STE WILLIAMS

UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs

Her Majesty’s Revenue and Customs, aka the tax collector, has agreed to delete five million voice recordings it used to create biometric IDs.

The Voice IDs were used to speed access to its phone line but were created before the implementation of the European General Data Protection Regulation (GDPR) and fell foul of the tougher rules.

HMRC will keep about 1.5m Voice IDs which are in use, but delete around five million where explicit consent was not received and where those people had never used the system since creating the ID.


The Rev’s chief executive, Sir Jonathan Thompson KCB, said in a letter to his data controller:

“I have informed ICO that we have already started to delete all records where we do not hold explicit consent and will complete that work well before ICO’s 5 June 2019 deadline. These total around 5 million customers who enrolled in the Voice ID service before October 2018 and have not called us or used the service since to reconfirm their consent.”

HMRC followed several banks and other organisations in using a “my voice is my password” system to identify account holders. It will continue to use the system but in line with GDPR rules and its own published privacy policy.

Director of Big Brother Watch, Silkie Carlo, said in a statement:

“This is a massive success for Big Brother Watch, restoring data rights for millions of ordinary people around the country. To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database.

“This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no Government department is above the law.”

Thompson said in his letter the Revenue will continue to use Voice ID because it is “popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster.”

The letter is available as a PDF from this page on the HMRC site. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/03/hmrc_bashed_for_5m_voice_slurp/

How Storytelling Can Help Keep Your Company Safe

Well-crafted narratives can help you win over users in the battle to develop a sustainable cybersecurity culture.

When was the last time you felt a deep emotional connection to a PowerPoint slide? How often do you find yourself enraptured by a lecture? Take a moment to imagine the sheer number of corporate presentations, training sessions, and mass emails that have failed to make any lasting impression (or any impression whatsoever) on their target audiences. When it comes to your company’s security, you really don’t want to add to that number.

Whether we’re talking about gaining or maintaining an audience’s attention, narrative is one of the most powerful tools you have. Human beings are naturally drawn to stories — they generate empathy, tension (the good kind), and emotional investment. They entice viewers to keep watching to see what happens next. And they provide coherent, digestible messages that audiences actually want to hear.

Research by Paul J. Zak, a professor of economics, psychology, and management at Claremont Graduate University, has shown that “character-driven stories with emotional content result in a better understanding of the key points a speaker wishes to make and enable better recall of these points weeks later.”

Because stories are so reliant on the power of empathy, it’s crucial to make them as relatable as possible. Zak explains that it’s easier to convey the “transcendent purpose” of your company by “describing the pitiable situations of actual, named customers and how their problems were solved by your efforts. Make your people empathize with the pain the customer experienced and they will also feel the pleasure of its resolution.”

Employees also need to be reminded that even the best-known companies in the world have been the victims of major security breaches, and this can be done by telling their stories. For example, Equifax recently announced that US regulators are seeking damages for its massive 2017 breach, which has already cost the company hundreds of millions of dollars. There’s a reason why the expression “cautionary tale” is so common — there’s no better way to prepare people for the worst.

In a review of the research literature on narrative and cognition published in Proceedings of the National Academy of Sciences, Michael F. Dahlstrom points out that narratives are “often associated with increased recall, ease of comprehension, and shorter reading times.” This is because, as Dahlstrom explains, narratives “seem to offer intrinsic benefits in each of the four main steps of processing information: motivation and interest, allocating cognitive resources, elaboration, and transfer into long-term memory.”

These are all salient points for CISOs and other digital security professionals who are trying to develop and sustain a culture of security at their companies. What’s the use in security training programs that won’t be remembered a few weeks or months after they’re implemented? This is why companies should avoid perfunctory, check-the-box security exercises like occasional information dumps from the IT department, monotonous PowerPoint presentations, and training modules that employees rush through as quickly as possible. Instead, they should focus on narrative-driven messaging that highlights real-life data breaches and what could have been done to prevent them.

To return to our Equifax example: If you simply tell your employees to keep software patched, they won’t be thinking about why this is so important. But what if you introduce the issue like this? “In the summer of 2017, the personal data of 145 million American consumers were stolen when Equifax was targeted by one of the largest hacks in US history. The breach could have been prevented if Equifax would have patched a vulnerable web application, but it failed to do so. This is why it’s vital to make sure all of our software is up-to-date.” A call to action is much more powerful if it comes at the end of a compelling story.

We live in an age of perpetual distraction. According to a recent study published in the Journal of the Association for Consumer Research, even the mere presence of a smartphone “reduces available cognitive capacity.” A Microsoft survey found that the percentage of people who “get side tracked from what they’re doing by unrelated thoughts or day dreams” increases dramatically if they’re early tech adopters, heavy social media users, and/or consumers of large amounts of media (the vast majority of your employees probably fit these criteria). The same report discovered that almost one-fifth of online viewers “defect in the first 10 seconds.” 

In other words, it has never been easier for employees to ignore warnings and absent-mindedly click through the training exercises that are supposed to keep your company safe. Professional communicators should never forget this fact — if you can’t seize your audience’s attention right away, there’s a good chance you’ll lose it for good. And even if you manage to keep the audience engaged for the first 10 or 20 seconds, you’re waging a constant battle to reach 30 seconds, 40 seconds, and so on.

Well-crafted narratives can help you win this battle, which is why they should be an integral part of your cybersecurity platform. 


Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a “security awareness mindset,” in which online safety becomes part of who someone is …

Article source: https://www.darkreading.com/endpoint/how-storytelling-can-help-keep-your-company-safe/a/d-id/1334548?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The 2019 State of Cloud Security

Enterprise cloud security is making real progress, but emerging technologies call for security teams to keep up the pace.

Image Source: Adobe Stock (immimagery)

The state of cloud security is improving — or, at the very least, it isn’t backsliding. But as cloud technology grows more prevalent and more complicated, security teams are going to need to keep innovating with improved controls and integrations.

So say the experts with SANS Institute, which just put together its first comprehensive review of cloud security practices since 2017. On a positive note, SANS analyst and instructor Dave Shackleford says responses show that cloud security stances are improving.

“The news was not all doom and gloom. I was pretty excited by some of the results that came back this year because there are some shifts happening that tell me the security industry is really starting to step up,” Shackleford says.

Nevertheless, increased penetration of the cloud, increasing attacker awareness of expanding opportunities to target cloud resources, and the acceleration of use of new cloud technologies are all making it tough to rest on those laurels.

“The attackers have figured out that there’s a lot of cloud surface area to approach and attack,” Shackleford explains. “At the same time, we’ve got people trying to make use of new platforms and new technologies within those platforms — things like Kubernetes, S3 buckets, and so forth.”

As a result, the survey shows a big uptick in unauthorized access by outsiders into cloud environments and assets — impacting 31% of organizations so far this year compared with 19% two years ago. The good news is that while organizations are still struggling to gain visibility into cloud environments, that situation has improved. Whereas in 2017 55% of organizations complained they were frustrated by trying to get low-level logs and systems information for forensics, that has decreased to 30% of organizations today.  

To offer more insight into the report’s findings, Dark Reading cherry-picked some of the best charts from the report to offer an overview of the highlights.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/cloud/the-2019-state-of-cloud-security/d/d-id/1334604?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Executive Order Aims to Grow Federal Cybersecurity Staff

The EO outlines a ‘rotational assignment program’ intended to help security practitioners develop their skills.

President Donald Trump this week signed a new executive order (EO) designed to recruit and educate more cybersecurity professionals across both government agencies and the private sector.

The EO outlines myriad initiatives supporting its plan to create a larger pool of talent moving between businesses and the federal government. Some of these are training opportunities including work-based learning, apprenticeships, and “blended learning” programs for new entrants to the security field, as well as seasoned practitioners who want to develop their skill sets.

One of these is a “cybersecurity rotational assignment program,” an effort to be led by the Department of Homeland Security, along with directors of the Office of Personnel Management and Office of Management and Budget. The initiative will bring DHS employees to other agencies, and vice versa, to help build risk management expertise and other skills needed to work in cybersecurity.

The program will use the National Initiative for Cybersecurity Education (NICE) framework as the basis for participant requirements; it also mandates that NICE terminology and taxonomy are used in workforce knowledge and skill requirements for IT and cybersecurity services.

As the EO points out, the rotational program is nonreimbursable, but it does mention agencies will create “new awards and decorations” to recognize security performance and achievements. It also describes an annual cybersecurity competition dubbed the “President’s Cup,” which will let federal civilian and military employees compete in offensive and defensive security skills.

Read the full executive order here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/new-executive-order-aims-to-grow-federal-cybersecurity-staff/d/d-id/1334609?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google rolling out auto-delete for your location and activity history

You may be pleased, or perhaps underwhelmed, by the news that you no longer have to remember to log in and delete the stuff you didn’t know Google was tracking about you.

Google announced new auto-delete controls for Location History and activity data on Wednesday.

…not that Location History and Web & App Activity aren’t the best things since sliced bread – or places where sliced bread is served, Google said:

Whether you’re looking for the latest news or the quickest driving route, we aim to make our products helpful for everyone.

The data can make Google products more useful for you – like recommending a restaurant that you might enjoy, or helping you pick up where you left off on a previous search.

However, Google says it’s been getting feedback from users who want simpler ways to manage or delete all that data.

You can already use your Google Account to access simple on/off controls for Location History and Web & App Activity, or to delete all or part of that data manually.

Soon, you’ll also be able to set auto-delete controls that you can use to set a time limit for how long you want your activity data to be saved, be it for 3 or 18 months. Data older than that will be automatically deleted from your account on an ongoing basis. Expect to see the new controls roll out first with Location History in coming weeks and then on Web & App Activity. From Google:

You should always be able to manage your data in a way that works best for you and we’re committed to giving you the best controls to make that happen.

Well, that sure SOUNDS nice. Mind you, as we’ve learned over the past few months, Google’s mobile apps can gather our location data even when they’re not running if you’ve opted into Location History…

… location data that law enforcement officials in the US have been routinely mining for criminal investigations, as revealed in an investigation by the New York Times.

So yes, you can soon set up auto-delete for Location History, and then for Web & App Activity. But if you don’t like the notion of the police, and the advertising behemoth that is Google, being able to track your every movement, you can also turn off location history entirely.

To do so, sign into your Google account, click on your profile picture and the Google account button. From there, go to Data personalization, and select Pause next to Location History. To turn off location tracking altogether, you have to do the same for Web & App Activity in the same section.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/c2gztPqlUww/

Cybersecurity experts battle for right to repair

A battle is playing out between manufacturers and users over who has the right to repair a product – and tech companies are using cybersecurity concerns as a weapon.

Across the US, states have been mulling right-to-repair legislation that would let users repair their own devices, opening up access to verified parts and technical documentation. It’s a reaction to moves by manufacturers such as Apple to lock down the repair process to authorized partners.

Earlier this week, California State Assembly Democrat Susan Talamantes Eggman pulled proposed right-to-repair legislation from consideration by the State’s Privacy and Consumer Protection Committee because it didn’t have the support it needed. She accused industry lobbyists of shooting down the bill, telling Motherboard:

Manufacturers had sown enough doubt with vague and unpacked claims of privacy and security concerns.

Privacy, security and injury

According to the site, vendors and industry associations had been lobbying lawmakers to argue that the right to repair was a bad idea. Apple warned that people trying to repair their own iPhones might puncture the battery and injure themselves.

Industry group CompTIA had also approached lawmakers with a letter sounding the cybersecurity alarm. It warned them that opening up repair rights to the general public could make products less secure. This is similar to claims it made in March 2017, when it sent a statement to the Nebraska Legislature protesting a potential right-to-repair bill in that state. The Nebraska letter pointed out that hackers are constantly trying to break into devices, adding:

Any weakening of the current standards, including sharing sensitive diagnostic tools and proprietary hardware data, could expose customers to risk.

