8 things to stop doing immediately

We can always take online security a little for granted, but some behaviours put us at more risk than others. This isn’t an exhaustive list, so if you can think of more, please add it to the comments. Another one I wanted to add but couldn’t find a picture for is failing to verify a BSB/Account Number with someone you are transferring money to. You should always verify over two different mediums before transferring, e.g. SMS, email or phone (especially if you are transferring a large amount of money). People have lost a lot of money by missing this simple step.

1. Give away personally identifiable information about children’s whereabouts, likes/dislikes and birthdays.


2. Plastering family/bumper stickers all over your car. You might as well wear a “come rob me” sign.


3. Using Windows XP and/or Internet Explorer 6, or running with no anti-virus/spyware protection.


4. Checking emails/banking accounts/social media accounts over “Free Public Wifi”. OK, so if this is a little hard to avoid, at the very least be aware of the risks, avoid doing banking over this channel and change your passwords frequently. Also, set different passwords for your accounts…


5. Logging in/entering your password details from email links. This can be a phishing attack to steal log in credentials. Instead, always log in via the official website.


6. Going to the official site and entering login/password details in without checking the URL/certificate details. Instead, look for a green bar.


7. Doing stupid things in public like Karen Bailey’s epic racist rant against Chinese people. You will be publicly disgraced and even arrested.

Do: Stand up to racists (non-violently). The guy in the background became a national hero after hitting back with “You’re scum”


8. Posting stupid things online that you can never take back. Justine learnt the hard way, losing her job over this tweet. The tweet spread like wildfire and a campaign for her immediate dismissal had taken off during her return flight. By the time she landed, she had already lost her job.


Cracking the Enigma: How Alan Turing was destroyed by the people he saved

During WW2, Germany coordinated its war strategy through a series of encrypted messages passed from central command to its armed forces. German cryptologists used an Enigma machine to do this. Enigma used symmetric cryptography, meaning that the same key was used for both encryption and decryption. Each letter was sent through a series of circuits (consisting of a plug board and 3 rotating wheels) to produce a highly scrambled output. The key is the Enigma set-up itself: the choice and order of the wheels, the ring setting and the plug connections. Enigma configurations were changed daily. Every month, the Germans distributed a key sheet to Enigma operators containing the configuration for each day of the month. Without this key sheet, decrypting the messages was impractical: as there were 159 million possible Enigma settings, the time taken to go through all the possible configurations to decrypt a message would not have been worth the effort.

The British needed a fast method to decrypt the codes. German troops were advancing fast and the Allied troops needed an advantage. They hired a team of mathematicians and problem solvers to create a decryption machine. Alan Turing led efforts at Bletchley Park to create one he called the Bombe (not to be confused with the Polish machine of the same name). Exploiting a critical flaw in Enigma, the Bombe was able to decrypt Enigma messages in under 20 minutes. Because Enigma had the property that a letter could never be encrypted to itself, the Bombe worked backwards to rule out all the rotor and plug board configurations that violated this rule. It was able to do this very quickly via electrical circuits.
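A small Python model of the machine, added here as an illustration and not part of the original post: it uses the well-known historic rotor I to III and reflector B wirings with simplified stepping (no double-step, ring settings fixed at A), and shows both the reciprocal encrypt/decrypt property and the “no letter becomes itself” rule that lets a suspected plaintext (a crib) be ruled out at impossible offsets, which is the exclusion the Bombe mechanised.

```python
import string

A = string.ascii_uppercase
ROTORS = {"I": "EKMFLGDQVZNTOWYHXUSPAIBRCJ",       # historic wirings, ring setting A
          "II": "AJDKSIRUXBLHWTMCQGZNPYFVOE",
          "III": "BDFHJLCPRTXVZNYEIWGAKMUSQO"}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"          # an involution with no fixed points

def plugboard(pairs):
    """Letter-swap map built from plug pairs such as ("AB", "CD")."""
    table = {c: c for c in A}
    for a, b in pairs:
        table[a], table[b] = b, a
    return table

def through_rotor(c, wiring, pos, forward):
    """Pass c through one rotor rotated by pos steps (forward = towards the reflector)."""
    i = (A.index(c) + pos) % 26
    out = A.index(wiring[i]) if forward else wiring.index(A[i])
    return A[(out - pos) % 26]

def enigma(text, order=("I", "II", "III"), start="AAA", plugs=()):
    """Encrypt or decrypt: the same settings do both because each key press is an involution.
    Simplification (assumption): odometer stepping without the real machine's double-step."""
    plug, out = plugboard(plugs), []
    pos = [A.index(ch) for ch in start]                 # left, middle, right rotor
    for c in text.upper():
        if c not in A:
            continue
        pos[2] = (pos[2] + 1) % 26                      # right rotor steps every key press
        if pos[2] == 0:
            pos[1] = (pos[1] + 1) % 26
            if pos[1] == 0:
                pos[0] = (pos[0] + 1) % 26
        c = plug[c]
        for r, p in zip(reversed(order), reversed(pos)):  # right -> left into the reflector
            c = through_rotor(c, ROTORS[r], p, True)
        c = REFLECTOR_B[A.index(c)]
        for r, p in zip(order, pos):                      # left -> right back out
            c = through_rotor(c, ROTORS[r], p, False)
        out.append(plug[c])
    return "".join(out)

def crib_positions(ciphertext, crib):
    """Offsets where a suspected plaintext (crib) can sit. Because no letter ever
    encrypts to itself, any offset where a crib letter lines up with the same
    ciphertext letter is impossible and is discarded before any further work."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(crib[j] != ciphertext[i + j] for j in range(len(crib)))]
```

Running `enigma` twice with the same settings returns the original text, and comparing plaintext with ciphertext letter by letter never finds a match, which is exactly what `crib_positions` relies on.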


As the British wanted to continue to spy on the German forces, the operation continued on in secret. This action resulted in the saving of countless lives and the allied success of key battles, including D-Day. After the war, Alan Turing went on to work for the National Physical Laboratory and published a paper on Artificial Intelligence in 1950 called “The Turing Test”.

Despite all his achievements, Alan Turing’s contributions to the allied war victory went mostly unnoticed. He was disgraced and arrested for homosexuality in 1952. He was given a choice of imprisonment or hormone treatments to “cure” his homosexuality. He chose hormone treatments. This didn’t “cure” his homosexuality; instead it left him with emotional and physical scars during the ordeal, culminating in his death at the young age of 41. It wasn’t until 2009 that Britain issued an official apology to Turing.


Gordon Brown: “He truly was one of those individuals we can point to whose unique contribution helped to turn the tide of war,” said Brown. “The debt of gratitude he is owed makes it all the more horrifying, therefore, that he was treated so inhumanely. … Alan and the many thousands of other gay men who were convicted as he was convicted, under homophobic laws, were treated terribly.”



Alan Turing is now regarded as a father of Cryptography, Artificial Intelligence and the modern computer. In 2014, Benedict Cumberbatch starred as Alan Turing in The Imitation Game, which became the highest grossing independent film of the year. It was nominated in eight categories at the 87th Academy Awards and won the People’s Choice Award at the 39th Toronto International Film Festival. The film was also honored for bringing Turing’s legacy to the public. Alan Turing was also honored at the 2015 London Pride march as a Pride Hero for his contributions; his family represented him in the march. This happened to coincide with a landmark USA Supreme Court ruling that gay marriage would be recognized under the US Constitution, making all marriages legal across America.


How hackable are you really?


As long as we are online, we are vulnerable to malware, viruses etc. that can steal sensitive information, hijack web sessions/webcams or spy on our keystrokes. This is especially true in cases where individuals are specifically targeted by those who have the persistence, time and skills to profile and craft an attack.

There are some things you can do now to minimize your risk and reduce the impact, should you get hacked. This is by no means a comprehensive list but a good start. Please share any additional tips in the comment section below. This information is applicable for home personal use.

1. Backup personal/sensitive files frequently. Encrypt, store & backup personal/sensitive information in a detachable hardware device (e.g. USB/hard disk). Any sensitive information should at least be encrypted and stored separately from a network-attached device. VeraCrypt and CipherShed are two free open-source encryption software solutions that are readily available for download. Just make sure you store your private keys in a safe location.

2. Optimize your firewall. You can use a free utility like Shields UP to allow you to check if you have any open ports that can be exploited. The utility also provides detailed explanation for the results you see and some advice about how to proceed. While enabling a firewall is certainly better than having none, default firewall configurations are often not restrictive enough (e.g. allowing connections to never-used applications installed during setup). Although you can configure your firewall to disable most outbound traffic, this requires some knowledge of firewall rules to set-up without stuffing up your internet connection. This is why it is important to…

3. Invest in a good Anti-Virus solution and keep your OS patched. Don’t skimp on anti-virus. The paid ones are often better at keeping up-to-date with the newest virus signatures. It is also important to ensure that you keep up-to-date with OS updates too. With Microsoft, you can also turn on automatic updates so you get the latest patches. If your OS is too old to be patched (e.g. Windows XP) – time to upgrade!

4. Switch to using Chrome. Chrome is considered the safest browser, while Microsoft Internet Explorer has been plagued by malware and security defects. Another great thing about Chrome is that you can install the HTTPS Everywhere extension, which upgrades plain HTTP connections to HTTPS wherever the site supports it, for added security.

5. Go Green. Before submitting login/password details or inputting any sensitive information online (e.g. credit card information), make sure you are connecting via an encrypted https session. Furthermore, you can also check the organization that owns the certificate. In Chrome, you can do this by clicking the green lock on the address bar and viewing the Security Certificate.

More tips: http://www.techrepublic.com/blog/10-things/10-ways-to-avoid-viruses-and-spyware/

Using your FitBit to login? Anything is possible


Did you know that each individual has a unique heartbeat? Researchers from the University of Toronto (Foteini Agrafioti and Karl Martin) have fitted a watch with an electrocardiogram (ECG) sensor to scan your heartbeat and compare it to a database of pre-recorded cardiac rhythms for a match. If successful, this can be used to authenticate the user for email, online banking etc. The device, called Nymi, was created in 2011 and has been successfully trialled by the Royal Bank of Canada and Halifax – Lloyds Banking Group. If this takes off, every smart watch may be used for user authentication (e.g. Fitbit).

The good: Seamless user experience, less reliance on passwords, works even during elevated heart-rate

The bad: False positives, man-in-the-middle attacks (from continuous authentication), competition against Apple Pay

The overall: Wearable technologies will disrupt the way in which we carry out our everyday tasks. Great competition in this area will hopefully result in a better overall experience for the end user.





5 Lessons from the SHA-1 deprecation

When Microsoft announced that they will no longer accept SHA1 certificates from 1 January 2017, and Google said that they will start showing warnings as early as 2015, a cold sweat ran down the backs of IT operators across the world. This was a ticking time bomb, one that would require many wires to be carefully cut before services dropped dead come 2017. For those working in environments which may be infested with hundreds of these SHA1 instances (possibly hidden in legacy servers, clients and applications), this was going to be one messy clean-up exercise.

Even as you are busily working away at all your SHA-1 dramas, know that you are not alone! We can get through this together. In fact, the greatest thing is that there are tons of support out there. So let us grab a drink (non-alcoholic if you are on-call) and recap what we have learnt over the past couple of months.

1. Cuz Microsoft hurts too…

The fact that the active deprecation of SHA-1 is Microsoft-led, and that even the Certification Authorities were ill-prepared for this change, brought a lot of questions to mind. Was this a joke just to show us how powerful they are? Will Microsoft take it back in time? Unfortunately, this isn’t a joke and Microsoft are deadly serious.

What may have contributed to this is the Flame virus, discovered by Russian antivirus firm Kaspersky in 2012. The attackers performed a hash collision against a certificate signed with the weak MD5 algorithm to forge a certificate of their own. In doing so, they were able to impersonate Microsoft and distribute malware through its Update Service. This was used for spying and espionage on infected, targeted systems in Iran, Lebanon, Syria, Sudan and the Israeli Occupied Territories for an unknown period (potentially 2-5 years). Although this was a rare and highly sophisticated attack requiring massive amounts of computing power, and one that is difficult for the standard attacker to replicate, it is fair to say that this is probably something Microsoft doesn’t want a repeat of.

2. Microsoft and Google ARE almighty.

When Google announced that they were going to begin showing warnings as early as 2015, from the “Secure, but with minor errors” to the flat-out “Insecure” warnings, many of us wanted to boycott Google Chrome and tell our users to use another browser. However, after additional thought (30 seconds), this was replaced by a sigh of resignation. After all, Google Chrome does own a huge slice of the pie when it comes to market share. In Australia, they own the majority of the market and they ARE trying to do the right thing.

Their view is that, as long as SHA-1 continues to be supported, little effort will go into deprecating it. Even though the CA/Browser Forum’s Baseline Requirements recommended an upgrade to SHA-2 in 2011, CAs were reluctant to stop issuing SHA-1 certificates due to market pressure. The transition from MD5 to SHA-1 took ages and caused many headaches for Google when they finally removed support for the algorithm. Therefore, the only way to give this the push it requires is a browser-led initiative.

3. When it rains, it storms

As if SHA-1 deprecation wasn’t enough for IT operators to deal with, some versions of OpenSSL were bleeding with Heartbleed while POODLE killed SSLv3. Then after some reprieve, FREAK came along to remind us that the rain never really stops. It was like being in the middle of a heart transplant, when fluid starts leaking into the lungs and then the liver fails. I will explore some of these attacks in more detail in my next post.

4. Migrating to SHA-2 is painful

In complex environments, it may be difficult to discover all the SHA-1 certificates out there, especially if there are certificates issued by multiple external and internal Certification Authorities. It can also take a long time to identify the support teams and businesses that own the domains. There are some certificate discovery tools that can be purchased from your CA (e.g. Symantec and DigiCert both offer them). These scan the network for any SSL certificates (issued by any CA). A good discovery tool should be fast to implement and easy to set up; it may also be able to detect misconfigured certificates or other vulnerabilities (e.g. BEAST).

While most modern and commonly used clients, devices and servers support SHA-2, there are legacy clients, devices, applications and servers that do not, and these may require additional patching before the migration can occur. For example, Windows Server 2003 will require further patching. Windows XP running on anything less than Service Pack 3 will require an upgrade (even though XP should no longer be used). Some applications running on supported systems may not be able to validate SHA-2 certificates (e.g. Outlook 2003). The true impact will not be known until you begin testing.
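As an added illustration of the discovery step (not the post’s own code, nor any CA vendor’s tool), a stdlib-only Python helper that reads the signatureAlgorithm OID straight out of a certificate’s DER encoding, so it works on certificate files pulled from servers and application keystores, or on live endpoints via `ssl.get_server_certificate`. It inspects only the certificate handed to it, so feed it the intermediates of each chain as well: a SHA-1 intermediate is caught by the same browser policy as a SHA-1 leaf.

```python
import ssl

# Signature-algorithm OIDs a SHA-1 clean-up most often meets (RFC 3279, RFC 4055, RFC 5758).
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3":     ("dsa-with-sha1", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
}

def _tlv(buf, i):
    """Decode one DER tag/length at offset i; return (tag, content_start, content_end)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                       # long form: low bits count the length bytes
        n, ln = ln & 0x7F, 0
        for b in buf[i:i + n]:
            ln = (ln << 8) | b
        i += n
    return tag, i, i + ln

def _oid(b):
    """Render encoded OBJECT IDENTIFIER content bytes as dotted text."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:                     # base-128, high bit set on continuation bytes
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, is_sha1) for a DER certificate's outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, i, _ = _tlv(der, 0)              # enter the outer SEQUENCE
    _, _, i = _tlv(der, i)              # skip tbsCertificate whole
    _, i, _ = _tlv(der, i)              # enter AlgorithmIdentifier SEQUENCE
    tag, s, e = _tlv(der, i)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    oid = _oid(der[s:e])
    name, sha1 = SIG_ALGS.get(oid, ("unknown", False))
    return oid, name, sha1

def check_host(host, port=443):
    """Fetch a live endpoint's leaf certificate and classify its signature (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))
```

For a PEM file on disk, pass `ssl.PEM_cert_to_DER_cert(open(path).read())` to `signature_algorithm`; an `unknown` result means the OID is not in the table above and should be looked up rather than assumed safe.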

5. Getting support and prioritization from the business is hard

Let’s be honest here, nobody really cares about the insecurities of SHA-1, not really. Especially since the attacks are still practically infeasible and will take huge amounts of computing power to achieve. The CA/Browser community didn’t care enough to do anything about it until Microsoft and Google posed their challenge, so why would businesses care? In a large organization, where change is slow and budgets are sliced thin, coordinating an effort as big as this one, in a short timeline, is, suffice to say, difficult. Success will require a coordinated effort by IT support, customer support, business application owners, managers and security to collaborate effectively. To get all these teams on board and motivated to take action, there needs to be strong buy-in. It is all in or nothing. Therefore, Microsoft setting a review of this, sometime in July this year, to “assess” whether to go ahead or not leaves us in limbo and makes it hard to gather appropriate prioritization and support. There can be no “yes this may happen but maybe it won’t” scenarios to play out. Teams are busy enough. What helps is a clear deadline. What doesn’t help is any ambiguity. Meanwhile, time is ticking…