Whitelisting vs Blacklisting

I have always found this an interesting concept: whitelisting and blacklisting. From what I can gather:

Whitelisting means one is given access to a specific entity and there is an implicit deny for all others trying to access it.
Blacklisting means one is given an explicit allow to the entity and a list of denies is given for those who are not to be given access.

Per Schneier,
“Access control is whitelisting: if you know the password, or have the token or biometric, you get access. Antivirus is blacklisting: everything coming into your computer from the Internet is assumed to be safe unless it appears on a list of bad stuff.”

For a firewall, I would perceive that an access control list which implements whitelisting would be the way to secure your perimeter, as there are too many vectors to deny in a common web space.
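The firewall point above, as an added example that is not part of the original post: a first-match access control list evaluator, run once as a whitelist (named trusted ranges, implicit deny) and once as a blacklist (named bad ranges, implicit allow). The address ranges and sample sources are constructed for the example; the interesting row is the source that appears on neither list, because that is where the two policies diverge.

```python
import ipaddress

# Constructed sample data for this example (assumed values, not from the post):
# address ranges the firewall knows about and a few source addresses to test.
TRUSTED_SOURCES = ["10.0.0.0/8", "203.0.113.0/24"]           # what a whitelist names
KNOWN_BAD_SOURCES = ["198.51.100.0/24"]                      # what a blacklist names
SAMPLE_SOURCES = ["10.1.2.3", "198.51.100.7", "192.0.2.44"]  # the last is on neither list

# An ACL is an ordered list of (network, action) rules plus a default action.
# The rules are consulted first-match; the default decides everything unmatched.
def build_acl(networks, action):
    return [(ipaddress.ip_network(n), action) for n in networks]

def evaluate_acl(rules, default_action, address):
    """First-match evaluation: return the action of the first rule whose network
    contains the address, or the ACL's default action when no rule matches."""
    ip = ipaddress.ip_address(address)
    for network, action in rules:
        if ip in network:
            return action
    return default_action

# Whitelisting: name what is trusted, implicitly deny everything else.
WHITELIST_ACL = build_acl(TRUSTED_SOURCES, "allow")
# Blacklisting: name what is known bad, implicitly allow everything else.
BLACKLIST_ACL = build_acl(KNOWN_BAD_SOURCES, "deny")

def whitelist_decision(address):
    return evaluate_acl(WHITELIST_ACL, "deny", address)

def blacklist_decision(address):
    return evaluate_acl(BLACKLIST_ACL, "allow", address)

def compare_policies(sources=SAMPLE_SOURCES):
    """Map each source to (whitelist decision, blacklist decision). The two only
    differ for sources on neither list, which is exactly where the policy choice bites."""
    return {s: (whitelist_decision(s), blacklist_decision(s)) for s in sources}

if __name__ == "__main__":
    for source, (wl, bl) in compare_policies().items():
        print(f"{source:>14}  whitelist={wl:<5}  blacklist={bl}")
```

The unknown source 192.0.2.44 is denied by the whitelist ACL and let through by the blacklist ACL; every new, not-yet-listed vector behaves the same way, which is the reason to prefer the implicit deny on a perimeter.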

Thanks to Schneier, I finally got the right idea. The best article for this:
https://www.schneier.com/blog/archives/2011/01/whitelisting_vs.html

cbdfree, free of authentication

cbdfree is a free Wi-Fi service provided by Wellington City Council for the city's inhabitants. It is a massive project which covers the golden mile, and perhaps a particular radius of the city bounds. Up to a few months back, cbdfree had a typical public Wi-Fi make-up whereby you connect to the Wi-Fi hotspot/AP, cbdfree, and you are redirected to a login page. You then accept the terms of use, get to use it for a given time, and click ads to continue usage.

Good… 
Today, I realised that this was not the case: I just connected to the AP, I did not have to do any form of terms and conditions agreement, and voilà, I am surfing the internet. Wellington City Council has to review this, as some bad guy might harvest information through an open network and compromise all users of the free service.

Agile Project Management and Risk Based Approach

As the security landscape gets really dynamic and threat landscapes increase, there is a big need to change the way business owners think about improving their security architecture and design.

The first lesson learnt when one is working in a big enterprise is the use of the risk-based approach. Risk-based approaches weigh a calculated measure of risk against the action taken to counter it. A great definition of what a risk-based approach means in the context of information security is given by SANS in their Information Security Risk Management paper, MGT442. They give ten great points, which are the following:

1. Develop basic security and policy standards
2. Establish an asset inventory (yes, you know where this came from: the SANS Top 20 CC)
3. Establish Information Security leads
4. Implement an Enterprise Risk Committee
5. Define a common approach to risk calculations
6. Establish a threat and vulnerability assessment program
7. Establish a compliance to standards review process
8. Conduct basic risk assessments for vendors
9. Implement a risk and assessment tracking system
10. Launch a risk awareness campaign.

Given all the points above, we can always fall short in following up on one of these ten points when implementing the RBA (risk-based approach). To counter this, we can implement AGILE to run active follow-ups and improve the maturity of the security space in the organisation. So one might ask: what is AGILE? AGILE is …

https://en.wikipedia.org/wiki/Agile_management

Yes, it's a dynamic and iterative method of managing a project. It complements the dynamism of the security and risk space in the current age.

So, are you ready to implement this marriage of two systems into your organisation?

Snapper.co.nz | SHA1 remediation needed.

Snapper is a known service that Kiwis use for a lot of things, from car park fees to buses, and sometimes even food shops.

Out of curiosity I decided to take a sneak peek at the SSL certificates of Snapper and, to my surprise, it is... still on SHA-1. The best part of this is that my ever-trusty Google browser gave me an indicator that the site might not be secure.

What is SSL?
https://www.digicert.com/ssl.htm

So, to cut the story short, I was surprised that my logged-in account showed as insecure.

I do agree that it can be secure, but perhaps it is partially secure due to its weak signature algorithm throughout its trust chain. I have pointed this out to Snapper on their Twitter channel, and I hope they remediate this soon.

Another flaw on the site is the bad design of having a feedback page on HTTP when it is supposed to be on HTTPS. It is a transaction of personal and confidential information to Snapper. The least they can do is secure it properly. Time to step up, Snapper.

Just a point to note: Snapper is behind the AWS cloud, but that still does not warrant a weak SHA-1 digital signature algorithm and a weak RC4 cipher.
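The "still on SHA-1 throughout its trust chain" observation above, as an added example that is not part of the original post and not Snapper's code: a stdlib-only check that walks each DER certificate in a chain, reads the outer signatureAlgorithm OID and flags the SHA-1 and MD5 ones. The certificates it runs on are constructed dummies (an empty tbsCertificate and a placeholder signature bit string, so only the algorithm field is real); a real chain would be fed in as PEM through pem_to_der.

```python
import base64

# Signature-algorithm OIDs this check recognises: the first group is what a
# "still on SHA-1" (or worse) chain looks like, the second what it should be.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
KNOWN_OIDS = {**WEAK_SIGNATURE_OIDS, **STRONG_SIGNATURE_OIDS}

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip the BEGIN/END CERTIFICATE armour and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the first element and return the OID inside the second."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)           # tbsCertificate, not needed for this check
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def assess_chain(chain_der):
    """For each certificate (leaf first) return (index, algorithm name, is_weak)."""
    report = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm(der)
        report.append((i, KNOWN_OIDS.get(oid, oid), oid in WEAK_SIGNATURE_OIDS))
    return report

# --- constructed test material (dummy certificates, not real Snapper ones) ------
def encode_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(signature_oid):
    """A structurally valid Certificate with an empty tbsCertificate and a dummy
    signature BIT STRING; only the signatureAlgorithm field carries real content."""
    alg_id = encode_tlv(0x30, encode_tlv(0x06, encode_oid(signature_oid)) + b"\x05\x00")
    return encode_tlv(0x30, encode_tlv(0x30, b"") + alg_id + encode_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    chain = [fake_certificate("1.2.840.113549.1.1.5"),    # leaf signed with SHA-1
             fake_certificate("1.2.840.113549.1.1.11")]   # intermediate with SHA-256
    for index, name, weak in assess_chain(chain):
        print(f"cert[{index}] {name:<26} {'WEAK' if weak else 'ok'}")
```

One caveat when reading the report: browsers never verify a trust anchor's own self-signature, so a SHA-1 root in the chain is noise, while a SHA-1 leaf or intermediate is what turns the padlock into a "partially secure" indicator.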

Process Driven Approach vs Fundamentals

I have worked for 3 years in a huge multinational company: driving tickets, making decisions, bringing systems up. Yes, I was great in my previous organisation, but what did all that teach me? It taught me about business, and it also taught me that fundamentals are not the key driver in getting things done; it is the speed of a solution.

Fundamentals, a long-forgotten art of learning. It is a forgotten thing in multinational companies in Malaysia. I wish I had taken that time and spent it learning.

My advice: learn your fundamentals.

Aura Info Sec Hack It Challenge | how do you practise?

Maybe I have posted this before, but I thought I would post it again. If you want to be a pen tester at Aura, this is where you start. Aura is the boutique company for security testing 🙂

Pentesting at Aura.
https://www.aurainfosec.com/penetration_testing.html

The challenge: get it right, send your CV and you have a chance to join them.
http://canyouhackit.no-ip.biz/aws/signup.php

How do you practise for the Aura challenge? :) Yes, we all ain't geniuses, so we need practice!
https://cyberchallenge.com.au/

CYSCA is an awesome competition to pick future talent in Australia. It is a competition amongst universities. Have a look at that site; you will have to download: https://cyberchallenge.com.au/inabox.html

Play around, practise, and you will be ready for the challenge, at least. Practice makes perfect 🙂

Software Defined Networking

SDN is an interesting concept adopted to give network administrators more control over how data traverses a network. From access control lists to routing information, this empowers engineers to configure what they need, minus the black-boxed code made by vendors like Cisco and Juniper.

Sounds good? Yes, it's awesome, but how do you put this idea to a bunch of guys who only understand risks, accountability and standards of practice? I believe SDN is a dated technology which needs more focus on a common standard of practice. Let's leave that for another day.

What is SDN?
http://searchsdn.techtarget.com/definition/software-defined-networking-SDN

Want to learn for free?
https://www.coursera.org/course/sdn

First, this is the link to the workshop:
http://ecs.victoria.ac.nz/Events/SDNWorkshop

Second: Mininet is an awesome emulator for SDN. Look for the Ryu controller as well.
https://github.com/mininet

Third: the big boys are in the game too, like VUW, REANNZ, Google and Catalyst. The government? Not sure.

Leave me a note if you are keen to have a further discussion on this.

Safe website settings

Websites are great for marketing. They are also great for gaining personal information. Yes, personal information. How do attackers gain an advantage? Simply by “listening” to your encrypted transactions. The latest issue is the use of SHA-1 for signing, which is deemed not secure anymore.
How do you then secure your site which holds personally identifiable information? Get certificates with SHA-2 as the signing algorithm. Google Chrome has made it easy for us to identify how secure our website is.

First step: update Google Chrome.
Second step: tell your website admin to update your certs to SHA-2 and use TLS 1.2.
Third step: practise safe coding practices, like CSP.

For more information, drop me a note.