also expanding at an increasingly fast rate. This is the most problematic element of Cybersecurity; its evolution is so fast and unpredictable while the nature of the risks involved are constantly changing.

Managing security by diverting resources to the most crucial system components in order to reduce the likelihood of a successful breach, is now considered to be an insufficient approach in the current environment of advanced cyber threats. Threats are changing faster than traditional risk management approaches can deal with, and a more proactive, focused and adaptive approach is needed to manage an effective Cybersecurity strategy.

Good security management is a continuous effort with preparation, readiness, and good planning being the best approach. To achieve this, there are some basic best practices that can be considered essential to organisations that need to protect their assets from the most common and opportunistic cyber-attacks.

Security BSides Athens 2016, Greece

I am happy to announce that I am involved in organising Security BSides Athens 2016, in Greece. More information you will find at the BSides Athens website www.bsidesath.gr (currently under construction).

Most of the information about the status of the event can be also found at the official Security BSides wiki page in the following URL: goo.gl/pseoow

The 1st ever BSides Athens conference is scheduled to take place on Saturday, 25 June 2016. The entrance to the event will be free of charge, but attendees will need to book a ticket online in advance, when these are made available (we expect them to become available around March 2016). 

Please follow us on Twitter @BSidesAth and send us a message if you would like to sponsor, support, volunteer or just give us a hand on the day. 

Please use hashtags #BSidesAth #BSidesAthens when talking about BSides Athens on social platforms (i.e. Twitter) and spread the word! Even though Twitter is our main form of communication for reaching out to you, and for you to reach us, there is also an official BSides Athens group on Facebook and one group on Linkedin. 

CFP (Call for Presenters) is scheduled to open on Monday, 30 November 2015 and it will close in March 2016. 

• An Android mobile application is available on Play Store for BSides Athens.
  https://play.google.com/store/apps/details?id=dimism.bsidesathens
• An iOS mobile application is available on App Store.
  https://itunes.apple.com/us/app/bsidesath/id1057022307

The mobile applications allows you to find information about the conference on the spot, have real-time access to the track schedule and directions on how to the get to the venue. So, for this event #goPaperless by downloading the mobile application suitable for your phone and tablet!

In the following links you can find the Security BSides Athens 2016 logo in different dimensions and use it freely to promote the event on your webpage and/or social media. 

• 500 pixels: http://www.bsidesath.gr/logo/BSidesAth_logo01.jpg
• 250 pixels: http://www.bsidesath.gr/logo/BSidesAth_logo01_250x250.jpg
• 200 pixels: http://www.bsidesath.gr/logo/BSidesAth_logo01_200.jpg
• 150 pixels: http://www.bsidesath.gr/logo/BSidesAth_logo01_150x150.jpg
• 50 pixels: http://www.bsidesath.gr/logo/BSidesAth_logo01_50.jpg

Visit www.bsidesath.gr and stay tuned for more to come!

Secure a Sapce ?

This is one of the biggest fails ever! How can you misspell your own URL on the tickets you are issuing and more importantly, in the section where you actually ask people to visit that non-existent misspelled URL and pay a parking fine?! Yes, they did! This is not a hoax!

Lets look at the ticket. The parking fine has instructions on how to pay it online. There is a header which says: HOW TO MAKE A PAYMENT. Below that you will see the name of the company and its postal address. However, you will notice that they have misspelled their own URL! 

A Weapon for the Mass Destruction of Computer Infrastructures

Disclaimer: This is NOT a weapon. This is AN EXPERIMENT. 

You MUST NOT try this at home. The tests were performed under the supervision of licensed electricians, in a controlled environment. 

I intentionally do not provide any technical details about the devices. The purpose of this blog post is not to tell you how to do this, but to raise the awareness that this can actually happen. I believe, entities should be aware of this threat and take any necessary actions to protect their infrastructures. 

Having done a number of physical security assessments over the years, I started wondering how vulnerable our computer infrastructures are. I tried to think of a way for a malicious insider or an external third-party, to target a company’s computer network and take it down by damaging it (someone who doesn't have physical access to the server room). I started thinking about this from a different perspective and I tried to approach this "question" with an outside-the-box point of view. 

Due to my experience with physical security assessments I noticed that there are many unattended Ethernet ports (sockets) everywhere around a building. These ports might not be “active” but most of the time they are connected at the far-end on a managed or unmanaged network switch. 

I started wondering what would be the effect if one tried to apply electric current on an Ethernet socket from a power socket directly. The picture on the left illustrates a cable which sends electric current (220V-250V) directly from the power socket to the Ethernet port (This is very dangerous, do not make one, and do not try to use it). In reality, such attempt is actually pointless, as it will only "toast" the device you connect this modified power cable. 

The hypothetical network switch at the other end will end up toasted in a split second and the person doing this will experience a loud bang and a bright flash, along with the smell of burned plastic at the Ethernet socket side. 

This is a very dangerous thing for one to do and not a very convenient or an effective way for taking down the whole computer infrastructure. The whole point is to manage to "fry" all the devices behind the network switch!!! (..even after the network switch is "toasted", and the circuits are burned). Also, without exposing ourselves to any danger, as it would have happen if someone have used the cable mentioned earlier on. 

Skype is down!

Skype seems to be having technical difficulties! Most users can login but they appear offline. Skype said that it is still possible to chat in most occasions but not possible to receive or make calls. It seems though that the web.skype.com is working! Also, Skype for business seems to be working without issues. 
According to the Down Detector website the service appears to be out in a number of different countries worldwide. Maybe it is related to a major AWS outage which knocked Amazon, Netflix, Tinder and IMDb. The official twitter account of Skype (@Skype) posted the following message: 

"We are working to fix an issue which is preventing some users from logging in & using Skype. We apologize for any inconvenience."

Even thought this message was posted about an hour ago the Skype Support team (@SkypeSupport) posted a message four hours ago about the issue. More specifically, the message was saying that "We are aware of an issue affecting Skype status at the moment, and are working on a quick fix: sk.ype.ms/1KuQTL".

The URL sk.ype.ms/1KuQTL takes you to the skype.com domain where you can read more about the issue. This is what has been posted about the issue: 

We have detected an issue that is affecting Skype in a number of ways. 

If you're signed in to Skype, you will not be able to change your status and your contacts will all show as offline even if they are online. As a result, you won’t be able to start Skype calls to them.. 

A small number of messages to group chats are not being delivered, but in most cases you can still instant message your contacts.. 

If you aren’t signed in to Skype, you may be experiencing difficulty when attempting to sign in. Any changes to your Skype account such as your Credit balance or your profile details might take a little while to be displayed.. 

You may also have difficulty loading web pages on the Skype Community. For that reason, please check back here for future updates.. 

We're doing everything we can to fix this issue and hope to have another update for you soon. Thank you for your patience as we work to get this incident resolved.