5 podtips om IT-säkerhet

När man vill hålla sig à jour med IT-säkerhetsvärlden är det väldigt smidigt att få kommentarer på den senaste tidens nyheter i örat - som Podcast, när man tar sig till jobbet/står o diskar eller annat…

Dessa poddar lyssnar jag på och brukar rekommendera till de som vill vara “on top”:

1) SANS Internet Storm Center Daily Network/Cyber Security and Information Security Podcast

https://itunes.apple.com/se/podcast/sans-internet-storm-center-daily-network-cyber-security/id304863991?mt=2_ _

A brief daily summary of what is important in cyber security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center.

[Johannes Ullrich - kort, koncis, o lite speciell stil (men man vänjer sig)]

2) Risky Business

https://itunes.apple.com/se/podcast/risky-business/id216478078?mt=2

Risky Business is a** weekly information **security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

[Framförallt är det första delen med nyhetsgenomgång som Patrick Gray gör tillsammans med Adam Boileau (oftast) som är mest intressant]

_ _

3) Smashing Security

https://itunes.apple.com/se/podcast/smashing-security/id1195001633?mt=2

Join computer security industry veterans Graham Cluley and Carole Theriault as they chat about cybercrime, hacking and online privacy. Follow the podcast on Twitter at @SmashinSecurity. New episodes released every Thursday.

[Lättlyssnat med en portion humor och ofta en gäst]

_ _

4) Säkerhetspodcasten

https://itunes.apple.com/se/podcast/s%C3%A4kerhetspodcasten/id576469997?mt=2

Säkerhetspodcasten är Sveriges första podcast om IT-Säkerhet.

[Cirka varannan måndag kommer ett avsnitt på svenska där den (oftast) femhövdade panelen på ett insatt och avslappnat sätt kommenterar den senaste tidens IT-nyheter]

_ _

5) Säkerhetssnack

https://itunes.apple.com/se/podcast/s%C3%A4kerhetssnack/id1212104584?mt=2

En pod om IT-säkerhet. Christoffer och Olle pratar högt och lågt, med kärlek för det tekniska, om säkerhetsläget. Nyheter, utmaningar samt tips och råd. Så lyssna in och vässa dina kunskaper om säkerhet i cyberrymden.

[Relativt nystartade på svenska med temanummer inklusive lite reflektioner över senaste tidens IT-säkerhetshändelser. Kommer cirka två ggr i månaden]

_ _

Bubblare) Unsupervised Learning with Daniel Miessler

https://itunes.apple.com/us/podcast/unsupervised-learning-daniel/id1099711235?mt=2

A succinct and analytical summary of the week’s most interesting stories in infosec, technology, and humans. Each episode includes: InfoSec News, Technology News, Human News, Ideas, Recommendations, and the **weekly **Aphorism. It’s five hours of my research and curation condensed into 30 minutes so that you can be ready for Monday.

[Jag började lyssna denna vecka - Lovande - får se om den håller]

Tailwinds!

/Robin

I’m back!

OK, so I apologize that there’s been a few weeks of radio silence from “The von Post” transmission.

There are some nice plans on how to expand this curated flow of IT-security related news with some short personal comments on the incidents and articles enclosed in the newsletter - so please hang on and stay tuned!

Tailwinds!

/Robin

Paper/Film - Not the answer to Privacy

Searching the DHHS Wall of Shame for breached data filtering for “Paper/Film” 1 of Jan 2015 until Today gives a total of 966 000 Individuals Affected in the US by loss/theft of Paper/Films!

Avoiding electronic medical records is NOT the answer to your privacy...

https://twitter.com/SteveBellovin/status/712660040163962880

Mobile Devices Official Reply

I reached out to the French vendor of the telematics module C4 Max for an official comment on the blogpost by Jose Carlos Norte @jcarlosnorte and got a reply this evening:

Hi Robin,

Thanks for reaching out to us.

Please find below some clarification, and I am available for a call if you wish.

As a manufacturer of Telematics devices that offer the possibility to communicate with vehicles (through vehicle buses) we address security questions very seriously.

Our telematics devices (C4Max, C4 Dongle) come with several onboard features such as: GPS receiver, cellular (2G, 3G, or 4G communication), several local interfaces (serial ports, digital and analog I/Os, USB, 1-wire, Bluetooth and WiFi…), including vehicle bus interfaces (CAN, OBD, J1708,…). One of their advantage is that they provide the maximum flexibility and openness for the development of applications, using Morpheus SDK.

Our customers are usually Telematics services providers or integrators and will ultimately install these devices in vehicles. In the “minimum” scenario the devices are only connected to power and unable to communicate with the vehicles. In some cases they will also be connected to vehicle buses.

In the past we would provide to our customers the mechanisms and support, allowing them to ensure security but it was usually our customers’ choice to decide when and how to activate them.

With the evolution of the telematics industry and the growing interest in connecting devices to vehicle buses we have adopted a different approach, which ensures security is applied as soon as our customers decide to deploy the devices. We provide the devices in 2 different modes :

1.      Development mode: our customers can develop applications that can be executed in these devices using the Morpheus SDK associated and test them

2.      Deployment mode: once the specific application is developed if any, or by default with the standard application which we provide in the devices, the units are deployed on vehicles.

If a customer decides to deploy the telematics devices he must use the deployment software packages which comes with highest security mechanisms, preventing any remote access nor control of the devices and therefore of the vehicles in which it is installed.

Now in test mode, it is still needed and possible to remotely access the devices, but the users of the test mode are aware of this and take this into consideration when using vehicles.

Practically the access to vehicle bus has gained some interest more recently and in many use cases it is still not used, which means the devices are not connected to the vehicle bus but only powered by the vehicle and rely on internal sensors  only (GPS, accelerometer, …).

If the devices associated are in deployment mode, NO access to get any information from the device or the vehicle is possible.

If the devices associated are in development mode, then depending if the devices are connected or not to the vehicle bus some information may be available.

We are aware that some devices are still in development mode and we are running a comprehensive check with our customers to ensure that all devices which must be in deployment mode (with security activated) are effectively in this mode.

We are running the investigation these days and we will let you know if we discover that any devices are still in development mode although used in deployment and if these devices are connected or not to the vehicle buses. In that case we will make sure that the integrator gets all the support from us to switch these devices in deployment mode asap.

Feel free to contact me for any additional information.

Best,

Aaron Solomon – MOBILE DEVICES