Olé, Olé, Olé, Oh no!
With World Cup fever sweeping most of the globe, this snippet of the Wireless SSID and password for the World Cup’s security center being accidentally exposed in the background of a media photo made me chuckle!
The fact that SCADA systems and embedded controllers are woefully insecure is hardly news to security folk. But it is always somewhat eye opening to see how some of these systems can be compromised. One such case is this blog post from IOActive Labs that a friend sent to me, where they used remote control drones to hack the systems that send data to the traffic control systems.
While the specific details haven't been revealed yet, IOActive did reveal the responses they received after reporting the bugs to the manufacturers including in one case where:
(T)he vendor said that since the devices were designed that way (insecure) on purpose, they were working as designed, and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue.
Nice to know the poor security isn't an accident, it was done on purpose due to customer demands!
Not that I'm in Australia at present, but I'm keeping an eye on things at home. Here is a nice little article from CSO.com.au on the ICT Security Controls Required by the Australian Privacy Principles.
Came across this interesting article today about a new anti-forensics tool that can basically add a bunch of stuff into memory to obfuscate what an attacker has really been up to, or even plant evidence to implicate someone else! Interesting stuff, I'm looking forward to hearing more about it!
I came across this advisory today, which I believe is the result of the DDoS attacks that were launched against a number of online games platforms such as Steam and the Playstation Network over the Christmas break.
Team Cymru have a secure NTP template available for Cisco, Juniper and Unix systems, the Canadians have more information available here, and CERT have some information, including how to verify if you're vulnerable, here.
The VMware hardening guide for vSphere 5.5 has been released and is available here: https://www.vmware.com/support/support-resources/hardening-guides.html
You know I'm referring to passwords right?
Also from the article:
"studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst."
Did that study include *nix admins?
We've probably all done it. I have. You know you have too. Go on, admit it!
Done what you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free wifi can be a blessing - except when it's a curse!
Here's a fun article from Tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport and how poor the information security practices in some hotels can be.
What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security apparently!
Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!
Oh and Nabil's http://www.toolswatch.org/ page is pretty cool too. Go check it out!
It's been quiet around here lately as I've been travelling and extremely busy with work. However it's time to get back to blogging on a semi-regular basis (I don't know what Richard's excuse is!)
While checking out the new IOS7 features recently (although I've yet to upgrade) I came across this gem:
Apps can now be configured to automatically connect to VPN when they are launched. Per app VPN gives IT granular control over corporate network access. It ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee's personal web browsing activity, does not.
Now that's a nice feature (and about time), especially in the BYOD era. Speaking of BYOD, I recently had a chance to meet a number of Security managers from around the world and BYOD was a hot topic. However here in Japan it is not even on the radar for many organizations. A Logicalis research paper [pdf] from last year showed Japan as significantly trailing other markets in regards to corporate IT actively promoting BYOD and, perhaps unsurprisingly, leading the pack in the measure of 'IT don't know about it but we're doing it anyway'.
As we move into the age of the Internet of Things, expect to see more and more stories like this one, where a luxury toilet firm here in Japan has developed an Android-app controlled 'smart toilet'. The problem? All the toilets are hardcoded to a PIN of 0000 -- allowing anyone with the app (in Bluetooth range) to control the toilet.
While the actual benefits of an Android-app controlled toilet escape me at present (and the impact of an attack is admittedly pretty minor), the poor security in the execution is unfortunately all too common. Today it's a toilet, tomorrow implanted medical devices (actually that is also today...).
The toilet pales in comparison to the Smart TV Hacking [pdf] research from Korea, which is extra creepy if you're watching your smart TV on your smart toilet...
Remember when getting hacked was a bad thing? Now apparently it is a marketing opportunity!
US food chain Chipotle faking its Twitter account being hacked to generate 'buzz' as a marketing exercise.
Of course while others have claimed twitter accounts were hacked to cover up embarrassing behavior, this is the first time I've seen someone making a claim of being hacked as marketing.....
Irony: emails about governments snooping on private data used to distribute malware that allows criminals to snoop on your private data...
Not so new, but here [pdf] is an interesting bit of research I only saw recently on Zero-Day attacks by some Symantec staff.
Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts.... After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
Privacy is getting more and more attention in Australia, with the Privacy Commissioner recently stating:
"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects"
Someone asked me about this today, so I thought I'd add a link. For a while now Microsoft have regularly published an Excel spreadsheet with all the details on their patches. It is quite useful as a quick reference!
It's available here under "Download Detailed Bulletin Information". Or direct link is here.
This was sent to me by a friend and is an interesting read about a recent massive DDoS (distributed denial-of-service) attack that was aimed at Spamhaus.
The attack was a type of DNS-recursion amplification attack [pdf] that uses bogus queries to open DNS servers to massively amplify the amount of bandwidth the attackers could throw at the target, to over 300Gbps at times.
