The Twitter phenomenon has finally reached AusCERT in some force with the number of people posting tweets growing as the day progressed. For those of us not in attendance, it was a good way to get some of the latest news, (like the almost instantaneous reports that Senator Conroy was not going to talk about the Internet Censorship plan). As the day went on, the Twitter postings became more and more interesting, wrapping up well into the early morning with people talking about a variety of things including once again, local content and male vs female speaker numbers. Follow the Twitter postings here: http://twitter.com/#search?q=%23auscert

So, did AusCERT 2009 – Day 1 follow Conroy’s lead and turn out to be a dud? Click on…




While I’m not there myself, I was told it would be remiss of me to not somehow provide coverage of the events at Australia’s largest Information Security conference. Which blog would organisers be stressing about if we didn’t talk about the event?

So, a team has been formed and they’ll be providing a daily wrap-up of events as seen through their eyes. (Obviously to protect their anonymity and safety, names have been changed). Yeah, you know not all of this is going to be 100% serious but if you are offended, post your thoughts – flame away. Click on to begin….


Posted in: Research, news


By SGirl:

It is not just the government. The whole industry doesn’t care enough to pay sufficient attention to the message that is being sent in regards to IT Security to business. (I am not even going to bother with the national IT Agenda – that is a whole other rant). It is largely cultural. And I don’t know if it will change. Let’s start with the government.

You have local, state and federal government and within this, a plethora of agencies, departments, bodies and statutory authorities that have their own areas of responsibility. Pretty much at every level and at every segment they are putting out a message about IT security.

Some push a dedicated IT security message, others push a particular message for a particular sector or area of industry, and many are pushing the same message to the same segment in different areas of the country. Their intentions vary too, and this also plays a part in what message is sent.

For some the root intent is social responsibility – for others it is purely political (eg; Internet Filtering anyone?), jumping onto topical interest bites or even just using up budget allocations pointlessly to keep jobs and play the games that governments play.

Not one though, in my opinion, gives sufficient information for a business of any size (small, medium or large) to understand and appreciate all that it should be knowing and doing to address the new threats that come with doing business facilitated by technology. And few ever consistently say things in alignment with each other. You have to wonder….




Thanks to Matthew Hackling who spotted this one: “APRA releases discussion paper on IT security risk management”.

Reading on, we seem no further down the track towards serious enforcement of good practice. Another set of “guidelines”? Or is it something APRA could potentially use selectively as the working requirements for audits of “regulated institutions”? Should that be the case, a level of consistency will be critical – something that has not been a pattern of the past.

If it remains solely as a set of “guidelines”, you can add them to the scores of other good practice “guidelines” out there that never really achieved much and have fallen into the Information Security black hole.

Related posts:
- Australian Government approach and position on IT, Information Economy and Security
- Various posts over the years on related and some not so related topics

My thoughts on this aren’t new, as people who read Beast or Buddha know. I am always optimistic, though it is hard not to be cynical.



I admit to being somewhat confused in terms of what our government’s true strategy is in regards to IT, the Information Economy, IT security and related areas. I felt I somewhat understood what the government was trying to do many years ago when NOIE (National Office for the Information Economy) was the “department” covering all of government strategy. It then became AGIMO and from there, it seemed to get a bit lost for me. http://www.noie.gov.au/

In recent times, I have totally lost track of where our single point of reference to links and pointers to all else is (re: our strategy). If someone could guide me to it, that would be great. I am aware of things like Stay Safe Online and http://www.dbcde.gov.au/ but there seems to also be a few legacy sites (still relevant?) or am I just not understanding how everything links together?

More concerning is our government’s seeming lack of long term strategy and planning. Is anything really being “worked” at for any period of time greater than that coinciding with the next election? In addition, where and why have we lost the plot? See section in this related post; What does the digital economy encompass? Where did all the work from the past go? Does each new government just wipe the slate clean…..conveniently forgetting/rubbing out the past (1984 style)?

