Not on our / I watch ..?

OK, so I wrote about the lack of API integration (yes, double) in IoT land. Which seems about to change. Now that this has come around. Tools in their early adopter stage, gotta love ’em. Next, the breakthrough.
Of IoT, too; but in what direction? Countries’ hardware infrastructures first, how deep down to B2C channels? The other way around, home channels all the way up? SocMed to wearables to life tracking blends? We’ll see. Maybe soon.

But for one thing: That geriatric-thinking pseudoreligion time-teller will not connect to the rest of the world. Sad (??). Will become the next one down. Hopefully.

For your viewing pleasure:
[Heaps upon Sea, indeed]

Security accountability: We’re off

Remember the Vasco i.e. Diginotar certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of Diginotar are accountable for the damages to Vasco following the breach since the previous Diginotar owners hadn’t secured their systems well enough.

There’s a lot to be said here.

  • E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, already a third party (ITSec, which I know for their good work [disclaimer: have no business relations]) had notified Diginotar about shop-floor level deficiencies. That remained uncorrected.
     
  • Add to that, that actually, the previous owners themselves started legal claims. Because a major part of their sale proceeds were still held in escrow, and they wanted the monay. Vasco filed a counter claim; logically, and won.
     
  • Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance in scope vagueness or in the fine print!), haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, proprietary one can guess, security standard. Right.

So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx stepdown for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That’ll teach ’em! And of course, generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing; having only the real improvements breaking through and not the junk ones ..?

OK then, now for a picture:
[Monteriggione security was effective, until not, then abandoned as control approach… they did, why not all of us today?]

Jargon Watch: Dorking

Google Dorking, to be more precise. Though some startup Internet company (you know, that has a ‘web site’) may want the adjective dropped.
[Maybe they’d better do a '); DROP TABLE STUDENTS; -- on themselves but that’s another matter entirely]
Which is exepelainifyed in this doc, and at this site (from where I took the doc, duh).

Okay, since it’s Friday afternoon, I’ll leave you with:

Progress: Hacked (short note)

OK, so there’s progress… hackers (of the ethical kind …! …?) actually improving security, as per your Nest thermostat.
Contrary, of course, to the hacking of your home security system as spelled out here and already ‘predicted’ by means of requiring solutions, quite some time earlier here.

For their, and your, viewing pleasure:
[The ‘old’ shouldn’t be underrated by not being rated well enough…]

IoTsec as expected

Yawn. A decade of humongous growth in Information security is coming. To tackle the likes of this.
Think of where the somewhat organized, somewhat budgeted, somewhat up to it corporate world now is. (With the public organization world lagging, seriously, on all counts.) Then think of what it would take to make the general public ‘safe’.

And then think of how many InfoSec professionals would be needed. Yeay! Indeed, as in:
[Onto Val d’Orcia, as you spotted]

Gotta TruSST’MM

Had been planning for a long (?) time already to write something up on the issue of Trust in OSSTMM3© – in particular, how it doesn’t conform with received (abstract) notions of trust and how that’s a bit confusing until one thinks it through wide and deep enough.

First, a picture:
[Controlled to I/O, Vale]

Then, some explanation:
As I get it (now!), the OSSTMM model defines Trust as being an entry into or out of a system/component (objects, processes). The thing you may do when you are trusted. Literally, not the protection wall but the hole in that wall. Which isn’t some opinion thing the holder has of the visiting tourist. Interesting, but troublesome in its unsettling powers.
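To make that reading concrete, here is a small added model of my own (not code from the post, nor anything OSSTMM publishes); it assumes the OSSTMM 3 split of porosity into Visibility, Access and Trust, and assumes that a Trust is an ungated interaction between two in-scope targets, so that what gets counted is the hole, never anyone’s opinion of the visitor:

```python
"""OSSTMM-style Trust as a counted interaction path, not an opinion.

Added example, not from the post or from the OSSTMM authors. It assumes the
OSSTMM 3 reading that operational porosity splits into Visibility, Access and
Trust, and treats a Trust as an interaction between two in-scope targets that
no authentication control gates: a hole in the wall, counted per hole.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Interaction:
    src: str
    dst: str
    authenticated: bool  # True when an authentication control gates this path


# Constructed sample: three in-scope targets, two parties outside the scope.
SCOPE = frozenset({"web", "app", "db"})
INTERACTIONS = [
    Interaction("internet", "web", authenticated=False),    # crosses the boundary
    Interaction("web", "app", authenticated=False),         # in-scope, ungated
    Interaction("app", "db", authenticated=True),           # in-scope, gated
    Interaction("db", "backup-host", authenticated=False),  # crosses the boundary
]


def classify(inter, scope):
    """Label one interaction: 'access', 'trust', 'controlled' or 'external'."""
    inside = (inter.src in scope) + (inter.dst in scope)
    if inside == 0:
        return "external"    # wholly outside the scope, not counted at all
    if inside == 1:
        return "access"      # entry into or out of the scope itself
    return "controlled" if inter.authenticated else "trust"


def porosity(scope, interactions):
    """Count the holes OSSTMM would count; no reputation score is an input."""
    labels = Counter(classify(i, scope) for i in interactions)
    visible = {t for i in interactions for t in (i.src, i.dst) if t in scope}
    return {"visibility": len(visible), "access": labels["access"], "trust": labels["trust"]}


def trusts(scope, interactions):
    """The actual holes: ungated paths between in-scope targets."""
    return [(i.src, i.dst) for i in interactions if classify(i, scope) == "trust"]


if __name__ == "__main__":
    print(porosity(SCOPE, INTERACTIONS))   # {'visibility': 3, 'access': 2, 'trust': 1}
    print(trusts(SCOPE, INTERACTIONS))     # [('web', 'app')]
```

Adding an authentication control on the web-to-app path turns that one Trust into a "controlled" interaction and the trust count drops to zero, which is the whole point: trust here is reduced by closing holes, not by thinking better of the neighbour.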

Dang. Running out of time again to delve into this deep enough – in particular where I wanted to link this to a previous post about identity and authentication … (this post in Dutch). OK. will move on for now, and return later. Already, if you have pointers to resolution of the differences (the whole scale (?) of them), don’t hesitate.

Welcome to Hotel SV

Just a short note; tinkering with more ‘cybersecurity’ songs (to support (or not) #ditchcyber), I came across the following snippets…:

“Welcome to the Hotel California”
“Such a lovely place”
Such a lovely face
Plenty of room at the Hotel California
Any time of year
You can find it here”

“Bring your alibis”

“Mirrors on the ceiling”

And she said “We are all just prisoners here, of our own device”

Last thing I remember, I was
Running for the door
I had to find the passage back
To the place I was before
“Relax, ” said the night man,
“We are programmed to receive.
You can check-out any time you like,
But you can never leave!”

How’zat (sorry (no I’m not Canadian) USofA, culturally you’re still 99% British so you should get that reference) for the famous search engine’s approach ..?

And, of course:
[Yeah Breck is CO not CA, about two decades back]

COPE a Nope

Hm, this piece seems to miss the point entirely…

Because the move to BYOD had/has (sic) nothing to do with operability. But all with power. And speed. COPE will be much more of the same, but with an even more inexplainable awkward speed/flexibility/functionality trade-off. With nothing of (e.g., the European current and forthcoming Regulations’ and practices’) privacy in mind, just pipe dreams of regained totalitarian control. Heh, if that floats your boat, everyone’s including or except your boat has left the harbor because ships are safe there but it isn’t what ships are for. If you can’t see the analogy … you’ll be sunk.

And then, there’s a pic:
[Great for learning gaff rigging but for serious yachting…?]

Proof of legitimate identity

By way of a question to @iusmetis / @ictrecht …:
In everyday Dutch usage we still (…) distinguish between ‘legitimatie’ and ‘identiteit’, as in legitimatiebewijs (proof of legitimation) and identiteitsbewijs (proof of identity) respectively. The latter is also regarded as equivalent to ‘ID’.
Which raises the questions:

  • Is there (still) a legal difference between the two ..? Where does that difference, if any, come from, and how is it (still) applied?
  • How does the ‘mapping’ work onto (identification,) authentication and authorisation as those terms are used in today’s ICT..?

In particular that last one seems worth studying, because a. the legal terms have had a long time to get thoroughly chewed over, and ‘so’ may still bring out relevant differences from the, relatively speaking, only-oh-so-recently developed ideas about access to systems/data.
And the confusion of the function of an ‘electronic’ ID with true identity, and the double role of e.g. a ‘user-ID’, is also worth some reflection.

Anyway, first let’s get the definitions clearly lined up side by side.

And of course the picture of the day:
[Hey look at that, they had a Starbucks here in Lucca very early on…?]

Maverisk / Étoiles du Nord