Tuesday, September 30, 2008

Crime and punishment

Things have been pretty quiet locally, it seems – on the news front at least. A few bits of good news from overseas, though.

The UK has issued an update to its Computer Misuse Act. First off, the maximum penalty for unauthorised access to a computer system has been changed from six months to two years imprisonment. Here’s to hoping that will deter would-be criminals even further.

Also, denial of service (DoS) attacks have been declared a criminal offence – with miscreants looking at up to ten years in prison – so you are better off gaining unlawful access ;-P.

Finally, distributing hacking tools for criminal intent has been declared a punishable offense. I am quite surprised it wasn’t already!

On that note, the US has just passed a bill that significantly increases the penalties relating to copyright infringement, although there has been major debate about it already.

Gartner says

A recent presentation from a Gartner executive brought up the issue of mobile security. Although his statements are nothing new, John Girard, a Gartner vice president, is again reminding organisations that security risks are rising as smartphones become even smarter.

He did have some very good advice, though: “Data on devices should be encrypted, proper identity and access controls should be implemented and intrusion prevention systems should be used to ensure that rogue devices don't access sensitive information,” he said.

He also told delegates at the IT Security Summit in London yesterday that Gartner is predicting that wireless ID theft and phishing attempts targeting mobile devices will become more and more prevalent throughout next year.

Friday, September 19, 2008

Be proactive – or walk the plank

Some of the latest research released by Frost & Sullivan shows that the security assessment industry is doing pretty well. According to a recent article on ITWeb, the global vulnerability assessment products market earned revenue of $297.5 million in 2007, and this is estimated to more than triple by 2014.

Although this is good news for the security industry and just about everyone else who has private information floating around on other people’s networks, we find that South Africa is still meeting all this with a bit of resistance. Why, though?

The answer is quite a simple one – assessments are becoming a regulatory requirement from many countries’ governments. And this simply does not apply to us here in the deep south of Africa... Well, not as yet, at least.

There is a wonderful thing called the Protection of Personal Information Bill that will make a big difference in all of our privacy once it is passed as an Act. And companies are actually being advised to prepare for it properly now – because it will come into effect in the next few years.

The way it will influence the security assessment industry locally, for instance, is by forcing companies to not only ensure that all their client data is under the virtual version of Fort Knox, but that they have regular assessments done. As in, on a regular basis. Forever and ever.

However, this does not mean that companies can just relax in the meantime and wait for the Act to be born. Companies need to be proactive about this – those of you that take the initiative NOW to secure your corporate environment and to set up regular audits will be way ahead of your competitors when the Act comes into effect. And possibly even avoid a jail sentence.

As soon as it becomes law, companies might not even be granted a grace period to ensure their security policies and procedures are in place. This means they may be treading on illegal ground from day zero.

And don’t think you can easily pass under the radar – the Act will have its very own Big Brother in the form of a dedicated Commission. And although a set fine has not yet been established, you can look at about 12 months if you’re not properly prepared. And, if you hinder, obstruct or unduly influence the Commission, you can land yourself in jail for 10 years.

Have an awesome weekend – and ponder on it will ya! :-)

Tuesday, September 16, 2008

OMG, Telspace goes to Canada

Just a short blog post to let everyone know that Telspace Systems will be presenting at SecTor in Canada during early October 2008. Our talk will be based on hacking internal proxy servers; more details can be found at www.sector.ca

Telspace Systems is also going to be doing training at SecTor this year, focusing on Bluetooth and wireless hacking. Our course already has many students signed up, so we would appreciate it if you booked as soon as possible so as not to miss out on the opportunity! It's going to be fantastic.

We are really looking forward to this awesome event again. If you are from anywhere near the region or you are attending SecTor, pop in and say hi!

P.S. Telspace Systems is hiring again, so give us a call if you think you have what it takes.

Friday, September 12, 2008

Zombie networks go bos

There has been a dramatic increase in the number of zombie networks cropping up lately. Recent metrics from the Shadowserver Foundation show that in the last three months botnet numbers have quadrupled. Strangely enough, though, there seems to be no accompanying increase in spam levels.

According to BBC News, "In June 2008 Shadowserver Foundation knew about more than 100,000 machines that were part of a botnet. By the end of August this figure had exceeded 450,000 machines."

The reasons for this hectic spike are not clear, but there are many theories floating around the net. According to the SANS Internet Storm Centre, it may be more than a coincidence that the dramatic rise in these networks more or less parallels the massive SQL injection attacks we experienced recently.

It is also being said that because it happened during the school holidays in the USA, it could just be due to bored kids. Maybe all the cool kids are doing it... but more than likely it is due to a combination of factors rather than a specific one.

Whatever the reason behind the huge swell of compromised machines, users should more than ever before be vigilant with their security. Patch, patch, patch, and don't click on weird stuff... it can never be stressed enough.

Also, just a quick mention that our Hands on Hacking Unlimited course with Zone-h has been postponed until the 11th and 12th of November. If you have not yet sent in a booking form, please do so – it's gonna be awesome.

Monday, September 8, 2008

MySQL and SQL Column Truncation Vulnerabilities

I've found a really interesting blog post this morning by Stefan Esser discussing a problem he calls 'MySQL and SQL Column Truncation Vulnerabilities'. This vulnerability takes advantage of the max_packet_size configuration by placing a large number of spaces and then a random character after the spaces. This basically allows an attacker to add "duplicate" entries to your database.

As you can imagine, this would bring about pretty big issues with services like user registration. You can read his excellent post for a good breakdown of this vulnerability here.

This morning the first exploit for this kind of vulnerability in a web application was also released. It affects the latest version of WordPress.
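To see why a registration form needs its own checks before a value reaches the database, here is an added Python example (not code from the original post or from Stefan Esser's write-up) that emulates the two MySQL behaviours the write-up relies on, silent truncation of an over-long VARCHAR in non-strict sql_mode and trailing-space-insensitive string comparison, and uses them to reject a candidate login that would collide with an existing account. The column width of 60 and the account names are assumptions for the example.

```python
# Added example: emulate non-strict MySQL storage and comparison so a
# registration form can reject logins that would "duplicate" an existing
# account once the server silently truncates them.

COLUMN_WIDTH = 60  # assumed width of a VARCHAR(60) login column


def mysql_store(value: str, width: int) -> str:
    """Emulate non-strict sql_mode: characters beyond the column width are
    dropped silently instead of raising an error (STRICT_TRANS_TABLES would
    reject the row instead)."""
    return value[:width]


def mysql_equal(a: str, b: str) -> bool:
    """Emulate comparison under a PAD SPACE collation: trailing spaces are
    ignored, so 'admin' and 'admin     ' compare equal."""
    return a.rstrip(" ") == b.rstrip(" ")


def collides_after_truncation(candidate: str, existing: list, width: int = COLUMN_WIDTH) -> list:
    """Return the existing logins the candidate would equal once stored."""
    stored = mysql_store(candidate, width)
    return [name for name in existing if mysql_equal(stored, name)]


def validate_login(candidate: str, existing: list, width: int = COLUMN_WIDTH):
    """Return None if the login is safe to insert, otherwise the reason it is
    rejected. Checks run before any SQL is issued."""
    if candidate != candidate.strip():
        return "leading or trailing whitespace not allowed"
    if len(candidate) > width:
        return "longer than the column width"
    if collides_after_truncation(candidate, existing, width):
        return "would duplicate an existing login after truncation"
    return None


# Constructed sample data: an existing admin account and a 61-character
# registration attempt that the database would cut down to 'admin' + spaces.
EXISTING_LOGINS = ["admin", "alice"]
CRAFTED_LOGIN = "admin" + " " * 55 + "x"

if __name__ == "__main__":
    print("stored as:", repr(mysql_store(CRAFTED_LOGIN, COLUMN_WIDTH)))
    print("collides with:", collides_after_truncation(CRAFTED_LOGIN, EXISTING_LOGINS))
    print("verdict:", validate_login(CRAFTED_LOGIN, EXISTING_LOGINS))
```

Enabling a strict sql_mode on the server turns the silent truncation into an insert error, but the application-side length and whitespace checks are what stop the request before it reaches the database.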

Thursday, September 4, 2008

ISGA meeting in Bryanston

The turn-out of today’s Information Security Group of Africa (ISGA) meeting at the Cisco Offices in Bryanston was really impressive.

Numerous information security role-players from many different companies (including Discovery, BCX, RSA, Deloitte, and Investec) convened to hear what their peers had to say about the industry.

On the ISGA front, Karel Rode, acting chairman, showed the crowd a slide of the ISGA website’s new look. “We will be displaying security-related live content from various sources onto the homepage,” he said.

The first speaker of the day was Dion Fowles from Alexander Forbes, who spoke extensively about the new Protection of Personal Information (PPI) Bill and what its impact will be on the corporate environment. He outlined and discussed the Bill’s eight principles, specifically Principle 6 (security safeguards), which is the only principle that deals with IT-related issues.

He took a layman’s approach to explaining the Bill and used his psychology background to make the presentation not only enjoyable, but understandable. All in all, a great presentation.

Mike Silber from Michalson’s Attorneys focused his speech around more ‘fast-tracked’ Bills. He believes that the PPI bill will be put on hold until the next elections.

He attempted to demystify the Companies Bill, the Competition Amendment Bill and the Consumer Protection Bill, which he sees as the mother of all Bills – complicated at best.

It was clear from both Fowles’ and Silber’s presentations, however, that it is a very lucrative time to be in the information security services business. Once more of these Bills are passed, network breaches and compromised client data will have to be publicly disclosed and even announced through the media.

After the initial break, Jacques van Heerden from GTSP spoke to the audience about virtualisation. He mostly spoke about virtualisation in general – its definition, what a hypervisor is, where to start, pros and cons, although he did touch briefly upon how to handle your security if you plan on rolling out virtualisation.

He mentioned VMware quite frequently during his talk, particularly pointing out how good their products are. What he did fail to mention, however, was a recent security vulnerability reported on milw0rm that exploits an ActiveX method in VMware.

Finally, Peet Smith from Aptronics discussed security governance in IT. He believes that IT governance is currently maturing, as there is a high awareness among corporates. Some of the key drivers of this include legislation as well as customer requirements.

Well done and thank you to Karel and the Cisco guys for a great opportunity to network and learn. Looking forward to the next one!