Security ramblings

July 18th, 2016 by Stephen Jones

I ran across a piece last week that noted 10 million Android phones have malware that has rooted their operating system. For the most part this malware is designed to show ads and install apps. Mobile devices are becoming ubiquitous, for everyone. It is no longer just technical people who reach internal systems from mobile devices: everyone from junior marketing staff to senior executives is becoming comfortable with accessing information regularly, from anywhere, at any time. This means our security is inherently weaker because we allow that access, and with BYOD spreading this problem looks set to get worse before it gets better.

One of the constant challenges with the spread of data breaches is establishing whether data was really hacked out of an organisation or came from another source. Many recent claims of a data breach subsequently turned out to be wrong. For example, in the recent case where it was claimed that 272 million accounts had been stolen from Hotmail, Yahoo, Gmail and Mail.ru, the mail providers subsequently confirmed that this was not the case. The same applies to recent claims that 32 million Twitter accounts were on the loose: Twitter quickly debunked this, and speculation that the credentials were obtained via malware has never been substantiated.

The basics of security are still woefully weak. Many sites only allow you to create passwords of limited length, or accept weak passwords such as pwrod123, ******, etc. A length limit implies they are trying to fit the password into a varchar(10) column in the database, which in turn implies no cryptographic storage: a properly hashed password produces a fixed-length digest regardless of how long the input is, so a hashed store has no reason to cap the length. It also fundamentally weakens the choice of passwords available to the user. E.g. see the Etihad site, or KLM Flying Blue. Other airlines are equally lackadaisical, and there are many other security flaws that are easy to find. PayPal will also truncate long passwords without telling you, so you might find yourself locked out because the password you entered is too long.
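To make the point concrete, here is an added example (mine, not code from the post or from any of the sites named) contrasting the varchar(10) style of storage with salted PBKDF2 hashing: the legacy store silently truncates at registration and so locks out a user who types their full password, while the hashed store accepts any length and always writes a record of the same size. The function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Legacy scheme as described in the post: the password lands in a varchar(10)
# column, so registration silently truncates it, while login compares the full
# typed password. The stored value is the password itself, so there is no hashing.
def legacy_register(password: str) -> str:
    return password[:10]              # silently cut to fit varchar(10)

def legacy_verify(stored: str, password: str) -> bool:
    return stored == password         # full input compared against truncated copy

# Hardened scheme: salted PBKDF2-HMAC-SHA256. The record is always
# 16 salt bytes + 32 digest bytes, whatever the password length, so the
# column width no longer constrains the user's choice of password.
ITERATIONS = 600_000                  # assumed work factor for this example

def hashed_register(password: str) -> bytes:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def hashed_verify(record: bytes, password: str) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare

def demo() -> dict:
    long_pw = "correct horse battery staple"      # constructed, 28 characters
    # Legacy: the user is locked out of their own account by the silent truncation.
    legacy_locked_out = not legacy_verify(legacy_register(long_pw), long_pw)
    # Legacy: whoever reads the column reads the (truncated) password in clear.
    legacy_stored = legacy_register(long_pw)
    # Hashed: the full-length password verifies and the record length is fixed.
    record = hashed_register(long_pw)
    return {
        "legacy_locked_out": legacy_locked_out,
        "legacy_stored": legacy_stored,
        "hashed_ok": hashed_verify(record, long_pw),
        "hashed_record_len": len(record),
        "hashed_rejects_truncated": hashed_verify(record, long_pw[:10]),
    }

if __name__ == "__main__":
    print(demo())
```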

A recent data backup mantra I heard that is worth repeating is the 3-2-1 approach:
3 copies of data,
on at least two media,
one copy held remotely.
