While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post NUI Galway Data Breach – Lessons learned? appeared first on L2 Cyber Security Solutions Ltd..

The following was the type of data on the memory stick:

• Routes through the airport and security measures for royalty and VIPs
• Security patrol timing
• Locations of CCTV cameras
• Types of ID card required for different areas
• Escape routes for the Heathrow Express railway line
• Details of the ultrasound detection system that protects the perimeter fence

Just like the Swedish Government’s data breach (the third story in this post), this sort of information, falling into the wrong hands is incredibly dangerous and could have cost people their lives. I don’t say this to be hyperbolic. If a terrorist organisation got their hands on this data, they could have planned a highly effective attack on Heathrow.

It is plain madness that it was possible for the information to be placed onto the USB memory stick in the first place. For an organisation that has to consider likely terrorist threats, they should have the strictest information security measures in place. There are easily implemented technical solutions to prevent use of unauthorised USB devices. These solutions can also be set to automatically encrypt any information that is stored on authorised USB devices.

Heathrow Airport authorities are obviously investigating this incident. Perhaps they do have these type of solutions in place and that it might emerge that it was an external contractor what done it. Sometimes when external contractors are brought in to do specific pieces of work, their laptops might not have the same security measures applied as would be the case for an employee. In scenarios where you are dealing with the security of people’s lives, you need to have the strictest policies and procedures applied to all who work on it.

As a final comment, the person who found the USB memory stick on the street was wise enough to plug it into a computer in a library rather than their own home PC or Laptop. Maybe they had read Commandment 9 and didn’t want to risk potentially infecting their personal equipment. ?

The post Heathrow’s dangerous data breach appeared first on L2 Cyber Security Solutions Ltd..

Since we were warned so far in advance about Ophelia, I made sure to be as prepared as possible. I charged up my supply of rechargeable batteries for torches and the radio. I made backups to the cloud regularly throughout the morning of 16th October. I kept my phones on charge as well. When the power finally went out and I was running on Uninterruptible Power Supply (UPS), I made one last backup to an external disk. I then shut everything off and waited out the storm.

One of the problems of being in a rural area, is there are very few mobile network cells serving the area. A couple of hours after the power went out I lost coverage from Vodafone. I only had “Emergency calls only” showing for service, which mean’s some other provider was still operational. That didn’t last long and I had “No Service” by Monday evening. It was this that caused me a little problem. The battery on my phones seemed to drain a lot more quickly. I got a low battery warning on my personal Samsung Galaxy S4 (elderly, but dependable) by 9:00pm. It should have lasted until the following afternoon. Perhaps it was using up power trying to find a network to connect to.

I wasn’t concerned, as I knew I had one of these car cigarette lighter USB gizmos in the car. So I switched the phone to Flight Mode (to stop it looking for non existent networks), went out the car with my USB charging cable, opened the glove box and … nothing! There was only the car manual and a spare headlight bulb. Then I remembered. Last year, I’d given a loan of it to a friend who was going on a touring holiday in Europe. He had forgotten to give it back to me.

Fortunately I remembered that I happened to have one of these little USB power packs, which I had charged over the weekend. So that saved my Samsung. My business phone, a Google Nexus 6P, was in better shape battery wise when I switched it to Flight Mode. I was confident of it lasting until I got to my alternate location the following morning. However it raised a question in my mind. Would I be able to use that same USB power pack to charge my Nexus, if I needed to?

The answer is no. It’s not a power issue either. It’s to do with the type of cable. The Nexus charging port is a USB Type-C and both ends of it’s charging cable are just the same. So I have nothing, other than it’s three-pin adapter, that I could use to charge my Nexus with.

On Tuesday morning, as I was en-route to work in an alternate location I picked up a USB Type-A to USB Type-C cable to be able to use the battery pack or my laptop. I also got a 300 Watt inverter (below), that I could connect to my car’s battery and get a 3 pin plug socket, which I could connect an extension lead to and then have enough juice inside the house to run my laptop and charge both phones at the same time.

I’m very fortunate that I can run my business with just my laptop and mobile phone. I’m also pretty well prepared from a Business Continuity perspective. However the real life test that came with Hurricane Ophelia highlighted that I made an assumption that I could power my mobile phones from my car, when I could do no such thing.

The lessons learnt here are:

1. When you are preparing for a business disrupting event, check everything! Do not assume that something is where you left it.
2. Have alternate methods of charging mobile devices where possible, particularly if they have different types of cables.
3. Finally, if something forms part of your business recovery plan, don’t give it on loan to your friends

Be prepared.

The post What Ophelia taught me about power. appeared first on L2 Cyber Security Solutions Ltd..

The post Snail mail delivers USB keys … WTF? appeared first on L2 Cyber Security Solutions Ltd..

As I’d mentioned in the detail section of a previous blog post there was a prototype USB memory stick that is designed to fry the electronics on a laptop or desktop, the instant it gets plugged into it.

The post A desktop/laptop killing USB device is on sale for €50. appeared first on L2 Cyber Security Solutions Ltd..