Cloudflare have another great explanation of this type of attack here.
The website at http://openresolverproject.org/ can be used to help you identify if you have DNS servers configured to allow recursion, and provides some configuration suggestions (such as rate limiting).
This was from a little while back, but I hadn't got around to posting it yet. Dan Kaminsky offering a different view of passwords:
"You know what's amazing about passwords? They totally work," Kaminsky said. "The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."
An easier way to make passwords more secure, Kaminsky said, is to mandate 12-character passwords, but make them all lowercase letters so users can create passphrases that are long but easy to remember. Increasing the length of passwords and thereby making them harder to crack is critical, he added, but it has to be done in a way that doesn't overly tax the human memory.
He certainly brings up a good point. The problem may not be passwords, but bad passwords. And why do we get bad passwords? The same reason we get single passwords used across multiple systems or people using their birthdays as PIN numbers - "Password1" or "P@ssw0rd" is easier to remember than "w4dHu92#".
The Australian Attorney-General's office has released the long-awaited Australian Privacy Breach Notification discussion paper [pdf]
It seems to be generating interesting discussion both for and against.
I have commented previously on data breach legislation and haven't really changed my view. The only thing I'd add is that maybe the 'public shaming' fallout isn't as bad as it used to be, simply as the result of so many companies being hacked.
It is interesting that Information Security is back on the political agenda in Australia, as it is in the United States with President Obama considering using an executive order to reinstate the "Cybersecurity" bill that was previously defeated in the US Senate. Probably not surprising though, as it is an election year....
I haven't read the AG's discussion paper in detail yet, but will hopefully get to it this weekend and provide my thoughts.
The New Zealand Government has suffered a major data breach...or have they? From the initial reporting it seems more like they had a gaping vulnerability that was found by a freelance journalist and blogger (Keith Ng) - although he has admitted to downloading the data and apparently then wiping it.
So what can we learn from the published details?
The breach was through physical access to kiosk terminals
Despite the fact the kiosks have internet access, there is nothing I've seen so far to indicate the data was steal-able from the internet. Physical access is always going to be trouble, so extra care needs to be taken. (Of course if their remaining network security was as poor as this kiosk example, it may well have been even easier to steal this information from afar...)
The kiosk terminals had full MS Office suite installed.
The obvious question is why? Never install any software you don't need. In this case Keith Ng used the MS Office 'open file' dialog to access the underlying file structure to move and copy files.
This leads to a greater question of why the (I assume) auto-logon account even had permission to access any file location with sensitive data.....
The Kiosk terminals could access other internal network shares.
Again, why? Once again least privilege was not applied here. If all the kiosks needed was intranet/internet access, then that is all they should be able to access. Bare minimum permissions - once again 'least privilege'. In fact they should have been on an isolated network (in a perfect world), but at the very least, firewalled from the sensitive stuff.
The kiosk terminals allowed the use of USB mass storage devices
Obviously a bad idea. Even if you needed to allow Joe Public to upload data, USB mass storage can be set to read only via a registry setting. Better still, disable the ports completely (physically if need be). One can only wonder if the terminals also allowed booting from USB.....
The Kiosks were running Windows 2000 and XP.
Considering they were installed 'just over a year ago' I really hope the reporter got it wrong. Windows 2000? Really? XP is bad enough, but at least it will be supported for a few more years. Windows 2000 support ended quite a while ago, which means no security updates or patches (which makes enabling USB drives even worse....)
There is also some discussion about whether Keith should be charged. Personally I think he didn't need to go as far as downloading data and "taking it home for analysis" in order to confirm the poor security state of the kiosks. But he wouldn't be the first to be prosecuted for embarrassing a government or organization who publicized their poor security...
*edit*: I rather like this opinion piece on the matter. It is probably closer to the mark than we'd like to think. Keith did get 'tipped off' about the vulnerability. Could it have been a disgruntled (or perhaps outraged) insider?
I've just finished reading Parmy Olson's new book "We are Anonymous". It is an enjoyable and well written book that focuses on the group of Anons who eventually formed LulzSec, went on quite the hacking spree and were (mostly) eventually arrested.
Even for those of us who had followed the press reports and public escapades there is a wealth of new information gleaned from interviews with a number of the now not-so-anonymous former anons, such as LulzSec spokesperson Topiary and hacker-turned-FBI-informant Sabu.
Tracing the stories of several individuals, from hanging out on 4chan /b/ to the early rise of the 'anonymous' brand and the schism that developed between those hacktivists with an agenda and those who were in it 'for the lulz', Parmy does a great job of weaving the narrative together and filling in the gaps between the headline stories, such as the attacks on Paypal or Sony.
I think it's a great read, and any Security pro, or anyone with an interest in better understanding some of the darker subcultures of the internet, will have a hard time putting it down.
Disclaimer: The views and opinions expressed here are those of the authors only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.