Last-minute Xmas present

Microsoft MVP Troy Hunt has put together a free eBook on the OWASP top 10 for .Net Developers.

Go download it! It'll be the best free book you buy all year.

2011 - almost all over red rover.

2011 has almost come to a close, and it may well be remembered as the year when data breaches truly went mainstream.

Vodafone kicked off the year, exposing customer data through shared/poor passwords on an internet-accessible customer management system. Vodafone went into damage control, resetting employee passwords daily, and eventually some staff were fired as a result.

Then came Sony! Sony's massive multiple breaches (aka the 'sownage') made ongoing front page news and caused plenty of concern in boardrooms around the world due to its scope and the high-profile nature of the target (I mean, who doesn't have a Sony product at home somewhere!?!).

Less noteworthy for many outside the industry, but a bombshell for those of us in it, was the RSA data breach. When the company whose technology is used to secure millions was so easily penetrated and 'something' stolen (did they ever give a clear indication as to what?), many people started questioning the security of their multi-factor authentication provider. RSA offered new tokens and assured all was well - until Lockheed Martin was breached and pointed the finger at the RSA attackers.

Showing hacking knows no industry vertical boundaries, email marketing giant Epsilon was also popped, exposing the details of many customers of some of the world's top companies.

Closer to home, web hosting provider Distribute.IT was pwned and driven out of business in a particularly malicious and destructive attack. While the cops got their man, it was too late for many of the company's customers who lost all of their data.

Corporate 'hacking' made the mainstream news - or indeed was the mainstream news - when Rupert Murdoch's News of the World UK newspaper was outed as having been routinely hacking voicemail messages of celebrities and victims of crime. The main outrage was the claim that journalists had deleted voicemails of an abducted young girl - a claim that is now itself said to be inaccurate. Nonetheless the scandal was enough to have Murdoch shut down the paper, and not rule out shutting down a second.

Journalist hackers have been in trouble here in Australia as well, with the Melbourne Age Newspaper under investigation for hacking a database of a political party.

Certificate Authorities weren't immune either, with DigiNotar hacked and issuing valid certificates for bad guys. The end result was game over for the Dutch CA, but with unverified claims from the hacker that he's pwned other CAs as well.

High-profile data breaches came to Japan in 2011: first it was Sony (as mentioned above), followed by the Japanese parliament and defence contractor Mitsubishi Heavy Industries. Japanese parliamentarians were reported to be using their personal devices to store confidential government data, which has implications all of its own.

Proving that no good deed goes unpunished, First State Super in Australia provided a textbook-like lesson on how not to deal with reported vulnerabilities in web applications by attempting to shoot the messenger. Thankfully a rethink meant the messenger was spared, but the public humiliation remained, along with the potential loss of a multi-million dollar deal.

Australia's biggest Telco, Telstra, helped keep data loss in the news when it was revealed an internal customer database was accidentally exposed to the internet. Perhaps having learnt the lesson of First State Super, Telstra declined to shoot any messengers and reacted fairly swiftly, taking down the site and contacting 60,000 affected customers. However, it wasn't enough to avoid an investigation by the Privacy Commissioner, nor a phishing campaign.

I'm sure there were others that escape me at the moment, but nonetheless these examples alone show that data loss and intrusion were big news in 2011. With more press comes a growing customer awareness that companies may not be securing personal data as the public expects and perhaps a growing pressure from consumers for companies to meet higher data protection standards. Or will increased awareness and reporting mean we end up with 'breach fatigue' where data breaches become so common consumers just tune out?

Here in Australia, data protection (or 'cybersecurity') recently moved from the Attorney-General's Office to the Department of Prime Minister & Cabinet (an area which has had its own problems in the past), so it remains to be seen what (if any) legislative changes are made here and whether we end up with any kind of mandatory breach notification laws or legislated security controls.

Time will tell! Onwards to 2012!

Last minute Xmas gift?

Richard passed me this, perhaps the perfect stocking filler for the social engineer to give to his targets?

Pocket sized and perfect for recording all the things those pesky security guys tell you not to write down - all in one convenient place!

Worryingly, it is currently out of stock...a best seller perhaps?

Availability = not my problem!

Well OK, "not my problem" is perhaps a little harsh. But not my responsibility could be more accurate.
I think it is definitely time to rethink 'Availability' (as in the classic security 'CIA' triangle of Confidentiality, Integrity, and Availability) as being the responsibility of the Security area.
Availability, and its bigger, uglier cousin Disaster Recovery, have long been a part of the Information Security mantra, from entry level CompTIA Security+ level up to CISSP or CISM level. Why is this so?

While you could argue that availability is a security responsibility in the case of a DoS attack, does it remain a responsibility if, for example, a lack of disk space causes a server to come crashing down? Does that mean capacity planning is now Security's responsibility? Or if the single power supply dies and a server or router is unavailable - should Security have ensured that the critical system has sufficient redundancy to avoid an outage due to hardware failure?

I think in the dim dark past that Availability fell under security so it would be 'somewhere' and someone would be thinking about it - even if the 'security guys' weren't the most appropriate people.

I don't think the CIA triangle is going anywhere soon, but in my opinion you're better off concentrating on Confidentiality and Integrity and leaving Availability and DR to the IT department...

Study

Well, that's the CISSP exam out of the way... On to CEH?

First State backflip

So it appears that First State Super have decided not to prosecute the customer that informed them of a (possibly longstanding?) vulnerability in their website - how kind of them. Of course it did take being lambasted in the media to cause the about face and has resulted in unwanted attention from the privacy commissioner...
And the fallout doesn't end there, as it appears that the company responsible for the (in)security of First State is also responsible for other superannuation websites - including recently being awarded a contract for looking after the security of a Government employee superannuation fund...uh-oh!

In not entirely unrelated news, the SEC in the US has released new guidelines requiring disclosure of InfoSec incidents. While only guidelines at the moment, I think this is a step in the right direction. Even if little else changes, it might give us some better data on the rates of intrusions/incidents in these big companies.

More Security Design

Two posts in two days, I'm not sure I can keep this pace up!

I came across the following article this morning, and since it keeps up the theme of building architecture it makes a nice follow-on to my previous post. While I agree that developers should have a good grasp of secure coding techniques, I think security is still seen as something of an infrastructure problem (i.e. firewalls, ACLs, disk encryption, etc.) rather than something that developers need to worry about. Technologies like web application firewalls do nothing to help dissuade developers of this. The only way to ensure that security is 'built in' to applications is to ensure that there is consultation at the design phase between the development team or architect and the security team or architect. Application design needs to be viewed more like the design of a military installation than a skyscraper. In the same way that security specialists lay out the security of the base, the security guys should be laying out the security of the app and reviewing the developers' implementation of the security design.

What Makes a Good Security Design?

Yesterday, while attending a presentation at the VMware vForum event in Sydney, the presenter offered a view on architecture from 1st century Roman architect Vitruvius which struck a chord with me from a security perspective. Rather than wait for the slide deck to get emailed to me (no, I didn't think to write it down verbatim at the time) I visited the great oracle Wikipedia, et voila:

According to Vitruvius, a good building should satisfy the three principles of firmitas, utilitas, venustas, which translate roughly as –

Durability – it should stand up robustly and remain in good condition.
Utility – it should be useful and function well for the people using it
Beauty – it should delight people and raise their spirits.

According to Vitruvius, the architect should strive to fulfill each of these three attributes as well as possible.


While I think these concepts are pertinent to all aspects of IT architecture, be it application, infrastructure or enterprise architecture, this is a security blog.

Durability: well, that's obvious enough. If your design doesn't stand up to the threats it will encounter throughout its lifespan then it's not much of a security solution. Easier said than done, I know; people have been trying to build secure systems for as long as there has been something to protect and, by and large, attackers have found a way around these defences. That doesn't mean it's not a worthy quality to strive for in a solution, however.

Something which is too often forgotten when developing security solutions is usability. Security measures can be obstructive to the end user experience, which ensures that people will either find a way around them or, where they have an option, not use the system at all. Balancing the utility of the system with security helps ensure that security is not seen as a burden and is included by default in systems rather than as an afterthought.

Beauty... That doesn't seem to fit with security; your average security guy generally isn't the prettiest and no, this isn't referring to the subtle shading on your Visio diagram. For me, beauty in this context implies an elegance and simplicity of design. Too often designs are overly complex and, as a result, prone to errors, or they are clunky, inelegant and not fit for purpose. Complexity creeps in to design for a number of reasons, from poor initial planning to integrating with legacy systems. While the architecture of IT systems is an inherently complex topic, beauty (simplicity and elegance) is an important aspect to keep in mind when developing your solution.

While it won't always be possible to achieve 100% success including all these aspects in the design, I do think they represent a worthy set of goals to keep in mind when deciding on which hue of pink would be the best background for your next Visio diagram.

Shooting the messenger

Here's one for the shame file. An Australian security researcher, while accessing his superannuation fund's website, noticed a security flaw - a direct object reference vulnerability when the website displayed customer statements.

He notified the company, provided them his personal details and the details of the vulnerability. He even notified the ex-colleague whose records he accidentally viewed. The company's reaction? Call the cops, engage the lawyers and even threaten that he may be held liable for the cost of fixing the vulnerability!


Seriously? What planet are these guys living on? Would the outcome have been better if he had sold or disclosed the vulnerability to some less ethical party? Or done nothing and waited for someone else to exploit it in future? Maybe it's time to implement some kind of whistleblower-style laws to protect researchers in these circumstances.

I guess no good deed really does go unpunished. This kind of URL manipulation (i.e. changing a single digit) hardly constitutes hacking in my mind. It'll be interesting to see the outcome here, and how our judicial system handles this case (if it gets that far).
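
The flaw described in this post, reduced to a minimal sketch beside its fix. This is an added example, not First State Super's code; the record layout, statement IDs, member names and function names are all hypothetical.

```python
# Constructed sample data: statements keyed by the ID that appears in the URL.
STATEMENTS = {
    770141: {"member": "alice", "balance": "152,300.10"},
    770142: {"member": "bob", "balance": "98,044.55"},
}


class StatementNotFound(Exception):
    """Raised for both missing and not-owned statements."""


def get_statement_unchecked(session_member, statement_id):
    # Flawed pattern: the logged-in member is known but never compared with
    # the record's owner, so any valid ID in the URL returns a statement.
    record = STATEMENTS.get(statement_id)
    if record is None:
        raise StatementNotFound(statement_id)
    return record


def get_statement_checked(session_member, statement_id, denied_log):
    # Fixed pattern: authorise every lookup against the session, server side.
    record = STATEMENTS.get(statement_id)
    if record is None or record["member"] != session_member:
        # Same error for "missing" and "not yours", so the response does not
        # reveal which IDs exist. The attempt is recorded for monitoring.
        denied_log.append((session_member, statement_id))
        raise StatementNotFound(statement_id)
    return record


def members_probing(denied_log, threshold=3):
    """Members denied on at least `threshold` distinct statement IDs."""
    seen = {}
    for member, statement_id in denied_log:
        seen.setdefault(member, set()).add(statement_id)
    return sorted(m for m, ids in seen.items() if len(ids) >= threshold)
```

A single denied request, like the one in this story, stays below the default threshold; the log exists to surface sustained walking of the ID space.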

Sownage returns?

Just when you thought it was safe to go back in the water (or rather, onto the Playstation Network), it appears that "Sownage II: Son of Sownage" may be beginning as Sony gets hit with another big data breach. Or were they? This article (and the message from the Sony CISO) makes it sound more like someone who has compromised data from other sites (perhaps gaming related?) is running their stolen credentials against the Sony Network.

I feel pretty sorry for Sony at this stage. Even the most hardworking and talented Security guys can only do so much at once, and this sort of attack - which they may legitimately have been able to do nothing about (other than tell people not to use the same password for Sony as other sites) - is still going to be publicized as a "Sony Breach".

Of course I feel less sorry for them after their TOS upgrade that requires end users to mail a letter to opt out of the new terms.

Data Breach Laws

It looks like data breach notification laws are back on the radar here in Australia. 2011, 'the year of the high-profile hack' has brought the need to better protect customer/consumer data back into sharp focus for our politicians.

Personally I think this is a good thing, at least in principle. How it works out in practice will depend, as always, on the details.

Other parts of the world have had data breach notification laws for some time now, and some research [pdf] has shown their impact to be limited. Security guru Bruce Schneier wrote an essay on the effect of the laws back in 2009 (and Marcus Ranum's counterpoints are here), and despite admitting that the effect may have been minimal, he believes the laws are a step in the right direction. As Bruce put it: "The laws rely on public shaming. It's embarrassing to have to admit to a data breach, and companies should be willing to spend to avoid this PR expense".

In the aftermath of the "Sownage" of earlier this year, I imagine more than one company began a security review to avoid that exact PR nightmare.

Interesting Links

My (occasional) co-blogger Richard has passed me some very cool links.

The first is a site that creates hashes of files in your browser. Browser #ash allows you to drag and drop files on to the page and returns their hash in MD5, SHA-1 and SHA-256. Very cool!

The second is from Security Xploded and is a great reference of the location and encryption method of the passwords stored by many Windows applications such as browsers, IM clients and email clients. The safest way to manage these passwords - don't let the application remember them....

Toys for the boys

I think anyone working in corporate IT (and especially security) is dealing with the headaches of the 'iPad invasion' (which extends well beyond Apple's 'must-have' products to all things new and shiny).

While I can understand the clamor of users who want the newest gadgets (IT staff can be the worst offenders), there is always the need to balance the implementation of such devices with the overall security requirements of the organization.

It's easy to argue that companies should just allow BYOD policies and protect the data rather than the perimeter or the endpoint. Actually implementing these changes can be a daunting task for many organizations, and expensive in terms of dollars and manpower, with the business benefits (in terms of productivity rather than simply goodwill) not always apparent.

This recent article about the trial of iPads by the Western Australian Government highlights many of the problems faced today. I am personally appalled at the parliamentarians who "threatened 'industrial action' if iPads were not considered in the list of devices available as part of their laptop allowance" and who are quoted as saying: "We told them, 'If you don't give it to us, we will turn around and pass a law so you will give it to us!'".
Way to abuse your powers, jerk.

Sharing Government documents was also highlighted as a problem, with parliamentarians using cloud storage service Dropbox (which has had its own security problems), claiming "We are only one FOI [Freedom of Information] request away from having to hand it over anyway...So it's not something we have been focusing on".
If that is the case, why protect any parliamentary documents at all? Post everything on a public website. Because it's not like governments ever deny FOI requests.

Threatened abuse of lawmaking powers and throwing taxpayer dollars on a device based more on marketing than an actual use-case. I'm just glad I don't live in W.A....

Old school card theft

IT News had an interesting article about a bank here in Australia discovering a physical wire tap and phoney card reader installed in a branch that was siphoning off credit card information and PINs and broadcasting them over radio to the 'bad guys'. I wonder how long it had been there?

Very old school hacking, considering these days most credit cards are stolen from half a world away without the need for physical access.

With all the emphasis on protecting against the virtual attacks, sometimes the physical vulnerabilities get forgotten, such as the 'cutting the phone lines' attack I blogged about in 2009.

"Death Worm"

It's the 90s all over again as a 'death worm' (Morto Worm) is squirming through the internet knocking on RDP ports (3389/TCP). In this day and age an attack as simplistic as this one (it relies on brute forcing admin accounts from a predefined username and password list) shouldn't be able to infect any corporate machine....right?

Microsoft have some more info on this retro attack, including listing the usernames it attacks:

1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5

...and the passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

If you are using any of those passwords (especially on Windows boxes), change them immediately and go sit in the naughty corner for half an hour.
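
One way to spot this kind of username sweep from the defender's side is to look for a single source failing logons against many of the listed account names in a short time. The sketch below is an added example, not from Microsoft's write-up; the `time,source_ip,username` log layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames listed in the post above as targeted by Morto.
MORTO_USERNAMES = {
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
    "backup", "computer", "console", "david", "guest", "john", "owner",
    "root", "server", "sql", "support", "support_388945a0", "sys",
    "test2", "test3", "user", "user1", "user5",
}

# Constructed sample of failed RDP logons (assumed export format).
SAMPLE_LOG = """\
2011-08-28T10:00:01,203.0.113.7,administrator
2011-08-28T10:00:03,203.0.113.7,admin
2011-08-28T10:00:04,203.0.113.7,root
2011-08-28T10:00:06,203.0.113.7,backup
2011-08-28T10:00:09,203.0.113.7,sql
2011-08-28T10:00:11,203.0.113.7,test2
2011-08-28T09:15:00,198.51.100.20,administrator
2011-08-28T09:15:40,198.51.100.20,Administrator
2011-08-28T13:02:10,198.51.100.20,administrator
2011-08-28T08:00:00,192.0.2.44,guest
2011-08-28T09:00:00,192.0.2.44,user
2011-08-28T10:00:00,192.0.2.44,owner
2011-08-28T11:00:00,192.0.2.44,server
2011-08-28T12:00:00,192.0.2.44,sys
"""


def parse(text):
    """Turn 'time,source_ip,username' lines into (datetime, ip, user) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, source, user = line.split(",")
        events.append((datetime.fromisoformat(when), source, user))
    return events


def find_sweeps(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: listed usernames tried} for every source that failed
    logons on at least `min_users` distinct listed names within `window`."""
    by_source = defaultdict(list)
    for when, source, user in events:
        if user.lower() in MORTO_USERNAMES:
            by_source[source].append((when, user.lower()))

    flagged = {}
    for source, hits in by_source.items():
        hits.sort()
        counts = defaultdict(int)  # username -> occurrences inside the window
        start = 0
        for when, user in hits:
            counts[user] += 1
            # Drop events that have fallen out of the sliding window.
            while when - hits[start][0] > window:
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users:
                flagged.setdefault(source, set()).update(counts)
    return {source: sorted(users) for source, users in flagged.items()}


if __name__ == "__main__":
    for source, users in find_sweeps(parse(SAMPLE_LOG)).items():
        print(source, "tried", ", ".join(users))
```

In the sample, the repeated failures on one account and the five listed names spread over four hours are both left alone; only the burst across six names is reported.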

The death of WebOS

One of the big tech stories of the week is that HP has suddenly killed off its WebOS tablet after lackluster sales.

The sudden death of an OS is not such a common thing, especially in consumer devices (obsolescence is another matter), which left me wondering what happens to those WebOS users if (when?) security vulnerabilities are found in their shiny new tablets?

Admittedly it's a tiny minority of the tablet market and the internet user base as a whole, but most of the time consumers have had a good few years (14 years in the case of Windows XP!) to use their PC/Tablet/phone/etc before support is yanked - not a matter of weeks or days - or in the case of the bargain hunters, no support from the get-go.

It's an unusual situation. Maybe they just all install Android....

Password truth...

Courtesy of xkcd.org


Operation Shady RAT

McAfee have released an interesting piece of research called 'Operation Shady RAT'.

According to Dmitri Alperovitch (McAfee's VP of threat research):

I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

With the recent (allegedly) state-sponsored high-profile attacks such as 'Operation Aurora' and 'Night Dragon' [pdf] it's a statement that is (depressingly) possibly more accurate than not.

Terms like 'state sponsored' or 'state actor' are often a PC way of saying 'China'. McAfee don't go as far as to name the state they suspect, but China has nonetheless taken offence to the report - slamming it (via the People's Daily) as 'irresponsible'. McAfee do point out some of the interesting attacks that occurred around the time of the Beijing Olympics on targets of "likely no commercial benefit", such as the IOC and World Anti-Doping Agency, and if there's one thing I learnt from watching too many cop shows growing up - whenever there's an investigation the first question from the detective is "who stands to benefit from the crime?"

Who indeed?

The pdf version is also available here [pdf]

Too true...

Courtesy xkcd.org

Sony password analysis

The upside of big data breaches involving passwords is that it gives us Security Pros an understanding of what users are actually doing when they're selecting their passwords. The cynic in me thinks that we can spend time trying to educate employees, family, friends and neighbours into using strong passwords and changing them frequently - and they'll nod and smile and agree it is important...and then go back to using 'abc123' on their Internet banking.
I've blogged before on past analysis into exposed passwords, and now with the recent Sony breach Troy Hunt has posted an analysis of 37,000 of the exposed Sony passwords. Does it contain anything groundbreaking? Well..no. It's a good bit of analysis that pretty much confirms what my inner cynic suspected - half of the passwords had only one character type (with 90% of these being lowercase only) and 45% of the passwords were numbers only. Only 4% of the passwords analyzed were what is commonly considered 'strong' passwords.

One of the nice things Troy did with his analysis was compare the uniqueness of the passwords across the different Sony databases exposed - a luxury one usually doesn't have when examining breached passwords - 92% of passwords were identical for the 2,000 accounts that had the same email address. Troy even managed to cross reference these accounts against the Gawker data breach and found of the 88 common accounts 67% were the same.
Oh and '123456' and 'password' were once again in the top few passwords used.

In other Sony related news - did Sony really sack a bunch of Security staff just before the data breach? That adds a new wrinkle to this most newsworthy of all breaches this year. I haven't seen it suggested, but could a disgruntled ex-employee have played a part?

Intrusion Mitigation

The Defence Signals Directorate (DSD) in Australia has released a document called "Strategies to Mitigate Targeted Cyber Intrusions" [pdf] that lists the top 35 recommended intrusion mitigations, ranked by effectiveness, user resistance and cost. It's an interesting little 2-pager that is worth reviewing. There was a version released in 2010 as well [pdf].

Fake Apple Store

A whole new level of phishing...even the employees are fooled!

Lazy Auditors?

SC Magazine has an article entitled "Lazy auditors lay Australia's security bare" that extensively quotes fellow CSU alumni Craig Wright. Good article, but the blame can hardly be left solely at the feet of the auditors. Networking equipment is routinely forgotten when audits, vulnerability assessments or even risk assessments are conducted. The focus is often on the database server or the client workstation and commonly overlooks the equipment that allows these devices to communicate. Networking equipment is often hidden away in comms cupboards or deemed 'too risky' to patch or update.

The auditors can however take more blame for the whole 'checkbox compliance' attitude - I know I've sat through audits from major auditors that were little more than a joke, conducted by (often junior) auditors who had little idea of the meaning of the questions they were asking. If this is combined with management that are happy to see a box checked rather than try and understand the details (such as the scope and depth of the audit, the experience of the auditor, the real gaps and risks, etc.) - in a fashion most would never do for a financial audit - then the problem is multiplied.

Does your organization's patch policy include these often forgotten items such as its networking equipment? Have your auditors assessed them? Do they even know what they are or how these devices (if not properly managed) are a risk to the organization?

Hacker or Hackee

Two recent events have thrown the real potential impact of 'hacking' into a different light. The first was the attack on Australian domain name registrar and hosting provider Distribute.IT, who were attacked back in March by hackers who thoroughly trashed servers and destroyed data. Customers suffered an extended outage and much of the lost data proved unrecoverable (we'll leave any arguments about good data backup practices for the time being). The attack was so malicious and targeted that the involvement of an insider or disgruntled ex-employee is suspected. The attack was so devastating that Distribute.IT was sold for a song, effectively closing the doors for the original business entity. This is one of the few examples I can recall of a company being forced out of business because of a hacking attack - something that certainly didn't occur to TJ Maxx, Sony or RSA - despite any financial loss and reputational damage.

The other event is interesting because it offers the opposite perspective. Rupert Murdoch has closed the 'News of the World' tabloid newspaper in the UK in the wake of a hacking scandal - but this time the company weren't the victims but the perpetrators of the attacks, hacking into voicemail message systems in order to get the latest scoop to feed the insatiable appetite of Joe Public for more juicy gossip.
Despite the outrage, 'no tech hacking' - such as dumpster diving or social engineering (known as 'blagging') - has long been a staple of tabloid journalists - posing as hospital staff to photograph celebrity operations or even going undercover as a staff member at Buckingham Palace. Somehow the latest antics have crossed a line (from the gutter to the sewer as a former British PM remarked), that has resulted in the closure of the News of the World (the self proclaimed 'world's greatest newspaper') after 168 years.

Two wildly different hacking events, same outcome: out of business...

More dataloss

The Sydney Morning Herald has this story today about the loss (apparently on a USB stick) of the blueprints for the new headquarters of the German foreign intelligence service. What hope do we have?

Blue Coat Mid-year Security Report

Blue Coat security have released their mid-year security report [pdf].
From the report:

The majority of web threats are now delivered from trusted and popular web sites that have been hacked for use by cybercrime. For this reason, reputation defenses become less effective...

... Search engine poisoning (SEP) ranks as the number one web threat delivery method at this point in the year. To be more specific, image searches have passed text searches and are now the top vector for malware delivery....


...From a user agent perspective, some Mac users are searching for pirated goods and images and falling into known malware delivery vectors. While exploit kits today focus on Windows users, many Mac users have their noses pressed against the glass of cybercrime. When cybercrime’s focus switches to the Mac, these users will be lined up like lambs....

It's short, but worth a read.

Visualization

Perhaps it's the ex-Fine Arts student in me, but I'm always interested in data visualization, especially that which is able to describe complex data ideas in an easy-to-digest fashion. I came across this article on some unusual resume ideas which fits into that category.


I also picked up this book recently, so hopefully it will also offer some more interesting ideas on how to visually present security (and other complex) topics.

Edit: I also just came across this book, which looks like it might be worth picking up. In the same series the book Beautiful Security was very good, and Richard assures me that Beautiful Code was also well worth a read.

Passwords, Passcodes, PINs

I recently came across an interesting article about PIN codes on iOS devices where an app developer pulled the login PIN numbers for his app to do some statistical analysis.

His findings are far from encouraging - or surprising - with (you guessed it!) '1234' taking the top spot, followed by '0000' (seriously...why bother with a passcode at all?).

This is pretty much in line with what I've blogged before about passwords. Of course if Mrs Shepherd-Barron hadn't gotten her way, the most popular PIN would probably match the most popular password...'123456'!

On passwords, a developer has taken all the recently exposed accounts and provided a nice web interface to allow you to see if your password may have been exposed. If you're worried, run your login ID through the checker and see. The site doesn't ask for passwords, but considering many site usernames are email addresses - use it at your own risk!

On better Security news, the DSD (an Australian Government three-letter Agency) has released a preliminary guide to hardening iOS [pdf]. A more in-depth guide is expected in September 2011.

The Wild West

A friend passed this report [pdf] into Information Systems Security from the Western Australian Auditor General.

Key findings:

  • Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
  • We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans. We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.
  • Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the Internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established.
  • Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable:
    • Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
    • Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks. Without a risk assessment, agencies will not know their exposure levels and potential impacts on their business.
    • Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
  • Nearly all the agencies we examined had recently paid contractors between $9 000 to $75 000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats.
Some serious findings indeed, but it's good to see the Government performing these kinds of assessments and trying to get some traction on remediation of findings.

Whilst reading the report consider how well your organization would have fared in this type of assessment.

I also found the link for the 2010 report [pdf]  for comparison.

breachapalooza

We're halfway through 2011 and the breachapalooza* continues unabated!

Sony have been hit so many times in fact there's a new term for it: "Sownage". Add to the ever-growing list senate.gov, Citibank, Honda Canada and the IMF.

Although it isn't really news to Security folk, the mainstream media has picked up on it (largely thanks to the scale of Sony's woes) and are continuing to report on the never ending tide of high profile defacements and smash-and-grabs. A quick look at datalossdb shows the number of incidents so far this year (322) is only slightly up on this time last year (300) and behind 2009 (376); while Sony's 77 million records lost is still well behind Heartland's 130 million back in 2008.

With mainstream media interest undoubtedly leading to increased interest in boardrooms, with executives asking "Can it happen to us?" and "What do we need to do to stop it happening to us?", the question has to be asked: are the actions of LulzSec good or bad for the industry? Patrick Gray ruffled a few feathers with his thought-provoking "Why we secretly love LulzSec":

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.
Which led to an equally interesting response from Adam over at the Newschool site.

I think the answer may be a little from column A and a little from column B. In Patrick's defence, he's probably right to some degree. Every Security guy or gal who has ever been overruled or just plain ignored when explaining the need for better security testing, implementation, tools, monitoring, etc etc; probably has a little voice somewhere saying 'I told you so'.
Adam is right too when he says:
We’re being out-communicated by folks who can’t spell.
Why are we being out-communicated? Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. We come in talking about 0days, whale pharts, cross-site request jacking and a whole alphabet soup of things whose impact to the business are so crystal clear obvious that they go without saying.

Although I would point out that sometimes even framing the problem in the right language to the right audience still doesn't result in the desired outcome. The old 'you can lead a horse to water, but you can't make him drink' problem exists if a mentality of 'it can't happen to us' rules. The only plus out of LulzSec actions is that they may be breaking down some of that mentality.

However, the most disappointing, or possibly telling, thing is that, from what has been reported, very little of what LulzSec has accomplished has been particularly difficult or sophisticated. This is not really surprising as it matches what Verizon revealed earlier in the year [pdf] when they reported that 92% of the breaches investigated were 'not particularly sophisticated'. SQL injection may be old school, but it's more popular than ever.

In the meantime, Paul Ducklin from Sophos issued a challenge to the LulzSec group to use their skills, and their obvious spare time, to do something worthwhile like supporting Johnny Long's Hackers for Charity.

That may have to wait until after LulzSec are done warring with 4chan/anonymous, which at the very least may provide some relief to Sony and may give other companies a break.**


*just heard Patrick Gray's risky.biz podcast from last week call it the pwnpocalypse. Why didn't I think of that?

**Edit 18/6:  or maybe they're not as they're still exposing records.

Managing Geeks

Not specifically security-related, but a friend recently posted a link to an old (2009) article about managing IT staff that is one of the best I have read.


From personal and anecdotal experience it really hit the nail on the head in a few areas about how 'geeks' respond to authority and management and the currency of respect.

National Cyber Security Week

Next week is National Cyber Security Week here in Australia.

Click on the image to go to the Government site for details and great resources such as factsheets, security quizzes and a small business security assessment tool

So-oh no-ny

Sony's woes continue. Although they have restored their PSN network, they are being accused of still having plenty to do, with flaws in their password reset function and multiple vulnerabilities being discovered by researchers in their other websites.
Adding salt into the very public wound, an investigation into Sony's data protection measures by the UK Information Commissioner's Office mirrors the announced investigation by the Australian Privacy Commissioner. It will be interesting to see the findings.

Sony are learning the hard way a lesson that many other organizations should be heeding: computer networks are incredibly complex and difficult, and defending them is even more complex and difficult. If your business is providing online services to a large customer base, security needs to be part of the culture of the company - it needs to be evaluated, implemented and questioned at every level, with every developer, every DBA, every sysadmin, every network engineer taking responsibility to proactively secure their area and every project manager and every business manager understanding the importance of security and the potential damage of a significant breach. Maybe it's too much to ask...?

To my mind it is quite a surprise that Sony did not have a CISO and unfortunate that it took such a major incident for them to appoint one. It seems it may have been a typical 'it can't happen to us' attitude that many managers and executives adopt.

Hopefully the major publicity surrounding this breach will lead other organizations to reassess their data security efforts.

Breach, breach, baby...

Data breaches are big news recently and it seems no-one is immune...

From Sony Online Entertainment's huge breach (and criticized response) to the Australian Government and the (slightly less recent) incredible embarrassment of Security Vendor RSA's breach and the Epsilon breach, which was largely publicized in Australia as the 'Dell Australia' breach.

Will the sheer number of high-profile data breaches provide some more motivation for businesses to employ better security safeguards and to demand vendors provide more secure products? Will they wake up the general populace to the importance of not using the same password for everything and not opening every attachment that promises dancing pigs?

I won't hold my breath, but I will cross my fingers and hope.

The always interesting Verizon Annual Data Breach report [pdf] is out for 2011 and is (as always) as interesting as it is depressing. A big upswing (+22%) in externally-sourced attacks and a change of targets from Financial institutions to hospitality and retail are interesting. The fourth-highest number of breaches resulting from default or easily-guessable passwords is depressing.
Download it as it is well worth a read.

Cloud Concerns

The cloud has arrived down under! Well at any rate it has registered on the radar (weather radar?) of our Government officials.

Last month the Defence Signals Directorate (DSD) issued a paper on Cloud Computing considerations [pdf] that aims to “assist agencies to perform a risk assessment to determine the viability of using cloud computing services.”

This came hot on the heels of the Federal Privacy Minister voicing his concerns with the compatibility of cloud services and the National Privacy Principles and has been followed up by the Victorian Privacy Commissioner releasing a Cloud Computing information sheet to give "a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies"

Personally, I'm happy to see privacy concerns are getting some serious consideration. I'm certainly not anti-cloud, in many ways it is very cool, but I don't want to see businesses running headlong into a potentially disastrous (security & privacy-wise) situation without giving the consequences due consideration. Firm Cloud standards and Government guidelines (and industry guidelines -eg: ASIC) will go a long way to helping any move to the Cloud be successful in the long run (again from a security & privacy perspective).
Assuming your cloud service is up and running that is! (sorry for the cheap shot Amazon!)

Finally on privacy, this week is Privacy Awareness Week, so go and check your Facebook privacy settings (because they change pretty often!)

Be prepared!

Being horribly sick at home with a nasty chest infection has some small benefits - such as being able to catch up on some TV. I just finished watching 'The Egyptian Job'  which is a speculative recreation of the robbing of the tomb of pharaoh Amenemhat III.

Amenemhat III was one of the richest rulers of the Middle Kingdom and had a state-of-the-art pyramid protected by the best security of the time - blind passageways, dead-ends, massive immovable stone doors and a 45 ton slab of quartzite sealing the burial chamber.

But it was all for nought! Using stone tools, ingenuity and elbow grease, a determined group of thieves managed to dig a 100 metre tunnel, move several 15+ ton doors and crack through the 45 ton quartzite slab to pull off one of the richest heists in history.

So what's the lesson? The usual one that no matter how good your defences may seem, a truly determined attacker with time on his/her side will find a way through. Amenemhat III's pyramid used static defences, giant blocks that were 'set and forget'. If the graverobbers hadn't made off with his loot 3700 years ago, Egyptologist Flinders Petrie, with 'modern' tools and techniques would have taken the lot in 1888.

So bearing in mind that one day your defences will fail, the next important step is to be properly prepared for that eventuality. In the aftermath of September 11, and more recently the Christchurch earthquake and Queensland cyclone Yasi, many businesses created or updated their Disaster Recovery and Business Continuity Plans.

While DR/BCP plans are important, such large scale disasters (or even smaller ones, such as your building catching fire) are relatively rare. A statistically more likely occurrence would be for a business to lose critical data - through either malicious or accidental means, or to suffer some other type of network breach such as a large scale virus outbreak or website defacement. But how many businesses have response plans in place to deal with these types of incidents?

Regardless of the business size, having some type of incident response plan to deal with these types of occurrences is a good idea. The very basics of clearly defining who needs to be notified internally (and has the authority to make decisions such as if a compromised critical system can be/should be shut down or if law enforcement needs to be informed) or under what circumstances external bodies must be informed (regulatory bodies or reporting the loss of PII data) is a solid starting point. Predefined statements for the media (or at least determining who is allowed to talk to the media) are also a good idea in case the breach is made public.

Identifying who has the skills to perform an investigation (internally or externally) and has budget authority to engage investigators (nothing is ever free!) is the next step, as it is far better to have this sort of thing defined well in advance in calm circumstances than making high-pressure decisions on the fly at 3am when a major data breach may or may not have occurred (or indeed still be in progress!).

Where investigations are handled internally, having adequately trained and resourced staff is essential - you can't just rely on your 'regular' I.T. staff or Information Security staff to be able to collect evidence and perform forensics without specialized training - and these skills need to be kept up to date through regular incident response drills that expose a sufficient number of staff to the response process (primary responders and backup team members so that a missing key team member doesn't derail the response process).

If a third party is to be used, ensure they have employees with sufficient skills to investigate and collect evidence - this is especially important if the incident ends up going to court - and preferably have a proven track record of performing such investigations. Understand how long different types of investigations take and how much they're likely to cost - the cost of the investigation always has to be balanced against the damage of the incident.

Finally of course is being able to tell if an incident has occurred. Sometimes it is easy, but sometimes an organization may not know for months that its network and information systems have been compromised. Sometimes it may be a false positive and no incident may have occurred at all. Understanding what is 'normal' in your environment is critical - as is being able to quickly detect when something is not normal.

Does Obscure = Secure?

It's not new (in fact it's from 2008), but today I came across this nice piece on Security by Obscurity.

Well worth a read, with some nice points and counterpoints from the likes of Steve Riley and Jesper Johansson.

Suckers down under

Now I always thought us Aussies were a pretty savvy lot, with an ingrained cultural skepticism of things that seem 'too good to be true'.

It is reported that a forthcoming study from the ACCC (Australian Competition and Consumer Commission) shows that over 50 Aussies a week are falling prey to online scams, paying out over $1.5 million per month.

Ouch!

Flash Forensics part II - the empire wipes back

Following up my previous Flash Forensics post, there is another paper [pdf] from some local researchers over in Perth that describes how the 'garbage collection' algorithms that purge data from the drives can wipe valuable forensic information - even when the drive was attached to a PC with a write-blocker!

It seems that the increasingly common use of flash/SSD drives is going to cause headaches for investigators and end users - not always deleting data when you want it gone, and sometimes removing data when you may want it kept (bearing in mind that forensically recovered data may be used to show innocence as well as guilt)!

This is an area of research worth keeping an eye on...

Flash Forensics

I recently came across a couple of interesting articles on the difficulty of securely wiping data from solid state disks.
Both articles are based on a paper [pdf] from a University of California team that tested sanitizing both an entire disk and individual files on SSDs using standard ATA commands.
The outcome? Full disk sanitization was usually (but not always!) effective, while single file sanitization "consistently fail(ed) to remove data from the SSD".

Interesting stuff!

With SSDs rapidly dropping in price, and becoming more and more common in a wide variety of devices (especially portable devices), the paper is well worth a read for those tasked with protecting sensitive data from loss.

Not so Lush

Lush Cosmetics seem to be the latest Australian retailer to have suffered a credit card breach.

From the article:

"Yesterday we were contacted by the web hosting provder to say there had been an unauthorised access of the website and data had been downloaded," he said.
"That was picked up by some extra monitoring that we had put in place.
"Once we got that information, we got the ball rolling trying to get a hold of a forensic investigator to help us understand, what was going on, and (we began) talking to banks and credit card holds and working through the process of how to address the problem and what steps we need to take."
"We would hope that by being upfront and open as soon as possible customers would see we are an ethical business and we are upfront and we will make the enhancements required."
While I do applaud the company's reaction of going public immediately and contacting their 39,000 Australian customers, I do find it a little disturbing that security comes under "enhancements" - it does make it sound like a luxury add-on (eg: leather car seats) as opposed to a pretty fundamental requirement (eg: seatbelts or airbags).
Real details on the breach are scarce, so there's no indication if they were storing credit card numbers in cleartext (hello PCI-DSS!) or if they suspect the bad guys had just pwned the server and were capturing transactions as they occurred.

I guess the good news is that it is hitting the major news sites down under - so other businesses may review their web security and ask themselves "have we done enough?"

Breaching Acceptable Use Policies

Care of Slashdot I saw this post on the potential ramifications of breaching an Acceptable Use Policy based on a recent judgement [pdf]  in Western Australia.

The defendant was a Police Officer, who would normally be held to a higher standard than Joe Public, and the system in question was a Police database, but as the blog post points out: "Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation"

Nick Gifford in his book "Information Security: Managing the Legal Risks" (which I have mentioned before) describes AUAs (Acceptable Use Agreements) as "a contractual mechanism for managing the risks to the organisation associated with granting user access rights" and as a contract I can understand that there would be a legal risk to those who would breach that contract.

What about your company's Acceptable Use Policy? Is it up to date and consistent with employee duties?
Have all of your users read your organisation's AUP? What about those staff who have been there 10, 15 or 20+ years? Has your AUP changed over that period, and have those users acknowledged those changes? Do they have to re-acknowledge the AUP regularly? (yearly?)
Does it explicitly state that there should be no expectation of privacy when using email, browsing the internet or storing data on company assets? Does it allow for monitoring employees and clearly state potential penalties for breaches?

While it's a little late for New Year's resolutions (maybe a Chinese New Year resolution?), make it a priority to look into your AUP and how you track acknowledgement and ensure compliance. And if you don't have an AUP, the ever-useful SANS website has a sample [pdf] to help get you started.

Cyber Crime Facts Executives Need to Know

I came across an article on PCWorld entitled "7 Cyber Crime Facts Executives Need to Know" and thought I'd add some comments:

Cyber crimes are far more costly than taking steps to harden an environment beforehand
Prevention is always cheaper than cure (cheaper in time, resources and dollars!). This doesn't just go for security, but other areas such as software development as well. Retro-fitting is always difficult, always expensive and never as good as if you'd 'done it right the first time'. The quote:
"the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success" is an interesting one, as in my experience (and from talking with peers) many CROs in Australia are still primarily focused on financial and operational risk, with little understanding or appreciation of Information Risk. Perhaps it's a bit different in the US however (and I hope the trend is slowly changing here as well....thanks Julian Assange!)


Cyber crimes are pervasively intrusive and increasingly common occurrences
Recent high-profile events such as Wikileaks and the recent Vodafone breach have probably helped raise some awareness about Information Security and the 'reality' of cyber-crimes, although your less tech-savvy executives may think that having anti-virus installed = magical cyber-crime prevention forcefield.

The most costly cyber crimes are those caused by web attacks and malicious insiders
Web attacks I agree with, but I think there has always been some controversy about the real threat of insiders. While they can't be discounted (OK Wikileaks again....), they shouldn't be overestimated either. Insiders know they're more likely to get caught than the anonymous hacker in Russia or some other place with no extradition laws....
IMHO your web stuff is more likely to get attacked than you are to suffer an internal breach, especially with the rush to throw as much as possible onto the internet.

At onset, rapid resolution is the key to reducing costs  
Rapid identification and handling of incidents is a must in order to reduce damage and cost. Like point #1, preparation is the key and will make all the difference when the bits hit the cyber-fan.
Oh and notice I mentioned identification - you can't handle or resolve what you don't know about!

Loss of information due to theft represents the highest external cost, followed by the costs associated with the disruption to business operations
This may vary industry to industry and country to country as laws such as breach disclosure are different across the world. But in general, if it was worth breaking in and stealing, it must be worth something to someone - a competitor, a rival government, etc. Resuming operations is certainly easier than retrieving data posted on the Internet or restoring consumer confidence in the face of a privacy breach.

All industry verticals are susceptible to cybercrime
If you have data worth something, then you're a potential target. Whether you're in medical, finance or widget manufacture, you may be a target for cybercrime. Unfortunately it's a fact of life today. Of course some industries (like finance) are far more likely to be targeted.

If you deal with senior or Executive Management in your organization, these make great starting points to present some information to them. Use sites like datalossdb to find incidents in your area or industry to emphasize your points. Don't assume they know these things, go out there and educate them!

Physical Security fail

What's wrong with this picture?




(Thanks to Richard for the pic)

Legal Clouds

I came across a couple of interesting reads over at the UK-based Cloud Legal Project site (which is part of the Centre for Commercial Law Studies, Queen Mary University of London).

The first is a survey of Cloud vendor contracts ('Terms of Service Analysis for Cloud Providers'), which highlights risks such as the vendor right to change ToS at any time without notification, cancellation of accounts for disuse or AUP violations and limited liabilities for loss of data.

The second paper is on Information Ownership in the Cloud, which highlights the need for strict definitions in contracts as to who retains the ownership rights of various data types.

Both papers are well worth a read.

Vodafail

Vodafone - one of the world's biggest telecommunication companies - has been hit with an embarrassing data breach here in Australia. While the details are in dispute (some stories say the data was open to everyone, others say not), they all acknowledge that there has been a significant breach at a time when the company is already reeling from negative press about poor reception and data transfer speeds on their network.

To quote Vodafone:

"Customer information is stored on Vodafone's internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,"
Well it must be secure. They used the word secure twice!

Seriously though, while I can understand with all the partners and shops nation-wide that Vodafone found the easiest way to provide CRM access was to use the internet; it is a serious lapse in judgement for Vodafone to not require multifactor authentication on their web portal. What were they thinking?*


The Australian points out that it's likely that Vodafone won't get more than a public 'slap on the wrist' as the Privacy Commissioner currently has no power to act on breaches of the Privacy Act. Gah!

Adopting security is often about incentives. If the Privacy Commissioner can't 'punish' the company for the breach and implementing something like multifactor authentication can't be sold as a customer benefit ("Sign up with us and your data won't be stolen again!") then we're left relying on the company to 'do the right thing' - which has been shown again and again to not be a great incentive to businesses (it could be argued that if 'doing the right thing' was a sufficient incentive, Vodafone would have already used multifactor authentication on their CRM portal - I imagine someone inside of Vodafone is saying "I told you so" today...).


*probably that usernames and passwords are cheaper than multifactor authentication. Which they are, just not safer...

Military Digital Complex

State of Security have a nice post about the 'Post-Zeus/Stuxnet World'. This comes in a year that saw what many believe was the first real government-created 'cyber-weapon' or 'weaponized malware', one that did more than just knock a site offline and destroyed physical infrastructure.
Combine this with events such as an arms manufacturer buying an Australian security company that (among other things) performs penetration tests and the future certainly looks..interesting.

Move over Military Industrial Complex and hello Military Digital Complex?

This is nothing that was unexpected; the logical progression of military might is from the physical to the digital realm. For a smaller, less technologically developed nation, striking with weaponized malware at your larger, more advanced and more technology-dependent foe (especially if no one can prove it came from you!) has to be attractive.

Any security professional knows defence is hard. An attacker only has to find that one weak point, while the defender has to protect and monitor the whole perimeter. Unlike the castles of old, digital perimeters look more like the Great Wall in scale and are constantly changing.


The bad guys are smart, and they learn. The complexity and effectiveness of the likes of Stuxnet will have been noticed and will be part of the next generation of crimeware. As Government or Military contractors develop increasingly weaponized malware, the techniques and methods they use will filter into the ranks of the black hats and criminals - just as advances in military technology have always flowed into civilian life. Radar? TCP/IP? The Internet?

2011 is shaping up to be an interesting year...

ITIL vs COBIT

Although it's a few years old, I just came across this great post from the ITSkeptic that likens ITIL to the Hitchhiker's guide to the Galaxy and COBIT to the Encyclopedia Galactica.

Brilliant!

Cybertarget: Australia

The Australian is reporting on a preview of a report from the Kokoda Foundation that "paints a damning and frightening picture of a complacent nation that has not grasped the scale of the threat posed by cyber hackers to national security, the economy and personal privacy".

Some interesting points made by the article are that "Australia has the fifth-highest level of malware infections in the world" and "the country still lacks a whole-of-nation, government-led integrated long-term National Cyber Strategy and Plan".

The latter point is not really surprising. Does it sound more familiar if it is changed to "the organization still lacks a whole-of-company, executive-led integrated long-term Information Security Strategy and Plan"?
From my discussions with friends in the security industry, once you get outside of the big banks and major financial institutions, Information Security in Australia is still commonly an afterthought or an 'IT Problem'. Hopefully this attitude is changing, especially with the incredible amount of reporting on incidents such as Wikileaks.

The Kokoda Foundation report should be available later this month.
