On the move

Security Circus has moved to its new home at http://www.security-samurai.net/

Please update your bookmarks and join us in the dojo!

Google Hacking

Remember Johnny Long's Google Hacking database?

Well it's back

The team at Exploit Database have recently resurrected the GHDB to help you harness the power of Google to do reconnaissance or just be nosey. Use it to check out your web servers, your network and your users before the bad guys do!
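As an added example (not part of the original post, and not code from the GHDB or Exploit Database), here is a small Python self-audit built around a handful of hypothetical GHDB-style signatures. Each signature pairs a site:-scoped dork template with a regex that recognises the same exposure in a page fetched directly from your own server, so you can generate the queries to run against Google and also check the raw pages yourself without waiting for them to be indexed. The signature list, the sample pages and the example.com domain are all constructed for this example.

```python
import re
from urllib.parse import quote_plus

# Hypothetical subset of GHDB-style signatures, constructed for this example.
# Each entry pairs a Google dork template (scoped to your own domain with
# site:) with a regex that spots the same exposure in a page body you fetched
# from your own web server.
SIGNATURES = [
    {
        "name": "directory listing",
        "dork": 'site:{domain} intitle:"Index of /"',
        "pattern": re.compile(r"<title>\s*Index of /", re.I),
    },
    {
        "name": "phpinfo page",
        "dork": 'site:{domain} intitle:"phpinfo()"',
        "pattern": re.compile(r"<title>\s*phpinfo\(\)", re.I),
    },
    {
        "name": "exposed SQL dump",
        "dork": 'site:{domain} ext:sql "INSERT INTO"',
        "pattern": re.compile(r"^\s*INSERT INTO\s+`?\w+`?", re.I | re.M),
    },
    {
        "name": "exposed .env config",
        "dork": 'site:{domain} ext:env "DB_PASSWORD"',
        "pattern": re.compile(r"^\s*DB_PASSWORD\s*=", re.M),
    },
]


def build_dorks(domain):
    """Return (name, query, google_search_url) for each signature scoped to domain."""
    dorks = []
    for sig in SIGNATURES:
        query = sig["dork"].format(domain=domain)
        url = "https://www.google.com/search?q=" + quote_plus(query)
        dorks.append((sig["name"], query, url))
    return dorks


def match_signatures(body):
    """Return the names of every signature whose regex fires on a page body."""
    return [sig["name"] for sig in SIGNATURES if sig["pattern"].search(body)]


# Constructed sample responses standing in for pages fetched from your own
# server (in a real run you would fetch each candidate path with urllib or
# requests and pass the body in here).
SAMPLE_PAGES = {
    "/backup/": "<html><head><title>Index of /backup</title></head><body>..</body></html>",
    "/info.php": "<html><head><title>phpinfo()</title></head><body>PHP Version ...</body></html>",
    "/dump.sql": "-- MySQL dump\nINSERT INTO `users` VALUES (1,'admin','5f4dcc3b5aa765d61d8327deb882cf99');\n",
    "/": "<html><head><title>Welcome</title></head><body>Hello</body></html>",
}


def audit(pages):
    """Map each path to the exposures found in it; clean paths are omitted."""
    findings = {}
    for path, body in pages.items():
        hits = match_signatures(body)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for name, query, url in build_dorks("example.com"):
        print(f"{name:20s} {query}")
    for path, hits in audit(SAMPLE_PAGES).items():
        print(f"{path}: {', '.join(hits)}")
```

Running the dorks against Google tells you what is already indexed (and therefore already visible to anyone); running the regexes against your own fetched pages catches the same exposures before the crawler gets there. Keep the signature list short and tuned to what you actually host, or the noise will bury the real findings.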

Sadness...is a lost laptop

Oh dear. This is just depressing...

If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?

The Toshiba Satellite A30 is an older laptop, so it was probably running XP rather than the BitLocker-capable Vista or Windows 7, but still.....

I hope the Taliban/Al Qaeda/Threat of the Month don't use eBay!

"The Great Cyberheist"

The New York Times have an interesting article up on Albert Gonzalez, the hacker-turned-informer-turned-double-agent who was a key part of the Shadowcrew group that committed (amongst other things) the intrusions at Heartland Payment Systems and TJ Maxx, which netted over 94,000,000 credit card numbers.

Although it doesn't go into technical details, it is worth a read for an interesting insider view.

Fashion sense?

A friend passed along a link to the must-have accessory for the aspiring data smuggler this year: USB Flashdrive cufflinks!

Of course hidden USB drives are nothing new: from USB drive Barbie, a ChapStick, chewing gum or a cigarette lighter to the 'hiding in plain sight' USB bowling ball drive!

I hope it holds more than 64MB!

If they're all too big you can go for a MicroSD card hidden inside a coin instead (just don't spend it by accident!).

The point of bringing up these amusing and imaginative storage devices is that it's trivially easy to move large quantities of data out of the building in a non-obvious fashion (well, except for that bowling ball...). The best defence against all of them is to put your controls on the data itself rather than on the device: if you allow unfettered use of USB storage and need to protect portable confidential information, you need some kind of host-based DLP strategy.

As for the USB cufflinks, I don't claim to know much about fashion, but they're ugly enough that a strictly enforced dress code might protect you...

The stealth cloud

ITworld have an interesting article on what they're calling the 'stealth cloud'. It's not exactly a new concept: bigger companies in particular have had to deal with the 'shadow IT' problem for some time now.

How to spot a Shadow IT user...

However, the recent proliferation of cloud service providers has the potential to greatly exacerbate the problem. Organizations already struggle with governance and with meeting requirements such as SOX, PCI-DSS, privacy laws and industry regulation; having business units run out and sign up to external SaaS/cloud services to fast-track projects sounds like a disaster (if not a lawsuit or breach fine) waiting to happen...

Many of these services are pitched at consumers, who use them at home and enjoy the benefits of cloud file storage or a personal online knowledge base; those same consumers then come to the office and want the same services at work.

So how do you combat the problem? There's no easy answer (like just about everything in security!), but a combination of education and communication (make sure the managers of the business units understand why storing confidential corporate documents in Dropbox is risky) and being prepared to formally evaluate the security and risks of SaaS/cloud providers, so that the resulting decisions are made out in the open, may go a long way to easing the headache.

It's been said before but is worth saying again: most business computer users have no understanding of security. In a recent conversation an office worker was somewhat shocked to hear that email was not 'secure' or even particularly 'private'. Education and communication are the keys, and probably the best way to combat those pesky Shadow IT ninja or Stealth Cloud shinobi! (since they won't let me bring a katana to work...)
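Education is one half of the answer; the other is knowing who is already using the stealth cloud, and your web proxy logs will tell you. As an added example (not from the original post or the ITworld article), here is a small Python script that walks a constructed proxy log, maps each request's host to a known cloud storage service by domain suffix, and totals requests and outbound bytes per user and service, flagging large POST/PUT uploads. The log format (one request per line: time, user, source IP, method, URL, bytes sent by the client), the sample lines and the service domain list are all constructed for this example; adjust the parser to whatever your proxy actually writes.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical list of consumer cloud storage domains to watch for, constructed
# for this example. Matching is done on whole DNS labels so that
# "dl-web.dropbox.com" matches "dropbox.com" but "notdropbox.com" does not.
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "evernote.com": "Evernote",
    "box.net": "Box",
    "docs.google.com": "Google Docs",
}

# Constructed sample proxy log (not real traffic). Fields, space separated:
#   time  user  src_ip  method  url  bytes_out (bytes sent by the client)
SAMPLE_LOG = """\
# time user src_ip method url bytes_out
2010-11-02T09:14:01 jsmith 10.1.2.30 POST https://www.dropbox.com/upload 52430112
2010-11-02T09:14:05 jsmith 10.1.2.30 GET https://www.dropbox.com/home 412
2010-11-02T09:15:10 aroberts 10.1.2.41 GET http://www.example.com/ 388
2010-11-02T09:16:20 aroberts 10.1.2.41 POST https://dl-web.dropbox.com/upload 7340032
2010-11-02T09:20:00 tnguyen 10.1.2.52 PUT https://content.evernote.com/shard/s1/res 20971520
2010-11-02T09:21:00 tnguyen 10.1.2.52 GET https://mail.example.com/owa/ 301
2010-11-02T09:22:00 tnguyen 10.1.2.52 GET https://notdropbox.com/ 2048
"""


def classify_host(host):
    """Return the cloud service name for a host, or None if it is not one we watch."""
    host = host.lower().rstrip(".")
    for suffix, name in CLOUD_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, src_ip, method, url, bytes_out = parts
    try:
        bytes_out = int(bytes_out)
    except ValueError:
        return None
    host = urlparse(url).hostname or ""
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method,
            "host": host, "bytes_out": bytes_out}


def summarize(log_text, upload_threshold=1_000_000):
    """Total cloud-storage activity per (user, service).

    large_uploads counts POST/PUT requests whose client-sent bytes reach
    upload_threshold; these are the ones worth a conversation with the user.
    """
    totals = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "large_uploads": 0})
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None:
            continue
        entry = totals[(rec["user"], service)]
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        if rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= upload_threshold:
            entry["large_uploads"] += 1
    return dict(totals)


if __name__ == "__main__":
    for (user, service), stats in sorted(summarize(SAMPLE_LOG).items()):
        flag = " <-- large upload(s)" if stats["large_uploads"] else ""
        print(f"{user:10s} {service:12s} {stats['requests']:3d} req "
              f"{stats['bytes_out']:>12,d} bytes out{flag}")
```

Two caveats a practitioner will hit straight away: with HTTPS the proxy only sees the hostname (via CONNECT) unless it intercepts TLS, so the URL path and true request method may not be available, and which byte counter means "client to server" differs between proxy products, so check your proxy's log format documentation before trusting the upload figures.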

The OS that would not die!

Halloween is not a big deal down under. Certainly when I was a kid nobody celebrated Halloween, but these days it is starting to pop up more and more. What does Halloween have to do with security, you ask? Well, it seemed quite apt that on Halloween night I saw this article from Computerworld on how 48% of surveyed companies plan to run XP after Microsoft's end of support in 2014.

Now if that isn't scary I don't know what is! While I can understand the pain of needing to test applications, run a pilot group, train users in a new interface and finally roll out a new desktop OS, I suspect it pales in comparison to getting your desktop fleet pwned by the first never-to-be-patched-in-your-OS vulnerability on April 9th 2014.

Don't get me wrong. I liked XP. It did what was needed and was a solid OS. It was rock solid enough to make its successor, Vista, look like crap. I still have it running on one machine at home. But Windows 7 is no Vista; IMO it's worth the switch. Anyway, by 2014 I doubt I'll even still be using Windows 7 (with plans for Windows 8 in 2012), let alone a 13 year old OS!

I don't care how much you 'like it', continuing to use WinXP on your desktops after April 2014 is just asking for trouble. Think about it.... a 13 year old OS. That's akin to using Windows 95 in 2008, or continuing to use Windows 98 until next year.

Now that's scary!