Not so, say cybersecurity professionals. Last November, technology journalist Paul Roberts founded securerepairs.org, an advocacy group that supports right-to-repair legislation. This week, it announced support from over 20 cybersecurity rock stars, who will speak out for right-to-repair legislation across the US.

These spokespeople include Bruce Schneier, a ‘public interest technologist’ and cybersecurity expert who is a board member of the Electronic Frontier Foundation (EFF), and Katie Moussouris, CEO of Luta Security. Dan Geer, the CISO of the CIA’s non-profit venture arm, In-Q-Tel, is also on board, as is Chris Wysopal, CTO at Veracode and former member of the L0PHT collective. L0PHT was an elite hacker group who testified to US Congress in 1998, warning them early about the dangers of not securing internet-facing products and services. We all know how that went.

In an open letter written back in February, securerepairs.org supporter Joe Grand explained why the vendors’ cybersecurity argument doesn’t wash with him. Grand, who was a member of L0PHT along with Wysopal, is also a computer engineer with experience in designing and manufacturing hardware.

He said:

When implementing security to modern day best practices, having physical access to a device should not weaken security in most situations, particularly during the ordinary business of repair. Devices with well-planned security initiatives will isolate components that are critical to security within a physically protected and access-controlled area.

He cites Apple’s Secure Enclave technology, which stores hardware security secrets, along with similar processor-level measures from Intel, which stores hardware security data in a trusted platform module (TPM).

In fact, he argues that opening up the right-to-repair and providing access to original parts and documentation actually lowers the risk of compromise.

Those that repair devices may be innocent, unwitting parties in a malicious attack by being forced to obtain components from unverifiable sources of questionable quality.

A long way to go

There have been some positive moves for right-to-repair advocates recently. In October, the Library of Congress and Copyright Office created an exemption to the Digital Millennium Copyright Act (DMCA), allowing people to circumvent technological protection measures (TPMs, in the DMCA’s sense of the term, not trusted platform modules) and other electronic locks in smartphones and home systems for maintenance or repair purposes. So you won’t get hauled off to jail for hacking your own Apple T2 chip.

Still, right-to-repair advocates have a long way to go.

Using security as an argument against right-to-repair also opens up another question: what about software patches? Patches are a kind of repair supposed to make software more secure. They normally come from the software’s vendor, but if the vendor doesn’t release a patch in time or the program reaches the end of its support period, should others be allowed to create patches for their proprietary software?

What are your views on the effects of user repair on cybersecurity? Should vendors make it easy for people to repair their products by publishing technical documentation and selling verified parts to customers, or are they right to keep their technical repair secrets locked up tight?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CubAZklCPMw/

Cryptocoin theft, scam and fraud could total more than $1.2b in Q1

In December 2018, the CEO of Canada’s major cryptocurrency exchange, QuadrigaCX, allegedly died of Crohn’s disease while in India without telling anybody the password for his storage wallet.

Oh, really? Funny, that. Experts say that Crohn’s is hardly likely to kill an otherwise healthy 30-year-old. Nor was there an autopsy. Or, apparently, a body. It’s also odd that days earlier, Gerry Cotten made out a will leaving everything to his wife. And that Ernst & Young used public blockchain records to review the transactional activity of the six identified cold wallets set up by Cotten, where his wife claims the assets were locked up without access to the password keys, and found that they’d been emptied of $137m.

And, well, you can see where this is headed: straight into the likelihood that it was one of the year’s most scorching exit scams.

CipherTrace analysts think it’s highly unlikely to be anything but fraud, theft or foul play, they noted in the company’s 2019 Q1 Cryptocurrency Anti-Money Laundering Report. Gerry Cotten probably isn’t really six feet under, they suggest. Rather, he could have slipped underground in another way entirely as he and his “widow” actually work to launder a total of nearly $195m worth of customers’ funds.

We’ll likely never know what really happened. But we do know that the lost QuadrigaCX funds have added to a total estimated US$356 million stolen (stolen or “lost,” if you buy the death-by-Crohn’s story) from exchanges and cryptocurrency infrastructure during the first quarter of 2019.

