infosec


Back in February I spoke at the “Freedom of Information?” panel held in Redfern by Recordkeeping Roundtable. I’ve previously posted the audio of my contribution. Here’s a transcript.

Recordkeeping Roundtable’s website has the raw transcript as supplied, but I’ve decided to edit it up a little to make it more readable. Enjoy.


My week from Monday 14 to Sunday 20 May 2012 was mostly about the AusCERT information security conference and a blur of returning pain thanks to my dodgy shoulder.

As I finish compiling this post, I’ve still got lots of AusCERT material to produce and Monday looks like being intense. So let’s just list everything and see what happens.

Podcasts

  • Patch Monday episode 138, “Anonymous ‘crippled’: where to for hacktivism?”. Following last week’s conversation with Israeli information security researcher Tal Be’ery about hacktivists’ tactics, I spoke with former journalist and commentator Barrett Brown, who has worked with Anonymous for about a year and a half. He discusses Anonymous’ position in the wake of revelations that Sabu, a core member and informal leader of the offshoot hacking group LulzSec, had become an FBI informant.

Articles

These are just the first two articles from my AusCERT coverage. More will follow.

Videos

Media Appearances

Corporate Largesse

  • AusCERT 2012 conference organisers and sponsors paid for various meals and drinks, but I didn’t keep track of that. While that means I can’t disclose who paid, it also means I can’t be influenced because I can’t remember who’s meant to be doing the influencing. Complete market failure, that.

The Week Ahead

There’s a couple of days of intense writing and production ahead. At the very least there’s two or three articles about AusCERT 2012 and the Patch Monday podcast. Then there’s a piece to do for CSO Online, and one for Technology Spectator.

I should be returning to Wentworth Falls this evening, but I plan to be back on Wednesday night to go to a paintball session with Eugene Kaspersky and other journalists. That could be weird. And I’ll probably be in Sydney again at the end of the week, but that hasn’t been planned out yet.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up) and via Instagram. The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Airbus A320-232 VH-VGY at Gold Coast airport, the aircraft I traveled in on Saturday. Check out the complete history of VH-VGY at FlightAware.]

[Update 26 May 2012: Links added to last weekend's audio recordings, added earlier today as separate blog posts.]

My full output from the AusCERT 2012 information security conference has yet to appear. Stand by. But last night I did a half-hour conference wrap with Dom Knight on ABC Local Radio.

We spoke about the conference atmosphere itself, cybercrime, cyberwar, the risk of Cybergeddon (yes, I know), and the claim by Eugene Kaspersky that Apple is ten years behind Microsoft when it comes to security.

Not that Mr Kaspersky would ever, like, troll the entire planet.


What we didn’t talk about, really, was the two stories that have been published so far:

The audio is of course ©2012 Australian Broadcasting Corporation, but as usual I’m posting it here as an archive.

I’m currently on the train down from the Blue Mountains to Sydney, en route to the AusCERT 2012 information security conference on the Gold Coast, and I’m thinking about what stories might emerge.

Here’s what I wrote last year when, just like this year, I was on the ZDNet Australia team:

The feeling I get from scanning those headlines is that there’s always a lot of scaremongering but the threats often don’t materialise. Are the threats over-stated? Does pointing out the threats trigger an effort to counter them, thus defeating them? Is it all just a bit too screechy?

And over the last year there’s been so much talk of imminent cyberwar. Is that just this year’s fashionable scary thing on a stick? I intend to ask a few questions. And I’ll plug it again: Thomas Rid says we shouldn’t believe the hype.

I haven’t yet looked in detail at the conference program but will do so over the next few hours. What do you reckon I should be investigating?

[Update 16 May 2012, 0625 AEST: Changed second paragraph to emphasise that I am covering the event for ZDNet Australia this year as well as last.]

My week from Monday 7 to Sunday 13 May 2012 was less productive than it might have been thanks to my shoulder being “out” for a few days, resulting in severe pain. No, I don’t mean I have a gay shoulder. I mean that a rib wasn’t seated properly.

The shoulder was repaired on Wednesday and is now slowly getting better, thank you. But despite the pain and the codeine haze, I did get a little work done.

