Monthly Archives: July 2012

Why PCI DSS compliance is a valuable investment

July 30, 2012

With a whole range of different requirements and recommendations which can often vary based on the size and scope of the organisation, it is understandable that some people might feel overwhelmed when tackling PCI DSS compliance.

Like any part of business, adhering to PCI DSS brings with it various expenses, but it is important to consider the reward that meeting these requirements can bring as well.

Continue reading

Microsoft security blog offers vulnerability management advice

July 27, 2012

Microsoft group program manager Eric Doerr has provided some basic vulnerability management tips aimed at reducing the risk of cyber criminals exploiting your private information.

In a new Windows security blog post published July 15, Mr Doerr noted that the biggest mistake many users are making is reusing passwords between multiple accounts.

"Criminals have become increasingly sophisticated about taking a list of usernames and passwords from one service and then ‘replaying’ that list against other major account systems," wrote Mr Doerr.

"When they find matching passwords they are able to spread their abuse beyond the original account system they attacked."

He went on to encourage all internet users to choose strong, unique passwords and to be careful when using private accounts in public places, as well as to install strong anti-virus software.

In a time when news of security breaches and information theft seems to be emerging all too regularly, this is a valuable reminder of the importance of having a good security policy in place at your organisation.

If you are concerned about the risk of cybercrime to your business, than a professional third party security audit can be an excellent way of reducing the risk of unauthorised access and making sure your employees understand the value of correct security protocols.

Continue reading

Def Con 20 an example of ethical hacking in action

July 26, 2012

Look out Las Vegas, Def Con is coming.

One of the world’s largest annual computer hacking conventions, the event will see technophiles from across the globe gathering in the city of sin to discuss issues such as unique research, new cyber security tool releases and cybercrime.

Founded in 1993 by The Dark Tangent (known in the offline world as Jeff Moss), Def Con not only allows computer hacking – it encourages it. Continue reading

New survey to shed light on state of cybersecurity in Australia

A new survey conducted by the National Computer Emergency Response Team (CERT) will soon be shedding light on the state of vulnerability management and cybercrime in Australia.

Nearly 500 organisations from across the country will take part in the Cybercrime and Security Survey, sourced from industries ranging from finance, communications, energy, food and even the transport sector.

According to attorney-general Nicola Roxon, the survey will provide insight into the impact of cybercrime on Australian businesses as well as the wider economy.

"Cyber security is an important issue so I will be writing to CERT Australia’s stakeholders to request their contribution to the survey," said Ms Roxon on July 20.

"Cybercrime is a global problem but while international reports and experiences are informative they don’t provide a clear picture of what’s happening here."

Continue reading

How red cell ethical hacking assessments can benefit your business

Cybercriminals are unpredictable by their very nature. They strike often when you least expect, using technology and strategies that you may not have prepared for.

Their goals and intentions may vary, from financial theft to vandalism to misdirected attempts at protest, but no matter what they are trying to achieve it is certain to be massively disruptive to your business.

Internal security assessments are the bare minimum for ensuring that your confidential information is protected by potential attacks, but for organisations determined to prevent hackers from penetrating their systems, a red cell assessment is one of the best options available.

Red cell assessment teams consist of highly trained and knowledgeable ethical hacking experts who are equipped with the skills required to pre-empt the most unpredictable of cyber threats.

Using techniques designed to simulate a real attack, a red cell team will attempt to penetrate your system and locate a hidden folder in much the same way that a real cybercriminal would.

Of course, because this is a professional service, you are guaranteed that your private company information remains secure and that there will be minimal downtime or productivity loss to your business.

At the end of the simulation you will be provided with a complete evaluation of the strengths and weaknesses of your system, alongside a comprehensive report into the ways in which you can improve your security protocols.

Computer hacking is not just the domain of fiction and Hollywood films, with recent incidents at LinkedIn and Yahoo! demonstrating just how real the risk of cybercrime is to modern businesses.

For organisations looking to ensure that their confidential information is secure, red cell ethical hacking assessments are an essential part of ensuring that vulnerability management is up to scratch.

