Monthly Archives: June 2012

Presentation Slides now Available

June 29, 2012

Securus Global has a strong team recognised locally and abroad as specialists in their fields and respected by their peers. Our staff are regularly sought after to present and provide their opinion as experts to industry, media, education and our clients.

The latest presentation slides are now available on our website:

  • Industry Security Briefing – ‘SDL What’ – War stories and tips for securing your SDLC. Presentation Slides.
  • AISA Brisbane Conference – Social Engineering Risks and Tactics. Presentation Slides.
  • Industry Security Briefing – ‘PCI DSS Staying Compliant – Lessons From The Field’. Presentation Slides.

AFP issues young people with warnings for cybercrime activities

Cybercrime is no longer solely the domain of professional criminals. Today, many teenagers and young adults have access to complex technological equipment which can be exploited for criminal purposes.

That is why constant vigilance through penetration testing or ethical hacking assessment is so important in ensuring that businesses keep private information safe and secure at all times.

Yesterday (June 26), the Australian Federal Police (AFP) released information on an operation that saw six young people issued with warning notices for suspicion of cybercriminal activities.

Earlier this month officers attended residences in Brisbane, Sydney and Perth in order to educate both the suspects and their guardians on the risk of such behaviour.

“Activities such as hacking, creating or propagating malicious viruses or participating in DDOS attacks are not harmless fun,” said the national manager of high tech crime operations Neil Gaughan.

“They can result in serious long-term consequences, such as criminal convictions and perhaps jail time.”

However Mr Gaughan added that no arrests had been made, and that the operation was purely intended as a deterrence measure to help educate the community while preventing any further illicit behaviour from taking place.

“These activities are just part of the on-going commitment by law enforcement to deter cyber criminals,” Mr Gaughan added.

Serious cases of cybercrime being perpetrated by young people are becoming more common in the media. Earlier this month, Essex police indicted a 19-year-old man on suspicion of violating the Computer Misuse Act and the Criminal Law Act 1977.

Ryan Cleary was accused of developing and maintaining a large botnet which was used to conduct DDOS attacks as part of the Lulzsec hacking group.

According to the AFP, hacking and other computer related cybercrime offences can carry a maximum penalty of up to ten years in prison.

The AFP encourages Australians to use the internet and other technology safely in order to ensure they stay safe from cybercrime.

PCI DSS best way to prevent hacking incidents

Federal agents in the US have confirmed a massive sting operation aimed at hackers and cybercriminals has led to the arrest of 24 individuals.

“Clever computer criminals operating behind the supposed veil of the Internet are still subject to the long arm of the law,” said Manhattan US attorney Preet Bharara.

The investigation stretched over two years and involved FBI agents going undercover on internet forums to pose as fellow hackers. All the men arrested were aged between 18 and 25 and could face up to 40 years in prison.

While the news is a positive breakthrough in preventing future cybercrime, businesses should not rest on their laurels when it comes to ensuring the security of user data.

The men arrested were found to be exchanging stolen credit card details, as well as trading information on the best way to access secure databases.

Payment Card Industry Data Security Standard (PCI DSS) compliance remains the best way to ensure your company is meeting its responsibilities when it comes to handling debit and credit card information.

US authorities in New York have reported that the investigation prevented upwards of US$205 million in possible losses.

Almost half of the 24 men were arrested in the US, while the rest came from a range of countries including Australia, Reuters are reporting.

Importance of PCI DSS compliance highlighted in Wyndham lawsuit

The US Federal Trade Commission (FTC) has filed a lawsuit against Wyndham Worldwide, accusing the hospitality company of failing to adhere to suitable security protocols – actions which led to the theft of 619,000 payment card accounts.

“Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorised access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years,” reads the lawsuit, which was filed June 26 (local time) in Arizona.

“Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”

The news is further evidence of the importance of Payment Card Industry Data Security Standard (PCI DSS) compliance, and for businesses to ensure that they are taking the measures necessary to protect user data.

The FTC claims that Wyndham Worldwide’s security practices led to unnecessary exposure of customer details to unauthorised access and theft.

