Silicon Shecky

IT News, Reviews and Thoughts

Connect

Wild Thing – A Post Cyphercon post

By Leave a Comment

Last week broke my string of consecutive weeks posting on this blog. It was a bit busy for me, as I was at Cyphercon up in Milwaukee. The talk I gave went well I feel. Got some good feedback and some good constructive criticism. The only problem I had with the talk was the person running the sound board left the room right before I started, and left the music playing. Now I love 80’s music as much as the next person, but karaoke versions of 80’s songs like Wild Thing can really mess with a person putting on a presentation. Thankfully not me too much, and I attribute that to years of theatre and acting where something goes wrong, you continue on no matter what.

Cyphercon itself is a nice smaller hacker/infosec convention. The talks there are of a wide variety, and there really is something for everyone. I do know most of the talks were recorded, but I am not sure where or when they will be up for viewing. Once they are I do recommend the ICS talk given by Lesley Carhart and Mark Stacey as it gives a great background into ICS threat hunting.

 

While there I also got to meet (and get an awkward hug from) Jayson Street. He is really an awesome guy who besides being smart and cool, is really approachable.

The badges were made by The Toymakers and the outdid themselves again. Made to look like a phone, it was a whole challenge in itself and more information can be found here. I cannot wait to see what they come up with for next year.

I do recommend keeping your eyes open for tickets and CFP for this con later this year. It is well worth the affordable price.

BREACHES? BREACHES? Learn the term please!

By Leave a Comment

Communication and terminology is important. So why can’t we get it right?

I recently saw a poll on Twitter asking if the Cambridge Analytica situation was a breach. and saw people argue both ways. Definitely a gray area. On the other hand, the Panera situation is different. Nobody breached anything, yet Checkpoint even is calling it a breach. The information was put out on the net for all to see. Same thing with any of these misconfigured S3 buckets that give out data, unless of course the data was not suppose to go to the bucket in the first place.

We want to secure things, and we hate FUD, yet we go around throwing words like breach out there when it should not be. Talk about confusing people and sowing FUD! So how do we fix this? It has to start with us coming up with a proper, universally accepted definition for a word like breach. Most of the time we seem to use it to indicate a willing ex-filtration of data that should have been kept private. The keyword there is WILLING. That means someone who was either unauthorized to access the data did (and possible copied/removed it) or someone who had rights to the data intentionally removed it (and possibly put it out for others to access). Going by this simple and basic definition It would indicate that while Facebook was a breach, Panera definitely is not a breach. Panera would be more along the lines of a site misconfiguration, or a permissions issue. The open S3 buckets that have happened would vary depending on if the data in those buckets was permitted to be there or not. If the data was not supposed to be in an S3 bucket, it would be a breach, otherwise it would be just a security misconfiguation or a permssions issue that allowed private data access. The term breach sound so much scarier, but if everything is a breach, then nothing is, and you start to get to an area of desensitizing people to the term, and then have ot come up with a scarier word.

Personally, I think not using the term breach and instead showing that a company screwed up on a configuration is a bigger deal than a breach itself. At least with a breach someone actively had to target the data and take it. We all know there is no perfect security and breaches will happen. On the other hand, setting up a website to show PII about anyone to anyone is a bigger trust issue, as it should have been caught in the QA phase before a site goes live. Mistakes happen, and the response of the company to either a configuration issue or a breach is important, and that is the even bigger fail in Panera’s case.

Privacy vs. Security

By Leave a Comment

The GDPR is coming, The GDPR is coming!!!

Well all know that the GDPR goes into effect in May. As I was listening to the Defensive Security Podcast this week, they started talking a bit about how the privacy laws can affect security and security posture. It is odd to think that something like privacy which we are in favor of, can have a negative effect on security, but it can. If you think long and hard about it, not being able to access logs, to be able to see where people have been on their corporate computers, how secure can we make them? One of the first steps in corporate security is knowing what is on the network, and knowing what data you have. Now you have an employee using their work computer for personal business say online banking, or logging into a patient portal. Now lets say those are phishing sites that look very much like the real site and not only that but after the first login attempt, redirect to the real site. At what point do we have to stop in an investigation of say malware on the machine? At what point are they breaking maybe corporate rules. The corporation cannot compel the individual to opt into being monitored according to the GDP. Maybe the corporation has a policy of no personal stuff being done on the work computer. How do we know without being able to have the insight?

What we seem to be getting into is a sticky situation that really has not been thought through to logical conclusions, or at least most except the best case scenarios were not granted viability. In the end there is a balance required to get best security and privacy at the same time. Right now though, everything tend to be out of balance.