Daily Archives: April 17, 2019

What Did We Learn from the Global GPS Collapse?

On April 6, 2019, a ten-bit counter rolled over. The counter, a component of many older satellites, marks the weeks since Jan 1, 1980. It rolled over once before, in the fall of 1999. That event was inconsequential because few complex systems relied on GPS. Now, more systems rely on accurate time and position data: automated container loading and unloading systems at ports, for example. The issue was not with the satellites or with the cranes.

The problem highlights the pervasive disconnect between the worlds of IT and OT. Satellites are a form of industrial control system. Engineers follow the same set of principles designing satellites as they do designing any other complex programmable machine. Safety first, service availability next.

In the 1990s satellites suffered a series of failures, prompting the US General Accounting Office (GAO) to review satellite security. The report (at https://www.gao.gov/products/GAO-02-781) identifies two classes of problems that might befall satellites, shown in these two figures.

Figure 1: Unintentional Threats to Satellites

Figure 2: Intentional Threats to Satellites

This analysis is incomplete. It omits an entire class of problems: software design defects and code bugs. The decision to use a 10-bit counter to track the passing weeks is a design defect. The useful life of a satellite can be 40 years or more. A 10-bit counter runs from 0 to 1,023, then rolls over to zero. Since there are 52 weeks in a year, the counter does not quite make it to 20 years. This design specification was dramatically under-sized. More recent designs use a 13-bit counter, which will not roll over for almost 160 years. That provides an adequate margin.
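To make the counter arithmetic concrete, here is an added Python example (not code from the original post) that models the week counter: the full GPS week for a date, the value a 10-bit or 13-bit counter actually broadcasts, when each width rolls over, and how a receiver's assumed reference date decides whether a truncated week is decoded correctly. It counts from the GPS epoch, Sunday 6 January 1980 00:00 UTC, which is what places the 2019 wrap on the night of 6 April; resolving the week against a firmware build date is a common receiver approach assumed here, not taken from any particular product.

```python
from datetime import datetime, timedelta, timezone

# GPS week 0 began at 00:00 UTC on Sunday 6 January 1980 (the GPS epoch).
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK = timedelta(days=7)


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def full_gps_week(t: datetime) -> int:
    """Weeks elapsed since the GPS epoch, with no counter-width limit."""
    return (t - GPS_EPOCH) // WEEK


def transmitted_week(t: datetime, bits: int) -> int:
    """What a `bits`-wide week counter actually broadcasts: the full week
    number reduced modulo 2**bits (1,024 for 10 bits, 8,192 for 13 bits)."""
    return full_gps_week(t) & ((1 << bits) - 1)


def rollover_date(bits: int, n: int = 1) -> datetime:
    """Start (UTC) of the week in which a `bits`-wide counter reads zero
    again for the n-th time, i.e. its n-th rollover."""
    return GPS_EPOCH + n * (1 << bits) * WEEK


def decode_week(wn: int, bits: int, reference: datetime) -> datetime:
    """Resolve a truncated week number back to the start of a full week.

    A receiver cannot tell from `wn` how often the counter has wrapped, so it
    assumes the true date is no earlier than `reference` (assumed here to be
    its firmware build date) and takes the first week at or after that point
    whose low `bits` bits equal `wn`. A stale reference reproduces the 2019
    failure: the date lands one counter period (about 19.6 years) too early.
    """
    period = 1 << bits
    ref_week = full_gps_week(reference)
    # ceil((ref_week - wn) / period); a reference earlier than wn adds nothing
    wraps = max(0, -((wn - ref_week) // period))
    return GPS_EPOCH + (wn + wraps * period) * WEEK


if __name__ == "__main__":
    t = datetime(2019, 4, 7, 12, tzinfo=timezone.utc)  # hours after the 2019 wrap
    wn10, wn13 = transmitted_week(t, 10), transmitted_week(t, 13)
    print("full week", full_gps_week(t), "10-bit", wn10, "13-bit", wn13)
    print("receiver with 2018 firmware:", decode_week(wn10, 10, utc(2018, 1, 1)).date())
    print("receiver with 1998 firmware:", decode_week(wn10, 10, utc(1998, 1, 1)).date())
    print("13-bit counter first rolls over on", rollover_date(13).date())
```

Run stand-alone, it shows the 10-bit counter reading 0 in April 2019 while the 13-bit counter reads 2048, a receiver whose reference predates 1999 decoding that week as August 1999, and the 13-bit counter's first rollover in January 2137.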

As for code bugs, satellites suffer them just like any other programmable system. The Socrates network tracks satellites to project potential collisions. In 2009, Socrates projected that two satellites, a defunct Soviet-era communications satellite and Iridium constellation satellite #33, would pass 564 meters apart. In reality, they collided, creating over 2,000 pieces of debris larger than 1 cm. Whether the defect arose from buggy code or from inadequate precision in the observations, the satellites collided; either way, there is a software defect here. The question is whether the software is inaccurate, or whether it is reporting precision that does not exist. If the instruments doing the measurement have a margin of error, the report should include that information. By stating that the satellites will pass 564 meters apart, the value implies a precision of ½ meter either way – between 563.5 meters and 564.5 meters. If the precision is only within half a kilometer, the software should say so explicitly – “Possible collision – distance between objects under 1 KM.” If the input data is precise, then the code is calculating the trajectories incorrectly. Either is a code bug.

These two types of defects are neither unintentional (code and designs do not degrade over time) nor intentional (no saboteur planted the defect). The third class of defect results from inconsistent design specifications (the satellite can live for 40 years but the counter rolls over in 20) or poor coding practices (creating a level of precision unsupported by the measurements, or calculating the trajectories incorrectly). These are software defects.

As we all know, there was no failure in the GPS system. I made a passing comment during a talk on satellite security at the RSA 2019 conference. A reporter from Tom’s Guide was there, and he wrote an excellent article on the problem: https://www.tomsguide.com/us/gps-mini-y2k-rsa2019,news-29583.html.

The failure is not including software issues among the risks to a programmable device.

What do you think? Let me know below or @WilliamMalikTM.


Is Your Baby Monitor Susceptible to Hacking?

There’s no doubt that digital technology, in many of its forms, brings everyday tasks much closer to hand. From discovering breaking news, to online shopping, to keeping tabs on your home via security cameras—everything is within the touch of a button. Even so, with the growing reach of the Internet of Things (IoT), new and unsuspected threats are just around the corner—or are already here.

One of the most alarming threats to emerge is the breach of privacy. In a number of high-profile cases, home surveillance cameras have been easily compromised and disturbing reports of hacked baby monitors are in the news.

For example, in early January of this year, a Western Australian mother voiced her worries when she discovered that the baby monitor she had recently purchased was compromised. The monitor allowed her to log in with a QR code and a generic password in order to watch her child through a camera. Though she followed the installation instructions, upon opening the monitoring website she was greatly alarmed to see a view of a stranger’s bedroom rather than her child’s.

This type of case isn’t isolated, as another report surfaced last year when a stranger allegedly hacked a baby monitor camera to watch a mother breastfeed. In yet another case, a Texas couple, whose devices were hacked, said they heard a man’s voice coming from their baby monitor threatening to kidnap their child. It doesn’t get much scarier than that.

Though you might not have prepared for it, it’s increasingly clear you need to take steps to protect yourself, your children, your privacy, and your new smart devices from these kinds of emerging privacy threats, as well as others. As a first precaution, you should always remember to change the default passwords on all your networked devices, starting with your router, creating strong new ones and securing them safely whenever possible with a password manager. You should then pick the best endpoint and network security solutions you can find to protect all the networked devices in your home.

Trend Micro Password Manager lets you generate and sync strong passwords across your PCs, Macs, Android, and iOS devices.

In addition, Trend Micro Security provides the best endpoint security for PCs, Macs, Android and iOS—a key part of any home security strategy. Trend Micro Maximum Security includes Trend Micro Mobile Security as part of its subscription, so you can protect up to 10 devices.

Finally, Trend Micro Home Network Security is specifically designed to protect all your new “smart” connected devices in the home. It filters incoming and outgoing traffic to provide an extra layer of protection against intrusions or hacking of the home network. It protects your router and a wide range of smart devices, including security cameras, child monitoring devices, smart TVs, refrigerators, smart speakers, and even smart doorbells and thermostats, from emerging IoT threats—and the list goes on.

With our endpoint and network security solutions, we’ve got you covered! Click the links above for more details on our solutions.


We are hiring – Senior Cybersecurity Consultant

Due to the continued expansion of our DPO as a Service and CSO as a Service offerings, BH Consulting is now seeking to recruit a Senior Cybersecurity Consultant to join its growing team.

BH Consulting is a dynamic and fast-paced cybersecurity and data protection consulting firm. We provide a market leading range of information security services focused on GDPR, cybersecurity, cyber risk, digital forensics, ISO 27001, and awareness training.

We have a vast range of clients, from private and public sector organisations to large global multinational organisations. We operate both domestically in Ireland and internationally, with our head office located in Dublin.

The trust relationship with our customers underpins the fabric of our organisation. We nurture this trust relationship by investing time and resources to understand our customers’ business needs, and we provide advice that aligns with those needs.

Our team is passionate about successfully addressing the cybersecurity and data protection issues our customers have. We continue our journey to grow and expand and have established a new senior role within our organisation to support this growth.

Who are we looking for?

A senior cyber-security consultant who will work closely with the Chief Operations Officer and the CEO, Brian Honan. You will help BH maintain its customer relationships by delivering to existing clients, and you will also help to win new business. You will be an ambassador for BH’s trusted brand and your calibre will reflect this.

Who are you?

You are a Senior Cyber-security Consultant with a wealth of experience at both a technical level and at senior management level. You have a reputation as a thought leader in cyber-security and data protection, and a strong technical background combined with senior leadership skills. You are a dynamic individual who likes to be challenged, and you have an in-depth knowledge of cyber risk management, cybersecurity, cyber strategy, data protection and business strategy. You will be able to understand the needs of both the C suite and on-the-ground teams, and you will be able to talk to both audiences. You are target driven, and passionate about helping customers solve their cybersecurity and data protection risks.

Details of the role

  • Develop stakeholder relationships with executive management in our clients, and proactively develop ongoing service and product recommendations for these clients based on their business needs
  • Define and provide pragmatic security guidance and architectures that balance business benefit and risk
  • Assess and advise on cyber-governance models, data governance models, risk management programs, and data protection compliance frameworks
  • Deliver cybersecurity risk assessments, running assessment workshops with clients
  • Audit and review client cyber projects
  • Examine clients’ cyber-security controls and make appropriate and practical recommendations that achieve robust security or compliance outcomes
  • Consult on security considerations based on system delivery models including internally, hosted, cloud hosted, cloud managed, mobile, etc.
  • Provide pre-sales advice and support, working alongside account managers
  • Research emerging threats, vulnerabilities and security practices/standards to maintain professional relevance
  • Provide complex technical advice, recommendations and consultancy regarding networks, infrastructure, products and services
  • Provide guidance around IaaS, SaaS, and PaaS security best practices
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard.

Your responsibilities

  • Ensure that all BH Consulting clients receive a professional service in line with our company ethos and values
  • Ensure a first-class service to clients is delivered on time and within budget
  • Plan and lead projects while effectively managing resources
  • Lead and mentor junior team members, ensuring a high standard is maintained in line with KPIs
  • Demonstrate confidence in a strong technical skillset to clients in relation to cyber-defence and incident response
  • Deliver independent trusted advisory services to our clients to enable them to manage their risk profile
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard
  • Work with clients to ensure adherence to regulatory, legal, and relevant governance frameworks
  • Manage client relationships and accounts
  • Meet and exceed all KPIs and revenue targets
  • Plan and attend relevant events and conferences to promote the BH Consulting brand.

Core competencies

  • Excellent technical knowledge of cyber-security, information technology, and business risk
  • Strong business understanding and acumen
  • Excellent written and verbal communications skills, able to use a variety of communications styles, language, and media, to effectively build relationships with key stakeholders
  • Strong attention to detail and the ability to present that detail in a dynamic manner suited to its audience
  • Excellent planning skills together with project management and prioritisation skills
  • Delivery focused – ensuring projects are delivered on time and within budget
  • Strong analytical problem-solving capabilities
  • Ability to work on own initiative, yet also strong team player
  • Comprehensive understanding of risk management principles and effective risk response strategies
  • Passion and drive – willingness to go that extra mile to achieve a target/objective
  • Willingness to travel both within Ireland and internationally to our widely diverse client base
  • Resilience – ability to meet challenges and pressures head-on and to manage and address set-backs as encountered
  • Collaborative – ability to cooperate and to communicate well, and to resolve differences of opinion quickly and mutually
  • Flexible and adaptable – ability to improvise and adapt to a dynamic business environment.

If this role interests you and you want to join an exciting and growing company, please send your CV to info@bhconsulting.ie.

The post We are hiring – Senior Cybersecurity Consultant appeared first on BH Consulting.

Enterprises non-compliant with POPI Act in South Africa can get fined up to R10 million!


From GDPR in the European Union to now the POPI Act in South Africa, data privacy regulation is slowly making its way across the globe.

The Protection of Personal Information (POPI) Act was passed in South Africa in 2013 and will soon come into effect across the entire country. Like the GDPR in the EU, it is a wide-ranging regulation on data privacy, personal information and data consent which will have a huge impact on how enterprises do business across the entire country. A recent report suggested that only 34% of organizations were compliant with the Act, which makes it a troubling scenario.

If you are an organization based in the country, here is some information which you absolutely need to know:

What is the POPI Act?

Short for the Protection of Personal Information Act, this is legislation which was passed in 2013 but is yet to be enacted. As per the official South African government website, it is aimed at the following:

  • to promote the protection of personal information processed by public and private bodies;
  • to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
  • to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;
  • to provide for the issuing of codes of conduct;
  • to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
  • to regulate the flow of personal information across the borders of the Republic; and
  • to provide for matters connected therewith.

When will it come into effect?

Even though the act was passed in 2013, it is yet to come into effect due to governmental regulations. Currently, the wait is on for a Regulator to be established, but most analysts feel it will not be long before it comes into effect.

Who will it affect?

The act is intended to regulate how South African businesses collect, store, process and share personal information. Going by that definition, all South African businesses will be affected.

How is personal information defined?

The Act defines “personal information” as information related to an identifiable, living natural person which can include:

  1. Information related to personal differentiators such as race, sex, gender, pregnancy, marital status, etc.
  2. Information related to education, medical history, employment history, etc.
  3. Identifying numbers, symbols, email addresses, physical address etc.
  4. Biometric information
  5. Personal views, opinions
  6. Correspondence sent by the person, etc.

How will it identify businesses?

For starters, businesses have to classify what information they collect about data subjects as “personal information”. There are regulations as to how companies can handle personal information which they will have to comply with, along with certain exceptions. “Records” and “sensitive information” must also be identified, and stakeholders will have to be notified in case of any data breaches.

What are the penalties of non-compliance?

Non-compliance can invite serious penalties. It could involve imprisonment for a period of up to 10 years or a fine of up to R10 million (rand), or in some cases, both.

Keeping all this in mind, it is imperative that South African enterprises start preparing for the inevitable and set in motion processes which will ensure full compliance with POPI.

As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more

The post Enterprises non-compliant with POPI Act in South Africa can get fined up to R10 million! appeared first on Seqrite Blog.