Monday, February 25, 2013

AusCERT - Cyber Crime and Security Survey Report 2012

Over half of respondents have increased their expenditure on IT security in the previous 12 months

The recently released Cyber Crime and Security Survey Report 2012 conducted by CERT Australia, in partnership with the Centre for Internet Safety at the University of Canberra, is readily available from CERT Australia’s public website – see

It is highly recommended reading for IT & Information Security professionals within Australia.

Some 450 businesses were approached to participate in the CERT Australia Cyber Crime and Security Survey, from which the report was developed. It is suggested that you share the report with your IT colleagues (and vice versa).

The report highlights cyber security issues and may be suitable for referencing as an external source that provides justification for funding IT/control system security initiatives.

The inaugural Survey was designed to obtain a better understanding of how cyber incidents are affecting the businesses that form part of Australia’s systems of national interest – the businesses that partner with CERT Australia.

The survey consisted of 24 questions, both closed and open ended, to ascertain:

  • business description
  • types of IT security used
  • types of cyber security incidents experienced, and
  • industry reporting of incidents.

The findings from the survey provide a picture of the current cyber security measures these businesses have in place; the recent cyber incidents they have experienced; and their reporting of them.

Refer here to download the report.

Friday, February 22, 2013

Six Types Of Information Commonly Leaked

Mandiant Highlights Broad Range of Information Stolen from Victims

IT security provider Mandiant lists six categories of information that's commonly pilfered from business and government computers by hackers from a Chinese military unit it dubs APT1.

Mandiant's findings appear in a comprehensive report issued Feb. 18 that the security firm contends documents how APT1 has breached computers in enterprises that conduct business mostly in English, especially in the United States [see map below]. China denies the allegations presented in the report.  

According to Mandiant, the data stolen relate to:

  • Product development and use, including information on test results, system designs, product manuals, parts lists and simulation technologies;
  • Manufacturing procedures, such as descriptions of proprietary processes, standards and waste management processes;
  • Business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures and acquisitions;
  • Policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
  • E-mails of high-ranking employees;
  • User credentials and network architecture information.

Mandiant says it's often difficult to estimate how much data APT1 has stolen during its intrusions because the People's Liberation Army unit deletes the compressed archives after it pilfers them, leaving only trace evidence that is usually overwritten during normal business activities.

Tuesday, February 19, 2013

How Facebook Got Hacked?

Zero-Day Exploit Bypassed Java Protections to Install Malware

Even the most savvy information technologists aren't immune from cyber-attacks. Just ask Facebook. The social-media titan says it fell victim to a sophisticated attack discovered in January in which an exploit allowed malware to be installed on employees' laptops.

In a blog posted by Facebook Security on Feb. 15, the company said it found no evidence that Facebook user data was compromised.

Here's what happened at Facebook, according to its blog:

Several Facebook employees visited a mobile developer website that was compromised.

The compromised website hosted an exploit that then allowed malware to be installed on these employees' laptops. "The laptops were fully-patched and running up-to-date anti-virus software," the blog says.

"As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement and began a significant investigation that continues to this day." Facebook Security flagged a suspicious domain in its corporate DNS (Domain Name Servers) logs and tracked it back to an employee laptop.

The security team conducted a forensic examination of that laptop and identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.
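The two-stage pivot described above (flag a domain in the resolver logs, find the laptop that resolved it, then sweep every machine for the file found on it) can be scripted. The example below is added here and is not Facebook's tooling; the log lines, the flagged domain and the file hashes are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of corporate DNS resolver log lines (not real data).
DNS_LOG = """\
2013-01-15T09:02:11Z 10.20.1.17 query A intranet.example.corp
2013-01-15T09:02:40Z 10.20.1.33 query A updates.example-vendor.test
2013-01-15T09:03:05Z 10.20.1.17 query A c2-placeholder.invalid
2013-01-15T09:05:52Z 10.20.1.58 query A c2-placeholder.invalid
2013-01-15T09:06:10Z 10.20.1.33 query A intranet.example.corp
"""

# Hypothetical flagged domain, standing in for the one the security team noticed.
FLAGGED_DOMAINS = {"c2-placeholder.invalid"}

LINE_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")

def hosts_querying(log_text, flagged):
    """Stage one: map each client that resolved a flagged domain to its hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records
        ts, client, qname = m.groups()
        if qname.lower().rstrip(".") in flagged:
            hits[client].append((ts, qname))
    return dict(hits)

# Constructed inventory of file hashes collected per host (placeholder values).
HOST_FILE_HASHES = {
    "10.20.1.17": {"HASH_A_PLACEHOLDER", "HASH_MALICIOUS_PLACEHOLDER"},
    "10.20.1.33": {"HASH_A_PLACEHOLDER"},
    "10.20.1.58": {"HASH_MALICIOUS_PLACEHOLDER"},
    "10.20.1.90": {"HASH_MALICIOUS_PLACEHOLDER", "HASH_B_PLACEHOLDER"},
}

def pivot_on_file(hosts_with_hashes, marker_hash):
    """Stage two: every host carrying the file found on the first laptop."""
    return sorted(h for h, hashes in hosts_with_hashes.items() if marker_hash in hashes)

if __name__ == "__main__":
    first = hosts_querying(DNS_LOG, FLAGGED_DOMAINS)
    print("hosts resolving flagged domains:", first)
    # Host 10.20.1.90 never appeared in the DNS log; only the file sweep finds it.
    print("hosts with marker file:", pivot_on_file(HOST_FILE_HASHES, "HASH_MALICIOUS_PLACEHOLDER"))
```

The file sweep turns up a host the DNS log alone missed, which is why the second stage matters.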

The social-media company says it is working with law enforcement and the other organizations affected by this attack. "It is in everyone's interests for our industry to work together to prevent attacks such as these in the future," Facebook says.

The Facebook attack is reminiscent of the 2011 breach at security provider RSA, when a well-crafted e-mail tricked an RSA employee into retrieving a message from a junk-mail folder and opening it; the message contained a virus that led to a sophisticated attack on the company's information systems.

Wednesday, February 13, 2013

In-House App Stores: A Must for the Enterprise?

A Do-it-Yourself Approach to Ensuring Mobile Security

As personal mobile devices become ubiquitous in corporate networks - even in organizations without official bring-your-own-device policies - IT and security personnel are implementing new approaches to prevent malware and ensure data integrity. 

One approach beginning to take root is the creation of in-house corporate app stores, where organizations offer users access to custom-built, secure applications designed specifically for that organization, along with access to approved public apps for smart phones, tablets and other personal devices.

Tackling Application Insecurity

With malware infesting the authorized commercial app stores, including the two largest - Google Play for Android and to a lesser extent, the Apple iOS App Store - corporate security and IT executives are exploring new strategies to limit the use of unauthorized applications on devices connected to corporate networks.

IT departments generally do not permit users to install arbitrary applications on corporate computers, but despite the rapid growth in the use of personal devices for work-related tasks, many companies still have not established similar policies for personal devices.

Companies that opt for a private app store can minimize much of that risk by requiring users to select only from applications that are certified by their employer as safe.

Any suggestions or ideas?

Wednesday, February 6, 2013

Need To Invest Time In Facebook Privacy

An Embarrassment is Coming

If they don't invest the time in reviewing the information that's been published about them, Facebook users are in for a potentially embarrassing surprise. That's because Facebook is working toward making more of its content searchable with its Graph Search feature.

What will be searchable? All the information (personal, professional, pictorial) you post, and that other Facebook users post about you. Additionally, your likes, and in many cases simply the websites you've visited that have hooks back into Facebook, will be searchable.

This article explains it well, and in it, writer Meghan Kelly gives one of the best analogies for Facebook I have read:
Facebook is like a safe containing a ton of your personal information - which you've purposefully and willfully cracked with an axe.
Beyond searching for what's already out there about you, commit to practicing good social etiquette. Don't "check in" your friends for them (without their knowledge!), post pictures of them they may not appreciate or tag them to one of your posts without their permission. Even the tamest of details may cause trouble for them, not to mention, trouble for your relationship. 

Tuesday, February 5, 2013

How To Control "Tagging" on Facebook?

Tame the "Tagging"

Being "tagged" on Facebook means another user has added content and publicly associated you with that content. A friend may post a picture of you at the beach. By tagging you, that photo will show up on your profile (if your settings allow).

There is a setting in Facebook that allows users to approve any tags before they are posted to their timeline. This blog post on Business2Community does a great job of showing readers exactly how to set Facebook to alert them to requests for tags.

This isn't just a good way to easily give friends permission to tag you; it's an excellent way to keep track of the content in which you've been tagged. Who needs to have someone else associate them with things to which they have no legitimate connection?

The post goes on to explain the difference between Facebook Profiles (now known as "Timelines") and Facebook Pages. There are some unique features about Pages that make these tags post differently, so if you manage a Product, Brand or Person Facebook Page, this will be an especially good article for you. 

For more emerging tagging concerns, see: 

Sunday, February 3, 2013

New PCI Guidelines for E-Commerce

A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments. On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security.

The guidelines relate to online infrastructures and how merchants work with third-party providers. Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create.

Securing the Payments Chain

The guidance offers a checklist of security recommendations and reminders, such as:

  • Know where cardholder data is located within the merchant's infrastructures and those of the processors and vendors to which they outsource.
  • Regularly test software and applications to detect if card data or other information is being stored unintentionally.
  • Evaluate risks associated with e-commerce technology.
  • Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting, to third parties.
  • Hire PCI-approved website scanning vendors to validate, on a regular basis, Internet-facing environments for compliance with the PCI Data Security Standard.
  • Define best practices for online payment application security.
  • Implement security training for internal staff.
  • Establish best practices for consumer awareness.

Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to: 
  • Online injection flaws;
  • Cross-site scripting, or XSS;
  • Online cross-site request forgery, or CSRF;
  • Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
  • Weak authentication and/or session credentials; and
  • Application and software misconfigurations.