CyberFUD. The stories and anecdotes from the Information Security World that spread Fear, Uncertainty and create Doubt.
Sometimes it is hard to come up with a timely article for a Security Blog as although there are many things hitting the press, many of them are just CyberFUD. In a week that has seen the completion of The BlackHat 2015 conference you would think that there was something really good to write about, but in reality it was a bit of a grey event.
I did write an article about a fortnight ago to coincide with the launch of Windows 10, but with it being covered in depth by the other Security Blogs I decided not to publish it. There’s more than enough CyberFud out there with the Hacker news and within the Infosecurity-Magazine blogroll. There really wasn’t much more I could add.
Edit : Although I am laughing at the ultimate loop of death KB3081424, where someone thought automatic security updates without an opt-out option was a good idea.
The news channels have been given a constant drip feed of CyberFud for the last month since the disclosure of The Hacking Teams code base, with near daily announcements of a 0-day vulnerability existing within [Insert the name of something you depend upon to run your life]. So much so, it might be time to buy shares in BacoFoil as people start to adorn tinfoil hats before getting out of bed in the morning.
So is this constant drip drip drip of CyberFud actually affecting anyone? Are lives or the freedom of people actually at risk? It might only be an opinion, but nothing much has changed. Sure you can be driving a Chrysler down a road and someone can possibly remotely actuate the throttle (or maybe the brakes), but the loss of control isn’t much different from where we were only a few years ago. Is a throttle-by-wire system any less safe than a mechanical wire, and consider the consequencies of what happens when a mechanical carbrettor sticks open or a brake line springs a leak.
CyberFud would have you beleive you lose complete control of your car, whereas reality is that you still have full use of the steering, clutch and handbrake. There’s been no publicised malicious use of the flaw exploited – yet bad CyberFud would make you want to believe that there are 1.5 million vehicles across the planet that cannot be driven until they have all been recalled and patched by hand.
I’ve spent many years becoming a Certified Information Security Professional. I have to spend many a day generating CPE’s to ensure my qualifications remain unto date, which is both costly and time consuming. Therefore it is now very annoying to start receiving emails from Recruitment agencies advertising courses in “How to be a certified Security Professional in a week“. You too can earn £85K per annum being an Information Security Architect.
It is like the early 90’s when everyone was jumping into HTML to be a website coder, or the late noughties – where you too can become a driving instructor and be your own boss. Now I’ve nothing against either of those vocations – but to be a professional takes time and experience. To become certified you need to demonstrate that experience to your peers and a professional body – so please, can we not tempt the great unwashed into being our first line of defence.
Surprised it wasn’t CyberFud
One little snippet of information that didn’t make the news this week was that one of my ex-employers suffered their Twitter account being hacked. It was 60 hours before anyone noticed and removed the unpleasant tweets that had been published (see the previous post about waiting for a Friday night to launch an attack) and very surprising that they still dont monitor the account out-of-hours. Many a year I had mandated that 2 Factor authentication and secure passphrases had to be used, but then again – I was just the crazy InfoSec bod suffering from Fud sitting in a corner wearing a tin foil hat.
Flash, it’s time to die
It’s time to die, don’t try to drag it out any longer Flash – as it only gets more...