A tale of a compliance kettle…

All images CC BY Frank Breedijk
This is a story that took place during SHA2017, an international hacker camp in Zeewolde. If you want to get an impression of how awesome this event was, I suggest you read Chris van ’t Hof’s article[1] (in Dutch) or Jenny List’s personal review[2] (in English).

Even though SHA2017 is a hacker camp, and thus has an anarchistic tendency to it, that doesn’t mean there are no rules. These rules... read more >

It could have happened to us...

The weakest link, a CC NC image by Darwin Bell (https://www.flickr.com/photos/53611153@N00/465459020/)
There, I said it. We could just as easily have been a victim of NotPetya as any of the poor folks that did get hit. And what about you? We have listed some questions for you to consider at the end of this blog.

Our CSIRT team did a post-incident analysis, a common practice at Schuberg Philis for major incidents. Besides the usual questions like ‘What damages did we incur?’ (none) and ‘How did we act?’, we also tried to find out: ‘Was... read more >

Victim blaming?

DSC00249 a CC ND image by Johannes Nest - https://www.flickr.com/photos/43395921@N07/24284087684/
Do companies that were affected by WannaCry only have themselves to blame, or is that “victim blaming”? Let’s do some soul searching.

Was WannaCry special? Yes, because it was based on tools allegedly stolen from the NSA and it caused significant trouble in the real world. Yes, because it got a lot of media attention. On the other hand, no: WannaCry was, for us at Schuberg Philis and many others, pretty much a non-event. It was a worm that spread via... read more >

The adversary factor

“Droidcon Berlin 2015 - Tag 2” a CC SA image by droidcon Global (https://www.flickr.com/photos/133733835@N08/18453997082/)
There is one thing that sets Security apart from all other areas of expertise that you find in modern day businesses. No, it isn’t our love for black t-shirts, the infinite amounts of Club Mate we seem to be able to digest, or our sticker-covered laptops. It is that adversaries are part of the daily routine. Security in that sense is a negative occupation, since you are always securing yourself against somebody.

Even when you compare seemingly similar fields like safety... read more >

IMPORTANT: By reading this article you accept the conclusions ☁ + sourcing - cl / d = t

Image from https://fsfe.org/contribute/spreadtheword.en.html#nocloud CC-BY-SA created by Markus Meier
Lately I have been looking a lot into the risks and security aspects of cloud services. And to be honest, from a security perspective, cloud is not that new. Most of the risks associated with cloud services are actually exactly the same as those related to outsourcing, a subject I’m obviously quite familiar with. In that respect, the Free Software Foundation Europe (https://fsfe.org) is quite right.

Yet, saying that cloud is just the same as outsourcing would not... read more >

Monkey see, monkey patch...

Way In – A CC NC SA image by Steven Feather (https://www.flickr.com/photos/7317295@N04/25334993474/)
Every now and then there is major news in the world of cryptography, or in this case the world of breaking cryptography. This month a team from CWI (Centrum voor Wiskunde en Informatica) and Google announced that they have created a practical collision attack, called SHAttered, on the SHA-1 hashing algorithm.

What is SHA-1?
SHA-1 stands for Secure Hash Algorithm 1. As the name suggests, it is a hashing algorithm. A hashing algorithm can be used to... read more >

WYSIWYG

Since I’m a forty-something Dutch guy, the first word processor I started to use after the typewriter was WordPerfect. This is the word processor I used in school and wrote my graduate thesis on. One of the “features” of WordPerfect was what the Dutch called the underwater screen. The underwater screen allowed a user to actually see what special characters WordPerfect was using as an internal representation of the document as it would be formatted... read more >

Information Security: Going full Triangle

JPG-Triangles-and-Circles-Squared, a CC NC image by Lex McKee
Everybody who has ever done formal information security training or searched for information security on Wikipedia[1] is familiar with the information security triangle. The theory of this triangle is that information security is about protecting information against threats to its Confidentiality, Integrity or Availability (often abbreviated to CIA).

Early information security
One of the earliest and most famous examples of applied information security is... read more >

Responsible Disclosure a year in review - 2016

It is that time of the year again! The time to worry about losing the holiday pounds, but also the time to do our yearly review of our Responsible Disclosure program. Let’s start by killing the suspense: we only sent out two rewards in 2016. Does this mean we did not get any reports in 2016? No, in total over 1000 tickets were created. Over 4/5 of them were spam, noise (like account confirmation emails and such) or abuse messages for our Atom86 team. We... read more >