Monthly Archives: March 2014

Australian banks targeted by Malware

March 29, 2014

Australian bank customers could be at risk as a new virus designed to steal banking information has begun spreading.

Australian customers have recently fallen victim to a slew of malware attacks. Called Hesperbot, the trojan was first observed overseas in Turkey, which remains its most targeted area. The virus has subsequently been seen in Portugal and the U.K., as well as the Czech Republic.


Board communications security and the move to mobile technologies.

March 27, 2014

This case study follows a review we undertook for an ASX Top 20 company. It addresses security of information at the Executive and Board levels (communications, distribution, sharing, etc.) with the move to mobile technologies in the Boardroom.

The results of our work went straight to the top and culminated in the company re-assessing how they were protecting this strategic and highly confidential information. Not doing so could have had dire results in the event of a compromise. Once we delivered our results, the company understood and responded immediately. (However, most companies are still not doing this as they are unaware of the risks.)

Download here: Case Study – Securing the Technology Change Agenda

Cyber criminals may be changing tactics

March 25, 2014

Cyber criminals may be changing tactics as technology evolves, focusing on new devices that haven’t had proper security systems developed.

Often these new devices are privy to sensitive information, and a data breach could lead a business into significant trouble. Any change in criminal tactics should be cause to update enterprise security systems.


Ensuring business security with the Internet of Things

March 21, 2014

The Internet of Things (IoT) has been a major area of growth for the IT sector over the past few years, promising a wide array of benefits for businesses moving into the space.

Adoption of the trend could lead businesses into security troubles, though, as many won't be equipped to deal with the sheer amount of data produced. As such, security and testing need to become primary considerations for businesses moving into IoT operations.


Case study: Securing the Technology Change Agenda.

Understanding and managing the security risk of technology change initiatives.

Businesses are increasingly seeking to leverage new technologies such as mobile and cloud to enable strategic initiatives, realise business efficiencies, support a flexible, productive workforce and facilitate innovation.

Although these initiatives provide many business benefits, the rapidly evolving technology landscape can also introduce significant security risks that threaten the confidentiality, integrity or availability of sensitive corporate information. In the modern, connected age such compromises can have a significant negative impact on corporate reputation and business performance.

Understanding, identifying and mitigating the security risks inherent in the use of such technology is necessary to allow businesses to realise the benefits of investment in new technology initiatives while maintaining their desired security posture.

Download here: Case Study Securing the Technology Change Agenda

Case study: Security Pitfalls of a Shared Portal.

Lessons learned from a custom portal development project.

This paper sets out to examine the lessons learned from a client who commissioned a custom web portal to be developed. During our security assessment, we found a number of significant security vulnerabilities which led to data theft, account takeover and system compromise.

The security pitfalls which led to the compromises will be outlined along with the recommendations and strategies for avoiding these issues within your own projects.

Download here: Case Study – Client Portal

Do wearables pose a business security threat?

March 20, 2014

Wearable devices are set to be the next area of IT growth, and will certainly see business implementation due to their efficiency and financial benefits.

These devices offer fast communication at lower prices than mobile phones or tablets. By using these devices, businesses will be able to speed up both collaboration and communication. Adopting them, however, will introduce security risks.


Smart Connected Devices could open businesses to unknown threats

March 18, 2014

Growth in the smart connected device (SCD) market this year will reinforce the need for businesses to place mobile technology at the forefront of security concerns. Failing to do so could result in data breaches, leaks and reputation damage.

PCs, tablets and smartphones saw shipments climb over 16 million units in the fourth quarter of 2013 in the United Kingdom alone, with other parts of the world experiencing similar growth. This data comes out of a recent report from the International Data Corporation (IDC). These devices will likely have found their way into workplaces across the country.


How I got root with Sudo

March 17, 2014

By Sebastien Macke, @lanjelot


During security engagements, we regularly come across servers configured with the privilege management software Sudo. As with any software, the principle of least privilege must be closely followed: users must be granted the minimum possible privileges to perform necessary tasks or operations. Therefore, to securely configure Sudo, user accounts must be restricted to a limited set of commands that they can legitimately execute with elevated privileges (usually those of the root account).

Out in the real world, we don’t often see Sudo configured according to the principle of least privilege. But when we do, we always uncover a mistake or two that allows us to escalate our privileges to root, at which point it’s game over. We win.

The purpose of this post is to present a series of examples of common mistakes and insecure configurations that we have seen and leveraged in production environments during security assessments, and how you can make our team’s life that little bit harder.


Australian telco experiences massive privacy breach

March 15, 2014

A large Australian telecommunications provider recently breached privacy laws when the information of 15,775 customers from 2009 and earlier was found to be accessible via the internet. Of this total number, 1,257 were active silent line customers, a service that filters calls.

"This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information," said Privacy Commissioner Timothy Pilgrim.
