Thursday, May 22, 2008

AusCERT 2008

On Wednesday I attended AusCERT 2008. AusCERT is an annual conference for the IT security industry organised by the Australian Computer Emergency Response Team. Held in the plush surroundings of the Crowne Plaza Royal Pines Resort on the Gold Coast, the event is a chance for vendors such as Check Point, Microsoft, Symantec, CA and the like to show off their wares, a chance to hear presentations from industry leaders, and a chance to pick up some training to boot (although that part isn't free). Representatives from such luminaries as the US Department of Homeland Security and the NSA were also in attendance.

The event is similar to an annual event I used to attend in the UK - InfoSecurity Europe - which is held at the London Olympia, although AusCERT is nowhere near the size of InfoSecurity Europe.

I was pretty disappointed by AusCERT 2008. I thought I might have made a bad choice with the presentations I attended, but after speaking to others the general consensus was that it was pretty crappy all round. There were a couple of gems in there, but mostly it was presenters telling me stuff I already knew. A lot of the presentations were too high-level to be of any value.

Every year you find that there's a new theme - a new subject which is getting the industry in a flap. This year it was web 2.0 security. This is not surprising really, given the number of stories you hear about privacy issues around Facebook, MySpace and similar social networks, which are able to harvest vast amounts of personal data. I advise everyone to be very careful about what information they put on social networks. Even if you set your privacy settings properly, it doesn't necessarily mean that your data is safe.

A combination of factors means that your data could still be at risk. Facebook's slick look and feel comes from heavy use of AJAX - JavaScript running in your browser that fetches data from the site in the background rather than reloading the page - and that extra client-side code, and the server interfaces it talks to, keep turning up new web vulnerabilities. Also, many of the applications you can add to your Facebook profile, such as FunWall, aren't built by Facebook; they are built by third parties. That means these third-party applications, over which Facebook has little control, are also accessing your private data and could be doing anything with it, as this BBC article explains.

The one presentation that I did find interesting was given by Standard Chartered Bank and was an overview of their project to roll out two-factor authentication for their customers across 15 countries. I know many banks have been trialling this for a while now, but not many banks have actually implemented it due to the cost and administration issues around issuing and managing tokens. However, this is set to change as they slowly get over those issues; and as the take-up of internet banking continues to increase, so does the risk of internet fraud.

So if you use internet banking you're likely to find that the way you log on changes in the next couple of years.

Two-factor authentication means that when you use internet banking, instead of just presenting your username and password, and maybe some secondary information like the 1st and 4th characters of your PIN (all of which counts as a single factor - something you know), you also present a second factor: something you have, or less commonly, something you are (biometric identification such as a fingerprint, face scan, retina scan, etc.). The most common implementation is a token that produces a One-Time Password. The bank issues you a token that displays a number; the number is either generated when you press a button or changes automatically every 60 seconds or so. It isn't random in the strict sense: it is computed from a secret seed stored inside the token, combined with either a counter or the current time, and the bank keeps a copy of the seed so its server can compute the same number and compare. By entering the number shown on the token's display, you prove that whoever is logging in has the token in hand, i.e. you, or so the theory goes. Obviously it's not fool-proof (a code is only as good as the secrecy of the seed and the few seconds before it is used), but it does add another level of security to the process.
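As an added illustration, not something from the Standard Chartered presentation or the original post, here is how a press-the-button token and a changes-every-30-seconds token produce their codes, and how the bank's server checks them. It assumes the OATH HOTP algorithm (RFC 4226) for the counter-based token and its time-step variant (standardised later as RFC 6238) for the time-based one, which is how most such tokens actually work; the secret is the RFC's own published test value, not a real seed. The look-ahead window and the counter bookkeeping are the server-side details the paragraph above glosses over: a customer who pressed the button a few times without logging in has a token that is "ahead" of the bank, and a code that has already been accepted must never work a second time.

```python
"""HOTP/TOTP token codes and the bank-side verifier (illustrative example).

Assumptions: OATH HOTP (RFC 4226) with HMAC-SHA1 and 6 digits; the time-based
variant uses a 30 second step (RFC 6238).  TEST_SECRET is the RFC test vector
secret, included so the output can be checked against the published tables.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret: ASCII "12345678901234567890" (published test value).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code: HMAC-SHA1(secret, counter) -> dynamic truncation -> mod 10^digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)         # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is simply the number of steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TokenRecord:
    """Bank-side state for one issued token: the seed plus what has already been used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0        # next HOTP counter value the bank expects
        self.last_step = -1     # most recent TOTP time step already accepted


def _well_formed(submitted: str, digits: int) -> bool:
    # compare_digest needs ASCII strings of equal length; reject anything else up front.
    return len(submitted) == digits and submitted.isdigit()


def verify_hotp(record: TokenRecord, submitted: str, look_ahead: int = 10, digits: int = 6) -> bool:
    """Accept a code matching any of the next `look_ahead` counters, then move past it.

    The window resynchronises a token whose button was pressed without logging in.
    Advancing the stored counter past the match is what stops replay of the same code.
    """
    if not _well_formed(submitted, digits):
        return False
    for c in range(record.counter, record.counter + look_ahead):
        if hmac.compare_digest(hotp(record.secret, c, digits), submitted):
            record.counter = c + 1
            return True
    return False


def verify_totp(record: TokenRecord, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Accept the current step or `skew` steps either side (clock drift), each step once only."""
    if not _well_formed(submitted, digits):
        return False
    now = unix_time // step
    for candidate in range(now - skew, now + skew + 1):
        if candidate <= record.last_step:
            continue        # this step (or an older one) has already been used
        if hmac.compare_digest(hotp(record.secret, candidate, digits), submitted):
            record.last_step = candidate
            return True
    return False


if __name__ == "__main__":
    # What the customer's token shows for the first few button presses.
    for n in range(3):
        print(f"press {n}: {hotp(TEST_SECRET, n)}")
    bank = TokenRecord(TEST_SECRET)
    # Customer pressed the button three times idly, then logs in with the fourth code.
    print("4th press accepted:", verify_hotp(bank, hotp(TEST_SECRET, 3)))
    print("same code replayed:", verify_hotp(bank, hotp(TEST_SECRET, 3)))
```

The size of the look-ahead window is a trade-off: too small and customers who fiddle with the button lock themselves out and need a resync call, too large and an attacker who has captured old codes gets more chances. The time-based verifier has the same tension between `skew` and drift, and in both cases the record of what has already been accepted is what turns "something you have" into a check an intercepted code cannot pass twice.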

Many companies use two-factor authentication for employee remote access to their networks. One of the big issues with token-based two-factor authentication is the cost of the tokens and the management of them. This is particularly a problem when you're using it in a business-to-consumer (B2C) environment like a bank, where you may have to issue tokens to one or two million customers.

To get around this, another option is to use the customer's mobile phone as the 'something you have' device. So, for instance, when you log in to internet banking a text message is sent to your mobile phone with a random number that you then enter into the internet banking login screen. Alternatively, there's an approach called IVR (interactive voice response) callback, which means that you receive an automated phone call from your bank saying something like 'Someone is attempting to log on to your internet banking account; if this is you, press 1'.

None of these methods is fool-proof - they all carry an element of risk. For instance, when it comes to using mobile phones for two-factor authentication you're then relying on a third party - the telecommunications provider, and its processes for issuing SIMs and porting numbers - as part of your login security.
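The server side of the SMS option described above, written as an added example rather than anything shown in the presentation: the code is drawn from a cryptographic random source, tied to the particular login attempt it was issued for, given a short lifetime and a small number of guesses, and accepted exactly once. The SMS gateway, the session identifiers and the timings are assumptions for illustration. As the paragraph above says, none of this helps if the carrier delivers the message to the wrong handset; what it does control is the guessing, replay and cross-session misuse that are the bank's own responsibility.

```python
"""Out-of-band (SMS) login code: issue and check (illustrative example).

Assumptions: 6-digit codes, a 5-minute lifetime, 3 guesses per code.  Sending the
text message is out of scope; issue_code() returns the code for the (assumed) SMS
gateway and the record the server keeps.  Clock values are plain Unix seconds.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # long enough for the SMS to arrive and be typed in
MAX_ATTEMPTS = 3            # 3 guesses against 10^6 codes is a 3-in-a-million chance


class PendingLogin:
    """What the server stores: never the code itself, only a salted hash bound to a session."""

    def __init__(self, session_id: str, salt: bytes, code_hash: bytes, issued_at: int):
        self.session_id = session_id
        self.salt = salt
        self.code_hash = code_hash
        self.issued_at = issued_at
        self.attempts = 0
        self.used = False


def _digest(salt: bytes, session_id: str, code: str) -> bytes:
    # A 6-digit space is small enough to brute-force offline, so the hash only
    # protects against casual exposure of the record; expiry and the attempt cap
    # are the real controls.  Binding the session id stops a code issued for one
    # login attempt from being replayed against another.
    return hashlib.sha256(salt + session_id.encode() + code.encode()).digest()


def issue_code(session_id: str, now: int, randbelow=secrets.randbelow):
    """Create a fresh code for this login attempt.  `randbelow` is injectable for tests."""
    code = str(randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)   # keep leading zeros
    salt = secrets.token_bytes(16)
    pending = PendingLogin(session_id, salt, _digest(salt, session_id, code), now)
    return code, pending          # code -> SMS gateway (assumed); pending -> server store


def check_code(pending: PendingLogin, session_id: str, submitted: str, now: int) -> str:
    """Return one of 'ok', 'used', 'expired', 'locked', 'wrong'.

    Every outcome other than 'ok' is deliberately a dead end for this code: the
    customer must request a new one, which also forces a fresh SMS.
    """
    if pending.used:
        return "used"
    if now - pending.issued_at > CODE_TTL_SECONDS:
        return "expired"
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"
    pending.attempts += 1                      # count the guess before judging it
    if session_id != pending.session_id:
        return "wrong"
    if len(submitted) != CODE_DIGITS or not submitted.isdigit():
        return "wrong"
    if hmac.compare_digest(_digest(pending.salt, session_id, submitted), pending.code_hash):
        pending.used = True                    # one code, one successful login
        return "ok"
    return "wrong"


if __name__ == "__main__":
    code, pending = issue_code("session-abc", now=1_200_000_000)
    print("text message would carry:", code)
    print("typo:", check_code(pending, "session-abc", "000000", 1_200_000_010))
    print("correct:", check_code(pending, "session-abc", code, 1_200_000_020))
    print("replay:", check_code(pending, "session-abc", code, 1_200_000_030))
```

The attempt counter is incremented before the comparison so that a wrong session id or a malformed entry still burns a guess; otherwise an attacker could probe without cost. The IVR "press 1" variant described above needs the same bookkeeping on the server, with the call itself standing in for the typed code.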

Anyway, the findings from the bank's surveys were quite interesting, as was the story the presenter told about banking fraud in Malaysia.

Some of the other presentations were dire though.

One presenter, who was doing a presentation about the security risk management lifecycle, I swear must have based her presentation skills on David Brent in The Office. At one point, to the amazement of all of us, she actually picked up a bag full of some stupid plastic keys that they were handing out to everyone with their branding on them, and dramatically threw them across the stage. As they scattered everywhere across the stage she shouted 'You see, people, how on earth can you get a grip of your network if you're having to manage that many applications?' or something like that. I was gobsmacked and had to stop myself from laughing out loud. What did she think she was proving by that display? Didn't she feel a bit stupid that she now had to go and pick all of those keys up?

The good points about the day were 1) we got served a really nice meal at lunch time, and 2) I came home with some freebies, although one of these was a Microsoft t-shirt with the words 'Microsoft: Our Security Rocks' printed on it, which I thought was a bit ironic given the awful reputation of Microsoft's security.
