A little update

Well, since I started regularly blogging for CSO Australia magazine,
my personal blog hasn't had many updates!

Well a little update:

- I started writing a book on security operations that I hope to
electronically publish via amazon and or apple.

- working as a security architect full time at an institution

- my start ups appsecratings.com and ozsec.net.au are parked pending
some breakthroughs in time management

- doing a little work with Enex TestLab when I should be sleeping,
eating mostly with state and federal government

Infosec bucket list

Just once I'd like to hear with my own ears see with my own eyes the
following then I'll die a happy "security purist":

-A CISO who is more than a sacrificial lamb. To qualify their tenure
must be of a serious duration and have survived a major security
incident or made quantifiable material risk reduction.

-An executive who thinks strategically about IT risk and doesn't "knee
jerk" after an incident or do the minimum to "cover their proverbial"

- a security solution that is well maintained and configure in line
with it's documented and approved configuration

- a project manager who will delay a milestone to ensure that a
security governance requirement is adequately met.

What things would you like to tick off on your infosec bucket list?

Dear Telstra your mobile data performance is rubbish

Hi Telstra,

Since you won't accept an email I have created this blog post to submit this link via your web form on your website.

The mobile data tower in the Melbourne CBD is intermittent in its performance, I sometimes experience garbled voice calls and often have no mobile data coverage.

Please find attached evidence of GPS location and network performance. I get exponentially better performance at my home, results not included below for privacy purposes.

Date ConnType Lat Lon Download Upload Latency ServerName InternalIp ExternalIp

8/02/2012 15:03 Cell -37.816157 144.957394 402 884 180 Melbourne 10.240.189.66 58.163.175.185

8/02/2012 14:44 Cell -37.815999 144.952952 1608 957 82 Melbourne 10.240.189.66 58.163.175.174

8/02/2012 14:31 Cell -37.816224 144.958403 583 801 228 Melbourne 10.240.189.66 58.163.175.185

13/12/2011 13:02 Cell -37.816224 144.961198 4797 237 207 Melbourne 10.174.91.179 192.148.117.92

25/11/2011 13:56 Cell -37.81611 144.959405 844 999 105 Melbourne 10.190.41.87 192.148.117.99

24/11/2011 11:16 Cell -37.816381 144.958401 407 106 118 Melbourne 10.207.242.119 58.163.175.181

22/11/2011 14:11 Cell -37.816366 144.959105 170 54 163 Melbourne 10.174.63.124 192.148.117.95

1/08/2011 12:55 Cell -37.817752 144.957122 235 2 187 Melbourne 10.219.57.84 192.148.117.109

AISA Revolution!

Well it's been a couple of weeks since the AISA annual conference in Sydney and I've just about caught up from the day off!

I just really wanted to post an account of the conference as it truly was a red letter day for the Australian Information Security Association.

I've been to a few annual seminar days held in Sydney usually hosted at one of the bank's and spoken at one in Melbourne (as one of my last duties as outgoing branch executive) and this was the best!

Let's just go through some key points why it was so awesome:

- Sydney conference center

- delegates from Melbourne, Sydney and Brisbane.

- 650 plus people registered (and it looked like they all turned up)

- 30 plus exhibitors

- two international speakers (Bruce Schneier and Marcus Ranum)

- CIO of one of the largest banks in Australia speaking

- CSO of Cisco speaking

- FREE yes FREE to AISA Members (membership is $55 per year)

I put a few faces to names at the coffee cart by suggesting a tweet up. I quickly realised how tall @caseyjohnellis is in real life and what a cool accent @VS_ has.

I ran into Marcus Ranum at the coffee cart line and Bruce Schneier on the floor. I have to admit to being a little star struck!

I really enjoyed the presentation from John N Stewart Cisco's CSO. I really thought it was a useful presentation with lessons learnt. I was really dreading this one as, I thought it would be very "producty" where it was actually the most pragmatic of the day!

Marcus Ranum's presentation went right off on a tangent! The less free thinking in the audience probably were all like "What is this guy on about? Is he trying to encourage us to start a revolution and commit criminal damage and computer crime?". I really took his presentation as a challenge to us security professionals to think like a "misguided hacktivist" and consider how our organisations could be "pranked" and subjected to "economic denial of service" by protestors motivated by an organisational policy they dis-agree with.

AISA really is kicking a few goals at the moment in my humble opinion some examples below:

-new website (finally)

-ongoing focus group meetings http://www.aisa.org.au/for-members/focus-groups/ so you can talk to other security professionals in your area of expertise

- 1600 members

- AISA is providing submissions to the Australian Government on their "Cyber Whitepaper" on behalf of Australian information security professionals

- AISA is policing members for non-compliance with the code of conduct.

