info@qualityplusconsulting.com | +1 262-553-6510

Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Biometric, IoT, Recovery Time Objectives

2/16/2018, 3/2/2018, 3/16/2018


Biometric Auth Defeats, Internet of Things Insecurity, and Recovery Time Objectives

Biometric authentication tokens are not good security and can be beaten

Amazon Echo, Alexa, Echo Spot are really spy devices

Restoring backups was going to take too long, so hospitals paid ransom

MP3 - IoT Devices, Biometric Authentication, and Recovery Time Objectives

MP3 - Protecting Your Privacy

MP3 - Network Security Strategy and Trustico Debacle


Summary

  • Biometric tokens are not good security and can be beaten
  • Amazon Echo and Alexa are really spy devices
  • Restoring backups was going to take too long, so hospitals paid ransom
  • The latest CBP directives make burner devices mandatory
  • Quick update on Spectre/Meltdown

Biometric tokens are not good security and can be beaten

https://www.darkreading.com/operations/passwords-4-biometric-tokens-and-how-they-can-be-beaten/a/d-id/1330939


Amazon Echo and Alexa are really spy devices

The Echo Spot is being marketed as a smart alarm to be put into your bedroom. This product has a microphone and camera and is always listening to you from across a room.

https://www.newstarget.com/2018-01-21-amazon-wants-to-put-cameras-and-microphones-in-every-bedroom-in-america.html

These devices are inherently insecure.

IoT devices are not designed to be secure. They are designed to be convenient.

Here is James Clapper stating that the NSA will use IoT devices to spy on citizens.

www.businessinsider.com/spy-chief-james-clapper-admits-spies-will-use-internet-of-things-devices-for-surveillance-2016-2

James Clapper: the head of US intelligence admits that the things we connect to the Internet can be used to spy.

US might use household web devices to spy on people


The CIA's Weeping Angel hack

Is your smart TV spying on you? Wikileaks says CIA spies on people through smart TVs - TomoNews


Restoring backups was going to take too long, so hospitals paid ransom

https://www.theregister.co.uk/2018/01/16/us_hospital_ransomware_bitcoin/
You know your backup system is faulty when it does not allow for backup and restore within what is called a recovery time window. The first step in engineering a backup system is to define what the recovery time window must be. This is such a driving design consideration that it is, or should be, the primary decision-making factor.

In many cases, when the recovery time objective is very short, a clustered hot failover system is required. There should have been hourly snapshots of the hospitals' systems being made, so that systems could be rolled back to a recent point in time when the malware was not present.

It is really not hard to have this technology, and a normal small business with a server can have that capability, IF and only IF the system was designed correctly to begin with with the capacity for it.

Unfortunately, most consulting firms never even have that conversation with the business owners, and most business owners are only concerned about acquisition cost.

50% of SMBs that get breached end up closing business within a year after the breach. This is because of the costs of remediation and because they no longer control the timeline of that remediation. They are unable to continue operations without an immediate and full remediation.

A fork truck company in Racine sold out to another company because of a variety of financial mismanagement issues, one of which involved a relationship with an IT service provider who could not get their technical operations up and running for more than a month despite having a contract that stated that the maximum outage time would be 48 hours. With a contract like that, and yes I saw it with my own eyes, the fork lift company should have sued the IT services firm for breach of contract amongst other things. But the management did nothing, paid the failing IT services firm for useless services delivered where no resolution was achieved, and ended up going bankrupt as a result.

So if you are going to specify a recovery time objective, you better darn well understand how it is going to be achieved, and have proven capabilities to accomplish it. Going on faith is just plain foolish.
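The points above (define the recovery window first, keep frequent snapshots so you can roll back to before the malware landed, and prove the restore time instead of taking it on faith) can be checked mechanically. The following is an added example, not code from the podcast or from Quality Plus Consulting; the snapshot catalog and restore-drill timings are constructed sample values, and the RPO/RTO figures are assumptions to be replaced with your own.

```python
from datetime import datetime, timedelta

# Constructed sample catalog (not real data): hourly snapshots with one missed
# run at 03:00, plus the durations (minutes) of the last two full restore drills.
SNAPSHOTS = [datetime(2018, 1, 11, h) for h in (0, 1, 2, 4, 5)]
RESTORE_DRILLS_MIN = [90, 130]

def latest_clean_snapshot(snapshots, compromise_time):
    """Newest snapshot taken strictly before the malware is known to have landed."""
    clean = [s for s in snapshots if s < compromise_time]
    return max(clean) if clean else None

def check_rpo(snapshots, rpo):
    """Worst gap between consecutive snapshots; the RPO is met only if no gap exceeds it."""
    ordered = sorted(snapshots)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    if not gaps:
        return None, False          # a single snapshot proves nothing about cadence
    worst = max(gaps)
    return worst, worst <= rpo

def check_rto(drill_minutes, rto_minutes):
    """Slowest measured restore drill must fit inside the RTO; no drills means unproven."""
    if not drill_minutes:
        return None, False          # an RTO nobody has ever tested is just faith
    worst = max(drill_minutes)
    return worst, worst <= rto_minutes

def assess(snapshots, drill_minutes, rpo, rto_minutes, compromise_time):
    """Combine the three checks into one report: what to restore and what is proven."""
    worst_gap, rpo_ok = check_rpo(snapshots, rpo)
    worst_drill, rto_ok = check_rto(drill_minutes, rto_minutes)
    return {
        "restore_point": latest_clean_snapshot(snapshots, compromise_time),
        "worst_gap": worst_gap, "rpo_met": rpo_ok,
        "worst_drill_min": worst_drill, "rto_met": rto_ok,
    }

if __name__ == "__main__":
    # Assumed objectives: hourly RPO, four-hour RTO; malware first seen at 04:30.
    report = assess(SNAPSHOTS, RESTORE_DRILLS_MIN, timedelta(hours=1), 240,
                    datetime(2018, 1, 11, 4, 30))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed catalog the report flags the missed 03:00 snapshot as a two-hour gap that breaks the hourly RPO, while the drill timings show the four-hour RTO is actually achievable.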


The latest CBP directives make burner devices mandatory

https://www.cbp.gov/document/directives/cbp-directive-no-3340-049a-border-search-electronic-devices

Effectively this means that your electronics and anything stored on them will either be outright seized or copied. And you are not allowed to view the search or copying operation. So your electronics will be seized, you will be detained in a room where you cannot see what they are doing, and then you may not get your electronics back even after they have copied the contents. No probable cause is required because the border zone (defined as anywhere within 100 miles of the U.S. national border) is declared a Constitution-free zone. Why? Because CBP declares authority to do what they want based upon a litany of Federal regulations.

Section 5.3 states that travelers are OBLIGATED to present their electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If you have a passcode or an encrypted device and refuse to unlock the device for them or provide them the means to do so, they will simply seize the device.

Because of this, it may be wisest to simply travel with a burner device with no information on it. Once you get to your destination, you can then add your accounts to the device. This is no different than memorizing a private key for cryptocurrency and travelling across borders with it. What you need to cross the border exists exclusively in your memory. At least so far, there is no technological means to put you in a chair and make a copy of your memories to be available for search.


Quick update on Spectre/Meltdown

Some manufacturers have pulled their BIOS updates because the updates were causing computers to randomly shut down. I'm not talking about bluescreens either, but cases where the computer just hard powers off. And on some computers, the Meltdown patches just won't install. This may be due to a revision in the patch code that prevents installation on systems where the BIOS update is not yet installed. I saw this during the 3rd week of February 2018, and there are no publications yet talking about these issues.

Cryptojacking cryptominers are evading adblockers - what are you doing about it?

https://www.secplicity.org/2018/03/09/cryptojacking-ads-evade-adblockers-daily-security-byte

Office 365 tenant branding - why it is so important for security

Audit logging and information protection capabilities are critical and not enabled by default.
Work with a competent and certified Office 365 Microsoft Cloud Competency Partner.

The tech support scams are showing up all over again using browser lockers
https://www.scmagazine.com/tech-support-scams-using-browser-lockers-rising/article/750218/


Facebook keeps creepy secret files on the intimate habits of internet users even if they DON'T have an account: Here's how to see yours


http://www.dailymail.co.uk/news/article-5448389/Facebook-personal-data-files-Australia-inquiry.html

The Trustico debacle and why you should never use companies like them.

You cannot be shopping for certificates based upon price.
Here's a great breakdown of the sequence of events.
https://www.secplicity.org/2018/03/02/trustico-or-trustinot

https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/
