“THEY USED A HASH
They used a SHA1 hash
A SHA1 HASH
Implemented in Flash
A SHA1 HASH
It was easy to smash
A SHA1 HASH
Now I got all your cash”
With yesterday’s unsalted password dump at LinkedIn (seriously LinkedIn, wtf are you doing not salting your passwords?), the password dump of eHarmony and today’s suspected compromise at last.fm, this would be an ideal time to provide a service that tells the truth behind an eHarmony profile simply by matching email addresses and passwords.
For example you could enter an eHarmony profile ID in, and it would check the user’s LinkedIn and last.fm profiles. A sample output could be:
“Sorry love, you know that 28-year-old, dashing, handsome, eco-friendly power company executive who loves 80s and 90s ballads, sunset walks on the beach, kittens and surprise weekends away? He’s actually a married 45-year-old IT Support Executive whose favourite hobby is being Waldorf on World of Warcraft (as per the Twitter feed connected to his LinkedIn account). His favourite bands are Slayer and Megadeth, but recently he has been listening to the Eurovision Song Contest Dusseldorf 2011 CD … a lot.”
Not a bad idea, hey? Please send all revenues from this service, if you implement it, to one of my nominated charities. Or buy me a book from my Kindle Wish List.
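The reason the matching service described above would be trivial to build is the property the post complains about: an unsalted SHA1 of the same password is byte-for-byte identical wherever it is stored, so two leaked databases can be joined on the hash column without cracking a single password. The following is an added illustration (not code from the original post); it uses constructed sample accounts, contrasts the unsalted scheme with a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256), and shows that the salted version still verifies logins correctly while producing no cross-site matches.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not taken from any real dump.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
}


def unsalted_sha1(password: str) -> str:
    """The scheme the post criticises: a single unsalted SHA1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def store_salted(password: str) -> tuple:
    """What a site should persist: (random salt, derived hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def hashes_correlate(site_a: dict, site_b: dict) -> list:
    """Accounts whose stored hash is identical on both sites.

    For unsalted schemes this join needs no cracking at all, which is
    exactly why one breach compromises accounts on every other site
    where the user reused the password.
    """
    return sorted(
        email for email in site_a
        if email in site_b and site_a[email] == site_b[email]
    )


def demo() -> tuple:
    # Two services, same users, same passwords, both storing unsalted SHA1.
    site_a = {e: unsalted_sha1(p) for e, p in USERS.items()}
    site_b = {e: unsalted_sha1(p) for e, p in USERS.items()}
    unsalted_matches = hashes_correlate(site_a, site_b)

    # Same users and passwords, but each site draws its own random salts.
    salted_a = {e: store_salted(p) for e, p in USERS.items()}
    salted_b = {e: store_salted(p) for e, p in USERS.items()}
    salted_matches = hashes_correlate(
        {e: h for e, (_, h) in salted_a.items()},
        {e: h for e, (_, h) in salted_b.items()},
    )

    # Salting does not hurt the legitimate site: logins still verify.
    salt, stored = salted_a["alice@example.com"]
    good_login = verify_salted(USERS["alice@example.com"], salt, stored)
    bad_login = verify_salted("wrong password", salt, stored)
    return unsalted_matches, salted_matches, good_login, bad_login


if __name__ == "__main__":
    matches_unsalted, matches_salted, ok, bad = demo()
    print("cross-site matches, unsalted SHA1:", matches_unsalted)
    print("cross-site matches, salted PBKDF2:", matches_salted)
    print("legitimate login verifies:", ok, "| wrong password verifies:", bad)
```

Running it lists both constructed accounts as cross-site matches under unsalted SHA1 and none under the salted scheme, while the salted verification still accepts the right password and rejects the wrong one. The iteration count and salt length are choices made for this illustration; the point is that the salt is random per user, so even identical passwords produce unrelated stored values.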
I am yet to be convinced that the current "Cloud Computing" wave is little more than vendor-driven marketing hype, driven by technologists that are chasing business revenue through the promise of "bottom line cost savings" – whilst conveniently ignoring business-critical issues such as Information (and not just IT) Security.
As a colleague highlighted to me recently, all Cloud Computing is, in reality, outsourcing IT to shared infrastructure – running your stuff on other people's kit via an internet connection. It is easy to see how the Outsourcing vision has rarely delivered the business value promised to the customer during the sales cycle by consultancies, offshoring shops and global system integrators. Whilst there have undoubtedly been cost savings in technology and skills acquisition, these savings have been negated by the increased overhead of "managing" the outsourced provider … re-insourcing is common even here in Australia.
The recent CA/Ponemon Survey around Cloud Computing Security highlighted some disturbing issues – that the majority of Cloud providers regard Information Security as the customers' problem and responsibility to deal with, rather than theirs: Gideon's blog is a nice summary at http://www.rationalsurvivability…. Sahil, this is in direct contrast to your Myth #8 (although to be fair SaaS != "Cloud" per se!)
One example is availability. Until CSPs increase the business value of their service through some sort of shared risk, shared reward model with the customer I can't see how businesses can justify the Cloud for anything above non-sensitive information. Look at Amazon EC2's compensation for its lack of availability – 10 days hosting credit. Does this even come close to the estimated lost revenue for its major customers who were affected?
The Australian Government's Defence Signals Directorate has an excellent guidance note for organisations considering cloud. I would like to see CSPs review this – particularly para. 17 onwards – and if they can come up with a commercially viable answer to questions such as these, then the implementation of on-demand Cloud Computing may live up to the promise: http://www.dsd.gov.au/publicatio…
As many of you will know, southern Australia is currently suffering the worst bushfires in Australia's peacetime history. Over 173 are confirmed dead with many more injured, towns have been destroyed completely and people have lost everything. The SBS and the ABC have particularly good online coverage of this ongoing disaster. What makes it worse is that police are investigating a number of sites where the fires are suspected to have been (re)started by firebugs (arsonists) and even by thrown cigarette butts. IMHO those responsible should be tried for murder with sentences served consecutively.
I’ve just watched Prime Minister Rudd address the Australian Parliament (ironically, via the BBC) where I was pleasantly surprised to hear, quite early in his speech [Link Available Soon], that the Government will direct its departments to provide assistance to people re-establishing their legal identity. Things like passports, birth certificates, marriage certificates and so on are difficult enough to get hold of, but even worse when all of your “identity sources” are destroyed in disasters such as these fires or the floods ravaging Northern Queensland. Being able to provide a positive and trusted identity “token” (driver’s licence, passport, etc) about yourself is nowadays a virtual prerequisite to living a normal life in today’s society. If you have none – how do you identify yourself? PM Rudd paused from reading his speech to convey, in his personal tone, this difficulty to the rest of Parliament. This is the first time I have ever heard a senior politician even understand this difficulty, simplistic as it may sound. Maybe it’s because he saw The Chasers’ Julian Morrow demonstrate how easy it is at a recent Identity Fraud conference in Sydney.
However – this got me thinking, as of course I work in the Information Security and Identity spaces. What provisions will the Commonwealth put into place to stop those evil people taking advantage of this tragedy to assume the identities of victims? How do you prove your identity when your primary sources have been destroyed? There is an excellent case study of an affluent lady in NSW [Citation Needed] who has lost her home (including title deeds), car, digital identities, bank accounts, and so forth after having her identity stolen by a criminal gang whilst she was abroad. (The suspected Russian-based gang proceeded to sell everything she owned, obtained passports and birth certificates in her name, bankrupted her and racked up massive debts in her name, and she is still fighting to this day to clear her credit record years later – which nobody seems to know how to do, due to the lack of legislative process in Australia). And all from stealing mail from her mailbox. Australians – put an unbreakable lock on your mailbox or get a PO Box, is all I can say.
Although it’s not proof of identity, people born in England and Wales can order as many copies of their birth certificates as they like (well – to be accurate – certified copies of an entry in the register of births and deaths) over the internet. A very useful service. Indeed, I’ve ordered quite a few copies of my own, based on only knowing basic information about my parents and where I was born. What is a scary thought is that this can then be used to apply for an identity elsewhere, for example my Australian Citizenship, my passports in multiple countries and even my French Carte de Séjour (itself a de facto Identity card). I don’t know what processes there are in place to stop you, or anyone else, doing that with such a copy. I bet you that the various governments around the world don’t check the validity of every birth certificate copy they are presented with.
Whilst digital identity is a complex area, we must also not forget the issues around dealing with the offline world. Identity theft and fraud is a growing crime, not just done by ne’er-do-wells, but also in a profitable manner by organised gangs. And they’ve been doing it for years. All we can do as individuals is to protect our own identity as best we can. Something I will blog about in the near future.
Australian National Disaster Support
Many Australians, including myself, have dug deep and already donated well over $15m in less than 24 hours of the appeal fund being set up by the Red Cross and the Victorian Government. Fires also continue to burn not only in Victoria, but also in South Australia and New South Wales. With over 173 confirmed dead in the fires, the toll continues to rise, and many more are injured or have lost loved ones, pets, their homes and/or their businesses. Once the immediate situation has passed it will take a long time for those affected to recover, both physically and psychologically. I urge anybody reading this blog to please donate to this very good cause. As always, Australians, all donations over $2 are tax deductible (they email you a tax receipt) and for those abroad, the relative weakness of the Aussie Dollar at the moment means your donation will go much further. Thank you for your support.
Some think it’s only a Koala, but I think this guy is actually a close relative of the Koala – you know, from the line of Koalas and Dropbears that interbred … can’t remember the Latin name but it was something like dropbearuskoalainfestcityus. Other species of Dropbear have also been sighted recently, but not so far into the CBD.
Scientists thought that this particular species of dropbear had been killed off after they concreted over the CBD. Just seen in the Courier-Mail that there is now concern because these dropbears only came out between dusk and dawn; it’s very rare to see one in attack mode during daylight hours.
Brisbane City Council have warned everyone in the CBD today to wear dropbear repellent, or if you can’t get hold of it (there’s a run of repellent at the chemists apparently), smear some Vegemite on your nose. They hate the taste of it, hence why they don’t attack Australians unless desperate (they can sense it coming through our heads).
Security is not just about information security, or network security. It’s also about people – a lot of information about an organisation is held within the minds of its employees and contractors. How would your organisation survive the loss of key personnel due to a natural disaster or an incident such as a dropbear attack? Today’s incident has highlighted the need for Queensland-based organisations to include the likelihood of this in their business continuity planning strategies.
Most of you know I work in the Information Security area. You probably also know I am passionate about Australia. However, this post is not about the technical ineffectiveness of the technologies that have been proposed (which I will write later). This is more about the method in which the Australian Government is pursuing the implementation of those ineffective technologies. Yet another example of Australia – The Nanny State (funnily enough, which is the complete opposite of the culture of the Australian People).
For those of you who don’t know (and, given the lack of reporting in the mainstream media about the subject, I wouldn’t be surprised), the Australian Government is currently undergoing trials to enforce filtering of “illegal and objectionable material” at the Australian ISP level. What does this mean in practice? They want to filter your internet access using methods that just don’t work, just like the governments of China, Saudi Arabia, Iran, and many others do – but without the people to validate properly what is being filtered.
Remember, this is the same population of civil “servants” that has made it illegal for you, the Australian citizen, to purchase fireworks without having to physically travel to Canberra. Which, of course, is punishment in itself.
The policy will be enforced by two levels of blacklists – one of which is mandatory for all internet connections, the other is an “opt out” for those who need their fix of “restricted” online porn, up to R18 level. However, even the Government’s own trials have shown a shockingly high false-positive rate, which means that the filters have incorrectly blocked innocent information even using deep-packet-inspection technology that is quite advanced compared to the URL-and-IP-address blocking you are used to when trying to get to Facebook from your work desk (and you already know how to get around that, don’t you?)
ACMA have not detailed the governance around this “solution”. And where does it stop? What will stop Big Media (the Music and Movie industries) from lobbying – hard – to block all technologies used to distribute files online, because they *might* be used to distribute Rihanna’s latest album? (Hint: get the videos instead, she is gorgeous). What else will they add? Any websites or people critical of Government policies, similar to the Freedom Fries debacle of the US Government when France refused, correctly I might add, to support the invasion of Iraq based upon failed intelligence about WMDs? Given the Australian Government’s useless performance at yesterday’s climate change talks, I wouldn’t be surprised if most environmental groups suddenly had their websites filtered due to lobbying by the Resources sector.
I tried to make an argument on the government’s consultation blog about this, but must admit I got into one of my infamous rants that also included Telstra’s ability to slow down the information economy. But I was also happy to see that many other Australians have found the blog and submitted similar messages. Many more have also signed petitions and will be attending protests in each Australian Capital tomorrow (Saturday).
Prime Minister Rudd, I voted for you because I thought you would bring much-needed change to Australia. The Apology, and signing Kyoto, were very good starts. But your Government’s recent actions – the lack of them in particular with regards to Climate Change, the lack of action against the Japanese slaughter of whales in Australian oceans, and of course the Great Australian Firewall – are starting to make me think that the other lot weren’t so bad after all. It is true that Australians do NOT have any freedom of speech protections – something I think you should fix, protecting our freedoms just like every other democracy. As a fellow Queenslander I don’t want to stop supporting you, but you are making that a difficult position to maintain.
BTW – With regards to the Child Porn issue. I do not condone this. I would happily work with the Australian Government (contact me) on addressing this issue. My personal view is to set up a dedicated unit in the AFP (or similar) tackling this issue, to monitor, gather evidence, capture and prosecute each and every single cretin who is involved with this. I allege (got that lawyers, I allege – I don’t have proof!) you guys already have the technologies to do this, and in fact are already doing this (example here) for National Security interests. Why not leverage the same technologies and resources and do something similar in the non-classified environment?
Back to the Child Pornographers … once these bastards are found guilty in a court of law, based upon the evidence collected as above, I propose they are castrated – without anaesthetic or any medical support – using blunt, rusted, metal knives and left to rot in a cell. That is the minimum punishment that these sick bastards deserve. Let’s stop this problem at the source.
A colleague of mine at work started blogging again last weekend, highlighting a very good point: if 2-Factor Authentication is being offered to online gaming players, then why the hell are there still governments and financial institutions across the world that rely on basic UserID and Password authentication for their online services?
Although an interesting debate, I’m not going to go into a rant about this today. What has caught my eye, though, is an article in today’s Australian IT highlighting that a survey reveals that the majority of Australian Organisations are confident in the security of their IT systems, have rarely had that tested and believe they can withstand all types of attacks.
Although I would like to see the details of the survey, this statement scares me. The article describes how:
[…] organisations have reached a level of comfort with security, as most internal security projects have been completed.
A very interesting article caught my eye which is being presented to the BlackHat Europe and HITB Dubai conferences. Two Indian graduates have developed a Vbootkit, which is just like a standard rootkit in Windows … but importantly is invoked before the OS
A question posed by Gerry Gebel at the Burton Group around the difficulties of implementing authorisation management solutions.
I’m not sure if the use of external authorisation solutions (the “Access Manager” products) is the most appropriate in all cases. Sure, for use in Web Access Management/Control, they