Inside CERT Australia
mask.of.sanity writes "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught."
You don't want HONEST people to know that the software is worth one cubic turd. Only criminals should possess that knowledge, because they are the people who will put it to best use!!
BTW - who knows why turds are round, and tapered instead of cubes?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
If even RSA (a security expert) is compromised, I wonder how long it'll take for this list to get leaked, especially now that it has been publicized.
Or maybe the publicity is another bait and switch :P. It'd be cool if it was, but I doubt it.
Just what we needed.
any possibility that the list could be used to hack computers the Australian government doesn't like is completely impossible.
Stuxnet anyone ?
TFA:
The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly.
This is corporate welfare at its finest: make the people pay to give a competitive advantage to particular companies.
When will this primitive targets-based, public-private-partnership experiment born somewhere in the '80s finally collapse? When will parties and their representation in government reflect the people again? Whether left or right, authoritarian or socially liberal, your view is no longer represented unless you've paid for it.
Your services are required. I expect the information to appear on Wikileaks ASAP.
-- Even if a god did exist, why the fsck should I worship it?
When God goes to war, He drops big bangs.
Tell people to fix these fucking "seekrit" bugs, and if they don't, make them public. Responsible disclosure. You have wankers who are on the tax payroll creating more paychecks out of the public dime for cyber "war" and fail to realize that if you just secure your fucking systems, then cyber "war" is just about impossible.
http://www.auscert.org.au/ and http://www.cert.gov.au/
http://www.auscert.org.au/render.html?cid=2
"Formed in 1993, AusCERT is one of the oldest CERTs in the world and was the first CERT in Australia to operate as the national CERT, which it did until 2010."
As always, governments don't like competition - in this case for security & secrets.
The Singularity is closer than you think
Quant
nothing on the 'news'. maybe it blew away. all this biblical style 'weather' etc.. is unnerving our animals? 2nd band of terroristic atmospheric commotion in as many hours? long day ahead? bunny or jesus? neither will help now? those with genuine hymens will be given (high) priority placement in the chosen ones' departure/reward area. the rest of us unaltered unchosen primates??? excess. like queer cave dwellers. who needs 'em?
as for the royals, chosen ones, weapons peddlers, .5billion remaining pop. georgia stone whack job/exterminators etc..;
disarm (weapons vaccines media emt etc...)
leave. yes, you're right, the glorious 'day of departure' has arrived early, even if it's too late for many of us. go. now. today. goodbye
They already banned squirters and small breasted women, it was only a matter of time before they were going to cover up sensitive holes.
All secrecy is inherently evil! This way stupid aussies will see themselves hacked to bits and pieces by chinese cyber-specops and one day, probably not more than 20 years afar, the big "yellow junk" invasion fleet will arrive at their down under shores to take the mineral resource of the vast, but sparsely populated country.
I am hereby showing you why all secrecy is inherently evil! Did you know the Fukushima disaster was caused by the uncontrolled spread of the zionist-american Stuxnet military worm, which was designed to disable the iranian uranium centrifuges and the russo-iranian reactor at Bushehr by means of cyber-sabotage?
Control of backup systems in the Fukushima-1 reactors was switched over from domestic, but 1980s vintage, Toshiba to Siemens Simatic S7 PLC years ago. These new systems then became infected due to the rampant USB-borne Stuxnet epidemic and did not work properly when needed, after the earthquake impulse started to scram the reactors. The tsunami had little to do with loss of backup cooling, overheating and eventual explosion of those BWR reactor blocks.
BTW, did you know that the particular "Khan P-1" uranium centrifuge set, used to develop and test the Stuxnet e-combat worm, was donated by Col. Gadhafi, when Libya made peace with the NATO a few years ago? The USA then shipped this set, identical to that of Iran, to the secretive zionist A-bomb factory at Dimona. This obsoleted set of pakistani origin was re-assembled with great effort in Dimona, kitted out with iranian-like bootlegged Siemens S7 PLC and then run live to precisely experiment with Stuxnet attack code. That is the reason the jewish cyber-sabotage strike on Iran's atomic industry was so efficient. Now that Stuxnet has done all its duty, this little secret of Col. Gadhafi is no longer a risk to the west, so he can be bombed out of his office at will by NATO warplanes.
