Business Governance of Information Technology - The CXOs' Perspective
The CXO forum organized by the ISACA Sri Lanka Chapter "Business Governance of Information Technology - The CXOs' Perspective" was successfully held on the 29th of April, 2009 at Hotel Galadari.
The event was targeted at increasing the awareness of CXOs about IT governance, related frameworks, the related legal background in the country and enterprise IT security.
Links to download the presentations (with audio) are available here.
ISACA Updates 10 IT Audit Programs
ISACA has updated 10 key information technology (IT) audit/assurance programs that serve as road maps to help organizations improve controls and protect the privacy and security of their IT.
MD5 Considered Harmful Today
A group of international security experts has demonstrated how the weaknesses of the MD5 hash function can be used to create two messages with the same MD5 hash, commonly known as a collision. To demonstrate this practically, they successfully created a rogue CA* certificate (apparently mimicking RapidSSL.com of VeriSign Inc.).
The result of this experiment is that any bogus (SSL**) certificate signed by the rogue CA certificate is identified by web browsers as a genuine certificate issued by the original CA (such as VeriSign, or any other CA that uses MD5), opening the way to undetectable phishing attacks if exploited successfully. While the probability of seeing actual attacks that exploit the flaw is low, it is time to look at other cryptographic hash functions such as SHA1.
Details of the research work are available here: http://www.win.tue.nl/hashclash/rogue-ca/
* CA: Certificate Authority
** SSL: Secure Socket Layer
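A defender-side check that follows from this finding, added here as an example (not code from the article or the researchers): walk the DER encoding of a certificate and report whether its signature algorithm is MD5-based, so MD5-signed certificates in a chain can be found before clients trust them. The md5WithRSAEncryption OID is the standard PKCS#1 value (an assumption, not taken from the page), and the skeletal certificate built at the bottom is a constructed sample, not a real certificate.

```python
# Added example (not the article's code): flag X.509 certificates whose outer
# signatureAlgorithm is MD5-based, using a minimal stdlib-only DER walker.
MD5_OIDS = {"1.2.840.113549.1.1.4"}  # md5WithRSAEncryption (PKCS#1), assumed

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer Certificate.signatureAlgorithm field."""
    tag, cert, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { ... }
    _, _tbs, pos = read_tlv(cert, 0)          # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(cert, pos)     # signatureAlgorithm: AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)        # algorithm: OBJECT IDENTIFIER
    assert (tag, alg_tag, oid_tag) == (0x30, 0x30, 0x06), "malformed certificate"
    return decode_oid(oid)

def uses_md5(cert_der):
    return signature_algorithm(cert_der) in MD5_OIDS

# --- constructed sample input: a skeletal certificate, not a real one --------
def der(tag, content):  # one DER element; content shorter than 256 bytes assumed
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + content
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return out
def fake_certificate(sig_oid):
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # algorithm + NULL
    return der(0x30, der(0x30, der(0x02, b"\x01")) + alg + der(0x03, b"\x00" * 129))
```

To check a live server, pass the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)` to `uses_md5`, and do the same for every intermediate in the served chain.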
Controlling Controls Conflict
“Global village” is about seeing the world as a single community. In the past, we dreamed about the high-flying potential of how connectedness would transform our lives. Unable to go against nature, we continue to see bad dreams as well; sometimes they become realities. Connectedness has brought what appeared to be a crisis in a distant part of the world to our doorsteps. Let the guest come in and greet him with a slice of your IT budget and a cup of previously valued controls, in view of your new-found love of cost cutting and executives starting to stare at compliance expenses.
Can Computer Keyboards Leak Sensitive Information Out?
A research team at the Security and Cryptography Laboratory in Lausanne, Switzerland, has reportedly succeeded in recognizing keystrokes by analyzing the electromagnetic emissions of keyboards.
"We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks."
ISACA Conference Concludes With Lasting Memories
“I have attended several ISACA conferences and programs in many parts of the world. But I must say that the Sri Lanka Chapter national conference and the awards night stand right on top of any one of those.
It was very well organised, the quality of the papers presented was of very high calibre, technology had been used very effectively and, moreover, the team spirit of the board and organizers was absolutely great.” - Nalin Wijetilleke, The ISACA UAE Chapter President
We are glad to have received many more comments of the same nature and to have enjoyed the great success of the 4th Annual Conference on Information Technology Governance and the IT Security Awards Night, 2008.
See the bottom of this page to download the conference papers/presentation slides and also to see more photos.

Obtaining Support and Funding from Senior Management
ENISA, the European Network and Information Security Agency, has released a useful report on how to convince senior management to support and invest in security initiatives.
Landmark Research Paper From Verizon On Data Breaches
Verizon recently released a landmark research paper titled "2008 Data Breach Investigations Report" based on a study done by their Business RISK Team. The paper is freely available and is the first of its kind. In short, it provides significant insights into data breaches based on more than 500 forensic engagements handled by the Verizon Business Investigative Response team.
Selling Security
CIO.com has an interesting article about selling security solutions from Bruce Schneier, a prominent security expert. He describes the difference between Utility Theory and Prospect Theory as applied to human beings.
Central Bank of Sri Lanka - Exposure Draft on Corporate Governance for Registered Financial Companies
The law-enforcing agency, the Central Bank of Sri Lanka, has released a draft document on "Corporate Governance for Registered Financial Companies".