
Oct 27
Another week, yet another Monday as exams draw in closer.

This morning my thin client (Epatec/ebox 3850 w/Debian) has shown me the hand all of a sudden and refuses to power on. My Linksys router (WRT54GL with DD-WRT v24 SP2 Eko 10600) also seems to be playing up. Every so often, whilst streaming from my Dreambox (500S) connected over a WPA WDS link, I suddenly get disconnected!?! Disabling the WiFi adapter and re-enabling it kinda gets me to reconnect, but it's d**n frustrating when it happens during the best part of a film you're really into (wife hates it too and gives me bad looks).

Nevertheless - yes - I've spent several hours researching, troubleshooting and tweaking to no avail :-( Curiously, it is not a case of the WiFi drivers on my netbook (EeePC 901) playing up, as even my Nokia N95 seems to disconnect at the very same time my netbook does. I really don't feel like reverting to the original Linksys firmware, so we'll wait and see... patience is a virtue (or so they say).

On to something more positive this morning... everybody likes lists, especially top 10 lists. This morning I encountered an article which talks about the coolest security jobs. Well, I come in ranking at number 7 and number 1, seeing that I also teach Computer Forensics for the NCC Advanced Diploma course :-) Not bad! This is according to a survey conducted by the SANS Institute.

Here is a summary of the list according to SANS:

1. Information security crime investigator/forensics expert.
2. System, network and/or Web penetration tester.
3. Forensics analyst
4. (Tie) Incident response, incident handler
4. (Tie) Security architect
6. Vulnerability researcher
7. (Tie) Network security engineer
7. (Tie) Security analyst
7. (Tie) Sworn law enforcement officer specializing in information security crime
10. (Tie) CISO/ISO or director of security
10. (Tie) Application penetration tester

The top-ranking "coolest" IT security jobs according to non-government security employees:

1. (Tie) System, Network, and/or Web penetration tester
1. (Tie) Information security crime investigator/forensics expert
3. Forensics analyst
4. Vulnerability researcher
5. Application penetration tester
6. Security architect
7. CISO/ISO or director of security
8. (Tie) Incident response, incident handler
8. (Tie) Sworn law enforcement officer specializing in information security crime
10. Security evangelist


Catch the full article here...

Posted by Donald Tabone

Oct 22

Reading this month's ISSA Journal, I came across a good article by Yuval Ben-Itzhak entitled Organised Cybercrime. Yuval interestingly compares the strategic way cybercrimes are carried out to the hierarchy of crime organisations such as the Cosa Nostra or the Mafia.


What is even more interesting, though, are the figures he presents in a section entitled The Effects of Cybercrime.
We know it exists, we know breaches happen, but to what extent are we really affected?

Targeted attacks perpetrated by organized crime are on the increase due to the high return on investment. (Marcus Alldrick, March 13 2008)


Some figures...

Stolen MasterCard or VISA credit card details can be purchased for $15 each, while a stolen EU or UK VISA credit card is priced at $90 each. These figures should begin to put things in perspective.

According to the 2007 Annual Survey: Cost of Data Breach by the Ponemon Institute, the average cost per reported incident in 2007 amounted to $6.3 million, while the cost of lost business per reported incident was estimated at $4.1 million in 2007 - an increase of 30% compared to 2006.

The average cost of each compromised record was $197 while the cost of a data breach in the highly regulated financial sector was $239 per compromised record.

The number of compromised records per data breach is also on the increase. TJX, parent of TK Maxx, had 45.7 million credit/debit card records stolen by 11 cyber criminals; the total cost to TJX so far is a whopping $500 million, including litigation fees and government fines.

Some questions...

Should we begin to take more notice of whom we trust with our personal details? What guarantees are we, as clients, given when we confide them? I certainly think we should take more notice! So far it's a matter of trust...

Should there be a regulatory body set up in Malta that requires insurance companies, law firms, doctors, financial institutions and even the government sector to comply with regulation similar to the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX)? I would certainly tend to agree!

Does adherence to these regulations make us safer? Not necessarily, but it enforces due diligence and makes people accountable.

What do you think?

Posted by Donald Tabone

Oct 15
ENISA
Following reports of a breach in one of the Government's agencies (MITTS), Dr Gatt (Communications Minister) has announced that a National Information Security Agency will be set up in Malta in the coming days.

Quoting the Times of Malta, Dr Gatt said it would be separate from, but complementary to, the Malta IT Agency and the Malta Communications Authority in the information security sector.

Will we follow an EU-wide information security strategy framework such as the one of the European Network and Information Security Agency (ENISA)? We found some info in a PDF on the ENISA website:

Information security management identifies the adequate level of protection for all information assets with regard to a number of information security principles, such as confidentiality, availability, and transparency, and ensures that all assets are protected accordingly. To reach this goal, it has to provide efficient technical and organisational security measures such as Risk Assessment and Risk Management, which are recurring Information Security Processes for ENISA.


No further details are available at this moment; however, we will post more info as it becomes available. Nevertheless, we are glad that this initiative has been taken, albeit following a major mishap.

Following this political turmoil, we sincerely hope that people become more aware of the importance of Information Security in this day and age. You can follow recent events from the links below:

Source
More info @ ISACA - Malta Chapter
ENISA info here

Posted by Donald Tabone

Oct 15

We are pleased to announce that Computer Domain will be holding a CISSP Seminar details of which are below:

Date : Monday 27th October - Friday 31st October 2008

Time: 0830hrs to 1730hrs

Download Application Form

Download CISSP syllabus information

We were advised that this course is fully covered by myPotential scheme. More information can be obtained by directly contacting Computer Domain. Remember that should your inquiry originate from Maltainfosec, you will be eligible for a special discount on the course.


UPDATE2: This CISSP exam will be held on Saturday 15th November 2008


UPDATE: Computer Domain are now offering an early bird registration discount of €350 for those who apply and pay before the 15th September 2008.


Posted by Donald Tabone

Oct 10
As reported on the Times of Malta today, the Passports Office has started issuing biometric passports, providing holders with a more secure travel document. At the moment, the new passports contain the same information as the old ones, with the difference that the information is held in a more secure manner in a chip embedded in the document. In the future, the chip will also carry an image of the holder's fingerprint.

(The minister) Dr Gatt said the introduction of the new passports was also an important step by Malta to meet US requirements for eligibility to the visa waiver programme.

As some readers correctly pointed out in the comments on the original article, there already are some hacks out and about (more on those here); however, the EU is also counteracting. A recent article on The Register talks about 'second generation' electronic passports and the measures the EU is taking to ensure their overall security.
This second-generation framework, known as Extended Access Control (EAC), is intended to combat impersonation as well as forgery through the addition of biometrics such as a fingerprint or iris scan. This biometric data is digitally signed and included in the ePassport, so a reader can detect a data group that has been altered or substituted.


The Register (19 Sept 2008) goes on to discuss testing times ahead: the race between those cracking these passports and those securing them has only just begun, which puts the overall security design into question. Needless to say, whilst some are arguing about the overall cost of this whole new implementation, this is the way forward and there is no going back. We'll have to wait and see what happens next (and I hate saying that...).
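To make concrete what "digitally signed and included in the ePassport" buys an inspection system, here is an added example in Go (not code from this post, The Register, or any ePassport implementation). It models the chip's data groups (DG1 MRZ, DG2 face, DG3 fingerprint) and a simplified Document Security Object holding one hash per data group plus the issuing state's signature over the hash table, which is the passive authentication check a reader performs. Real passports carry a CMS-signed security object with RSA or ECDSA document signer keys under ICAO Doc 9303; this example substitutes Ed25519 from the Go standard library, and every data group below is a constructed placeholder. It then runs two attacks against the check: swapping the fingerprint data group on a copied chip, and re-signing the modified chip with an attacker-generated key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// DataGroups models the chip's logical data structure: DG1 is the MRZ,
// DG2 the facial image, DG3 the fingerprint template(s).
type DataGroups map[int][]byte

// SecurityObject is a simplified stand-in for the Document Security Object:
// one hash per data group plus the issuer's signature over the hash table.
// Ed25519 is an assumption of this example; real SODs use RSA/ECDSA in CMS.
type SecurityObject struct {
	Hashes    map[int][32]byte
	Signature []byte
}

// encodeHashes serialises the hash table deterministically (sorted by DG
// number) so issuer and inspection system sign and verify identical bytes.
func encodeHashes(h map[int][32]byte) []byte {
	keys := make([]int, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Ints(keys)
	var buf bytes.Buffer
	for _, k := range keys {
		var tag [2]byte
		binary.BigEndian.PutUint16(tag[:], uint16(k))
		buf.Write(tag[:])
		sum := h[k]
		buf.Write(sum[:])
	}
	return buf.Bytes()
}

// Issue is the issuing state's side: hash every data group and sign the
// hash table with the document signer key. Only the hashes are signed, so
// a substituted biometric shows up as a single mismatching hash.
func Issue(dgs DataGroups, signer ed25519.PrivateKey) SecurityObject {
	hashes := make(map[int][32]byte, len(dgs))
	for n, data := range dgs {
		hashes[n] = sha256.Sum256(data)
	}
	return SecurityObject{Hashes: hashes, Signature: ed25519.Sign(signer, encodeHashes(hashes))}
}

// Verify is the inspection system's side (passive authentication): check the
// signature against the issuer's public key, then recompute every data
// group's hash. It reports the first failure found.
func Verify(dgs DataGroups, sod SecurityObject, issuerPub ed25519.PublicKey) error {
	if !ed25519.Verify(issuerPub, encodeHashes(sod.Hashes), sod.Signature) {
		return errors.New("security object signature invalid: not signed by the issuer")
	}
	for n, data := range dgs {
		want, ok := sod.Hashes[n]
		if !ok {
			return fmt.Errorf("DG%d present on chip but not covered by the security object", n)
		}
		if sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d hash mismatch: data group was modified", n)
		}
	}
	return nil
}

// Demo inspects a genuine chip, a copy with DG3 swapped, and a copy whose
// security object was re-signed by the attacker. All data is constructed.
func Demo() (genuine, tampered, forged error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chip := DataGroups{
		1: []byte("P<MLTSAMPLE<<HOLDER<<<<<<<<<<<<<<<<<<<<<<<<<"), // MRZ placeholder
		2: []byte("JPEG-FACE-IMAGE-PLACEHOLDER"),                  // facial image placeholder
		3: []byte("ISO-19794-FINGER-TEMPLATE-PLACEHOLDER"),       // fingerprint placeholder
	}
	sod := Issue(chip, issuerPriv)
	genuine = Verify(chip, sod, issuerPub)

	// Attack 1: copy the chip contents but substitute the fingerprint DG.
	cloned := make(DataGroups, len(chip))
	for k, v := range chip {
		cloned[k] = v
	}
	cloned[3] = []byte("ATTACKER-FINGER-TEMPLATE")
	tampered = Verify(cloned, sod, issuerPub)

	// Attack 2: re-issue a matching security object under the attacker's own
	// key; the hashes now agree, but the signer is not the issuing state.
	_, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = Verify(cloned, Issue(cloned, fakePriv), issuerPub)
	return genuine, tampered, forged
}

func main() {
	genuine, tampered, forged := Demo()
	fmt.Println("genuine chip:         ", genuine)
	fmt.Println("DG3 substituted:      ", tampered)
	fmt.Println("re-signed by attacker:", forged)
}
```

The genuine chip passes, the substituted fingerprint fails on the DG3 hash, and the attacker-signed security object fails on the signature. The caveat a practitioner should keep in mind is that this check only proves the data was signed by the issuer; a bit-for-bit copy of a genuine chip carries a valid signature too, which is why the EAC generation adds chip-side key operations (chip authentication) on top of the signed data rather than relying on the signature alone.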

More information on the hack can be found here (1st Oct 2008)

Relevant links:

Times of Malta Source
Original Times of Malta article
More official news from Ministry of Foreign Affairs
Biometrics Deployment of EU-Passports Specification can be found here

Posted by Donald Tabone
