I, and half the conference attendees, want to be Tanya when we grow up.
@dangoodin The #TravelTech industry is extremely fragmented and runs on decades-old legacy systems. And of course security was not a priority for many parts of that system until recently. While the data comes from #Booking, my experience tells me the leaks actually come from hotels, property management systems, channel managers and many of the other players, who need the data to fulfill bookings but lack the required security.
I've written a few more thoughts on this here. Travel tech security is a frustrating but fascinating place to be working in.
Interesting but imo misleading [article from Ars Technica about Booking data leaks](https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/). It is clear the data is leaking from somewhere, but having worked in the travel tech industry, Booking is probably not to blame here. Hotels are running on extremely old tech infrastructure, and security has historically not been a priority or concern. If the leak was indeed coming from Booking, the scale of the scam would be much larger. To me, it seems that individual property management systems, usually on-prem at hotels, were hacked, and the data used to scam people. Of course that data would include the fact that the booking was made through Booking, and Booking controls enough of the market to make the scam worth it. I am not familiar with the internals of Booking, but it must have a way for hotels to message their guests, which would explain how an email could come from the scammer/hacked system through a legit Booking email address to customers. It would be interesting to know how this could be made more secure, if the integration is compromised... #TravelTech #Booking #Scam
@triciakickssaas I highly recommend "Rest Is Resistance" by Tricia Hersey (or her interview about it on the "We Can Do Hard Things" podcast).
My favorite quote from her book: "Grind culture is spiritual death".
"Stack Overflow driven development" 😂
Today is a good day to add canary tokens to your infrastructure!
Did you know you can get free #CanaryTokens from @ThinkstCanary to alert on suspicious activity?
On https://canarytokens.org/generate, you can generate a whole range of “canaries”, or assets that look like one thing but will actually email you as soon as someone or something interacts with them.
A canary can be a pdf file called “password.pdf”, left on a server, a computer or attached to an email.
A canary can be AWS keys, left in a config file or committed in a private git repo.
A canary can listen for SQL commands or commands being run.
A canary can be an email address, included in customer or employee lists.
They are traps you place, so you know something’s been compromised and your team can start investigating immediately *.
Check out the documentation for more examples and use cases: https://docs.canarytokens.org/guide/
Set up your free #HoneyPots this month! #NewYearResolutions
* These are free so there are some limitations, but still super neat to have.
Nice to spot some good news on a Monday morning.
"US Farmers win right to repair John Deere equipment"
Important PSA from @pluralistic:
"New Yorkers! The state legislature has passed landmark Right To Repair legislation, but Governor Hochul hasn't signed it and it might die. This would be a travesty. If you're in New York, visit https://eff.org/rtr to help tell the Governor that we can't afford to wait (and tell your friends in New York, too!)."
The European Commission is looking for feedback on its proposed Cyber Resilience Act. It aims to introduce cybersecurity rules for manufacturers and vendors of digital products and ancillary services.
You can read the current regulation proposal (87 pages long), along with other comments that have already been submitted throughout the different stages of the process. All the comments will be summarised and presented to the European Parliament to feed the legislative debate.
This is a chance for the cyber security community and subject matter experts to help shape regulations. Anyone can get involved. In the previous round of feedback, a majority (~30%) were from EU citizens, about ~23% were from private businesses and ~2% from non-EU citizens. The rest came from business associations, NGOs, academia and other industry or public groups.
The deadline for submitting feedback is 23 January 2023. Read more and participate here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
#EUPolicy #CyberResilienceAct #InfoSec #CallForFeedback #GetInvolved #PublicPolicy #EuropeanCommission #CyberSecurity #EuropeanUnion
Lunch breaks are for going to the public library to pick up new books for the cold and rainy weekend.
#publiclibrary #stadtbibliothek #stuttgart #bookstodon #Bookwyrm
#feditips You can see the #local feed of another instance by going to their `/public` page, if you are not logged into that instance.
For example https://mastodon.art/public or https://infosec.exchange/public.
This is saving me from having a dozen mastodon accounts.