Podcasts

  • Patch Monday episode 137, “Removing the anonymity from Anonymous”. A conversation about the tactics of Anonymous, LulzSec and other hacktivists with Israeli information security researcher Tal Be’ery, web security research team leader at Imperva’s Application Defense Center (ADC), where he leads efforts to capture and analyse hacking data.

Articles

Media Appearances

Corporate Largesse

None.

The Week Ahead

The current plan? A day of writing at Wentworth Falls on Monday. A day of travelling on Tuesday, taking the train to Sydney and then flying to the Gold Coast. Once there I’ll be covering the AusCERT 2012 information security conference for ZDNet Australia, flying back to Sydney on Saturday afternoon.

On Sunday afternoon I’m speaking about the total surveillance society at the Sydney Writers Festival.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Fuckin' art, innit, taken at the Hotel InterContinental, Sydney, on Saturday 12 May 2012.]

My presentation from the Saasu Cloud Conference 2012, which I told you about previously, is now online: Security and the Cloud: Hype versus Reality.

I’ll leave the article to explain itself once you click through, but to provide some Googlejuice here are the words hacking, infosec, cybercrime, cyberwar, information security, malware and cows.

Here are the background notes and further reading for my presentation at the Saasu Cloud Conference on 11 May 2012, “Security and the Cloud: Hype versus Reality”.

This presentation was a quick run-through of what I think have been the most important themes from the past 12 to 18 months.

About two-thirds of what I write touches upon information security, cybercrime, cyberwar, or privacy and transparency issues.

If you’d like the full firehose of information, please stay in touch via my list of written articles, the compilation of my media work in my Weekly Wrap posts and — if you don’t mind seeing my less-presentable public face as well as my serious work — my high-volume Twitter feed.

If you have any questions or comments, do please add them below. I’ll generally respond within 48 hours.

Things are very scary…

2011 was billed as the year of the hacker, and the year of the hacktivist. And yes, it was bad.

Hackers working under the Anonymous brand compromised Sony’s PlayStation network, costing the company $170 million.

Anonymous also hacked Stratfor, a US private intelligence analysis firm, stealing their 10-year archive of confidential emails and apparently handing them to WikiLeaks.

Anonymous splinter group LulzSec hacked into Rupert Murdoch’s News International, including UK newspaper The Sun — although it seems that most of LulzSec has since been arrested when their leader was turned and became an FBI informant.

Random hackers even defaced a Tasmanian government website. How very dare they.

Mid-year, McAfee told us about Operation Shady RAT, a five-year program by an unnamed nation state that had infiltrated dozens of organisations around the world. Most of them didn’t even know they were hacked.

We heard how the Stuxnet worm attacked Iran’s nuclear program — although the attack itself took place the previous year — leading to claims that 2012 would be the year of cyberwar. Atomic explosions illustrated the cover of books like Cyberdeterrence and Cyberwar by Martin C Libicki.

… but we don’t really know

Despite all the hype, we have no reliable figures on the extent of the problem.

Online crime is under-reported and under-researched. Plenty of people have called for mandatory reporting of cybercrime, including the chief technology officer of AVG and Detective Superintendent Brian Hay of the Queensland Police. Me too.

Major security companies avoid telling us the facts and continually promote dubious statistics.

McAfee’s claims about Shady RAT were mostly hand-waving, quite probably exaggeration.

Sophos reckons this focus on high-profile attacks distracts us from the real threats.

The report on Cyber Storm III, the latest in a series of five-nation cybersecurity exercises, told us nothing.

“The exercise provided insight into key decision making processes within government, business and industry. These insights could not have been achieved without processes being tested in an exercise,” the report reveals. Gaps were identified. Improvements made. Relationships built.

Introducing the hacker

Jasmine Singh Cheema, aka Pherk, aka Zero Cool, is a typical hacker and the most likely threat you’ll face.

Cheema did $1.5 million of damage to his employer’s competitors in 2005 in exchange for a few sneakers and a watch. His story is told in Tracking Cybercrooks: the tools feds use and Hacker’s Delight.

The story of the December 2011 extortion attempt against Sulieman Ravell’s financial advisory business is told in the Manly Daily, and I spoke with him at length in a subsequent Patch Monday podcast.

