Google Transparency

Google has released its transparency figures for the period January to June 2012, which detail requests made by various countries to access user data held by Google. The figures provided by Google only give the total number of requests, which (I think) can be a little misleading. I'm no statistician, but I thought it might be informative to have a look at the figures relative to population. Other interesting comparisons might relate to law enforcement budget, or be somewhat more subjective, such as the government's stance on data retention.

Australia ranks second behind the US for requests that were complied with when accounting for population, fourth for total requests when accounting for population and ninth for total number of requests.

I think one interesting aspect of the graph below is the discrepancy in certain cases between the number of requests made and the number complied with.

Interestingly, there's a note on the US stats that states:
"Government requests for user data from the United States include those issued by U.S. authorities on behalf of other governments pursuant to mutual legal assistance treaties and other diplomatic mechanisms."

Default Passwords in Telstra Home Routers

There is simply no excuse for this appalling display of security ignorance by (I assume) Netcomm.

Hardcoded passwords leave Telstra routers wide open - Networks - SC Magazine Australia - Secure Business Intelligence



WWII Carrier Pigeon

Nice story; it'll be interesting to see if they can decode the message.

Living on the edge

I'm sure there's a security metaphor in there somewhere...


"A Clash of Development Cultures"

Not strictly security related, but I wanted to point out an interesting post over on a blog written by Symantec's Anthony Langsworth titled 'A Clash of Development Cultures'. It is an interesting viewpoint and one that I think also fits into other IT realms, such as Infrastructure or Security.

I met Anthony while studying for the CISSP, and he's a smart cookie. His blog is worth checking out.

Once more unto the breach dear friends....

The Australian Attorney-General's office has released the long-awaited Australian Privacy Breach Notification discussion paper [pdf]

It seems to be generating interesting discussion both for and against.

I have commented previously on data breach legislation and haven't really changed my view. The only thing I'd add is that maybe the 'public shaming' fallout isn't as bad as it used to be, simply as the result of so many companies being hacked.

It is interesting that Information Security is back on the political agenda in Australia, as it is in the United States, with President Obama considering using an executive order to reinstate the "Cybersecurity" bill that was previously defeated in the US Senate. Probably not surprising though, as it is an election year....

I haven't read the AG's discussion paper in detail yet, but will hopefully get to it this weekend and provide my thoughts.

Shaky Security Isles

The New Zealand Government has suffered a major data breach...or have they? From the initial reporting it seems more like they had a gaping vulnerability that was found by a freelance journalist and blogger (Keith Ng) - although he had admitted to downloading the data and apparently then wiping it.

So what can we learn from the published details?

The breach was through physical access to kiosk terminals
Despite the fact the kiosks have internet access, there is nothing I've seen so far to indicate the data was stealable from the internet. Physical access is always going to be trouble, so extra care needs to be taken. (Of course, if their remaining network security was as poor as this kiosk example, it may well have been even easier to steal this information from afar...)

The kiosk terminals had full MS Office suite installed.
The obvious question is why? Never install any software you don't need. In this case Keith Ng used the MS Office 'open file' dialog to access the underlying file structure to move and copy files.
This leads to a greater question of why the (I assume) auto-logon account even had permission to access any file location with sensitive data.....

The Kiosk terminals could access other internal network shares.
Again, why? Once again least privilege was not applied here. If all the kiosks needed was intranet/internet access - then that is all they should be able to access. Bare minimum permissions - once again 'least privilege'. In fact they should have been on an isolated network (in a perfect world), but at the very least, firewalled from the sensitive stuff.

The kiosk terminals allowed the use of USB mass storage devices
Obviously a bad idea. Even if you needed to allow Joe Public to upload data, the USB ports can be set to read only via a registry setting. Better still, disable them completely (physically if need be). One can only wonder if the terminals also allowed booting from USB.....

The Kiosks were running Windows 2000 and XP.
Considering they were installed 'just over a year ago' I really hope the reporter got it wrong. Windows 2000? Really? XP is bad enough, but at least it will be supported for a few more years. Windows 2000 support ended quite a while ago - which means no security updates or patches (which makes enabling USB drives even worse....)
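Checking the USB storage settings mentioned above across a fleet of kiosks is easy to script. The following is an added example of mine, not anything from the NZ kiosks or the original reporting: it parses a Windows .reg export (the constructed SAMPLE_EXPORT below) and checks the two controls I would expect on a kiosk build: the StorageDevicePolicies WriteProtect value (USB mass storage read-only, the registry setting referred to above) and the USBSTOR service Start value (storage driver disabled outright). Treating those two values as the baseline is my assumption; both registry locations are standard Windows ones.

```python
import re

# Assumed kiosk baseline for this example:
# - StorageDevicePolicies\WriteProtect = 1 makes USB mass storage read-only
# - Services\USBSTOR\Start = 4 disables the USB storage driver entirely
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies", "WriteProtect"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR", "Start"): 4,
}

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_LOCAL_MACHINE\...]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000001


def parse_reg_export(text):
    """Parse the DWORD values of a .reg export into {(key, name): int}."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry paths are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit_usb_storage(reg_text):
    """Return a list of findings; an empty list means the baseline is met."""
    values = parse_reg_export(reg_text)
    findings = []
    for (key, name), wanted in EXPECTED.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append(f"{key}\\{name} is not set (expected {wanted})")
        elif actual != wanted:
            findings.append(f"{key}\\{name} is {actual}, expected {wanted}")
    return findings


# Constructed export from a kiosk that set the write-protect flag but left the
# USB storage driver enabled (Start=3 is "load on demand").
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"Type"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit_usb_storage(SAMPLE_EXPORT) or ["USB storage baseline met"]:
        print(finding)
```

On a real machine the export comes from reg export of the two keys; note that regedit writes .reg files as UTF-16 with a byte order mark, so read them with that encoding before passing the text in. The check is deliberately a whitelist of expected values rather than a search for "bad" ones, so a missing key is reported as a finding too.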

There is also some discussion about whether Keith should be charged. Personally I think he didn't need to go as far as downloading data and "taking it home for analysis" in order to confirm the poor security state of the kiosks. But he wouldn't be the first to be prosecuted for embarrassing a government or organization who publicized their poor security...

*edit*: I rather like this opinion piece on the matter. It is probably closer to the mark than we'd like to think. Keith did get 'tipped off' about the vulnerability. Could it have been a disgruntled (or perhaps outraged) insider?

Cyberwar in One Handy Graphic


"We are Anonymous"

I've just finished reading Parmy Olson's new book "We are Anonymous". It is an enjoyable and well written book that focuses on the group of Anons who eventually formed LulzSec, went on quite the hacking spree and were (mostly) eventually arrested.

Even for those of us who had followed the press reports and public escapades there is a wealth of new information gleaned from interviews with a number of the now not-so-anonymous former anons, such as LulzSec spokesperson Topiary and hacker-turned-FBI-informant Sabu.

Tracing the stories of several individuals, from hanging out on 4chan /b/ to the early rise of the 'anonymous' brand and the schism that developed between those hacktivists with an agenda and those who were in it 'for the lulz', Parmy does a great job of weaving the narrative together and filling in the gaps between the headline stories, such as the attacks on Paypal or Sony.

I think it's a great read and any Security pro; or anyone with an interest in better understanding some of the darker subcultures of the internet; will have a hard time putting down.

Waiter? Can I get fries with my Firewall?

Having both waited tables and worked in InfoSec, I can appreciate this article on "What Information Security Can Learn from Waiting Tables"

Although I can't remember anyone ever tipping me for providing Security advice....

Mars Attacks Hacks

Came across a cool article today on NASA's firmware upgrade of Curiosity and the question of - could you hack the rover? The answer is probably yes, but it's not all that easy!

Security Awareness Training

Recently I've been involved in some security awareness training for business users, and in some discussions around the effectiveness of such training, including the question "should we even bother?".

Funnily enough, as I was contemplating this post, I came across PCI Guru's post on the why you should do awareness training which was a response to David Aitel's article on 'Why you shouldn't train employees for security awareness'.

I'm on PCI Guru's side of the fence on this one. Just because awareness training isn't 100% effective (or perhaps even close) is no reason to stop doing it completely. In my view awareness training is one of the ways to get a message across, to present the information contained in all those organizational security policies no one reads and most importantly - communicate to the end users what is expected of them. Will they always do what you ask? Probably not, but there will be those who do internalize the message and alter their behaviour as a result. I can recall genuine surprise on the faces of some employees when I explained that email is not 'private' - scoff  if you like, but to the non-IT or non-Security folks out there the fact it's not private may have never occurred to them - same as they don't expect their cell phone calls or SMS messages to be intercepted. The 'revelation' altered end user behaviour as they understood they may have been doing the 'wrong thing' because of their previous belief. Without security awareness training, how would the message have even reached them?
I also think that good security awareness training should also be aimed at the individual, explain how they can address risks to themselves and their family through altering their behaviour and then explain how this can carry on to their behaviours in the office.

I don't disagree that Dave's alternatives to training are also very beneficial to a company and, like so many other areas of security, are part of a defence-in-depth strategy, but one that should include awareness training.

One thing that isn't mentioned is the use of security awareness training to alter the end users' opinion of the information security department. Too often the security team is seen as 'the cops' or a roadblock (and I think some of them like being seen that way), and part of the reason is that the threats and risks we are trying to address are unknown to the general audience. Through awareness training we can give end users a glimpse of the world from our point of view and (hopefully) start to find some common ground when it comes to working together to address information risks.

I don't believe we can solve our security problems with technology alone, people need to be part of the solution (and more people than just us security propeller-heads). Security awareness training may be far from perfect, but for now, it beats not doing anything to educate your workforce.

An Apple a day...

This is probably the most interesting account of an employee sneaking into work after being fired that I've ever heard!

Although it is the exception rather than the rule - so make sure you're removing departed user access and maintaining your physical security controls!

I'm sure Apple now has stricter security....except when it comes to losing prototype iPhones. Speaking of which, isn't it about time for an iPhone 5 to get left in a bar soon?

Get on the Good foot.

A new twist in multi-factor authentication...Bio-Soles!

The concept is based on research that shows each person has unique feet, and ways of walking. Sensors in the bio-soles check the pressure of feet, monitor gait, and use a microcomputer to compare the patterns to a master file for that person. If the patterns match the bio-soles go to sleep. If they don't, a wireless alarm message can go out.
A good thing my company doesn't use these. I twisted my ankle last week and would still be setting off alarms...

Still, interesting concept. Up there with the Inner Ear Biometrics (pdf here) or the "Butt Biometrics".

Interesting, yes. Practical? Hmmm

More Password Leakage

There is speculation floating around the net that at least one of the recent disclosures of passwords was a SQL Injection attack (my bet would be several). I find this equally as disturbing as the fact that the passwords weren't even hashed. Seriously people, SQL Injection? It's 2012...

Not the end of the world as we know it....

DNS changer has been big in the news of late. even ran a headline featuring a nuclear explosion!

The Australian government has a DNS changer check page - - to help you determine if you are affected. With the impending shutdown of the DNS changer servers, some are estimating 30,000 - 40,000 devices will be affected - really a drop in the ocean of the millions and millions (billions?) of devices connected to the internet. 

I figure some people will find their internet isn't working, shrug their shoulders as they assume it's another 'computer gremlin' and get someone to help fix it. No Cyber-Armageddon of Internet Doomsday.....

Megaupload recap

I've been quiet on the blog since relocating to Japan, and had started a bunch of posts that I never finished. Rather than finish them all, I'm going to start recapping on the stuff I found interesting over the last few months, and then move on to hopefully a more regular schedule.

The Megaupload fiasco, where the site was shut down for illegal filesharing and its owners arrested under US law even though the site was located in Hong Kong and the owners were non-US nationals in other countries. All this despite the fact that NZ's extradition agreement with the US requires the crime to have been committed in US territory. An interesting article here on the legality of it all and what it may mean in the future.
No one seems to have covered themselves in glory here, with the FBI fedex-ing cloned data out of NZ (possibly illegally) and now being ordered to return it, combined with the recent news that the search warrant used to search Kim Dotcom's home and clone his HDDs was ruled illegal.

And oh, of course, there was an 'Anonymous' response to the whole thing and the question of did the high profile bust and take-down accomplish anything anyway?

It raises all the old questions in regards to 'cyberspace' - who 'owns' the internet? Is it a transmission medium or a place? This case will be one to watch...

Macs do get viruses apparently...

'bout time

Hope Conference

Nice! There is a security/hacker conference in the US called HOPE (Hackers on Planet Earth).

How not to deal with passwords...

There is some incredibly bad security advice flying around this thread over on Whirlpool... which makes me feel like this

Dinis Cruz blog: Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)

I really like this idea, it keeps security concerns front of mind while developing.  Though in some ways I think it should be integrated as a test suite into a unit testing tool and have security flaws treated as any other bug.

Tor and SIEM

I've been doing a piece of work with a client recently using a SIEM tool to monitor web and application logs for suspicious/fraudulent activity. One interesting strategy they are using is to look for Tor exit nodes in the web logs and flag activity in these sessions as suspicious. I think this is a sensible approach; these days there is a lot more to security decisions than the binary allow/deny of a traditional firewall. The fact that traffic is coming from a Tor exit node does not automatically make it malicious (there are plenty of legitimate uses for Tor), however Tor is one part of the toolkit that someone with nefarious intent may use to hide their true identity when attempting to breach your systems. This uncertainty means that traffic from these addresses isn't an appropriate candidate for blacklisting but rather warrants further investigation. There is a wealth of data like this, much of it freely available, that is useful to correlate with your own data in order to build a picture of the traffic which is reaching your network. For example:

Tor Exit Nodes: matched against the source IP address
Google Safe Browsing API: matched against the referer in your web logs (anti-phishing)
SANS Top Sources: matched against the source IP address
Team Cymru: lots of interesting data
Project Honey Pot: more interesting data

I suppose the drawback to this approach is that it is still a little reactive and requires human intervention to investigate which may or may not be a problem depending on volumes. One possible enhancement is to use this data as part of the decision making process (possibly with a low weighting) in a preventative mechanism that utilises a scoring mechanism to decide if traffic is malicious such as a WAF or IPS, though I'm sure this is already implemented to some extent.
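The correlation described above is straightforward to prototype outside a SIEM, which is a handy way to tune it before loading a feed as a lookup table. The block below is an added example of mine, not the client's SIEM rules or any vendor's code: it parses combined-format web log lines (constructed), matches the source address against a constructed stand-in for the Tor exit node list, and matches the referer host against a constructed set standing in for a Safe Browsing lookup. The addresses are from the RFC 5737 documentation ranges and the hostnames are invented; none is a real exit node or phishing site.

```python
import re
from urllib.parse import urlsplit

# Constructed threat data standing in for the feeds named in the post.
# 192.0.2.x and 203.0.113.x are documentation ranges, not real hosts.
TOR_EXIT_NODES = {"192.0.2.10", "192.0.2.11"}
# Hosts a Safe Browsing style lookup would have returned as phishing (constructed).
UNSAFE_REFERER_HOSTS = {"login-example.invalid"}

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def enrich(entry):
    """Return the reasons this entry deserves a closer look (empty list if none)."""
    reasons = []
    if entry["ip"] in TOR_EXIT_NODES:
        reasons.append("source is a Tor exit node")
    host = urlsplit(entry["referer"]).hostname or ""   # "-" yields no hostname
    if host in UNSAFE_REFERER_HOSTS:
        reasons.append(f"referer host {host} flagged as phishing")
    return reasons


def triage(lines):
    """Return (ip, request, reasons) for every parsable entry matching an indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue          # unparsable lines are skipped, not treated as hits
        reasons = enrich(entry)
        if reasons:
            hits.append((entry["ip"], entry["req"], reasons))
    return hits


# Constructed sample log: one clean request, one from an "exit node", one with a
# flagged referer, and one matching both indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2012:09:12:01 +1000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jun/2012:09:12:07 +1000] "POST /login HTTP/1.1" 302 0 "https://www.example.com/login" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2012:09:13:44 +1000] "POST /login HTTP/1.1" 200 1532 "http://login-example.invalid/verify" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jun/2012:09:14:02 +1000] "GET /account HTTP/1.1" 200 2210 "http://login-example.invalid/verify" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, req, reasons in triage(SAMPLE_LOG):
        print(f"{ip:<14} {req:<24} {'; '.join(reasons)}")
```

The output is a list of sessions to investigate, not a block decision, which matches the "flag, don't deny" approach above. In production the exit node set would be refreshed from the published list on a schedule and the Safe Browsing check would be an API call rather than a static set; the matching logic stays the same.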

Leaky LinkedIn

So since I heard about the leak of the LinkedIn passwords, I've been waiting to see what the first analysis of the dumped hashes would reveal. Theoretically LinkedIn is a bit of a different beast to other sites that have been breached, as the target users are working professionals, the type of people who have more than likely been educated again and again on passwords by their employers.

And here are some results from Qualys, where they pretty quickly obtained 2 million passwords with not a great deal of effort, including gems such as 'm0c.nideknil.' Overall something like 98% of the hashes have now been cracked.

As for LinkedIn, using unsalted hashes to store passwords? This is security 101 stuff and quite frankly, embarrassing for a company of their size and age. Of course the unsalted part may not be the worst, the big question still remains about how the passwords got stolen in the first place.

As Richard previously posted - change your password! And if you are interested in seeing if your password was included* in the released ones:

(*not specifically YOUR password, but a hash of the same password as the one you were using.)
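Two complaints on this page come down to the same piece of code: the 'More Password Leakage' post above (passwords stored in the clear, SQL injection) and this LinkedIn one (unsalted hashes). As an added example that is not LinkedIn's code or anything from the original posts, the block below shows why an unsalted SHA-1 hash, which is what the LinkedIn dump contained, lets the "is a hash of my password in the leak?" check work at all (every user with the same password gets the same hash), and contrasts it with per-user salted PBKDF2 storage and a parameterised login query. The iteration count and the table layout are my assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def unsalted_sha1(password):
    """The LinkedIn-style scheme: same password -> same hash for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def password_in_dump(password, dump_hashes):
    """The check described in the post: is the unsalted hash of this password in the leak?"""
    return unsalted_sha1(password) in dump_hashes


PBKDF2_ITERATIONS = 100_000  # assumption: a reasonable work factor for this example


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF; returns 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


def create_user_store():
    """In-memory SQLite store; the assumed schema holds only the salted hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def add_user(conn, username, password):
    # Bound parameters: the username is data, never spliced into the SQL text.
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))


def login(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    # Two users with the same password: unsalted hashes collide, salted ones do not.
    print(unsalted_sha1("linkedin") == unsalted_sha1("linkedin"))   # True
    print(hash_password("linkedin") == hash_password("linkedin"))   # False
    conn = create_user_store()
    add_user(conn, "alice", "correct horse")
    add_user(conn, "o'brien", "battery staple")   # apostrophe handled as plain data
    print(login(conn, "alice", "correct horse"), login(conn, "o'brien", "battery staple"))
```

Two things to notice: with the salted scheme an attacker who steals the table has to attack each user's hash separately, which is exactly the economy of scale the 98% crack rate above relied on; and the username with an apostrophe is stored and looked up correctly because the query is parameterised, which is the fix for the injection problem rather than any attempt to "sanitise" input.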

LinkedIn Password Breach

Atari fail.

This arrived in my inbox yesterday:

Atari recently learned of a potential security violation in connection with the unauthorized access to Cryptic Studios’ user databases that occurred in December 2010.  At that time, Atari owned Cryptic and the intrusion may have affected users on Atari’s databases as well and, therefore, we are taking proactive measures to correct the issue. This includes notifying certain users who are registered on and (Test Drive Unlimited 2).
As a precaution, on and, we have reset all accounts for users which we believe were affected. This will require you to reset your password upon attempting to log into each site separately to regain access to your account.  To do so, please refer to our website at for detailed instructions and more information about this issue.
If the existing user name and password was used to access other online accounts, we highly recommend that you update those passwords as well.
We take the security of our user accounts very seriously and are investigating this issue further with Cryptic Studios.   Please note that this was not an intrusion on our existing database, but one that occurred prior to our divestment of Cryptic Studios in July of 2011.  Cryptic no longer manages Atari’s databases.  Our deepest apologies for the inconvenience.
December 2010? And it took until April 2012 to tell impacted customers? *sigh*.
Look at what else occurred between the breach and the notification:

  • "Arab Spring" uprisings oust leaders in Tunisia, Egypt, Yemen and Libya,
  • Southern Sudan became an independent republic.
  • The earthquake/tsunami and reactor meltdown in Fukushima, Japan
  • British Royal Wedding
  • Osama Bin Laden killed by US special forces
  • End of the US Space shuttle program
  • European economic crisis
  • Severe flooding in Thailand and Fiji
  • The entire 'occupy' movement
  • Encyclopaedia Britannica stops hard-copy publication
  • Steve Jobs, Elizabeth Taylor, Peter Falk, Whitney Houston, the King of Tonga and Randy "Macho Man" Savage all died.
Not good enough Atari. On the bright side, despite once owning the home console market, you're less of a household name than Sony so probably won't get as much press....


This has to be one of the more blatant cases of FUD I have seen in a while.

2012 - planning ahead.

2012 is well and truly here. Possibly the end of the world if you believe the Mayan Calendar conspiracy types, but perhaps more likely the end of some businesses (and their employees) if the lessons of 2011 haven't been learned.

Last year felt like a tipping point in the awareness of information security threats in the boardroom. With so many high-profile hacks that saturated the mainstream media, even the most cynical of executives probably caught themselves wondering whether their organization was doing enough to protect their data.

So what sort of questions should business executives be asking themselves? (in no particular order...)

Do you truly understand your critical data and assets?
What is it? Where is it? Who has access to it?
Determine what is critical for your business: is it your e-commerce server? Your customer data? Your R&D data? Once you've identified what it is, you need to understand how valuable it is. Try this exercise: imagine you were selling your company tomorrow. How much would it be worth? Now imagine your most critical data asset was not included in the sale: by how much does that decrease the company's value?
Once you understand what you're trying to protect (and hopefully how valuable it is), you need to locate it, both physically and logically, before you can look at protecting it.

Who is responsible (and accountable!) for protecting that critical data?
If nobody is responsible or accountable, then odds are nobody is protecting your critical data and any data loss or breach will be 'somebody else's problem'. Hopefully by now you have an understanding of the value of your critical data and can see the need to protect it adequately. However identifying and appointing someone is only half the job - do they have the skills and resources required to do the job? Are the objectives of your security program clearly defined? Equally importantly, do they have the authority to make any required changes; to data access, storage location or use? As the expression goes: "if you're responsible for security but don't have the authority to enforce security; then your true role is to take the blame when things go wrong"

How do you measure the effectiveness of that security?
Is your security in the right place? Are the right risks being addressed? Is that security reviewed regularly to ensure it is still adequate? How do you measure that? Have risk appetites for information security-related risks been set?
Many books have been written on measuring security effectiveness, and I doubt there is a single 'right way'. My advice is to measure the things you can control - not the things you cannot. For example, don't measure the number of intrusion attempts from the internet; measure your response metrics from detection to closure.
A clearly defined risk appetite is also critical, not just for information security, but for all of your operational or financial risks. At its core, Information Security is a practical application of risk management, so having a clear understanding of how much risk you're willing to tolerate, and under what circumstances, is critical.

Can you detect breaches? Do you know what to do if one occurs?
How mature is your 'security intelligence'? Some organizations have been infiltrated for months before a data breach was detected. Do you have a CERT/CSIRT plan for responding to breaches?
Like Disaster Recovery/BCP or even a fire drill, knowing what to do when something bad happens can stop a bad situation from getting worse. Having a plan alone isn't enough, it must be regularly tested to ensure all participants understand their role and can perform under the pressure of a real security incident where time may be of the essence.

Does your security program meet compliance requirements?
With ever-increasing legal requirements, does your security program still match up? Have you reviewed your current processes against SOX, HIPAA, PCI-DSS, or any other applicable legislation recently? Are there proposed changes on the horizon that may affect the way you currently protect your data? How often do you review your security, not only against the changing threat landscape, but against changing regulations, technologies and best practice?

Is the company culture 'security aware'?
Information security staff can only do so much. Like a neighbourhood watch, diligent employees are the best defence against information security incidents. Do your employees know not to open random email attachments or how to spot a social engineer? Do they know who to contact if they suspect an incident has occurred? Do they undertake regular security awareness training?

Can your current security practices evolve with the business?
The IT industry is in the middle of one of its biggest shake-ups in recent history. With the increasing consumerization of IT driving the need for flexibility such as BYOD programs, cloud computing pushing in from all sides and the ever-growing need for company data to be highly mobile and accessible, securing your sensitive corporate and customer data has probably never been more challenging. As none of these external pressures are going to go away, is your current Information Security program or strategy flexible enough to cope with the changing environment?

There are undoubtedly other important questions you could ask yourself, but if you can answer these few with confidence then you are most likely ahead of some of your peers and on your way to being able to sleep soundly at night.

“By failing to prepare, you are preparing to fail.” - Benjamin Franklin

Killer Virus

While speaking with a friend over Christmas about the pros and cons of quarantining infected PCs from the internet (not a new idea by any means as it was brought up by Microsoft several years ago) and the analogy with diseased humans, one point was that computer viruses haven't killed anyone (yet?).

But might a virus let a killer go free?
