Alcorn Group Cyber Security News

  • Release of OAIC Notifiable Data Breaches Scheme 12-month Insights Report

    The Office of the Australian Information Commissioner (OAIC) has released its first full-year insights report on notifiable data breaches reported between April 2018 and March 2019. Key results highlight that of the 964 eligible breach notifications reported:

    • 580 (or 60%) were attributed to malicious or criminal attacks.
    • Of those 580, 394 (or 68%) were cyber incidents resulting from common threats such as phishing, malware, ransomware, brute force attacks, compromised or stolen credentials and other forms of hacking.
    • The remaining 186 (or 32%) of those 580 were the result of theft of paperwork or a data storage device, social engineering or impersonation, or an act of a rogue employee or insider threat.

    These annualised results continue to support our previous article published back in July 2018. It remains relevant for organisations to better protect the personal information they hold, through establishing a regular program of security assessment and testing. Identifying and remediating vulnerable targets before they are compromised will always be a key defence against data breaches.

    Alcorn Group specialises in performing vulnerability assessments and penetration testing, which combined with our other services such as red teaming, threat risk assessments, and incident planning and response, can provide a broad and effective means to assist with mitigating the risk of data breaches. Please contact us to discuss how we can best address your organisation’s needs.

  • Transport Encryption Recommendations

    Transport Layer Security (TLS), the successor protocol to Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between two systems, such as a web server and a browser, to prevent third parties from reading or modifying transferred information, including personal details. The encryption algorithms used in TLS/SSL scramble data in transit, making it very difficult to read while it is being sent.

    Of all the findings Alcorn Group raises, weak TLS/SSL configuration is one of the most frequent. Using insecure protocols or weak cryptography undermines the intent of the security measures in place and leaves data accessible to prying eyes.

    In this blog post, we are shining a light on our preferred practices.

    Protocol security

    There are currently six protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3. Published in August 2018 as RFC 8446, the latest protocol, TLS v1.3, was released with a redesigned handshake that both speeds up connection setup and protects against downgrade attacks. However, since its release a group of researchers have successfully performed a downgrade attack on TLS v1.3 when RSA ciphers are in use.

    Although there is a known vulnerability, at the time of writing TLS v1.3 is the best protocol to use, as it significantly reduces the attack surface compared to previous versions. Crucially, it also removes obsolete features that TLS v1.2 still permits, including SHA-1, RC4, DES, 3DES, AES-CBC, MD5, arbitrary Diffie-Hellman groups, and EXPORT-strength ciphers. Cipher suites are defined differently from previous versions and no longer specify the certificate type or the key exchange mechanism. Due to its recency, it is not yet supported by all browsers.

    TLS v1.2 and TLS v1.3 support Authenticated Encryption with Associated Data (AEAD), which provides simultaneous assurance of the confidentiality, integrity and authenticity of the data. Therefore, when deploying servers, TLS v1.3 should be the default protocol, with TLS v1.2 the next preference. There may be a valid business case for keeping TLS v1.0 and TLS v1.1 enabled to support older browsers; however, this sacrifices security for compatibility. Disable support for the deprecated protocols SSL v2 and SSL v3 entirely, as both are known to be insecure and are vulnerable to Person-in-the-Middle (PitM) attacks.

    Where it becomes necessary to support older protocols like TLS v1.0 or SSL v3, consider using TLS_FALLBACK_SCSV. This signalling cipher suite value lets the server reject a connection in which a client that supports a newer version has been forced to retry with an older one, so PitM attackers cannot force a protocol downgrade; it only protects clients that send the signal, and it does not make the older protocol itself any safer. Alternatively, specify exactly the set of protocols your application is willing to accept.

    Certificate use

    Certificates should always be obtained from a reliable Certificate Authority (CA). When making the purchasing decision, research how the certificate authority has responded to public breaches, as well as how many breaches have occurred. The services offered are also important: a Certificate Authority should provide both Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) revocation methods.

    Your certificate needs to be properly validated against its hostname. Browsers check the hostname against the certificate's Subject Alternative Name (SAN) entries (and historically the Common Name, CN); if none of them match the hostname, it becomes more difficult for users to verify the authenticity and identity of the web server. A mismatched certificate nullifies the protection TLS provides: users learn to click through the warning, so an attacker can present their own certificate and mount a Person-in-the-Middle attack against the remote host without changing the user experience.

    Of particular note are the cryptographic algorithms your certificate employs. A certificate relies on two algorithms that work hand in hand: the hashing algorithm and the signing algorithm.

    Ensure your certificates are hashed with SHA-256 or stronger. For key lengths, the commonly cited minimums are 128 bits for symmetric (shared-key) ciphers and 1024 bits for asymmetric (public-key) key exchange; however, the current recommendation for a digital certificate is a SHA-256 hash with an RSA signing key of at least 2048 bits.

    Bigger is better when it comes to key length and security. However, overly large key lengths take noticeably more processing time on both the server and the client.
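As an added example (not Alcorn Group code or tooling), the following Python script turns the recommendations in this post into a repeatable check: it grades a summary of an endpoint's enabled protocols, cipher suites and certificate against the protocol, AEAD, hash-strength, key-length, hostname and revocation guidance above. The summary dict layout, the hostnames and the sample values are constructed assumptions of this example.

```python
"""Policy-as-code check for the transport encryption recommendations above.
Added example, not Alcorn Group code or tooling. The endpoint summary layout
(a dict you would populate from your own scanner output) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List

# Higher rank is better: rank 0 must be disabled, rank 1 is compatibility-only.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 1,
                 "TLSv1.2": 2, "TLSv1.3": 3}
# Primitives the post lists as dropped from TLS 1.3; "DES" also catches 3DES.
LEGACY_TOKENS = ("RC4", "DES", "MD5", "EXPORT", "NULL")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info"
    message: str


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; one leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers_host(cert: Dict, hostname: str) -> bool:
    """Match against SAN entries; fall back to the CN only when no SAN is present."""
    names = list(cert.get("san", [])) or ([cert["cn"]] if cert.get("cn") else [])
    return any(hostname_matches(n, hostname) for n in names)


def assess(endpoint: Dict) -> List[Finding]:
    """Return findings for one endpoint summary, in the order they are checked."""
    f: List[Finding] = []
    ranks = {p: PROTOCOL_RANK.get(p, -1) for p in endpoint["enabled_protocols"]}
    for proto, rank in ranks.items():
        if rank < 0:
            f.append(Finding("high", f"unrecognised protocol name {proto!r}"))
        elif rank == 0:
            f.append(Finding("high", f"{proto} enabled; SSLv2 and SSLv3 must be disabled"))
        elif rank == 1:
            f.append(Finding("medium", f"{proto} enabled; keep only for a documented compatibility need"))
    if any(r == 1 for r in ranks.values()) and not endpoint.get("fallback_scsv", False):
        f.append(Finding("medium", "legacy TLS enabled without TLS_FALLBACK_SCSV downgrade protection"))
    if max(ranks.values(), default=-1) == 2:
        f.append(Finding("info", "TLSv1.2 is the best protocol offered; enable TLSv1.3 where clients allow"))

    for suite in endpoint["cipher_suites"]:
        legacy = [t for t in LEGACY_TOKENS if t in suite.upper()]
        if legacy:
            f.append(Finding("high", f"{suite}: legacy primitive {'/'.join(legacy)}"))
        elif not any(t in suite.upper() for t in AEAD_TOKENS):
            f.append(Finding("medium", f"{suite}: not an AEAD suite (CBC/HMAC construction)"))

    cert = endpoint["certificate"]
    sig = cert["signature_algorithm"]
    if "md5" in sig.lower() or "sha1" in sig.lower():
        f.append(Finding("high", f"certificate signed with {sig}; require SHA-256 or stronger"))
    if cert["key_type"] == "RSA" and cert["key_bits"] < 2048:
        f.append(Finding("high", f"RSA key is {cert['key_bits']} bits; require at least 2048"))
    if not cert_covers_host(cert, endpoint["hostname"]):
        f.append(Finding("high", f"certificate does not match hostname {endpoint['hostname']}"))
    for svc in ("crl", "ocsp"):  # the post expects the CA to offer both revocation methods
        if not cert.get(svc):
            f.append(Finding("info", f"certificate carries no {svc.upper()} pointer"))
    return f


def grade(endpoint: Dict) -> str:
    """fail on any high finding, warn on any medium, otherwise pass."""
    sev = {x.severity for x in assess(endpoint)}
    return "fail" if "high" in sev else "warn" if "medium" in sev else "pass"


# Constructed sample summaries (not real hosts, certificates or scan output).
WEAK = {
    "hostname": "www.example.test",
    "enabled_protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "fallback_scsv": False,
    "cipher_suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],
    "certificate": {"cn": "example.test", "san": [], "signature_algorithm": "sha1WithRSAEncryption",
                    "key_type": "RSA", "key_bits": 1024, "crl": "", "ocsp": ""},
}
HARDENED = {
    "hostname": "www.example.test",
    "enabled_protocols": ["TLSv1.2", "TLSv1.3"],
    "fallback_scsv": True,
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],
    "certificate": {"cn": "example.test", "san": ["example.test", "*.example.test"],
                    "signature_algorithm": "sha256WithRSAEncryption", "key_type": "RSA",
                    "key_bits": 2048, "crl": "http://crl.example.test/ca.crl",
                    "ocsp": "http://ocsp.example.test"},
}

if __name__ == "__main__":
    for label, ep in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {grade(ep)}")
        for x in assess(ep):
            print(f"  [{x.severity}] {x.message}")
```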

  • New Requirements for Government Agencies under NSW Cyber Security Policy

    In February 2019, the NSW Government issued its new Cyber Security Policy, a key part of its overarching Cyber Security Strategy released in September 2018. The policy establishes a set of mandatory cyber security requirements, ensuring an integrated approach to preventing and responding to cyber security threats.

    The policy came into effect on 1 February 2019, requiring all NSW Public Service Agencies to comply with the new requirements. Adoption of the policy, while not mandatory, is also recommended for State Owned Corporations, local councils and universities.

    To meet the new requirements, agencies will be required to:

    • Ensure cyber security planning and governance is implemented, which includes:
      • Establishing clear roles and responsibilities, oversight and plans for cyber security.
      • Conducting cyber security risk assessments.
    • Establish a cyber security culture across the organisation, incorporating such aspects as:
      • Regular education of employees, contractors and outsourced ICT service providers.
      • Embedding cyber security risk management into decision making.
    • Manage cyber security risks to protect and secure information and systems, which includes:
      • Implementing an Information or Cyber Security Management System and supporting controls, compliant with recognised industry standards.
      • Implementing and reporting maturity against the ACSC Essential 8 cyber security incident mitigation strategies.
      • Identifying and classifying information and systems, and based on their relative importance, implementing commensurate controls.
    • Improve resilience and incident management capabilities, through:
      • Maintaining and testing annually, a cyber security incident response plan that integrates with the government’s response plan.
      • Implementing adequate incident identification and response tools and processes.
      • Reporting cyber security incidents in accordance with requirements.
    • Report and attest annually on policy compliance, including reporting on high and extreme residual risks and “crown jewels” (the agency’s most valuable or vital systems and information).

    Full details of all new requirements and the overarching strategy can be found in the respective documents linked above. As a CREST certified organisation, Alcorn Group is well positioned to assist government agencies with meeting the new requirements. Our independent assessment services can provide an initial baseline of your organisation’s cyber security posture and actionable recommendations to achieve and demonstrate ongoing compliance. Examples of services directly supporting policy compliance include:

    • ACSC Essential 8 maturity assessments
    • Threat and risk assessments
    • ISMS development and assessments
    • Cyber security controls testing (e.g. system penetration testing, red teaming, etc.)
    • Cyber security incident management (planning, testing and response)

    Alcorn Group will work with your organisation to tailor a program that meets your needs.

  • Alcorn Group Celebrate the Holidays in Style

    It’s that time of year again when we get to acknowledge the greatest Red Teamer of them all – Santa Claus!

    With the countdown on until Christmas Day, the Alcorn Group team came together at Dutch Courage Officers’ Mess in Fortitude Valley. But it wasn’t brandy we offered up for the man in the red suit this year – Dutch Courage is known for its fine selection of over 130 gins.

    We celebrated the season and fine company with good food and drinks, on into the night.

    Alcorn Group would like to wish one and all a safe and happy holidays.

  • Technical Writer Speaks at Conference

    Kristine Sihto, technical writer for Alcorn Group, took part in the ‘Write The Docs Australia’ conference in Melbourne this month.

    Kristine is a valued member of our quality assurance process, whose role ensures that the written content provided to our clients is both consistent and understandable. Her passion for the written word is evident in her day-to-day interactions with staff. Her topic at Write the Docs – The Art of Consistency: Creating an in-house style guide – reflects the heart of what she does for Alcorn Group on a daily basis.

    We took a few moments to interview Kristine on her role here at Alcorn Group:

    A.G.: What does a typical day look like for you?
    Kristine: When I get to work, I immediately look for any quality reviews that need to be performed. This involves checking every report for consistent and appropriate language, correct grammar and spelling, and consistent formatting. Once the urgent work is all out of the way, I can then get down to preparing policy and procedure documentation, reviewing marketing, and occasionally writing blog posts.

    A.G.: Why did you join Alcorn Group?
    Kristine: Alcorn Group was, for me, a huge step in the direction of my lifelong goals. A position working with words has always been my idea of a perfect job, whether that be editing or writing, and in this role, I get to do both every day. I’m also working in a field that I’m passionate about, which is a definite drawcard.

    A.G.: What is the thing you like most about your job?
    Kristine: This role stretches me in ways I previously couldn’t have envisioned. Information security is an amazing field, and I get to learn things that I would never have considered while working in other industries.

    A.G.: What are your biggest professional challenges?
    Kristine: I’ve come from a background unconnected to InfoSec or IT, so it’s been a very steep learning curve. Also, while the consultants can collaborate with each other on their technical needs, I have to find my own professional growth strategies and seek out professional networks that support the type of work I do, in addition to the professional networks that support information security.

    A.G.: What is your biggest achievement to date – personal or professional?
    Kristine: 2018 has been huge for me. I published a book of poetry that I’ve been working on since I was a teen. I’ve spoken at BrisSEC, and now I’ve presented at the Write The Docs conference in Melbourne.

    A.G.: What advice would you give to recent new entrants to information security?
    Kristine: Find professional organisations to build your network and support your growth. Making connections outside of your organisation means that you have access to a range of professionals who may have the information you need, or know someone to refer you to.

  • Release of final version of APRA Prudential Standard CPS 234 on Information Security

    APRA has released the final version of Prudential Standard CPS 234 on Information Security. This follows a period of industry consultation and responses to submissions on the draft standard released back in March 2018.

    In response to submissions received, APRA has confirmed:

    • The new standard will come into effect from 1 July 2019. A transition period for third party arrangements has been allowed whereby requirements will apply from the earlier of the next contract renewal date or 1 July 2020.
    • All information assets of regulated entities must be classified in terms of both criticality and sensitivity. This requirement is irrespective of whether information assets are managed by the regulated entity or a third or related party.
    • Regardless of whether a third party is in a direct or indirect (downstream) relationship with a regulated entity, and whether the information assets under management form part of a material business activity outsourcing, information assets must be managed in accordance with the new standard.
    • Regulated entities must notify APRA within 72 hours of becoming aware of an information security incident. Notifiable incidents are those with either an actual or potential material effect, or those requiring notification to other regulators either in Australia or other jurisdictions.
    • Regulated entities must notify APRA within 10 days of becoming aware of a material information security control weakness that is not expected to be remediated in a timely manner.

    APRA has also provided further clarification on other requirements in the standard relating to:

    • Board information security responsibilities
    • Information asset life-cycle
    • Annual review and testing of information security response plans
    • Nature and frequency of control effectiveness testing commensurate with materiality and frequency of information asset changes
    • Reliance on testing of control effectiveness over information assets managed by third or related parties
    • The role of internal audit for information assets managed by third or related parties

    To assist regulated entities with implementing the requirements of the new standard, APRA will be updating Prudential Practice Guide CPG 234 in the first half of 2019. In preparation, and as recommended in our previous article, regulated entities should assess their current information security control environment, identify any gaps, and develop and execute action plans to address any shortfalls. With its broad scope of security services, Alcorn Group can assist organisations with performing these assessments, as well as provide ongoing support for meeting the new requirements beyond the effective date.

  • Halloween comes to Alcorn Group

    Ghosts and goblins and things that go bump in the night! This October 31, webs, spiders, skulls and cauldrons adorned the office, and Alcorn Group staff members got into the spirit of the season by dressing up.

    We all know that showing up to the party in the same dress as someone else is a social faux pas of the highest order. While Dale and Callum managed to narrowly avoid the issue with their similar (but different) Apple costumes, imagine the embarrassment when Isaac and Kate both showed up to the office in their matching Sailor Moon outfits!

    Extra props to the Sydney office who put effort into their costume despite being so far from the rest of the crew!

    A popular vote from staff members decided that Isaac would gain the prize for best dressed, but who do you think wore it better?

  • CiscPwn: Hiding the intruder in plain sight.

    Innovation is at the heart of hacking. The hacker’s mindset needs to consider how common items may be manipulated to provide any advantage, whether that’s looking at online presence or finding ways to physically infiltrate an organisation.

    Introducing Josh R. - Operations Manager at Alcorn Group, hacker, and innovator, whose customised modification to Cisco phone hardware is assisting our consultants in the field. We call it CiscPwn.

    A.G.: What are we looking at, what is this phone device and what can it do?

    Josh: We often use devices “implanted” at client networks in order to maintain access. This is a functional computer with hacking tools ready for us to connect remotely and run attacks. We custom-made this for a job; the basic build was done in under a day. Since then we’ve added improvements. Typically we’ll build a device for a specific job if needed, then add new features and improvements when we think of them.

    A.G.: Why did you choose a phone for the basis of this hardware?

    Josh: Lots of spare room, and it fits in at most meeting rooms or desks without raising too many eyebrows. The phone is fully functional, but because it would need to be configured for the PBX at the target, we typically hang the phone on the loading screen so it looks like it’s frozen.

    A.G.: Was it difficult to place the device on the site?

    Josh: Very easy! When the device looks like it fits in, then it’s normally a matter of plugging it in. We snuck it into a network and used it to maintain remote access. It was very successful.

    A.G.: You recently gave a presentation about this device, tell us about that.

    Josh: I gave a presentation on Red Team techniques, how to get in the mindset of an attacker, which for us often comes down to low risk and high success rates. These devices are low risk because they’re difficult to trace, and once we have one implanted there’s a good chance we’ll be able to compromise the network.

    A.G.: Are there changes you’d like to make for the next version?

    Josh: We have a few improvements to detect tampering and more… but let’s not give it all away.

    A.G.: Will Alcorn Group be doing more hardware like this one?

    Josh: We have a number of other purpose-built devices already, and whenever we see the need or have an opportunity we add to the list. We can make custom gear for an engagement for sure.

    A.G.: What advice do you have for businesses on protecting themselves from hardware like this one?

    Josh: Port security and a good asset management policy are key. Asset management and an easy way to identify legitimate items is incredibly important.

    A.G.: If someone finds a suspicious piece of hardware like this one on their business premises, who should they contact?

    Josh: Ahh, well, roll incident response. …(Have) a good IR plan.

    Incident response is a vital piece of the puzzle when safeguarding your systems against intruders. Alcorn Group offers a range of incident response services to fit your needs, from assistance in preparing your IR strategies, to determining which areas of your business may require extra attention, to helping you recover in the aftermath of an incident.

    Call our consultants today on 1300 368 806.

  • Alcorn Group named as a finalist in AISA Awards 2018

    Alcorn Group is proud to be named a finalist for the AISA Awards 2018 in the Cyber Security SMB Employer of the Year category.

    The Australian Information Security Association (AISA) has been running its annual awards program since 2012 to recognise and promote excellence, innovation, and professionalism within Information Security by individuals, projects, and organisations.

    This category honours organisations with fewer than 1000 employees that have helped engage the general community and other businesses to promote and improve cyber security capabilities and maturity in the sector.

    Voting closes at midnight on Thursday 27 September 2018, and winners will be announced at the Australian Cyber Conference on 10 October 2018.

  • Alcorn Group at Barefoot Bowls

    The Alcorn Group team took to the green at the Merthyr Bowls club this week.

    Finger-food was provided for the hungry crew, which all agreed was quite tasty (including the magpie who came to snack while we were playing). Then, breaking into four groups across two lanes, we faced off against each other to see who was the best at rolling balls in a curved line to deliberately miss the things we were aiming at. Which of us could have foreseen that the balls would roll so far, or so askew?

    The competition was fierce, with light-hearted heckling to be heard throughout the match. Strategy became key, and at some points players would engage in the meta-game, rolling their ball into blocking positions for the adjoining game, thereby disrupting potential future combatants.

    Reece’s Rockin’ Rollers proved strong against Harvey’s Hackers, but Dook’s Divas took the day, finishing off against Kleidon’s Klassics. A great day was had by all.

  • Effective Security for Smaller Organisations

    The need for effective security is not limited to large organisations. Smaller organisations equally need to consider the importance of the information they hold, and the impact on their business and customers if this information fell into the wrong hands or was no longer available.

    While there are many best practice standards available to guide good security implementation, their relevance and ability to be applied in smaller organisations may not be clear. This can make it difficult for smaller organisations to determine the scope and extent of security controls that they can practically implement, and whether they have the internal capability to do so.

    As highlighted in a recent podcast interview with AEMO’s Chief Security Officer, Tim Daly, standards like the NIST Cybersecurity Framework are available for organisations of all sizes to use. The interview also highlighted partnering with a service provider for assistance where internal expertise may not be available.

    How can the NIST framework help? While comprehensive and detailed in nature, the framework still offers a good model for smaller organisations to adopt, being based around a lifecycle approach to cybersecurity-related risk. It aims to guide organisations to:

    • Identify the information and services that are important to the organisation
    • Protect those important assets through proactively identifying and implementing appropriate security measures at a level appropriate for the organisation
    • Detect malicious or unauthorised activities that could put the organisation’s information and services at risk
    • Respond to those activities effectively to minimise any impacts
    • Recover any impacted information or services in a planned, timely and effective manner.

    Still not sure where to start and what to do? Alcorn Group can work with your organisation to perform a NIST capability and gap assessment to help determine your organisation’s current security posture. We can also provide recommendations on appropriate cybersecurity measures to address any gaps and guide you on their implementation. These activities together will help your organisation achieve the first two stages of the NIST framework – “Identify” and “Protect”.

    Do you need a trusted partner to perform those ongoing security functions that your organisation does not have the internal capability to deliver? Alcorn Group can tailor a managed security service to fit your organisation’s needs. From effectively planning for and responding to cybersecurity incidents, through to assisting with returning impacted services to normal operations, our managed security service solutions will help your organisation achieve the final three phases of the NIST framework – “Detect”, “Respond” and “Recover”.

  • Regulatory Requirement for Aviation Security Identification Card (ASIC) Issuing Bodies

    The Aviation Transport Security Regulations 2005 require issuers of ASICs (“Issuing Bodies” or “IBs”) to establish and implement a program of procedures to ensure they perform functions and exercise powers in an appropriately secure manner. Recent regulatory oversight has highlighted the need to ensure these procedures adequately address how electronic information about ASICs and ASIC applications is handled and stored.

    Alcorn Group suggests that IBs ensure that the systems that contain or host ASIC information meet the ACSC Essential Eight and OWASP Top 10 requirements. Alcorn Group also suggests that IBs audit their procedures annually to ensure ongoing compliance. As a CREST certified organisation, Alcorn Group can assist IBs by independently assessing their systems’ compliance through:

    • conducting assessments against the ACSC “Essential Eight” mitigation strategies
    • performing OWASP “Top 10” assessments and penetration tests of web applications
    • assessing and testing other procedures in the IB’s ASIC program.

    Alcorn Group can work with IBs to develop an annual independent assessment and testing program that meets the IB’s regulatory obligations, with engagements scheduled throughout the year, and as part of a multi-year program if desired.

  • Third Party Security Assessments Now Offered by Alcorn Group

    Due to demand from our clients and the recent release of APRA Draft CPS 234, we are very pleased to announce that we now offer Third Party Security Assessments (TPAs) to meet the needs of your business. See below for more information about TPAs, or contact us.

    Our Service

    To assist in meeting corporate, customer and regulatory obligations, Alcorn Group can conduct third-party security assessments on behalf of your organisation. These assessments are in questionnaire format and are aligned to recognised industry standards for information security.

    Alcorn Group will work with you to conduct the assessments of your nominated third party service providers via your organisation’s nominated contact. Third-party responses will be assessed based on the information and evidence provided. Assessment results will be reported back to your organisation with areas of concern highlighted for further consideration and remediation tracking.

    Our approach ensures a consistent and reliable means of gaining visibility over third-party information security controls while freeing up your internal resources to focus on other important activities. Packaged with our other security services, this service will assist in providing greater independent assurance over your organisation’s security posture and management of third-party risk.

  • Release of OAIC Notifiable Data Breaches Quarterly Report (April - June 2018)

    The Office of the Australian Information Commissioner (OAIC) has released its first full quarterly report of statistics on notifiable data breaches reported during the April to June 2018 period. Key results highlight that of the 242 breach notifications reported:

    • 142 (or 59%) were attributed to malicious or criminal attacks, of which 97 were cyber incidents.
    • Of the 97 cyber incidents reported, the majority were attributed to compromised credentials resulting from phishing, brute-force attacks, or by unknown methods.

    Organisations can better protect the personal information they hold through establishing a regular program of security assessment and testing to identify and remediate vulnerable targets before they are compromised. Alcorn Group specialises in performing vulnerability assessments and penetration testing, which combined with our other services such as red teaming and threat and risk assessments, can provide a broad and effective means to assist with mitigating the risk of data breaches.

  • Alcorn Group Sponsors Appsecday 2018

    Alcorn Group is proud to be sponsoring AppSec Day, brought to you by the Open Web Application Security Project (OWASP) Foundation.

    “AppSec Day is Australia’s only conference dedicated entirely to application security. Aimed at providing a welcoming environment for developers, testers, devops engineers and security professionals alike. To improve their application security knowledge, skills and to network with other like minded professionals. With a day filled with talks, hands on workshops and panel sessions to learn all things application security.”

    AppSec Day is a fantastic event where you can immerse yourself in great talks, network with other security-minded professionals and attend hands-on workshops, all in the same great location: RMIT University in Melbourne.

    Join us on October 19th 2018.

  • Draft APRA Prudential Standard CPS 234 on Information Security

    In response to the increasing frequency, sophistication and impact of information security attacks, in March 2018, APRA released draft Prudential Standard CPS 234 on Information Security. The proposed standard will require regulated entities to ensure they have effective security controls in place to protect against and respond to such attacks.

    Australian regulated entities affected by the proposed new standard are banks, building societies, credit unions, life and general insurance and reinsurance companies, private health insurers, friendly societies and superannuation funds (excluding self-managed funds). The standard broadly covers the following areas that regulated entities will need to address:

    • Information security roles and responsibilities
    • Information security capability and policy framework
    • Information assets and controls, including incident management
    • Controls testing and internal audit
    • APRA notifications

    The consultation period closed in June 2018, and it is expected that the final version of the standard will be released in late 2018. The proposed effective date for the new standard is 1 July 2019.

    In preparation, regulated entities will need to assess their current information security control environment, identify any gaps, and develop and execute action plans to address any shortfalls. With its broad scope of security services, Alcorn Group can assist organisations with performing these assessments, as well as provide ongoing support for meeting the new requirements beyond the proposed effective date.


  • Creating Secure Passwords

    With the enormous number of passwords we require in our day to day lives, it’s no wonder that people reuse them across multiple sites, or use the minimum complexity they can get away with. How does anyone store that many complex passwords in their head all at once?

    A good password is hard to guess but easy to remember. It has uppercase letters and lowercase letters, numbers, special characters, and it is long. It doesn’t include any personal information.

    This scares a lot of people, but it doesn’t have to look like this:


    On the other hand, it shouldn’t look like this:


    Instead, there is another method of creating a good password, called a passphrase. It has uppercase letters and lowercase letters, numbers, special characters, and it is long.

    It looks something like this:

    The phone sits next to 3 keys. It is on the desk!

    Not all password fields will allow spaces; this can be worked around by using a different character in place of each space.

    For example, if I replace each space with the letter z, the passphrase above becomes:

    Thezphonezsitsznextztoz3zkeys.zItziszonzthezdesk!

    A passphrase gains complexity with each element that is included in it, but it remains easy for a human brain to recall. It’s also easier to input without errors than the original complex password shown.

    But the program says my password is too long!

    Sentences are wonderful things. They vary in length. If the program or website that you’re constructing a password for doesn’t allow a lengthy password, choose a shorter one. Shorter sentences can be memorable, while still having complexity. It’s preferable to aim for the upper margins of what’s allowed, rather than the lower margins. If the program allows for a password of 4-14 characters, choose 14 characters rather than 4, such as in this example:


    So why can’t I use this great password everywhere?

    It’s important to avoid reusing passwords. Not every organisation will safely store your password, and if you’ve reused passwords and one site gets breached, this can then mean that other sites you use are also affected.

    Are there bad passphrases?

    Not all passphrases are good to use as passwords. Book or song titles, song lyrics, or commonly known quotes may be present in password dictionaries. However, creating a unique sentence about the things around you will ensure that you’re not treading the same territory that hackers have already covered.
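    The rules from this article (all four character classes, length, a substitute character where the field rejects spaces, aiming for the upper margin of a length limit, and steering clear of well-known phrases) can be checked mechanically. The following is an added example, not code from the original article; the 14-character minimum and the small list of common phrases are assumptions standing in for a real password dictionary.

```python
"""Passphrase checks following the article's criteria (added example)."""
import re
import string
from dataclasses import dataclass, field

# Constructed stand-in for the "password dictionaries" the article mentions:
# well-known titles, lyrics and quotes that attackers already have lists of.
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "let it be",
    "correct horse battery staple",
}


@dataclass
class Result:
    ok: bool
    candidate: str                      # the string to actually type into the field
    problems: list = field(default_factory=list)


def normalise(phrase: str) -> str:
    """Lower-case and drop digits/punctuation so 'Let It Be!' matches 'let it be'."""
    return " ".join(re.sub(r"[^a-z ]", "", phrase.lower()).split())


def missing_classes(pw: str) -> list:
    """Character classes the article asks for that are absent from pw."""
    checks = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": str.isdigit,
        "special": lambda c: c in string.punctuation,
    }
    return [name for name, test in checks.items() if not any(test(c) for c in pw)]


def check_passphrase(phrase, min_len=14, max_len=None, allow_spaces=True, substitute="z"):
    """Apply the article's rules to a candidate passphrase.

    min_len is an assumed default (the article only says "long"); max_len is the
    field's limit if it has one. When the field rejects spaces, every space is
    replaced by `substitute`, exactly as the article does with the letter z.
    """
    problems = []

    # Dictionary check runs on the human-readable sentence, before any substitution.
    if normalise(phrase) in COMMON_PHRASES:
        problems.append("common phrase: likely already in attacker dictionaries")

    candidate = phrase if allow_spaces else phrase.replace(" ", substitute)

    if len(candidate) < min_len:
        problems.append(f"too short: {len(candidate)} < {min_len}")
    if max_len is not None and len(candidate) > max_len:
        problems.append(f"too long for field: {len(candidate)} > {max_len}; pick a shorter sentence")
    # The article says to aim for the upper margin of what a field allows.
    if max_len is not None and len(candidate) <= max_len and len(candidate) < max_len // 2:
        problems.append("well below the field's limit: aim for the upper margin")

    for name in missing_classes(candidate):
        problems.append(f"missing {name} character")

    return Result(ok=not problems, candidate=candidate, problems=problems)
```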

    Meanwhile, you can check if your account has been breached by searching at This handy service will allow you to see what the breach was, when your account was breached, whether your details were pasted anywhere, and the source of the breach.


  • Alcorn Group at Whisky Live 2018

    It’s that time of year again: the time to taste some fantastic whiskies at Whisky Live.

    With a range of fine spirits on offer, as well as plenty of distiller histories being told, it was a tasty and informative evening.

    Particularly popular were the peaty whiskies, such as Octomore by Bruichladdich and Talisker’s entire range, as well as the fantastic King’s Ginger.


  • Alcorn Group and the Room of Many Escapes

    Alcorn Group, Sleuth Masters Extraordinaire, visited the Brisbane Escape Hunt for an afternoon of fun and mystery.

    All teams succeeded, with minimal hacks involved.


  • Hacking Windows Domains

    Sydney’s newest go-to security industry conference, PlatypusCon, took place on Saturday 24th September. Targeted at infosec enthusiasts of all capabilities and experience levels, this year’s event took a fresh approach to conferencing, holding interactive workshops instead of talks, where attendees could try their hands at breaking and entering, capturing flags, hacking drones and fuzzing!

    Alcorn Group’s managing consultant Lukasz Gogolkiewicz had the pleasure of demonstrating to his 50-strong audience the art of hacking Windows domains. Lukasz’s workshop took attendees on a journey of network service enumeration to identify vulnerabilities, and if possible, establish a foothold on the network. From there, it was a flag capturing mission for points via privilege escalation techniques, domain controller attacks such as password extraction and exploiting misconfigurations in service permissions.

    The workshop was well received by the attendees, and the opportunity for Alcorn Group to share some of the more intimate techniques behind Windows hacking was appreciated. Keep an eye on our Twitter feed and website for more information on upcoming workshops and training sessions on hacking Windows domains and web applications.

  • Oceania CACS Conference

    This year’s Oceania CACS conference is being held on the Gold Coast from September 11-13. Run by ISACA, this is the premier event in our region for IS Governance, IS Security and IS Assurance professionals.

    Alcorn Group’s founder and managing director Wade Alcorn will be presenting on Monday September 12 at 11:00am with Mayus Nath, Director of the QLD Audit Office. With the theme of this year’s conference being ‘Governance, Empower, Protect’, Mayus and Wade will present to the audience their thoughts on empowering the use of new technologies by understanding attacks on critical infrastructure by Advanced Persistent Threats (APTs).

    With information technology becoming more and more pervasive, not only in enterprises but also in social and public settings, organisations need to embrace new technologies, including the Internet of Things, in order to enter the market and be competitive. However, until recently, protection has been focused on information systems. Wade and Mayus will discuss how organisations need to take a broader view nowadays, incorporating multiple technologies when designing and implementing security. They’ll also take a closer look at why browsers are involved in so many APTs. Attendees will learn more about how web browsers within organisations provide opportunities for attackers.

    The program of speakers for this year’s conference should ensure informative and insightful sessions for all attendees. For more information on the 2016 Oceania CACS, click here.

    If you would like more information on Alcorn Group’s contribution to this year’s event or have any general inquiries please contact us here.

  • Future of Work Security Panel

    This week Alcorn Group’s founder and managing director Wade Alcorn had the pleasure of joining a panel of security experts in a discussion on the importance of security in collaborative cloud environments at the inaugural Redeye Future of Work (FoW) conference.

    The FoW 2016 program was packed with informative sessions and keynotes from some of the technology industry’s greatest contributors, including Brisbane City’s Chief Digital Officer Cat Matson and Snowy Hydro CIO John McGagh.

    It was an excellent opportunity for business owners and enterprise leaders to learn more about innovative technologies, successful business transformation, big data, insights and creating value, and it was a great pleasure for Alcorn Group to be part of the mix, providing input from an information security standpoint. If you’d like more information regarding what security insights and considerations your organisation should be discussing, don’t hesitate to contact Alcorn Group here.

  • Alcorn Group on 'The Weekly'

    Our managing director Wade Alcorn featured on Charlie Pickering’s The Weekly last week. A tongue-in-cheek look at “big data” had Charlie disagreeing with Wade’s assessment of most privacy data T&Cs. As Wade noted, “…you practically need a legal degree to understand them”, to which Charlie quipped that he HAS a legal degree and still can’t understand them! We here at Alcorn Group are big fans of “The Weekly” and were quite chuffed to feature!

    The segment is no longer available to watch.


  • ACSC & Blockchain Security

    Our Managing Director will be presenting in Canberra at the Australian Cyber Security Centre Conference this week on all things blockchain. Wade will delve into Bitcoin, Ripple, Ethereum and the implications of blockchain for business and for law enforcement. Blockchain technology may be set to change the course of how the world does business, but who can honestly say they understand it? In this presentation, Wade will take the audience on an entertaining journey of discovery to build an understanding of this technology: what it is, who is using it, and why it may well be the biggest influence on humanity since the internet.


  • ACSC & Blockchain Security

    Wade Alcorn is presenting at the Spatial Industries Business Association on Bitcoin, blockchains and digital currencies: what are they, and where can we use them? The pros and cons of Ripple versus Bitcoin will be explored.


  • Blockchain as a Service

    Microsoft and ConsenSys partnered back in October 2015 to offer Ethereum Blockchain as a Service (EBaaS) on Microsoft Azure, so that enterprise clients and developers could have a single-click, cloud-based blockchain developer environment. The initial offering contained two tools that allow for the development of smart-contract-based applications:

    • Ether.Camp - an integrated developer environment
    • BlockApps - a private or semi-private Ethereum blockchain environment

    Everyone, particularly in Financial Services, is interested in blockchain technology. While a platform like Bitcoin has many great uses, specifically as a cryptocurrency, Ethereum provides the flexibility and extensibility many customers are looking for.

    In Financial Services, blockchain is a major disruptor to some of their core businesses, and FinTech companies are driving innovation in this space. Ethereum is open and flexible and can be customised to meet customer needs, allowing them to innovate and provide new services and distributed applications, or ĐApps.

    Ethereum enables smart contracts and Distributed Applications (ĐApps) to be built, potentially cutting out the middleman in many industry scenarios and streamlining processes like settlement. But that is just scratching the surface of what can be done when you mix the cryptographic security and reliability of the blockchain with the Turing-complete programming language included in Ethereum.

    “Ethereum Blockchain as a Service” allows financial services customers and partners to play, learn, and fail at low cost in a ready-made dev/test/production environment. It will allow them to create private, public and consortium-based blockchain environments using industry-leading frameworks, distributing their blockchain products on Azure’s distributed (private) platform.


  • Wade Alcorn delivers keynote at BrisSEC AISA

    Our Managing Director, Wade Alcorn, will be delivering a keynote presentation at BrisSEC on March 11th, 2016. Taking the perspective of an adversarial APT team, Wade will take you on a journey through the thought process behind hacking a browser to exploit your organisation.

    It promises to be an entertaining ride!


  • ASX and the Blockchain

    The Australian Stock Exchange (ASX) has announced that it has selected US-based firm Digital Asset Holdings to develop solutions for the Australian market utilising Distributed Ledger Technology. This may be able to significantly simplify and speed up post-trade processing. For ASX clients this could reduce back-office administration and compliance costs, while investors could experience significantly faster settlement of equity transactions, potentially in near real time.

    Adoption of Distributed Ledger Technology has the potential to stimulate greater innovation by ASX and third parties to develop new services for intermediaries, end-investors and listed companies. This would create a more competitive marketplace across a broad range of services.


  • Australian Government Cyber Security Review

    Here at Alcorn Group we are eagerly awaiting the release of the 2016 Australian Government Cyber Security Review. The issue of cyber security is one of national importance and affects every Australian citizen, and certainly every Australian business. Some estimates put the direct cost of cyber-crime to Australia at more than $1 billion a year, and this seems to be on the conservative side.

    There are some great initiatives already, including the Australian Information Security Association (AISA) and CREST Australia. The Cyber Security Review will provide clear direction from the federal government and much-needed clarity. The announcement of funding through to 2019-20 to establish an industry-led Cyber Security Centre highlights the government’s efforts to prioritise the area of cybersecurity, and to move towards working more closely with industry, businesses and researchers.

    It will be interesting to see how this Security Review evolves, and as a wholly Australian-owned cyber security company, we are keen to see engagement with Australian industry at a real level. We would particularly like to see initiatives addressing the skills shortage we see within the industry at the moment. Our managing director has long been banging this drum and has been involved in several initiatives to lead Australia’s up-skilling in this area. How government can support Australian businesses to improve their resilience and understanding of cyber threats will also be an area of particular interest. Stay tuned!


  • Alcorn Group presents at Infrastructure Saturday

    Our Managing Director Wade Alcorn presented to a keen bunch of professionals at Brisbane’s “Infrastructure Saturday” on November 21st. Interest certainly seems to be growing around Bitcoin, Ripple, the blockchain and Ethereum. There were lots of interesting questions and stimulating discussion. Thanks to Just People’s Adam Broadbent. Of course, a big thanks to Alan Burchill and his team for hosting the day too.


  • Bitcoin User Group session was a huge success

    Our MD Wade Alcorn had the pleasure of presenting to the Brisbane Cloud User Group on 5th November. Wade discussed Bitcoin, banking with Ripple, the blockchain, and the brave new frontier of Ethereum. Big thanks to Just People’s Adam Broadbent and the Brisbane Cloud User Group for facilitating the evening.

    If you missed the session, why not come along to Wade’s next presentation, which will be at “Infrastructure Saturday” in Brisbane on November 21st.


  • Cracking the Mac Security Myth

    Wade Alcorn is among a few security bods having a discussion in this insightful article on CRN. It is always interesting to explore the assumptions and myths around security and branding that are out there. As Wade states in the article: “The bad guys go where the money is”, so will we be seeing more and more attacks on Macs in the future?

    More details here: Cracking the Mac security myth - CRN


  • Security and Artificial Intelligence

    Wade Alcorn recently had the pleasure of presenting to some security folk at an Australian Information Security Association (AISA) Adelaide event. Wade spoke about a topic of increasing interest within the media, and within the security world: security, artificial intelligence and big ideas.

    Wade gave an entertaining and thought-provoking talk on both the potential and the real security implications of AI. We at Alcorn Group say: watch this space. This isn’t the last you have heard about security and artificial intelligence!

    More details here: AISA National


  • XSS Virus a Decade On

    AG’s Managing Director recently took a trip down memory lane with The Register’s Darren Pauli. It’s been ten years since Wade publicly demonstrated that cross-site scripting vulnerabilities could be used to construct a virus.

    More details here: The Register


  • Leak of Personal Details of Defence Employees

    Alcorn Group’s Managing Director speaks to the ABC’s Brendan Trembath on the AM current affairs program about what’s believed to be the personal phone numbers, email addresses and computer passwords of US and Australian defence employees that have been published online.

    Full story here: Article


  • Cybersecurity: The New Due Diligence

    We came across this report recently and really liked its main gist. When considering a merger with or acquisition of any new company, cybersecurity is fast becoming not an afterthought but a very important part of due diligence. Alcorn Group is highly skilled in providing visibility into the risks and threats any company may face.

    Full story here: Article


  • AusCERT Pre-Conference Presentation

    Wade Alcorn will be presenting at an AusCERT pre-conference session on Tuesday (2nd June 2015). Wade will be diving into the exciting area of Bitcoin, the blockchain, smart contracts and the future of the security of these technologies.

    Full story here: Conference Detail


  • Internet of Hackable Things

    Check out this Sydney Morning Herald article exploring a few different cyber topics that are capturing the media’s attention at the moment. Wade Alcorn was interviewed for the article, particularly around the hot-off-the-press 2015 ACC Report into Organised Crime.

    Full story here: Internet of hackable things: wired world wide open to new age of cyber crime


  • Telstra's Pacnet Breach

    We had a chat to Bloomberg’s David Fickling about the recent brouhaha with Telstra’s Pacnet. There’s always a spike in interest about the who and the how after these kinds of high-profile attacks.

    Another timely reminder for all businesses that your cyber security is a prime concern for your shareholders: Telstra’s shares dropped 9 cents when this incident was announced.

    Full story here: Hackers Exposed Government Data in Breach of Telstra’s Pacnet


  • The Australian Crime Commission 2015 Organised Crime Report

    If you have a spare half hour, make yourself a coffee and have a read through the 2015 ACC Report on Organised Crime in Australia. It makes for an interesting, if daunting, read. The main things we took away from the report, from our perspective:

    1. Cybercrime ain’t going away any time soon and is becoming an increasingly significant factor in many aspects of organised crime.

    2. The report extrapolates that the cost of cybercrime to Australians this year will be over $936 million.

    This figure is based only on ACORN self-reporting by small and medium businesses, so the report acknowledges it is likely to be an underestimate. We would agree with that: many businesses avoid self-reporting, and we all know that cybercrime certainly targets large businesses and government agencies as well, sometimes with devastating impacts. So let’s face it, we are looking at a conservative estimate of over 1 billion dollars this year.

    Organised Crime in Australia 2015 report


  • Cyber Attacks on Australian Businesses Rose 20pc Last Year

    Wade Alcorn chats to ABC’s “The Business” about cyber threats to Australian businesses. “…finance has been facing cyber threats for quite a long time now - it’s one of the most strongly positioned industries in Australia…” You can see the full story here: ABC News Story - Cyber attacks on Australian businesses rose 20pc last year


  • Presentation at ACSC Conference: Security of Browsers - Why are APTs successful?

    At the Australian Cyber Security Centre Conference, Wade Alcorn presented an entertaining and insightful take on APTs and web browser security in Australia today.

    The presentation description was: “Why are browsers involved in many APTs? In this presentation you will learn how the web browsers in your organisation provide an opportunity for an attacker. You will explore and understand how they provide a great return on investment for your adversaries. You know them, you love them, but how far can you trust them?”

    Standing room only!

    More details here: ACSC Speaker Details


  • Alcorn Group Leads AISA Web Hacking Workshop

    Today Wade led a very popular browser hacking workshop at AISA in Brisbane. Always rewarding presenting to a local crowd!

    More details here: AISA BrisSec Speakers


  • Crypto App Uses Single-byte XOR

    Our Managing Director comments on encryption: “Encryption is hard, very hard! … This goes to re-emphasise one of the golden rules of secure development: do not create your own cryptographic functions.”

    Read the full article: The Register


  • How Much Do We Value Our Privacy?

    Managing Director Wade Alcorn featured in an interesting Lateline story around privacy and personal data. Check out the social experiment in the café: what happens when people start acting like apps? Are we so ready to give away our personal data when it is face to face?

    More details here: ABC Interview