According to CipherTrace, which develops cryptocurrency and blockchain tracing and security capabilities, that figure could swell further still, given that the New York Attorney General last month accused cryptocurrency exchange Bitfinex and cryptocurrency Tether of an $850m fraud. If the allegations bear out, the total losses in Q1 will be more than $1.2 billion.

The increasingly varied ways for funds to go POOF!

Suspicious death in a foreign land; the disappearance of a Norwegian billionaire’s wife by alleged kidnappers who purportedly demanded about 1% of all existing Monero funds in exchange for her release (she was last seen alive in October 2018); a spike in cross-border payments from US exchanges to offshore exchanges that fall off the radar of US authorities: these are just some aspects of the current landscape of cryptocurrency crime, CipherTrace says.

They are not without repercussions. Ironically enough for those who got into cryptocoins for the lack of regulation, these crimes are ushering in what CipherTrace calls a “tsunami” of regulation. We’re looking at tough new global anti-money laundering and counter-terror financing regulations that will steamroll the crypto landscape in the coming year, according to its analysts.

While nations such as Iran and Russia are looking to roll out their own currencies in an effort to avoid sanctions or are looking to attract crypto businesses to foster economic growth, others are trying to get a grip on the downside, including extortion, kidnapping, money laundering and terrorist financing potential of crypto assets.

Some examples:

Crime + consequences = Quid pro quo for lack of regulation?

With these kinds of crimes and losses, it’s not surprising that regulators are getting ready to march. But it’s worth noting that the total market capitalization for cryptocoins is about $177 billion, which puts the 2019 Q1 thefts at roughly 0.2% of the total value of cryptocoins.

Granted, that’s not nothing. And also granted, CipherTrace didn’t take into account some thefts, such as North Korean state-backed hackers having successfully breached at least five cryptocurrency exchanges in Asia between January 2017 and September 2018, causing $571 million in losses, as the UN Security Council reported on 6 March.

…but still, it’s a small percentage. It’s also worth remembering that averages are made up of peaks and troughs. Most of the value of the thefts came from the total plundering of a few big exchanges, which likely means that while cryptocurrency overall might lose 0.2% to theft, people don’t.

The risks of sticking funds onto somebody else’s computer

Many might not lose anything at all to these and other forms of theft, while some might lose everything. Those are the risks we take with cryptocurrency exchanges, which are, as we’ve mentioned before, Just Another Website and therefore unaffected by the magical un-crackability of cryptocurrency crypto.

Cryptocurrency exchanges are websites where such currencies are bought, sold and stored. For Bitcoin and its ilk, they’re a soft and vulnerable underbelly. Like “the cloud,” an “exchange” is just another name for “somebody else’s computer.” You know next to nothing about the quality of that computer, or the ethics of the person operating it.

To help keep funds safe – at least from online threats, if not from kidnappers and other real-life criminals – don’t leave crypto-assets in a hot wallet. Instead, put the bulk of it in cold storage. Just make sure to figure out a way to securely give someone else the password after you die, in case you really do pass away unexpectedly, somewhere, sometime, be it overseas or in your own bed.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oB8senjmSjg/

Criminals are hiding in Telegram – but backdoors are not the answer

When it comes to an easy life, the criminals behind the feared Anubis banking malware have become big fans of Twitter and, increasingly, the secure messaging of Telegram.

There’s nothing new in malware piggybacking on popular services but why Twitter and Telegram, and is the recent migration to secure messaging significant?

As SophosLabs explains in a new analysis, Anubis borrows these services to host the command and control (C2) instructions malware reaches out for after first installing on a target system.

Twitter is attractive because its popularity and ubiquity means that its domains are less likely to be blocked by web filtering.

Despite this, SophosLabs has recently noticed Anubis moving from Twitter to use Telegram almost exclusively, on the face of it a strange thing to do.

Perhaps Twitter’s in-house security has got better at whacking the mole – blocking the Anubis domains as quickly as they are set up. Malware writers know that’s going to happen at some point but if it’s within minutes or a few hours, that can be inconvenient.

