Monday, Jan 10 2011

The Vodafone Debacle

Thoughts on what we, the public and customers, should be asking of Vodafone:

  1. Why was something that accesses the most sensitive data of its customers not protected with a two-factor authentication mechanism?
  2. What controls does Vodafone use to catch users attempting to capture large batches of customer records via searches (i.e. search a then b, or account no. 123 then 124, etc.)?
  3. Did they not perform analysis on the patterns of login to IP address to identify unusual behaviour? i.e. login account "ben" has logged in from 20 IP addresses in the last month.
  4. Why did they not use simple controls such as locking logins to specific IP addresses as a low-ball security control?
  5. Who are their auditors, and why did they not raise such a potentially high-risk problem?
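Questions 2 and 3 describe detective controls rather than preventive ones, and both are cheap to run over logs a telco already keeps. As an added illustration (not part of the original post, and not anything known about Vodafone's systems), the Python below runs both checks over constructed sample logs: the count of distinct source IPs per account over a trailing 30-day window, and the longest run of consecutive account-number searches per staff user. The log formats, field names and thresholds (10 distinct IPs, 5 consecutive numbers) are assumptions chosen for the example.

```python
"""Detective controls for questions 2 and 3 above, over constructed logs.

Everything here is illustration: the log formats, field names and
thresholds are assumptions, not anything taken from Vodafone.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log: "<ISO timestamp> <account> <source IP>".
# "ben" logs in from 12 distinct addresses in 12 days; "alice" from 2.
LOGIN_LOG = "\n".join(
    [f"2011-01-{d:02d}T09:00:00 ben 203.0.113.{d}" for d in range(1, 13)]
    + [
        "2011-01-03T18:20:00 alice 198.51.100.7",
        "2011-01-09T08:05:00 alice 198.51.100.7",
        "2011-01-10T07:30:00 alice 198.51.100.8",
    ]
)

# Constructed search log: "<ISO timestamp> <staff user> <query kind> <value>".
# dealer42 walks through six consecutive account numbers; dealer07 does not.
SEARCH_LOG = """\
2011-01-10T11:00:01 dealer42 account 100123
2011-01-10T11:00:09 dealer42 account 100124
2011-01-10T11:00:15 dealer42 account 100125
2011-01-10T11:00:22 dealer42 account 100126
2011-01-10T11:00:30 dealer42 account 100127
2011-01-10T11:00:38 dealer42 account 100128
2011-01-10T11:04:10 dealer07 name smith
2011-01-10T11:05:44 dealer07 account 100555
2011-01-10T11:09:02 dealer07 account 100126
"""


def parse_lines(text):
    """Yield each non-empty log line split on whitespace."""
    for line in text.strip().splitlines():
        if line.strip():
            yield line.split()


def accounts_with_many_ips(log_text, threshold=10, window_days=30, now=None):
    """Question 3: {account: distinct source IPs} for accounts that logged in
    from at least `threshold` different addresses in the trailing window.
    `now` defaults to the newest timestamp in the log so the example is
    reproducible offline."""
    rows = [(datetime.fromisoformat(ts), acct, ip)
            for ts, acct, ip in parse_lines(log_text)]
    if now is None:
        now = max(ts for ts, _, _ in rows)
    cutoff = now - timedelta(days=window_days)
    ips_by_account = defaultdict(set)
    for ts, acct, ip in rows:
        if ts >= cutoff:
            ips_by_account[acct].add(ip)
    return {acct: len(ips) for acct, ips in ips_by_account.items()
            if len(ips) >= threshold}


def sequential_search_runs(log_text, min_run=5):
    """Question 2: {user: longest run} for users whose account-number
    searches stepped through consecutive numbers (n, n+1, n+2 ...) at
    least `min_run` times in a row. Any non-account search breaks the run."""
    last_number = {}
    current_run = defaultdict(int)
    longest_run = defaultdict(int)
    # Sorting on the ISO timestamp field puts each user's searches in time order.
    for ts, user, kind, value in sorted(parse_lines(log_text)):
        if kind != "account":
            last_number.pop(user, None)
            current_run[user] = 0
            continue
        number = int(value)
        if last_number.get(user) == number - 1:
            current_run[user] += 1
        else:
            current_run[user] = 1
        last_number[user] = number
        longest_run[user] = max(longest_run[user], current_run[user])
    return {user: run for user, run in longest_run.items() if run >= min_run}


if __name__ == "__main__":
    print("accounts over the IP threshold:", accounts_with_many_ips(LOGIN_LOG))
    print("users walking account numbers:", sequential_search_runs(SEARCH_LOG))
```

Both functions return dicts rather than printing, so the result can feed an alert or a review queue; the two thresholds are the tuning knobs a real deployment would set from its own baseline of normal logins and normal search behaviour.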

I very much doubt that we will ever know the true data loss that has occurred over the years at Vodafone. And what of the other telcos? Think they are doing something better, perhaps? I wouldn't put money on it.

Let's hope the NSW Privacy Commissioner actually does something with this event and takes action.

Tuesday, Nov 2 2010

Writing Firesheep Scripts

A lot has been written about Firesheep, and I have provided some commentary on it myself, but there wasn't much mention of the fact that it relies on specific scripts tailored for the sites it targets. Curious, I had a quick play and wrote up a couple of scripts for some Australian sites I have used.

NB: All of the ones I tested used HTTP for the sign-in process as the default setting; some offered HTTPS, but only as an additional link to click.

It's a pretty straightforward process:

1) Identify the correct domain

2) List the cookies sent as part of the session (normally the ones sent to you after you have authenticated)

3) Identify the section of the page in which the user name is displayed

4) Modify the identifyUser function. For the sites I looked at it meant I had to change this.userName = resp.body.querySelector('changeme').innerHTML;

The changeme value above has to reference where the username value is. So for Whirlpool, for example, the page source snippet looks like this:

The username is referenced as follows within the script:

this.userName = resp.body.querySelector('dl.userinfo span').innerHTML; 

One thing I did notice when running Firesheep was the number of third-party connectors that sites were running. As these were linked from the news site I was viewing, they automatically connected back over HTTP to the service.

In one example the page had a bit.ly bookmark extension and a Facebook connector. If you had an open session in another window, or had opted to keep yourself logged in by checking a box (which I guess many users might do), it would connect back and expose the session cookies, which would then appear in Firesheep.
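The exposure described above (a session cookie sent back over plain HTTP, whether by the site's own sign-in page or by a third-party widget the page embeds) is something a site owner can audit from their own sign-in response. As an added example, not code from the original post or from Firesheep, the Python below inspects a constructed sign-in URL and a constructed set of Set-Cookie headers and flags session-bearing cookies that lack the Secure attribute (so the browser will send them on any http:// request to that domain), lack HttpOnly, or persist past the browser session. The example.com URL, the sample headers and the name hints used to pick out session cookies are all assumptions for the example.

```python
"""Audit a sign-in response for the cookie exposure Firesheep relies on.

Added illustration: the URL, headers and session-name hints are
constructed for this example and not taken from any real site.
"""

# Constructed sample: the Set-Cookie headers a sign-in response might
# return and the URL the login form posted to.
SAMPLE_SIGNIN_URL = "http://www.example.com/login"
SAMPLE_SET_COOKIES = [
    "sessid=7f3a9c0e1b; Path=/; Domain=.example.com",
    "remember_me=1a2b3c; Path=/; Expires=Wed, 02 Nov 2011 00:00:00 GMT",
    "csrf=9x8y7z; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

# Assumed substrings that mark a cookie as carrying authentication state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "remember", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    """Heuristic: does the cookie name suggest it holds a session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_signin(url, set_cookie_headers):
    """Return a list of (cookie_name, finding) tuples.

    A session-bearing cookie without Secure is replayable by anyone who can
    observe the plain-HTTP requests it rides on; that is the exposure the
    post describes. HttpOnly and persistence are reported as well."""
    findings = []
    if url.lower().startswith("http://"):
        findings.append(("*", "sign-in form submitted over plain HTTP"))
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        if "secure" not in attrs:
            findings.append((name, "missing Secure: sent on every http:// request"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by page scripts"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append((name, "persistent: survives browser close"))
    return findings


if __name__ == "__main__":
    for cookie, finding in audit_signin(SAMPLE_SIGNIN_URL, SAMPLE_SET_COOKIES):
        print(f"{cookie:12} {finding}")
```

The Secure attribute is the fix for both the site's own HTTP sign-in and the embedded-connector case: once the browser refuses to attach the cookie to http:// requests, an auto-connecting widget loaded over HTTP no longer carries the session with it.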

I don't condone illegal activity and have provided the above information for people to evaluate their own applications or the applications they legitimately have access to.

The following firesheep scripts were written with help from RD (Thanks Mate).

Whirlpool Optus Seek

Tuesday, Oct 12 2010

Wifi can be surprising!

So I thought I'd share this. There I was on the Manly ferry, in the middle of Sydney Harbour, trying to sort out a wifi issue with some portable equipment I had. Anyhow, I see the below AP pop up, which, given that I was passing Manly Heads, was a surprise. Note that there was no encryption (which was not a surprise in itself).

But then, after seeing that, I finally looked up and saw that we were overtaking this ;-)

Wednesday, Feb 3 2010

7 Tips for Small Business IT Security

When I was interviewed on ABC Radio along with Alastair MacGibbon on IT security, I mentioned several resources and key tasks to ensure you maintain a good level of security for your organisation or family PC. Here is a quick summary and a list of resources.

  • Passwords
    • Weak password selection by users is still the most common way to compromise an organisation. Choose a phrase and use the first letter from each word as your password, and add a symbol at the end, e.g. @yourpasswordvaluehere!
  • Protecting your system from malware
    • There are several good solutions, some of them free; my pick of the free ones is the AVG offering.
    • The commercial offerings are always battling it out in the reviews, and some shine above others. Sophos is something I often see in the field doing a good job, IMHO.
    • When selecting an antivirus, or these days malware protection, look for something that protects all of your online activity (email, web browsing and social media).
  • Patch your software
    • Windows users are often compromised due to a lack of software updates. The Windows OS makes use of the built-in software update process, which should be set to Automatic.
    • Third-party software also needs to be regularly updated. Not sure if yours is up to date? Try using the free online tool from Secunia to check whether there are any vulnerabilities in the software on your machine.
  • Data encryption
    • Windows encryption tools are very effective against casual attackers. There has been encryption in Windows for many years, all seamless to the end user. Windows 7 and Vista have the BitLocker tool, which is very simple to enable.
  • Firewalls
    • Are you concerned you might have some services exposed to the internet? Perform a quick free scan at the Shields Up website and discover which ports are open.
    • If your organisation is starting to look at something more than just an ADSL modem between you and the internet, or you need more control over the activities your employees are performing online, then an entry-level firewall will assist. They often do many if not all of the tasks of the corporate big boys without the need for costly staff or $$$. My recommendation for ease of use and features is the Watchguard range of systems.
  • Online/Social media
    • The benefits of using Facebook, MySpace, LinkedIn and other social media sites to promote your business or catch up with friends and family are wonderful. But as online criminals increase their attack vectors, be conscious of what you post online. My advice is don't post anything online that you are not prepared to pin to the letter box at the front of your house.
  • Outsource
    • If you are about to set up online but don't have the time or money to buy the right equipment or hire staff or consultants (like myself), consider looking at Rackspace, who provide online virtual servers which you can get full access to, and consult their excellent support staff.

Wednesday, Jun 3 2009

Onwards

I left Pure Hacking yesterday after 2.5 years. I had a great time, but it is now onwards and upwards as the Director of HackLabs. HackLabs is a new boutique penetration testing company looking forward to making a significant impact on the industry.