Wednesday 24 February 2016

Teach your brain to regenerate passwords instead of remembering them

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them! 
Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. 

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Due to the fact, it is generally considered a straightforward task, it is assumed that you actually know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

Tuesday 23 February 2016

The rise of the (Chief) Data Protection Officer

Back in August 2015, Sysnet discussed the complexity of what the term CyberSecurity represents, especially in the context of today’s threat landscape. This complexity is not only constantly increasing but it is also expanding at an exponential rate. The risks involved demand constant attention and very good understanding of the new technologies being introduced onto the cyber defence ‘chessboard’.
Sysnet also explored the noticeable shift in the traditional roles of the CSO (Chief Security Officer) and the CIO (Chief Information Officer) which have changed a great deal over the past five years. Their focus on managing security by applying resources to the most crucial system components, in order to reduce the likelihood of a successful breach, is now considered an insufficient approach in the current environment of cyber threats. Threats are changing faster than traditional risk management approaches can cope with, and a more proactive and adaptive approach is needed for an effective cybersecurity strategy.

Looking back a bit further, Sysnet discussed the new EU Data Protection Regulation, which requires the appointment of a Data Protection Officer (DPO) for most organisations, and explained the role and responsibilities of the appointed DPO. 

Wednesday 17 February 2016

Critical vulnerability found in glibc

A critical vulnerability has been found in Glibc. The critical flaw affects nearly all Linux machines, as well as API web services and major web frameworks. Glibc is the GNU C library which was at the core of last year’s GHOST vulnerability. 
The flaw, CVE-2015-7547, effects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat and a patch has been made available. Google has released further information on the issue in its advisory

It is strongly suggested to patch all effected systems immediately, as this vulnerability is considered critical and could be exploited for malicious reasons (allows remote code execution). More specifically, the vulnerability effects all versions of Glibc since version 2.9 and there are no temporary mitigations that can be implemented until Linux machines are patched. 

Tuesday 16 February 2016

Tim Cook's letter..

Tim Cook's letter about a recent demand made to Apple by the US government. (February 16, 2016)

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step
which threatens the security of our customers. We oppose this order, which has
implications far beyond the legal case at hand. This moment calls for public
discussion, and we want our customers and people around the country to
understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People
use them to store an incredible amount of personal information, from our private
conversations to our photos, our music, our notes, our calendars and contacts,
our financial information and health data, even where we have been and where we
are going. All that information needs to be protected from hackers and criminals
who want to access it, steal it, and use it without our knowledge or permission.
Customers expect Apple and other technology companies to do everything in our
power to protect their personal information, and at Apple we are deeply
committed to safeguarding their data. Compromising the security of our personal
information can ultimately put our personal safety at risk. That is why
encryption has become so important to all of us. For many years, we have used
encryption to protect our customers’ personal data because we believe it’s the
only way to keep their information safe. We have even put that data out of our
own reach, because we believe the contents of your iPhone are none of our
business.

Wednesday 10 February 2016

Critical Security updates for all Windows versions

Microsoft has released a number of security updates to address vulnerabilities across all of its Operating Systems. All the vulnerabilities were reported to Microsoft under a responsible disclosure agreement, thus, these are not believed to have been actively exploited by attackers. 

  • MS16-009: A security update for Internet Explorer 9 through 11 to patch 13 security issues, including remote-code-execution (RCE) and information disclosure issues.
  • MS16-011: An update for Microsoft's Edge browser in Windows 10 patches 6 security issues, 4 of which address remote code execution vulnerabilities.
  • MS16-012: An update to address two remote-code-execution flaws in Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. These could allow attackers to run malicious code on an affected system by tricking users into opening a specially-crafted PDF file.
  • MS16-013: An update for a memory-corruption flaw that could allow a remote attacker to execute arbitrary code as the logged-in user by tricking a user into opening a specially crafted Journal file.
  • MS16-015: An update to patch 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially-crafted Office file.
  • MS16-022: A security update for vulnerabilities found in Adobe Flash Player across all supported versions of Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1.


It is highly recommended to ensure that any systems running any version of the Microsoft Operating System are updated as soon as possible.