On the other hand, the spreading routine of Stuxnet was totally lousy and it spilled over to much of Asia and the Middle East, via USB-bearing travelers, including the permanent loss of India's Hindisat-4B civil telecomms satellite, whose Simatic-based ground controls went belly up from the side-effects of Stuxnet infection. Now it's Japan that is being wrecked by Stuxnetan, which is curious as the jewish and the japanese are the only two nations on Earth who claim to be directly descended from God(s). More like deicide then, compared to Kain and Abel. If so, keep fingers crossed the japs won't decide to finish what the mustached austrian painter started.
No news outlet will report on the above info. Now you understand why cyber-security and anti-malware efforts should never involve any secrecy at all. When secrecy is involved you can be sure they mean cyber-warfare, cyber-espionage and cyber-sabotage, potentially killing many thousands of civilians, as the end of the Fukushima saga will show. Their words speak terror alertness, national security, but they mean carnage, those politicians and the IT-sec people who prostituted themselves for politics! Freedom of speech forever!
Nyah, plbt! Because we inserted those vulnerabilities in the first place.
You'll never find them.
All our passwords are "beer"
Off topic, but can we get a new icon for Australia? How about the coat of arms or the Australian flag? USA gets a flag. EU gets a flag. Australia should get a flag too. Alternatively, since the Australian dollar is worth more than the US dollar at present, perhaps we could just buy Slashdot and run it our way.
Let's just say I know (not well personally, but mix in a crowd) a person who lectures and researches security at a university on the aus west coast.
The guy has secret clearance, all of his net presence locked down, a great understanding of various technical and social engineering attacks. I don't know what he does in Canberra exactly but from all the talk of honeypotting I hear out of context I assume it likely to be AusCert.
We really do have some genius sec people in this country. Heck, they even get paid more than all the TS-SCI plebs in the US that are paid diddly-squat by military contractors. Australia, albeit rather weak on the global stage, is laying solid foundations - just you wait.
"The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public"
What platform do these software holes run on, and what indemnification do the end users get from the manufacturers of the software holes?
"The agency has knowledge of security vulnerabilities that, if publicly disclosed, could grind significant elements of cyber crime to a halt .. the vulnerabilities may be more valuable if they are kept hidden and used as a means to track skittish cyber criminals"
That's the dumbest thing I ever read, as is patently obvious, the crooks are way ahead of the security "professionals".
"If we become aware of control nodes for botnets or those that harvest data that is being ex-filtrated out of a network, we will pass that information on so that it can be blocked at firewalls and organisations can see if they have a compromised machine"
As a security professional, someone should tell Rothery that there are any number of ways to bypass a firewall.
"One of the specific concerns is how a bank may protect or deal with an attack against an air-conditioning system charged with the vital role of keeping a datacentre cool"
Solution: don't connect your air-conditioning system to the Internet .. :)
I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.
Here are some facts on the ground:
1. Yes, the software is out of date, and it is poorly reviewed. The reason is that the market is small, the deployment costs are huge, and it is difficult to differentiate the bad from the worse. The effort required to swap out SCADA or control system software makes similar office operations look trivial.
2. Yes, the flaws are hard to fix. We design these things for safety, and reliability, first. We have an ethical duty to turn the CIA model upside down to become the AIC model. Security is often an afterthought. In any case, most of you probably do not realize that security for an industrial process is very different from security for an office. In an office, if the computer stops, the whole office process stops and that's it. Nothing more happens. In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not. In other words, unlike in an office, the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.
3. Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down, and the new process can be safely validated to prove that it does everything that is expected of it. Getting this much time and attention from people takes significant down time. With the lean operations that most places run, that kind of downtime may not be available for an entire SEASON.
4. Because of this, revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.
5. Due to safety concerns, almost nobody will seriously consider an effort to spray patches to the field. Again, this is not the office. The penalty for getting things wrong could be deadly. Automated patching without careful testing on each stage of the process can be a firing offense in some companies.
I believe that the theory that the Australian CERT is using is that by keeping some flaws quiet, they reduce the chance that others may develop script kiddie development kits. I honestly do not know whether this can work, but I give them credit for trying. It will be interesting to see what metrics they use to prove this effort is effective.
Finally, please stop with the "industrial software is crap" nonsense. We engineers know that all too well; but there are no better alternatives. Would you like to see us go back to the days when everything was run with pneumatic controls or analog computers? I'll bet you wouldn't appreciate the prices you'd pay. If you like electricity and running water, find ways to write better software.
Nearly fifty percent of all graduates come from the bottom half of the class!
This is complete irresponsible nonsense. "... the bait..."? Really?
First of all, this is called honeypotting but without the benefit of actually having complete control over the monitoring, logging and the PCs to be compromised... oh wait... maybe they do. I wonder if the rest of Australia is okay with their government withholding information and using them as "bait" while at the same time not being particularly capable of a wide-spread law enforcement activity?
Someone didn't think this stuff through before they said it.
"All secrecy is inherently evil!" - Anonymous.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
> I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.
What development platform do you use?
> the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.
I don't even understand this bit, or else you're just talking techno waffle, and I've worked in this industry for decades, both hardware and software, if that's supposed to count for anything.
> Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down ..
No one in their right mind "patches" a running system.
> revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.
How do you design it in such a way that it is accessible to "script kiddies"?
fox news, that incenses the poor and middle class to actually fight against their own interests
You don't understand these people.
OK, an analogy of sorts: I don't shoplift. It's against my interest to not shoplift. Why then, do I not shoplift? I have this feeling that taking stuff from other people is wrong. Yes, I know, I'm being stupid and I should just do what is in my best interest. I also get really pissed off when other people shoplift, even if I'm not the shopkeeper and even if I don't see it happen. Perhaps you feel differently?
When the government takes money from other people to supply my healthcare, I get the same feeling. It's like shoplifting. It's in my interest, but it is wrong.
Yeah, we see you as morally corrupt.
What a bunch of lunatics thinking they are so omnipotent in their "secret" knowledge they can outsmart everyone by being so secretive. The only real benefit to this that I can see is that (presuming they are able to be as secretive as they claim, a big if) the obvious inevitable downsides to this strategy will not be obvious to the public because they are secret. Basically, by taking the whole world off their bench and pretending to be able to do the work of the wider public in secret they will inevitably fail in the most embarrassing ways. But if they keep it secret then the embarrassment won't be made public and their public funding can continue. So basically the best approach for them is to do nothing while pretending (secretly!) to be very busy. Then they won't make mistakes because they haven't done any real work. Secrecy for the sake of secrecy! Somehow these machinations remind me of the logic in the novel Catch-22. Glad to hear institutional insanity is alive and well 70 years later.
Stupidity is its own reward.
you should have a $500,000 savings account in case something bad happens. because contributing to a group fund that other people draw out of is communist, right?
that you think financial common sense on the question of the best way to pay for healthcare is morally corrupt shows how propagandized you are
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
you don't have a choice
if you are young and healthy and have no health insurance, but you break your arm, we do not inquire as to your bank account before treating you. we treat you. then, being poor, as most young people are, you avoid the bill, or declare bankruptcy. what a nice society
this is the way it has been for decades: the state and feds constantly reimbursing hospitals for unpaid bills so the hospitals don't go under. in other words, we already have universal healthcare, that you already pay for, in the most idiotic, most expensive way via your taxes. in other words, your position is called FREELOADING: the acknowledgment that you can get injured, but not planning financially for the possibility
the only financial common sense is universal health care insurance. you want a choice? the choice you want is to not be insured, thereby forcing me, the taxpayer, to pay for your care. which is alternatingly hilarious and maddening that you talk about robbery when it is you who is robbing me. so many morons like you argue that universal healthcare rewards freeloaders who don't work. yes, it rewards them: it says you live in a society that will not let you die just because you get injured
meanwhile, you argue for the choice, the "freedom," to freeload. you want the freedom from financial responsibility for when you break your arm
i am really sick of you utterly ignorant propagandized fools
put your money where your mouth is, ignorant free market fundamentalist
you want hospitals to turn away people who can't pay?