Continue reading

HTTPS In Abrupt – by ThiĆ©baud Weksteen

For any of you who have ever played with the Android emulator, you may have noticed the following hiccup: when trying to establish an HTTPS connection – the browser tries to connect to the IP address of the server, rather than its FQDN. Even though in normal usage this is not a problem, it might still create some trouble when using classic HTTPS proxies (e.g. when performing security testing of an application).

HTTPS proxies

Here is an example of how an intercepting proxy works (e.g. Burp Suite):

  1. The browser connects via the proxy using something like “CONNECT HTTP/1.1”
  2. The proxy will answer that the connection has been established and at the same time generate a new certificate with the required domain name.
  3. What happens next will depend on your configuration:
    • If your browser has the Burp CA certificate installed, it will send the request.
    • If your browser does not have the Burp CA Certificate installed, a warning will be displayed on screen (CA unknown).

As you can see this works perfectly for standard usage of HTTPS. Continue reading

Mobile phone uptake highlights need for PCI DSS compliance

New research has confirmed that people around the world are buying into the smartphone craze in greater numbers than ever before.

Around three quarters of the global population now have access to a mobile phone, according to a new report from World Bank and infoDev entitled Information and Communications for Development 2012: Maximizing Mobile.

"Mobile communications offer major opportunities to advance human and economic development – from providing basic access to health information to making cash payments, spurring job creation, and stimulating citizen involvement in democratic processes," said Rachel Kyte, World Bank vice president for sustainable development in a press release date July 17.

"The challenge now is to enable people, businesses, and governments in developing countries to develop their own locally-relevant mobile applications so they can take full advantage of these opportunities."

Just over a decade ago, in the year 2000, global mobile subscriptions numbered less than one billion. Today that number is over six billion, with the majority of that growth coming from developing countries.

According to Tim Kelly, lead ICT policy specialist at the World Bank, this increase in mobile uptake can be attributed to a range of factors, including the availability of cheaper technology and more powerful networks.

"The mobile revolution is right at the start of its growth curve: mobile devices are becoming cheaper and more powerful while networks are doubling in bandwidth roughly every 18 months and expanding into rural areas," said Mr Kelly.

As mobile phone uptake increases around the world, enterprising retailers are capitalising on this trend by providing new and innovative ways for consumers to shop via their cellular devices.

While this uptake of technology is taking the way we shop to exciting new frontiers, it also brings with it a variety of risks and dangers concerning information theft.

That is why, if you are involved in a business that accepts credit or debit card payments, now is a good time to consider how compliant you are with the current Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of rules and regulations set down by several of the world's leading payment card service providers in order to ensure that customer information is safely managed by retailers.

It applies to any business which processes credit or debit card information, no matter how big or small they may be, and covers both traditional brick and mortar stores as well as retailers operating in the online environment.

The World Bank report also found that more than 30 billion mobile applications were downloaded in 2011, an indication of how much cell phone users value convenience and innovative technology.

Continue reading

Facebook releases Malware Checkpoint

Social media service Facebook is aiming to assist users with vulnerability management by providing access to a malware checkpoint service free of charge.

Malware, shorthand for Malicious Software, is any type of software used by cybercriminals with the objective of disrupting usual processes or stealing confidential information.

In the past, any user which Facebook believed may have been affected by malware received a notification and was provided with the necessary software to remove the infection.

Facebook users will now be able to download this software free of charge at any time if they suspect they may be infected with Malware

"Previously, if you suspected you may have malware installed on your device, you would either need to run anti-virus on your device or wait until Facebook identified an actionable threat," reads the announcement, published in a blog by Facebook Security on July 11.

"Now, with our new self-enrollment [SIC] malware checkpoint, you will be able to proactively obtain your choice of a free anti-virus product to scan and clean your system."

Problems may have already risen with the technology however. At the time of writing, an update at the top of the aforementioned post indicates that some users may be experiencing problems with one of the malware checkpoints.

The Facebook security team noted that it is currently working to resolve these issues and will release more information as it becomes available.

Use of Facebook and other social media services in the workplace has become more prevalent in recent years and while this offers certain benefits to employee morale and communication capabilities, it can also bring the same risks that are often associated with internet usage.

Businesses concerned about the risk of malware or other cyber threats should consider undergoing a regular security audit check in order to ensure that company protocols are up to scratch.

Continue reading