Wednesday, November 30, 2011

AISA Revolution!

Well it's been a couple of weeks since the AISA annual conference in Sydney and I've just about caught up from the day off!

I just really wanted to post an account of the conference as it truly was a red letter day for the Australian Information Security Association.

I've been to a few annual seminar days held in Sydney, usually hosted at one of the banks, and spoken at one in Melbourne (as one of my last duties as outgoing branch executive), and this was the best!

Let's just go through some key points on why it was so awesome:

- Sydney conference center

- delegates from Melbourne, Sydney and Brisbane.

- 650 plus people registered (and it looked like they all turned up)

- 30 plus exhibitors

- two international speakers (Bruce Schneier and Marcus Ranum)

- CIO of one of the largest banks in Australia speaking

- CSO of Cisco speaking

- FREE yes FREE to AISA Members (membership is $55 per year)

I put a few faces to names at the coffee cart by suggesting a tweet up. I quickly realised how tall @caseyjohnellis is in real life and what a cool accent @VS_ has.

I ran into Marcus Ranum at the coffee cart line and Bruce Schneier on the floor. I have to admit to being a little star struck!

I really enjoyed the presentation from John N Stewart, Cisco's CSO. I really thought it was a useful presentation with lessons learnt. I was really dreading this one as I thought it would be very "producty", whereas it was actually the most pragmatic of the day!

Marcus Ranum's presentation went right off on a tangent! The less free-thinking in the audience were probably all like "What is this guy on about? Is he trying to encourage us to start a revolution and commit criminal damage and computer crime?". I really took his presentation as a challenge to us security professionals to think like a "misguided hacktivist" and consider how our organisations could be "pranked" and subjected to "economic denial of service" by protestors motivated by an organisational policy they disagree with.

AISA really is kicking a few goals at the moment, in my humble opinion. Some examples below:

- new website (finally)

- ongoing focus group meetings http://www.aisa.org.au/for-members/focus-groups/ so you can talk to other security professionals in your area of expertise

- 1600 members

- AISA is providing submissions to the Australian Government on their "Cyber Whitepaper" on behalf of Australian information security professionals

- AISA is policing members for non-compliance with the code of conduct.


Monday, October 3, 2011

It's been a while

Well here's a little update from me:

- I have written a product review which was printed and a few online articles for IDG's publication CSO magazine. I'm now a regular blogger on that site too. Do I qualify for a press pass? Hmm, all readers please report in on events I can "cover", especially those with delicious snacks :) CSO seems to be taking off, much more so than my little venture http://www.ozsec.net.au

- I've been thinking a bit about creating an open source security operations maturity framework project inspired by the OWASP OpenSAMM project. Just need to find an organisation to help me champion it. Something like this would really help to illustrate where on the security journey an organisation is and where they would like to go. I have thought of ISC2, AISA and the ISF, but maybe it is SANS?

- My little business is developing; I've delivered a few successful engagements and now I even have a glossy brochure.

Friday, September 2, 2011

There's nothing new under the sun....some nostalgia from matt

Back in the day my mother was a sysop of a CDC PLATO system... in 1973 it had all of this on an old school green screen/orange plasma display:

touch screen
instant messaging
chat room
screen sharing
bulletin board/news groups
flight simulator
3D multi-player games

and..... wait for it...

freecell

I used to dial up to it at the university on a 300 baud modem and play games with uni students. They would make jokes that would go way over my head, I must have been like eight years of age or so!

  • Plasma display, circa 1964, by Donald Bitzer for PLATO IV
  • Touchscreen, circa 1964, by Donald Bitzer for PLATO IV
  • Answer Judging Machinery, ?date?, a set of about 25 commands in TUTOR that made it easy to test a student's understanding of a complex concept.
  • Show Display Mode, 1975, a graphics application generator for TUTOR software, precursor to Apple's QuickDraw picture language editor.
  • Charset Editor, an early precursor to MacPaint for drawing bitmapped pictures stored in downloadable fonts.
  • Monitor Mode on PLATO, 1974, used by instructors to help students, precursor of Timbuktu screen-sharing software.
  • Pad and a few months later, system-defined Notesfiles, 1973, the first general-purpose computer message board, and precursor to Unix Newsgroups, Digital DECnotes and Lotus Notes.
  • Talkomatic, 1974, a 6-person real-time chat room (text-based), precursor to Instant Messaging Conferences.
  • Term-Talk, 1973, precursor to instant messaging.
  • Gooch Synthetic Woodwind, circa 1972, A music device for the terminal, precursor to sound cards and MIDI.
  • Airfight, 1974, a 3-D flight simulator written for PLATO by Brand Fortner; this probably inspired UIUC student Bruce Artwick to start subLOGIC which was acquired and later became Microsoft Flight Simulator.
  • Empire, circa 1974, a 30 person multi-player inter-terminal 2-D real-time space simulation.
  • Spasim, circa 1974, a 32-player first-person 3D space battle game
  • Pedit5, circa 1974, likely the first graphical dungeon computer game.
  • dnd, 1974–1975, a dungeon crawl game that included the first video game boss.
  • Panther, circa 1975 by John Haefeli, a 3-D tank simulation and forerunner of Atari's Battlezone game.
  • Build-Up, 1975 by Bruce Wallace, based on a story by J. G. Ballard, the first PLATO 3-D walkthru maze game. The maze itself was also 3-D, having holes in the floor and ceiling.
  • Think15, circa 1977, 2-D outdoor wilderness quest simulation, like Trek with monsters, trees, treasures.
  • Avatar, circa 1978, a 2.5-D graphical Multi-User Dungeon (MUD), a precursor to EverQuest.
  • Freecell, 1979 by Paul Alfille, which probably spawned the Windows version.
  • Mahjong solitaire, 1981 by Brodie Lockard, popularised in 1986 by Activision as Shanghai.
  • Emoticons, by 1973

Wednesday, August 10, 2011

Privacy - if you're not paranoid you're not paying attention!

Security & Privacy are two very separate almost opposing disciplines. Some of my colleagues are very privacy aware. I really haven't paid enough attention to privacy and am having a bit of an awakening at the moment and thinking more about it.

There are some major challenges with preserving privacy. If governments allow privacy for all, then criminals will have the ability to plan and commit crimes undetected by law enforcement. Does it all come down to judicial oversight?

I welcome your comments to enlighten me of significant incidents and issues that impact on an individual's right to privacy.

Some examples include:

Printer manufacturers embedding codes into printed materials - perhaps this was done to satisfy legislators worried about forgery of currency. A better solution is to prevent printers from copying currency by embedding a code into the currency.

RFID chips in passports - these chips can be read at very long distances. Chris Paget illustrates this: he got a read from 66m with easily accessible hardware.

Apple recording GPS location history in the iPhone - so a large company is recording the history of your GPS location by default on a fairly insecure platform that can easily be hacked.

Google recording the location of wireless access points and wireless clients via Street View cars - at one stage Google could be queried for the MAC address of your mobile phone and, if a Street View car had picked it up, its location could be identified (perhaps your home or work address).

If, five years ago, I had warned of giant corporations and governments tracking your location with hidden codes and chips in documents and wireless signals, people would have called me a paranoid schizophrenic!

Tuesday, May 31, 2011

advice for young whipper snappers --get off my lawn!

The recent news story (now recanted) about Microsoft hiring a 14yr old kid after identifying him as the cause of a security incident brought up a few thoughts for me that I'd like to share:

Firstly, media, please refrain from calling alleged computer criminals hackers. If you must, call them crackers, thieves, fraudsters etc. You don't call white collar criminals bankers, right?

Secondly, kids - if you are interested in "hacking" or computer security there are plenty of options open to you other than committing a crime. If you want to learn about breaking systems, how about you just run up a few instances of YOUR OWN on Amazon EC2 and start breaking them. You will have cheap or even free access to the latest operating systems, much better than what we see commonly used. Also no need for hardware or pirating software and downloading it. If you are after making a "name for yourself", why not look for some 0day vulnerabilities in open source software and report them to the project rather than giving yourself a problem with pre-employment screening in the future?

Saturday, March 12, 2011

Well it's been ages - time for an update from me

It's been quite a while since I've posted on my blog. I've been doing some contracting and consulting, some policy development and some pen-testing directly under my Ronin Security banner and supporting other professional services firms under theirs. Also I have been working directly with Enex TestLab acting as their General Manager of their Security Testing Division in a business development and practice development capacity.

I'm also working a little on my two start-ups, when I get the chance:
  • OzSec - http://www.ozsec.net.au - I hope this can become a "yellow pages" to the information security industry in Australia.
  • Centre for Application Security - http://www.appsecratings.com - The very early stages of a certification scheme for rating application security for shrinkwrapped consumer software and cloud service providers.

Monday, November 15, 2010

Threat vectors

I don't often post on technical topics due to NDAs preventing me discussing the really good stuff.

However I had a great conversation with the guys over at Securus Global the other day and they mentioned a threat vector I hadn't thought of, whilst discussing a PCI-DSS interpretation/good practice query.

Back in the day, when I started in infosec more than 10 years ago, threat modelling was almost a waste of time. It was all webserver compromise, pivot to own other boxes in the DMZ, compromise database listener, exfiltrate database etc. etc. Most websites were static HTML content and there was no dynamic content and opportunity for SQL injection etc. etc. and the easy way in was compromising the web server software. It was more valuable to spend your time scrambling to patch web server software, set database listener passwords, tweak firewall configurations and drop in an Intrusion Detection System.

Now with the focus on client side attacks and web 2.0 it may be worth your while dusting off your threat models and "attack trees" to make sure you have covered all of your bases. That way the bad guys won't be all en.wikipedia.org/wiki/All_your_base_are_belong_to_us

Here's some examples of threat vectors for a stock standard website performing password protected transactions and storing some sensitive information. The ones in bold you may not have thought of:
  • Core web server software or a web server software extension is compromised, a link to malware is hosted on your website or, even worse, you are used to host malware!
  • A SQL injection attack is undertaken, extracting the contents of the database via responses from the web server, or the attack drops out to the operating system of the database server and uploads the whole database to their server.
  • A SQL injection or persistent Cross Site Scripting attack is undertaken, linking your visitors to a site hosting malware, a web page looking like a Windows lock screen to steal their password, or simply stealing their session tokens.
  • You have a flaw in the implementation of your session management mechanism, or encryption of session tokens is not performed consistently, allowing an attacker to hijack sessions (probably requiring some recon beforehand using their own or a stolen account).
  • You have an insecure direct object reference vulnerability allowing an attacker to cycle through information stored by users of the system.
  • Your advertisement service provider is compromised, resulting in malware being advertised on your website.
  • You don't have a split DNS setup and DNS poisoning redirects your intranet web page to a copy hosted externally (with some nasty malware hosted on it).
  • Your system administrator is emailed a PDF (of interest to them) containing custom malware that downloads and installs a remote access trojan, enabling the attacker to capture administrative credentials which work on an internet accessible administration interface.
  • Your system administrator is social engineered into visiting a website (hosting malware) by phone call, voicemail message, a letter or a flyer.
  • Your system administrator is sent malware on a USB key vendor freebie in a package addressed to them with vendor sales collateral.
Controls you may want to consider to combat the above include:
  • Security awareness training
  • Secure development standards
  • Automated Source Code Analysis by an application security professional
  • Testing your application security to criteria
  • Web and Email Content Management (maybe combined with PDF sanitisation if you are a high risk organisation)
  • Restricting outbound internet access only to proxy servers from workstations
  • Monitoring web proxy logs for unusual activity
  • Restricting server initiated outbound internet access to web servers, application servers and database servers (remember the proper use of stateful inspection firewalls)
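One way to put the last three controls into practice, added here as an example and not code from the original post: a small Python checker that reads constructed squid-style proxy access log lines (the field layout and the 10.20.0.0/24 server subnet are assumptions) and flags browsing initiated from the server subnet, executable downloads, and requests sent to a bare IP address rather than a hostname.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed squid-style proxy access log lines (not from the page). Fields:
# timestamp elapsed client action/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1321312100.123 45 10.10.1.23 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1321312102.789 120 10.20.0.5 TCP_MISS/200 1048576 GET http://203.0.113.50/update.bin - DIRECT/203.0.113.50 application/octet-stream
1321312103.111 25 10.10.1.40 TCP_MISS/200 804 GET http://198.51.100.7/x.exe - DIRECT/198.51.100.7 application/x-dosexec
1321312104.222 60 10.20.0.9 TCP_MISS/200 15 POST http://198.51.100.9/beacon - DIRECT/198.51.100.9 text/plain
"""
# Assumed address plan: web, application and database servers sit in
# 10.20.0.0/24 and should never browse out through the proxy themselves.
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/24")]
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-msdownload"}


def parse_line(line):
    # Keep only the fields the checks below need; skip malformed lines.
    f = line.split()
    if len(f) < 10:
        return None
    return {"client": f[2], "method": f[5], "url": f[6], "ctype": f[9]}


def is_server(client_ip):
    return any(ipaddress.ip_address(client_ip) in net for net in SERVER_NETS)


def is_bare_ip(url):
    # True when the request went to a literal IP instead of a hostname.
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def find_anomalies(log_text):
    # Return one (client, reason, url) tuple per check that a line trips.
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_server(rec["client"]):
            alerts.append((rec["client"], "server-initiated outbound", rec["url"]))
        if rec["ctype"] in EXECUTABLE_TYPES:
            alerts.append((rec["client"], "executable download", rec["url"]))
        if is_bare_ip(rec["url"]):
            alerts.append((rec["client"], "request to bare IP host", rec["url"]))
    return alerts
```

Running `find_anomalies(SAMPLE_LOG)` leaves the workstation's ordinary page view alone and reports the two server-sourced requests and the executable fetch, each also flagged for going to a bare IP.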
