Wikipedia & Reputational Risk

A while ago I came across an interesting story on The Register where Wikipedia has banned an IP address for posting racist comments - the catch? The IP address belongs to Volvo's IT division.

Wikipedia is a site that I imagine is not blocked or banned in many companies, as it's used as a major source of information by people all through business (the merits or accuracy of which is a discussion for another time).

Volvo aren't the first organization to be caught wikifiddling: when WikiScanner was released a few years ago, a range of organizations were found to be questionably editing information, including the then-Australian Prime Minister's department and the CIA.

As far as I know the organizations previously 'outed' were mainly revealed to be engaging in pointless vandalism, such as changing Wolf Blitzer's name or adding 'jerk' multiple times to George W. Bush's profile.

A charge of racism is, however, a whole different situation, and one that can certainly bring extremely damaging attention to an organization.

But what to do? Blocking access completely is too draconian for most companies. Policies on blogging and editing online web 2.0 type sites (such as Wikipedia) are a start. Educating the workforce on the type of damage they can do and ensuring they know their access is monitored can act as a proactive deterrent. Combining this with web monitoring/auditing of access allows offenders to be identified and followed up quickly in the event of an incident.
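One way to do the web monitoring/auditing mentioned above, as an added example (not from the original post): flag Wikipedia edit submissions in Squid-style proxy logs so an incident can be traced back to a client IP and proxy user. The log format, the watched host list and the sample log lines are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Squid "native" access.log layout (assumed): time elapsed client result/status bytes method URL user hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

WIKI_HOSTS = (".wikipedia.org", ".wikimedia.org")  # assumed watch list of hosts to audit

# Constructed sample log lines (not real traffic): one page view, one edit form opened, one edit saved, two unrelated
SAMPLE_LOG = """\
1257001234.567    245 10.1.2.3 TCP_MISS/200 4820 GET http://en.wikipedia.org/wiki/Volvo - DIRECT/208.80.152.2 text/html
1257001290.004    120 10.1.2.3 TCP_MISS/200 9310 GET http://en.wikipedia.org/w/index.php?title=Volvo&action=edit jsmith DIRECT/208.80.152.2 text/html
1257001301.112    330 10.1.2.3 TCP_MISS/302 512 POST http://en.wikipedia.org/w/index.php?title=Volvo&action=submit jsmith DIRECT/208.80.152.2 text/html
1257001350.900     88 10.1.2.9 TCP_HIT/200 2048 GET http://www.example.com/ - NONE/- text/html
1257001400.001    410 10.1.2.9 TCP_MISS/200 1024 POST http://www.example.com/login - DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """Return the fields we care about, or None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec

def is_wiki_edit(rec):
    """True when the request saves a MediaWiki edit: a POST to index.php with action=submit on a watched host."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    if not host.endswith(WIKI_HOSTS):
        return False
    action = parse_qs(parts.query).get("action", [""])[0]
    return rec["method"] == "POST" and action == "submit"

def find_wiki_edits(log_text):
    """Return one audit record per edit submission, attributed to client IP, proxy user and page title."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_wiki_edit(rec):
            when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            title = parse_qs(urlsplit(rec["url"]).query).get("title", ["?"])[0]
            hits.append({"when": when, "client": rec["client"], "user": rec["user"], "title": title})
    return hits
```

Only the saved edit (action=submit) is flagged; merely opening the edit form (action=edit) is not, which keeps the audit trail focused on changes actually made.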

It often seems that even 'IT-savvy' staff can completely forget that their actions on the internet can be tracked, traced and may well leave a permanent imprint, especially when it comes to social networking. Adding some general awareness to Information Security education programs along with the usual 'don't click on attachments' may pay off in the long run.

CERT Australia

Looks like our government has decided to increase its efforts in 'cyber-security' by retiring the old GovCERT and rolling the excellent AusCERT into the new CERT Australia (although they need a snappier name!).

It's encouraging to see the government making an effort to assist and encourage increased information security awareness, amongst both businesses and individuals. I can only hope it all works out better than the National Broadband Network and National Internet Filtering Scheme have so far...

Next week David Campbell, the Director of the Australian Government Computer Emergency Readiness Team, is speaking at the AISA Annual Seminar Day in Sydney, so I'm looking forward to hearing what he has to say about this new body, its mandate and goals.

The SID Duplication Myth

Microsoft's Mark Russinovich (formerly of Winternals fame) has posted a great bit of information busting a popular myth about duplicate SIDs on cloned machines.

I admit, I always thought running something like NewSID was mandatory on cloned machines for correct Windows domain and WSUS functionality, but apparently that's not the case.

I can recall some product (it may have been Trend AV, but I could be wrong) that did seem to rely on the machine SID (i.e. on cloned machines pre-NewSID there were problems), but then Mark does mention that while no Microsoft applications look at the machine SID, other 3rd-party applications may still require the use of something along the lines of NewSID.

Also be wary of cloning machines after joining them to a domain as duplicate domain SIDs are a different thing entirely and can cause headaches...

World's greatest resume?

Not really security related, but with the CISSP endorsement process requiring an updated resume, when an email with the below hit my inbox I had to share.

Having been a fine arts student and with a hobby interest in design, this has to be one of the most imaginative and visually stunning resumes ever!

CISSP

I'm happy to say I received my CISSP results today and have passed.
Big thanks to Mark Gill for organizing a CISSP study group through AISA that really helped keep my studies on track. I hope I get the chance to repay him by assisting in the study group when it runs again next year. Thanks also to the guest speakers and my fellow students at the study group who offered their insights, experience and expertise (and bad jokes!)

For anyone preparing for the CISSP who is interested, I used the Shon Harris 4th edition CISSP textbook, the ISC2 official CBK and the Exam Cram CISSP text for reading on the train.

The Shon Harris book is quite in depth, going too deep in some areas compared to what you need to know for the exam, but good as a reference text. I found the official CBK very dry and hard to read, but useful as a companion to the Shon Harris book to compare the amount of treatment different areas received (it can vary widely between the two books). The Exam Cram book is, as you might expect, brief and to the point. I felt it was a good review book due to its portability, but not enough to use as your only text.

I also used the sample review exams at cccure.org, but to be honest found many of the questions there to be quite dated (lots of 'Orange book' questions rather than Common Criteria for example) and a few answers to be incorrect. Better than nothing I guess, but I wouldn't take your results on their sample exams as a strict indication of your preparedness for the exam itself.

So what's next? So much to learn, so little time...

Even more default passwords!

It's been widely reported that an Australian man has developed the new iPhone virus that 'rickrolls' owners of jailbroken iPhones.

The virus spreads via SSH using the iPhone's default password of 'alpine'. Normally SSH access is not available on a standard iPhone, but enabling access is a requirement of jailbreaking the iPhone to get around restrictions placed on the device by Apple.

This comes hot on the heels of a ransomware scam in which a Dutch hacker held jailbroken iPhones 'hostage' for €5, using the same method to gain access to jailbroken phones. (The Dutch hacker has since apparently stopped asking for money and has now provided instructions on how to undo his changes.)

Does this represent a big security hole for Apple? Not really, as both attacks only affect jailbroken iPhones. If you are jailbreaking an iPhone, or modifying any device against the manufacturer's instructions, then the onus of providing a secure device has passed from the manufacturer to the end user - something which most end users probably don't think about.

While both 'hackers' have claimed the release of their viruses was an educational 'wake up call' for users with jailbroken iPhones to ensure they change their default passwords, the simplicity of the attacks could mean something more sinister is on the horizon.
The pair of them may be in hot water as even a relatively harmless change like rickrolling can have unintended legal consequences (the attempted extortion from the Dutchman aside).

If you have a jailbroken iPhone, change the default password asap!

*edit* I just came across this post from Sophos which has a screenshot of some of the virus source code: