Domain: securecomputing.net.au
Stories and comments across the archive that link to securecomputing.net.au.
Comments · 11
-
security was handled by Heartland Payment Systems
"This shouldn't be surprising - an organization's purpose is to do what it does, to quote somebody or other. TJX is making money off transactions; security is only incidental"
..Except the transactions were handled by Heartland Payment Systems, an organization supposedly charged with securing credit card transactions.
-
Re:Overthinking it
Not really:
http://www.securecomputing.net.au/News/241927,cablegate-dsd-unprepared-for-cyberwar.aspx
The group also discussed Israeli nervousness over Iran's nuclear programme, the ONA expressing interest in Fort's and INR's assessments on Israeli "red lines" and the "likelihood of an Israeli strike against Iranian nuclear facilities".
Source:
http://images.theage.com.au/file/2010/12/15/2096934/Cables.htm
-
Re:Aussie govt won't lift a finger...
Don't forget impounding those evil "hoons" cars. Nothing is more important than ensuring that Australian roads are completely free of import vehicles and car enthusiasts. How else can you train the population to help the government prop up our car industry than to intimidate them into buying the junk that rolls off the assembly line here?
Or making sure that nobody, absolutely nobody, takes their eyes off the speedometer for even half a second, lest they creep 0.0000001 km/h over the limit, thereby killing 10 starving disabled orphans instantly and advancing the impending doom of civilisation.
Yeah, keep up the great work.
OT: The government barely understands the internet at all. The NSW government claimed they had been "breached after two days of sustained attacks" when a newspaper found they could freely access the URL of an agency the gov't used to produce train timetables. The agency didn't secure the pages, so the government kicked up a stink about being "hacked". I'm glad they're keeping their incompetence far far away from our networks.
DO. NOT. WANT.
-
Re:Privacy Commissioner?
Actually, her name is Karen Curtis, the Federal Privacy Commissioner. She's investigating Google for the Street View Snooping. See here for example.
-
Re:Will you have to show an ID to get credentials?
Not the EU per se, but there has been a verdict (IIRC
/. reported it) in Germany where a person was convicted because he didn't seal his AP and it was used for copyright infringment. -
Re:whitelist
Whitelisting applications would work if this could control what is run on your system. Variously implemented by either looking up a hash (e.g. md5) or signing the code. Unfortunately we can make the following observations which indicate this does not provide total protection:
By Design:
Some applications allow interpreted code (macros, visual basic inside documents, perl/java etc.).
Some applications are inherantly data (excel spreadsheet etc.).
Some applications change their behaviour dependant on libraries and plugins which may not be checked against a whitelist (e.g. activex, greasemonkey).
Some applications self-modify (maybe to try and prevent software theft).Flaws:
Some applications have flaws that allow code injection (buffer overflows etc.).
Some features can be used for inappropriate purposes (updater that can be fooled into downloading the wrong files).
Sometimes signing keys are reverse engineered or leaked, allowing malware to be whitelisted.
List or key management requires ongoing maintenance and if it goes wrong can mount a denial of service attack on your customers.Lack of omniscience:
Some people can use a secure application in a secure OS and still do something insecure (phishing etc.).
As new attacks are found, old protections become ineffective.
There is a chance that malware could be whitelisted.
You have to update your whitelist for every update by every vendor.
It is really really hard to be sure that the application does what you are told it does - either deliberately to produce trojan horses or accidentally (see above).
Each user may require a different whitelist as they have different requirements - some may wish to run p2p data sharing wheras others may regard this as a huge security risk.Lack of omnipotence:
Some flaws are not in the applications - they may be in a hypervisor, loaded onto network cards, on routers, hosted remotely.IMHO whitelisting requires reducing the functionality of applications (e.g. no java) and adds hoops/costs to professional developers and upsets users but unfortunately malware writers will focus on the easiest route using what they can get. c.f. http://www.securecomputing.net.au/News/161167,analysis-iphone-malware-evolution-on-overdrive.aspx
-
Re:Of course they fought it.
-
Re:AU government are jerks
Guy #6 thinks Google should filter YouTube.
Oh wait ...
http://apcmag.com/now-conroy-wants-google-to-filter-youtube-in-australia.htm
http://www.crn.com.au/News/166677,conroy-meets-with-google-for-youtube-filtering.aspx
http://www.securecomputing.net.au/News/166754,google-cold-on-voluntary-youtube-filtering.aspx -
Re:Part of it has to do with
US blackout was computer related
"The W32.Blaster worm may have contributed to the cascading effect of the Aug. 14 blackout, government and industry experts revealed this week"
Rare SCADA vulnerability discovered - May 2008
SCADA Systems Vulnerable to Hackers Feb 2004 -
Re:ActiveX
Oh, of course established companies never release flawed software, right? Their ActiveX control does not have to be malicious in itself, it is sufficient if it tears holes into your defense for others to abuse. ActiveX needs to die a very quick death already. And can we please club that idea that a browser, JavaScript and a bit of fairy-dust can fully replace any local application regardless of specific implications out of people's heads?
-
Is your data *that* invaluable? Really??
Get real. Difference between you and "self respecting companies" is that they don't have a stash of porn they're trying hide.
"Self respecting companies" usually have a CFO whose job it is to make sure that money gets spent wisely. Let's consider having you or some other geek team manage my corporate data vs. doing it at Google:
Security:
Geek: encrypts stuff, holds me hostage
Google: Google datacenter securityRisk:
Geek: let's face it, would sell his mother (never mind the customer database) to get laid
Google: Google approach to risk managementLitigation & discovery:
Geek: will send lawyers whatever he's been asked to by his boss, and maybe a bit extra "by mistake"
Google: Will respond to specific and valid legal requestsService cost:
Geek: can never have enough (hardware, salary, perks, etc.) can't bother to come in wearing a clean t-shirt
Google: $50 a year. Regardless of volume or usage. Upgraded continually.I won't even mention the fact that you already trust a number of companies with your data - unless of course you've dug your own ditch and laid your own fibre between offices.
Google is staffed by asswipes like every other company. Unlike your employer, they just manage that risk.