In fact, Telegram is also quite good at suspending accounts that abuse its service in this way. Nevertheless, writes SophosLabs’ researcher, Jagadeesh Chandraiah:

By the time Telegram removes the account being used for C2, it’s likely that several victims have already installed the malware and obtained their initial C2 server address from the malevolent Telegram account.

That Anubis has also taken to using Chinese characters as a form of obfuscation perhaps offers a clue to the criminals’ motivation – it’s an attempt to buy a bit more time by making things more complicated for malware analysts.

Hiding in Telegram

Perhaps the criminals think that using Telegram – a service that employs well-regarded end-to-end encryption to secure its messages from prying eyes – will keep their traffic hidden.

If so, they’re wrong. While Telegram messages sent to and fro are encrypted, Android system logs created by the apps that spearhead Anubis aren’t. These, SophosLabs discovered, can be read quite easily.

That, it might be argued, is a lucky technical break. A future version might uncover a way of avoiding leaving such a trail in the clear, taking its C2 communication beyond the ken of researchers.

Having its security borrowed to hide bad stuff is something that’s dogged platforms like Telegram almost from the start. It’s not alone either – WhatsApp, Facebook Messenger and others have also been implicated at different times.

What appeals to criminals isn’t simply the encryption and bot automation of these platforms but the fact that there are now so many of them to choose from.

Most users pick a messaging platform because they know their friends use it too. Criminals face no such worries and can migrate from niche platform to niche platform to counter the possibility of snooping and infiltration.

It’s one reason why there have been calls to weaken the encryption offered by some of these platforms, but at best that would just cause criminals to move to new platforms, or perhaps even set up ones of their own.

After three decades of popularisation, good encryption is now well on its way to becoming something anyone can access, criminals included. While back doors have little chance of reversing this trend, SophosLabs’ research does underline how the device itself is still a major weakness.

The APIs are within reach of anyone but so are the devices from which these secure applications must operate.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U5uLyU21oik/

A day in the life of London seen through spam and weak Wi-Fi

Something for the Weekend, Sir? I arise with thoughts of robots having sex.

Pro-spam is to blame. While Mme D receives conventional spam on a daily basis asking her if she would like to lengthen her penis (hence the folder label “Junk”), I tend to receive a more exclusive, professional class of unsolicited email advertising.

So when I roll over to check my overnight messages on my phone, still half-asleep from the night’s excesses in fairyland, the subject line Your extension interface will slot into our portal conjures in my mind a picture of robots being bawdy. Another email has pushed its way into my inbox, as it were, to sell me custom-fit factory uniforms – an acquired fetish, I suppose – in personally labelled delivery bags referred to as “manpacks”.

As I make my way downstairs for breakfast, I mutter to myself croaky impersonations of cybermen offering to rip open their manpacks so that daleks could investigate their portals while the daleks agree only on the condition that the cybermen fiddle with their plungers first.

Utterly ridiculous, I’m sure you agree: neither daleks nor cybermen are robots.

Pro-spam is a category of unwanted advertising email that comes from genuine organisations with legitimate phone numbers, postal addresses and everything. Rather than trying to sell you sleeping pills and knob stretchers, they want you to buy anything from workplace cleaning products and office stationery to SaaS expertise and reels of CAT5 by the mile.

Over porridge, I wonder why my business email address should end up in their mailing lists. Naturally I didn’t sign up to receive this crap – no one does that any more – and I tread softly in social media these days lest my breathing pattern mark me out as a target for accusations of one “–ism” or another, so why would any advertiser determine that I might be interested in buying industrial overalls?

I continue to ponder this question as I wander down to my local train station in anticipation of the day’s exertions. Absent-mindedly considering checking a few forums on the topic, I log in to the station’s free but woefully weak Wi-Fi. Welcome screen. Cookies nag. Sign in with an email. Accept policies. Done done done. Trigger VPN and we’re off…

…just as the train pulls in to the station. So I board the train and a notification on my phone asks if I want to connect to the train company’s free and similarly weak Wi-Fi. Welcome screen. Cookies nag. Sign in with an email. Accept policies. Yes yes, whatever, gah it’s so slow. Trigger VPN and… oh it’s really sluggish establishing a secure connection. Let’s try Belgium. Germany. Kazakhstan?