Payment card information stored on Wyndham databases was kept in clear, readable text, while account passwords were overly simplistic and easy to guess, according to the FTC.

Hackers first gained access to the Wyndham computer network in April 2008 after compromising an administrator account by using a brute force attack.

They then installed memory-scraping malware on the server, allowing them to steal payment card information from over 500,000 hotel guests.

The FTC goes on to say that even after this incident, Wyndham Worldwide failed to integrate proper security measures.

Hackers were then able to gain access to private information in May 2009, and again towards the end of that year, stealing the details of a further 119,000 credit cards.

Wyndham Worldwide has denied the charges and has claimed to have made significant security improvements since the incidents.

“We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company,” reads a statement from Wyndham released to online security website CNET.

“In a time when cyberattacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide.”

New PCI DSS requirements will come into effect on June 30

The Payment Card Industry Data Security Standard (PCI DSS) is a requirement set down by several of the world’s leading payment card providers for any retailer who processes debit or credit card information.

However the scope of PCI DSS compliance, and the fact that individual requirements vary depending on the size of a company, can often make it confusing for businesses to understand.

And it may soon become even harder to internally evaluate PCI DSS compliance with new updates coming into effect on June 30.

Retailers will now be required to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities”, according to the security standards council – something which was previously only considered a best practice.

This means that businesses will not only have to be aware of and understand vulnerabilities, they must also be able to rank those vulnerabilities based on the relative risk to their systems.

The importance of having a secure system for managing payment card information has been highlighted in the media lately, with news breaking earlier this week (June 26) that the US Federal Trade Commission has filed a lawsuit against Wyndham Worldwide, accusing the hotel group of not properly securing customer information leading up to the theft of 600,000 payment card accounts.

State of Information: Annual Report – Are you publishing one?

Updated from Beast or Buddha (August, 2010).

As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check off what they are actually doing now against what the original role description said the role would or should be?

I know from talking with many people out there that this is one of their biggest issues in their role today – either the role not being as it was promoted/advertised and/or you not having the support to perform the role you were hired to do.

It’s made cynics of so many people in our industry and in a weird way, has also kept people, albeit unhappy in organisations longer, given the fact that there’s a belief that wherever security people go, it will be much of the same… so at least, “better the devil you know”. Many in our industry have a continual battle trying to do their job and fighting every step of the way for even small gains. It’s always been like this.

Google data shows value of penetration testing and regular security audits

June 26, 2012

Alongside penetration testing and regular security audits, ensuring safe online browsing practices can be one of the best ways to ensure your business remains protected from external threats.

A new blog post published June 19, from Google principal software engineer Niels Provos, has confirmed just how many malicious websites are out there and posing a danger to internet users.

“We protect 600 million users through built-in protection for Chrome, Firefox, and Safari, where we show several million warnings every day to Internet users,” writes Provos.

“We find about 9,500 new malicious websites every day. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing.”

The new information has been released to commemorate the five-year anniversary of Google’s Safe Browsing effort, which is an initiative aimed at ensuring users remain safe while using the internet.

Malicious websites are often used as a way of spreading information-stealing malware, which can allow cybercriminals to externally access private information, disrupt computer operations or track user activity online.

Google suggests that users who want to protect themselves from online threats pay attention to any official warning messages that pop up.

Furthermore, by selecting the check box that appears on the red warning page, people can assist Google by submitting information on potentially dangerous or unscrupulous websites.

Businesses concerned about the danger of online malware and viruses spreading onto company servers will want to ensure they are running up to date anti-virus software and regularly reviewing vulnerability management reports.

“The threat landscape changes rapidly. Our adversaries are highly motivated by making money from unsuspecting victims, and at great cost to everyone involved,” writes Provos.

However Google has moved to reassure people that it will continue to invest in safe browsing and maintaining internet security in order to deal with evolving cybercrime technology.

Businesses must ensure PCI DSS compliance in age of online retail shopping

As technology evolves, consumers are being provided with more tools than ever before with which to meet their shopping needs.

