Security

Information Security or Cyber Security, whatever you call it, this is where you’ll find it.

The Chinese spy-chip saga: One week on

Last week, the financial news website Bloomberg released what could potentially be the biggest security-related story in years: evidence that the Chinese government were implanting so-called “Spy Chips” on Supermicro motherboards intended for use in top American companies including Amazon, Apple, and the US government itself. In the hours and days following, Supermicro’s share price has fallen by 40 percent, while Supermicro, Apple and Amazon have all issued vehement denials as to their alleged discovery of the chips embedded in the motherboards. Both The Register and Ars Technica produced excellent write-ups of what was a bombshell revelation…

Want to work in Infosec? Impress me!

So, you’ve decided that information security (other titles are available) is the career for you; now you just need a job. Firstly, congratulations! You’ve made an excellent choice. The threat to companies and individuals from cybercrime and cyber-enabled crime is ever growing, creating a pressing demand for skilled individuals to help protect our information, more than ever in the age of GDPR. Before you can get started in security, however, you’ll have to come through someone like me – the hiring manager. Whether you’re an IT professional who wants to move into security; it’s your first security job; or you’re…

Why everybody should be using HTTPS

Using HTTPS on a website has historically been a pain, and therefore reserved only for e-commerce sites. In order to use HTTPS you would need to first purchase certificates, which had a cost associated; then you would need them installing, which your hosting provider would need to support. As a result, adoption of HTTPS for ‘regular websites’ was low. Last week, I took the opportunity to secure this website. The best part was that doing so cost nothing, and it took just 10 minutes! This led to the conclusion – there’s no excuse not to use HTTPS. What is HTTPS? When using…

WordPress Security: Some useful tools

Look to the right of the page and you’ll see the effect various personal issues have had on my free time. Couple that with needing to do a load of work on the house, and my capacity for looking after this website has become near zero. The problem is that the administrative overhead didn’t go away – comments still needed to be moderated, and the number of failed login attempts was starting to become a worry. So one lunchtime at work I decided to look at some WordPress security tools. Ultimately I came up with two plugins and a useful website…

Time for a new approach to password security?

The password. It’s been used for thousands of years and today represents the key security token in modern computer systems. Despite its ubiquity, the password is not well loved. Attitudes towards passwords vary from apathy to downright contempt. Very few people would ever stand up and argue that the password is a good method of securing a system. IBM predicted back in 2011 that the password would be dead within five years. However, while the giants of the technology industry are rushing to consign passwords to the dustbin of history, nobody seems to be asking whether the problem is with passwords…

Physical Security: How to cause mayhem!

I have a number of rules I use in a professional and sometimes personal capacity. This is number 1: always assume the worst about everything. You’ll rarely be disappointed. When you apply it in a security context, it means that, given a choice, users will always choose the stupid option. Take passwords: if you don’t mandate a certain password quality, then they’ll choose crap passwords (no, Pa55w0rd does not count as a good one!). If you make the password rules too difficult, well… With a little patience and technical expertise though, it is possible to secure your systems effectively. Password policies,…

TalkTalk: Words fail me

On Friday, as the whole TalkTalk hacking story was blowing up in a big way, I sat down to write an article about the fiasco, if fiasco is a strong enough word to describe the mess TalkTalk find themselves in. The problem is that every time I managed to write a bit, the story had once again changed. As with many things, however, the more you sit and watch it, the more you recognise patterns. Two such patterns that have come out of this debacle are: here’s another company that has failed to invest in Information Security; the CEO – Dido…

Protecting a website against spammers and robots – CallamMcMillan.com

This post was originally going to be a talk about what I did with CallamMcMillan.com to stop comments, followed by another article on how I dealt with a robots problem on the article voting system. After re-reading the article though, I decided to explain the problem a bit better and make this article somewhat informative so that you can use it on your own websites. If you’re like me then you’ll enjoy getting feedback on your work. The feedback may not always agree with my point of view, or it may suggest that my technical solutions are lacking, but at…

What the latest Java exploits teach us about security

I contributed earlier to a discussion on an article in The Register (Link) on dealing with malware caused as a result of security vulnerabilities in Java. The article discusses how to go about cleaning up the various pieces of malware downloaded and requires the use of multiple security tools covered in 12 steps. As I and others suggested at this point, given an infection of this magnitude, going for a clean-up should be the last resort. Virus removals are my least favourite computer repair job, since it can be virtually impossible to totally rid a system of a virus, and…