Tag: information security

Blockchains, Data Protection, and GDPR

Recently I came across an interesting problem which is to do with data regulation and blockchains: what are the regulations surrounding storing data on blockchains? While there are very few regulations which are specific to blockchain technology it is worth considering which existing laws already apply to blockchain technology. Governments, and their associated regulatory institutions, have been fairly hands off but that’s not to say that no laws apply.

The SEC in the US have strict laws around registered exchanges. Simply setting up an exchange using blockchain technology in order to skirt around the SEC isn’t going to cut it.

Read More

Always take your credit card receipt when paying by contactless

Quick post: it is worth taking your credit / debit card receipt when paying by contactless.

Why: if you take the receipt you will notice that there is a card number displayed in full without the stars (“*”). Not every time, but too many times. Personally, I think that is bad practice although not actually illegal in terms of a contract breach under laws of payment card use (PCI DSS).

The number being printed on your copy is “fine” since it is your number, and it is “fine” to be on the merchant copy since they are supposed to dispose of the receipts securely; too often, though, receipts are just thrown in the bin. 🙁

When paying by chip and PIN the card number is always hidden with stars (except the last 4 digits). This number is the same as the one displayed on your card. The number printed when using contactless is actually different, but printing it in full is still poor practice.

When will hedge funds become interested in the security posture of a company?

At some point the security posture of a company will be of great interest to hedge funds and investment managers. That is to say that they will be interested in how secure other companies will be and whether that can affect their investments.

The companies of interest are more likely to be a publicly listed company, although it could be of concern for investment managers looking to acquire a share of a private company. For hedge funds and other managers with an appetite for more exotic investment vehicles the security posture of a company could indicate a potential shorting opportunity (making profit from the decline in a company’s share price).

Read More

It may look complex and unpredictable but is it really?

A key idea in security is that of unpredictability. If I can’t guess your password then it ought to be secure. This is almost true, except the problem isn’t about whether I (as a human) can guess your password but whether a computer can iterate through all possible passwords and find your particular password within a sufficiently short timeframe. There is a mistaken assumption that if your password is hard for a human to guess then it is a good password to use. I heard an anecdote that went something like “My password is ‘JohnSmith’. No one will guess that because my name is Bill Jones.” This line of thinking is based on whether someone you know is likely to guess your password.

Read More

Investigating the security of anonymous messaging over the Internet

The topic of strongly encrypted communication has been receiving a lot of press coverage over the last few years and is a politically sensitive issue. Adding the possibility of making such communication anonymous makes it more sensitive. This work is based upon the thesis that I submitted for my MSc. The layout of the sections plus some of the wording has been tweaked to fit better as blog posts. The intent is to present the information across several pages.

Can we be anonymous on the Internet?

In this post I am introducing a new section of the blog which will be devoted to anonymity and privacy.

This blog will investigate to what degree anonymous communication over the Internet is possible. The result is unclear: theoretically possible but unlikely to be true in most real situations. Sources will be provided where necessary and may be academic in nature or from the media. The combination of the two will show the cultural relevance of the topic and highlight the interface between researchers, software developers and the general public who have no formal training in this area.

Read More

Setting up a secure Linux web server

Goal: by the end of this guide you should have a reasonably secure Linux web server.

Part of the reason I set this up was to improve my understanding of creating a secure website. I know how to assess a website for security problems but I didn’t have as much practical knowledge on the implementation side. As I worked through various online guides and books I decided that it made sense to document what I was doing and then share it here.

I could have just created a static website made purely from HTML and congratulated myself on having a secure server, but there are almost no real world scenarios where this is useful. Most people want a feature and content rich website which is also secure.

Many of the principles apply equally well to Microsoft IIS servers but from my own personal perspective going the Linux route is easier.

Securing a server

[Currently a work in progress]

Read More