Sunday, July 25, 2010

AU Government Censors Document On Planned Web Snooping

I'll just send you to the Slashdot article as it has it all there and I'm getting ready for Black Hat/Defcon.

Just in time for the impending federal election...

Best quote:

"Online users' lobby group Electronic Frontiers Australia spokesman Colin Jacobs said what was released was "a joke".
"We have to assume the worst," he said. "And that is that the government has been badgering the telcos with very aggressive demands that should worry everybody."
Emphasis mine.

- J.

Thursday, July 22, 2010

Default Passwords and SCADA: Siemens Fails

Finally we're seeing malware in the wild targeting SCADA systems. What is the root cause analysis? Siemens have a default password. Of course, Siemens are not advising their clients to change it for fear of breaking communications between WinCC and the database.

I can appreciate Siemens' concern about interrupting business operations, but time and time again - fear of interrupting business is not a reason for ignoring security threats. It is a consideration - sure - but not a reason for ignoring them.

This is a prime example of security fail.

Why can't Siemens advise changing the password but stress the potential business implications? Other mitigating controls might include:
  • disabling USB drives,
  • application whitelisting,
  • operating system hardening,
  • segregation of management networks,
  • disallowing critical infrastructure direct Internet connectivity.
The list goes on. Why not advise clients how to change the password within the application and database? I'm obviously presuming it is permissible - if not, clearly it is a double fail.
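Two of the controls listed above, segregation of management networks and no direct Internet connectivity for critical infrastructure, are only as good as the firewall policy that enforces them, and a single "convenience" rule can quietly undo both by creating a transitive path. The following audit is an added illustration (not Siemens' code and not from the original post); the zone names, firewall rules and host inventory are constructed, and the zone model (any permitted flow between two zones counts as a possible path) is an assumption chosen to keep the check simple.

```python
"""Segmentation audit: verify that control and management zones are unreachable,
directly or transitively, from the Internet or the corporate network.

Added illustration; all zones, rules and hosts below are constructed examples.
"""
from collections import deque

# Constructed firewall policy: (source zone, destination zone) pairs that are permitted.
# Ports and rule order are deliberately ignored: any permitted flow counts as a path.
RULES = [
    ("internet", "dmz"),
    ("dmz", "corporate"),
    ("corporate", "management"),   # the convenience rule that breaks segregation
    ("management", "control"),
]

# Constructed asset inventory: hostname -> zone it sits in.
HOSTS = {
    "hmi-01": "control",
    "historian-db": "control",
    "eng-workstation": "management",
    "mail-01": "corporate",
}

PROTECTED_ZONES = {"control", "management"}
UNTRUSTED_ZONES = {"internet", "corporate"}


def _adjacency(rules):
    adj = {}
    for src, dst in rules:
        adj.setdefault(src, set()).add(dst)
    return adj


def find_path(rules, start, goal):
    """Shortest chain of permitted flows from start zone to goal zone, or None (BFS)."""
    adj = _adjacency(rules)
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(adj.get(zone, ())):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def segmentation_findings(rules, hosts):
    """One finding per (untrusted zone, protected zone) pair that is reachable,
    with the offending path and the hosts exposed by it."""
    findings = []
    for untrusted in sorted(UNTRUSTED_ZONES):
        for zone in sorted(PROTECTED_ZONES):
            path = find_path(rules, untrusted, zone)
            if path is None:
                continue
            exposed = sorted(h for h, z in hosts.items() if z == zone)
            findings.append({"from": untrusted, "zone": zone, "path": path, "hosts": exposed})
    return findings


def without_rule(rules, rule):
    """Policy with one rule removed, used to test a proposed remediation."""
    return [r for r in rules if r != rule]


if __name__ == "__main__":
    for f in segmentation_findings(RULES, HOSTS):
        print(f"{f['from']} -> {f['zone']} via {' -> '.join(f['path'])}: exposes {f['hosts']}")
    fixed = without_rule(RULES, ("corporate", "management"))
    print("after removing corporate->management:", segmentation_findings(fixed, HOSTS))
```

On the constructed policy the audit reports the control network as reachable from the Internet via dmz, corporate and management, even though no rule mentions the Internet and the control zone together; dropping the single corporate-to-management rule clears every finding. Real policies need the same reachability view over their actual rule base rather than a rule-by-rule eyeball.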

Anyway, I realise SCADA infrastructure often runs on ancient, unsupported operating systems and patch levels, but other controls can be applied to reduce the attack surface and potential damage such malware can perform.

While this excuse is thrown around in enterprise environments time and time again, what is interesting now is that it is being thrown around in relation to critical infrastructure, in an incident (presumably) arising from industrial espionage.

Some relevant links from Siemens can be found here and here (official release) - and yes, Siemens' official release is terrible.

- J.

EDIT (23-7-2010): AusCERT have released a bulletin on this. It's a good writeup - I heartily encourage anyone interested in this subject to read it.

Monday, July 19, 2010

Internet Censorship in AU, Black Hat/Defcon

I have had a sudden drop-off in posts this past month, owing to a combination of factors. Firstly I was flat chat finishing a unit in my Masters, then it was the inevitable burnout of posting + study + full-time work and other commitments. I needed a break to re-invigorate myself.

With that said and done, there are two things I want to post about:

1) Internet Censorship in Australia
What is the current status? Well, with the impending Federal election, this politically touchy topic has been put on hold. Yes, while Conroy has publicly backed down, it is important to realise that this topic is NOT DEAD. Labor STILL want to roll out the policy. Also, where is the Coalition on this policy? Strangely enough they aren't saying a hell of a lot either. Now you have to ask yourself "why would the Liberal Party remain relatively silent on this issue?" The obvious answer is that they want to roll out this policy too but they don't want to publicly say it. I hope the public continue to apply pressure on Tony Abbott, ask him questions publicly and grill him on this offensive policy.

The only political party with a truly vested interest in eliminating this policy is the Australian Sex Party. While I don't want to use this blog as a political platform, it's pretty clear that the Australian Sex Party cannot support such a policy without offending its entire constituency and gutting its support base.

I encourage anyone who actually cares about this election to really research the policies of the political parties out there and vote for the party you believe will best represent your interests.

2) Black Hat USA 2010/ Defcon 18
I will be attending Black Hat USA and Defcon in Las Vegas this year. This will be my first time attending the conference; I'm keen to learn from the industry's best and brightest, network with people and generally just have a good time. Regrettably, I'll probably have to work on my assignments for my MBA as well, but hey, them's the breaks.

When I get back I'll be sure to provide a post or two about what happened at Black Hat, takeaway observations, lessons and trends.

I'll make a more concerted effort to post more frequently.


- J.