Monday, August 8, 2016

Do not play with cybersecurity: Better once

There is a Spanish expression, with some variations, about the importance of dealing with difficult decisions before they get more complicated: better once red than a hundred times yellow. Oddly enough, one year ago more than one, two or three cybersecurity news stories piled up, attesting that this expression holds for the cybersecurity world too.

And if we're talking about getting yellow, China is the best place to start. One year ago we learned that Chinese cyberspies had been going in and out of the email accounts of some high-ranking members of the Obama Administration since at least 2010. At least, if we trust the version we received then, the compromised accounts were the private ones, because the work accounts were "more secure". Maybe, but the Chinese have been making US officials get yellow for five years.

What would someone who gets into another person's email accounts be looking for? Eavesdroppers, who are the least dangerous, aside, the objective is always the same: money. That was what a criminal scheme, dismantled one year ago, was after. Its members specialized in accessing the data of large listed companies in order to make financial operations using information they knew before the rest of the investors. Investors who got yellow too after this fact was revealed.

Those who try to scam using work email accounts are following the money trail too, such as those who made a 39.1 million dollar hole in the accounts of Ubiquiti Networks in 2015, as the company itself was forced to admit in a press release one year ago. If somebody knew about this breach beforehand and, instead of reporting it at that time, the company waited until the presentation of the income and expenditure account, we would be facing another example of somebody who prefers a hundred times yellow to once red.

Another firm that clearly stated its refusal to get red was Oracle, when one year ago it published a post that lasted less than a morning, in which the company bared its teeth at some users "accustomed" to reverse engineering the code to detect bugs. "We have experts for that", said the post, which also rejected bug bounty policies. The post lasted as long as it did because, in the real world, this kind of insistence is what ends up making you get yellow a hundred times.

To top off the news of one year ago, we saw not one but two epic fails by companies with broad reputations and track records: at Black Hat, a researcher presented a vulnerability affecting all Intel and AMD processors (which means almost the whole PC market), and it was due to an industrial engineering mistake committed... in 1997! And another security researcher declared that he had just found a perfectly designed rootkit in his Lenovo machine, designed to spy on and remotely control the equipment. Something the company was forced to confirm. These are two of those news stories where you don't know whether they make you get red, or yellow for the rest of eternity.

The most important thing about knowing our own security holes is not only that it lets us better avoid attacks: it is also the best antidote against being caught offside, without knowing what to say and reacting late and clumsily when somebody finds a backdoor, a design mistake or a severe coding bug of ours.

Image: Flickr, CC licence.

