Yet Another Security Blog

The linked is a long article but interesting read.   The gist of it is that cyber security has to rely on humans as the first line of defense and as the early warning system.   It is yet another argument that the social sciences are as important if not more so than the automated and computer driven systems that most cyber security relies on.   ·          https://www.weforum.org/agenda/2018/11/cybersecuritys-greatest-weakness-is-also-its-best-line-of-defence/ ISSA look ahead for 2019: ·          DevOps will become a bigger player.   The bad guys are getting more professional and they are starting to find the bugs and flaws faster than the community and will be taking advantage of those.   ·          The focus is on 3 rd parties more and more (personal note; we saw an uptick in this in the last half of 2018).   Idea is if they can compromise suppliers they can use that as a back door to get around your on-prem security. ·          More and more agencies will start moving

Seems it was a slow cybersecurity week… It seems that we may have just had the biggest breach disclosure ever named Collection #1.   It is not know at this time where it came from or what was the basis behind it, but a database showed up on the Dark Web (the MEGA cloud service to be exact) and in its raw form contained 2.7 billion rows of email addresses with their associated user names and passwords.   After duplicates are removed there are still around 1 billion unique records and more alarming a high number are on no other previous breach notices.   The running theory is that it aggregated 2000 other breaches many of which were encrypted and someone was able to break the encryption.   Of an interesting note, I ran my city account and it did not show up on the list (though it does show up on 9 other older lists) while my personal one did. Wired was one of the first to break the news:   https://www.wired.com/story/collection-one-breach-email-accounts-passwords/   Threat pos

It turns out if you are willing to pay, most cell carriers besides Verizon are willing to sell your location data including real time. The idea is that they sell it to aggregators, but they include the code for the phone, meaning it is trivial to recombine the data and figure out who is who and where they go. Latest issue of Motherboard magazine had a write up: https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile Evidently it shook up several people, groups, and now companies: http://www.philly.com/news/nation-world/att-says-itll-stop-selling-location-data-amid-calls-federal-investigation-20190111.html And the calls to investigate: https://www.cnet.com/news/senators-call-for-investigation-on-phone-companies-selling-location-data/https://www.infosecurity-magazine.com/news/phone-carriers-selling-customer/ https://www.wired.com/story/carriers-sell-location-data-third-parties-privacy/ Microsofts mon