Infosecurity Hall of Fame Interview

I was honoured to be inducted into the Infosecurity Hall of Fame earlier this month. It is an award which I hope to live up to. I was interviewed during the ceremony and I talked about how companies should be better prepared for computer security incidents. The key points of that interview are covered in this article.

I was also interviewed after the ceremony and below is the video of that interview

Many thanks to all who supported me over the years and helped me get to where I am today and also a big thank you to all who passed on their best wishes.

Securing Business Podcast

We are delighted to announce that a new podcast focusing on the business aspects of information security and cyber security is now available. The Securing Business Podcast is a joint effort with our own Brian Honan, journalist Gordon Smith, and Matt Houlihan from the International Radio Company. It is available from Soundcloud and iTunes.

Every fortnight, Brian Honan and Gordon Smith discuss the latest news in Cybersecurity and Cybercrime and its implications for business.

The first episode has a feature on the challenges in cybercrime and what research the UCD Centre for Cybercrime and Cybersecurity Investigations,

The second episode features Lance Spitzner from Securing the Human and Dr Ciaran McMahon talking about the human side of cybersecurity and what we should do to improve security from that aspect.

Have a listen and do let us know your thoughts and comments.


Parting is Such Sweet Sorrow – Farewell Lee & Thanks

Lee Munson has been a valuable member of the BH Consulting family acting as our Social Media Manager. Our blog has received many awards and plaudits which have all been down to Lee’s hard work, dedication, professionalism, and his unique ability to transform complex technical security issues into easy to understand commentary, and our Twitter feed has also grown steadily under his stewardship.

So it was with a heavy heart that I received an email from Lee to say he will be stepping down as our Social Media Manager, as he has recently taken on a new role that fulfils his ambition of working full time in infosec.

While we are sad to see Lee go, we are delighted about his new role and wish him all the best for the future.

Thanks for everything Lee and may you achieve the success you surely deserve.

Go n-éirí an bóthar leat

Brian and team

ICO hands out record fine, puts cap in hand and has a chat with the official receiver

Just because the Information Commissioner’s Office can hand out some pretty sizeable fines, doesn’t mean that it actually does.

And that’s the one criticism I have of an agency that, as far as I can tell, does some pretty sterling work in policing the privacy rules here in the UK.

But, in an interesting move, the ICO has perhaps addressed its apparent lack of bite by handing out its record fine, asking a Brighton-based nuisance telephone caller to place three hundred and fifty thousand shiny pound coins on its desk.

Interesting because of the amount you ask?

Well, yes, there is that, but far more interesting is the fact that, despite the size of the ask, the Commissioner may not actually receive enough to nip out and get a Tesco lunch deal.

That’s because the company in question – Prodial Ltd – is defunct.

At the first whiff of ICO interest the business expired. Ceased to exist. It is no more.

The company, which operated out of residential premises in the seaside town, peppered unwitting recipients with some 46 million automated calls related to the PPI claims they may, or may not, have been entitled to make.

Either way, the shady operating practices likely turned over a million quid, according to the ICO.

Nice work – if you can get it – and don’t mind pissing off a large proportion of the mainland in the process.

Talking of which, over a thousand people – which is a minute proportion of those affected – gave the ICO a call of their own to let them know how miffed they were with the situation. The prominent complaints included a doctor who couldn’t help but answer a phone that could have been used to dial in an emergency call, and someone else who claimed they were being called at all hours, day and night.

And of course there was nothing anybody could do about it either, save blocking numbers off – Prodial Ltd, which went to great lengths to obscure its identity, offered no means of opting out of its telephonic spam which, as you may have already guessed, came thick and fast despite none of its victims ever consenting to such nuisance behaviour in the first place.

In a blog post, Information Commissioner Christopher Graham wrote:

This is one of the worst cases of cold calling we have ever come across. The volume of calls made in just a few months was staggering.

This was a company that knew it was breaking the law. A company director admitted that once the ICO became involved, the company shut down. That stopped the calls, but we want to send a clear message to other firms that this type of law-breaking will not pay. That is why we have handed out our highest ever fine.

No matter what companies do to try to avoid the law, we will find a way to act.

So, job done, no more nuisance calls ever again, eh Chris?

I suspect such action, while welcome, will not quell the scourge of unwanted calls so much as encourage those behind them to become a little smarter and far quicker at winding their companies up when the ICO comes knocking.

Nothing to hide, nothing to fear? Stop being so British!

There’s a famous phrase that says something along the lines of if you have done nothing wrong, you have nothing to fear.

I’m not sure how well used that phrase is around the world but I suspect it may well be uniquely British.

Why?

Well I’m not entirely sure – is it because we’re a nation filled with apathy or one that lacks understanding? Or perhaps we just don’t care about the bigger picture, wrapped up as we are in our own individual worlds.

But it is a potential problem in certain areas of our lives and, perhaps, the most significant factor that comes into play here is within the domain of politics.

Love her or hate her, Margaret Thatcher (please correct me if I’m wrong) once said “Power corrupts. And absolute power corrupts absolutely”.

And while I don’t think all our politicians are corrupt, and I doubt even more that any intend to turn to the dark side when they begin their careers as least unelectable representatives of the people, there certainly is some degree of evidence to suggest that such people don’t always have our best interests at heart, either through wilful choice or lack of understanding of the legislation they propose to impose on us, the sheep of these isles.

And so it is disappointing to see the results of a survey conducted by Comparitech which says well over half the population (60%) of the UK would trade some privacy for extra security.

I think a famous American once had something to say about that.

A survey has shown that an overwhelming majority of the UK population (60%) believe that, when it comes to national security, the Government should be able to monitor mass communications… the study found that 49 percent of the 1000 people questioned from the UK (nationally representative) cite national security as having more importance than an individual’s right to privacy.

Sure, security is important. But how valuable is it when you give up your human rights to obtain it?

Not all would be my answer.

And yet we are arguably heading in that direction with the Draft Investigatory Powers Bill which politicians are just itching to get written into the statute books.

As Amar Singh of Give01Day says:

Let’s not forget that no government has a stellar record in protecting its own information; and if technologies are updated to allow “free access” for the government, then criminals will no doubt be able to obtain the same.

Good point sir.

And the same could be said for Comparitech director Richard Patterson who said:

While we wait to see the final outcomes of the Draft Investigatory Powers Bill here in the UK, and who will be victorious between the FBI and Apple, what is clear is that individuals need to understand that using electronic communications comes with provisos. On the one hand, laws designed to protect civil liberties shouldn’t then be used to provide a safe haven for those compelled to breach them and on the other, consumers shouldn’t have to give up their rights to privacy. It’s a thorny subject, with many grey areas, making clarity a necessity.

Balancing security and privacy is no easy affair and I for one don’t have the answer but what I do know is you can’t pick one at the total exclusion of the other.

It just doesn’t work that way, unless you want to live in a world where everyone potentially has something to fear and nothing left to hide.

InfoSec – you get nothing for nothing

I don’t know about you but I have a few acquaintances who want to change their lives, some of them in quite dramatic ways.

Their dreams all have a commonality about them too – if they do X and get Y then then the sun will shine upon them 24/7 for evermore.

Of course the reality would be somewhat different but by simply having something to work toward they are already on the way to some degree of enrichment.

Or at least that would be the case if any of them could so much as take the first step on their chosen path.

Why haven’t they, you may ask?

My best guess is a degree of fear of the unknown in one or two of them but, for the majority, it’s more a case of laziness or a misguided sense of entitlement.

It’s a sad indictment of society but both seem to be on the rise, and not just in the youth who appear to have been painted as the wasters of society.

Of course such an attitude pervades all areas of life and so you won’t be surprised to learn that the same approach is often taken where security is concerned.

In a new survey commissioned by VPN provider Hide My Ass, the major finding was that people want to be secure online... as long as it doesn’t require any effort.

In questioning 2,000 people, the privacy company discovered that close to two-thirds of them had experienced some kind of online security issue but only 56% of them had done anything to change their behaviour afterwards.

Hmmm… if you’re not going to react after an event, when are you going to react?

Curiously, 67% of the respondents claimed they would like more security than they have now, citing privacy concerns as one of their biggest issues, and yet only 13% took advantage of two factor authentication, less than 5% used Tor, and a considerable number were slapdash with their personal information – just over half were happy to plaster their email address across online public gathering places, 26% would have no problem sharing their home address online and 21% would have no qualms about posting their telephone number on the web.

Continuing the privacy theme, only 11% of the respondents used a VPN and a whopping 44% didn’t even know what a Virtual Private Network was in the first place.

Hide My Ass is obviously in need of an awareness program!

Ending on a slightly more positive note, just over half (55%) of those surveyed had at least given their privacy a knowing look by asking someone else to delete a post they were featured in or untag them in the photo though, as some of you are no doubt aware, shutting the door after the horse has bolted is often a futile gesture.

More encouragingly, 60% of those surveyed said they had fobbed online marketers off with duff info, though I doubt any would have noticed as they are far too busy following all and sundry on Twitter these days instead of actually working.

Oh, and 69% said they “consciously limit” the amount of personal information they share on the net, despite that figure flying in the face of their other responses.

Go figure!

Up, up and away… cybercrime costs have tripled over the last 5 years

The cost of cybercrime is going up and up, according to a new report published by Hamilton Place Strategies.

In its Cybercrime Costs More Than You Think paper, it says the total global cost of online crime is around $450 billion (£318 billion/408 billion Euros), a figure which would give ‘cyber’ a market capitalisation second only to Apple.

Offering further perspective, Hamilton valued the cost of cybercrime in terms of a nation’s Gross Domestic Product (GDP), which would have made it the world’s 27th largest ‘economy,’ placing it between Norway and Austria.

So I guess the report’s opening line is in fact a tad understated:

In an increasingly interconnected world fueled by the expansion of digital technology, cybercrime has become a big business.

But it’s not always been that way – the study explains how the cost of online crime has actually surged in a very short period of time, up by around 200% in just 5 years. And if the media is any kind of barometer, I expect it to keep on growing, at least in the short-term.

The report highlights how money itself is not the only growth area – information (an equally valuable commodity) is also increasingly at the mercy of the dark side of the global network with some 828 million records having been pilfered since 2005. To put that into perspective, that’s the equivalent of everyone in the UK having their personal info stolen around 12 times each in 10 years!!

I myself think the loss of people’s data is the most important statistic but this article is more interested in the financial aspects, highlighting what many of us already know – a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread:

While the direct cost of a cyberattack can be significant, the reputational damage can be even more impactful to the bottom line. In the Target data breach of 2013, which affected millions of U.S. customers, the company incurred $252 million in data breach-related expenses, with only $90 million of that expected to be offset by insurance recoveries.

Hamilton Place Strategies also outlined what it called the “ricochet effect,” in which other organisations also observe a business impact following the breach of one of their competitors.

Using Target as an example again, the report says its breach raised questions about the security posture and preparedness of other players in the retail sector which, as we found out later, were not entirely unwarranted.

The report ends with a rather simplistic view of how businesses can be better prepared to withstand or deal with a cyber attack, though its basic premise of being prepared and having an incident response plan in place is of course sound.

Given the warning that –

If you’re in business today, it’s nearly a guarantee you’ll be hacked at some point over the next couple of years.

– I would say there is much more you can do to minimise the risks of being breached in the first place which is, of course, a preferable outcome to having to engage the incident response plan.

If you’d like to know more, click here for a list of our services.

Sweet 2FA – Instagram finally gets additional account security

Better late than never they say and that is certainly the case with snap-happy social network Instagram.

Five years after parent company Facebook added two factor authentication, the younger member of the Zuckerberg family has finally followed suit.

The company revealed today that it has begun the process of rolling the new feature out to all of its 400 million odd subscribers.

It requires users to verify a phone number, after which any attempt to sign in on another device, even with the correct email address and password, will fail unless it also includes an authentication code sent to said phone number.

Handy indeed should your credentials be guessed, stolen, phished or included in a post-breach data dump.

Sure, it won’t suddenly make your account hack-proof overnight, but it will, as the name suggests, add an additional layer of security.
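To make concrete what the mechanism described above buys you on the server side, here is an added example of a phone-code second factor gate. It is illustrative code written for this post, not Instagram's or Facebook's implementation, and it assumes a few things the announcement does not spell out: a five-minute code lifetime, a five-guess budget per code, codes that are single-use, and devices that completed the check once being remembered as trusted. The in-memory `Account` object stands in for a database row and the SMS send is replaced by returning the code to the caller so the flow runs offline.

```python
"""Model of a phone-code second factor gate (added example, not Instagram's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set

CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5         # assumed guess budget per code before it is burned


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Account:
    phone_verified: bool                       # has the user completed phone verification?
    trusted_devices: Set[str] = field(default_factory=set)
    challenge: Optional[Challenge] = None


def issue_code(account: Account, now: Optional[float] = None) -> str:
    """Create a fresh six-digit code. In production this is sent by SMS, never returned."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
    account.challenge = Challenge(code=code, expires_at=now + CODE_TTL_SECONDS)
    return code


def verify_code(account: Account, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code only if it is current, unused, under the guess budget and matches."""
    now = time.time() if now is None else now
    ch = account.challenge
    if ch is None or ch.used or now > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
        return False
    ch.attempts += 1                           # every guess, right or wrong, costs budget
    if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
        return False                           # constant-time compare, no timing leak
    ch.used = True                             # single use: a replayed code is rejected
    return True


def sign_in(account: Account, password_ok: bool, device_id: str,
            code: Optional[str] = None, now: Optional[float] = None) -> str:
    """Return "denied", "ok" or "need_code".

    A correct password on a device that has not passed the check before is not
    enough once a phone number is verified; the caller must issue_code() and
    come back with it.
    """
    if not password_ok:
        return "denied"
    if not account.phone_verified or device_id in account.trusted_devices:
        return "ok"
    if code is None:
        return "need_code"
    if verify_code(account, code, now):
        account.trusted_devices.add(device_id)  # remember this device (assumed policy)
        return "ok"
    return "denied"
```

The two properties worth noticing are that a leaked or phished password alone yields only `need_code` on an unfamiliar device, and that a code cannot be brute-forced or replayed because each one expires, is burned after a handful of guesses and is rejected once it has been accepted.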

Given how damaging a hacked social account could be – from an individual losing some hard-won followers through to a brand suffering catastrophic reputational damage – the only real surprise here is just how long it has taken Instagram to introduce the feature.

With a lineup that includes major organisations and celebrities, the company is indeed a target, and even the lowliest of users would be shocked if they lost their photos or discovered their account had been used to upset their friends or spam other Instagrammers.

Oh, and slightly peeved, perhaps, with the subsequent account recovery process after the event.

But all’s well that ends well, though the word “eventually” needs to be inserted into that phrase – many Instagram users won’t see two factor authentication for a while yet as the roll out is predicted to be quite slow.

The first to get it will be residents of Singapore.

Beyond that, well, keep an eye out for updates to find out when you will have the additional security afforded by the new feature.

And, in the meantime, keep an eye out for the usual suspects – suspicious emails, dubious web links and email attachments.

And, even more importantly than that, check your passwords – are they lengthy, complex, comprised of letters, numbers and symbols and nothing remotely like your name or date of birth?

And, even more important than the last important note, please, please do not reuse your passwords across multiple accounts – when hackers break into websites they often publish all the email addresses and passwords they find so others can try them against all the popular accounts – if someone gets your Instagram password you wouldn’t want that to also give them access to Facebook, would you?

Why is ransomware such a popular online crime?

Because it pays!

In fact, it pays very well indeed.

Forty-four percent of the time.

And those behind it are hardly likely to get caught either.

The perfect crime, some may say.

So just how much are people prepared to pay to get their encrypted data back? Well, according to Bitdefender, the answer is a good chunk of change as 31% of the 1,906 respondents in a recent survey said they would hand over four hundred British pounds to get their mitts on their holiday snaps and lawfully downloaded movie collections.

But what if the price was a bit lower?

As those of us in security circles know, the going rate for low-level ransomware has been nearer £300 lately. Would that price tempt a few more people out of saying “sod it” and starting the reformat and reinstall game?

Why, yes, it would.

Bitdefender says 44% of British ransomware victims have handed over the cash to recover their encrypted data.

That’s a lot of money!

In fact, it’s enough to encourage victims and non-victims alike to make regular backups.

Isn’t it?

Well, hopefully, as 39% of ransomware victims think they’ll get stung again. And you know what? They’re probably right. Once bitten, forever marked as someone who pays they shall be, thus inviting all manner of future ill fortune upon themselves in the future.

Catalin Cosoi, Bitdefender’s chief security strategist, said:

The ransomware phenomenon has been hitting internet users and generating huge profit for cybercriminals for years. While victims are usually inclined to pay the ransom, we encourage them not to engage in such actions as it only serves to financially support the malware’s developers. Instead, coupling a security solution with minimum online vigilance could help prevent any unwanted ransomware infection.

Brian Honan, our CEO, says:

  • Keep your software patched and up to date.
  • Employ reputable anti-virus software and keep it up to date.
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data.
  • Make staff and those who use your computers aware of the risks and how to work securely online.

And I say:

Never pay ransoms as that will… lead to more ransoms in the future. Inform law enforcement and, if at all practical, keep your customers informed as to what is going on. Also, be on your guard for ransomware on non-Windows devices and be aware that newer variants, such as Chimera, also employ doxing, meaning they will pepper your ransomed files (unencrypted) all over the internet if you don’t pay up.
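The backup advice quoted above hinges on the word "verify": a backup nobody has restored from is a hope, not a control. The following is an added example, written for this post rather than taken from any product, of the test-restore check a practitioner would script. It builds a small constructed directory tree, archives it, restores the archive into a scratch directory and compares per-file SHA-256 digests against a manifest taken at backup time; it then shows the same check flagging an archive that has fallen behind the live data. The tree layout, file names and contents are made up for the demonstration.

```python
"""Test-restore verification for file backups (added example, not a product's code)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive the tree and return the manifest of what was backed up."""
    manifest = hash_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_backup(archive: Path, expected: Dict[str, str]) -> dict:
    """Restore into a throwaway directory and diff it against the expected manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse archive members that would write outside the scratch directory
            # on Python versions that support extraction filters.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = hash_tree(Path(scratch))
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {
        "ok": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "files_checked": len(expected),
    }


def demo() -> Tuple[dict, dict]:
    """Run the check on constructed data: once against a good backup, once against a stale one."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"
        (source / "photos").mkdir(parents=True)
        (source / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 constructed sample image")
        (source / "notes.txt").write_text("constructed sample notes\n")
        archive = work / "backup.tar.gz"
        manifest = make_backup(source, archive)
        fresh = verify_backup(archive, manifest)          # restore matches what was archived
        # The live data moves on; the archive does not. Checking it against a
        # current manifest reveals a changed file and a file never backed up.
        (source / "notes.txt").write_text("edited after the backup ran\n")
        (source / "invoice.pdf").write_bytes(b"%PDF constructed sample")
        stale = verify_backup(archive, hash_tree(source))
        return fresh, stale


if __name__ == "__main__":
    good, bad = demo()
    print("fresh backup:", good)
    print("stale backup:", bad)
```

Run on a schedule against the real archive, the `missing` and `corrupted` lists are exactly what you want alerting on; a restore that has never been exercised is the gap ransomware is priced to exploit.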