* Posts by Drs. Andor Demarteau (ShamrockInfoSec)

22 posts • joined 21 Sep 2018

Giga-hurts radio: Terrorists build Wi-Fi bombs to dodge cops' cellphone jammers

Drs. Andor Demarteau (ShamrockInfoSec)

why use Ghz frequencies at all?

Lower frequencies in the VHF (30-300Mhz) range have a longer distance perspective than the Ghz frequencies mentioned in this article.

Only the 900Mhz band comes close to these characteristics.

This has partially to do with reflections as well as that higher frequencies have more trouble penetrating materials, specially those containing metals.

And yes that's also why WiFI networks have trouble in your home between rooms. Specifically if the walls contain metal like in reinforced concrete.

Lower than then 30Mhz is unwise as that comes with larger antenna's as well as very different distance propagation characteristics (which may or may not work depending on time of day, sun spots etc.).

Drs. Andor Demarteau (ShamrockInfoSec)

white noise

There are alternatives that block all these frequencies and they are not even expansive either.

Even terrorist in Afghanistan have used it with unknown effect to me that is.

Take any electric motor, strip away all the insulation, connect a large copper rod to the most radio active part (simple software defined radio stuff will easily tell you where that is) and switch in on.

Biggest problem? It will probably destroy all radio communications in a certain range. With all I really mean all. This technique is indiscriminate and not frequency specific.

Another solution is a certain type of external battery, the charging circuit of which makes so much RF noise that I have sent two units back and gotten my money back because of it (okay that was 7 years ago, but there is still enough household equipment out there that effectively is radiating RF where it should not do so, including light dimmers, plasma TVs, solar panel transformers etc.).

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Looks like things are getting worse

Security is not a bolt-on feature period.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Flight Pattern

Not entirely true for airlines.

Whilst all older companies have legacy stuff, the airlines sector have invested heavily to create a common community cloud platform where a lot is being handled these days.

This platform is called Amadeus and is Spanish based.

I know this holds true for CX as well.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Flight Pattern

I agree, this isn't specifically an airlines issue as such.

Although there is one contributing factor that does hit the airlines sector more than other sectors named:

with the ever dropping prices of tickets, due to LCC's (low cost carriers), the overhead and therefore the budget available to do proper IT, information security and privacy protection goes down with that as well.

This is seen worldwide and not only in the EU and US markets.

Budget as such isn't the only issue, management buy-in as well as a proper security culture are even more important.

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Bruce is spot-on, but we gotta start somewhere

And since AI is nothing more than a rules based system, at least for the foreseeable future......

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Bruce is spot-on, but we gotta start somewhere

There has been a solution for this available for at least 11 years.

Unfortunately nobody has been willing to embrace and implement it yet.

The solution verifies the physical presence of the user during the entire transaction and/or session, not only at the start of it.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Really Lousy Idea

Effectively this, although not by law, is what already happens.

It will make the problem worse than better as well.

Make the companies creating this junk accountable.

No, not with fines but with a full market ban on their products.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: More seriously

Will FCC also check the software security of the device?

Btw, this holds similarly for the European CE mark.

Security is not tested.

Even worse, on electrical stuff correct filtering components are removed during actual production to save costs.

is your dimming unit for your lights buzzing? But does it have a CE mark? Good chance this is the reason why.

What does this have to do with security? Just that just regulations will not work, enforcement and regular re-testing will.

But since we are not doing that with electrical equipment, there isn't much hope it will all of a sudden be done in the security space.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: IOT is only going to grow as an issue long term

PCI-DSS is no more then a baseline with a lot of requirements that, if you would do security the right way, you would already have implemented anyway.

It's no more than the creditcard industry's risk management policy.

Has it actually improved on all those creditcard details being leaked with major security breaches including recent ones with British Airways etc.?

No it hasn't.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: IOT is only going to grow as an issue long term

Entirely correct.

precisely why, just a related topic, GDPR privacy controls are as strict as they are because without them we would see a similar effect.

As such the security and privacy by design and default requirements from the data protection law may actually already help in the IOT security challenge. Although specifically for consumer equipment.

Dutch cops hope to cuff 'hundreds' of suspects after snatching server, snooping on 250,000+ encrypted chat texts

Drs. Andor Demarteau (ShamrockInfoSec)

A server in the middle that reroutes messages does not have to be a weakness as the article claims.

If proper end-to-end encryption is used, it doesn't really matter who sees the encrypted (cypher text) messages or not.

What seems to be the case here is a combination of a central server with an apparently no so well implemented end-to-end encryption syste or the use of weak cryptographic algorithms.

