Cyber Diplomacy – a course from UN Office for Disarmament Affairs

I just finished the online course "Cyber Diplomacy", a course from the United Nations Office for Disarmament Affairs. For me it was interesting to find out how much from the real world has already been applied to the cybersecurity world. Unfortunately, by seeing this, I realized that actually nobody cares about these UN resolutions. For example, did you know that a country should not allow hackers to perform attacks on another country from within its territory? And how should this be controlled? We hear almost every week that Russia, China, Iran, North Korea, and many more are performing cyberattacks on "their enemies" (observe the quotes). If they are members of the UN (click the links above to see details). Conclusion: The course is interesting, even if you don't actually learn new concepts about cybersecurity. You do learn how seriously cybersecurity is being taken by the UN. And this is good…


The sad status of online advertising … now gets to the real topic

I wrote a few days ago a post about The sad status of online advertising, talking about the practices of Forbes, which forces the reader to disable ad-blockers. Later, in a second post called A new type of fraud: News Scareware, I mentioned the Washington Post, which requires the user's email address in order to allow reading. Now, I have seen the cherry on top of the cake: Wired. They request the user to either disable ad-blockers or to pay $1/week for an ad-free version. Again, I am not against paying for a magazine. I am against these practices. If they do good journalism, and most of them actually do, then they will get the money. In my opinion, this is a failed business model. PS: Wired also displays a "Thank you" popup after you disable the ad-blocker.

Encryption is not solving all cybersecurity problems

I visited last week the IAA in Frankfurt, Germany. IAA stands for International Automobile Exhibition and takes place every year in Frankfurt, Germany. This is the place where every year the latest cars are presented, but also the newest technologies around cars. This year it was a lot about mobility, interaction, autonomous parking and driving, interconnectivity between cars and IoT. I went there to address more the car parts suppliers (Tier 1 and 2) than the car manufacturers. For us it was more interesting to get involved with the devices that are easily and directly attackable: things like entertainment systems, connected devices of the car, GPS devices, etc. Not a single car parts manufacturer we talked to wants to speak openly about security. Not because they don't have it or because they don't address it. My impression was that speaking about security is like speaking about something that nobody wants to happen. The most used argument was: "Why would anyone hack us/our device? They don't have anything to gain." I wrote a dedicated post about this visit and what I think about the state of cyber security in cars. The other argument I've heard was: But the connection to all…


(ISC)2 EMEA: Quote for the Day

In the News Quote for the Day "It is no secret that the cyber criminals are where the money is. If the targets are easy to breach, it is even better since this improves the ratio effort/outcome for them." Sorin Mustaca, CSSLP, covers the basics for small to medium business in ComputerWorldUK's Infosecurity Voice and on the (ISC)2 blog.


IT Security essentials for small and medium enterprises

Since I first published the free eBook "Improve your security" dedicated to end users, I've been asked many times to give advice for small and medium enterprises. At first, I thought that this is a very different topic than what I wrote before. However, after some thinking, I realized that the behavior of end users at home and in the office of a small to medium company doesn't differ that much. After all, it is no secret that the cyber criminals are where the money is. If the targets are easy to breach, it is even better since this improves the ratio effort/outcome for them. Usually, small to medium size companies are preferred targets because they fit in this category: they do have money, more than private users, and are very easy to infiltrate. The tips below help these companies not only to survive in the cyber world, but also to keep the attackers away. 1. Make the employees understand and care about security. Teach them how to act and react. There are multiple aspects to the people problem: attitude and usability of security. First is the common attitude in companies: "security is the IT department's business". IT tries to…


What is a security expert?

I've been called a "security expert" many times and I've heard many times other people around me called the same. The reason I am writing this article is that I am frustrated by how some security experts are seeing and implementing security in their everyday jobs. But, let's start at the beginning: What actually makes someone a security expert? Or, when does someone become a security expert? The first thing that comes into my mind is, of course, his or her level of knowledge in this area. The more he knows, the better. I guess that things like certifications in IT Security, articles written, and books published count. An important factor should also be some "on the field" (practical) experience. But is it enough to just be able to get a job properly done? Getting the job done properly usually translates to "make the system as secure as it can be". We all know that this doesn't mean anything these days because anything you do is only valid for a very short period of time. What about communication? It is not a secret that the biggest problem with IT security in companies is the fact that…


WordPress 4.0.1 update – important security fixes

All my blogs use WordPress. Why WordPress? Because it is customizable and I can tweak it in any way I want… Well, almost… But from time to time there is the need to update it. Yesterday the update 4.0.1 was released, which fixes important security bugs:
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user's account to be compromised; that also required that they haven't logged in since 2008.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
"Version 4.0.1 also fixes 23 bugs with 4.0, and we've made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos." My ISP can't update it automatically, so I have to update it manually. But it is not hard to do that and so far I managed to never…


Quoted in the (ISC)2 newsletter

EMEA members are also sharing their expertise on the (ISC)² blog. Why we continue to fail on Cyber Security is the question explored in the latest post to the (ISC)² Blog by Germany-based CSSLP Sorin Mustaca, in his fourth post now archived to the Blog. It is actually the 5th post, but it was my fault that I hadn't marked it in my category. Now I did 🙂 Click on the picture to see the article:


Why we continue to fail on cyber security

I've been asked a lot of times, especially when I was working for an antivirus producer, why we can't simply write software that always protects the users. Well, there is a short answer and a long answer. Short answer: Because 100% security does not exist and because most people are hackable due to being ignorant of what security is (of course, until he/she is hacked for the first time, and sometimes not even after such an event). Long answer, which I massively shortened by not touching all areas and not going into details: The reason is the ignorance about everything that might happen but is not certain to happen. I mean, would anyone take out insurance if it were not required by law or if they were not afraid of the consequences? By the way, you can use this article to convince your C-level people to pay for that expensive cyber security training for the entire company. According to, the definition of IGNORANCE is: – a lack of knowledge, understanding, or education : the state of being ignorant [noncount] ignorance is bliss — used to say that a person who does not know about a problem does not worry…


The sad state of Java security

The problem of Oracle is that they bought a technology that was stretched out to actually be "write once, run everywhere". The Virtual Machine that provides this functionality had to be ported to all devices, and lately (in the past few years) also to mobile devices. As written in the news, even if "run everywhere" initially meant "run on every platform" – so cross-platform – this concept has now been extended to actually run on platforms used by mobile devices as well (ubiquitous computing). In recent years, Java evolved while it was being ported to the new platforms and devices. Each version of Java brought improvements and changes, sometimes not backward compatible. During this time, the applications that were created against a certain version of Java, for different reasons, were never updated to use the latest version. So, the users of these applications never upgraded their application and therefore they didn't have to update the Java version required by these programs. The difference between updating and upgrading is a matter of interpretation by the implementer. Usually, the term update means to improve an existing version by fixing bugs or adding minor functionality. The main functionality, supported platforms and…
