ISACA Annual Conference 2010

Posted on August 30, 2010

Dates: 13 to 15 September 2010
Venue: Indaba Conference Centre, Fourways/Johannesburg

Over the last few years the ISACA SA Conference (#isaca2010) has drawn between 230 and 260 delegates. High-profile local and international speakers give delegates insight into the latest developments in IT, security and governance. The 2010 conference has 3 streams of presentations and focuses on the latest strategies to address the business, managerial, operational, auditing and security challenges associated with information technology and information systems. The conference topics are applicable to a wide range of attendees, from CEOs and CIOs through to security, audit, risk and IT professionals.

Follow @isacaza on Twitter for #isaca2010 conference news and updates.

Attendance
Should you be interested in attending the conference, use the online booking facility on the ISACA website or contact Nadine at admin@isaca.org.za.

See you there for another great conference.

ZA WWW 2010 – 12th Annual conference on World Wide Web Applications

Posted on August 30, 2010

Date: 21 to 23 September 2010
Venue: Graduate School of Business, University of KwaZulu-Natal, Durban, South Africa

The ZA-WWW2010 conference in Durban is a multi-disciplinary event. Researchers (academics and colleagues from industry) will represent the wide spectrum of human knowledge, with Web applications as the common denominator.

This year’s ZA-WWW conference will feature:

  • Prominent keynote speakers
  • Multiple programme tracks covering e-Learning, Web development and e-Commerce
  • Peer-reviewed papers as well as invited presentations
  • Poster presentations
  • Proceedings published in electronic format on the Conference’s website

Some of the speakers and topics include:


ISPA and UniForum SA’s Annual conference, September 2010, Jhb #in

Posted on August 29, 2010

The Internet Service Providers’ Association of South Africa (ISPA) and UniForum SA (the co.za administrators) will be hosting their 9th iWeek annual conference from 15 to 17 September 2010 at Kloofzicht Lodge, Muldersdrift, Johannesburg, South Africa.

This premier event attracts speakers and attendees from a broad spectrum of the most important players in South Africa’s telecommunications industry. Representatives from Internet service providers, product resellers, network operators, telecom end-users, government, the ICT-focused legal fraternity and regulators will assemble at iWeek 2010 to discuss the latest challenges.

Read more about iWeek here, take a look at the 3-day conference programme and the speakers, or head straight for registration.

I didn’t see a price anywhere, so this appears to be a free conference. Let me know if you hear otherwise.

Lifehacker.com article on creation of PhotoSynths

Posted on August 28, 2010

Lifehacker.com’s Adam Dachis has published an interesting “how to” on the creation of photosynths. Check it out here. Between the article and the follow-up comments this is a really good introduction to putting together your own synths, with links to some really good synths as well.

One of my favourites is an HDR panorama of Chateau de Maulmont, done in a full 360 degrees horizontal by 180 degrees vertical, by M9. Check it out here: Link

Also check out the PhotoSynths of sandcastles done by Alexander Riccio here.

Some pretty awesome work. Give it a go and share your results.

Consulting Architecture Seminar hosted by @ComputerSocSA & Knotion in Jhb, 29 Sep 2010 #in

Posted on August 26, 2010

Host: Computer Society of South Africa (CSSA) and Knotion Consulting
Topic: Architecture Seminar
Date: Wednesday, 29 September 2010
Venue: Wanderers Club, 21 North Street, Illovo, Johannesburg
Cost: Members R550, Non-Members R650
Credits: 3 CPD or LLL points for CSSA members

Overview

How well is “Architecture”, in its broader ICT sense, understood in your organization? Is it properly deployed and utilized from both a technical and a business perspective? Knotion Consulting and the Computer Society of South Africa have joined forces to bring you an informative half-day seminar which will look into some of these aspects in more depth. Three exciting speakers, each a specialist in his field, will give seminar attendees numerous thought-provoking insights into certain aspects of the worlds of Enterprise and Software Architecture.

Read more here

Download booking form here

Google acquisition trail Feb 2001 – Aug 2010 #in

Posted on August 26, 2010

This is a rather impressive infographic put together by scores.org laying out the timeline of Google acquisitions from Feb 2001 to the present. Take a look through; it is a walk down memory lane :)

The acquisitions are categorised (left to right) according to the revenue intent behind the acquisition: revenue growth, competition reduction, or a bit of both.

The inner circle is a colour-coded pie chart reflecting whether the key asset obtained through the acquisition was People (yellow), Market (red) or Technology (blue).

The sizes of the outer circles also show the relative size of the acquisitions. The relative sizes don’t take into account the size of Google at the time of the acquisition, nor inflation, so take care before reading too much into them.

The list is quite comprehensive, although it is not believed to be complete; the author has indicated that the graphic will be updated to reflect corrections.

Click through to see the full infographic (it is extremely long, so it isn’t included here on the front page).


2010 Data Breach Investigation Report – Who stole my client’s cheese? #in

Posted on August 25, 2010

The first-ever joint report by the Verizon Business Risk data crime investigation team and the U.S. Secret Service presents a fascinating and current insight into the murky world of data theft and cyber crime. Contrary to general expectations, 85% of all stolen data records can be traced back to organised crime. Woaah. While almost 50% of cases had active insider involvement, these were small-time jobs resulting in only 3% of the records lost. So yes, watch out for your employees, but beware of those syndicates!

Read more in Woody Leonhard’s summation of the report here.

Download a copy of the VBR/USSS report from Verizon Business here.

Howto: Small Business IT Governance Implementation #in

Posted on August 25, 2010

One of the key challenges of IT governance is how to break it up and make it understandable and implementable for small businesses. Cost/benefit is always a key challenge, and unless there is a practical, sensible approach that adds value to the business, IT governance is not going to work in small businesses.

ISACA have released a nicely put together article in the J-Online section of their website. “Small Business IT Governance Implementation” by Janeane Leyer and Katelyn Quigley provides useful, practical advice on how to implement IT governance. The article poses three key questions in a simple framework and discusses six critical success factors for the implementation.

Abstract

The largest risks to businesses today are failure to align information technology to real business needs and failure to use information technology to create value for the business. Effectively managed IT can provide small businesses with a competitive advantage, whereas ineffective management can impair the business as a whole. With recent increases in demand for cost reduction, the need for small businesses to actively manage their IT resources has never been greater.

This article will provide an overview of IT governance, discuss the benefits to small businesses, suggest a framework for implementation in small businesses and discuss critical success factors.

Download the article here.

ISACA Whitepaper “Securing Mobile Devices” #in

Posted on August 25, 2010

ISACA have released a whitepaper on securing mobile devices. This is the first in a series of documents which will eventually include audit/assurance programs for such devices. The overview of these documents can be found here.

Abstract of white paper

Mobile computing devices have become a critical tool in today’s networked world. Enterprises and individuals alike rely on mobile devices to remain reachable when away from the office or home. While mobile devices such as smartphones, laptops, personal digital assistants (PDAs) and Universal Serial Bus (USB) memory sticks have facilitated increased convenience for individuals as well as the potential for increased productivity in the workplace, these benefits are not without risks. Mobile devices have been, and continue to be, a source of various types of security incidents. These stem from issues such as device loss, malware and external breaches. As the availability of human resources and systems continues to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate as will the features that these devices offer. It is therefore imperative that proper risk management be applied and security controls implemented to maximize the benefits while minimizing the risks associated with such devices.

Download the whitepaper here.

Securitysearch.co.uk writeup on the whitepaper here.

ISACA SA Chapter meetings in October (Dbn, Jhb, Pta) #in

Posted on August 25, 2010

Three of the ISACA chapters are having meetings in October. Details are below and will be updated as speakers are confirmed. Don’t forget the #isaca2010 conference in September.

KZN regional chapter meeting

  • Date: 7 October 2010
  • Venue: PKF Offices in Umhlanga
  • Topic: To be confirmed

Pretoria regional chapter meeting

  • Date: 14 October 2010
  • Venue: To be confirmed
  • Topic: To be confirmed

Johannesburg regional chapter meeting

  • Date: 26 October 2010
  • Venue: To be confirmed
  • Topic: To be confirmed

Confirmation of attendance

As always, please confirm your attendance with Nadine on 011-803 0803 or admin@isaca.org.za a few days ahead of time.

163 Megapixel panorama: View from my lounge

Posted on August 22, 2010

This morning I created and uploaded my Gautrain panorama (see previous post). That encouraged me to try to make a more detailed and refined panorama using a better camera. I have always enjoyed the view from my lounge / balcony, so I decided to try to create a panorama shot from there.

Using a basic tripod and a Canon EOS 550D DSLR camera I took a series of 31 photos, which were then run through Microsoft ICE and uploaded to Photosynth. The resulting image is the 163 megapixel panorama shown below. What is really impressive is the level of detail present in the synth. Try zooming in to the leaves on some of the trees, the cars on the freeway in the distance or the windows on the office block. This really is powerful technology which anybody can enjoy.

This second synth was taken over lunch using my Nokia E71. The quality isn’t great as it was taken handheld. The synth has many gaps and misplaced photos. I took 77 photos and ICE used 66 of them to give 360 degrees of vertical coverage and 144 degrees horizontal. I uploaded it out of interest, thinking it would be a bit of a disaster, but after playing with it for a while I made it public and added some highlights. It’s amusing to play with for a short while.

You can download the Microsoft ICE tool here at the Microsoft Research website.

Gautrain station photo synth (3d image composite)

Posted on August 21, 2010

Below is a very “rough and ready” photosynth of the Gautrain station platform in Sandton. It was created from 35 photos taken handheld on my Blackberry Bold 9000 (without flash) the other day while waiting 10m for the train to arrive.

The synth was put together with Microsoft Image Composite Editor (MS ICE) and the Microsoft Photosynth plugin for it. It is all free software that does quite an amazing job of stitching together a bunch of randomly ordered photos that you drag into the window. I will add some more screenshots and information in another post later. In the meantime, here is the synth.

Excuse the gaps (in pics) and the occasional mismatch: I did move forward at one stage to avoid getting too many people in on the platform to the right, and this caused a little bit of a mismatch with the railway line.

I’m very impressed by what can be achieved with such a low-end “camera” and some very nifty software from Microsoft. I am very tempted to take along the DSLR and tripod next time to see how that would come out. Comments and feedback welcome.

Click on the picture below to “activate” the synth then expand to full screen and move the view around to enjoy the full 3d effect.

Standard Bank phishing attacks

Posted on August 16, 2010

Over the last few weeks I have been getting emails “from” Standard Bank on a regular basis, probably one or two a week. Today I received two more. I am not a Standard Bank customer, so it is immediately obvious that they must be fake. Perhaps a little less so for those who bank with Standard Bank? Both of these mails look a little different, originate from different email addresses, and have slightly different profiles. Standard Bank (or someone) is on the ball (thankfully), as when I tried to follow up on the mails to see how the attacks were working, both had been blacklisted with Firefox/Mozilla as phishing sites, and the offending pages had also been removed. There was one a few weeks back that had not yet been blocked at the time I tried to access it, so I have a little more info on that attack, which I will post as an update when I get a chance (probably only on the weekend).


Update on Oracle password hashes and crackers #in

Posted on August 16, 2010

As mentioned in my very first post on this “new and improved” site, my original site from way back when had some information on Oracle password hashes and a list of default passwords. This initial work was taken and improved on by Marcel-Jan Krijgsman and subsequently Pete Finnigan (read more about it here), who now runs what is probably one of the best Oracle security resources available on the net.

During those early days not much was known about Oracle password hashes. There also weren’t too many options when it came to cracking them. Adam Martin came up with a plan in the early days, writing some code that would create an account, change its password to each word in a dictionary (stored in another table) using the Oracle password change functionality, and then grab the hash after each change to compare it to the hash you were trying to crack. It was slow (around 10 passwords/second if I recall correctly). I wrote my own version to automate the process and build a “pot” of known hashes along the way. I was busy getting this ready for release when Orm released his far superior tool. At that stage I stopped development and released my list of known hashes.

Orm’s tool was orabf. This tool changed the game, as it was a completely offline tool not needing a running database, and it was orders of magnitude quicker. It is probably still the best password cracker around for pre-11g hashes. The early version was a little buggy, but after a few mails Orm quickly fixed it and has improved it since then (history here). Download orabf here.

A little about Oracle password hashes and the algorithm (Oracle 7 to Oracle 10g)

Passwords can be up to 30 characters in length. The username and password are concatenated and all characters are converted to uppercase, then an eight-byte hash is generated using the DES encryption algorithm. There is no random salt; the username is the only value that varies the hash, so the same username and password pair always produces the same hash, and case in the password makes no difference.

The hashes can be obtained using either:
* SELECT username, password FROM DBA_USERS;
* SELECT name,password FROM SYS.USER$ WHERE password is not null;

The second is potentially safer if there is a suspicion the server may have been compromised.

Use orabf (download as per link earlier) to crack these hashes, or get the modified version of John the Ripper.

Oracle 11g password hashes

Oracle 11g passwords can be up to 50 characters in length, and passwords are now case sensitive. The passwords are stored in two ways (à la LANMAN hashes; don’t they learn from the mistakes of others?): the old-style DES hash (password field) AND the new SHA-1 hash (spare4 field).

Oracle 11g concatenates the password and salt, then applies SHA-1 to obtain the hash.

Password hashes can no longer be selected from dba_users, so they can only be obtained as follows:
* SELECT name,spare4 FROM SYS.USER$ WHERE password is not null;

For more detail on the Oracle 11g password hashing, read the writeup at Recurity Labs.
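To make the two points above concrete (the 11g scheme hashes password plus salt with SHA-1, and the legacy unsalted DES hash may still sit next to it), here is an added Python example. It is my own illustration, not code from this post or from any of the tools mentioned. It assumes the spare4 layout as I know it from 11g, namely an "S:" prefix followed by the 40 hex digits of the SHA-1 digest and the 20 hex digits of a 10-byte salt; the sample rows are constructed and the DES values in them are placeholders, not real Oracle hashes.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Constructed sample rows in the shape of
#   SELECT name, password, spare4 FROM SYS.USER$ WHERE password IS NOT NULL;
# The 16-hex-digit "password" values are placeholders, not real DES hashes.
SAMPLE_ROWS = [
    ("SCOTT",   "0123456789ABCDEF", "S:" + "00" * 20 + "11" * 10),  # both hashes present
    ("APPUSER", None,               "S:" + "22" * 20 + "33" * 10),  # 11g-only account
    ("LEGACY",  "FEDCBA9876543210", None),                          # pre-11g hash only
]


def oracle_11g_hash(password: str, salt: bytes) -> bytes:
    """SHA-1 over the password bytes followed by the 10-byte salt (the 11g scheme).

    Unlike the pre-11g DES scheme, the password is not uppercased, so case matters,
    and the random salt means the same password gives a different hash per account.
    """
    if len(salt) != 10:
        raise ValueError("Oracle 11g uses a 10-byte salt")
    return hashlib.sha1(password.encode("utf-8") + salt).digest()


def make_spare4(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 'S:' style spare4 value (assumed layout: S: + hash hex + salt hex)."""
    salt = secrets.token_bytes(10) if salt is None else salt
    return "S:" + oracle_11g_hash(password, salt).hex().upper() + salt.hex().upper()


def parse_spare4(spare4: str) -> Tuple[bytes, bytes]:
    """Split an 'S:' value into (stored digest, salt); rejects anything else."""
    if not spare4.startswith("S:") or len(spare4) != 62:
        raise ValueError("not an 'S:' style Oracle 11g hash")
    body = spare4[2:]
    return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])


def verify_11g_password(password: str, spare4: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    stored_digest, salt = parse_spare4(spare4)
    return secrets.compare_digest(stored_digest, oracle_11g_hash(password, salt))


def audit_legacy_hashes(rows: List[Tuple[str, Optional[str], Optional[str]]]) -> List[str]:
    """Names of accounts that still carry a pre-11g DES hash alongside an 'S:' hash.

    These accounts get none of the benefit of the salted, case-sensitive scheme,
    because the weaker unsalted hash of the same password is stored right next to it.
    """
    return [name for name, des_hash, spare4 in rows
            if des_hash and spare4 and spare4.startswith("S:")]


if __name__ == "__main__":
    fixed_salt = bytes(range(10))                       # constructed salt for the demo
    stored = make_spare4("Tr0ub4dor", fixed_salt)
    print("verify correct password:", verify_11g_password("Tr0ub4dor", stored))
    print("verify wrong case:      ", verify_11g_password("tr0ub4dor", stored))
    print("accounts with legacy hash next to 11g hash:", audit_legacy_hashes(SAMPLE_ROWS))
```

The audit function is the defender's takeaway from the post: run the SYS.USER$ query, feed the rows in, and any account it lists still has the unsalted DES hash exposed regardless of how strong the 11g hash is.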

To crack Oracle 11g hashes you can use The Hacker’s Choice (THC) OrakelCrakert, which handles both brute force and dictionary attacks. Check first, though, whether the old-style hashes are available, as it is much easier to crack the new-style password if the old-style hash is known; THC explain how this works in their post linked above.

That’s pretty much where things are at currently with Oracle passwords and hashes. There are many more tools out there to help with hacking and securing Oracle. Google is your friend :)

Upcoming ISACA chapter meetings in East London and Jhb #in

Posted on August 13, 2010

There are two chapter meetings coming up in East London and Johannesburg in the next few days. Hope to see lots of people there. I personally hope to attend the Jhb meeting, travel plans allowing.

East London

Date: 18 August 2010 at 2:30 pm
Venue: PricewaterhouseCoopers, Palm Square Office Park, Acacia House, Bonza Bay Rd, Beacon Bay

1) Andrew William Mpofu will be presenting: “Information Security as a strategic business asset”
2) Chris Knox will be presenting: “Information Security Risk Assessment methodologies”
3) Networking & Refreshments

Johannesburg

Date: 24 August 2010, 5pm registration, with the event starting at 5:30pm

Venue: PricewaterhouseCoopers offices in Sunninghill, Johannesburg

1) Jason Gottschalk will be presenting on “Access Governance – The precursor to Identity and Access Management”.

2) Gerhard Hechter, PKF will be presenting on “Taking risks cleverly / Business intelligence”

Attendance

To confirm attendance at either of these meetings, please contact Nadine on 011-803 0803 or admin@isaca.org.za.

Congratulations

Lastly, congratulations to all those who wrote and passed CISA, CISM and CISSP. I believe results for all 3 were released today.