Israeli researcher Tal Be’ery has monitored Anonymous and LulzSec. He reckons Anonymous hacktivists prefer penetration, but choose targets of opportunity. I spoke with him for the Patch Monday podcast too, Removing the anonymity from Anonymous.

Most cybercriminals are stupid, but there’s a lot of them and the tools are cheap and easy to obtain. Your paper boy might hack your home network because you didn’t tip him.

The Cloud changes none of this…

… except for the complexity and your ability to understand what’s going on.

Most of the recent surveys have shown that when it comes to cloud computing, security is the number one concern. And every time I’ve looked at this in detail, the message from the information security experts has been get a lawyer.

That goes double in government circles.

Legal complexities make it difficult to use public cloud computing, according to Raimund Genes, Trend Micro’s chief technology officer. Unless you’re a criminal, that is.

“Public cloud for me is not really a security challenge. It is a change in the way we operate with data. It doesn’t decrease security. It increases complexity, and that’s a problem,” he told the company’s Canberra Cloud Security Conference.

“The cloud, from a legal point of view, will keep our internal lawyers and everybody else busy for the next fifty, one hundred years,” he said.

Hybrid clouds will probably be the answer, balancing the low price of public clouds for less critical data with the increased ability to monitor private clouds for more critical data.

Mobile devices are changing everything — especially on the Android operating system, which could end up being a simmering security shemozzle.

You don’t know who your Friends of Friends are

The internet connects every computer directly with every other computer. That’s not new.

What is new is that we’re publishing more information about ourselves than ever before. And while we might think we’re sharing that information with our friends, or friends of friends — those terms are highly misleading.

We might think of friends-of-friends as someone we’d let a friend bring to dinner. But research by Sophos shows that half of the time people will automatically friend someone on Facebook, even if they know nothing about them. Friends of those friends could be literally anyone.

We don’t even know who our enemies are either. After all, anyone can call themselves Anonymous.

DSD has some great advice

According to the Defence Signals Directorate, the agency responsible for the protection of Australian government and military networks, four simple strategies can prevent 85% of targeted intrusions.

DSD has published the full list of the top 35 mitigation strategies.

This work won DSD the US Cybersecurity Innovation Award for 2001.

Evgeny (“Eugene”) Aseev, head of Kaspersky’s China antivirus lab, has his own list of 18 infosec fails that let crims win.

This time we’re all in the front line

John Lawler, chief executive officer of the Australian Crime Commission (ACC) reckons we all need to harden up.

“There will always be exceptions — high-profile cases and particularly unique cases — where prosecution will be attempted,” he said, “where for deterrent purposes you’ll put a head on a stake somewhere, and I’m an advocate of that — not literally — where that becomes important for community confidence.” …

“I think it is absolutely essential for governments, for businesses, for the individual, to have the proper controls in place to prevent, or to harden the environment against, the cyber attack.”

Organisations must have audit controls, for example, particularly for digital information, and robust governance. They must understand security risks in their full complexity, both technical and human factors.

“That message hasn’t, I think, permeated — certainly in business — to the extent and level it needs to,” Lawler said.

And we need to make sure our data is encrypted, especially on portable media.

The problem is, it’s human nature to put security last.

Businesses need to start taking this more seriously. I’ve called for there to be less pep talk, more stick, and I reckon negligent data breaches should become a criminal offence. I’m not alone.

Coda

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Australia License.

The non-commercial and share-alike conditions are required to adhere to the licensing of the imagery used. Please contact me if you require an alternative version. As a minimum, attribution should read: “Source: Stilgherrian.” Online versions must link the word Stilgherrian to the website at stilgherrian.com.

[Image credits: Cows by Emmett Tullos III, used under a Creative Commons Attribution license (CC BY); photo of Jasmine Singh Cheema supplied by FBI via PCWorld Communications Inc; Clouds by Jerry Pierce (Flickr/Uncle Jerry) CC BY-NC-SA; Social graph image by Jim Bumgardner (Flickr/krazydad) CC BY-NC-SA; "Loose Tweets Sink Fleets" by Brian Lane Winfield Moore CC BY-NC-SA; "This time we are all in the front line" by Phil Bradley CC BY-NC-SA.]