While this offers an exciting new frontier for innovative retailers, it is worth considering the importance of consumer safety and Payment Card Industry Data Security Standard (PCI DSS) compliance during this time.

The IBM Center for Applied Insights has just released a new study into the modern world of digital retail, titled The Value of a Smarter Shopping Experience, and the results are an indication of just how enormous the potential for online business success is.

"To win in today’s increasingly competitive marketplace, it is imperative for retailers to understand how consumers engage with their brand across all possible points of interaction," reads the document.

"No longer is a one-size-fits-all approach good enough, as today’s smarter consumers demand that retailers meet their unique needs and timeframes."

According to the International Telecommunications Union (ITU), there are now 5.9 billion mobile-cellular subscriptions worldwide – that's global penetration of 87 per cent.

Furthermore, the ITU states that one-third of the 1.8 billion households worldwide now have internet access.

In order to fully capitalise on this market, IBM suggests that retailers deliver an engaging, timely and consistently aware online shopping experience for users.

However it is important to note that any business which accepts credit or debit card payments, whether it be online or in a traditional bricks and mortar environment, needs to ensure that it is up to date with PCI DSS compliance.

This standard guarantees that retailers are fulfilling their obligations when it comes to protecting customer information, in order to ensure any potential for cybercrime or information theft is minimised.

IBM asserts that five key competencies are required for retailers to realise the rewards of investment in a smarter shopping experience – integrated information, prescriptive insight, precision marketing, relevant experience and continuous dialogue.

Increasing popularity of BYOD a security risk, study confirms

June 25, 2012

Handheld devices such as tablet computers and smartphones are revolutionising the way modern offices do business. However these gadgets can bring with them a variety of risks for anyone who fails to ensure the security of their company.

Network security company Fortinet has released the results of a recent survey into the popularity of these new forms of technology and the growing population of Bring Your Own Device (BYOD) users.

The firm surveyed 3,872 university graduates from 15 different countries – all in their 20s and in full time employment – who owned their own smartphone, tablet or laptop computer.

It found that while 42 per cent of respondents understood the increased risk of data loss and exposure to security threats that comes with BYOD, 36 per cent admitted that they would still take the chance of bringing such devices into work even if corporate policy forbade them from doing so.

Furthermore, 30 per cent of those surveyed admitted that they would be willing to use non-approved applications in the workplace.

“The survey clearly reveals the great challenge faced by organisations to reconcile security and BYOD,” said Fortinet’s international vice-president of international sales and support Patrice Perche.

“Within such an environment, organisations must regain control of their IT infrastructure by strongly securing both inbound and outbound access to the corporate network,”

If you are concerned about the risk that BYOD brings to your workplace, it may be worthwhile to consider a Due Diligence Assessment in order to fully assess any threats and compliance gaps in your system.

Due Diligence Assessments provide you with the means to evaluate whether your business is fully protected against the latest security risks, and equip you with the information necessary to ensure that you remain protected in the future.

Microsoft recently announced that it would be entering the tablet market with the release of the Surface, a move that is sure to bolster the popularity of BYOD even further.

Lawsuit argues LinkedIn failed to meet vulnerability management obligations

June 22, 2012

Security breaches like the one that affected professional social networking site LinkedIn on June 6 can be costly, both financially and in terms of lost consumer confidence.

Penetration testing can often prevent such instances and help ensure your company is storing user information securely.

LinkedIn is now facing a class action lawsuit over the aforementioned incident, which saw cyber criminals hack its information database and release 6.5 million user passwords onto a Russian internet forum.

The lawsuit, filed in Canada, asserts that LinkedIn did not meet its obligations of vulnerability management, as it did not salt its passwords – a practice commonly considered standard industry protocol.

"Despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilise basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format," reads the lawsuit.

LinkedIn responded by arguing that no member accounts were breached and that no user has suffered any undue injury relating to the incident.

"Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation," said LinkedIn.

LinkedIn could potentially find itself liable for $5 million in damages if the lawsuit is successful.