Things I Hearted this Week, 14th September 2018

September 14, 2018  |  Javvad Malik

With everything that keeps going on in the world of security, and the world at large, most eyes were focused on Tim Cook as he and his merry men took to the stage and announce the latest and greatest in Apple technology.

There didn’t seem to be anything totally mind-blowing on the phone end. Just looked to be more bigger, faster, and powerful versions of the iPhones at eye-watering prices.

The Apple watch now has a built-in FDA-approved ECG heart monitor. Which is pretty cool as an early-warning system that a stroke is imminent - I assume to allow you to take some smart HDR selfies, apply the correct filters, and post to Instagram before you collapse.

But enough about that, let’s get down to business.

British Airways Breached

BA suffered a rather large breach which included payment information (including CVV) and personal details.

While the investigation is ongoing, some security experts believe the breach was caused due to malicious code being injected into one of the external scripts in its payment systems.

As an affected customer, I accept that companies get breached. But the advice seemed pretty poor.

Boards need to get more technical - NCSC

The government is calling on business leaders to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of NCSC believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there, and what are the most effective ways of managing the risks. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.

Hunting in O365 logs

Cloud is great, but sometimes making sense of the logs can be a pain. If you’re struggling with O365 logs, then this document could be really useful.

GCHQ data collection violated human rights, Strasbourg court rules

GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment.

But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal.

It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations.

A Mega hack!

Cloud storage service has announced that users that installed their Chrome browser extension may have had their passwords compromised. A malicious version of the browser extension was uploaded to the Chrome web store to gain access to user’s logins to Amazon, Microsoft, Github, and Google.

The Effectiveness of Publicly Shaming Bad Security

Is publicly shaming a company a good idea? Personally, I’ve tended to steer away from it - I don’t feel like it’s a very constructive approach.

But when there’s data to prove otherwise (albeit we aren’t talking in the scientific sense), then one may need to reconsider. There are ample examples of companies that have fixed their security issues after being publicly shamed - as my favourite blogger from down under, Troy Hunt shares in his blog post.

These are all good examples, but it’s not too far away from digital pitchforks and mobs going after institutes over a simple misunderstanding.

On the topic of shaming, I would recommend the book, “So, you’ve been publicly shamed” by Jon Ronson.

FDA to Ramp Up Medical Device Cybersecurity Scrutiny

The Food and Drug Administration should increase its scrutiny of the cybersecurity of networked medical devices before they're approved to be marketed, a new government watchdog agency report says. FDA says it will carry out the report's recommendations.

The Department of Health and Human Services' Office of Inspector General's report recommends that FDA better integrate the review of cybersecurity in the agency's processes for premarket assessments of medical devices.

About time!

Hacking Tesla’s keyless entry

With about $600 worth of equipment, it is possible to wirelessly read signals from a nearby Tesla owner’s fob. Less than two seconds of computation yields the fob’s cryptographic key, allowing the theft of the associated car without a trace.

Share this with others

Get price Free trial