My week from Monday 30 April to Sunday 6 May 2012 also covered the entire continent, because a cancelled flight kept me in Perth through until Monday evening.

I won’t go into the cancelled flight in detail just now. Either you saw it unfold via my Twitter feed or you didn’t. Not everything has to be recorded everywhere forever.

I got back to Wentworth Falls late on Tuesday and went to bed — and didn’t emerge until Friday, thanks to a nasty cold I seem to have picked up along the way.

Podcasts

  • Patch Monday episode 136, “Blackhole crimeware as a service here to stay”. A discussion of the evolution of the Blackhole malware toolkit and other trends highlighted in the latest AVG Community Powered Threat Report (PDF) with Michael McKinnon, security advisor for AVG Australia and New Zealand, and Rob Collins, senior sales engineer for Asia-Pacific with WatchGuard.

Articles

Media Appearances

Corporate Largesse

None.

The Week Ahead

The current plan is that I’ll be in Wentworth Falls until Thursday morning, writing a whole bunch of stuff and, with luck, getting rid of this cold. I’ll head to Sydney some time on Thursday, and then present a keynote on security at Friday’s Saasu Cloud Conference.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags. Yes, I should probably update this stock paragraph to match the current reality.

[Photo: Waratah Cottage via Instagram. Waratah Cottage is one of the Bunjaree Cottages, where I've spent maybe three-fifths of my time over the past year. It's not the building I usually stay in, but it's likely that I'll be here until Thursday.]

News that the Queensland Police is once again war-driving to find unsecured Wi-Fi networks is doing the rounds, and I ended up talking about the risks with Keith Conlon and John Kenneally on Adelaide radio 1395 FIVEaa on Wednesday morning.

Here’s the audio, and I reckon you can hear very clearly that I had a very bad cold.


The audio is ©2012 dmgRadio Australia, but here it is ‘cos it hasn’t been posted on the radio station’s website. Besides, this is a reasonable plug.

My week from Monday 23 to Sunday 29 April 2012 covered the entire continent from Sydney to Perth and (at least later today) back again.

That’s Perth in the photo, with the Swan River just visible between the apartment buildings of East Perth. The photo was taken with my bashed-up HTC Desire phone and processed through Instagram.

Heck, if Zuckerberg reckons it’s worth a billion dollars I might as well have a look, right?

I’ll comment on Instagram itself later, and figure out a better way to integrate the photos into this website. Meanwhile, here’s a gallery of my Instagram photos, updated automatically.

And now on with the show…

Podcasts

  • Patch Monday episode 135, “iiNet wards off AFACT, but what next?” A summary of the High Court’s decision in Roadshow Films and others versus iiNet Limited, the initial reactions, and a wide-ranging discussion with Dr Rebecca Giblin, a copyright academic and geek from Monash University’s law school, who literally wrote the book on this subject: Code Wars: 10 Years of P2P Software Litigation. Keywords for the other things we mention are SOPA/PIPA, peer-to-peer production,

Articles

Media Appearances

Corporate Largesse

  • I wasn’t paid to present at DigitalMe, but they did cover travel from Sydney to Perth and one night’s accommodation at Aarons Hotel including breakfast. Wine by Brad provided booze for the welcome drinks, as well as a bottle to take home. Food was supplied by Sorrento Restaurant, Northbridge.

The Week Ahead

A busy week of writing lies ahead, including a story for CSO Online and my presentation for the Saasu Cloud Conference the following week. I’ll also continue work on the feature story I’m writing for ZDNet Australia.

I believe I’ll be back in Wentworth Falls for most of the week, but this could change at short notice. The Dopplr widget on the left-hand side of every page of my website is usually updated within an hour of plans changing, so always check there first — but bear in mind it has odd ideas of what day it is.

Elsewhere

Most of my day-to-day observations are on my high-volume Twitter stream, and random photos and other observations turn up on my Posterous stream (or they used to before my phone camera got a bit too scratched up). The photos also appear on Flickr, where I eventually add geolocation data and tags.
