Archive for the ‘Security’ Category
Obviously, the elites haven’t learnt from the Panama Papers. Setting up these offshore structures take a long time, and to de-construct them take significant effort too. So what are the Paradise Papers?
They are 13.4M records acquired from the law firm and corporate services company called “Appleby”. It involves people and organisations.
Interestingly, Singapore has largely kept itself out of this leak.
Anyway, here’s a copy of the paradise papers dataset.
In 2005, a research team led by the Electronic Frontier Foundation (EFF) broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known.
“We’ve found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer,” said EFF Staff Technologist Seth David Schoen.
You can see the dots on color prints from machines made by Xerox, Canon, and other manufacturers (for a list of the printers we investigated so far, see: http://www.eff.org/Privacy/printers/list.php). The dots are yellow, less than one millimeter in diameter, and are typically repeated over each page of a document. In order to see the pattern, you need a blue light, a magnifying glass, or a microscope (for instructions on how to see the dots, see: http://www.eff.org/Privacy/printers/docucolor/).
EFF and its partners began its project to break the printer code with the Xerox DocuColor line. Researchers Schoen, EFF intern Robert Lee, and volunteers Patrick Murphy and Joel Alwen compared dots from test pages sent in by EFF supporters, noting similarities and differences in their arrangement, and then found a simple way to read the pattern.
“So far, we’ve only broken the code for Xerox DocuColor printers,” said Schoen. “But we believe that other models from other manufacturers include the same personally identifiable information in their tracking dots.”
You can decode your own Xerox DocuColor prints using EFF’s automated program at http://www.eff.org/Privacy/printers/docucolor/index.php#program.
Xerox previously admitted that it provided these tracking dots to the government, but indicated that only the Secret Service had the ability to read the code. The Secret Service maintains that it only uses the information for criminal counterfeit investigations. However, there are no laws to prevent the government from abusing this information.
“Underground democracy movements that produce political or religious pamphlets and flyers, like the Russian samizdat of the 1980s, will always need the anonymity of simple paper documents, but this technology makes it easier for governments to find dissenters,” said EFF Senior Staff Attorney Lee Tien. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?”
EFF is still working on cracking the codes from other printers and we need the public’s help. Find out how you can make your own test pages to be included in our research at http://www.eff.org/Privacy/printers/wp.php#testsheets.
Yes, we have a copy of it. No, we’re not selling it. However, we’ll be putting our data analytics and data quality glasses on to see what lies within.
Several Australian cities featured prominently on the list of AM users. Singapore, which had banned the website was highly represented.
There is nothing special about Ashley Madison’s leak except that the brand attracts alot of negative emotions. They probably stepped on the toes on a capable geek. Reality is that nothing is safe on the internet, and transparency is your only defence.
Should Ashley Madison have done more to protect their data? Yes! The next simple step of basic data encryption should have been done. But it wasn’t.
Bye bye Ashley Madision. You’re not the first, and I am sure you won’t be the last. There is no defence against cheating spouses expect character, honesty, truth and love.
The Open Web Application Security Project (OWASP) has opened a chapter in Canberra. Kicked off by Andrew Muller of Ionize, OWASP brings to Canberra expertise in web application security. It also brings the small community of security professionals to meet, discuss and engage in the crucial business of securing applications.
OWASP Canberra is committed to monthly meetings, and the occasional “special” meeting. See you there!
OWASP has a project called ‘The OWASP top ten project‘ which list the top 10 security threats for web-based applications.
OWASP Current Top Twelve ThreatsCross-Site Scripting (XSS) Malicious File execution Insecure Direct Object References Cross-site Request Forgery (spoofing) Information Leakage and Improper Error Handling (I’m guilty) Injections Flaws Broken authentication and session management Insecure cryptographic storage Transport Layer Protection (TLP) Failure to secure URL access (I’m guilty) Security Misconfiguration Unvalidated Redirects and Forwards
Ok, which ones are you guilty of?
Here are some updates on VMware. Also sometimes called “The Cloud”, it’s the current fad in IT infrastructure.
1) Virtualisation is going to happen whether we like it or notThis was driven initially by under-utilized servers, but ease of management and configuration has taken over as the leading reasons for virtualisation. Currently only 30% of organisational server infrastructure is in the virtualised environment. If an organisation doesn’t reach 80% virtualised, it doesn’t gets the efficiency benefits of virtual infrastructure, but ends up with large overheads managing both virtual infrastructure and traditional infrastructure. VMware hopes to push this to 50% in 2011-12 The issues with adoption are confidence levels in application-infrastructure interoperability, and security. VMware has notoriously low security, and is itself a gateway to accessing the entire virtualised infrastructure. (Search Google for “vmware hack”)
2) OverheadsVirtualisation comes with overheads. If installing Vista, or Windows 7 was not enough, virtualisation can help by adding 10-20% overhead to CPU usage. VMs also generate alot more network traffic.
3) ConfigurationVM configuration is going to be crucial as “the server” as it is spread over a VM, SAN storage, and network “bus”, and actual physical locations. So when we have slow VMs, it could be the result of alot of different factors now. A clone of VM for failover/failback scenarios can also generate alot of network traffic. So virtualisation increases network overheads.
4) The Virtual DesktopVMWare hopes to bring back thin-client computing with virtualised downloadable profiles from VM infrastructure. Personally, I think this is a shot in the dark, as the PC-era is gone, and computing is already transitioning to the fragmented plethora of thin-clients (eg mobile devices, ipads, netbooks) with profiles stored in SaaS applications. The benefits of centralized profiles is supposedly in data security, however, with SaaS, fragmenting application, platforms, I doubt the virtual desktop will make it to the enterprise before iDesktops.
5) CapabilityVMWare ESX 5 now supports upto 32 cores, and upto 1TB RAM per VM. These are called the “Big VMs” (or “Monster VMs” if you were a VMware sales person) that VMware has now released. This may support the more computationally intensive applications, but only if the virtual infrastructure has been upgraded.
6) VisibilityFrom an application development point-of-view, understanding the performance and capability of an application in the virtual infrastructure is less transparent as performance issues are less transparent. (eg. is a network, or disk bottleneck? or over-utilisation of the CPU?) Processor CPU utility within a Windows/Unix VM is not an accurate reflection of the actual processing capability available to your application. So VM infrastructure performance statistics needs to be actively shared (in real-time) with application teams. Using SPEC CPU benchmarking tools is another way to measure application-infrastructure performance. However let’s hope for an open environment with open information sharing.
7) Super-Computing / Grid ComputingAlthough there has not been any noted implementation of supercomputing in VM infrastructure, there are no reasons why this is not possible. Grid Computing, and maybe some aspects of super-computing is probably possible on VM infrastructure with the appropriate HPC software in place.
8) The Carbon FootprintThe Carbon Footprint is now the new driver for VM infrastructure. Running un-optimised / under-utilitzed servers kills the environment. If electricity prices go up by 30% in the next 2-5 years, what will organisations have to do to mitigate that?