One reasons for this could be that the people selling the phones and subscriptions have enough evidence on their clients to use against them if they start getting nasty.

As most have a criminal intent, at least according to the Dutch police presser, it would be a nice backstop mechanism.

30 spies dead after Iran cracked CIA comms network with, er, Google search – new claim

Drs. Andor Demarteau (ShamrockInfoSec)

Re: You're FIRED!

Typical for security people :(

Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Size matters

Effectively the number of employees may say very little on how juicy the SME target actually is.

The level of data available within the company may be a far better measurement of this in the end.

With a lot of processes now partially being automated, smaller companies can actually have larger juicier data sets than larger ones with a more traditional business model.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Good recommendations but...


Cloud is by default not "more secure" than local system.

All comes down to proper security and identity management, something the cloud providers don't do for you.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Umm...

Precisely, Linux system (MacOS as well) have the name of being more secure or better securable.

Whilst this, as specially towards Windows, was true a decade ago, Microsoft have actually quite stepped up their game in this area.

And no I'm not a Windows fan, but that has a different reason.

Any IT system can be as secure or insecure in measurement of the security competents of the people who are managing them in alignment with the requirements of the business itself.

I know what you're thinking: Outsource or in-source IT security? I've worked both sides, so here's my advice...

Drs. Andor Demarteau (ShamrockInfoSec)

Internal more expansive than external?

This is one I have seen too many times, both when working internally as well as being outsourced to companies as well.

Most of the times people compare your daily or hourly rate on a 1:1 basis with their salary levels.

However, what usually is forgotten is the fact that on top of that salary there are all kinds of additional costs like pension funds, sick leave, holiday payments, buildings, IT facilities, phone costs, management overhead etc. etc.

And in most freelance contracts, not to forget, travel costs.

Account for all of these and divide them by the actually worked hours and the trade-off may be less of a problem than you may think.

Actual worked hours is calculated by taking the maximum workable days, all weekdays in a year, where you subtract:

- all "bank" holidays

- all holiday hours given to internal employees

- a percentage of sick leave prevalent for the company over a year calculated in working hours

Take the salary plus all extra costs and divide it by the actual working hours and see what you get.

Drs. Andor Demarteau (ShamrockInfoSec)

Handing over responsibility vs. good advice

Whilst this article seems to focus on cyber security alone (hardware, networks, software etc.) it's missing the broader point on policies, procedures, standars, guidelines and the most important bit awareness and security culture.

Companies can outsource some of the work fine, but setting up a security program takes more than managing a firewall ruleset or patching systems.

Where a good mix between internal work and external expertise does have a large benefit is where you can draft in high quality advisory services that can help your business along but don't drain resources for years and years to come.

And yes, you've guessed it, that's precisely what my business model is.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: Oh no you're not!

Totally correct, this goes for information security as well as data protection btw.

Responsibility for a good service is with the outsourcer (processor in data protection), accountability firmly lies with the SME company themselves.

And no, not even an insurance policy will lift this accountability burden.

Drs. Andor Demarteau (ShamrockInfoSec)

Re: The big challenge is - well, catch 22


One line in this article graphically illustrates this above all:

"Let’s take an example. You’re using Cisco ASA firewalls but you don’t have the skills to manage them, so you outsource the job. But what do you expect the outside specialist to do? Monthly firmware updates? Weekly failover tests? Monitor the logs and respond to certain types of activity?"

Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

Drs. Andor Demarteau (ShamrockInfoSec)

Can we really be sure they are now secure? (as claimed)

"As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect."

Maybe at the moment the ICO looked at it, but will it stay this way?

Security is not something you bolt-on nor patch-over afterwards. Security-by-design is a key requirement of the design of networks, systems, software and usage procedures.

or at least it should be.

Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once

Drs. Andor Demarteau (ShamrockInfoSec)

INternet connections are not the only issue

Things have been going wrong far before "stuff got connected to the Internet" in what is called Industrial IOT.

Because of the same "this costs money" attitude, industrial systems have been moving away from dedicated build hardware and software to commodity off-the-shell Windows systems for about 2 decades now.

And yes those come with the same issues, security problems and patch regimes as your office equipment, but with one caveat: patching is either extremely difficult or in some cases impossible, sometimes due to restrictions by software vendors and sometimes due to certification restrictions.

The solutions proposed in this article may work for new plants, but it will be a hell of a job to implement them in current installations.

Oh and they have to work not 10 but up to 20 to 30 years too.

Biting the hand that feeds IT © 1998–2019