Whiff WAF

Way back in 2008, Alexander Boris de Pfeffel Johnson caused something of a stink about the origins of the game of Ping Pong. Boris (man of the people) claimed it to be invented not by the Chinese, but by the British, batting wine corks around after dinner as far away as The Raj using cigar boxes. The Jaques family protested, nobody listened, BoJo moved onwards and upwards eventually to rule over the riff raff.

But we aren’t here to talk about him, or even any other political matter (cue rapturous applause), oh no. We are all about threats, hmm.

This week a leading provider of security services Imperva announced that it had been breached, losing ‘email addresses, scrambled passwords, API keys and SSL certificates for a subset of its Web Application Firewall (WAF, see what we did there) users’. Of course, one person’s subset is another’s disaster.

If you are a user of Imperva’s Incapsula product, you should be very concerned. The Almighty Brian Krebs has provided a decent write up, but if you need to know what to do, look no further than this ITC Threat Horizon produced by our in-house team of ace SOC analysts, it is recommended reading.

Imperva is obviously derived from Impervious, itself derived from the Latin Impervius. No matter how you decline it, even using ablative (remember that from school, shivering and terrified at an old school desk?), you can bet that someone at Imperva is going to the head teacher’s study with a security manual down their pants and a resignation letter in their pocket. Rather them than you!

Now, as they say, for something completely different. This week the United States Defence Advanced Research Projects Agency (DARPA – you know the ones that did and didn’t invent the Internet) made significant waves, especially amongst the tin foil hat wearing brigade (good job there are very few of those around here) by asking this over Twitter:

@DARPA. Aug 28, 2019
Attention, city dwellers! We’re interested in identifying university-owned or commercially managed underground urban tunnels & facilities able to host research & experimentation.

What the actual? They wanted it in 2 days? It has been suggested (by sages of this parish, thank you) that rather than simply having lost their copy of Quake or wanting to play something similar in real time, that this might be a signal of the impending Apocalypse, Zombie or other. It certainly couldn’t be much more sinister and should come with its own music. Surely the truth is out there.

The minor skirmishes (which is exactly what they are) between Google and Apple have continued this week as Ian Beer from Google’s Project Zero team (praise them) has announced that an ‘unprecedented’ iPhone hacking has been ongoing ‘for years’, via a small number of hacked websites. Google reported this to Apple on the 1st of February, Apple released a patch on the 7th and now it has been broken as a piece of blatant marketing, sorry, responsible disclosure. Imagine if you had this information and made a competitive product?

If you are a resident in the wild west world of virtual currencies, you will be very pleased to hear that the highly secure, very stable and mightily ethical Swiss Financial regulator has given licenses to two Crypto Banks; Seba Crypto AG and Sygnum. In accordance with tradition, these entities may well become where Bitcoins plundered from poorly secured Bitcoin wallets or currency exchanges will end up.

ITC Towers does not have a sprawling underground lair (mwahahaha) that we can lend to DARPA, it is of course already fully occupied. We can however help you with Web Application Firewall vendors losing your stuff, or any other Internet security issues you may have. If you would like to talk, or have a quick game of Quake, contact us at: [email protected] or 020 7517 3900.

P.S. A very well done to those who tackled the holiday special quiz a few weeks back, for some it was not to be, but one, enjoy the raspberry pie.