Posts

Showing posts from June, 2013

PRISM, Meta Data & Minority Report: Why you should be conerned

Image
As the privacy debate continues to rage about PRISM, assurances are surfacing defending the US government agencies PRISM approach, namely the covert monitoring of all internet traffic. The arguments put forward are that "we need to have PRISM to combat terrorism", "you have no need to worry if your not a terrorist" and "don't worry its only meta data we keep".  How does PRISM combat terrorism? What is meta data? Should we really be concerned if we are not terrorists? The definition of meta data is, information about information, still not clear?  Let me explain with an example.  Take a phone call, the meta data is not the actual recording of the call, but is the information about the phone call, so who the call was made to, the length of the call, the date, time of day, and keywords spoken on the call (via voice recognition). This is an example of the meta data most likely kept. In an email monitoring context, the meta data is the recipien...

Man City Hack: When Information is worth more than money

Image
The Manchester City scouting database hack  is close to my heart on two counts, it highlights the corporate espionage side of information security, and involves my other passion away from security, the beautiful game, football. Funny but it's no laughing matter for MCFC City Scouting Database Compromise is Clouded What is clear is Manchester City officials believe their confidential scouting database, has been taken a rival club employee, but how this data was compromised is cloudy.  The City scouting data was stored in a cloud based (online) application called ProScout7. Scout7, a Midlands based company, were quick to deny their system had been hacked, and suggested the fault lied with City's scouts password management. In other words that either a City scout had not protected their username and password, or perhaps the PC the scout was using to access Scout7, had been compromised with  a keylogger  or trojan software, pas...

PRISM: How I would set up covertly monitor of a Country's Internet Traffic

Image
If I worked for a government intelligence agency, and I was tasked to devise a way to monitor the public Internet traffic data covertly, I would target the source of the Internet connectivity provision. The source of the internet connectivity resides within the telecommunications operators (telcos) e.g BT, Virgin Media. AT&T. Many telcos double as ISPs, but its the telcos who ultimately provide access to the Internet to ISPs. An advantage in monitoring at the source is  I don't need to tell or ask the permission to do so from a series of private companies, like Google, Facebook, Apple and Microsoft, as I can simply intercept and record all of the public's sent and received internet network traffic on route to these private companies. Typically teleco companies provide fast Internet connectivity to their clients (ISPs) over fibre optic cables. If I were to split the light signals sent over these fibre optics cables, I could allow traffic to continue on its merry way ...

New OWASP Top Ten 2013 released, actually its gone to a Top 11

Today, OWASP officially released their updated list of the Top 10 Web Application (website) risks. The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organisations to develop, purchase, and maintain applications that can be trusted. The Top 10 list identifies some of the most critical risks facing organisations in web application security, and is a trusted resource and is often referred as the best practice to adhere to in application security within the information security industry. OWASP update their Top 10 list every three years, this, the latest OWASP Top 10 list was released today on 12 June 2013. OWASP Top 10 2013 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Known Vulnerable Components A10 Unvalidate...