
Articles with the category: Cyber Security & Threat Management

GDPR and the Cloud

Tue, 20 Jun 2017 05:05PM

Today I attended Scot-Cloud in Edinburgh, a free conference hosted by Digit, an independent business technology community in Scotland. There was lots of conversation about GDPR; in fact, it was mentioned in all of the talks and there were two specific talks on it too. The first talk was by Martin Sloan of Brodies LLP Solicitors and the second by Lilian Edwards, a Professor of Internet Law at the University of Strathclyde. Both were really interesting, despite what some people might perhaps call a dry subject matter!

Read full article

Nudge Theory

Thu, 27 Oct 2016 04:48PM

A few weeks ago I was at an ISACA/ISC2 event where Chris Ulliott spoke about usable security. He argued that we (technology creators in general) ask far too much of the general public to be able to understand and use technology securely. I agree – asking any internet user to be able to spot a sophisticated phishing email by looking at email return addresses, checking URL links and possibly even looking at email headers for dodgy IP addresses is just over the top. Chris mentioned something called Nudge Theory and how we should use it more when designing security features. From Wikipedia: "Nudge theory is a concept in behavioural science, political theory and economics which argues that positive reinforcement and indirect suggestions to try to achieve non-forced compliance can influence the motives, incentives and decision making of groups and individuals, at least as effectively – if not more effectively – than direct instruction, legislation, or enforcement."

Read full article

Smartphone location tracking

Fri, 25 Mar 2016 06:37PM

With 1 comment

Smartphone SMS 'hacking'

Sat, 12 Mar 2016 07:28PM

On Wednesday I went to a mobile cyber security conference held at the National Museum of Scotland organised by the Scottish Business Resilience Centre. One of the most interesting talks was given by Odd Helge Rosberg (@ohrosberg). Odd talked about the multiple operating systems (OS) in smartphones, which at first I was surprised at, but which actually makes a lot of sense. You have your "smart" operating system – iOS, Android, etc., but the SIM card has a small embedded OS and the phone’s modem has an OS too. This real-time modem OS is stored in firmware, and controls everything radio related (texts, calls, etc.). Unfortunately, these proprietary, closed software OSes are poorly understood. The standards around how the radio signals work were designed in the 1980s and 1990s, and were not designed to be secure.

Read full article

4th International Conference on Cyber Security & Education

Sun, 18 Oct 2015 05:20PM

On Friday I went to the 4th International Conference on Cyber Security and Education, held at the Scottish Police College in Tulliallan Castle. There were loads of really interesting talks and I think the only letdown was the lack of abstracts/summaries of each talk, so often I was blindly going into a talk in one of the three streams available with the title “malware” or “threat analysis” without much of an idea of what would be said. Photos and tweets from the event can be found with the hashtag #thecyberacademy.

Read full article

What makes malware "sophisticated"?

Sat, 25 Apr 2015 11:46AM

Most news articles on high profile cyberattacks call these attacks sophisticated, but are they really? At the RSA 2015 conference a few days ago, researchers Ira Winkler and Araceli Treu Gomes wrote ‘the Irari rules for declaring a cyberattack sophisticated’. The summary article can be found here, and the conference slide pack here. The main message is that just because the cyber attackers managed a large successful attack (such as the Sony breach), that does not make it sophisticated. Sophisticated means it defeated security defences and was undetected until perhaps too late. We don’t call a burglar sophisticated if they managed to steal everything valuable out of a building if the doors were left unlocked, the codes for the vault were written on a post-it above it and the security alarms were easily turned off. Therefore, just because a piece of malware was able to wipe out all computers, exfiltrate a huge amount of data, commit fraud and cause all sorts of damage does not mean it did anything clever – it may mean that the victim just had poor security controls.

Read full article

Kill chain models

Thu, 29 Jan 2015 08:24PM

It has been 4 years now since Lockheed Martin released their "Cyber Kill Chain" paper, which describes the stages that the perpetrator of an advanced persistent threat (APT) takes. This kind of attack sequencing is not new; the American military and other government forces have used similar models to show the stages of a terrorist attack or how to target enemy missiles:

Read full article

Storing passwords in your browser

Sun, 25 Jan 2015 12:01PM

Passwords, passwords, passwords. We’ve come to a point where it’s impossible to have a life online without a gazillion passwords, which should all be complicated, long and unique. The easiest way to solve this is by letting the browser store the passwords for you. You make up something random, and let the browser remember it for you. But are the browsers safe? Can someone extract the passwords forensically? According to the RaiderSec blog: if you use Firefox and use a strong master password, then you are safe (for now!). If you use IE, then the difficulty in obtaining the password is dependent on the version. However, if you use Chrome, you are, quite frankly, screwed.

Read full article

CompTIA Security+ Exam

Wed, 08 Oct 2014 07:05PM

A few weeks ago I took the CompTIA Security+ (version SY0-301) exam after 2 weeks of intense self-study and managed to successfully pass after a nerve-racking 90 minutes of questions. The exam covers all aspects of information security, including networking, access control, security threats & mitigation techniques and cryptography. It doesn’t go into a huge amount of detail on any of the topics, but instead gives a broad understanding of all the areas. I highly recommend the exam for any forensic investigators who want to get a broader understanding of the infosec world, and unlike the extortionate EnCE or SANS courses – you only need to pay for a study book and the exam (which was a few hundred pounds). The exam will be moving very shortly to the newer version, 401, which will have updated concepts but the general feel will be the same. Below are some of the materials I found useful (and useless!) for my study.

Read full article

The risks of QR codes

Sun, 13 Apr 2014 06:03PM

In my last blog post I talked about the merits of QR codes and their use in forensics. I’m going to talk about the risks of QR codes now; as with everything, there are always issues with new technology. There are three main risks with QR codes:

Read full article

Thoughts on the UK Cyber Security Strategy

Wed, 07 Dec 2011 09:29PM

In November the UK government released the “UK Cyber Security Strategy”, which can be downloaded here. There are four main objectives which will be funded by £650 million over 4 years under the “National Cyber Security Programme” (NCSP). The objectives are:

Read full article

Online backups

Wed, 27 Jan 2010 03:01PM

With 2 comments

I like backing stuff up. I have not yet actually had a computer crash on me and lose everything, but I do quite regularly reinstall Windows XP when it gets too slow. To make this an effortless process I used to have the C:\Documents and Settings folder live on a different partition, so when I reinstalled Windows on the other partition, all my stuff was still there – just needed a few registry values changed. I can’t really be bothered with that any more; some programs got quite confused as to where my home directory was, and resizing the partitions when I ran out of space on one was a bit of a hassle. If you’re interested, this is how to do it.

Read full article