Disclosure Laws in Australia – Things to think about for your company…

We’ve talked a bit about the benefits and potential impact of Disclosure Laws coming into effect in Australia and New Zealand. We’re proud to say that Security-Assessment.com in New Zealand played a part in getting the NZ government to put this on the agenda over there, and we have pushed discussion and debate about the merits of such legislation here in Australia:

But what is the impact, and how will this affect your company if/when it comes into existence here in Australia? This article is one of many that give you a good overview of what disclosure laws may mean to you. Do keep in mind that any legislation in Australia may differ from what is in place in the US and other parts of the world:

From an IT Security practitioner's perspective, we cannot simply assume that such legislation will improve corporate security and make our jobs easier. In theory it should, but the potential exists for things to go the other way if it is not done right. We cover some of the potential issues here:


This is a topic that will gather momentum in 2008. Not much tends to happen during an election, or in the period soon after it, but this is something that will happen.

EMC Corporation, Juniper Networks, SAP, Microsoft and Symantec have formed a new consortium whose goal, as reported at TechNewsWorld, is to: “……help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity”.

Is it just me who read this and thought: yeah…let’s see how many people remember the name SAFECode Forum in 12 months’ time? Hey, good luck to them. I hope that they do achieve their goals, but is this really the first initiative of its kind, as they promote it as being?

The question has to be asked: have these companies admitted that they cannot, today or in the future, deliver more secure products on their own?

Hot on the heels of the ABC and Press Club in Australia trying, unsuccessfully, to defeat the Worm (part of the Australian election debate), Security Researchers are also discovering that it cannot be beaten. In fact, the Worm is not only now defeating attacks to kill it, it is fighting back. Is it just coincidence that this all came to a head on Sunday night? Is this another reason to vote in the Worm-friendly Labor Party? Hmmmm….you have to wonder.

The Worm has become a living entity now by the looks of things, as reported in Network World and as verified by IBM, with AI powerful enough to allow it to make decisions on the fly to attack those it sees as a threat to its existence.

Reports out of Tihsllub, where the Worm is believed to have originated, are sketchy, with all IT services down for the last 4 days. We have, though, heard through reputable sources that have managed to get out of the city that there are unconfirmed reports that the developers of the Worm confessed to having lost control. One of the developers, known only as “Eddie”, is reported to have stated before his untimely disappearance: “It was just for fun…no money…no government…no terrorism….just prank on my girlfriend……now it goes crazy…..it’s alive! I am in fear of my human!”

So the warning to all: whatever you do, if you come across the Worm, don’t approach it or try to engage it in any way; just pretend it’s not there. But if you are backed into a corner and have no other options, just be nice to it. That may be enough!

It should almost be time to give this TJX saga its own category here. Just as we think it’s quieting down, the story unfolds further. See The Register: TJX breach was twice as big as admitted, bank says. Can there be a better case study for the consequences of poor security management?

But are other organisations learning from the TJX experience? The answer is that probably only a small percentage are. We see it every day.

Another PCI compliance deadline passed here in this region recently. I’ll put it out there and say that, of all the organisations that must be compliant with the PCI DSS, I would be surprised if more than 5% are! Happy to be proven wrong, but I just don’t think it’s the case.

So who’s pushing the rest of the business community that doesn’t come under PCI DSS compliance obligations?

Related Links:
Risky Business 35 (Patrick Gray talks PCI with Verizon Consultant)
Beast or Buddha PCI Archive

Looks like there was some good stuff covered at BlueHat recently. Check out the BlueHat Security Briefings site.

The New Security Disclosure Landscape article by Rain Forest Puppy covers the state of the research industry better than most I have read recently.

Posted in: Research

Our old mate Metl on Patrick Gray’s IT Security Podcast, Risky Business last week:

If you’ve not had a listen, I highly recommend Risky Business. (Disclaimer: not needed – I have no business relationship with ITRadio.)

Posted in: news

The following is well worth a read if you are involved with PCI compliance within your organisation. Thanks to our PCI specialist, Fatemah Beydoun, for the heads up and links.

The National Retail Federation recently sent a letter of concern to the PCI Security Standards Council discussing the storage of credit card information. This has drawn a lot of discussion across PCI-related and other IT security sites. Some good points and interesting debate:


This is a topic that we cover quite a bit here. The following is a good article, but it does show that things for IT Security people may not necessarily be getting better. From the TaoSecurity blog: Security staff as ultimate insurance.

In our experience, this is probably quite an accurate assessment of what is happening. Will business ever learn? Keen on people’s thoughts on this. Are IT Security people still struggling for recognition, for acceptance, and to be able to perform their work to the levels people believe they should?

A couple of related posts:

Hiring a security manager and then not letting them do their job
CIOs spooked about talking about IT Security

Hot on the heels of the recent post Kiwi company aims to beat the hackers, another company in NZ is making some big calls. Morgan from Security-Assessment.com writes about it in the NZ ISIG Mailing List.

Come on Morgan….who knows…..it may all be that amazing. :-)

Gather around and witness!!

Last month, there was Manabars, this month there is… “Janus: Human Factor Authentication”.

“Janus is our completely new and unique authentication solution. It protects identity data against theft or misdirection. By using our patented technologies that operate outside the realm of all current known forms of attack, it is immune to their effects.”

Wow. How is this accomplished, you ask? With “message dissemination technology”:

“MESSAGE DISSEMINATION (NZ Patent 541356, WO2007/011240, patent pending in US and other countries) provides an alternative communication method that enhances information security and privacy by making the message known only by the sender and the receiver. It is developed with the principle of mutual understanding between the two parties that are communicating. Instead of using a standard set of rules/protocols to govern all communications between everyone, MESSAGE DISSEMINATION uses dynamic rules/protocols based on a set of principles. It uses a separate set of rules/protocols between each party, or simply makes up the rules/protocols during the communication session for the next. For unintended recipients, the message intercepted is meaningless.”

Check it out:

These guys are so far ahead of the curve it boggles the mind :)

Just a reminder that Kiwicon 2007 is approaching. It looks like being a great event.


Current Presentations and Speaker List: https://kiwicon.org/presentations
Schedule: https://kiwicon.org/schedule

Posted in: Research, news