Thought you deleted your iPhone photos?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Twice a year, an international contest called Pwn2Own – the Olympic Games of competitive hacking, if you like – gives the world’s top bug-hunters a chance to show off their skills.

The word pwn, if you aren’t familiar with it already, is hacker jargon for “own”, as in “owning” someone’s computer – and, with it, their data – by taking control of it behind their back.

In case you’re wondering, pwn is a deliberate mis-spelling, based on the fact that O and P are adjacent on most keyboards. In theory, therefore, it should be read aloud as own, the word it denotes, in much the same way that the word St is read aloud as saint, or Mr as mister. In practice, however, it’s pronounced pone – just treat it as own with a p- added in front.

Like the Olympics, which alternates every two years between summer and winter sports, Pwn2Own alternates between desktop hacking at the start of the year, and mobile device hacking at the end.

Top 5 Security links

Patch your servers, not your brand!

Cyber-crime is everywhere in a world where businesses rely on IT to provide value for the business and its customers. Data has become as key to business survival as the classic economic factors of production (land, labor and capital), and protecting it is vital. Most businesses already do a lot, but the truth is that no-one can expect 100% protection, so doing the right things first, the things that are truly effective without costing a fortune, is what matters. One of these is security patching: boring and tedious, but done effectively it provides very good basic protection, and it doesn’t require swathes of highly paid, not to mention hard to find, experts to sort out. In this blog post Esten Hoel, our SVP Quality and Security, explains what you need to do to reduce the risk of ever having to try to patch your company’s reputation and brand.

Protecting your data

Businesses nowadays are more or less always and completely reliant on IT to provide value to their core business and their customers. For many companies, products are delivered to customers via the Internet, but even those selling physical things like cars, drugs or real estate are heavily dependent on IT systems in their production, marketing and sales activities.

In classic economic theory, the resources used in production, referred to as factors, used to be three: land, labor and capital. These factors facilitate production but are not visible parts of the end products. It’s fair to say that data should be included in this list, as primary production factor number four.

Companies have for centuries been familiar with the concept of protecting their land, their people and their finances. Now is the time to apply the same protection to their data.

Protecting data is just another term for Information Security. Sound familiar?

Keep track of the CIA

Information security is all about the protection of three main components, the CIA triad: Confidentiality, Integrity and Availability. In short, data should always be available to those who actually need it, never available to those who should not have access to it, and the data in your systems has to be accurate, complete and trustworthy. The relative importance of the three components will differ between different types of companies, but it’s hard to imagine anyone not needing to protect all of them.

When designing and implementing features to protect your data’s CIA, you must also take into consideration who your threat actors are. Are you mainly worried about your own staff, who accidentally or willingly damage your business by destroying, manipulating or stealing your data? Are you worried that your competitors get to see things in your business systems? Do you think you are a target for cyber-terrorism because you have a political agenda? If you run a small business, have little public exposure, operate in a stable part of the world and trust your staff, you have nothing to be afraid of, right?

Cyber-crime is blind

Well, unfortunately, cyber-crime is often, like most other types of crime, blind. Blind and opportunistic. Many types of attackers are simply trying to make money, and they couldn’t care less who they get it from. So when they launch, for instance, ransomware campaigns, they might send emails to just about anyone, hoping that at least someone, somewhere, accidentally opens the attachment, downloads the encryption software and that it’s able to run on your network. By the way, if that actually happens to you, don’t even consider paying the ransom!

Another very common type of cyber-crime is the DDoS attack. They can be small and smart, or they can be large-scale but rather simple. In fact, DDoS starter kits can easily be bought online, so anyone who feels bored and wants to have a bit of fun can get a 15-minute, free-of-charge DDoS delivered from a network of infected computers (yours could be used as well), or even more worryingly, from a network of infected IoT devices. Imagine your refrigerator being used to DDoS your online bank…

I am soon getting to the point here, stay with me.

We have probably by now established that you and your business rely on your data and IT systems. We know that someone, somewhere would like to target you directly, or that someone, somewhere, could accidentally find your IT system while looking randomly for potential victims. Remember that in the old days, attackers needed to be present at your site to actually break in. Being online provides them with that opportunity wherever they might be in the world. Sounds scary, right?

So, what should you do about this?

There is a lot you can do. In fact, you probably already are doing a lot, and you are now considering doing even more. All in the interest of protecting your business, your customers and your brand.

You can never be 100% protected

However, the truth is that no matter how much money you spend on sophisticated Information Security systems, you will never be 100% secure. Which is why you need to think carefully about where you place your bets. Remember that capital was one of the other production factors, so if you spend all your money on state-of-the-art security systems, your business will suffer as well.

Let’s spend a minute thinking about your house or apartment. You can get really fancy door locks, connected to security guards who can respond to break-ins, that cost a fortune. That doesn’t help you if you carelessly leave the front door unlocked. And it doesn’t help much if you have a back door with far less protection either. You probably remember not to display your most valuable assets through the biggest window you have before you leave for your two-week vacation. And by the way, if that vacation is in, say, Africa, you probably remembered to visit your doctor to get the right vaccinations before you left.

It’s the same with Information Security. It has to be built both top-down and bottom-up. Top-down first: you need to have someone in charge of it. He or she needs to talk directly to your top management to align on and obtain the necessary priorities and resources. You need a structured approach to analyze risk, figure out what your business needs to protect and how, and build the right level of security awareness in your workforce.

Top 5 protects against most threats

Then, the bottom-up: make sure you get a base level of security in all parts of the business. A really good guide is provided by the Center for Internet Security and their CIS Controls. It’s a list of 20 things you should consider doing. Luckily, as research shows, if you only manage to implement the first five out of the twenty, you have already eliminated between 80 and 95% of all known security vulnerabilities.

The top 5 basically are:

  1. know what data and IT assets you have
  2. use them in a secure way
  3. apply security patches once they are released
  4. limit administrative access to your systems to those who should have it
  5. know how to use your systems

Sounds simple, but the truth is that this requires lots and lots of tedious, quite often boring work. That’s why I sometimes tell people to make sure they apply boring security in their organization. The good news is, you don’t need a huge team of highly expensive, highly certified security experts to do this. All you need is for people to have a basic security understanding, and to be encouraged and mandated by management to apply it in their day jobs.

You can do this. Or you can have someone do it for you. All it takes is discipline and hard work. And as a result, you will significantly reduce the risk of your business being seriously disrupted by, at least, blind cyber-crime. If you are ever hit by an attack even though you did all of this, your insurance company, your stakeholders, your customers and any other interested party will be much easier to talk to, than would be the case if the incident was caused by your lack of fundamental controls.

That brings me back to the title of this post: by making sure you apply security patches to your servers and applications, you greatly reduce the risk of ever having to try to patch your company’s reputation and brand. Sounds like a good idea, right?

If you want to know more, please contact us or read our Digital Ability Report on how to transform security in the digital age.



Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry but has also worked within the mobile communication and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support the people and organizations and he believes that policies, technology and processes are here to help, not to stop organizations, and to enable innovation. His motto is “systematic work, always works”.


Esten Hoel, SVP Security and Compliance, Basefarm

258,000 encrypted IronChat phone messages cracked by police

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Police in the Netherlands announced on Tuesday that they’ve broken the encryption used on a cryptophone app called IronChat.

The Dutch police made the coup a while ago. They didn’t say when, exactly, but they did reveal that they’ve been quietly reading live communications between criminals for “some time.” At any rate, it was enough time to read 258,000 chat messages: a mountain of information that they expect to lead to hundreds of busts.

Already, the breakthrough has led to the takedown of a drug lab, among other things, according to Aart Garssen, Head of the Regional Crime Investigation Unit in the east of the Netherlands. He was quoted in the press release:

Top 5 Security links

Security Software & Tools Tips – November 2018

In this monthly post, we try to make you aware of five different security related products.
This is a repost from my personal website Ulyaoth.

This month we have chosen the following:
* Naxsi
* OSSEC
* Forseti Security
* Security Monkey
* OWASP Zed Attack Proxy

Naxsi

Naxsi is a module that you can compile with nginx and it then provides “Anti XSS & SQL Injection” capabilities for nginx.

Information from the Naxsi GitHub page:

NAXSI means Nginx Anti XSS & SQL Injection.

Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.
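To make the rule model in that description concrete, here is an added example (not code from the Naxsi project) of a score-based request filter in the same spirit: a handful of literal patterns, each attached to the zones it may match (URL path, query arguments) and to a score counter, with a block decision taken only when a counter reaches its threshold. The rule ids, scores, thresholds and sample requests are constructed for illustration and do not reproduce Naxsi's real rule set or syntax.

```python
"""Simplified, score-based request filter in the style of Naxsi's rule model.

Added example, not code from the Naxsi project. Rule ids, scores and thresholds
are constructed for illustration; Naxsi's real rule set and syntax differ.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl, unquote_plus


@dataclass(frozen=True)
class Rule:
    rule_id: int
    pattern: str          # literal substring, matched case-insensitively
    zones: frozenset      # subset of {"URL", "ARGS"}
    tag: str              # score counter this rule feeds ($SQL, $XSS)
    score: int


# Constructed rules mirroring the quoted example: '<', '|' and 'drop' should not appear in a URI.
RULES = [
    Rule(1000, "<", frozenset({"URL", "ARGS"}), "$XSS", 8),
    Rule(1001, "|", frozenset({"URL", "ARGS"}), "$SQL", 8),
    Rule(1002, "drop", frozenset({"URL", "ARGS"}), "$SQL", 4),
    Rule(1003, "select", frozenset({"ARGS"}), "$SQL", 4),
    Rule(1004, "'", frozenset({"ARGS"}), "$SQL", 4),
]

# Constructed check rules: when a counter reaches its threshold the request is blocked.
THRESHOLDS = {"$SQL": 8, "$XSS": 8}


def _zones(request_uri):
    """Split a request-target into the zones a rule can match against."""
    parts = urlsplit(request_uri)
    path = unquote_plus(parts.path)  # decode so %3C is seen as '<'
    args = parse_qsl(parts.query, keep_blank_values=True)
    return {"URL": [path], "ARGS": [value for _, value in args]}


def score_request(request_uri, rules=RULES):
    """Return (scores_by_tag, matched_rule_ids) for one request URI."""
    zones = _zones(request_uri)
    scores = {}
    matched = []
    for rule in rules:
        for zone in rule.zones:
            for value in zones[zone]:
                if rule.pattern in value.lower():
                    scores[rule.tag] = scores.get(rule.tag, 0) + rule.score
                    matched.append(rule.rule_id)
                    break  # count a rule at most once per zone
    return scores, matched


def decide(request_uri, rules=RULES, thresholds=THRESHOLDS):
    """Return 'BLOCK' if any score counter reaches its threshold, else 'PASS'."""
    scores, _ = score_request(request_uri, rules)
    for tag, limit in thresholds.items():
        if scores.get(tag, 0) >= limit:
            return "BLOCK"
    return "PASS"


if __name__ == "__main__":
    # Constructed sample requests. A lone weak hit (the word 'drop' in a field
    # value) stays below the threshold, which is what keeps scoring from
    # producing a false positive on every legitimate use of a suspicious word.
    for uri in ["/search?q=red+shoes",
                "/report?name=drop",
                "/page%3Cscript%3E",
                "/item?id=1'|drop%20table"]:
        print(uri, "->", decide(uri), score_request(uri))
```

The scoring is the point of the design: a single weak indicator such as the word `drop` in a form field only raises a counter, while several indicators in one request, or one strong indicator such as an angle bracket in the path, push a counter over its threshold. In practice you would run a filter like this in a logging-only mode first and review what it would have blocked before enforcing.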


OSSEC

OSSEC is a free, open source host-based intrusion detection system (HIDS). It is easy to install, and a nice bonus is that it is PCI-DSS compliant.

Information from the OSSEC website:

OSSEC watches it all, actively monitoring all aspects of system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring.

When attacks happen OSSEC lets you know through alert logs and email alerts sent to you and your IT staff so you can take quick actions. OSSEC also exports alerts to any SIEM system via Syslog so you can get real-time analytics and insights into your system security events.


Forseti Security

This is basically a collection of tools that help you improve the security of your GCP environment.

Information from the Forseti Security website:

A community-driven collection of open source tools to improve the security of your Google Cloud Platform environments.


Security Monkey

This is a monitoring tool created by Netflix. It checks your configuration for policy changes and can then alert you.
It currently works on both AWS and GCP.

Information from the Security Monkey GitHub page:

Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories.

It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.

Security Monkey can be extended with custom account types, custom watchers, custom auditors, and custom alerters.
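The two capabilities quoted above, remembering previous states so you can see exactly what changed, and auditing the current state for insecure configurations, combine into a simple pattern that is worth seeing end to end. The following is an added example and not Security Monkey's own code; the snapshot format, the resource types and the two audit checks (an administrative port open to the whole Internet, and a publicly readable bucket) are constructed for illustration.

```python
"""Snapshot diff plus audit, in the spirit of what Security Monkey does.

Added example, not Security Monkey's own code. The snapshot format, resource
types and audit checks below are constructed for illustration.
"""
import json


def diff_snapshots(previous, current):
    """Compare two {resource_name: config} snapshots.

    Returns 'added' and 'removed' resource names, and 'changed' mapping a name
    to (old_config, new_config). Configs are compared through a canonical JSON
    encoding so that key order alone never registers as a change.
    """
    def canon(config):
        return json.dumps(config, sort_keys=True)

    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = {name: (previous[name], current[name])
               for name in set(previous) & set(current)
               if canon(previous[name]) != canon(current[name])}
    return {"added": added, "removed": removed, "changed": changed}


def audit_security_group(name, config):
    """Flag inbound rules that expose administrative ports to the whole Internet."""
    issues = []
    for rule in config.get("ingress", []):
        if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in (22, 3389):
            issues.append(f"{name}: port {rule['port']} open to 0.0.0.0/0")
    return issues


def audit_bucket(name, config):
    """Flag storage buckets whose ACL grants public access."""
    if config.get("acl") in ("public-read", "public-read-write"):
        return [f"{name}: bucket ACL is {config['acl']}"]
    return []


# Auditor per resource type; adding a type means adding one function here.
AUDITORS = {"security_group": audit_security_group, "bucket": audit_bucket}


def audit_snapshot(snapshot):
    """Run the matching auditor over every resource; return issue strings."""
    issues = []
    for name, config in sorted(snapshot.items()):
        auditor = AUDITORS.get(config.get("type"))
        if auditor:
            issues.extend(auditor(name, config))
    return issues


def report(previous, current):
    """The raw diff plus the issues that are new in 'current' relative to 'previous'."""
    new_issues = sorted(set(audit_snapshot(current)) - set(audit_snapshot(previous)))
    return {"diff": diff_snapshots(previous, current), "new_issues": new_issues}


# Constructed snapshots: yesterday's and today's state of a few cloud resources.
SNAPSHOT_OLD = {
    "sg-web": {"type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-bastion": {"type": "security_group", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    "logs-bucket": {"type": "bucket", "acl": "private"},
}
SNAPSHOT_NEW = {
    # same rule as before, only the key order differs: must not count as a change
    "sg-web": {"type": "security_group", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    "sg-bastion": {"type": "security_group", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    "logs-bucket": {"type": "bucket", "acl": "public-read"},
    "sg-db": {"type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
}

if __name__ == "__main__":
    print(json.dumps(report(SNAPSHOT_OLD, SNAPSHOT_NEW), indent=2))
```

Reporting only the issues that are new relative to the previous snapshot is what turns a pile of findings into an actionable alert: the bastion host's SSH port being opened to the world and the log bucket becoming public show up as changes, while the unchanged web security group and the new, internal-only database group stay quiet.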


OWASP Zed Attack Proxy (ZAP)

Information from the OWASP Zed Attack Proxy website:

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.



Russia accused of Energy Sector Siege

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Advanced attackers, most likely from Russia, seem to be in the reconnaissance phase of a cyber war, according to a research report from threat hunting firm Vectra. The attackers are using stealthy tactics, seemingly to prepare and position themselves for possible future cyber warfare in which energy and utilities are important targets.

Typically, over the course of several months, the attackers patiently use tools already installed on the systems, living off the land, to grab documentation and observe operator behaviour, performing lateral movement to expand access while taking care not to set off common alarm bells.

The United States Computer Emergency Readiness Team (US-CERT), part of DHS, released an alert known as TA18-074A in March 2018 regarding this activity.


Top 5 Security links

IT-strategy and waffle consumption

It used to be easy. IT strategy and management was about recruiting the right employees. But, things have changed. Here is a little something to inspire your strategy foundation for the coming decades. And a few words about waffle consumption.

Half of Execs Feel Unprepared to Respond to a Cyber-Incident.

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

According to Tara Seals in an article for

“Half of Execs Feel Unprepared to Respond to a Cyber-Incident.”

Nearly half (46 percent) of executives in a Deloitte poll say their organizations have experienced a cybersecurity incident over the past year — and that they’re still no closer to being ready for the next event.


Top 5 Security Links


Web Security Vulnerabilities and How to Fix them

Wondering how to fix web security vulnerabilities? Scan regularly with tools like Detectify, do in-depth fixing and establish a security directed culture. This is easier with DevOps tools.

Data Thinking: A Guide to Success in the Digital Age

How do we keep up with the pace of digitalization and take control over our own digital development? And how do we learn new skills and routines that lead to successful digitalization? It all starts with a modern way of thinking and acting. At Basefarm we call it Data Thinking.

Cloud computing is creating new challenges

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

According to Mike Kun in an article for

“Cloud computing is creating new challenges among security professionals as attackers embrace the “as-a-service model”, giving unsophisticated cybercriminals a leg up in carrying out attacks.”

“This evolution creates new challenges for defenders. New technologies are constantly reshaping the business landscape, but business leaders also must consider how these can enable new attacks – or make old mitigations obsolete.”


Top 5 Security Links