New ISACA audit programs: Cloud computing, Crisis mgt, Infosec mgt, Active Directory, Oracle eBusiness #in

Posted on September 02, 2010

ISACA has recently made 5 new audit programs available, 4 in August and one in July, bringing the total number of available programs to 31.

These new audit programs cover:

  • Cloud Computing Management Audit/Assurance Program (Aug 2010)
  • Crisis Management Audit/Assurance Program (Aug 2010)
  • Information Security Management Audit/Assurance Program (Aug 2010)
  • Windows Active Directory Audit Program (20 Aug 2010)
  • Security, Audit and Control Features Oracle E-Business Suite, 3rd Edition – Audit programs and ICQs (July 2010)

They are all available for download on the ISACA knowledge centre website.

ISACA makes the material available at no cost as a benefit of ISACA membership. Anybody wanting to contribute material to share with fellow professionals can send it to ISACA via research@isaca.org.

ISACA Annual Conference 2010

Posted on August 30, 2010

Dates:   13 to 15 September 2010
Venue: Indaba Conference Centre, Fourways/Johannesburg

Over the last few years the ISACA SA Conference (#isaca2010) has drawn between 230 and 260 delegates. High profile local and international speakers provide delegates with insight into the latest developments in IT, security and governance. The 2010 conference has 3 streams of presentations and focuses on the latest strategies to address business, managerial, operational, auditing and security challenges associated with information technology and information systems. The conference topics are applicable to a wide range of attendees, from CEOs and CIOs through to security, audit, risk and IT professionals.

Follow @isacaza on twitter for #isaca2010 conference news and updates

Attendance
Should you be interested in attending the conference use the online booking facility at the ISACA website or contact Nadine on admin@isaca.org.za.

See you there for another great conference.

2010 Data Breach Investigation Report – Who stole my client’s cheese? #in

Posted on August 25, 2010

The first-ever joint report by the Verizon Business Risk data crime investigation team and the U.S. Secret Service presents a fascinating and current insight into the murky world of data theft and cyber crime. Contrary to general expectations 85% of all stolen data records can be traced back to organised crime. Woaah. While almost 50% of cases had active insider involvement, these were small-time jobs resulting in only 3% of records lost. So yes, watch out for your employees, but beware of those syndicates!

Read more in Woody Leonhard’s summation of the report here.

Download a copy of the VBR/USSS report from Verizon Business here

ISACA Whitepaper “Securing Mobile Devices” #in

Posted on August 25, 2010

ISACA have released a whitepaper on the securing of mobile devices. This is the first in a series of documents which will eventually include audit/assurance programs for such devices. The overview of these documents can be found here.

Abstract of white paper

Mobile computing devices have become a critical tool in today’s networked world. Enterprises and individuals alike rely on mobile devices to remain reachable when away from the office or home. While mobile devices such as smartphones, laptops, personal digital assistants (PDAs) and Universal Serial Bus (USB) memory sticks have facilitated increased convenience for individuals as well as the potential for increased productivity in the workplace, these benefits are not without risks. Mobile devices have been, and continue to be, a source of various types of security incidents. These stem from issues such as device loss, malware and external breaches. As the availability of human resources and systems continues to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate as will the features that these devices offer. It is therefore imperative that proper risk management be applied and security controls implemented to maximize the benefits while minimizing the risks associated with such devices.

Download the whitepaper here.

Securitysearch.co.uk writeup on the whitepaper here.

Standard Bank phishing attacks

Posted on August 16, 2010

Over the last few weeks I have been getting emails “from” Standard Bank on a regular basis, probably one or two a week. Today I received two more. I am not a Standard Bank customer, so it is immediately obvious that they must be fake. Perhaps a little less so for those who bank with Standard Bank? Both of these mails look a little different, originate from different email addresses, and have slightly different profiles. Standard Bank (or someone) is on the ball (thankfully), as when I tried to follow up on the mails to see how the attacks were working both had been blacklisted with Firefox/Mozilla as phishing sites, and the offending pages had also been removed. There was one a few weeks back that had not yet been blocked at the time I tried to access it, so I have a little more info on that attack, which I will post as an update when I get a chance (probably only on the weekend).

Read the rest of this entry »

Update on Oracle password hashes and crackers #in

Posted on August 16, 2010

As mentioned in my very first post on this “new and improved” site, my original site from way back when had some information on Oracle password hashes and a list of default passwords. This initial work was taken and improved on by Marcel-Jan Krijgsman and subsequently Pete Finnigan (read more about it here), who now runs what is probably one of the best Oracle Security resources available on the net.

During those early days not much was known about Oracle password hashes. There also weren’t too many options when it came to cracking them. Adam Martin came up with a plan in the early days, writing some code that would create an account, change its password to each word in a dictionary (stored in another table) using the Oracle password change functionality, and then grab the hash after each change to compare it to the hash you are trying to crack. It was slow (around 10 passwords/second if I recall correctly). I wrote my own version to automate the process and build a “pot” of known hashes along the way. I was busy getting this ready for release when Orm released his far superior tool. At that stage I stopped development and released my list of known hashes.

Orm’s tool was orabf. This tool changed the game, as it was a completely offline tool not needing a running database, and it was orders of magnitude quicker. It is probably still the best password cracker around for pre-11g hashes. The early version was a little buggy, but after a few mails Orm quickly fixed it and has improved it since then (history here). Download orabf here.

A little about Oracle password hashes and the algorithm (Oracle 7 to Oracle 10g)

Passwords can be up to 30 characters in length. The username and password are concatenated and all characters are converted to uppercase, then an eight byte hash is generated using the DES encryption algorithm. There is no random salt; the username is the only thing that varies the hash, so two accounts with the same username and password on different databases produce the same hash.

The hashes can be obtained using either
* SELECT username, password FROM DBA_USERS;
* SELECT name,password FROM SYS.USER$ WHERE password is not null;

The second is potentially safer if there is a suspicion the server may have been compromised, since DBA_USERS is a view that could have been altered, whereas SYS.USER$ is the underlying base table.

Use orabf (download as per link earlier) to crack these hashes, or get the modified version of John the Ripper.

Oracle 11g password hashes

Oracle 11g passwords can be up to 50 characters in length, and passwords are no longer case insensitive. The passwords are stored in two ways (à la LANMAN hashes; don’t they learn from the mistakes of others?): the old style DES hash (password field) AND the new SHA-1 hash (spare4 field).

Oracle 11g concatenates the password and salt, then applies SHA-1 to obtain the hash.

Password hashes can no longer be selected from dba_users, so they can only be obtained as follows:
* SELECT name,spare4 FROM SYS.USER$ WHERE password is not null;

For more detail on the Oracle 11g password hashing, read the writeup at Recurity Labs.
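The two points above (the 11g SHA-1 scheme and the fact that the old case-insensitive DES hash is kept alongside it) are easy to see in code. The following is an added example, not code from the original post, from Oracle or from Recurity Labs. It assumes the spare4 layout described in their writeup: the literal prefix "S:", then 40 hex characters of SHA-1(password bytes || 10-byte salt), then 20 hex characters of the salt. The helper names (make_spare4, verify_spare4, hash_style, accounts_with_both) and the sample account rows are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the 11g salt is 10 bytes, shown as 20 hex characters after the digest.
SALT_LEN = 10


def make_spare4(password, salt):
    """Build an 11g-style spare4 value: 'S:' + hex(SHA-1(password || salt)) + hex(salt).

    The password is hashed as given: 11g is case sensitive, so no uppercasing
    is applied (unlike the pre-11g DES scheme).
    """
    if len(salt) != SALT_LEN:
        raise ValueError("11g spare4 salt must be %d bytes" % SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_spare4(spare4):
    """Split an 'S:' spare4 value into (sha1_digest_bytes, salt_bytes)."""
    if not spare4.startswith("S:"):
        raise ValueError("not an 11g 'S:' hash")
    body = spare4[2:]
    if len(body) != 40 + 2 * SALT_LEN:
        raise ValueError("expected 40 hex digest characters plus 20 hex salt characters")
    return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])


def verify_spare4(password, spare4):
    """Recompute SHA-1(password || salt) from the stored salt and compare in constant time."""
    digest, salt = parse_spare4(spare4)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def hash_style(value):
    """Classify a value from SYS.USER$ as the old DES hash, the 11g SHA-1 hash, or absent."""
    if value is None or value == "":
        return "none"
    if value.startswith("S:"):
        return "sha1"
    if len(value) == 16 and all(c in "0123456789abcdefABCDEF" for c in value):
        return "des"
    return "unknown"


def accounts_with_both(rows):
    """Audit check: return usernames that still carry the weak DES hash next to the SHA-1 hash.

    rows are (name, password_column, spare4_column) tuples as returned by
    SELECT name, password, spare4 FROM SYS.USER$.
    """
    return [name for name, des, sha in rows
            if hash_style(des) == "des" and hash_style(sha) == "sha1"]


if __name__ == "__main__":
    # Constructed sample data; not values from any real database.
    salt = bytes(range(SALT_LEN))
    stored = make_spare4("Secret1", salt)
    print(stored)
    print("correct case:", verify_spare4("Secret1", stored))   # True
    print("wrong case:  ", verify_spare4("SECRET1", stored))   # False, 11g is case sensitive
    sample_rows = [
        ("ALICE", "0123456789ABCDEF", stored),   # both hashes present: LANMAN-style exposure
        ("BOB", None, stored),                    # SHA-1 only
        ("SYSTEM", "FEDCBA9876543210", None),     # pre-11g style only
    ]
    print("accounts with both hashes:", accounts_with_both(sample_rows))
```

The audit helper is the practical takeaway: if the DES column is populated for an account, the case-insensitive, unsalted hash is still there to be attacked regardless of how strong the SHA-1 side is.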

To crack Oracle 11g hashes you can use The Hackers Choice (THC) OrakelCrakert, which handles both brute force and dictionary attacks. Check first though whether the old-style hashes are also available, as it’s much easier to crack the new style password if the old style is known first; THC explain how this works in their post linked above.

That’s pretty much where things are at currently with Oracle passwords and hashes. There are many more tools out there to help with hacking and securing Oracle. Google is your friend :)

Upcoming ISACA chapter meetings in East London and Jhb #in

Posted on August 13, 2010

There are two chapter meetings coming up in East London and Johannesburg in the next few days. Hope to see lots of people there. I personally hope to attend the Jhb meeting, travel plans allowing.

East London

Date: 18 August 2010 at 2:30 pm
Venue: PricewaterhouseCoopers, Palm Square office park, Acacia House, Bonza Bay Rd, Beacon Bay

1) Andrew William Mpofu will be presenting: “Information Security as a strategic business asset”
2) Chris Knox will be presenting: “Information Security Risk Assessment methodologies”
3) Networking & Refreshments

Johannesburg

Date: 24 August 2010, 5pm registration with the event starting at 5:30pm

Venue: PricewaterhouseCoopers offices in Sunninghill, Johannesburg

1) Jason Gottschalk will be presenting on “Access Governance – The precursor to Identity and Access Management”.

2) Gerhard Hechter, PKF will be presenting on “Taking risks cleverly / Business intelligence”

Attendance

To confirm attendance to either of these meetings please contact Nadine on 011-8030803 or admin@isaca.org.za

Congratulations

Lastly, congratulations to all those who wrote and passed CISA, CISM and CISSP. I believe results for all 3 were released today.

Process control / automation control systems /SCADA Security rootkit (Stuxnet) #in

Posted on August 10, 2010

Having done a fair amount of work in the area of process control systems, and the design/implementation of control frameworks and minimum standards for these environments in the last few years, I am always interested in reading up on issues and threats being identified in this area.

My experience has always been that the clients we have dealt with are relatively immature in their dealing with these environments (from an information security point of view) and have been reluctant to acknowledge the threats and take the necessary steps to protect themselves. They are reluctant to even carry out the basics, such as patch management and installation of anti-virus, often pressured by the solution vendors not to.

I noticed a short while back that there was some noise about a new “virus” that targeted WinCC. At the time I read about it briefly and was interested to see that it targeted one specific environment and, from the comments, appeared to have been designed to attack one specific target.

Details that are emerging now seem to indicate something altogether different. This virus not only targets one specific environment, but is also a security rootkit. It targets Siemens Step7 and WinCC. Step7 is used to program the Programmable Logic Controllers (PLCs) of the Simatic S7 family.

In an updated blog post found here, Symantec explain in a bit more detail the seriousness of what Stuxnet is and what it does:

“Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.

Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.”

Two infographics have been shown in various places (Source: app Symantec) that show the distribution of the worm globally. This is not a localised phenomenon that affects just one place in the world.

Figure: Stuxnet global distribution

Iran, Indonesia and India are the areas most widely hit.

Figure: Stuxnet distribution graph

This virus is not just some theoretical proof of concept. In reading through some of the forums I came across this post, which could just as easily have originated from a South African organisation as a foreign one:

“Hi, currently I am in Iran, xxxx commissioning of our project for steel making plant.
We have this virus everywhere here, on WinCC server, clients and so on.
This virus was probably transferred from some USB stick from customer.
In this time I am downloading Simatic patch and antivirus software from links above.
I am sure that I have had this virus minimal one month ago in my project backups too.
So tomorrow I try remove this virus and I will inform you.”

From this it is clear that the environment they are in at least follows the basics of keeping the process control network separate from the organisation’s administration network and the Internet. This virus is smart, smart enough to know the target environment and run across multiple attack vectors. At the very least, this virus is infecting USB memory sticks to get itself across to the process control environment. It is then infecting Windows computers through open shares (and other vectors), attaching itself to the .DLLs on the WinCC machines, injecting itself into the S7 PLCs, and then modifying code on the PLCs to prevent its detection. This is serious stuff and introduces a few degrees more complexity than has been seen before in a worm targeting these sensitive devices.

If that wasn’t bad enough, once this virus has acquired targets it reports information back to its Command and Control centre, and also appears to have the ability to receive remote commands and execute them, as well as download further software from the command centre.

If you run a process control environment / SCADA / PLCs then you should be concerned. The IT security threat to this environment is no longer a theoretical or remote one. It is real, and you could be attacked, if you have not already been. It is important that you have the right governance and processes in place to provide you with both technical and procedural protection against attacks.

Has anyone heard of any infections here in South Africa?

Justin

Further reading:

Stuxnet introduces the first known rootkit for industrial control systems

http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices

Findings from the field: Stuxnet and Siemens

http://findingsfromthefield.com/?p=480

The Stuxnet worm and options for remediation: Download PDF from Industrial Defender here or get it from http://www.industrialdefender.com

Feedback on ISACA KZN chapter meeting control frameworks presentation

Posted on August 07, 2010

On Thursday evening (5th August) I presented at the ISACA KZN Chapter meeting. As Chapter coordinator I have the privilege of finding speakers and venues, and from time to time an arranged speaker has other commitments and so is unable to make the presentation. I always try and keep a “backup” presentation of my own, and this time around it was my (our) “Tale of two cities – or control frameworks” presentation that was first presented at the IT Web security summit earlier in the year. This time I did the presentation without the assistance of my colleague from Jhb, David Volschenk, as he had other work commitments which prevented him travelling to Durban for the day.

At IT Web we had 45 minutes for the presentation and Q&A, so we were fairly time constrained and did not have much time at all for discussion or questions. At the Chapter meeting we had much more time to go through the presentation at a leisurely pace, have discussion around certain aspects and make it a much more interactive (and fun) session.

There were about 20 people present, representing the consulting firms (EY, PKF, Deloitte), public sector and private sector.

Off the top of my head (I was presenting rather than taking notes :) the main areas of discussion were around:

  • Getting executive buy in for the project
  • Getting adequate funding
  • Instilling change in an organisation where the maturity level is low and the corporate culture is such that the environment is generally poorly controlled
  • What the drivers are for the implementation of a control framework, and particularly King 3 and how it is changing perspectives (creating the fire)
  • The implications of King 3, and how they will drive change from the top (rather than it being left to middle management to drive failed projects)
  • The apparent lack of understanding of King 3 on the part of directors, and how negative statements having to be made in the Annual Financials with respect to King 3 compliance could affect their reputations and those of the organisations they represent (or what happens if they “lie” and put in statements of compliance when they aren’t compliant). Company directors really do need to start taking notice of this.
  • The implementation of control frameworks is a long term process, not a quick fix. Deciding 6 months ahead of the King 3 implementation deadline that the organisation needs to be compliant may be an impossible task

In “off the record” discussions after the presentation a number of consultants wanted to know if the failed company (Company B) was actually Company XYZ or Company ABC. The answer each time was no, it wasn’t that company; Company B was a combination of failed projects. That said, the names of companies mentioned by the other parties in each case also were not one of the companies involved in the combined “Company B”. It seems there are a lot of failed control framework and security framework implementations out there.

I really enjoyed the presentation and the discussions that went with it. Thanks to all who attended for your attendance and participation. If you are interested in having further discussions around this, or have me meet with your directors to discuss further, please contact me.  j-j (at) worldonline (dot) co (dot) za or on Twitter.

Thanks to Ernst & Young for hosting the chapter meeting.

See you next time at PKF.

Justin

You can find a copy of the presentation in the original article or directly here. More on King 3 here. And get a copy of the King 3 report from the IOD website.

Microsoft’s largest security patch release (ever?) #in

Posted on August 06, 2010

Microsoft are set to release their biggest set of patches ever next week Tuesday. According to the Microsoft Security Response Center, Microsoft will issue fourteen Security Bulletins addressing thirty-four vulnerabilities, and that excludes the out-of-band patch release done earlier this week for the LNK vulnerability. The list of affected operating systems includes all supported versions of Windows, as well as various versions of MS Office (for Mac and Windows) and Silverlight. They will also be updating Windows Update, Windows Server Update Services and Microsoft Update.

Microsoft will host a webcast after the patches are released. See the details here.

Find the full content of Microsoft’s bulletin advance notice here.

Network security podcast covers Cisco 2010 Midyear Security Report #in

Posted on August 04, 2010

I was listening to the Network Security podcast this morning (Blackhat mini-cast) and they had an interview with Mary Landesman, a Senior Cisco security researcher, who discussed the Cisco 2010 Mid-year security report that is now available. Download here. Direct link to PDF.

Quoting the intro from the report:

The Cisco 2010 Midyear Security Report examines the major forces of change reshaping the global security landscape. These changes demand that organizations rethink their approaches to enterprise security. Current shifts — from the virtualization of operations to collaboration and social networking — provide new opportunities for criminals to infiltrate networks and steal high-value business data.

The Cisco 2010 Midyear Security Report includes:

  • Results and analysis from two new Cisco studies — one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
  • International trends in cyber-security and their potential impact on business
  • Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
  • An update on global spam trends since late 2009 and spam volume predictions for 2010
  • Guidance from Cisco security experts to help businesses improve their enterprise security by 2011

Read the Cisco 2010 Midyear Security Report, and find the best strategies to help you meet current security demands for your organization.

During the podcast it was also mentioned that Cisco put out weekly and monthly reports. I hadn’t seen these reports before and have just whipped through some quickly and it’s quite interesting, definitely something I will come back to and have a look at on a weekly basis. To quote the site blurb “The weekly Cyber Risk Reports provide strategic intelligence that highlight current security activity. The reports address seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.”

You can find the weekly reports and supporting podcasts here.

ZaCon call for papers closes 20th August 2010 (17 days folks)

Posted on August 03, 2010

Just a reminder that the free (low cost) security conference ZaCon is being held on Saturday 9th October 2010 at the University of Joburg.

The call for papers went out some time ago and closes on the 20th August. If you are interested in attending, diarise, if you have something to share then write up that abstract and send it through.

More details here

Sophos mid-year 2010 Security Threat Report

Posted on August 03, 2010

IT security company Sophos has released its mid-year 2010 Security Threat Report. The report provides some insight into Cybercrime as well as other IT security trends and developments for the first half of 2010.

The report provides a short history and background to the cybercrime economy, then covers some notable arrests and sentences over the last 12 months, making for interesting reading. Of particular interest is the particularly “tolerant” attitude of those surveyed to government cyber-crime activities.

Some thoughts around social media as an attack vector are also explored, as well as some insights into the threats to the major mobile platforms (iPhone, Blackberry, Android).

The report also provides details on the top malware/spyware hosting countries for January to June 2010.

Download the PDF copy of the full report here.

Reports on DLP, Service Auditor Standard & Social Media Security

Posted on August 02, 2010

Social Media:  Business Benefits and Security, Governance and Assurance Perspectives (ISACA)

This week, ISACA released a white paper outlining the five biggest risks posed by social media in the workplace, and how to manage them without banning the technology. The download page also includes links to a number of other useful reports on social media by Forbes, Enisa, Web-strategist, and socialmediagovernance.com.

Download the ISACA report here

New Service Auditor Standard (Replacing SAS70) : A User Entity Perspective (ISACA)

The International Auditing and Assurance Standards Board (IAASB) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) have recently approved new standards for reporting on controls at a service organization with a truly global constituency in mind. Under the approach adopted by the IAASB and the ASB, Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards:  an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization. While these new standards are intended to be a communication from the service auditor to the user independent auditor that permit a user entity independent auditor to fulfill auditing requirements, management at user entities also has recognized its responsibility for designing and implementing internal control over financial reporting, whether performed internally or by a service provider, and acknowledged the benefits of SAS 70 reports as part of their risk management, vendor management or regulatory compliance processes. This paper will address the changes in the new standards and will focus on providing management of user entities with valuable practical guidance on their responsibilities to help ensure that they are ready for the changes.

Download report here

The 2010 Data Loss Prevention Report (Aberdeen Group)

Aberdeen Group have temporarily made their 2010 data loss prevention report available for free download.

Report Intro:

Companies achieving top results successfully use content-aware technologies to identify sensitive data across multiple channels, and to invoke a range of remediation options to enforce established security policies. In doing so, they reap the substantial benefits of fewer incidents of data loss or data exposure, fewer audit deficiencies, and lower operational cost.

Download from here

Security and ethics presentation to UKZN MBA class – copy of presentation

Posted on July 30, 2010

On Tuesday evening (27th July 2010) I did a presentation to the University of KwaZulu Natal MBA class. The presentation was rather enjoyable (from my perspective), and with all the questions and interaction with the class we spoke for around an hour and a half or so. We did go a bit over the normal end time for the lecture, so thanks to the class for their patience and thanks again for your attention and questions.

Attached is a copy of the presentation for anybody who is interested.
