ENISA – Report – IoT security standards gap analysis

« An ENISA analysis, which maps the existing standards against requirements on security and privacy in the area of the Internet of Things (IoT), yields that there is no significant standards gap – every requirement can be met by an existing standard. While standards exist for many different elements of making a device or service secure, when referring to IoT, one refers to an ecosystem of not only devices and services. Moreover, the context of use of IoT, its high scalability and other features further call for flexible approaches. The gap in IoT device standards for security is that the standards are not treated holistically. Therefore, it is possible to introduce to the market a device that can authenticate its user, can encrypt and decrypt data transmitted and received, can deliver or verify the proof of integrity, but which still is and remains insecure. »

enisa.europa.eu/news/enisa-news/forest-for-the-trees-an-iot-security-standards-gap-analysis

SSI-GOV – Armed Forces cyber strategy (Stratégie cyber des Armées)

2019-01-18 – Armed Forces cyber strategy – Speech by Florence Parly, Minister of the Armed Forces

« Today, we reject the conservatism that sees digital technology as a passing fad, and the naivety of those who gaze at it in bliss without understanding its dangers.

Today, we send a firm message to our adversaries and we extend a hand to our allies.

Today, we give ourselves a clear framework and we own it: yes, France uses and will use the cyber weapon in its military operations. »

www.defense.gouv.fr/salle-de-presse/discours/discours-de-florence-parly/discour-de-florence-parly-ministre-des-armees-strategie-cyber-des-armees

RGPD SSI – French data revolution – millions of records exposed by a job agency

« On the 21st of December 2018, while researching another output of Shodan search results, we discovered an unprotected Elasticsearch cluster exposing millions of records with very sensitive data.

MisterTemp database exposure

The names of the indexes and their content left no doubt as to the owner of data – an “online temp agency” known as MisterTemp – which claims to be a place where anyone can quickly apply for a temporary job and offers “temporary assignments throughout France” in a variety of sectors. »

blog.hackenproof.com/industry-news/millions-of-records-exposed-by-french-job-agency/

China – Millions of CVs exposed

BBC Cyber News – Millions of Chinese CVs exposed on cloud server

« In early January, Beijing police arrested a man who allegedly stole data on five million rail travellers. The hacker is believed to have targeted the widely used 12306 online rail booking system.

In August 2018, Chinese police were reportedly investigating a data breach that involved 500 million records about customers of the Huazhu Group, which operates hotels across the country.

The data lost included customer registration information, booking records and personal data. »

http://www.bbc.co.uk/news/technology-46864584

Hardware attacks – Hackers aims for the jackpot

« There are two main types of hardware attack. »

« One is to try to subvert the device in normal operation, generally by attaching something to an I/O port or to the PCB itself. »

« Another level of attack is to try to peer more deeply into the target in the hope of reverse-engineering the design or to pull out encryption keys and other sensitive data … »

www.newelectronics.co.uk/electronics-technology-ezine/Hackers-aims-for-the-jackpot/199672/183634/

CLUSIF – Cybercrime Panorama (Panorama de la cybercriminalité) – Year 2018

« The CLUSIF Cybercrime Panorama has established itself over the years as an unmissable event in the information security world.

This conference reviews the year in cybercrime, but also the societal and sometimes accidental events related to information security. »

clusif.fr/conferences/panorama-de-la-cybercriminalite-annee-2018/

Linux – Systemd Privilege Escalation Flaws

#RGPD – Security by design

#CyberEdu – Security education: on the proper use of a compiler and its options

« Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems.

The vulnerabilities, assigned as CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, actually reside in the « systemd-journald » service that collects information from different sources and creates event logs by logging information in the journal.

The vulnerabilities, which were discovered and reported by security researchers at Qualys, affect all systemd-based Linux distributions, including Redhat and Debian, according to the researchers.

However, some Linux distros such as SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not affected, as « their userspace [code] is compiled with GCC’s -fstack-clash-protection. » »

thehackernews.com/2019/01/linux-systemd-exploit.html
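The last paragraph of the quote is the point that matters for the #CyberEdu tag: the same source builds, compiled with or without GCC's -fstack-clash-protection, are exploitable or not. The flag makes the compiler touch every page of a large stack allocation as it grows, so an allocation big enough to step over the stack guard page faults instead of silently overlapping the mapping below (the stack-clash primitive). The code-level fix is to never let an attacker choose the size of a stack allocation in the first place. The following is an added example written for this page; it is neither systemd's nor Qualys's code. It shows the unchecked alloca() pattern beside a bounded version that routes large copies to the heap. STACK_LIMIT is an assumed policy value, and the 8 MiB message in main() is constructed input.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest attacker-influenced block we are willing to place on the stack.
 * Assumed policy value: far below one 4 KiB page, so a single allocation
 * can never move the stack pointer past the guard page. */
#define STACK_LIMIT 1024UL

/* Vulnerable pattern: a caller-supplied length feeds alloca() unchecked.
 * If len exceeds the distance from the stack pointer to the guard page,
 * the allocation steps straight over the guard and buf overlaps whatever
 * mapping lies below. Without -fstack-clash-protection the skipped pages
 * are never touched, so nothing faults: this is the stack-clash primitive.
 * Kept only for comparison; never feed it untrusted lengths. */
size_t copy_unchecked(const char *src, size_t len) {
    char *buf = alloca(len + 1);
    memcpy(buf, src, len);
    buf[len] = '\0';
    return strlen(buf);
}

/* Returns 1 when copy_bounded() will route a copy of this length to the heap. */
int uses_heap(size_t len) {
    return len >= STACK_LIMIT;
}

/* Hardened pattern: the attacker no longer chooses how far the stack pointer
 * moves. Lengths below STACK_LIMIT stay on the stack; everything else goes
 * to the heap. Returns the copied length, or -1 on allocation failure.
 * If on_heap is non-NULL it receives 1 when the heap path was taken. */
long copy_bounded(const char *src, size_t len, int *on_heap) {
    char *buf;
    int heap = uses_heap(len);
    if (heap) {
        buf = malloc(len + 1);
        if (buf == NULL)
            return -1;
    } else {
        buf = alloca(len + 1);
    }
    memcpy(buf, src, len);
    buf[len] = '\0';
    long n = (long)strlen(buf);
    if (heap)
        free(buf);
    if (on_heap)
        *on_heap = heap;
    return n;
}

/* Builds a constructed len-byte message of one repeated character (a stand-in
 * for an oversized log line), copies it through copy_bounded() and returns
 * the copied length, or -1 if either allocation failed. */
long copy_filled(char fill, size_t len) {
    char *msg = malloc(len);
    if (msg == NULL)
        return -1;
    memset(msg, fill, len);
    int heap = 0;
    long n = copy_bounded(msg, len, &heap);
    free(msg);
    return n;
}

int main(void) {
    int heap = 0;
    long n = copy_bounded("short line", 10, &heap);
    printf("10 bytes: copied %ld, heap=%d\n", n, heap);
    /* 8 MiB, the usual Linux default stack limit: copy_unchecked() would
     * walk the stack pointer straight across the guard page with this. */
    size_t big = 8UL << 20;
    n = copy_filled('A', big);
    printf("%zu bytes: copied %ld via heap=%d\n", big, n, uses_heap(big));
    return n == (long)big ? 0 : 1;
}
```

Build it once as `gcc -O2 example.c` and once as `gcc -O2 -fstack-clash-protection example.c` to see the difference in the generated prologue for copy_unchecked(): the second build emits a per-page probing loop for the alloca() region. The flag is a safety net that turns the oversize jump into a crash; copy_bounded() removes the jump altogether and is the fix to ship.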