By the time I am finally able to load a complete web page, the train has arrived at its London terminal. My phone asks if I want to connect to the station’s free Wi-Fi. Welcome screen. Cookies nag. Sign in with email. Accept policies. VPN tries to kick in but can’t. Being a central London train station, the Wi-Fi doesn’t work. It never does, since it’s over-used and really weak. What was I thinking?

Making my way down to the Underground station, I am prompted to connect to its free Wi-Fi. Welcome. Cookies. Email. Policies. VPN. By the time I have fought my way through crappy ads for water filters and mobile handsets, I am already strap-dangling in a carriage and on my way into the tunnel whereupon the already weak signal bars vanish one after another in rapid succession and the connection is lost.

At each station en route, the free Wi-Fi becomes available again. Welcome. Cookies. Email. Policies. VPN. Tunnel. Bollocks, I’ll have to wait until the next stop.

Back at street level, I am able to inhale fresh exhaust fumes at last and head on foot towards my first appointment of the day. Let’s pop in to the coffee shop first, though. And as I stand in the queue, my phone asks if I’d like to connect to the coffee shop’s free Wi-Fi.

Obviously in this case the answer is a definite “no”. Coffee shop Wi-Fi is rubbish. I’ve experienced stronger throughput on 1200 baud dial-up.

Does anyone else find this odd or is it just me? I mean, coffee shops are nothing more than a generally rectangular space containing tables, chairs and machines for generating unnecessary hissing noises, and yet they can’t seem to cast even the most meagre Wi-Fi coverage across the room. Compare this to my two-storey house (plus attic) which is served entirely by the single wireless router included with my cheapo standard home broadband package.

Checking alternative local Wi-Fi options on my phone, I note that I can achieve a stronger signal by connecting to the guest Wi-Fi from an office building across the street that I visited six months ago than the router on the coffee shop wall just six feet away from me at the till.

My morning appointment ticks along nicely, especially once the caffeine settles in. There was a bit of a palaver connecting to the company’s guest Wi-Fi, of course. There always is. God forbid that a company should allow its customers and business partners to get online without jumping through a series of difficult and evidently very glitchy hoops just to get a weedy internet connection. Welcome. Cookies. Email. Policies. VPN…

…except it doesn’t like my VPN and nothing will work until I disable it. Actually, disabling VPN seems to make no difference either. An IT hobgoblin scuttles by later to scratch his head at us before slipping away with a promise to return, never to be seen again. Oh well, cross fingers and all that. Good job I brought local files with me.

Morning appointment over, I grab lunch on the way to the afternoon’s. Hmm, I fancy a quick sandwich but with which filling? Cheese? Egg mayo? Roast veg?

street food sign advertising a spleen sandwich

Yes, spleen, that’s the one.

Fortified with my particular choice of sustenance – yet inexplicably also feeling melancholy with no apparent cause, characterised by a disgust with everything – I march off to Client B nearby in the City for an afternoon of gothically romantic app virtualisation.

Client B is a security company. That is, it manufactures burglar alarms and keypad-operated locks. I can only get past reception after submitting two forms of photo ID, producing 18 months of electricity bills and reciting the opening monologue of Henry V.

The team has gathered in the boardroom, which means everyone is forced to connect to the company’s feeble guest Wi-Fi because IT management has determined that laptop MAC addresses should only be recognised when plugged in via Ethernet, and there are no sockets in the boardroom.

Welcome. Cookies. Email. Policies. Then a friendly browser page that warns us the security company’s Wi-Fi is insecure and we must tick “I understand the risks” before using it. And of course it’s as weak as hell. Oh for a muse of fucking fire.

Soon afterwards, I note the security company’s insecure Wi-Fi is blocking my email. When I mention this, I’m told “Yes, we all have that unless we’re plugged in at our desks.” This explains why they keep nipping upstairs throughout the afternoon “to check my messages”.

