Roger Halbheer on Security
This seems to be hot at the moment. In Thoughts on Responsible Disclosure and Wasenaar I gave some ideas, what I would expect from a vendor in how they will handle security vulnerabilities in their products. Now, I read HackerOne launches free Vulnerability Coordination Maturity Model tool which is very interesting from my point of…
DetailsBack when I was working at Microsoft I was joking that the company was been run on Mail and Spreadsheets. I guess I was not THAT wrong and I guess a lot of companies are the same. Key data still resides in any kind of SAP (or the like) installation and then the data is…
DetailsIf you are in the process of setting up an Incident Response Team (or you just want to check back), there is a good article to check your status: Checklist for Incident Response Teams Roger Related articles After Ola, Uber Too Brings Disguised Phone Numbers For Passenger Privacy! (trak.in) Attackers forgo malware (linuxsecurity.com) App. State…
DetailsWhen we are looking at solutions like SIEMs (Security information and event management), they are following a promising approach: You are collecting events from different systems and are trying to correlate the events to figure out what is happening and to find anomalies. Actually a good idea. There are a few “howevers”, however. It definitely…
DetailsCurrently, I am running two WordPress sites. One is my blog and the other one is the website of our bicycle/mountain bike club (www.vcvolketswil.ch). Securing them is part of the story for somebody like me, I guess. Normally you keep them just updated. Part of my responsibility is WordPress, all the plugins and the Themes.…
DetailsIt is not my first post (Crypto and Quantum Computing) and I am sure it will not be my last. I am deeply convinced that quantum computing will create a nightmare some when in the industry. It does actually not need thousands of computers – it just needs one and cryptography the way we know…
DetailsYou might know that I am a big fan of threat modelling. I think that this is a really good way to structure your thoughts around the way an attacker might think. Therefore, the tooling around threat modelling can be important as well. Microsoft offers free help with the Microsoft’s Threat Modelling Tool and published…
DetailsYou might have seen that I changed the design of my blog – I did this each time I changed job. So it is time to do it again….
If you see anything which does not work, please let me know: webmaster@halbheer.ch
Thank you
Roger
When you do risk management, one of the key questions is always, how a possible incident impacts the trust and then the customer base. Do you really lose customers when incidents happen? Well, the VW group learns this the hard way currently but how does online trust really impact the business? Ponemon published an interesting…
DetailsI had to smile, when I read that: My Government Doesn’t Understand How Encryption and Cyber Security Work. I hate to say it but “I told you so” (Thoughts on Responsible Disclosure and Wasenaar) – but why shall they. Government elites and politicians are typically lawyers or have a degree in business administration. And then…
DetailsOutsourcing IT Security : A Recipe for Success or Disaster?
Good question but looking at the resources companies can (and want to) invest in security, most probably a recipe for success
One thing I was always worried about when we talked about biometry: What do you do if the database which stores your credentials gets compromised? Well, it happened: Stolen OPM Fingerprints: What’s the Risk? I am not aware of any successful and active attack so far as I guess nobody tried to replay the…
DetailsWhen I look at the recent events and data exfiltration cases, it really looks like we are at the losing end of a battle. It seems to be fairly simple to compromise a network and exfiltrate data nowadays. Now you may claim that you deployed all kinds of cool technology like hardened clients, data loss…
DetailsIt seems that the whole Ashley Madison case is used in a lot of areas as a learning exercise. We all were surprised (at least I hope) that people were stupid enough to use their business mail addresses to register – well, you cannot use your private one, can you? We – once again –…
DetailsIn the two years as a Chief Security Officer at Swisscom, I had the privilege to work with a really outstanding team to prove what I said since years: Security has to be a business enabler – even in one of the most critical infrastructures of a country. Together we removed the dust from the…
DetailsThis seems to be a discussion since I am in security – and this is quite a while. How and when shall vulnerabilities be disclosed? Shall be paid? Is it legal or illegal? Etc. I try to put a few experiences and thoughts “on paper” here. Before we go into details a disclosure: This is…
DetailsIs there still somebody saying that the police is not innovative? Clever idea (if you know the MAC address of your stolen phone): Police develop MAC-sniffing software to track stolen devices Roger Related articles US policeman goes war-driving to find stolen kit by MAC address (go.theregister.com) Cops Wardriving To Find MACs Of Stolen Gear (packetstormsecurity.com)…
DetailsAs criminals get access to better technology and as the underground markets get more active, it is not surprising that targeted attacks become more mainstream. This is something we have seen over the last 6-8 months as well as extortion threats grew in parallel. There is another trend I see talking to other organizations: Midsize…
DetailsJust read this post by Martijn Grooten ‘Why I fell victim to a LinkedIn scam – and why I would do so again tomorrow’. It is basically about when you accept connection requests on LinkedIn, Xing, Facebook etc. I agree with Martjin that I treat stuff I write on these platforms as public but still,…
Details
