.. if it’s available via an unencrypted, unauthenticated portion of a public website?
I don’t really think so.
Slashdot reports:
“According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government’s ‘website firewall security’ for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is ‘akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.’ The matter has been referred to the police, who are now investigating. But how did the paper ‘hack’ the website? They entered the unannounced URL. Security by obscurity at its finest.”
Don’t worry people, @DDrazic, @Gillis57 and @Isidort are on the case. We’re proposing a multi-pronged effort to strengthen the Australian Government’s “website firewall security”, including a second line of defence provided by physically locating SAS troops next to all Government firewalls, IDS and IPS units. These will be further reinforced with Stormtroopers and either a serving of Chuck Norris or perhaps @Isidort himself (who claims he’s quicker, deadlier and prettier – hard to know, I believe).
Tags: australia, funny, government, Internet
Following on from my last post referring to KPMG’s fraud report, PricewaterhouseCoopers also released some fraud survey results, summarised here:
- 40% of Australian organisations surveyed reported at least one incident of fraud compared to the global average of 24%
- 37% of the frauds reported by Australian organisations over the 12-month period cost in excess of AUD$1 million, more than double the global average (17%)
- 52% of the Australian organisations surveyed experienced an increase in the number of incidents compared to the previous 12 months
- 60% of organisations believe they are unlikely to be a target of fraud in the next 12 months
You can read the full article here: http://www.pwc.com.au/media-centre/catch-fraud-early-feb10.htm
Tags: australia, fraud, survey
I’ve had the opportunity to digest a couple of good reads over the past week. First up was Charles Leadbeater’s Cloud Culture: The Future of Global Cultural Relations, and if you’re at all interested in emerging technology and the way it’s impacting (global) society then this is a must read. I really liked the style used and how the 81 pages just flew by (maybe the formatting?). Some interesting pointers that stuck with me (nothing really new, but worth paraphrasing nonetheless):
- The future will be of many clouds. This can only be achieved by embracing an open source approach to technology and information.
- For all the benefits that we’re starting to perceive in this new open communication platform, there are still powers working their tentacles to slow it down, authoritarian governments for example. Thai authorities, for instance, “have used crowdsourcing to uncover the addresses of websites making comments critical of the Royal family...”. To a different degree, perhaps, the same could be said of our own government here in Australia and its unremitting push for Internet filtering.
- “Cloud culture” will enhance the creativity of people, giving them new methods to collaborate, but this can only continue as long as we don’t make it too restrictive to share and work on material.
Of course, this could’ve just been written as the “Internet” culture, but it carries more weight when it focuses on the collaborative nature of how the Internet looks these days.
Secondly, I had a chance to read something a little more local. The team over at KPMG have released their December 2009 Fraud Barometer and, similar to the above, it’s nothing entirely earth-shattering, but sometimes it’s useful to cite local reports when trying to “scare” people about their control environment. And by scare, I mean reinforce your fantastic risk assessments on your projects and other important information assets. I also found it interesting to see the number of frauds committed against Government, considering the amounts defrauded from it don’t appear that large compared to, say, finance or commercial companies.
So the prize for “no-surprise-graph-most-useful-to-reinforce-or-scare” goes to Figure 6, Frauds by perpetrator. In particular, Management sits towards the bottom in the number of frauds, but is responsible for the largest amount of money defrauded. On the opposite side of the table is the massive number of frauds perpetrated by employees and how little they defrauded. This makes sense of course: management have access to more resources and there are fewer of them than normal employees. Pretty anyway.
Enjoy!
Tags: australia, business, cloud, Internet, management, Risk, Security
Today we announced our involvement with the Perth AISA Tech day:
Hi all,
Christian and I will be presenting a workshop on behalf of OWASP at the Perth AISA tech day on Friday the 4th of December.
More information on the tech day (including online registration) can be found here:
http://eventarc.com/view/95/inagrual-aisa-perth-technical-security-day
OWASP members are able to attend our session (and the other sessions) for free. However, if you want free lunch and post-event drinks, you’ll need to be an AISA member.
Hope to see you there.
Regards,
David
I’m really excited to be participating in the workshop and I’m sure that for the price you’re paying ($0) you won’t get better value for a technical, hands-on web-security session. The hardest decision you’ll have to make is whether to attend the OWASP session or the Stratsec session (which focuses on building/designing secure web apps, whilst we’re focusing on assessing them). If only these were back to back as opposed to at the same time! Maybe next time this will be better.
If you have any questions, jump on the Perth OWASP mailing list, shoot me an email or a tweet, or leave a comment.
Tags: australia, education, Internet, owasp, security assessment, web application
I read this article by Andrew over at ozrisk the other week and I’ve been meaning to comment on it but have only gotten around to doing it today. The main concept that Andrew focuses on is quite simple:
“The more regulation you have in a market the more that regulation will favour the big suppliers – i.e. the larger incumbents – over the smaller incumbents, any potential new players, and, crucially, the individual consumers. So the more that you regulate the worse the situation gets for everyone but ‘Big Businesses’.”
Whilst the article focused on the regulatory requirements of Australian financial institutions, after my first read I thought to myself how relevant and aligned these statements were to the information security space as well. This is of course because the relationship is almost one-to-one: a component of having to comply with additional regulations often relates to the protection of your information, and therefore increases the rigour and cost of your security efforts.
Interesting stuff, and I’ll have to endeavour to get my hands on Tim Carney’s “The Big Ripoff”.
Tags: australia, business, finance