Firstly, thanks to Donal and Wade, who some time back originally linked me to the video discussed in this post.

David Rice, who I chatted with recently has posted some interesting thoughts on an Internet based 9/11 type attack on his Geekonomics site. (Video included in the link). David looks at the potential scenarios but importantly addresses the implications to the rights of the citizen by way of introduction of any Internet version of the US Patriot Act.

Worst case scenario, and not debating the likelihood of it happening or even being possible (for now, in terms of this post): if it were to happen, what are the flow-on implications to other countries, either directly or indirectly, by way of the “global” Internet links to the USA?

We already see US regulation/reactions to events affecting business around the world (SOX is just one example of many). What happens if the US does enact an Internet Patriot Act? Would something like this, in a quick knee-jerk reaction, affect and change the Internet as we know it today? I think it’s something that needs to be considered and researched beyond just the implications to the US and its citizens.

Or am I just way off base here and assuming too much in the way of US influence on the Internet as a whole?



It was an interesting day at Security 2008 yesterday. (If you’re in Sydney, come on down and have a look. It closes on Thursday this week).

As I mentioned, they have included IT security as part of the exhibition this time, so for the first time, the crowds of “physical” security and data security people are mixing at the event.

While everyone is talking convergence through the new technologies, it’s quite evident that we’re still talking very different languages when the two groups are meeting. There’s a way to go before we really start to understand each other. (But hey, it’s going to happen to one degree or another).

Funny hearing Dec’s story talking to one of the CCTV vendors trying to explain that the system can be taken over and controlled by anyone (aside: Dec was aware that the system has some “weaknesses”). Read on….


Posted in: Too cool, cyber crime


Interesting comments (somewhat substantiated) coming out of a recent CIO event (not mentioning names) about CIOs and Gen Y people. (Aside: geez, I hate these Gen X…Gen Y…Gen FFS descriptions).

Seems there was some consensus amongst a few CIOs, I am told, about hiring, or rather I should say, not hiring people under 25. Nice….let’s have some fun with the old buggers!




If you’re heading into this show, pop by and say hello at the Securus Global stand. Security 2008 has been Australia’s premier security (non-IT) event and is now in its 23rd year. This year, for the first time, they are including a Data Security Village, acknowledging the growing convergence and crossover between traditional security and IT security. I’ve had the chance to work with the conference organisers behind the scenes and it looks like being a great event, with over 4000 people expected to attend.

Registration for the exhibition is free, so if you’re in town, it’s well worth attending.

Posted in: Research


With in-laws up there, I must admit to having a soft spot for North Queenslanders. There have been books written about them and, regularly, they’ll come up with some beauties. Great start to another week:

Mount Isa Mayor invites “ugly women”, giving them a chance to find a bloke!

http://www.townsvillebulletin.com.au/article/2008/08/16/15499_news.html

Now we stumbled upon this one by chance. The section on what “ladies” should wear is a classic:
http://www.cairnsdining.com/xmasparty-etiquette.html

There should be a whole blog dedicated to North Queensland stories!

Posted in: Too cool, WTF


Yes, some are still paid to teach us the problems:

http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx

Thank you! 2008?



Unless I’ve missed something (and it’s certainly not in section “51. Data Breach Notification” of this 2600-plus-page Australian Law Reform Commission document), we’re still lacking some fundamental basics for any data breach notification law to be successful.

As it currently sits and is proposed, the organisations that stand to be impacted the most are the ones that probably have the better Information Security and Privacy policies in place.

In basic terms, if you’ve got good practices and controls in place, you’re more likely to detect a breach and/or disclosure of private and confidential information. Thus, you will have to openly disclose. No need to drill down into the potential business and reputational implications for the organisation.

If your practices and controls around information protection are weak, you’re probably clueless as to whether a breach has occurred, so what you don’t know doesn’t get reported. Practise the three monkeys approach to Information Security and the proposed data breach disclosure laws will have little impact upon you.

These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See previous post on this topic:

Regulation does not need to be considered bad. See discussion on regulation here.

We can debate whether high-level statements of requirements in the Privacy Act will cut it, but in my opinion, they won’t. They haven’t so far, so what would change things now?



CIOs cop quite a bit of criticism from the Information Security industry and the people in it. (They’ve also copped quite a bit in posts here.) Rightly so, I believe, in most cases.

There are some really good CIOs out there when it comes to understanding and working on Information Security issues and doing the right thing by their companies, but to be honest, there are many CIOs that fail dismally too. Regardless of whether they’re getting advice and guidance from their security people, ultimately, a level of accountability must sit with them.

If you’re a CIO and you’re not reporting the state of risk and security on a regular basis to your CEO and/or Board, you are not only putting your organisation at greater risk but, looking at the bigger picture, also business partners, shareholders and everyone else associated with that business. (The CFO is reporting financial position and risks on a regular basis, so why aren’t you?)

What is the problem?




Thanks to Michael Crawford from MIS for passing this article on to me.
http://www.sage-au.org.au/display/SAGEAU/Press+Releases

Michael also covers it here in MIS in his article: SAGE-AU debunks filter tests.

Related posts on Net Neutrality and Filtering.

Passions run high on this topic and I’m not sure it has been thought out well enough. It all starts with good intentions, but how it pans out and the potential for future abuse need to be considered.



By Amit Deshmukh

The DNS vulnerability recently discovered by Dan Kaminsky allowed researchers and vendors from across the world to collaborate on fixing the issue. (Details available here: http://news.cnet.com/8301-1009_3-9998906-83.html). Old news, but…

Since then, a number of security solution vendors have jumped onto the bandwagon of the week (there seem to be so many of them of late!) and have provided their own versions of how best to identify and solve the problem.

Many vulnerability detection solutions have now begun detecting the DNS issue and have updated their signatures to verify the existence of the problem. However, it is critical that a company assessing its infrastructure for this vulnerability understands its DNS environment before it begins to audit its systems for this flaw, as this article very rightly points out: http://blog.tenablesecurity.com/2008/07/but-i-patched-o.html