As I disable Wi-Fi and switch back to 4G data, one of the team regales us with a tale of a visiting senior VP from the security company’s US head office who was forced to take her laptop outside and hunt for free unsecured Wi-Fi on the street in order to sync her email. “I gave her directions to the nearest coffee shop.” Heh, there goes your hopes of promotion, pal.

On the way home, I connect variously to free and appallingly weak Wi-Fi at a supermarket, a pub, the Underground, the train station, the train and the train station again. Welcome. Cookies. Email. Policies. Tick tick yeah yeah, just get on with it.

At last, back at the homestead, I can empty my pockets of work paraphernalia onto the coffee table and relax in front of recordings of our latest favourite daytime TV documentary series: Trapped! Encased in Two Feet of Blubber.

Bzzz. Mme D picks up my mobile, looks at the notification and hands it over with a poker face.

It will be our pleasure to service your manpack – with polish! We hope to handle your goods soon.

Where on earth are they getting my details from?

Alistair Dabbs
Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He still regrets no longer receiving Korean spam, which used to arrive overnight by the heapload, filled with accidental humour, radioactive colours and disturbing photos. He considers it to have been a valid art form and wishes it could be revived in order to cheer up his mornings. @alidabbs


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/03/a_day_in_the_life_of_london_seen_through_spam_and_weak_wifi/

Venture deep into cybersecurity at SANS Amsterdam this month: Full details inside

Promo The internet is full of hacking tools and bad guys only too eager to use them. To help organisations keep their precious data out of the criminals’ hands, IT security training specialist SANS Institute is planning an event in Amsterdam from 20-25 May, 2019, for cybersecurity professionals to develop hands-on skills to defend against determined and increasingly ingenious attackers.

Nine courses are scheduled at SANS Amsterdam, all taught by leading cyber security practitioners, and seven of them offer the chance to gain GIAC certification.

During the training event students will also have the opportunity to attend SANS@Night seminars, where SANS instructors give presentations on the latest topics and challenges in the infosec field.

Topics of discussion at SANS Amsterdam include:

Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them

Improve your communication skills by avoiding the top 10 mistakes in cybersecurity writing. You’ll learn by spotting and fixing problems in excerpts from security reports, emails, and other content you regularly create. Speaker: Lenny Zeltser

Meanwhile, the courses available are:

Open-source intelligence (OSINT) gathering and analysis

A new course for system defenders, threat intelligence analysts, investigators, intelligence analysts and law enforcers. Discover legitimate ways to find and analyse potentially incriminating data in websites, apps and social media platforms.

Advanced incident response, threat hunting, and digital forensics

Rather than wait till the damage is done, look for attacks that get past security systems and catch intrusions in progress. Threat hunting uses known adversary behaviours to examine the network and identify intrusions by recognising malware indicators and patterns of activity.

Intrusion detection in-depth

Students ranging from seasoned analysts to novices with some TCP/IP background will learn the core skills and tools needed to detect and prevent intrusions.

Hacker tools, techniques, exploits, and incident handling

Gain hands-on experience in finding vulnerabilities and discovering intrusions that use the latest forms of attack as well as the familiar old ones. Examine related issues such as employee monitoring, working with law enforcement and handling evidence.

Web app penetration testing and ethical hacking

Study the major web application flaws and how hackers exploit them. How will you convince your organisation to take the business risks seriously?

Wireless penetration testing and ethical hacking

Many organisations overlook wireless systems as a vulnerable attack surface. Identify and defend against threats not only to WiFi but also Bluetooth, ZigBee, Z-Wave, DECT, RFID, NFC and contactless smart cards.

Advanced penetration testing, exploit writing, and ethical hacking

Students with some penetration testing experience will walk through dozens of real-world attacks. Gain in-depth knowledge of the most prominent attack vectors.

Mac and iOS forensic analysis and incident response

Investigators will dive deep into forensic and intrusion analysis of Mac and iOS in numerous hands-on scenarios.

Reverse engineering malware: malware analysis tools and techniques

Practical skills to help forensic investigators, incident responders, engineers and IT administrators examine malicious programs that target Windows systems.

Full details of the courses, and how to register, are right here


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/03/sans_amsterdam_may/