Seriously? Hard coded password? Someone Just Leaked Hard-Coded Password Backdoor for Fortinet Firewalls
Recommendations for Intelligent Public Transportation
We talked a lot about critical infrastructure protection – especially in the light of failures thereof. Therefore I really like some of the work ENISA does on recommendations for them.
Here is a new one for intelligent public transportation: Cyber Security and Resilience of Intelligent Public Transport. Good practices and recommendations
Blackout of Critical Infrastructure – it will be about Resilience this year
Remember the prediction we have seen in a lot of “what security brings us in 2016” that we will see failure of critical infrastructure due to security incidents. Well, it seems that news just waited for the year to turn 2016 to appear (not exactly, the US news appeared late December): The US Power grid…
Details
Time for Adobe Flash is more than over
The initial security discussion was all about browsers: Which one shows less vulnerabilities, which one is more secure? There were even government agencies in Europe recommending the use of a different browser every other week based on the “vulnerability de jour”. This changed a bit and modern browsers are more or less out of focus…
Details
Security and the Internet of Things
A challenge, which we have to address: How will we secure the Internet of Things in the future? Swisscom (“my” former security architecture team) just published an interesting paper called Integrity and trust in the Internet of Things. We need new approaches on how we will deal with security – interestingly, the ones Swisscom is…
DetailsIs this my new life as a consultant now 😉 http://dilbert.com/strip/2015-12-20
The most important security criteria? Usability!
I read this article (Surviving an Insecure Cyber Workforce) this morning about “the user” (and was once more disappointed – initially. They talk about the importance of awareness, the technology to make sure that the user does not access anything outside their business needs and only well audited etc. and at the very, very end…
Details
Top 15 Security Predictions for 2016
No, they are still not coming from me but this article is actually really interesting: Top 15 security predictions for 2016. A few of them are remarkable: At your criminal service (Kaspersky/Seculert) The profitability of cyber-attacks means sophisticated criminal gangs with modern organizational models and tools will replace common cyber criminals as the primary threat.…
Details
Lessons from Morgan Stanley – is monitoring outgoing data the silver bullet?
A lot of articles are looking into the Morgan Stanley breach case, which is definitely an interesting story all by itself. An employee illegally accesses information and stores it on his home server. Obviously not a very smart thing to do but initially it rested there. It would be interesting to understand what he planned to…
Details
Security in 2016?
This time of the year typically two things happen: I am asked several times to either have a presentation or write an article about “Security in 2016”. The second thing is that everybody who writes a blog or otherwise thinks that they have to say something look into the crystal ball and writes an article…
Details
Dangerous Encryption Discussion
I am really worried. Always after major incidents like serious crimes or terror attacks like in Paris, politicians start to push for the spotlight. They want to show that they are here for the citizens and here to protect them. This is definitely not bad at all but when it comes to high-tech discussions –…
Details
Better Metrics Needed to Assess Security of Critical Infrastructure?
This is actually an interesting discussion: Critical Infrastructure: Better Cybersecurity Metrics Needed. From a high level view there is nothing you can object here. Definitely we need better metrics and definitely it would help us to understand the maturity of security in any given company – not just the critical infrastructure. But wait, I think…
Details
Proud Member of the Swiss Academy of Engineering Sciences
I just got informed today, that I have been elected as a full member of the Swiss Academy of Engineering Sciences. The vision of the SATW is: SATW is recognized as the principal organisation for the communication of independent, objective and comprehensive information about technology – as a basis for the forming of well-founded opinions…
Details
Is White-Listing Doable?
Quite a while ago, I provocatively asked the question, whether Anti-Malware Technology is dead. Back then it caused quite some reaction. Honestly, I still see little value to be added by classical anti-malware products if we would finally be willing, able and ready to use the technology, which is built in today’s operating system. Unfortunately,…
Details
My First Steps at Accenture – Employment Opportunities
On the one side: Unfortunately, my garden leave is over – on the other side, cool to start working again. My first days at Accenture are over now and I have to say: Quite an experience. I met a million people (at least it felt that way and this is what always happens, when you…
Details
Maturity in Vulnerability Handling
This seems to be hot at the moment. In Thoughts on Responsible Disclosure and Wasenaar I gave some ideas, what I would expect from a vendor in how they will handle security vulnerabilities in their products. Now, I read HackerOne launches free Vulnerability Coordination Maturity Model tool which is very interesting from my point of…
Details
The Risks of Spreadsheets
Back when I was working at Microsoft I was joking that the company was been run on Mail and Spreadsheets. I guess I was not THAT wrong and I guess a lot of companies are the same. Key data still resides in any kind of SAP (or the like) installation and then the data is…
Details
Checklist for Incident Response
If you are in the process of setting up an Incident Response Team (or you just want to check back), there is a good article to check your status: Checklist for Incident Response Teams Roger Related articles After Ola, Uber Too Brings Disguised Phone Numbers For Passenger Privacy! (trak.in) Attackers forgo malware (linuxsecurity.com) App. State…
Details
Security Information and Event Management – Really the Way Forward?
When we are looking at solutions like SIEMs (Security information and event management), they are following a promising approach: You are collecting events from different systems and are trying to correlate the events to figure out what is happening and to find anomalies. Actually a good idea. There are a few “howevers”, however. It definitely…
Details
Securing WordPress
Currently, I am running two WordPress sites. One is my blog and the other one is the website of our bicycle/mountain bike club (www.vcvolketswil.ch). Securing them is part of the story for somebody like me, I guess. Normally you keep them just updated. Part of my responsibility is WordPress, all the plugins and the Themes.…
Details