It's been a while

Well here's a little update from me:

- I have written a product review which was printed and a few online
articles for IDG's publication CSO magazine. I'm now a regular blogger
on that site too. Do I qualify for a press pass? Hmm all readers
please report in on events I can "cover" especially those with
delicious snacks :) CSO seems to be taking off, much more so than my
little venture http://www.ozsec.net.au

- I've been thinking a bit about creating an open source security
operations maturity framework project inspired by OWASP OPENSAMM
project. Just need to find an organisation to help me champion it.
Something like this would really help to illustrate where on the
security journey an organisation is and where they would like to go. I
have thought of ISC2, AISA and the ISF but maybe it is SANS?

- my little business is developing, I've delivered a few successful
engagements and now I even have a glossy brochure.

There's nothing new under the sun....some nostalgia from matt

Back in the day my mother was a sysop of a CDC PLATO system...in 1973 it had all on old school green screen/orange plasma:

touch screen

instant messaging

chat room

screen sharing

bulletin board/news groups

flight simulator

3D multi-player games

and..... wait for it...

freecell

I used to dial up to it at the university on a 300baud modem and play games with uni students.  They would make jokes that would go way over my head, I must have been like like eight years of age or so!

http://en.wikipedia.org/wiki/PLATO_system 

         

• Plasma display, circa 1964, by Donald Bitzer for PLATO IV
• Touchscreen, circa 1964, by Donald Bitzer for PLATO IV
• Answer Judging Machinery, ?date?, a set of about 25 commands in TUTOR that made it easy to test a student's understanding of a complex concept.
• Show Display Mode, 1975, a graphics application generator for TUTOR software, precursor to Apple's QuickDraw picture language editor.
• Charset Editor, an early precursor to MacPaint for drawing bitmapped pictures stored in downloadable fonts.
• Monitor Mode on PLATO, 1974, used by instructors to help students, precursor of Timbuktu screen-sharing software.
• Pad and a few months later, system-defined Notesfiles, 1973, the first general-purpose computer message board, and precursor to Unix Newsgroups, Digital DECnotes and Lotus Notes.
• Talkomatic, 1974, a 6-person real-time chat room (text-based), precursor to Instant Messaging Conferences.
• Term-Talk, 1973, precursor to instant messaging.
• Gooch Synthetic Woodwind, circa 1972, A music device for the terminal, precursor to sound cards and MIDI.
• Airfight, 1974, a 3-D flight simulator written for PLATO by Brand Fortner; this probably inspired UIUC student Bruce Artwick to start subLOGIC which was acquired and later became Microsoft Flight Simulator.
• Empire, circa 1974, a 30 person multi-player inter-terminal 2-D real-time space simulation.
• Spasim, circa 1974, a 32-player first-person 3D space battle game
• Pedit5, circa 1974, likely the first graphical dungeon computer game.
• dnd, 1974–1975, a dungeon crawl game that included the first video game boss.
• Panther, circa 1975 by John Haefeli, a 3-D tank simulation and forerunner of Atari's Battlezone game.
• Build-Up, 1975 by Bruce Wallace, based on a story by J. G. Ballard, the first PLATO 3-D walkthru maze game. The maze itself was also 3-D, having holes in the floor and ceiling.
• Think15, circa 1977, 2-D outdoor wilderness quest simulation, like Trek with monsters, trees, treasures.
• Avatar, circa 1978, a 2.5-D graphical Multi-User Dungeon (MUD), a precursor to EverQuest.
• Freecell, 1979 by Paul Alfille, which probably spawned the Windows version.
• Mahjong solitaire, 1981 by Brodie Lockard, popularised in 1986 by Activision as Shanghai.
• Emoticons, by 1973

Privacy - if you're not paranoid you're not paying attention!

Security & Privacy are two very separate almost opposing disciplines. Some of my colleagues are very privacy aware. I really haven't paid enough attention to privacy and am having a bit of an awakening at the moment and thinking more about it.

There are some major challenges with preserving privacy. If governments allow privacy for all, then criminals will have the ability to plan and commit crimes undetected by law enforcement. Does it all come down to judicial oversight?

I welcome your comments to enlighten me of significant incidents and issues that impact on an individuals right to privacy.

Some examples include:

Printer manufacturers embedding codes into printed materials - perhaps this was done to satisfy legislators worried about forgery of currency. A better solution is to prevent printers from copying currency by embedding a code into the currency

RFID chips in passports - These chips can be read at very long distances. Chris Paget illustrates
He got a read from 66m with easily accessible hardware.

Apple recording GPS location history in Iphone - so a large company is recording history of your GPS location by default on a fairly insecure platform that can easily be hacked.

Google recording location of Wireless Access Points, wireless clients via Street View Cars - At one stage Google could be queried for the MAC address of your mobile phone and if a street view car had picked it up its location could be identified (perhaps your home or work address).

If five years ago I would have warned of giant corporations and government tracking your location with hidden codes and chips in documents and wireless signals people would have called me a paranoid schizophrenic!