The rise of the (Chief) Data Protection Officer

Back in August 2015, Sysnet discussed the complexity of what the term CyberSecurity represents, especially in the context of today’s threat landscape. This complexity is not only constantly increasing but it is also expanding at an exponential rate. The risks involved demand constant attention and very good understanding of the new technologies being introduced onto the cyber defence ‘chessboard’.

Sysnet also explored the noticeable shift in the traditional roles of the CSO (Chief Security Officer) and the CIO (Chief Information Officer) which have changed a great deal over the past five years. Their focus on managing security by applying resources to the most crucial system components, in order to reduce the likelihood of a successful breach, is now considered an insufficient approach in the current environment of cyber threats. Threats are changing faster than traditional risk management approaches can cope with, and a more proactive and adaptive approach is needed for an effective cybersecurity strategy.

Looking back a bit further, Sysnet discussed the new EU Data Protection Regulation, which requires the appointment of a Data Protection Officer (DPO) for most organisations, and explained the role and responsibilities of the appointed DPO. 

Critical vulnerability found in glibc

A critical vulnerability has been found in Glibc. The critical flaw affects nearly all Linux machines, as well as API web services and major web frameworks. Glibc is the GNU C library which was at the core of last year’s GHOST vulnerability. 

The flaw, CVE-2015-7547, effects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat and a patch has been made available. Google has released further information on the issue in its advisory. 

It is strongly suggested to patch all effected systems immediately, as this vulnerability is considered critical and could be exploited for malicious reasons (allows remote code execution). More specifically, the vulnerability effects all versions of Glibc since version 2.9 and there are no temporary mitigations that can be implemented until Linux machines are patched. 

Tim Cook's letter..

Tim Cook's letter about a recent demand made to Apple by the US government. (February 16, 2016)

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step

which threatens the security of our customers. We oppose this order, which has

implications far beyond the legal case at hand. This moment calls for public

discussion, and we want our customers and people around the country to

understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People

use them to store an incredible amount of personal information, from our private

conversations to our photos, our music, our notes, our calendars and contacts,

our financial information and health data, even where we have been and where we

are going. All that information needs to be protected from hackers and criminals

who want to access it, steal it, and use it without our knowledge or permission.

Customers expect Apple and other technology companies to do everything in our

power to protect their personal information, and at Apple we are deeply

committed to safeguarding their data. Compromising the security of our personal

information can ultimately put our personal safety at risk. That is why

encryption has become so important to all of us. For many years, we have used

encryption to protect our customers’ personal data because we believe it’s the

only way to keep their information safe. We have even put that data out of our

own reach, because we believe the contents of your iPhone are none of our

business.

Critical Security updates for all Windows versions

Microsoft has released a number of security updates to address vulnerabilities across all of its Operating Systems. All the vulnerabilities were reported to Microsoft under a responsible disclosure agreement, thus, these are not believed to have been actively exploited by attackers. 

• MS16-009: A security update for Internet Explorer 9 through 11 to patch 13 security issues, including remote-code-execution (RCE) and information disclosure issues.
• MS16-011: An update for Microsoft's Edge browser in Windows 10 patches 6 security issues, 4 of which address remote code execution vulnerabilities.
• MS16-012: An update to address two remote-code-execution flaws in Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. These could allow attackers to run malicious code on an affected system by tricking users into opening a specially-crafted PDF file.
• MS16-013: An update for a memory-corruption flaw that could allow a remote attacker to execute arbitrary code as the logged-in user by tricking a user into opening a specially crafted Journal file.
• MS16-015: An update to patch 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially-crafted Office file.
• MS16-022: A security update for vulnerabilities found in Adobe Flash Player across all supported versions of Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1.

It is highly recommended to ensure that any systems running any version of the Microsoft Operating System are updated as soon as possible. 

Abertay Ethical Hacking Society: 5th annual Security Conference: Securi-Tay V

Securi-Tay [1] is an Information Security conference held by the Abertay Ethical Hacking Society [2], and supported by the Abertay University in Dundee. The aim of the conference is to provide an opportunity to industry professionals, students and information security enthusiasts to attend and share knowledge and information. This year will be the fifth year the conference is taking place (hence the V) and it will be held on February 26th - 27th, 2016. Personally, I believe this conference offers a fantastic opportunity to students to meet and network with experts in the area of security, share information and have a first glance on how their future in the security industry can be like. 

I was very pleased to get accepted to speak at the conference again this year and I am already looking forward to it. The talk is about passwords and more specifically on how to train your brain to "regenerate" different passwords for different accounts, instead of remembering them. I know that this is not very clear at the moment, but I promise you that everything will be explained during the presentation. This is something I started working more than 10 years ago. I actually published two papers on the subject, one paper describing the thought process and one paper on how to reverse the password generation process during a computer forensics investigation based on an individual's profile.