The future of storage?

Now this [pdf] is cool. Data encoded into DNA in bacteria by a team from Hong Kong University - according to their slides they could encode 900TB of data in 1 gram (wet weight) of E. coli bacteria! It even proposes an encryption scheme by shuffling DNA (a genetic Caesar cipher?).


The ACMA are warning us that 30,000 Australian PCs are infected every day. I wonder, are they unique infections? If so, then if 78% of households have a computer and there are 7,600,000 households (roughly - 2006 figure), every household should have one infected PC by 5th August 2011! (oops, forgot to subtract the 80,000 pre-infected machines, so that would actually be 2nd August 2011).

Are we really all that doomed?


This is interesting. While I can understand the US Government feels the need to 'do something' (a feeling common to politicians of all nationalities and sides), I'm not sure if a Government-mandated set of compliance rules is the best solution. Companies that have spent millions on SOX and PCI-DSS compliance have proven far from invulnerable to cyberattack or data breach. It's not like the DHS can keep their own house in order as it is (although they have apparently been improving).

They could always ask the EPA for help!

Of course if this does pass into law in the US, it will only be a matter of time before it being discussed here in Australia...

WarGames: The Dead Code

Did you know they made a sequel to the all-time hacking classic WarGames?
Neither did I! Having recently watched this straight-to-DVD 2008 sequel, there's a good reason you haven't heard of it...

In brief, the Government has developed a supercomputer called 'RIPLEY' that...wait for it...runs an online game that is designed to identify terrorists, as only terrorists would be good at a game where slaughtering people in a city with biological weapons is the goal. Hijinks ensue when the main character (a mom's-basement-dwelling hacking whizkid who commits credit card fraud for fun and can penetrate the US Government's most top secret network from any wireless access point) plays the game and is mistaken for a terrorist. In a shocking twist, RIPLEY goes haywire and decides to nuke Philadelphia, and only the intervention of the reactivated WOPR - who teaches RIPLEY 'tic-tac-toe' and the concept of 'Mutually Assured Destruction' - can save the day. Or something. My attention was really fading by that point...

In one amazing show of skill, the whizkid hacker plays (the now cancelled) Stargate Worlds MMO. The ability to play unfinished cancelled games? Now that's some super-hacking! (I'd insert a Duke Nukem Forever gag here but, you know)

The classic WarGames quote: "A strange game. The only winning move is not to play" (re-used in this film) could be rephrased "A strange film. The only winning move is not to watch".

I really hope the new TRON sequel is a lot better...

SANS Sydney 2010

I attended the SANS 504 Hacker Techniques, Exploits & Incident Handling course here in Sydney last week, the first time I have attended a SANS/GIAC course, and I must say I was very impressed by both the course content and the skill of the presenter Bryce Galbraith, who was assisted by Chris Mohan.

I found the course to be a terrific eye-opener and introduction to the ethical hacking/penetration test side of the industry, with a focus on the countermeasures that can be implemented and on incident investigation. The 'capture the flag' on the final day was also a lot of fun and really helped tie together some of the techniques and thinking we had learned during the first 5 days.

I'm looking forward to playing with the tools and getting a better understanding of the techniques over the Christmas break, and hope to sit the GIAC GCIH exam in January (but for now the focus remains on the looming CISM exam that is quickly approaching!)

If you are considering doing a SANS course, I'd have to recommend it. While there is a lot to learn in a small amount of time, the hands-on nature and expertise of the presenter make it well worthwhile (and far superior to the 'instructor reading the textbook to you' style training I have suffered in the past).

Google Hacking

Remember Johnny Long's Google Hacking database?

Well it's back

The team at Exploit Database have recently resurrected the GHDB to help you harness the power of Google to do reconnaissance or just be nosey. Use it to check out your webservers, your network and your users before the bad guys do!

A lost laptop

Oh dear. This is just depressing...

If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?

The Toshiba Satellite A30 is an older laptop, so it was probably running XP rather than the BitLocker-capable Vista or Windows 7, but still.....

I hope the Taliban/Al Qaeda/Threat of the Month don't use eBay!

"The Great Cyberheist"

The New York Times have an interesting article up on Albert Gonzalez, the hacker-turned-informer-turned-double-agent who was a key part of the Shadow Crew that committed (amongst other things) the intrusion at Heartland Payments / TJ Maxx that netted over 94,000,000 credit cards.

Although it doesn't go into technical details, it is worth a read for an interesting insider view.

Fashion sense?

A friend passed along a link to the must-have accessory for the aspiring data smuggler this year: USB Flashdrive cufflinks!

Of course, hidden USB drives are nothing new, from USB drive Barbie, a chap stick, chewing gum or a cigarette lighter to the 'hiding in plain sight' USB bowling ball drive!

I hope it holds more than 64MB!

If they're all too big you can go for a MicroSD card hidden inside a coin instead (just don't spend it by accident!).

The point of bringing up these amusing and imaginative storage devices is that it's trivially easy to transfer large quantities of data in a non-obvious fashion (well, except for that bowling ball...). The best way to protect against them all is to put your defences on the data itself, and if you allow the use of unfettered USB storage while protecting portable confidential information, have some kind of host-based DLP strategy.

As for the USB cufflinks, I don't claim to know much about fashion, but they're ugly enough that a strictly enforced dress code might protect you...

The stealth cloud

IT world have an interesting article on what they're calling the 'stealth cloud'. It's not exactly a new concept - bigger companies in particular have had to deal with the 'shadow IT' problem for some time now.

How to spot a Shadow IT user...

However, the recent proliferation of cloud service providers has the potential to greatly exacerbate the problem. As organizations already struggle with governance and meeting requirements such as SOX, PCI-DSS, privacy laws and industry regulation, having business units run out and sign up to external SaaS/Cloud services to fast-track projects sounds like a disaster (if not a lawsuit or breach fine) waiting to happen...

Many of these services are pitched at consumers, who use them and enjoy the benefits of the likes of cloud file storage or a personal online knowledge base, and these same consumers come to the office and want the same services at work.

So how do you combat the problem? There's no easy answer (like just about everything in Security!), but a combination of education/communication - ensuring the managers of the business units understand why storing confidential corporate documents via Dropbox is risky - and being prepared to formally evaluate the security and risks of the SaaS/Cloud providers, so that the resulting decisions are made out in the open, may go a long way to easing the headache.

It's been said before but is worth saying again: most business computer users have no understanding of security. In a recent conversation an office worker was somewhat shocked to hear that email was not 'secure' or even particularly 'private'. Education and communication are the keys and probably the best way to combat those pesky Shadow IT ninja or Stealth Cloud Shinobi! (since they won't let me bring a katana to work...)