What are the longer term strategies (of substance)? Where is the “source” of information? What happened to the previous government’s projects and longer term strategy(s)? Are the broader issues being neglected as the government battles with the NBN and Internet censorship? Does the government have any real idea of what it should be doing, or is it skirting around the edges of the core problems and issues we have? From where I sit, I don’t see it. I just see a bunch of failed and forgotten projects. I am keen to hear others’ thoughts on this. Set me straight if I am just lost and missing it!



By SGirl1:

“The closest the security industry has to a rock star”. LOLs Bruce….love to see the quality of your groupies! Does Gene Simmons have anything to worry about? :)



- Great to see Qualys release a new “Laws of Vulnerabilities”. Waiting for a more detailed release, which they tell me is coming, that will have some context for those people who could not attend the presentation. I know the full context is based, to an extent, only on those that run VA, but the data does make for interesting analysis regardless.

- The Internet censorship video production by Donal and Wade, www.nodecity.com went global soon after the Beast or Buddha scoop (thanks guys). Check it out if you haven’t already.

- Small victory for iiNet in its current legal battle – reported here at ZDNet. Related posts here. Still wondering why iiNet is getting so little support from its fellow industry players. Weak!

- In Melbourne next week for business but also to do first round of interviews for Securus Global role. Penetration Testing expertise is key but just part of the criteria (yeah, for the benefit of Google that link….need to knock off a few in the order…LOL). More here.

- Nice to see a couple of our competitors merging. All the best with it guys. Awesome….one less competitor now! :) You’ll read about it…..

- Following @AISA_National, @Perth_AISA and @Melbourne_AISA now on Twitter.

- Seems to be award season at the moment with a few organisations running various industry awards. Good luck to those people and organisations nominated. Some truly deserve their awards and others, well…..somewhat related post here. Yeah, typical me. Have a great weekend all.

Posted in: Uncategorized


As you may have seen here in this role advertisement, we’re looking for a new person to join Securus Global to be based in Melbourne. I’m going to be in Melbourne next Thursday and possibly Friday (14-15 May) on business but will also be conducting some interviews while there. (Not the final ones as the applications don’t close until 20 May, 2009). If you’re planning to apply and are keen to meet with me sooner rather than later, get your application in soon. I will be back in Melbourne soon after the 20th for the next round. (Fair playing field and no advantage either way).

Posted in: Uncategorized


Mainstream media coverage of the Australian Internet filtering/censorship plan has covered everything bar security until now. Finally, the local press has woken up to this issue in Computerworld: Web filters threaten national security. (Cred to Darren Pauli)

The work of nodecity’s Donal and Wade has now gotten the local press interested/involved. But it took OS “experts” (as part of this) before anyone decided this was worth reporting. Smart and quality product….interesting and well put together to support the cause!

We were there a long time ago but not so smart in our approach thinking the facts spoke for themselves:
http://beastorbuddha.com/2009/01/05/security-implications-for-internet-filtering-censorship/
http://beastorbuddha.com/2008/12/17/matt-talking-about-potential-internet-filtering-problems-on-banthisurl/

Cred to Ban.This.Url. (Though quiet lately). But we’re not “famous” so who would listen? :)

Thanks to Donal and Wade for giving BorB the scoop on this.

Aside: It’s sad to see so many (initially vocal) people and groups drop off this cause as it has dragged on. No longer web 2.0 “flavour of the month”?….you have to ask? Also interesting to see so few question why a trial of ~2000 sites would/could constitute a “true” trial?! Will it be a surprise that it’s successful? I am sure we could whip up a filter for 2000 odd sites in about an hour….but it’s all how you “sell” it. :)



Banging on about the selectively forgotten root cause issues – glazed over for want of a prettier picture (alternative reality) – and the ongoing “marketing” to sell millions/billions of dollars worth of magic (questionable) product that is purchased by business without thought and implemented without plan, committed strategy or effective process, through failed Risk Management methodologies….we go on and on. Let’s then celebrate mediocrity at each step.



