New Australian Privacy Principles.
Not that I'm in Australia at present, but I'm keeping an eye on things at home. Here is a nice little article from CSO.com.au on the ICT Security Controls Required by the Australian Privacy Principles.
Happy New Year (明けましておめでとうございます) from Security-Samurai.net!
Some interesting articles that recently caught my eye on the impending changes to the Privacy Act in Australia (courtesy of itnews.com.au):
Interesting concept, and one that's probably well overdue, but I get the feeling it may be a little like implementing DNSSEC or IPv6... Who knows, maybe the Snowden leaks will provide the push necessary to overcome the inertia.
http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-darkmail-alliance-to-thwart-e-mail-spying/
http://www.darkmail.info/
So I saw this today:
Google will allow its advertisers to use your image and comments in ads for their products, via a new feature called Shared Endorsements. This change raises privacy concerns for some people, and if you use Google Plus, the company's competitor to Facebook, you need to understand these changes. From November 11, the names, images and comments of Google Plus users will be available to Google advertisers for incorporation into the advertisements that appear when users run searches on the site. The changes are reflected in new Terms of Service that are understood to be accepted whenever you use Google services.
Interesting TED Talk on privacy and one which highlighted in my mind an interesting crossover that exists in the Information Security industry. Information Security professionals are often in an excellent position to breach privacy, and are often called upon to do tasks that do just that (though only in an ethical and responsible manner). On the flip side and possibly as a result of the above, they are often the strongest proponents of improved privacy controls and the most outspoken critics of those that breach them.
Google has released its transparency figures for the period January to June 2012, which detail requests made by various countries to access user data held by Google. The figures provided by Google only give the total number of requests, which (I think) can be a little misleading. I'm no statistician, but I thought it might be informative to have a look at the figures relative to population. Other interesting comparisons might relate to law enforcement budget, or be somewhat more subjective, such as the government's stance on data retention.
Australia ranks second behind the US for requests that were complied with when accounting for population, fourth for total requests when accounting for population and ninth for total number of requests.
I think one interesting aspect of the graph below is the discrepancy in certain cases between the number of requests made and the number complied with.
Sony's woes continue: although they have restored the PlayStation Network (PSN), they are being accused of still having plenty to do, with flaws in their password reset function and multiple vulnerabilities being discovered by researchers in their other websites.
Rubbing salt into the very public wound, an investigation into Sony's data protection measures by the UK Information Commissioner's Office mirrors the investigation announced by the Australian Privacy Commissioner. It will be interesting to see the findings.
Sony are learning the hard way a lesson that many other organizations should be heeding: computer networks are incredibly complex, and defending them is harder still. If your business is providing online services to a large customer base, security needs to be part of the company's culture. It needs to be evaluated, implemented and questioned at every level, with every developer, DBA, sysadmin and network engineer taking responsibility for proactively securing their own area, and every project manager and business manager understanding the importance of security and the potential damage of a significant breach. Maybe it's too much to ask...?
To my mind it is quite a surprise that Sony did not have a CISO, and unfortunate that it took such a major incident for them to appoint one. It seems it may have been the typical 'it can't happen to us' attitude that many managers and executives adopt.
Hopefully the major publicity surrounding this breach will lead other organizations to reassess their data security efforts.
The cloud has arrived down under! Well at any rate it has registered on the radar (weather radar?) of our Government officials.
Last month the Defence Signals Directorate (DSD) issued a paper on Cloud Computing considerations [pdf] that aims to "assist agencies to perform a risk assessment to determine the viability of using cloud computing services."
This came hot on the heels of the Federal Privacy Minister voicing his concerns about the compatibility of cloud services with the National Privacy Principles, and has been followed up by the Victorian Privacy Commissioner releasing a Cloud Computing information sheet to give "a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies".
Personally, I'm happy to see privacy concerns are getting some serious consideration. I'm certainly not anti-cloud, in many ways it is very cool, but I don't want to see businesses running headlong into a potentially disastrous (security & privacy-wise) situation without giving the consequences due consideration. Firm cloud standards and Government guidelines (and industry guidelines, e.g. ASIC) will go a long way to helping any move to the cloud be successful in the long run (again from a security & privacy perspective).
Assuming your cloud service is up and running, that is! (Sorry for the cheap shot, Amazon!)
Finally on privacy, this week is Privacy Awareness Week, so go and check your Facebook privacy settings (because they change pretty often!).
While playing with my new iPad, I came across an interesting article on The Last Watchdog about the US Federal Trade Commission's complaint against Twitter.
I'd read about Twitter's security breach in April last year, where an employee's personal email account was hacked and provided admin passwords to the social networking site, but had somehow missed the earlier breach where apparently nothing more complicated than a brute force attack revealed the site's weak, lower case, common dictionary word administrative password!
From the article, some of the major points from the FTC's complaint are Twitter's failure to take reasonable steps such as:
- Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
- Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
- Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
- Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
- Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
- Restricting access to administrative controls to employees whose jobs required it
- Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses
Additionally, Twitter are "barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years".
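As an added example (my own illustration, not Twitter's code or anything from the FTC material), here is a small Python admin login gate that implements several of the controls in the list above: a password policy that rejects short, single-case or dictionary-word passwords, lockout after a set number of failed attempts, an IP allowlist for the separate admin login path, and 90-day expiry. It then runs the same kind of dictionary attack the post describes against a gate with and without lockout, so you can see the brute force succeed against a lowercase dictionary word and then get stopped. The user name, IP addresses, wordlist and thresholds are all constructed for illustration.

```python
# Added example for this post, not Twitter's code; every name, address,
# threshold and wordlist entry here is constructed for illustration.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed stand-in for an attacker's wordlist / a common-password denylist.
WORDLIST = ["admin", "happiness", "letmein", "password", "qwerty", "welcome"]
COMMON_WORDS = set(WORDLIST)
PBKDF2_ROUNDS = 50_000  # kept low so the demo runs fast; raise it in production


def password_policy_violations(pw):
    """Return the policy rules a candidate admin password breaks (empty = OK)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if pw.islower() or pw.isupper():
        problems.append("single-case letters only")
    if not any(c.isdigit() or not c.isalnum() for c in pw):
        problems.append("no digit or symbol")
    return problems


def _derive(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class AdminGate:
    """Admin-only login path: allowlisted source IPs, lockout, password expiry."""

    def __init__(self, allowed_ips, max_failures=5,
                 lockout=timedelta(minutes=15), max_age=timedelta(days=90)):
        self.allowed_ips = set(allowed_ips)
        self.max_failures = max_failures  # None disables lockout (the "before" state)
        self.lockout = lockout
        self.max_age = max_age
        self.accounts = {}      # user -> {"salt", "hash", "set_at"}
        self.failures = {}      # user -> timestamps of recent failed attempts
        self.locked_until = {}  # user -> datetime the lockout ends
        self._dummy_salt = secrets.token_bytes(16)

    def set_password(self, user, pw, now, enforce_policy=True):
        problems = password_policy_violations(pw)
        if enforce_policy and problems:
            raise ValueError("weak admin password: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": _derive(pw, salt), "set_at": now}
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)

    def login(self, user, pw, source_ip, now):
        """Return one of: ok, denied_ip, locked, bad_credentials, password_expired."""
        if source_ip not in self.allowed_ips:
            return "denied_ip"
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"
        account = self.accounts.get(user)
        # Run the KDF even for unknown users so timing does not reveal valid names.
        salt = account["salt"] if account else self._dummy_salt
        expected = account["hash"] if account else bytes(32)
        if not hmac.compare_digest(_derive(pw, salt), expected):
            recent = [t for t in self.failures.get(user, []) if now - t < self.lockout]
            recent.append(now)
            self.failures[user] = recent
            if self.max_failures is not None and len(recent) >= self.max_failures:
                self.locked_until[user] = now + self.lockout
            return "bad_credentials"
        if now - account["set_at"] > self.max_age:
            return "password_expired"
        self.failures.pop(user, None)
        return "ok"


def brute_force(gate, user, source_ip, now, wordlist):
    """Dictionary attack against the gate; returns (password or None, attempts, last status)."""
    for attempts, guess in enumerate(wordlist, 1):
        status = gate.login(user, guess, source_ip, now)
        if status in ("ok", "locked", "denied_ip"):
            return (guess if status == "ok" else None), attempts, status
    return None, len(wordlist), "bad_credentials"


def demo():
    now = datetime(2010, 6, 24)
    admin_ip, attacker_ip = "203.0.113.10", "198.51.100.7"  # constructed addresses
    before = AdminGate({admin_ip}, max_failures=None)  # weak password, no lockout
    before.set_password("admin", "welcome", now, enforce_policy=False)
    after = AdminGate({admin_ip}, max_failures=5)      # same password, lockout on
    after.set_password("admin", "welcome", now, enforce_policy=False)
    strong = AdminGate({admin_ip})
    strong.set_password("admin", "Tr0ub4dor&3-Staple", now)  # passes the policy
    return {
        "before": brute_force(before, "admin", admin_ip, now, WORDLIST),
        "after": brute_force(after, "admin", admin_ip, now, WORDLIST),
        "wrong_ip": after.login("admin", "welcome", attacker_ip, now),
        "strong_ok": strong.login("admin", "Tr0ub4dor&3-Staple", admin_ip, now + timedelta(days=1)),
        "expired": strong.login("admin", "Tr0ub4dor&3-Staple", admin_ip, now + timedelta(days=91)),
    }
```

Running `demo()` shows the contrast: with no lockout the six-word dictionary recovers "welcome" on the sixth guess, while with lockout after five failures the sixth guess is refused as "locked". The policy check would never have let "welcome" be set in the first place, the allowlist turns away the attacker's address before any password is examined, and the strong password is still refused once it is older than 90 days. The KDF is deliberately run for unknown user names too, so the response time does not leak which admin accounts exist.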
A lot has been said about Facebook privacy (or lack thereof). A friend passed along this fascinating link that graphically illustrates the evolution of privacy on Facebook (or should that be devolution?).
Social networking contains all kinds of dangers, from the typical social engineering and scamming to getting fired for 'chucking a sickie' and things far, far worse.
Of course, Facebook, MySpace or LinkedIn aren't responsible for the crimes that may be committed by users of their services, but sites like Facebook aren't helping matters by proclaiming 'privacy is dead' and purposely making more information public.
It has been said before, but bears repeating: don't put anything on the internet that you wouldn't want everyone to know. While I don't agree with Mark Zuckerberg that 'privacy is dead', I do agree that, for all intents and purposes, 'privacy is dead on the internet'.
And finally, if you are a Facebook user, here are 10 Privacy Settings Every Facebook User Should Know, or if you're tired of the whole social networking thing, how to delete your Facebook profile in 5 minutes (and by the way, apparently you're not alone).
Disclaimer: The views and opinions expressed here are those of the authors only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.