Monthly Archives: February 2013

PCI SSC releases cloud computing security guidelines


February 27, 2013

The PCI Security Standards Council (PCI SSC) has looked to clear up confusion surrounding the emergence of cloud computing by releasing a set of guidelines regarding the safe usage of this technology earlier this month.

In a statement released earlier this month, the PCI SSC – which is the authority behind the Payment Card Industry Data Security Standard (PCI DSS) – explained that businesses would be able to use this resource as a guide for selecting safe cloud solutions and cloud providers.

Continue reading

[FAQ] Security Considerations for Customised Off The Shelf (COTS) Product Security

Introduction

There are a number of elements that relate to the early stages of the Software/System Development Lifecycle (SDLC) that should be considered in regards to security. Unfortunately, for a number of projects, our company becomes involved at the final stages of the process, which often results in highlighting a lack or ineffective due diligence at the early phases. It is difficult to manage a project where the software is found out to be inherintly insecure and often leads to excessive launch delays, greatly increased budget requirements for additional resolution or even an outright cancelling of an expensive project.

While many people hate the analogy of “buying a car” when it is applied to IT, it is actually particularly relevant for product selection. In both cases, you have to be wary of products being rebadged, inferior internals within the product, whether it performs well in a test drive, an inability to easily conduct ongoing maintenance and poor after-purchase support.

Surely if I bought a product from a large software vendor everything would be fine?

A product that carries the supposed weight of a large multinational corporate has absolutely no bearing on its quality. Keep in mind that large corporates typically tend to conduct company acquisitions today rather than gamble on developing a product from scratch internally. The quality of the product is usually directly dependent on the company who authored the software – whom you may not have even heard of.

Continue reading

[Data Breach] – Fund Focus – Jan 2012

An Australian online investment website, Funds Focus, part of Wealth Focus owned by Sulieman Ravell, was temporarily shut down after being hit by a massive distributed denial of service (DDoS) attack.

The Russian masterminds that were behind the attack demanded the owner ransom money to stop the malicious operation that prevented the company from performing its tasks.

Read More: http://news.softpedia.com/news/Funds-Focus-Shut-Down-After-DDoS-Attack-Hackers-Demand-Ransom-246697.shtml

Also: http://www.scmagazine.com.au/News/286905,melbourne-it-hit-with-ddos-legal-threat.aspx

[Breach List] – Fairfax owned tradingroom.com.au – Feb 2012

The Fairfax-owned tradingroom.com.au is the latest financial services related website to be hit with a distributed denial-of-service attack (DDoS).

DDoS attacks make online services unavailable by flooding them with millions of requests for page views at once. They are used to cause business disruption to the targeted site, either by protest – known as hacktivism – or financial gain.

[Breach List] – ANZ bank’s E*Trade – Jan 2012

AUSTRALIA’S second-biggest online broking business, ANZ Bank’s ETrade, was forced to shut down over the Christmas-New Year period by a ”malicious” cyber attack offshore.

The shutdown was prompted by thousands of emails bombarding the broking site, in a denial-of-service attack. The lockout was first noticed by ETrade customers trying to access the site overseas, as the bank shut off access to all overseas users. It is understood that, as risk assessments were performed on individual countries, access was restored.

[Breach List] – Netfleet – Feb 2012

Computer hackers penetrate database of Netfleet, possibly accessing addresses and credit card numbers.

In an email to clients, Netfleet said: ”There appears to have been a security breach of our database … this may have resulted in unauthorised access to some of your customer account information, such as your name, email address, billing address, phone number and a cryptographically scrambled version of your credit card and expiry date.”

Malware, data breach threats highlighted in new McAfee report


February 25, 2013

The McAfee Threats Report for the fourth quarter of 2012 has been released, and it is a document that may be of interest to any organisation concerned about vulnerability management and cyber security.

According to the report, one of the biggest digital security concerns of the last year has been the terrifically rapid growth of mobile malware threats.

Continue reading