Roll up! Roll up! It’s a security round-up!

Apologies for the infrequency of recent updates. I’ve been busy – understanding the GDPR, doing some speaking engagements and (hush!) actually working for a living. So, without further ado, here’s what’s going on right now:

Theresa May is trying to push the Snoopers Charter (aka the Investigatory Powers Bill) through Parliament despite plenty of expert opinion that it’s oppressive, regressive and not actually much use for its intended purpose. Should we care (as businesspeople)? Well, yes, if it introduces significant additional costs – passed on from ISPs – to pay for the snooping infrastructure, and/or clogs up the free flow of ecommerce.

The FBI and Apple are in a spat about unlocking a terror-suspect’s iPhone. It’s easy to get this one confused – as far as I understand it the phone in question is not one of the more recent models with proper encryption baked in, so it may be crackable; Apple are taking a principled stand. If it was an iPhone 6, the FBI would be demanding the impossible (or more accurately, the computationally unfeasible) – which revives the “should we weaken encryption to fight terrorism” debate. Answer? No. The threat to the global economy posed by intentionally crackable encryption is far greater than that coming from terrorists who, as the Paris attacks prove, are hardly sophisticated in their use of cyber in the first place.

The payment card industry (and particularly Barclays, I understand) are on a bit of a crusade to get merchants to comply with PCI-DSS. Obviously they’ve all been supposed to comply for years, but all of a sudden it’s being enforced. Could this have anything to do with the looming cap on credit and debit card charges, courtesy of the EU? If we Brexit, will they stop bothering and carry on charging a couple of percent? Answers on a postcard, please.

Cryptolocker continues to make the news, with several councils hit – notably Lincolnshire, which was offline for a couple of days but claims not to have paid a ransom – and a number of US hospitals, including Hollywood Presbyterian (surely an oxymoron) which did pay up. The ransomware writers are still managing to get their payload past anti-virus scanners, exploiting user propensity to click “OK” to all dialog boxes to get their malware installed. Another reason to make sure you limit user privileges, and implement a Cryptolocker Canary (like the mineshaft safety system, without the animal cruelty).
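The canary idea above, as an added example that is not from the original post: plant a decoy file that sorts first in a share and alarm when its content changes or it disappears, which is what in-place encryption or a rename-after-encrypt does to it. The decoy name, the temporary directory and the scenario are all constructed for this illustration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed decoy name, chosen to sort before real documents so that
# anything walking the directory in order reaches it early.
CANARY_NAME = "!aaa_canary.docx"
CANARY_BYTES = b"Decoy document: nobody should ever edit, move or delete this.\n"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_canary(directory):
    """Write the decoy into `directory` and return its baseline hash."""
    path = os.path.join(directory, CANARY_NAME)
    with open(path, "wb") as f:
        f.write(CANARY_BYTES)
    return sha256_of(path)


def check_canary(directory, baseline):
    """Classify the decoy: 'ok', 'missing' (deleted or renamed) or 'modified'."""
    path = os.path.join(directory, CANARY_NAME)
    if not os.path.isfile(path):
        return "missing"      # renamed (e.g. to *.encrypted) or deleted
    if sha256_of(path) != baseline:
        return "modified"     # overwritten in place
    return "ok"


def run_scenario():
    """Walk through pristine, overwritten and renamed states in a temp dir."""
    share = tempfile.mkdtemp(prefix="canary_demo_")
    try:
        baseline = plant_canary(share)
        states = [check_canary(share, baseline)]
        path = os.path.join(share, CANARY_NAME)
        with open(path, "wb") as f:                 # decoy overwritten in place
            f.write(os.urandom(len(CANARY_BYTES)))
        states.append(check_canary(share, baseline))
        os.rename(path, path + ".encrypted")        # decoy renamed away
        states.append(check_canary(share, baseline))
        return states                               # ['ok', 'modified', 'missing']
    finally:
        shutil.rmtree(share, ignore_errors=True)


if __name__ == "__main__":
    print(run_scenario())
```

In practice `check_canary` runs on a schedule against each share, and anything other than `ok` should raise an alert and cut the affected user's access to the share while someone looks.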

The US taxman has confessed that a hack last May in which the bad hats used a tax transcript download service to steal taxpayers’ personal information was a bit worse than they’d first admitted: seven times worse, in fact. Something like 700,000 people may have been compromised. Not a good day for digital government. The UK has more than 10,000,000 self-assessment taxpayers, of whom 90% file on-line, and the “beta” (oh goody!) HMRC website includes a similar ability to download your entire tax history. Thankfully they’ve implemented some basic two-factor authentication (using SMS to a mobile number) and some similarly basic identity verification (based on knowing your income from last year). Better than nothing, but please let’s have something a bit more robust before it comes out of beta.

More tomorrow…
