Video Thumbnail: Will 2016 Be a Better Year for Cyber Security?

2015 was a big challenge for cyber security. There were a lot of fireworks with all the high-profile targets and attackers that made headlines. But now we can ask, will 2016 be a better year for cyber security? What are we – both end users and the security industry – going to do to make 2016 a better year? Our 2016 predictions made bold claims about what will happen in the next 12 months. We can simply wait for these to happen, or we can prepare ourselves before they do happen. We just have to remember that cyber security is as much about prevention as it is about negating the effects of these attacks. So we need to do our part in the process. One thing is for certain, the security industry will deal with ransomware, and a lot of it. People ask if paying ransom is a good or bad idea. If...
Video Thumbnail: Encryption Works – Don’t Break It!

Every now and then, an ill-informed politician will stand before a microphone and say something along the lines of: encryption is helping bad guys (either terrorists, child pornographers, or other similarly acceptable target), because law enforcement can’t see what the bad guys are doing because they’re using sophisticated tools that use encryption. Said politician will urge tech companies to “work with us” to help catch these bad guys. This constant demand for encryption backdoors is something that no longer surprises me. It comes from a misunderstanding of what encryption is: it’s not some magic piece of code that can do whatever the programmer wants it to do. It’s a tool that is defined by mathematics: in short, it can only do what the math allows it...
Video Thumbnail: Targeted Attacks: Not All Attacks Need To Be Sophisticated

The security industry loves to talk about how “sophisticated” attacks can be. Usually this takes the form of us saying how advanced and sophisticated an attack is, what new methods were used to hide servers or make analysis harder, etcetera. However, it’s easy to forget that not all attacks need to be technically sophisticated; instead it can be in the social engineering used and how the attack is carried out. For example, a few months ago we talked about the Arid Viper campaign, a sophisticated attack that targeted users in Israel. However, that well-organized attack shared some of its attack infrastructure with Advtravel, which was far less sophisticated. Arid Viper was advanced; Advtravel was less so. How could this be the case? Weren’t targeted attacks supposed to be the work...
Video Thumbnail: Defending Critical Systems: Does It Have To Be “Smart”?

Everywhere I go, it seems that “critical” systems are being attacked. Earlier this year people were talking about whether planes could be hacked. We’ve talked about whether smart grids can be hacked, too. Just a week or so ago, LOT Polish Airlines was almost completely grounded by a distributed denial-of-service (DDoS) attack. In many cases, these critical systems turn out to have been built on off-the-shelf open-source software. Almost a decade ago, I said that open-source software was safer. While that’s turned out to be mostly true, more recent issues like Heartbleed and Shellshock have illustrated that open-source software has its own problems, too. Non-technical people may ask: “Why did nobody spot these problems earlier? Are we software developers...
Video Thumbnail: The Internet of Things: Whose Data Is It Anyway?

Everywhere you look, it seems that everything is becoming “smart”. On my wrist, I frequently wear a smart watch that monitors how many steps I take, what my heart rate is, and so on. At home, a smart thermostat can be controlled via an app, or even be programmed based on my own behavior. I can even have a camera that will either let me see who’s at the door, or let me talk to my cats while I’m in the office. All of these devices are generating one thing: data. The smartwatch is keeping track of my health data. The thermostat is keeping track of what’s going on inside my home. The cameras are keeping track of what they see and when they are turned on. A lot of this data is passed on to the providers of these services, which frequently say they are “free”. This may...
Video Thumbnail: Defending Your Organization From Insider Attacks

If you’ve read enough crime novels or seen enough action movies, the plot is all too familiar to you: an insider – acting to correct some slight or insult he or she received years ago – turns against an organization and inflicts significant damage. Sometimes the insider is on the side of the good guys, sometimes on the bad guys. This makes perfect sense. An insider knows exactly how an organization does things, what they consider valuable, and how they will respond to an attack. Who else would be better to carry out an attack than an insider? However, that assumes that an “insider threat” is by design. Fortunately, most people are not out to destroy the organization they belong to. Most people want the group that they are part of to succeed and do well. Unless you’re in an...
Video Thumbnail: Vulnerabilities for Sale

2014 showed that vulnerabilities could be found in all applications – both Heartbleed and Shellshock caught system administrators off-guard by revealing that open-source server applications could have severe vulnerabilities as well. The reality is that making software that is free from vulnerabilities is difficult and expensive, if not completely impossible. For every thousand lines of code, you can expect to find 15 to 50 errors of some kind. Maybe you can get that error rate down for truly critical applications like space exploration, but that adds time and money to the costs of software development. Despite the costs associated with doing so, developers need to do a better job of creating secure products. Changes in how software vulnerabilities are found and disclosed mean that the...
Video Thumbnail: Light Can Keep the Dark at Bay

We are all afraid of the unknown. Why? Because we all want to be in control of our lives: what career path to take, how to deal with our finances, where to go for a vacation. We like certainty. We love to know what’s ahead of us. We are hardwired like this. As far as technology is concerned, we don’t know what the next innovation would be like—how a product or service would affect our lives and the way we do things. Technology keeps surprising us. Yes, we have an idea of what could be the next trend because it is us consumers who dictate it, but that’s as far as we can go. Unfortunately, most vendors make their products with security at the bottom of their priority lists. The public is generally kept in the dark as to what goes inside a product. Nobody holds any guarantee. If...
Video Thumbnail: Mobile Virtualization – Solving the BYOD Problem

For many users today, how they use technology is defined by mobile devices. Their primary device is not a desktop computer, or even a laptop. Instead, it’s a tablet or a smartphone. Instead of data stored on a hard drive or a USB stick, corporate data is now stored in the cloud and accessed as needed by users. If we look at the number of PCs versus smartphones sold, the trend is clear. In the 3rd quarter of 2014, analysts estimate that 79.4 million PCs were sold – compared to 301 million smartphones in the same period. This changes the relationship that IT has with end users. In the past, they would have given their users PCs that they could centrally control. However, for many organizations, that policy has not been acceptable: mobile devices are thought of as “personal” in...
Video Thumbnail: Setting Up Your Gadgets Securely

It’s that time of year again – the last quarter of the year is a time for many of us to buy a new smartphone, as we look at the new devices launched relatively recently by Apple, Samsung, and all the other phone providers and decide which one we shall use for the duration of our next smartphone contract. I’m sure that many of us will take home brand new iPhones and Android devices and set them up just the way we want our personal devices to be. We should take a minute to remember, however, that because these devices are so personal to us, the damage a hacked smartphone can do is significant. Imagine what would happen if a hacker stole your personal data. We don’t have to imagine, however, as this has happened to many users in 2014. At the very least, this is embarrassing to the...