If you haven't read the latest article by John Markoff, be sure to check it out. The article, called Vast Spy System Loots Computers in 103 Countries, describes a web of espionage targeting various embassies, government and private offices around the world. Most fingers point towards China, and I personally think that this has been coming for quite a while.
What is interesting is that the paper on which the NYTimes article is based mentions Malta quite a few times. Here's a quote from page 5:
Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.
On page 43 the authors provide a table listing the organisations infected, their location and the number of infections. On the whole, the embassies of Malta appear to have had 17 infections! Many other embassies are mentioned, as well as organisations like Deloitte & Touche in New York.
Today is Friday, and that's good because there is a long weekend round the corner. Unfortunately for me, though, these coming weeks I'm holed up doing my thesis and preparing for my final June exams =(
To humour me, G fished this from Eatliver.com ... and I couldn't help sharing it! Click the thumbnail for this post and you'll understand why I rolled over with laughter...
Yesterday's presentation, entitled 'The Realm of Digital Forensics', went great! Good turnout, engaged audience and healthy discussions. I was pleasantly surprised to see a balanced mix of people, including women. I would like to thank Gordon and Anthony of the local ISACA chapter for giving me the opportunity to give this talk. The PowerPoint presentation is available on request.
Finally, we DO have a March competition winner. Thanks to all those who sent in their entries. We will be announcing the winner on Twitter, so if you haven't joined yet, get cracking and follow us.
I will be giving a presentation at an educational event organised by the ISACA Malta Chapter, entitled The Realm of Digital Forensics, details of which are below:
Date: Thursday 26th March 2009
Venue: Malta Federation of Professional Associations (MFPA) Sliema Road, Gzira
Time: 16:30 to 18:30
Once again, another article I stumbled upon talks about passwords. It seems that this extremely convenient and widely used method of authentication always makes the headlines, and the main reason is that despite all the awareness around us that we should take care when picking passwords, we still don't. That is the problem.
According to CIO.com, 33% of web users rely on the same password for a number of websites. WOW... now if I were an attacker, with all these social networking websites sprouting like mushrooms, I would have a perfect playground when it comes to choosing which website to break into, knowing that users tend to use the same password across websites like Amazon and PayPal. The weakest site's password database becomes the key to every account that shares its password.
According to the security firm [Sophos], just 19 percent never use the same password twice. Sophos added that three years ago, 41 percent of web users said they used the same password, indicating that just 8 percent of web users have realised the importance of strong, unique passwords.
Do we actually realise that using the same password for several websites is like putting all your eggs in one basket? Is it that difficult for users to choose an intelligent password?
We've discussed in previous articles why passwords suck; here are some tips we'd recommend:
1. If you have to use a password, choose a passphrase, not a common dictionary word, and associate it with something current so that you remember it
2. Use a Firefox extension like PasswordHasher, which derives a different password for each site from one master secret, so a breach at one site does not expose your account at another
3. Don't choose anything shorter than 8 characters, and aim for 13 or more; length does more for you than complexity
4. Special characters help, but the predictable substitutions everybody reaches for, such as '@' for 'a' or '0' for 'o', are built into every password cracker's word-mangling rules, so they make dictionary and brute-force attacks only marginally harder; put symbols where a rule would not predict them
5. Store your passwords in a password manager like KeePass (free), protected by a strong master passphrase
6. Finally, change your password every so often, and immediately if a site you use reports a breach
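As an added example (not code from the original post, nor from the PasswordHasher project), the Python script below illustrates tips 2 and 4 above. It shows a hypothetical per-site derivation in the spirit of PasswordHasher, using PBKDF2-HMAC-SHA256 with the site name as salt (an assumption; the extension's own algorithm is not reproduced here), beside a small dictionary attack whose substitution rule recovers a "hardened" password like p@$$w0rd from an unsalted hash. The master secret, site names, wordlist and leaked hash are all constructed for the example.

```python
import base64
import hashlib
import itertools
from typing import Iterable, Iterator, Optional

# Hypothetical per-site derivation in the spirit of tools like PasswordHasher:
# one master secret, one site tag, one distinct password per site. This is an
# illustration, not the extension's own algorithm. PBKDF2-HMAC-SHA256 with the
# site tag as salt; the iteration count slows offline guessing of the master.
def derive_site_password(master: str, site_tag: str, length: int = 16,
                         iterations: int = 100_000) -> str:
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_tag.lower().encode("utf-8"), iterations)
    # Base64 yields letters, digits and '+' '/'; keep a typeable prefix.
    return base64.b64encode(key).decode("ascii")[:length]

# The "@ for a, 0 for o" substitutions are a stock mangling rule in password
# crackers. Trying every combination over a dictionary word costs at most
# 2**k candidates for k substitutable letters, which is nothing for a cracker.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

def leet_variants(word: str) -> Iterator[str]:
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)

def sha1_hex(s: str) -> str:
    # Unsalted SHA-1, the kind of hash that leaks from a poorly built site.
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

def crack(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack with the substitution rule; returns the plaintext or None."""
    for word in wordlist:
        for candidate in leet_variants(word):
            if sha1_hex(candidate) == target_hex:
                return candidate
    return None

if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed master secret
    for site in ("amazon.com", "paypal.com"):
        print(site, derive_site_password(master, site))
    leaked = sha1_hex("p@$$w0rd")                     # constructed leaked hash
    wordlist = ["hello", "welcome", "password", "letmein"]  # constructed wordlist
    print("substituted dictionary word:", crack(leaked, wordlist))
    derived = derive_site_password(master, "amazon.com")
    print("derived site password:", crack(sha1_hex(derived), wordlist))
```

Running it prints two different passwords derived from the same master secret, shows the substituted dictionary word falling within a handful of guesses, and shows the derived password surviving the same wordlist. A breach at one site therefore yields nothing usable at another, which is the whole point of tip 2.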
Update1: Thanks to Graham of Sophos, you can watch this video with more suggestions
Update2: Here's another short video from author and speaker Michael J. Santarcangelo, II
Looking at the local scene, I still see a lot of local businesses holding off on the idea of making sure that what they do is done securely. Sure, we invest in physical security systems, which is the minimum one can do, but the concept of protecting data and information at a logical level has not yet hit home. For many, the attitude is "Hey, nothing has happened so far, has it? So why spend extra cash on IT security now?" In reality, that security perspective is categorically wrong. Look at it instead as insurance for whatever data and information is important to your business, and the opinion might change. Sure, you would be spending money with no apparent return, but have you thought about what you are safeguarding?
In an article on The Register, Jon Collins hits the nail on the head...
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).
Yet another article on The Register reports a recent survey in which three quarters of IT staff were reputed to take security seriously.
Amongst the many security fairs and conferences around (you can check a lot of them here), this April I will be attending Infosec London at Earls Court. Having already visited the Infosec fair in 2007, this time I have carefully planned out what I intend to do.
One of the main reasons I am going up this year is to follow some of the technical track seminars, some of which I know for a fact I will be referencing in my thesis. Some of the more interesting ones are listed below:
- Identifying Insider Threats Using Behavioural Analysis Mr Geoff Sweeney, Chief Technology Officer, Tier-3
- Security Testing: The Future Of Internal Assessment And Assurance Mr Alex Horan, Product Manager, Core Security Technologies
- Vulnerabilities Of Encryption – It’s A Cold, Hard World Mr Dave Jevans, CEO, IronKey
- Is Deploying A NAC Solution Really Complicated? Mr Sanjay Beri, VP, Access Solutions, Juniper Networks
- Bridging The Gap Between IT Security And User Accessibility Mr Stewart Gale, Network Services Manager, Meggitt
- Trends In Information Security Compromises - A Pragmatic View From A Hands-On Incident Response Team Mr Dan Haagman, Chief Operating Officer, 7Safe Information Security
- How Virtualisation Technologies Impact PCI-DSS Compliance Mr Gene Kim, CTO and Founder, Tripwire
That is not to mention the business seminars going on and the many vendors exhibiting. For one thing I am expecting the presentations to be jam-packed; hopefully this time round seating will be adequately seen to. Back in 2007 the queues were amazing, especially for the keynote speech entitled The Psychology of Security by Bruce Schneier.
As usual there will be the Hackers Panel, whose panel list is never released until the actual talk, for legal reasons. Its title, Corporate Espionage, is very much in line with the topic of my thesis, so once again I hope to absorb ideas and include them to further prove my point.
If anybody is going up, feel free to drop me an email; I never mind meeting up for a chat over a few beers =)