Saturday, September 27, 2014
The proposed General Data Protection Regulation (GDPR) is expected to replace 20-year-old regulations (the current rules came into place in 1995) and enable harmonisation of data protection across the EU sometime next year. This will bring with it a much stricter compliance requirement and harsher consequences for failure to comply. How harsh? At the sharpest end of the punishment stick, for those organisations breaching the rules, that could be five per cent of global turnover. While the regulation will put much of the emphasis on the organisation itself to ensure such compliance, it also requires businesses to work with a service provider which can guarantee data is processed in compliance with the data protection rules.
Thursday, September 25, 2014
A 22-year-old vulnerability, yes you read that right, has been discovered which some security experts suggest could be bigger than Heartbleed. The bug, reported as 'CVE-2014-6271: remote code execution through bash', relates to how environment variables are processed: bash parses certain environment variables as function definitions, and any code trailing the function body is executed regardless of the variable's name. This can be exploited remotely wherever code can be injected into environment variables across the network.
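Because CGI-style front ends copy request headers and the query string straight into environment variables, the "() {" function prefix showing up in a request is the thing a defender can look for. The following is an added example, not code from the original post: it scans constructed combined-format web log lines (sample IPs, paths and timestamps are made up) for that signature, URL-decoding the request line so an encoded prefix is caught too.

```python
import re
from urllib.parse import unquote

# Bash before the CVE-2014-6271 fix treated any environment variable whose
# value started with "() {" as a function definition and went on executing
# the text that followed the function body. This token is the signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format (the sample below is constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_shellshock(log_text: str) -> list:
    """Return one finding per log line whose headers carry the signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = {
            "request": unquote(m.group("req")),  # catches %28%29%20%7B encodings
            "referer": m.group("referer"),
            "user_agent": m.group("ua"),
        }
        hit = [name for name, val in fields.items() if SHELLSHOCK_RE.search(val)]
        if hit:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "fields": hit})
    return findings

# Constructed sample: one benign request, one probe in the User-Agent,
# one URL-encoded probe in the query string of a CGI path.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.9 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/env?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo HTTP/1.1" 200 77 "-" "curl/7.30"
"""

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} signature in {', '.join(f['fields'])}")
```

A hit on a request bound for a CGI handler is the one to escalate; the same signature in a static-content request still tells you someone is scanning.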
Saturday, September 20, 2014
Friday, September 19, 2014
Tuesday, September 16, 2014
The Internet of Things (IoT) is something of a buzz-phrase right now, and locking down the IoT is certainly something that vendors across both security and hardware industries are talking up. The problem with the publicity surrounding stories of 'things' that have been hacked is that, well, they never really have much potential impact right here, right now, to you or your business. So someone managed to break into an Internet-connected baby monitoring device and make creepy announcements over it, or there's the potential to control an Internetified self-driving car in the future; neither of which fills me with dread about the security of my data as is, it has to be said. However, maybe you and I are missing the point. Maybe we need to broaden our definition of what things this Internet of them actually comprises. How about printers, for example? Stand up if you have a printer which isn't connected to your network and the Internet beyond. I'm guessing there are lots of you still sitting down; I certainly am. There's part of the IoT right there which represents a very real threat to your security posture, and you probably didn't know it.
Monday, September 15, 2014
There can be little doubt that applications that talk to the cloud are in the ascendancy, but the same cannot be said about security awareness when it comes to the APIs that facilitate communication between the two. When Evans Data looked into the area of cloud application updates, for example, it discovered that 37 per cent of developers were releasing new versions at a frequency of at least one per week. This is good news from the usability perspective, as these small tweaks can be installed invisibly and as soon as they are coded. The cloud is killing point upgrades and patches, at least when it comes to minor programmatic changes rather than huge functionality overhauls, and that has to be a good thing. Or is it?
Thursday, September 11, 2014
Reports started circulating yesterday that Gmail had been hacked, with some 5 million logins at risk. This follows the publication, on Tuesday, of a plain text list of Gmail usernames and passwords on a Russian Bitcoin forum. Within 24 hours the 'hack hysteria' had taken hold and people were being advised to check if their accounts had been compromised, change their passwords etc. Trouble is, there appears to be absolutely no actual evidence that Gmail has been hacked at all, and plenty to suggest that this credentials list is just another composite; constructed with passwords taken from lists already published concerning other breaches. The Gmail connection is, at the most, that people whose credentials were exposed at those other sites and services had used a Gmail address to register their accounts.
Wednesday, September 10, 2014
It was also no big wow that Apple quickly responded to such a major reputational shafting by insisting it takes security very seriously (yada yada yada), and had not been 'hacked' and will take steps to ramp up account protection in future. Some, including myself, would argue Apple should be doing this already. It's pretty much right there in the first chapter of Cloud Security for Complete Newbies, after all. Flick to chapter two of this virtual tome and the heading would probably be something like 'Use Two-Factor Authentication' which, funnily enough, Apple also says it will be encouraging more people to do now.
Some interesting research from security outfit Proofpoint was published this morning which reveals that unsolicited email heading towards users in the UK is three times more likely to contain malicious URLs than that destined for users in the United States, or Germany, or France for that matter. It's not, as you may think at first glance, just a matter of the UK getting more spam. The research conducted over the summer, using the US as a baseline, shows Germany getting more spam as a percentage than the UK, US and France. The prevalence of spam and malicious URLs in the total email traffic are not, Proofpoint conclude, therefore correlated. Instead, UK users are being targeted with less spam but with a higher volume of infected spam. Compared to Germany, as much as five times as high in fact. Which begs the question 'why are cybercriminals targeting the UK so relentlessly when compared to other nations?'
Friday, September 05, 2014
If Edward Snowden has taught us anything, it is surely that Big Brother really is watching after all; it's not just a conspiracy theory any more. With the cloud at the heart of the average enterprise data storage strategy these days, and regulatory compliance issues coupled with basic data protection laws to consider regardless of where you are based, taking responsibility for ensuring your data remains private has become even more of a priority. Don't get too hung up on the NSA spy scandal though; there's also 'accidental' data leakage and intentional hacking to throw into the security mix as well. Doing nothing is no longer an option, unless you relish being fined for compliance/Data Protection Act violations or seeing your reputation tank.