As reported in ITNews and syndicated sites:

“The Federal Government has announced plans to sign an international treaty designed to facilitate the identification, extradition and conviction of cybercriminals around the world.”

In principle, the thinking and premise behind this is what you would expect in terms of technology issues/practices trying to align with “traditional” laws. But is this happening to mirror “traditional/current” laws in the member countries? What impact such a treaty owned and driven out of the EU for “other members” such as Australia? While 99% of this may be acceptable and most already a practice accepted here, care must be taken that we don’t jump into something without a full understanding of the impacts to our country and it’s citizens.

Are we prepared to fully jump into something like this (albeit, we do formally and in-formally undertake and work against most of these principles now), without other foundation legislation in place that would strengthen our abilities to really make this work on all levels?

The Government(s) in Australia have not really instilled us with much confidence for a while that they truly get IT, IT Security, eCommerce etc. Hopefully this is not another case of kicking something off and then having it come back to haunt them later….and there’s quite a bit of that.

I’m no expert in this field but find it an interesting topic. Am keen on your thoughts.

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

I know it has taken me a while to catch up, but I relegated it low priority when I first heard of this “APT” business. Bad of me? Who made this stuff up? This is something you’d only make up for a laugh. But, all of the sudden, my industry is talking about it. FFS. Is this an American thing?
:) ….if I had to mention that to a client. “Stand back… have an APT!!!”…… “Thanks Draz…awesome we hired you to save us!”

I have nothing! If this makes Wikipedia, (which it may have by now (Ed: yeah, I know it’s there), I’d love to chat (Ed: modified to not scare people), with that genius  who invented the term, (for our industry).

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Just got back and saw this was confirmed:

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there is no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Everyone (schemes, banks, press etc) tries to spread the care factor for any significant data breach of cardholder information.

Reality is that from an individual’s perspective, it really doesn’t matter whether it’s 20 million cards “exposed” or 1. As long as that “1″ does not belong to the individual…….And if does, in most cases, the individual is protected against their losses.

Just a philosophical question/view. :)

I’ve seen a few discussions around the Net recently on this topic of “market forces” being the drivers of better IT security practice versus “regulation” so I thought I would resurrect some recent posts for discussion.

- Crime Insurance – Implications of bad business IT security practices: Could swing to either side of the debate.
- Regulating IT Security Practices – PCI DSS too tough?: It doesn’t have to be seen as impossible.
- Workaround, accepted mediocrity and questionable future benefits/improvements: Giving up and taking the “easier” paths?
- Regulation is Bad! Let the market solely dictate things!….What a load of BS!: A response to some recent posts posted a few months before the recent posts.

Keen to get your thoughts.

By Declan Ingram

An interesting thing happened today. Someone asked me to find a Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey are the sites that you develop secure?”. You know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising… which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign-in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV also again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money making grabs on their part. Danger for all is that if only the Big guys eventually are the only ones who can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker so who wins? Do I battle these guys again or just suck it? No appetite at present for another battle with them. Read on:


No. Not even close. I’ve posted before about the limitations of the surveys etc we’re fed almost daily, but add the rest I’ve included in the title, and you’re still not close to the reality of badly developed and insecure software. Some things you just cannot blog about for various reasons. (Makes some blogs probably less interesting..hmm..yeah..I know). Not hard to work out what I am talking about – client confidentiality. That’s why, any of the above [views "from the trenches"] can be taken with a grain of salt. Sample if you like and if you can, but the figures you arrive at will still be the tip of the iceberg in regards to accuracy. (Note: taking aside anti-badware vendor surveys and statistics, which will always scare the pants off anyone if taken for real).

Who’s listening to the guys working it vs. the script kiddie BS in the press?

I was directing all to Anton’s site here where he has done the most thorough analysis of what’s been posted on the Net about this breach. It’s worth having a look at his site. After TJX, I thought I was all talked out about these topics – for a while at least…..okay, it’s big but it’s all now becoming quite common and things like this will continue to happen due to poor on-going security practices, inherently insecure software etc etc. So is there more to say on that front that I haven’t talked/preached about in this blog for a number of years?

PCI DSS has copped quite a bit of criticism from many “experts” on the Net over the events at Heartland. I do understand why. There have been many against the standard from the outset and any breach/security issue in an organisation that is using PCI DSS as the framework for their security practices is going to have these people questioning the purpose and overall benefits of the standard. Read on…..


This is a topic I’ve covered quite a bit and I was asked recently to write an article for Risk Management Magazine on this topic.

You can read it online pp 14-15. I would be interested in your thoughts and comments.

Older Posts »