Photo by marcos mayer on Unsplash

IT moves to a zero-trust, decentralised model (Saturday)

Looks like Google were on the right track with BeyondCorp, as Coronavirus has very succinctly put the “impenetrable border” approach to IT security on notice. Millions of knowledge workers are able to be productive from home, but are failing to get access to resources as VPNs and Identity and Access Management solutions struggle.

Checkpoint followed up a few days later with a series of videos on how their products could secure a remote workforce:

Gaps in Microsoft’s Threat Matrix (Monday)

  • Gadi Naor of Dark Reading called out that the Threat Matrix that Microsoft published in April 2020 was missing a key aspect of operating Kubernetes on Azure:

One notable component Azure’s threat matrix leaves out is the “Command & Control” (C2) threat category

The threat model is invaluable to anyone who actually operates Kubernetes on Azure (AKS) in production, and the analysis even more so. It goes to show that peer review in the technology sector is critical.

Psychotherapy Clinic Hack Victims Blackmailed (Monday)

Despite an apparent armistice between the hacker community and healthcare providers, a Finnish psychotherapy clinic was hacked last week, resulting in the exfiltration of about 40,000 records pertaining to individuals. A subset of these individuals have subsequently been approached with attempts to blackmail them.

This is another example of how much damage a small data loss may represent, and it surely calls for more industry-specific data protection advice and assistance for the healthcare sector in general. Unfortunately it doesn’t appear to be an isolated case:

Reverse Engineering Redacted Text (Tuesday)

via Schneier on Security

Fortunately we have come a long way from redactions simply being black shapes layered on top of text, allowing the redacted text to be trivially extracted with any PDF editor. Never underestimate how clever a suitably motivated person can be; as an example, the text of a deposition published in the US was reverse engineered to reveal sensitive names:

Amazon faces the consequences of a malicious insider (Tuesday)

Amazon recently experienced one of the biggest fears of an employer: that an employee, or worse multiple employees, would abuse their position for personal gain. It appears that the employees in question disclosed e-mail addresses to a third party, resulting in Amazon making a statutory disclosure and informing customers.

It’s not just Amazon though; BAE Systems is also dealing with the fallout from rogue employees:

Don’t blame the font (Wednesday)

Troy Hunt started a small Twitter conflict, but then called out that it’s easy to blame developers, typeface designers, UX engineers or even end users (the victims) for the actions of malicious users, but at the end of the day you can’t fix everything.

Scott Helme summed up the response to “training users” very well:

Unusually large number of unpatched Windows machines in the wild (Wednesday)

In an odd turn of events there seems to be an unusually large number of hosts on the internet vulnerable to the critical and wormable SMBGhost vulnerability. There doesn’t seem to be an obvious reason why though:

Security and Defence Data Loss (Thursday)

There have been a few of these recently, a combination of GDPR and an increased threat landscape.

Tracking Waze Users (Thursday)

Given the user base of Waze this has quite an impact on consumers. The good news is that, given Waze’s platform, fixing the issue was less of a problem than it would have been if, for example, an in-car system was vulnerable.

Do you have an “Act of War” Clause? (Friday)

As it turns out Cyber Insurance often has an “Act of War” clause, which is perfectly normal. What is not so normal is that an attack against your business could be considered an act of war if perpetrated by a nation state actor.

Company Name XSS (Friday)

Almost unbelievably, it’s possible to register a company name in the UK that contains characters that could be used as an XSS attack. In this case someone tried it, but in the name of science, not crime:
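The lesson for anyone displaying registry data is contextual output encoding. As an added example, not code from the original post or from Companies House, the snippet below renders a constructed list of company records (the names and numbers are made up) once unsafely and once with HTML escaping, and includes a simple check that flags records containing HTML-significant characters for review:

```javascript
// Added example (not from the original post). Sample records are constructed
// for the demo; the names and numbers do not refer to real companies.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));

// Constructed sample: one ordinary name and one that happens to contain markup.
const companies = [
  { number: "00000000", name: "EXAMPLE PLC" },
  { number: "00000001", name: '<B>BOLD</B> "TRADING" LTD' },
];

// Unsafe: registry fields interpolated straight into markup. Any tags inside
// the data become live HTML in the reader's browser.
function renderUnsafe(list) {
  return list.map((c) => `<li data-number="${c.number}">${c.name}</li>`).join("");
}

// Safe: every untrusted field is encoded for the HTML context it lands in
// (attribute value and element text both use the same entity set here).
function renderSafe(list) {
  return list
    .map((c) => `<li data-number="${escapeHtml(c.number)}">${escapeHtml(c.name)}</li>`)
    .join("");
}

// Defender-side check: return the numbers of records whose name contains
// HTML-significant characters, so they can be reviewed before display or mailing.
function flagSuspiciousNames(list) {
  return list.filter((c) => /[<>"'&]/.test(c.name)).map((c) => c.number);
}
```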

New Let’s Encrypt intermediary (Friday)

Scott Helme (again) has posted a rundown on the new intermediate certificates in use by Let’s Encrypt, which are now cleaner and smaller thanks to common sense and Elliptic-Curve Cryptography:

Marriott fined (Friday)

The Information Commissioner’s Office slapped Marriott Group with a fine representing just 5p per customer. This isn’t exactly a win for data security, but hopefully the “in-economy of scale” will make companies think twice about data security in the future.