Mar 29
If you didn't read the latest article by John Markoff, be sure to check it out. The article, called Vast Spy System Loots Computers in 103 Countries, talks about a web of espionage that has been going on at various embassies, government and private offices around the world. Most fingers point towards the Chinese, and I personally think that this has been coming for quite a while.

What is interesting is that the paper on which the NYTimes article is based mentions Malta quite a few times. Here's a quote from page 5:
Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.


On page 43 the authors provide a table listing the infected organizations, their location and the number of infections. In total, the embassies of Malta appear to have had 17 infections! Many other embassies are mentioned, as well as organizations like Deloitte & Touche in New York.

Posted by Sandro Gauci

Mar 28

Just stumbled upon a cool twitter site that will come in handy (especially if you're not going to infosec Europe next month)

It's http://monitter.com.  Just add in #infosec and soon you'll feel like you're experiencing the event first-hand...sorta...kinda.


Posted by

Mar 27
Robert Dutu
Today is Friday - and that's good because there is a long weekend round the corner. Unfortunately for me though these coming weeks I'm cramped down doing my thesis and preparing for my final June exams =(

To humor me, G has fished this from Eatliver.com ... and I couldn't help sharing! Click the thumbnail for this post and you'll understand why I rolled over with laughter...

Yesterday's presentation entitled 'The Realm of Digital Forensics' went great! Good turnout, engaged audience and healthy discussions. I was pleasantly surprised to see a balanced mix of people, including women. I would like to thank Gordon and Anthony of the local ISACA chapter for having given me this opportunity to give my talk. The PowerPoint presentation is available on request.

Finally, we DO have a March competition winner. So thanks to all those who sent in their entries for the competition. We will be announcing the winner on Twitter, so if you haven't joined yet, get cracking... and follow us.

Posted by Donald Tabone

Mar 21
I will be giving a presentation at an educational event organised by the ISACA Malta Chapter, entitled The Realm of Digital Forensics. The details are below:
Date: Thursday 26th March 2009
Venue: Malta Federation of Professional Associations (MFPA) Sliema Road, Gzira
Time: 16:30 to 18:30


More details can be obtained from here.

Download the event PDF from here.

The presentation will be available as a download after the event.

I look forward to seeing you.

-Donald

Posted by Donald Tabone

Mar 12
We are advised that ClearDimension will be starting a Security+ course at the end of March 2009.
It will be a 50-hour course, once weekly for 15 sessions.

For more information, please call Clear Dimension Ltd. on +356 27018611 or visit their website www.cleardimension.net

Posted by Donald Tabone

Mar 12

Once again, another article I stumbled upon talks about passwords. It seems that this extremely convenient and widespread method of authentication always makes the headlines, and the main reason is that, despite all the awareness around us that we should take care when picking passwords, we still don't. That is the problem.

According to CIO.com, 33% of web users rely on the same password for a number of websites. WOW... now if I were a hacker, with all these social networking websites sprouting like mushrooms I would definitely have a perfect playground when it comes to choosing which website to hack, especially knowing that users tend to use the same password across websites like Amazon and PayPal.
According to the security firm Sophos, just 19 percent never use the same password twice. Sophos added that three years ago, 41 percent of web users said they used the same password, indicating that just 8 percent of web users have realised the importance of strong, unique passwords.


Do we actually realise that using the same password for several websites is like putting all your eggs in one basket? Is it that difficult for users to choose an intelligent password?
We've discussed in previous articles why passwords suck; nevertheless, here are some tips we'd recommend:

1. If you have to use a password, choose a passphrase, not a common dictionary word; associate it with something current
2. Use a Firefox extension like PasswordHasher, perfect for unique passwords on different sites
3. Don't choose anything less than 8-13 characters
4. Use some special characters to replace normal characters, for example '@' instead of 'a', perfect for making brute-force hacking that much harder
5. Store a list of your passwords in a program like KeePass (free)
6. Finally, change your password every so often
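The "unique password per site" idea behind tip 2, as an added example that is not code from the post and not the PasswordHasher extension's own algorithm: one master passphrase is stretched with PBKDF2 and bound to the site name, so the Amazon and PayPal passwords the article worries about come out different, and a leak at one site reveals nothing about the other. The iteration count, the salt prefix and the character-class rules are assumptions of this example.

```python
import base64
import hashlib

# Added example (not code from the post, and not the PasswordHasher extension's
# own algorithm): derive a distinct password for every site from one master
# passphrase, so a password leaked from one site says nothing about the others.

ITERATIONS = 200_000   # PBKDF2 work factor: slows offline guessing of the master
SYMBOLS = "!@#$%^&*"   # special characters, as tip 4 recommends

def _site_tag(site: str) -> str:
    """Normalise the site name so 'www.Amazon.com' and 'amazon.com' agree."""
    tag = site.strip().lower()
    return tag[4:] if tag.startswith("www.") else tag

def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Return a deterministic, site-specific password of `length` characters."""
    if length < 8:
        raise ValueError("tip 3: never go below 8 characters")
    # Stretch the master passphrase; the salt binds the result to the site.
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        b"site-password-v1:" + _site_tag(site).encode("utf-8"),
        ITERATIONS,
        dklen=32,
    )
    # base64 yields letters, digits, '+' and '/'; keep the first `length` chars.
    chars = list(base64.b64encode(raw).decode("ascii")[:length])
    # Force one digit and one symbol at two distinct positions taken from the
    # hash itself, so the output stays deterministic for a given master+site.
    digit_pos = raw[0] % length
    symbol_pos = (digit_pos + 1 + raw[1] % (length - 1)) % length
    chars[digit_pos] = "0123456789"[raw[2] % 10]
    chars[symbol_pos] = SYMBOLS[raw[3] % len(SYMBOLS)]
    return "".join(chars)

def meets_policy(password: str) -> bool:
    """Check the post's tips: at least 8 chars, with a digit and a symbol."""
    return (len(password) >= 8
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))

if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed passphrase
    for site in ("amazon.com", "www.Amazon.com", "paypal.com"):
        print(f"{site:16} {derive_site_password(master, site)}")
```

Because the output is deterministic, nothing has to be stored; the cost is that the master passphrase must itself be long, since it is the one secret behind every site.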


Update 1: Thanks to Graham of Sophos, you can watch this video with more suggestions.
Update 2: Here's another short video from author and speaker Michael J. Santarcangelo, II (read the whole post).


Simple tips for better web password security from Sophos Labs on Vimeo.

Continue reading "Time to change your passwords"

Posted by Donald Tabone

Mar 5

Unauthorised software was yesterday identified by the Information Security and Risk Management Department of the Malta IT Agency (Mita) on a server used for the storage of user credentials of personnel in Maltese embassies abroad.

This unauthorised software was identified by security monitoring and alerting tools which have been recently implemented by the agency within an overall framework of security tightening.

Immediately upon detection Mita requested its US-based IT security advisory firm to provide it with an assessment of the potential breach based on the evidence collected by Mita.

The preliminary analysis indicated that the said software had the potential to extract user names and passwords on the embassies server only.

Analysis and assessment of any evidence of similar attacks on other servers was carried out, with no such evidence resulting. In the meantime, more assessments were being carried out, Mita said.

It said that although it had no evidence that any breach had occurred, to ensure absolute safety of the integrity of data in its responsibility, Mita throughout last night carried out an operation which entailed the disabling of all accounts of users on the said servers and users occupying sensitive positions.

Although currently there was no indication whatsoever of a breach on the servers hosting the user credentials of people in sensitive positions, this preventive measure ensured that these users were not exposed to unnecessary risks.

The rest of the users would be requested to change their password credentials to close out even the most remote risk.

The detection of this attempted breach and the neutralisation of its potential impact was possible following a series of investments made in the recent months by Mita, including the deployment of intrusion prevention systems, tighter policies and stronger password storage technology.

As a direct result of these measures, the length of time required for a perpetrator to decrypt a password is significant and well beyond the short period of time within which the said accounts may have been possibly exposed.

In the meantime, Mita was currently communicating the state of play to all the IT services users in the government and was working through chief information officers in ministries and public sector entities to ensure that users were made aware both of the incident and also of the preventive action taken by Mita to safeguard their information security.

In the meantime the concerned server has been isolated and the police have been informed. Source

Continue reading "Embassies' server suffers cyber attack"

Posted by Donald Tabone

Mar 4
Looking at the local scene, I still see a lot of local businesses holding off on the idea of making sure that what they do is done securely. Sure, we invest in physical security systems, which is the minimum one can do to say the least, but the concept of protecting data and information at a logical level has not yet hit home. For many, the attitude is "Hey, nothing has happened so far, has it? So why spend extra cash on IT security at this point in time?" In reality, the security perspective behind that statement is categorically wrong. If you look at it as insurance for the data and information that is important to your business, the opinion might change. Sure, you would be spending money with no apparent return, but have you thought about what you're safeguarding?

In an article on The Register, Jon Collins hits the nail on the head...
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).


In yet another article on The Register a recent survey showed that three quarters of IT staff were reputed to take security seriously.


Source

Continue reading "Taking IT Security seriously"

Posted by Donald Tabone

Mar 3
A free lecture in the series of Lectures from St Martin's Institute of IT is being offered to the interested public on Friday, 6th March 2009 at 6:00 pm.

This lecture will be delivered by Dr Lizzie Coles-Kemp B.A.(Hons), M.Sc., Ph.D. (London) from the Information Security Group, Royal Holloway, University of London, and will discuss the topic:

ISO 27001: the challenges of gaining and maintaining compliance with a security management standard

Further details including booking available through [email protected]

ISACA MALTA CHAPTER

Posted by Donald Tabone

Mar 2
Amongst the many security fairs and conferences that are around (you can check a lot of them here), this April I will be attending Infosec London @ Earls Court. Having already visited the Infosec fair in 2007, this time I have carefully planned out what I intend to do.

One of the main reasons that I am going up this year is to follow some of the technical track seminars -- some of which I know for a fact I will be referencing in my thesis. Some of the more interesting ones are mentioned below:

- Identifying Insider Threats Using Behavioural Analysis (Mr Geoff Sweeney, Chief Technology Officer, Tier-3)
- Security Testing: The Future Of Internal Assessment And Assurance (Mr Alex Horan, Product Manager, Core Security Technologies)
- Vulnerabilities Of Encryption: It's A Cold, Hard World (Mr Dave Jevans, CEO, IronKey)
- Is Deploying A NAC Solution Really Complicated? (Mr Sanjay Beri, VP, Access Solutions, Juniper Networks)
- Bridging The Gap Between IT Security And User Accessibility (Mr Stewart Gale, Network Services Manager, Meggitt)
- Trends In Information Security Compromises: A Pragmatic View From A Hands-On Incident Response Team (Mr Dan Haagman, Chief Operating Officer, 7Safe Information Security)
- How Virtualisation Technologies Impact PCI-DSS Compliance (Mr Gene Kim, CTO and Founder, Tripwire)


That is not to mention the business seminars going on and the multiple vendors exhibiting. For one thing, I am expecting the presentations to be jam-packed; hopefully this time round accommodation will be adequately seen to. Back in 2007 the queues were amazing, especially for the keynote speech entitled The Psychology of Security by Bruce Schneier.

As usual there will be the Hackers Panel, whose panel list is never released until the actual talk, for legal reasons. The title, Corporate Espionage, is very much in line with the topic of my thesis, so once again I hope to absorb ideas and include them to further prove my point.

If anybody is going up, feel free to drop me an email -- I never mind meeting up to chat over a few beers =)

-Donald

Posted by Donald Tabone
