I’ve posted before about the Australian Information Security Association. AISA is a volunteer-run organisation of Information Security professionals with branches in almost every capital city in Australia and in excess of 800 members. The number of members in recent times has grown significantly, and AISA as an “organisation”, as opposed to the “Interest Group” it started as, is growing also. In this chat with Stephan Overbeek (the current Australian Chair of AISA), we talk about the organisation, focus on valid questions and concerns raised by many in the industry here (including myself) about AISA, and look at what AISA’s plans for the future are. (Note: I am an AISA member and a volunteer on the Executive committee, as I have mentioned in the past.)
Opinion Piece: By Wade Millican (with Drazen Drazic)
The recent content filtering issues we discussed pertaining to TPG are very concerning in their own right, but they are part of a much, much bigger picture – something before the Senate of the United States.
They are part of a topic termed Net Neutrality. This is a battle being fought by the old-school traditional telco companies like AT&T, MCI and Verizon, with the objective of making more money by re-charging for their Internet services. With the cost of bandwidth so cheap, there is supposedly no money in the market and thus they are all going broke?! In response, they are diversifying with service arms and branches, but are also looking to recoup costs on the leased lines. To do this, their goal is for content providers, such as Google (as but one example), to pay to assure a certain quality of service to the end user’s PC. (Side note: this is a big issue when the line is provided all the way through by one provider, which is common both in the US and in Australia.)
Some interesting stuff floating around about web content filtering with TPG. You have to ask what is going on here. Is this a well-intentioned system that has just gone wrong in terms of deployment for the ISP?
http://www.inthemix.com.au/forum/showthread.php?t=228479
http://forums.whirlpool.net.au/forum-replies-archive.cfm/946858.html
Surely there’s a “problem” here that needs to be addressed. Opt-out options (in terms of content filtering being a standard from the ISP) are not what we are used to in Australia in terms of access to Internet content. Without going too hard and giving them the benefit of the doubt for now, it will be interesting to see how this plays out.
Hat tip to Wade.
The AGD is leading a review of the Government’s e-security policy, programs and capabilities.
http://www.ag.gov.au/esecurityreview
Submissions are due by 31st July 2008.
The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means with their last couple of suggestions though.
Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:
• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general – hey, it all comes down to software doesn’t it? (inc false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies – rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds – lack of regulation, establishment of base level requirements for security and looking at root cause
I know some of the above is broad in scope and I’m sure that we could develop a large list, but at the same time analysis vs. practical and realistic solutions to issues needs to be considered. There are many trains of thought – some believe we must just adapt and accept that we’ll always be living and working in an insecure IT world. Others have more hope, believing that we can turn things around with great effort. Is there a middle ground in the IT world, as mirrored in society in general? Can we segment the good from the bad and acknowledge the “grey” areas will always be there?
I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!
If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much, but they may ride on PCI DSS 6.6) and using that to drive business?
Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?
The Kiwis have had this on the table for a while. Computerworld NZ and MIS Australia amongst others have covered it recently with changes being made to the rules governing online banking in New Zealand.
The Computerworld NZ story has a quote that doesn’t seem to make that much sense on its own, but in the context of the history of this and what could have been, it is now a bit more understandable: “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.
While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.
Mac and Linux users, I suppose, need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back onto customers as a general rule are also watching this.
By straxd
Nobody expects an Australian inquisition….
Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; coincidentally written by Julian of Chaser fame. One could put forward the argument that this has been set up for the Chaser team and that other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone!
I don’t really know what more to add. Just in case you weren’t aware of spam and its prevalence and intent:
http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL
Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390
I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?
