Black Hat Keynote – Jennifer Granick talks about keeping a free Internet in 20 years

Listen to Jennifer’s concerns about privacy and freedom of speech in 20 years’ time.

The mystery of the odd sock….

So it’s Monday morning and you need to get to the office, but you only have odd socks in your drawers. Where have the matching socks gone?

I have a theory that there are little people living under our houses who run around collecting ‘odd socks’, to save us from the error of becoming too predictable and symmetric. I call them “the Collectors”. They don’t only collect odd socks; they collect hair clips, pens, and, here is where the information security bit comes in… USB memory sticks, commonly referred to as ‘thumb drives’.

How else can we explain where our USB sticks disappear to? How many have you purchased or acquired in the last 10 years? Where are they now? Fortunately for us, “the Collectors” are not interested in what is contained within these little plastic sticks, so it really is not a concern to us security-conscious individuals. Or is it? Turning up at the office with odd socks really is no big deal (it has become pretty cool nowadays). The memory sticks are a bit trickier: how much data is stored on them, and is some of it personal data?

But what is personal data? This is difficult. Nowhere has a clear definition of personal data been stated, although Personal Identifying Information (PII) and sensitive data have been defined. In the EU even the IP address is classed as PII. The problem is that data from different sources can be combined to become identifying data, and that data could be on one or more of your, or your employees’, memory sticks.

The new EU Data Protection Regulation, due out December this year, potentially January 2016, will have the power to impose fines on companies that lose personal data. The numbers we have at the moment are between 2% and 5% of revenue for each data loss. In the public sector the fines will be fixed. What this means is that when one of your employees loses one of their memory sticks, your company is liable for the consequences.

So what’s the solution? Well, this is the rather nice part: it is simple when it pertains to data stored on removable persistent storage, e.g. a memory stick.

  1. Request that all your employees turn in their memory sticks;
  2. Destroy them, securely;
  3. Replace them with an encrypted stick that has a simple PIN code built in;
  4. Enforce the use of encrypted sticks using the port-lock functionality found in most virus scanning packages today, which is often not implemented;
  5. Log all data that is copied to and from USB devices.
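As an added example, not from the original post, here is the kind of check that the logs from step 5 make possible once steps 3 and 4 are in place: a Python audit over constructed USB copy log lines that flags any transfer on a stick outside a hypothetical allowlist of issued encrypted devices (the port lock should have stopped it), and unusually large exports even to approved sticks. The log format, device serials, user names and paths are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit lines; the format is hypothetical, not any product's.
SAMPLE_LOG = """\
2015-10-05T08:12:01 user=alice dev=ENC-0001 dir=to bytes=204800 path=/docs/q3-report.xlsx
2015-10-05T08:14:33 user=bob dev=GENERIC-7F3A dir=to bytes=10485760 path=/hr/payroll.csv
2015-10-05T09:01:10 user=alice dev=ENC-0001 dir=from bytes=4096 path=/tmp/notes.txt
2015-10-05T09:30:45 user=carol dev=ENC-0042 dir=to bytes=52428800 path=/finance/ledger.db
2015-10-05T10:02:19 user=bob dev=GENERIC-7F3A dir=from bytes=1024 path=/tmp/setup.exe
"""

# Hypothetical allowlist: serial numbers of the issued PIN-protected encrypted sticks.
APPROVED = {"ENC-0001", "ENC-0042"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dev=(?P<dev>\S+) dir=(?P<dir>to|from) "
    r"bytes=(?P<bytes>\d+) path=(?P<path>\S+)$"
)

def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def audit_usb_log(text, approved, large_bytes=20 * 1024 * 1024):
    """Return (violations, per_user_bytes). A violation is any transfer on a
    device outside the approved set (the port lock should have blocked it), or
    an export to an approved stick of large_bytes or more, worth a second look."""
    violations = []
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the audit
        totals[rec["user"]] += rec["bytes"]
        if rec["dev"] not in approved:
            violations.append(("unapproved_device", rec["user"], rec["dev"], rec["path"]))
        elif rec["dir"] == "to" and rec["bytes"] >= large_bytes:
            violations.append(("large_export", rec["user"], rec["dev"], rec["path"]))
    return violations, dict(totals)

if __name__ == "__main__":
    for kind, user, dev, path in audit_usb_log(SAMPLE_LOG, APPROVED)[0]:
        print(f"{kind}: {user} {dev} {path}")
```

On the constructed sample this reports both of bob’s transfers on the unapproved generic stick and carol’s 50 MiB export to an approved one.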

This is not difficult to implement, and pretty inexpensive. This mitigation blocks one of the main channels/threat vectors for data loss in your organization.

You could, of course, just keep hoping that it is ‘the Collectors’ who have all of your organization’s mislaid memory sticks. If I am right about that too…. but I wouldn’t believe me, if I were you 😉

Race to Stay Safe Online – Phishing Recognition Test

I love this initiative from Symantec. It is the BEST method I’ve come across so far to help us be better at avoiding phishing attacks. It’s fun…..try it yourself!

What is a Warrant Canary?

A warrant canary is a posted document stating that an organization has not received any secret subpoenas during a specific period of time. If this document is not updated within the specified time, the user is to assume that the service has received such a subpoena and should stop using the service. Read more at

Privacy treasure-trove
Thanks to SecurityNow podcast, I found an amazing treasure-trove of privacy tools and advice at Check it out!

Today I committed FaceBook suicide! – Part 2

A follow-up to my post of 21 May, where I discussed not only the FB suicide but how I did it. The question is: how am I coping since committing FB suicide? The question popped up when I had some time today to check my LinkedIn feed. It was shared from Wired (I’m Quitting Social Media to Learn What I Actually Like).

So how am I coping? The answer is ‘very well, thank you’ 😉

I have some friends in my new anonymised FB profile, although clearly I will never achieve anonymity so long as I have connections to friends. Nevertheless, although I have few friends, my feed was filling up again….. panic! Not that I’m not interested in what my FB (and now only physical) friends are up to; it’s just that I would prefer to choose when I check them out. You know, when I have an hour to spare one evening, with a cup of my favourite tea, sitting on my favourite couch 🙂

So I unfollowed all my FB friends. It is a dream: I now have the advantages of FB without the intrusions on my life. No adverts, as I’ve clicked nothing outside of my direct FB friends, and no feeds, except those that really interest me, e.g. the data protection commission. It is lovely; sometimes I think, I wonder what so-and-so is up to nowadays? Then I take a look, but only if I have the luxury of time and I’m in the mood 😀