Security SysAdmin

On Successful Deployment of Access Management Solutions

I have seen many access control/identity/privilege management projects fail miserably because of an unstructured approach to implementation by Corporate Governance. A tool is bought and implementation attempted with no engagement with or buy-in from the technical people who will have to surmount the inconveniences of the tool when it misbehaves at 3AM on a Sunday morning.

The correct approach is to engage those who know the systems best – System Administrators, DBAs and application teams. In that order. Management sign-off comes last.
At the very least the engagement should cover the following:
1) Explain the tool and what it does
2) Outline the project goals
3) Identify what is considered implementation success
4) Describe the flow of network traffic and control, and provide network diagrams so techies can understand the firewalls and routing involved
5) Offer training and make known the third-level support options for System Administrators
6) List the fallback (break-glass) mechanisms for when the network fails or the access-management server itself goes down, so that the systems it manages can still be administered
7) Choose a subset of systems for testing, and agree up front on how a successful test will be verified

If you don’t at least cover those points, you will not get the Sysadmin team on board. If you can’t get the administrators behind you, your tool will never properly enhance your security posture, and you’ve wasted a whole lot of money.

Entertainment Freedom Music Rants Security Technology

MusicDNA Is MusicDOA [Audio Format Foolishness]


It’s sprayed all over the SA IT media: “MusicDNA will rescue the MP3 from oblivion”, “MusicDNA to succeed MP3”, “MusicDNA predicted to rival MP3”, “MusicDNA: New digital file that is son of MP3 unveiled”. And it’s all a crock of shit.

MusicDNA should be MusicDOA.

Why? Well firstly, (Mail and) Guardian, file formats are female, in the same way that LPs are female. They always have been, and always will be – ask any geek. So, if MusicDOA is the son of MP3, then it’s not a welcome part of the music family.

But issues of gender aside, Apple has already invented MusicDNA – they just called it the “iTunes LP”, a much nicer name. Bundling additional digital content and interweb-link-crud along with the MP3 is not the revolution. It’s not even a warning shot over the bow. It’s more like “a tribute to the zip archive”. Yet some musically challenged business-moron (Stefan Kohlmeyer, the chief executive of Bach Technology, which has developed the file) feels that *this*, a rehash of MP3, will save the record companies?

C’mon, guys, it’s already over. The music label is done. Over. Archaic. Closed. Piracy does and always will prevail. Artists will make money from performing. Additional revenue streams will open up here and there, but the giant middle-man of music has been turned away at the gates, left to wonder (and wander) at how they ended up hat-in-hand, shunned by the masses.

We simply don’t need another audio file format. MP3 / FLAC / AAC are probably good enough, until we have flying cars anyway. And we especially do not need another proprietary format that is riddled with DRM and all kinds of consumer-abusing mechanisms (think tracking cookies, spyware, behaviour profiling). And of course alongside this “MusicDNA archive” will be the potential to literally hack the shit out of the consumer who buys and uses it. No longer will viruses be delivered by email, but by iTunes (or equivalent) instead. If we ever do need another format, it will be open source, patent-free and flexible, such as Ogg Vorbis.

So here’s to MusicDOA and the millions of stupid dollars spent developing an obfuscated zip file. Well fucking done, clowns. When you’re done pissing money away, please build me my flying car.

politics Rants Security Technology Web

FIFA World Cup Durban Site Cookie Fail

Apparently the 2010 Durban FIFA World Cup site cost 6.5 million bucks to develop. Yeah. R6.5 million. R 6 500 000. I’m making that a tax deduction on my IRP5 next year.

I asked for more details, but only time will tell if they release that info.

Anyway, according to their Privacy Policy the site does not use cookies. Firefox has something else to say about that.

Durban 2010 Website does make use of cookies.

It doesn’t really matter, but it adds to the general feeling of incompetence coming from Adapt-IT, the site “developers”.
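Rather than trusting a privacy policy, you can check what a site actually sets. The following is an added example (not code from the original post, and not taken from the Durban 2010 site): it parses the Set-Cookie headers of an HTTP response and reports each cookie's name and whether it carries the Secure and HttpOnly flags or an expiry that makes it persistent. The response headers and cookie names below are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of raw HTTP response headers. The cookie names and
# values are invented for this example; they are not the Durban 2010 site's.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly
Set-Cookie: tracker=xyz; expires=Sun, 11-Jul-2010 00:00:00 GMT; path=/
Server: Microsoft-IIS/6.0
"""


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and security flags."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name.strip(),
        "value": value.strip(),
        # Secure: only sent over HTTPS. HttpOnly: not readable from script.
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        # Expires or Max-Age means the cookie outlives the browser session,
        # which is what makes it usable for tracking across visits.
        "persistent": "expires" in attrs or "max-age" in attrs,
    }


def audit_cookies(raw_headers: str) -> List[Dict[str, object]]:
    """Return one record per Set-Cookie header found in raw response headers."""
    cookies = []
    for line in raw_headers.splitlines():
        field, _, val = line.partition(":")
        if field.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(val))
    return cookies


def uses_cookies(raw_headers: str) -> bool:
    """True if the response sets at least one cookie."""
    return bool(audit_cookies(raw_headers))


if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_HEADERS):
        flags = [f for f in ("secure", "httponly", "persistent") if c[f]]
        print(f"{c['name']}: {', '.join(flags) or 'no flags'}")
```

To run this against a live site, feed it the headers from `curl -sI <url>`, or fetch with `urllib.request` and pass `resp.headers.get_all("Set-Cookie")` entries through `parse_set_cookie` directly. A session cookie without HttpOnly, or a long-lived cookie on a site that claims not to use any, is the kind of finding worth putting in the complaint.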

Hacking Security Technology

Ph33r the D0n th4t i5 LowVoltage [FUD]


Here’s one that’s good for a laugh. This ‘LowVoltage’ guy sounds pretty evil. Shew!

The ‘Low Voltage’ hackers

He runs with the name “Low Voltage” and is the don of South Africa’s underground movement of techno trouble-stirrers who could, with the click of a mouse, cause your company to fall into the 90% bracket of enterprises which will suffer significant financial loss by 2005 through breaches in security.

Delegates attending a presentation on computer hackers, hosted by the KwaZulu-Natal branch of the Institute of Directors, in Durban on Wednesday, were told there was a huge hacking community in South Africa run by someone who calls himself “Low Voltage”.

This information – along with other shocking statistics – was released by Pragasen Morgan, assistant manager of Global Risk Management Solutions, a security division of PricewaterhouseCoopers.

“They meet regularly in Johannesburg to share information, programs and secrets as well as methods and passwords for hacking into certain systems. They work together to overcome different types of security measures,” said Morgan.

Although Morgan couldn’t give any more details on the dark dealings of this group, he did say that there were a number of local “vendors” from whom you could easily pick up the tools for hacking.

“At the end of last year hacking activity increased by 40% worldwide. Hacking among South African corporations is on the increase, but companies won’t talk about it because they run the risk of being branded an unsafe company.

“For example, in financial institutions people would fear leaving their money or information with a company that has been hacked.

“There are a number of local sites where programs can be downloaded, and there are even more advanced international sites which I’d rather not mention because the information available is far too dangerous for people to get hold of,” he said.

You H4ve B33n H4cked (you have been hacked) is just one example of a less vulgar slap-in-the-face reminder that may be left behind after a hacker has had his way with your system.

Morgan said hackers did what they did more for a challenge and very rarely to hold a company to ransom.

“They are in it for the fame and glory, the tougher the security system the bigger the chip on his shoulder.

“August 1 to 19 this year was tabled as the worst period for viruses spread with more financial loss in this week than on September 11 and this is because in that week there was a worldwide hacking competition.

“Other reasons for hacks could be competitors who approach hackers for inside info or disgruntled employees,” he said.

As if having a dark underworld prowling your space isn’t enough, according to PricewaterhouseCooper global statistics, companies need to be wary of an art-of-war type of situation in which the enemy may very well be within your quarters.

Said Morgan: “More than 55% of hacks happen by authorised employees. From a threat point of view the employee poses the greatest threat in hacking. Not only do they know your networks and passwords but they often open e-mails with viruses and spread them.

“The most common form of hacking is through viruses via e-mail spread to cripple a network and hacking into web pages, where they are defaced, leading to major losses in revenue.

“An example of this was a major retail client that we dealt with where an employee hacked into the company’s system resulting in a day-long down time at the cost of around R1 million,” said Morgan.

He said that since the introduction of Windows in the late 1980s, there was an increase in vulnerability.

“Companies need to constantly update their security systems and step up on staff awareness. On a number of social engineered techniques for clients we’ve managed to enter major organisations posing as repair men or cleaners or even just plain suits blending with the environment.

“We then access a computer and get into their network. In most cases you are not stopped if you look confident and like you fit in.

“It’s also very easy to hack in to a system through a home-made wireless mechanism. We were able to construct one of these using some information we got off the net.”

Bala Naidoo, Director of Communications for the South African Police Service in KwaZulu-Natal, said: “We are not aware of this hacking community and if any information regarding this is brought forward we will investigate it.

“So far in Durban we’ve dealt with about 52 cases of internet banking fraud and have no hacking cases reported. We investigate these cases through our commercial crime unit which has the expertise to handle this,” he said.


Computing Entertainment Security

Handy list of Facebook Privacy Settings

A handy list of 10 Privacy Settings Every Facebook User Should Know was recently published.

Included in the list are instructions for creating custom friend lists, removing yourself from search results, preventing tagged photos of you from being visible to all, and restricting access to stories and contact information. It’s a very handy guide with some seriously good tips on how to protect yourself in the big bad world of friendface. 🙂