Showing posts with label australia. Show all posts

New Australian Privacy Principles.

Not that I'm in Australia at present, but I'm keeping an eye on things at home. Here is a nice little article from CSO.com.au on the ICT Security Controls Required by the Australian Privacy Principles.


It will be interesting to see what impact the new principles have on Australian businesses and government. I wonder, do the privacy laws extend to non-citizen asylum seekers?

First State backflip

So it appears that First State Super have decided not to prosecute the customer who informed them of a (possibly longstanding?) vulnerability in their website - how kind of them. Of course it did take being lambasted in the media to cause the about-face, and it has resulted in unwanted attention from the privacy commissioner...
And the fallout doesn't end there, as it appears that the company responsible for the (in)security of First State is also responsible for other superannuation websites - including recently being awarded a contract for looking after the security of a Government employee superannuation fund...uh-oh!

In not entirely unrelated news, the SEC in the US has released new guidelines requiring disclosure of InfoSec incidents. While only guidelines at the moment, I think this is a step in the right direction. Even if little else changes, it might give us some better data on the rates of intrusions/incidents in these big companies.

Shooting the messenger

Here's one for the shame file. An Australian security researcher, while accessing his superannuation fund's website, noticed a security flaw - a direct object vulnerability when the website displayed customer statements.

He notified the company, provided them his personal details and the details of the vulnerability. He even notified the ex-colleague whose records he accidentally viewed. The company's reaction? Call the cops, engage the lawyers and even threaten that he may be held liable for the cost of fixing the vulnerability!


Seriously? What planet are these guys living on? Would the outcome have been better if he had sold or disclosed the vulnerability to some less ethical party? Or done nothing and waited for someone else to exploit it in future? Maybe it's time to implement some kind of whistleblower-style laws to protect researchers in these circumstances.

I guess no good deed really does go unpunished. This kind of URL manipulation (i.e. changing a single digit) hardly constitutes hacking in my mind. It'll be interesting to see the outcome here, and how our judicial system handles this case (if it gets that far).
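The bug class in this post, a statement lookup that trusts the record number in the URL, shown as an added example beside the ownership check that fixes it. This is not code from the post or from the fund's website; the statement store, member names, balances and the audit-log format are all constructed for the illustration.

```python
# Added example: a "direct object reference" flaw in a statements page and
# its hardened form. All data below is constructed, not real fund data.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Statement:
    statement_id: int
    member_id: str
    balance: float


# Constructed stand-in for the fund's statement store, keyed by the number
# that appears in the URL (e.g. /statement?id=1002).
STATEMENTS: Dict[int, Statement] = {
    1001: Statement(1001, "member-A", 52000.0),
    1002: Statement(1002, "member-B", 87500.0),   # another member's record
    1003: Statement(1003, "member-A", 53100.0),
}


class Forbidden(Exception):
    """Raised when the logged-in member does not own the requested statement."""


def get_statement_vulnerable(logged_in_member: str, statement_id: int) -> Statement:
    """The flawed pattern: the ID from the URL is used directly and the
    server never asks whether the record belongs to the logged-in member."""
    return STATEMENTS[statement_id]


def get_statement_secure(logged_in_member: str, statement_id: int,
                         audit: List[str]) -> Statement:
    """Hardened lookup: the query is scoped to the authenticated member, so a
    record that exists but belongs to someone else is simply not found.
    'Missing' and 'not yours' get the same response so IDs can't be probed,
    and every denial is logged, since a run of denials from one session is
    exactly what a defender wants to alert on."""
    match: Optional[Statement] = next(
        (s for s in STATEMENTS.values()
         if s.statement_id == statement_id and s.member_id == logged_in_member),
        None)
    if match is None:
        audit.append(f"denied member={logged_in_member} statement_id={statement_id}")
        raise Forbidden(statement_id)
    return match


def denials_per_member(audit: List[str]) -> Dict[str, int]:
    """Detection-style summary over the constructed audit log: how many
    denied statement lookups each member's session produced."""
    counts: Dict[str, int] = {}
    for line in audit:
        member = line.split("member=")[1].split()[0]
        counts[member] = counts.get(member, 0) + 1
    return counts
```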

Data Breach Laws

It looks like data breach notification laws are back on the radar here in Australia. 2011, 'the year of the high-profile hack' has brought the need to better protect customer/consumer data back into sharp focus for our politicians.

Personally I think this is a good thing, at least in principle. How it works out in practice will depend, as always, on the details.

Other parts of the world have had data breach notification laws for some time now, and some research [pdf] has shown their impact to be limited. Security guru Bruce Schneier wrote an essay on the effect of the laws back in 2009 (and Marcus Ranum's counterpoints are here), and despite admitting that the effect may have been minimal, he believes the laws are a step in the right direction. As Bruce put it: "The laws rely on public shaming. It's embarrassing to have to admit to a data breach, and companies should be willing to spend to avoid this PR expense".

In the aftermath of the "Sownage" of earlier this year, I imagine more than one company began a security review to avoid that exact PR nightmare.

Intrusion Mitigation

The Defence Signals Directorate (DSD) in Australia has released a document called "Strategies to Mitigate Targeted Cyber Intrusions" [pdf] that lists the top 35 recommended intrusion mitigations, ranked by effectiveness, user resistance and cost. It's an interesting little two-pager that is worth reviewing. There was a version released in 2010 as well [pdf].

The Wild West

A friend passed this report [pdf] into Information Systems Security from the Western Australian Auditor General.

Key findings:

  • Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
  • We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans. We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.
  • Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the Internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established.
  • Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable:
    • Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
    • Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks. Without a risk assessment, agencies will not know their exposure levels and potential impacts on their business.
    • Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
  • Nearly all the agencies we examined had recently paid contractors between $9 000 to $75 000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats.
Some serious findings indeed, but it's good to see the Government performing these kinds of assessments and trying to get some traction on remediation of findings.

Whilst reading the report consider how well your organization would have fared in this type of assessment.

I also found the link for the 2010 report [pdf] for comparison.

Vodafail

Vodafone - one of the world's biggest telecommunication companies - has been hit with an embarrassing data breach here in Australia. While the details are in dispute (some stories say the data was open to everyone, others say not), they all acknowledge that there has been a significant breach at a time when the company is already reeling from negative press about poor reception and data transfer speeds on their network.

To quote Vodafone:

"Customer information is stored on Vodafone's internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,"
Well it must be secure. They used the word secure twice!

Seriously though, while I can understand with all the partners and shops nation-wide that Vodafone found the easiest way to provide CRM access was to use the internet; it is a serious lapse in judgement for Vodafone to not require multifactor authentication on their web portal. What were they thinking?*


The Australian points out that it's likely that Vodafone won't get more than a public 'slap on the wrist' as the Privacy Commissioner currently has no power to act on breaches of the Privacy Act. Gah!

Adopting security is often about incentives. If the Privacy Commissioner can't 'punish' the company for the breach and implementing something like multifactor authentication can't be sold as a customer benefit ("Sign up with us and your data won't be stolen again!") then we're left relying on the company to 'do the right thing' - which has been shown again and again to not be a great incentive to businesses (it could be argued that if 'doing the right thing' was a sufficient incentive, Vodafone would have already used multifactor authentication on their CRM portal - I imagine someone inside of Vodafone is saying "I told you so" today...).


*probably that usernames and passwords are cheaper than multifactor authentication. Which they are, just not safer...

Cybertarget: Australia

The Australian is reporting on a preview of a report from the Kokoda Foundation that "paints a damning and frightening picture of a complacent nation that has not grasped the scale of the threat posed by cyber hackers to national security, the economy and personal privacy".

Some interesting points made by the article are that "Australia has the fifth-highest level of malware infections in the world" and "the country still lacks a whole-of-nation, government-led integrated long-term National Cyber Strategy and Plan".

The latter point is not really surprising. Does it sound more familiar if it is changed to "the organization still lacks a whole-of-company, executive-led integrated long-term Information Security Strategy and Plan"?
From my discussions with friends in the security industry, once you get outside of the big banks and major financial institutions, Information Security in Australia is still commonly an afterthought or an 'IT Problem'. Hopefully this attitude is changing, especially with the incredible amount of reporting on incidents such as Wikileaks.

The Kokoda Foundation report should be available later this month.

Home grown hacker

An Aussie hacker who was arrested back in July for infecting around 2500 computers with a virus to steal banking and credit card information has pleaded guilty but asked for a reduced sentence as his actions were 'youthful curiosity' and he 'was interested in becoming an internet security consultant'.

Are there any hackers who got arrested who didn't pledge to go straight and become an IT Security consultant? Now there's not a lot of detail in the news articles about exactly what he did (did he write his own code, is he a script kiddie running something like Zeus, etc.), but regardless, asking for a more lenient sentence after you committed a crime so you can become a security consultant - is that not something like being arrested for stealing cars because you want to be a mechanic, or robbing a bank because you wanted to be a security guard?


I know there is a great precedent of those who were on the wrong side of the law, who reformed and have become security consultants or security celebrities (e.g. Kevin Mitnick, Kevin Poulsen), and it is a subject that has been well debated before. Would you hire a 'reformed' blackhat? Does it always "take a thief to catch a thief"? I'm not so sure...

The interesting thing about this case from an Australian point of view is that:

"The judge was told there had been no similar cases across Australia to guide him when imposing a penalty."
It will be worth watching closely to see what kind of sentence is handed out, and to compare it against other parts of the world where these types of prosecutions have been more common.

Doomed!

The ACMA are warning us that 30,000 Australian PCs are infected every day. I wonder, are they unique infections? If so, then if 78% of households have a computer and there are 7,600,000 households (roughly - 2006 figure), every household should have one infected PC by 5th August 2011! (Oops, forgot to subtract the 80,000 pre-infected machines, so that would actually be 2nd August 2011.)

Are we really all that doomed?

Unisys Security Index

Unisys have released their latest security index reports, which also have a break-out section for Australia. While this report covers far more than InfoSec (it includes items such as terrorism/national defence, health and financial security), there are sections on Internet Security, shopping & banking online and computer security (viruses and spam).

From their summary:

  • Six out of 10 (58%) Australians never secure their mobiles, PDAs or smartphones by using, and regularly changing, a password or PIN. Only 18% say they always secured their mobile device
  • Young Australians are protecting their identities online by limiting the information they post on social networking sites with 70% of 18-34 year olds saying they do it always, compared with only 44% of those aged 50+
  • The top two areas of concern for Australians are ID theft related: Unauthorised access to/misuse of personal information (56%) and other people obtaining/using credit card/debit card details (55%)
Australians are ending the year more relaxed than they started. The overall level of concern on key security issues, tracked by the Unisys Security Index, stands at 115 out of 300, down 8 points compared to April 2010. This reflects a drop in concern for all four areas of security with the biggest fall recorded for national security which has an index of 110 down 11 points since April.

What's interesting is the state-by-state comparison, with people in WA, NSW and VIC more worried (+7%) about internet security than those in SA and QLD.


Those over in WA seemed to be the most worried overall, topping the lists for all four sections: national security, financial security, internet security and personal security.

Hackers, Fraudsters and Politicians.

The House Standing Committee on Communications have released the results of their findings into Cybercrime in a report entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.

I haven't had a chance to digest the near 300-page document yet, but news.com.au has reported some interesting excerpts from it:

Among its final 34 recommendations were:

— The creation of an around-the-clock cyber crime helpline.

— Changes to the law to make unauthorised installation of software illegal.

— Companies who release IT products with security vulnerabilities should be open to claims for compensation by consumers.

That last point seems to be the most potentially controversial and problematic, but I'll hold judgement until I've had a chance to read the entire report...

Security Incidents in Australia & New Zealand

One of the difficulties of working in the infosec space in Australia can be the lack of region-specific information available. I blogged recently about a Ponemon Institute study that was Australian-based and have recently discovered that Chris Gatford of hacklabs.com has started maintaining a record of security incidents in Australia and New Zealand.

This is a nice addition to some of the existing resources available, such as datalossdb.org (which records all different kinds of data loss) and zone-h.org, which keeps a good record of website defacements.

Cost of a Data Breach

The Australian has reported that the Ponemon Institute has released a report on the Cost of a Data Breach based on data from the Australian market.

For those of us 'down under' it is great to see some reporting based on the local conditions, rather than the usual reports from the US and Europe. Unfortunately the report is only based on the 16 completed responses from the 114 companies that were asked to participate; however, I see it as a good start that I hope will continue.
