Welcome

Welcome everyone to my Security blog, I will have migrated over previous posts from http://www.morganstorey.com as we go.
All of the ones from the previous few months have been coppied across, any beyond that will have been indexed by google(and was before I used tags so it will take to long).
I have added RSS and ATOM feeds to both blogs, please subscribe over on the left if it interests you.

Makes the blood boil.

So if I haven't already ranted at you in some way shape or form, you may not know of the Australian government's short-sighted plan to add us to the ranks of oppressive regimes such as Iran and China. In fact that is unfair as Iran's proxy is considered to be looser than the one Senator Conroy wants to implement.
The long and short of it is that Conroy wants to restrict what pages are available to Australian internet users. Sure it is for the kids (won't someone think of the children)… But as I have said to people I would rather my children see the entirety of the disgusting underbelly of the internet than have one single thought provoking site blocked. Not to mention the degradation to performance in a country that is already considered one of the worst in the world for connectivity. In Sweden groups appealed to the government saying 100mbps is welfare. Here most people are still on 1/200th that speed, and with Conroys plan that 1/200th would lose anywhere from 2-80% of its speed, welcome back to dial-up days.
There are a plethora of sites that are likely to be blocked because they aren't "kid" friendly. June next year you will probably see the below when going to user content generated sites such as Youtube and Facebook:

Here is a news flash senator; kids get hold of porn even if you restrict it, even in the pre-internet days. So what your doing will only have negative effects. Parents with no IT knowledge will have a false sense of security and not monitor their kids browsing habits, these same kids will find ways round your precious filter, and these methods that will become popular may even make it harder for parents and educators to monitor their usage.
The filter will slow down internet access and again the people with little IT knowledge will have no idea how to get around it for legitimate sites that are blocked. Then there is the cost which you are expecting ISP's to mostly cover off their own bat, which will increase internet costs in a country that already pays too much for too little.
Way to go Senator you deserve your award:

I feel lost; I don't know what to do. I feel as though someone has decided freedom of information is a bad idea, so let's mandate it. Then what do you do. Once the book burning starts it is hard to stop.
I have emailed the Senator and his opponents, and the letters are in the mail.
I urge everyone to look at the following sites and take action: http://nocleanfeed.com your silence is all they need to pass this and then you are no better than them.
Peace out all, except Conroy and his supporters who can just unplug their computers, televisions, and burn their books for the same effect they are trying to mandate.


PS: I am starting up a dedicated security Blog as I want to separate the two, this of course crosses both blogs so expect to see it on both. My new Security blog is linked on the left or here: http://security.morganstorey.com

Social Engineering

I think possibly the equal first security threat facing all business today is that of Social engineering. I say equal first, because a lot of insider threats would probably fall under this banner. The employee, lets say his name is John calls up the helpdesk, he tells them his name is Sam, and that he has forgotten his password. You of course see where I am going with this, the helpdesk happily resets Sam's password, John knows Sam is out to a long lunch and has access to files he doesn't. He logs in as Sam, gets the files he needs and then logs out, maybe even leaving a post-it on Sams screen saying the helpdesk had to reset his password to blah, so the helpdesk doesn't get another call and get suspicious.
John know has all the files on his cheap USB disk, or in hard copy and does with them whatever it is nefarious people do with data to make a buck.
I have seen mitigation techniques for the one I mentioned above, all users have a password reset word, something they wouldn't have as a password and stored in plain-text for the helpdesk to see. This will mitigate it, unless John says he forgot it and to send someone down, the helpdesk guy may not know John or Sam, and as long as John is in Sam's office still acting like he owns the place he will probably get away with it.
Social Engineering is scary for another reason in that even non-technical users can do it. I remember I had a client once who had a relitively new employee call up asking for some permissions to files he needed for work. I knew his role was to do with those files and I knew his voice over the phone (as funnily enough he had moved from one client to another). Still I decided to call his manager to get the ok. She didn't give it, and was a bit distrubed that he had asked for the access. Horray one for the good guys.
Have a look here at how easily some guys doing a sprite commercial pulled off some non-harmful social engineering.
Here is a very thourough article on the subject.
And here is my first shirt design on cafepress, totally on topic.
Really though combine some social engineering with technical knowledge the smarts to think of the good-guys mitigation techniques and the connections to make money off your exploits and you have a major foe to be reaconed with.
I think in future we will need to audit our people as much as we do our security systems. Having someone who won't suffer the repricussions of the law come in randomly and do spot checks would keep people on their toes, but it also comes down to having the personal touch, knowing people by name, by their voice, by their face. Maybe the solution is smaller decentralised IT departments, say one for each department and at least one at each site, this lessens the body of knowledge but increases the likelyhood of the staff member knowing the other. I don't know, someone will come up with a solution eventually.