Parking Stations the new target for credit fraudsters and ram-raids?

Posted on by Martin Quinn martyq Security Blog Leave a comment

By Martin Quinn (Principal Consultant) 9 April 2015

[Image: Pay Station - Intact Security]

A few months back I was conducting a risk assessment around the safety of credit card information and was on the lookout for how credit fraudsters would execute attacks. These criminals have certain modi operandi. There are those that set up scam websites and call centres and take the cyber/internet pathway to get their hands on credit card information, and then there are the old-school criminals that snatch and grab or ram-raid. It's this latter type that got me thinking.

What avenues are left that would allow a criminal to easily obtain this type of information or data? Banks are too secure, and most criminals have moved away from the all-out full frontal assault. Attention more recently has turned to ATMs, the types that are privately owned and operate in a kiosk-style format – these hold cash (which in financial terms is king), but only in limited amounts. Then it occurred to me, as I was pondering this while leaving the local parking station: these days parking stations are more commonly unmanned, have at least one payment machine, and in some cases allow payment to be made at the gate when leaving.

This is what piqued my interest. These payment machines don't seem to have many protections afforded to them. All I noticed was that some may have CCTV, but many do not. They were sometimes attended by staff, but purely from an operating perspective and not a security one.

From a criminal's perspective, this is perfect: a cache of cash and usually credit card information too, with little to no protection and barely manned day or night – especially night!

Anyway, I put this attack vector forward to a few colleagues and it wasn’t quite dismissed, but wasn’t investigated further either.

Fast forward to today. As I was leaving the office, to my surprise the local car park station (where I often park my car) had suffered just this. The payment machine had its door swinging in the breeze, debris lay around its immediate vicinity, and a spool of receipt dockets lay next to it, all the while being attended to by three police officers (two of whom were forensic investigators) and two car park maintenance staff. It had obviously suffered a ram-raid style attack.

This just solidified my thoughts that these “softer” targets are on the radar of criminals, and will more than likely be more and more common in the near future.

If you have concerns regarding the physical security of your premises or assets, contact Intact Security; we can help you understand whether these items are at risk. Call us today for an obligation-free chat.

Relax. Your security is Intact.

Author: Intact Security


Über breach – Über long time ago

By Martin Quinn (Principal Consultant) 2 March 2015

Many of us use the super convenient dial-a-hire car/rent-a-driver service freely available on our mobile phones. (It’s much easier to get an Über driver at 12pm on a Friday night than it is a Taxi in some metro areas).

For those of us that don’t know anything about Über, Über is a forerunner and poster boy for the sharing economy. It uses the collaborative consumption model, meaning it is based on sharing or pooling of resources for consumption by many (think of the old car pool but on a more individual scale).

Anyway, to use the Über service, you download the app, register your details and credit card information and you’re off to the races. The app allows the consumer to view any available “hire” cars within a 5-10km radius, book their ride and pay without using cash.

Über, being the flavour of the month, or rather the year (2014), has only just disclosed that it was breached last year, in May, and didn't discover it for 4 months (September). 50,000 drivers' details were exposed – names, addresses and driver's licence details (so far this is all they have divulged as being breached). Über has been very quick to provide assurances that no customer data, usernames or passwords were accessed. For me, though, this is a contradiction: Über drivers are as much customers as the consumers in my book. This was only disclosed on Friday, which raises the question: why so late in the game? Were drivers notified individually closer to the discovery date? And if they have this attitude towards their drivers, how does this differ for the consumers?

The company has indicated that it will provide a year of identity theft protection for those affected, but what does that mean? It seems like an empty promise, more of a PR exercise than a commitment to deliver anything.

It's not the first time Über has copped flak for lazy security and privacy, though, and it makes me wonder: what more is needed? Will it take a breach that brings their business to its knees before they spend the time and effort to become secure? I suppose time will tell.

A cavalier attitude that lets convenience override security will unravel soon enough. Sound policies and processes are just good business and greatly reduce the risk of exposure and security breaches; judging by this latest breach, it's something Über is not strictly following.

If you believe that your company is not addressing security or privacy in a way that protects your business, your customers, and/or the information relating to either, contact Intact Security. We can perform a health check on your security or privacy, or, if you believe you have suffered a breach, Intact Security can perform digital forensics to determine how it happened and how to make sure it doesn't happen again.

Contact Intact Security today for an obligation-free consultation. We help you protect your business and your customers.

Relax. Your security is Intact.



Boom! Your business has been hit by malware or a phishing attack.

By Martin Quinn (Principal Consultant) 21 November 2014

You frantically try to understand how these bad guys got in, and then your thoughts turn to what did they access and take?

Many businesses don't know where to start or what steps to take. But if your business acts quickly and follows these 3 steps, you may well recover quickly and end up with a more secure business as a result.

Step 1 – Identify and Contain

Naturally, the first step is to understand the nature of the breach.

  • What happened?
  • Where did it come from?

Whether it came from a dodgy phishing scam or a dubious click on a social media site, the result is the same. So the first step is to identify the entry point and contain the malware. This is easily done if your business has technology that logs and monitors for this type of activity. If not, your best bet is to disconnect the device from your network: stop all network activity by turning off wireless or disabling Ethernet ports. This way the malware cannot phone home and you have isolated it from potentially infecting other devices and systems.

Step 2 – Eradication

Now that you have identified the culprit and stopped it from spreading, it's time to clean it up. Malware can be a slippery sod: robust and up-to-date antivirus and malware protection may do the job, but malware can be cunning, embed itself into processes, hide in plain view and burrow deep into the core of your system. So it's prudent to use secondary and tertiary products to reinforce your current solutions, tools such as Malwarebytes or Spybot Search & Destroy, for example.

Even if only one or a few devices appear to be infected, all devices should be scanned and cleaned. Additionally, the domain from which the malware originated must be identified and blocked to prevent future downloads and stop the malware from phoning home. It's good practice to assume that the credentials on the device have been compromised, and the affected users (or better still, all users) should change their passwords. This prevents the evil actor from revisiting the scene of the crime later. (BTW, a password breach is an excellent opportunity to beef up password strength requirements.)

Step 3 – Recovery and Lessons Learned

Next, organizations must work to discover exactly what damage may have been done due to the breach. Here's where user and application activity monitoring solutions come in handy. If they've already been deployed, IT can comb through the logs to identify suspicious behaviour, for example: frequent logins, repeated login attempts, logins at unusual times, and large or otherwise anomalous file downloads or data access. If you do not have a robust activity monitoring solution in place, the task of rooting out what data has been stolen becomes much more difficult, but it provides an opportunity to make the case for such solutions in future.

If any sensitive or confidential data has been stolen or exposed due to the security breach, the organization should follow the guidance of its legal counsel as far as disclosure and further legal action.

Finally, security breaches almost always demonstrate a need for more user education. If the breach was due to malware, it is time to remind all employees of the dangers of media links and how to identify and avoid suspicious ones. On the other hand, if the breach was due to a phishing scam, employees may need a refresher course in online stranger danger. As mentioned above, account credential compromises also present an opportunity to beef up password strength requirements and to educate users on the importance of strong passwords.
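As an added example, not part of the original post, here is a small Python triage script that implements the three log checks named in Step 3 (repeated failed logins, logins outside business hours, large downloads) over constructed sample log lines; the key=value log format, the thresholds and the function names are my own assumptions, so adapt parse_line() to whatever your monitoring tool actually writes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real data) in an assumed
# "timestamp key=value key=value ..." format.
SAMPLE_LOG = """\
2014-11-20T09:12:01 user=asmith event=login_ok src=10.0.1.20
2014-11-20T09:15:40 user=asmith event=download path=/share/expenses.xlsx bytes=204800
2014-11-20T22:47:03 user=bjones event=login_failed src=203.0.113.9
2014-11-20T22:47:09 user=bjones event=login_failed src=203.0.113.9
2014-11-20T22:47:15 user=bjones event=login_failed src=203.0.113.9
2014-11-20T22:47:22 user=bjones event=login_failed src=203.0.113.9
2014-11-20T22:47:30 user=bjones event=login_failed src=203.0.113.9
2014-11-20T22:47:41 user=bjones event=login_ok src=203.0.113.9
2014-11-20T22:52:10 user=bjones event=download path=/share/expenses/ bytes=734003200
2014-11-21T08:30:00 user=cwong event=login_ok src=10.0.1.31
"""

# Assumed thresholds; tune them to your own environment.
FAILED_LOGIN_THRESHOLD = 5                  # failures per user before we flag
BUSINESS_HOURS = (7, 19)                    # logins outside 07:00-19:00 are "unusual"
LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024    # 100 MB

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    try:
        event = {"ts": datetime.fromisoformat(ts)}
    except ValueError:
        return None
    for field in rest.split():
        key, sep, value = field.partition("=")
        if sep:
            event[key] = value
    return event


def analyse(log_text):
    """Return a list of (rule, user, detail) findings for the three checks."""
    findings = []
    failed = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "user" not in ev or "event" not in ev:
            continue  # skip blank or malformed lines rather than crashing mid-triage
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        if kind == "login_failed":
            failed[user] += 1
            # Flag once, at the moment the user crosses the threshold
            if failed[user] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated_failed_logins", user, ev.get("src", "?")))
        elif kind == "login_ok":
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                findings.append(("login_outside_hours", user, ts.isoformat()))
        elif kind == "download":
            try:
                size = int(ev.get("bytes", "0"))
            except ValueError:
                size = 0
            if size >= LARGE_DOWNLOAD_BYTES:
                findings.append(("large_download", user,
                                 f"{ev.get('path', '?')} ({size} bytes)"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyse(SAMPLE_LOG):
        print(f"{rule:25} {user:8} {detail}")
```

On the sample above, all three rules fire for the same account within minutes of each other, which is exactly the kind of chained behaviour worth pulling on first during Step 3.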

Security breaches can cause real damage and be very alarming, but they need not be the end of the world. By taking quick action, your business can rebound quickly and become safer than before. You only need to learn from the mistakes.

Intact Security hopes these steps have assisted your business. If you have any questions, or even some further tips, please contact us.

Relax. Your security is Intact.



Rebuilding Trust is Expensive

By Martin Quinn (Principal Consultant) 4 October 2014

Rebuilding trust is an expensive exercise that most businesses should avoid at all costs. Trust is something that is often earned over time, and once lost, is difficult to recover. In business this also rings true, businesses forge trust over time, whether it be business to business (B2B) or business to consumer (B2C), trust is earned by consumer confidence, brand reputation and delivering good products or services.

If your product or service becomes sloppy, disconnected or inferior in quality, a business can quickly address this by increasing quality, tightening up delivery and reconnecting with customers. But when consumer confidence or brand reputation is damaged, it is a long road to recovery.

This type of damage can occur in many forms, for example:

  • a privacy breach
  • being hacked,
  • loss or exposure of data, or
  • just lackadaisical business processes.

A privacy breach not only causes damage to the business, but with the enforcement of the new Australian Privacy Principles (for businesses of $3M revenue), it could also incur a hefty fine ($1.3M). An organisation that has been hacked could not only have suffered a privacy breach, but could also have had intellectual property stolen (lost data), which could jeopardise its market position and competitive edge. Poor business processes can cause damage by leaving an organisation open to litigation (internal and external), and careless business processes can also directly affect the bottom-line profit and loss.

Organisations can protect themselves through a multifaceted, security- and risk-based approach. A risk-based approach takes into account those items which are considered important or sensitive, reviews the threats to these items and the likelihood of each threat, and finally asks, if the threat occurs, what the impact on the business is. If the final result is high impact, then this item requires security and protection.

A risk assessment helps a business identify the threats, likelihood and impact, and gives the business focal areas in which to apply security and protection. Where the threats are unknown, businesses should look to test the current security and protection. This way the business understands what is termed the "threat landscape". If adequate protections are in place, great: the threat is understood. However, if protections are lacking, the business can look at reinforcing or replacing the current protections, and the threat and risk are understood.

Doing the above can help rebuild trust once it has been damaged, and it will definitely help to solidify trust moving forward. But once trust has been damaged there will always be some residual damage.

Intact Security has extensive technical knowledge and experience in assisting businesses address, overcome and improve their security posture and strengthen trust. With the capability to perform risk assessments, privacy impact assessments, vulnerability assessments, penetration testing (ethical hacking), security awareness and policy development, you can relax, your security is Intact.

So be proactive and don't become a statistic; security is impossible to implement retrospectively. Contact us today for an obligation-free consultation.

Intact Security offers a 1-hour free consultation. Please contact Intact Security today to book your consultation on (02) 8070 0083.

Relax. Your security is Intact.



What are hackers after anyway?


By Martin Quinn (Principal Consultant) 1 October 2013

So you think you may have been hacked, you engage a specialist (like Intact) to detect, clean up and eradicate any type of malicious code or backdoors that a hacker may have put on your systems. Your systems are given a clean bill of health but the question that lingers is, what were the hackers after and what did they get?

Many businesses think first that they aren't targets of hackers; they believe they are too small or don't have anything of value that a hacker wants (i.e. we're not a bank), but this is not true. The reason a hacker will attack is precisely because you aren't a bank!

The hacker's modus operandi (MO) is to pick an easy target: one that has little or no security or security resources and, again, a business that operates with the mentality that it isn't a bank. That way the chances of successfully getting in, staying undetected, and collecting and extracting what they are after are greatly increased.

So, once they have identified your business as a target, they poke and prod your business for a way in. The most common is to forge or impersonate an email with an attachment and send it to a bunch of employees, in the hope that someone will click and open it... and sadly someone will. This gives them their entry point. From here the hacker goes about searching and accessing local files and then share drives, looking for personally identifiable data or anything that resembles credit card details (e.g. that share folder with expense claims is usually a gold mine).

So now they have identified the information, and begin to extract it from your business, what next?

Depending on the amount of information and the hackers motivation, they will either use the data locally (buying items on the internet, etc.) or place it on the underground market and sell the information. One might think that this information is sold at a premium and to the highest bidder….wrong, it becomes a cheap commodity, some credit card details can be sold for as little as 20 cents each.

Hackers view these as victimless crimes, with banks and insurance companies bearing the brunt of damage. However identity theft can cause long term credit problems for individuals and in extreme cases have criminal implications (in recent times a victim of identity theft was wrongfully associated with a paedophile syndicate).

If you believe that you have been hacked, are worried you may have been hacked, or your systems are acting unusually, you may have been the target of hackers. Intact Security can check whether you have been the victim of an attack and assist in responding and recovering from hackers to get your business back on track and protect you from further attacks.

If you would like further information on how we can help you secure your business and/or website, please contact Intact Security on (02) 8070 0083.

Relax. Your security is Intact.



SHELLSHOCK – The Sleeper Amongst Us


By Martin Quinn (Principal Consultant) 30 September 2014

There has been an amazing amount of media coverage in the past week regarding Shellshock or the Bash (Bourne Again Shell) vulnerability, (if you haven’t heard about it you must be hiding under a rock). However, Shellshock is not new, it’s a bug that’s been around for over 20 years – a true sleeper amongst us.

Shellshock is a vulnerability found in the Bash shell, a common command-line interface used to access an operating system's services on Linux, Unix, BSD and Mac OS X. The Bash command interpreter lets users execute commands on a computer, and it is this ability that the vulnerability targets, allowing attackers to run malicious scripts on systems and servers – i.e. game over. Shellshock is the real deal: the US National Vulnerability Database has assigned Shellshock a 10/10 severity rating, and due to Bash's widespread use it has the potential to do significant and widespread damage.

The Shellshock vulnerability, when exploited, serves as a backdoor for a hacker to carry out commands, take over a machine, dig into servers, steal data and deface websites. Most computers and Internet-enabled home devices such as routers, Wi-Fi radios, and even smart light bulbs running on a Linux OS are most likely affected. CCTV cameras, for example, are often Linux-based, and these devices can also be hacked and used as infection vectors.

Just hours after the news of the Bash vulnerability (covered under CVE-2014-7169) broke, it was reportedly already being exploited in the wild. Possible attack scenarios range from changing the contents of web server and website code, to defacing the website, and even stealing user data from databases, among others.

Malware protection vendors have been quick on the uptake to address the issue and have already detected malware such as ELF_BASHLITE.A, which is capable of launching distributed denial-of-service (DDoS) attacks and brute-forcing logins, enabling attackers to possibly obtain lists of login usernames and passwords.

It was also reported that Shellshock may affect Bitcoin/Bitcoin mining, meaning attackers may potentially create armies of bots to perform these tasks.

What can you do?

Update firmware and operating systems, and install security updates. Use Shellshock detection tools or plug-ins to scan for likely vulnerabilities and exploits. For system admins: patch your systems immediately and closely track your network activity.
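As an added example (not from the original post), a small Python self-check you can run on a host to confirm whether its local bash still imports a command appended to an exported function definition from the environment, which is the behaviour the Shellshock patches remove; the variable name, marker string and helper names are my own choices.

```python
import os
import shutil
import subprocess

# Marker we expect to see in the output only if bash imports and runs the
# command that follows the function body in the environment variable.
MARKER = "SHELLSHOCK_TEST_MARKER"


def bash_is_vulnerable(bash_path=None):
    """Return True if the local bash executes code appended to an exported
    function definition, False if it is patched, None if bash is absent."""
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.path.exists(bash):
        return None
    env = dict(os.environ)
    # The value looks like an exported bash function followed by a command.
    # A patched bash treats it as an ordinary variable and prints only
    # "probe"; an unpatched one also runs the trailing 'echo'.
    env["x"] = "() { :;}; echo " + MARKER
    result = subprocess.run([bash, "-c", "echo probe"], env=env,
                            capture_output=True, text=True, timeout=10)
    return MARKER in result.stdout


def report():
    """Human-readable verdict for the local host."""
    state = bash_is_vulnerable()
    if state is None:
        return "bash not found; nothing to check"
    if state:
        return "VULNERABLE: bash still imports trailing commands, patch immediately"
    return "patched: trailing command ignored"


if __name__ == "__main__":
    print(report())
```

Run it after applying vendor patches as well as before; the follow-up fixes for Shellshock shipped over several days, so re-checking after each update is the cheap part of "patch your systems immediately".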

If you or your business believe you have fallen victim to an attack, contact Intact Security today. We can assist with incident triage, identifying how you were breached, and reducing the risk of this ever happening again.

Intact Security offers a 1-hour free consultation. Please contact Intact Security today to book your consultation on (02) 8070 0083.

Relax. Your security is Intact.



To certify or not to certify: That is the question


By Martin Quinn (Principal Consultant) 3 July 2014

Many of my customers and colleagues alike have been asking the same question in recent times: do you think we should get certified? Or what value do you see in being certified? My answer is: it depends on your organization.

I have been an ISO 27001 auditor for several years, and I have also been involved in PCI certifications and APRA and IRAP assessments in one form or another for almost 8 years, so I have a good grasp of what is involved in the certification process.

So why would an organization want certification? Is it to meet a business requirement? Is it to gain a competitive edge over the competition? Is it a legislative requirement? Is it to become more efficient and effective?

Most organisations fall into one of the above categories.

No business wants to scrutinize the way they operate and be answerable to a 3rd party just for kicks – there needs to be a strong reason.

That said, certification does provide a lot of positive outcomes for an organization.

Businesses that are certified have proof positive that they operate in a defined, managed and repeatable manner, and that an external, unbiased body has verified this.

The value this provides is twofold:

Prospective customers

  • reduced costs in due diligence (additional assurance that they can trust the business)
  • meet business requirements

Current customers

  • improves product and service quality and consistency
  • continuous improvement culture already in place

Many businesses that proceed to obtain certification also gain a better understanding of how their business operates, through understanding the relationships between stakeholders and technical capabilities, making for a more efficient, and often more collaborative, approach to meeting their business objectives.

As noted above, Intact Security has extensive experience across many governance and compliance regimes. Where we provide value is in assisting businesses to prepare for and achieve the requirements for certification in less time than it would take internal resources.

Drawing on this experience, Intact Security provides preparation advice, guidance and focus on what meets the certification requirements, in the context of your business, clearing a path to certification.

Intact Security offers a 1-hour free consultation to understand and advise whether your business is suitable and ready for certification. Please contact Intact Security today to book your consultation on (02) 8070 0083.

Relax. Your security is Intact.



Australian Privacy Principles – 10 Quick Tips


By Martin Quinn (Principal Consultant) 20 January 2014

Many businesses may not be aware of the imminent changes regarding the Australian Privacy Principles (APP) and how they affect their business. Previously these principles were known as the National Privacy Principles (NPP), and as of 12 March 2014, the amended principles will be enforceable by the Office of the Australian Information Commissioner.

The NPP previously covered 10 principles; the new Australian Privacy Principles have been expanded to cover 13. Under the new changes, a number of APPs are significantly different, for example Australian Privacy Principle 7 on the use of personal information for direct marketing and Australian Privacy Principle 8 on cross-border disclosure of personal information.

The Australian Information Commissioner (the Information Commissioner) will also have enhanced powers, which include the ability to:

  • enforce undertakings
  • seek civil penalties in the case of serious or repeated breaches of privacy
  • conduct assessments of privacy performance for both Australian government agencies and businesses.

You can see that the playing field has changed significantly. But the main question is: how does this affect me? Businesses need to ask themselves the following questions and be able to adequately answer them through documentation and processes:

1) Do you handle Personal/Sensitive information? Do you have a privacy policy?

Answer: Only collect information you need. Ensure that individuals know what you collect and why.

2) Do you currently have any procedures for handling this type of information? Do you know what to do in the event of a complaint?

3) Do you collect sensitive data that requires higher protection than other sensitive data?

Answer: Document and tell people how you are going to handle the personal information you collect about them. Make sure individuals can access their personal information if they want to.

4) Do you receive unsolicited personal information? How do you deal with it?

5) For what purposes do you disclose personal information?

6) Do you use personal information for direct marketing purposes?

7) Does your business utilise government identifiers? Are you permitted to use these identifiers?

Answer: Think before disclosing personal information. Make sure you understand what you can and cannot disclose.

8) Does your business reconcile the personal information to ensure it is up to date, complete and accurate? How does your business make corrections to personal information if need be?

Answer: Keep personal information accurate and up to date.

9) Has your business taken measures to ensure that personal information is protected? And how do you destroy the information when it is no longer needed?

10) Does any personal information leave our borders? Do you have arrangements with the recipients on how they deal with this information?

Answer: Keep personal information secure. Don't keep information you no longer need or that you no longer have to retain.

As you can see there is a lot to think about and implement in a relatively short period of time. If your business needs help to understand the 13 Australian Privacy Principles, or needs to overhaul your current processes and policies, contact Intact Security today for an obligation-free quote on (02) 8070 0083.

Relax. Your security is Intact.



Mobile cybercrime in Australia on par with rest of the globe


By Martin Quinn (Principal Consultant) 12 December 2013

Mobile cybercrime is on the rise, both here in our own back yard and across the globe. Over the past year cybercrime here has cost upwards of $1.1bn, with victims averaging around $200 each, according to the 2013 Norton Report on security.

This dollar figure is almost on par with the US, where the cost was US$1.1bn with an average cost per victim of US$298. Cybercriminals have capitalised on ever-increasing smartphone (both iPhone and Android) exploits, with 32 per cent of Australian smartphone users experiencing some form of cybercrime over the past 12 months, and 60 per cent of adult smartphone consumers having experienced cybercrime during their lifetime.

What is most alarming, though, is that many smartphone users are unaware that security solutions exist to mitigate and combat these cybercriminals, many of which are free or low cost. These range from file encryption, antivirus and malware protection, spyware protection and personally identifiable information/privacy protection to anti-theft GPS tracking utilities, to name a few.

But these statistics cannot be squarely aimed at the device itself: cybercrime can occur when the user joins an unsecured or unknown local Wi-Fi hotspot, leaving them open to man-in-the-middle attacks and data sniffing. So users too have to have their wits about them; as users we should always be cognisant of trading security for convenience.

That said, cybercriminals are often on the front foot, with recent exploits being discovered in the underlying baseband operating system that co-exists in all smartphones to communicate with the base stations over which calls are made (likened to traditional man-in-the-middle attacks). This overlooked operating system has the capability to override or bypass the smartphone (application) operating system without the user being aware that anything has happened at all.

As the lines have blurred between traditional work-oriented devices (i.e. the old BlackBerry of days gone by) and devices through which many people today live their lives (banking, email, calls, calendars, gaming and other leisure apps), it's clear and apparent that cybercriminals will be able to milk the smartphone cash cow for some time to come.

If you believe that your business would benefit from Intact Security performing a security health check to measure whether your business is at risk, contact us today for a no obligation consultation on 8070 0083.

Relax. Your security is Intact.



Data Privacy, Security and Sovereignty – serious cloud question or storm in a teacup?


By Martin Quinn (Principal Consultant) 6 December 2013

Data sovereignty is a hot topic when talking in security circles. Many organisations who move to the cloud and use services like Amazon or Azure often overlook the issues of data sovereignty, blinded by huge cost savings and lower TCO or massive redundancy and uptime on offer.

So why is data sovereignty an issue at all?

Well, only in recent times have cloud providers such as Amazon offered services physically located on the Australian continent. The location of a cloud provider can make data accessible to non-nationals and international government agencies under their local laws. For example, the Personal Data Protection Act (Singapore & Malaysia) and the German Federal Data Protection Act (FDPA) (Bundesdatenschutzgesetz, BDSG) both have caveats regarding how personal information is accessed by government agencies and businesses, and the Patriot Act (USA) contains provisions allowing the US government access to records for intelligence and terrorism investigations.

Then what of privacy concerns?

Any organisation moving its information into the cloud must have a reality check and do so with its eyes open. With greater accountability and obligations on individuals and businesses when the (previously "toothless tiger") Privacy Act comes into force in March next year (2014), those businesses found to be in breach could face fines in excess of $1.3 million.

The Privacy Act and the subsequent Australian Privacy Principles (APP) outline that organisations must take reasonable steps to protect the personal information of customers and individuals from misuse, modification, loss or disclosure. To avoid breaching the APPs, businesses that utilise a cloud provider need to know where data is transferred, processed and stored.

What about Security?

Moving your organisation to the cloud (or to an MSP, for that matter) invariably means that the business releases some or all control over its data. Because of this, businesses must take into account (and perform due diligence on) how their data is handled while in transit and while at rest in remote storage. Businesses must feel comfortable with the assurances the cloud provider's security provides, and that contracts reflect responsibilities and penalties should these not be met. It is usually a good idea to seek an independent security audit early, as well as establishing an ongoing audit regime for peace of mind. Combine this with well-defined policies and procedures on how data is accessed, and your business should be comfortable in closing off any security concerns.

Having taken into account these three issues: are they serious questions that need to be answered? Yes. Are they just a storm in a teacup? Perhaps. But if you have any concerns or apprehension about whether the cloud provider you have been looking to move to ticks all of these boxes, then maybe they aren't the right provider for your business.

Intact Security understands information security and the pitfalls of privacy, security and data sovereignty. We can help you develop a strategy on how to best manage this for your organisation. Call today for a no obligation consultation on 8070 0083.

Relax. Your security is Intact.
