July 2014 Newsletter

July 09, 2014

Includes the latest from the Securus Newsroom, Partner Updates, Community Engagement, Tech Talk, Career Ops and more.

View as PDF here: https://securusglobal.createsend.com/reports/viewCampaign.aspx?d=j&c=8529664D569F40FB&ID=C09E8E4AF5539137&temp=False

You can also subscribe to our newsletter: http://www.securusglobal.com/subscribe/

Penetration Testing in Australia

It is always interesting to look at theoretical investment being made by companies in Australia. Based upon our experience, the assumptions made in a recent analysis by Nick Ellsmore, are in our opinion realistic. Read full article here: http://www.dellingadvisory.com/blog/2013/4/5/penetration-testing-market-analysis-where-is-all-the-revenue

Should you be using this as your guide to your own strategy in regards to penetration testing? Well that depends on your own circumstances, your risk tolerance assessed against those assets and the overall potential impact to you in case of a breach. (Related to your risk assessment and that risk tolerance level).

Taking aside the financial aspect in terms of costs of penetration testing across the board, a key factor for consideration, based on Securus Global’s own 10+ years of experience in this market, is that 95% of web applications we test for the first time have major to critical vulnerabilities in them. If even only 50% of those applications were already in production before we tested them, (with the actual figure higher), that equates to an alarming number of websites in Australia (and globally given those statistics do not differ for our international clients), being insecure and open to compromise, if they haven’t been compromised already.

It’s clear that a great deal of Australian business do not have an effective security assurance program in place. With cyber crime on the rise and media reporting of breaches increasing exponentially, it doesn’t present a confident picture of cyber security in Australia, nor globally.

(Nick has followed this up recently with a brief analysis of the US and Global markets: http://www.dellingadvisory.com/blog/2014/6/26/a-market-size-formula-for-the-security-assurance-of-everything )

Imperva Releases June Hacker Intelligence Initiative Report: “The Anatomy of Comment Spam”

The June report presents an in-depth study of how a relatively small number of attack sources are responsible for the majority of comment spam traffic.

The report goes on to show that identifying comment spammers quickly and leveraging IP reputation management to block their attacks will prevent most of their malicious activity. The report is based on data collected through monitoring of more than 60 web applications by Imperva’s ThreatRadar Reputation Services and it provides valuable information on the anatomy of comment spam from both an attacker’s and victim’s point-of-view.

The report concludes with details on how websites can defend themselves against comment spam attacks using a number of mitigation techniques.

Key findings from the report include:

  • 80% of comment spam traffic is generated by 28 per cent of attack sources.
  • 58% of all attack sources are active for long periods of time.
  • Identifying the attack source as a comment spammer early on and blocking their requests prevents most of the malicious activity.
  • IP reputation helps to solve the comment spam problem by blocking comment spammers early on in their attack campaigns.

To read more on the Imperva Hacker Intelligence Initiative Report visit: http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf

Community Engagement – OWASP

OWASP Sydney has been rather active this year, running consistent weekly practical workshops on various security topics and moving through public wargames. This is open to anyone with an interest in expanding their practical security skillset through hands-on exercises.

During the second half of this year, OWASP Sydney intends to expand to be more inclusive, instead of being just a “security club”, and hosting various events and presentations to raise awareness of (nominally, web application) security, as well as sharing content with other OWASP chapters. Recently, OWASP Sydney and Melbourne held a technical demo of such a presentation, sharing content from the OWASP Melbourne chapter, which gave us a good idea of how such a session could work out.

OWASP Sydney aims to continue this in the coming months, with three smaller practical workshops and one content-focussed presentation per month. The details of future meetups will be on the Meetup.com page [ http://www.meetup.com/OWASP-Sydney-Web-Application-Security-Group/ ]: if you are interested, please RSVP there (or email the Sydney Chapter Lead & our own CTO at norman.yue@owasp.org ).

IT Insecurity Jeopardising your Physical Security

It’s a concern when you consider that so many aspects of business and our day to day lives are now going digital. We want to control everything by computer, see the status of systems and devices that previously weren’t in the realms of digital technology and have everything conveniently under a central management system/console. We know it won’t be long before each of our homes and appliances/systems within it controlled by us on the Internet. (Really, it’s already started).

Here’s one example of some research we’ve been involved in, in this space:

We have been investigating RFID access control security and the models typically implemented by businesses in Australia. The iClass line of devices developed by HID are an interesting subject as they are commonly used throughout Australia (and globally) and have been proven to have security flaws. We conducted some research to see if we could create a covert cloning device for use in our engagements. Read on for more details of our successes:

Breaking lcg_value()

Latest post from our CTO about PHP’s lcg_value function:
Warning… Tech Heavy! :)

“First looked at by samy in 2010, lcg_value is a PHP pseudo-random number generator, which generates a random 64-bit floating point. To cut a long story short, this function works as follows (variable names taken from samy’s lcg_state_forward.c):

…Within lcg_value, “s1″ and “s2″ are internal state variables – PHP keeps track of them, and for each iteration of lcg_value, it updates them. If an attacker were to know the values of “s1″ and “s2″, the attacker can easily predict future values of lcg_value.”

Read More: https://www.securusglobal.com/community/2014/07/03/breaking-lcg_value/

How To Dissect Android Simplelocker Ransomware

An interesting blog post from our wider community, for all the Pen Testers out there…

In this blog post we’ll be looking at a new type of malware for Android phones that encrypts important files and demands the user pay a ransom to regain access to their phone.
This is the first reported case of ransomware being used on smartphones so I’m keen to find out more about this new malicious app.

Read more: http://securehoney.net/blog/how-to-dissect-android-simplelocker-ransomware.html#.U7Skl6iZpI5

Careers with Securus Global

As Securus Global continues to grow, we are currently looking for new employees in our Sydney Office!

Positions currently available:

  • Principal Security Consultant
  • Penetration Testers

More info: https://www.securusglobal.com/community/2014/06/18/were-hiring-principal-security-consultant/


Securus Global Community

Connect, Follow or Like us on social media to stay up to date with everything SG related: LinkedIN / Twitter / Facebook .

Also be sure to checkout our tech team’s blog and other industry news that we publish regularly on our website here: https://www.securusglobal.com/community/

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *