It's been a big week for security news. Parliamentary email hacked, UK politician logon credentials circulating for sale, a massive (paper) data breach at the NHS, another massive ransomware outbreak, Boomerang Video fined... Wait, what? Who the hell are Boomerang Video? Boomerang are a small video-game rental operation. Their website was hacked in 2014 and … Continue reading Yes, data protection matters to you too
Being involved in cyber-security can be quite depressing. So much of the time we see things that make life better for many people being spoiled by a few bad hats. I can't help feeling this is getting worse, and that our digital future will be more paranoid, more cautious, less global and considerably less convenient … Continue reading Have we passed peak convenience?
Information security is a Board issue. Not everyone seems to appreciate this, and one of the more disheartening aspects of my day job is how hard it is to get senior execs to take the time to have security awareness training and engage with security policy. Why is it a Board issue? Firstly because directors … Continue reading The importance of governance – a dozen good questions you should ask your Board
I wrote recently about a report that people would sell their company username and password for as little as $150. That’s just the tip of the iceberg. There’s a market, and a market price, for everything – credit card details sell for as little as $7, but bank account credentials sell for 1-5% of the … Continue reading The hacker economy
More credit card details stolen – Rosen Hotels have admitted that they’ve had active malware stealing credit cards inside their systems for 18 months. You’d think after all the other point-of-sale compromises in the last couple of years, retailers would have tried a bit harder to check if they were infected. Have you checked? Blackmail … Continue reading Friday security round-up
PCI-DSS is a pain in the backside. There: you think it, I said it. However, it's also got some good stuff that's not just useful for protecting card numbers, but general network security best practice. One example is the requirement that you change the default passwords and disable guest accounts on network devices. Sounds obvious, … Continue reading It’s in PCI-DSS – so why don’t you do it?
Apologies for the infrequency of recent updates. I’ve been busy – understanding the GDPR, doing some speaking engagements and (hush!) actually working for a living. So, without further ado, here’s what’s going on right now: Theresa May is trying to push the Snoopers Charter (aka the Investigatory Powers Bill) through Parliament despite plenty of expert … Continue reading Roll up! Roll up! It’s a security round-up!
So now we have our own Target. Details are still sketchy, but it looks as though millions of TalkTalk customers have been thoroughly compromised. From the sound of it, there were some pretty basic failures, including lack of encryption and retention of sensitive data in the same location as everything else. Was this predictable? Of … Continue reading Less TalkTalk, more action
With fraud on the rise, a need to secure tax revenues, and a global commitment to reducing money laundering, it’s no wonder that regulation requires ever more stringent verification of customers’ identities. The trouble is that something which used to be the province of banks has become the province of, well, everyone. Including any number … Continue reading When verifying identity risks losing it – the overgrowth of KYC