[Linux-aus] Security conferences (was: LUGs)

Adam Nielsen a.nielsen at shikadi.net
Fri Jul 7 23:06:13 AEST 2023


> I looked at a few conference links and did not find the "What we did
> wrong" style confessions from failed organisations. How can anyone
> know what to avoid if there are no investigations and coroner reports?

These conferences are more proactive.  They focus on newly discovered
issues, alerting people to the problems they need to address *before*
there is a major security breach.

When there is a compromise like the Medibank one and the reasons are
made public, quite often you will find the very methods the attackers
used have been discussed at these conferences many years earlier.

This is why many companies and government agencies with a strong focus
on security send delegates to these conferences, because they want to
address their security shortcomings before there is a public breach
rather than after.

> The medibank incident should be investigated out in the open the same
> as an aeroplane crash.

I haven't looked into it but a quick web search shows it is being
investigated by police, and there is some preliminary information
available.

It looks like someone with high-level access was tricked into typing
their credentials into a phishing scam, and those login details were
used to discreetly install remote access software that was used to
extract the information.  It appears MFA was not used so compromising
the username and password was all that was needed to allow access.
There is more detail in this article I found:
https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4

None of this will come as a surprise to anyone who has attended
security conferences, as they always have talks on how sophisticated
social engineering and phishing scams are getting, and how end users
will always be tricked into handing over their passwords, so you need
MFA to save them from themselves.  MFA has been considered mandatory for
many years now and at this point no self-respecting company would be
without it, because it makes the very thing that happened to Medibank
significantly more difficult.

The latest social engineering trick being discussed is how AI can be
used to fake the voice of real people.  It will only be a matter of time
until there are breaches because someone gets a call from their boss who
forgot their password and needs some files urgently, and they just need
them e-mailed to their personal Gmail address.  The files will
dutifully get e-mailed because nobody wants to disappoint their boss,
only to find out later the confidential files were just e-mailed
directly to a scammer.  MFA won't help you there.

Hearing about how an actual breach took place is certainly very
interesting, but from the point of view of protecting your own data,
finding out about these things before they happen is of much more
benefit than hearing of them after the fact.

Cheers,
Adam.