Stealing your data while you watch

December 20th, 2014 No comments

In IT and IT Security there is a constant complaint about the risks of shadow IT and the adoption of consumer collaboration and sharing tools. Over the last couple of years we also saw the emergence of novel exfiltration techniques, including the persistent ultrasonic technique, where infected devices communicate with other compromised hosts via high frequency; the Twitter-based technique, where malware sends out data 140 characters at a time for anyone to read; and the more recent video technique, encrypting data in video files and putting corporate secrets onto video sites for later retrieval.


Adapting to change with technology

December 13th, 2014 1 comment

We all go through change at some point.

Changing your process to meet the new requirements of a product or service in response to market change is a relentless march forward.

Some organisations hold on to the way they do things despite the issues and inefficiencies in it. This might be for a number of reasons, including working around deficiencies in older technologies, individuals or business structures.

Technology and Service organisations spend millions, sometimes hundreds of millions, looking to find the best way to streamline a process and build that into their application(s). Why then do smaller organisations feel the need to customise these applications to meet their, potentially, less efficient processes?

Wanting to become more mature in what you do requires change, so why do companies always fight technological change?

photo credit: AndYaDontStop via photopin cc

Ethics in Technology

November 3rd, 2014 Comments off

Warning, today is a bit of a rant. I had an email and chat exchange with a friend that wasn’t treated well recently and felt compelled to ramble.

Ethics is extremely important in business as it is the foundation of relationships. Ethics in the IT business is especially important as members of the Technology team(s) are responsible for representing IT to the wider business. Through the relationships IT builds with the business it is able to better understand the needs of the business itself and can develop real value through the strategic use of IT, using the collective smarts (IP) of the team. The Technology teams inside an organisation support the business’ strategy and balance the wider strategic needs of the organisation and business units with the explicit needs of IT and IT strategies. Unethical behaviour can destroy this.

Let me be clear, when I say unethical I mean behaviour that isn’t:

  • Honest;
  • Courteous;
  • Done with Integrity;
  • Performed Efficiently; and
  • Respectful of Property

Our individual actions ultimately reflect our ethical beliefs. When we are in a position of authority these also shape the way those around us operate.

The consequence of unethical behaviour in our IT teams is that it breaks the relationships, both those internal to the team and the external ones with the organisation. This can cause team members to become disconnected and jaded, holding back the IP that could make the difference in completing that aggressive project on time or creating that innovative new product, or it can demoralise the wider team around them. The greater flow-on effect is that IT will become disconnected from the business (again), relegating it to that group that just costs a lot of money and doesn’t deliver anything.

It is easy to be dismissive in the heat of corporate action, but let’s face it, for the most part corporate IT is not life and death. Take the extra minute to think about the repercussions of the decisions you make and the actions you take; it may mean the ultimate success or failure for the perception of IT in the business.

/rant.

OK I think I’m prepared for that Ethics section in today’s exam!

ThruGlassXfer starts to make an impact

October 2nd, 2014 Comments off

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC has been syndicated through to Forbes. Well done Ian!! This follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfer along with his ThruKeyboardXfer.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from YouTube via a laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it causes me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.

 

Putting money where mouth is!

September 9th, 2014 Comments off

Yesterday I decided that I’d no longer be an armchair commentator on the state of IT services and the direction it, as an understanding as a discipline, is going. So to that end I ponied up my own money and bought myself a membership to the itSMF (IT Service Management Forum) and roped myself in to participate in the next Special Interest Group meeting at the end of the month.

The itSMF isn’t as sexy as the technology groups and bodies that I’ve been a part of before, but I think that it is a lot more real and accessible to the non-technical in the industry (yes, there are a lot of non-technical people in IT) and a way of bridging the gap between IT and “the business”.

I hope to gain some insight into the wider Australian market’s changes and perceptions as well as supply my first-hand experience and understanding when it comes to solutioning, negotiating and delivering Technology and IT Services in the APJ market.

photo credit: Chimpr via photopin cc