So am I more secure now that I use a Mac without antivirus software than in my former life under a Windows machine with it?

The debate over Mac security compared with Windows is a long-running one. Apple considers Mac OS X so safe that late last year it removed a page on its site which Washington Post security blogger Brian Krebs had found.

Apple encouraged the "widespread use of multiple antivirus utilities" back then. Click it today, and you get the message as seen in the image below.

(Screenshot by Liam Tung/ZDNet.com.au)

Apple's reason for taking down the old message?

"It was old and inaccurate," Apple told Krebs. "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box." It did concede that OS X wasn't bulletproof; antivirus (AV) "may offer additional protection," it said.

But how is that different to Windows Vista?

Since removing the article, Apple hasn't published a position on the issue, but Mac users on its support forum have closed the case on the matter: AV is unnecessary.

It's not surprising Apple would focus on its built-in technologies, especially when security researchers have begun paying more attention to them. Apple's growing user-base is still seen as a likely trigger for malware writers to start devising nasty payloads. Dino A. Dai Zovi, a buddy of Charlie Miller — the "prize" hacker who recently pwned a MacBook in 10 seconds — recently released his research on the subject.

Zovi's assessment was that while threats and the likelihood of attack are currently low for OS X, vulnerability is high. The chink in Leopard's armour is how it handles memory corruptions, such as a buffer overrun — a flaw that can be triggered by an attacker, which causes data to be stored beyond the boundaries of a "buffer". When that extra data is overwritten to a nearby memory location the process could crash, or allow malicious code to run.

One solution to this problem is known as address space layout randomisation (ASLR), which, according to Wikipedia, involves randomly re-arranging the positions of key data areas.

Microsoft took the lead, at least on ASLR, from the OS X cousin OpenBSD in this respect, announcing its use in the beta version of Vista in 2006.

Since then IBM security researcher Mark Dowd has tested Microsoft's implementation of defences against this type of attack in Windows Vista, looking at how Adobe Flash bugs could be used to beat them.

So am I more secure now that I use a Mac without antivirus software than in my former life under a Windows machine with it?

These defences don't stop, but reduce the likelihood of an exploit working. Dowd's work attempted to increase the likelihood of them working.

Today, OS X has fallen behind on several fronts, compared to Linux and Vista, says Zovi, whose research paper can be found here. His conclusion: "Mac OS X is significantly lacking in memory corruption defence features compared to other current operating systems like Windows Vista and Linux: ASLR, Non-eXecutable memory, stack and heap memory protections."

His proof? The CanSecWest hacking competition. Charlie Miller pointed out last week to Zero Day's Ryan Narraine about his latest exploit: "With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomisation. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have."

It's interesting to see Microsoft has leapfrogged Apple on some very important counts (probably out of necessity), and that OS X could be hacked so quickly. But does any of this really matter to the user? Well, I think I'll just relish in my AV-less state for now, and enjoy the fact there aren't an army of Charlie Millers across the globe each with a $10,000 incentive to find more holes and devise payloads.

Comments (29) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Microsoft pulls Mac security update
• Trojan spells new era for Apple Mac security
• Apple removes Mac antivirus warning

Facebook's decision to pull the groups on Wednesday couldn't have been more perfectly timed: as its CEO Mark Zuckerberg attempted to convince his users that they really do own the content they publish on Facebook, locally it was commandeering "user's content" because Facebook decided those groups had breached its terms of use.

In other words, Facebook's lawyers thought it was not subject to the court order; it was just following its own rules.

The decision to take down the groups came after the Victorian Police told the media that it feared the Facebook groups could threaten the Department of Public Prosecution's case against Sokaluk.

Facebook responded quickly, but told media it did so because the groups had breached its terms of use. "We will remove groups reported to us that are found to express hatred or threaten violence towards people," spokespeople said.

In other words, Facebook's lawyers thought it was not subject to the court order; it was just following its own rules. At least that's how criminal lawyer David Galbally QC, who was interviewed on Sunrise yesterday, interpreted Facebook's comments.

"Facebook say they're not responsible. But that's wrong and nonsense. They're displaying it in a jurisdiction that breaches an order," Galbally said.

"We need to have a law that makes the website provider responsible for what it is that's being displayed on the internet, particularly in circumstances that breaches or tends to breach a court order," he added.

But if that's what should happen, it's certainly not what has happened in the past.

A lawyer friend of mine reckoned there are three analogous scenarios: eBay being used to sell counterfeit software; the court order preventing Channel 9 from airing the first series of Underbelly in Victoria being undermined by YouTube; and the case being brought by the Australian Federation Against Copyright Theft (AFACT) against ISP iiNet.

eBay typically handles the issue of counterfeit sales in its terms and conditions, my friend said. A good example is Microsoft's recent legal action, which was directed at the sellers and not eBay.

The Underbelly court order is much closer to the issue of whether Facebook is responsible. Although no individuals were charged with contempt of court, David Vaile, University of NSW Cyberspace Law and Policy Centre executive director told News.com.au at the time those who uploaded the series could face copyright and contempt of court charges, rather than YouTube or BitTorrent.

The AFACT versus iiNET case is more tangential than the first two, but that shows some of the difficulties in holding a service provider responsible for its users' actions.

Galbally is the only person I've heard say that Facebook should be responsible for obeying the court order. If he's right, we might see Facebook place an advertisement on its network asking: "Wanna make $150 a day for sitting at your desk and reading? Click here to apply."

Comments (6) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• MySpace, Facebook block arsonist info
• Google map tracks deadly bushfires in Victoria
• Just what is behind the iiNet case?

It is our opinion that the majority of security threats faced by Australian companies come from employee's who are dissatisfied or at risk of redundancy

ESD Australia's Les Goldsmith

Thanks to the financial and economic crisis, which McAfee's CEO Dave DeWalt at the World Economic Forum in Davos last week twisted into the "global meltdown in vital information", the security industry has found its new public enemy number one: not clumsy insiders who accidentally leak information, but fearful insiders who suspect they're about to become outsiders.

"The current economic crisis is poised to create a global meltdown in vital information. Increased pressures on firms to reduce spending and cut staffing have led to more porous defences and increased opportunity for crime," said DeWalt.

DeWalt based his comments on research that found US$4.6 billion worth of intellectual property was stolen last year across several countries. McAfee extrapolated it to US$1 trillion for the globe — a figure which will probably have to be trimmed in today's finance-constrained world.

But DeWalt's argument was compelling — superficially at least. Locally, people have been angered by how retrenchments have been conducted — coldly — and revenge of a similar ilk would surely be on the minds of some. Just take a look at the feedback on the story about Dimension Data's recent layoffs.

Les Goldsmith, a veteran of technical surveillance counter-measure services and MD of ESD Australia, contacted me with a similar argument to DeWalts'.

"It is our opinion that the majority of security threats faced by Australian companies come from employee's who are dissatisfied or at risk of redundancy," said Goldsmith.

The current economic climate meant that staff would be aware of the threat of being laid off, leaving a company's intellectual property at a greater risk of theft, he said.

To an extent I agree with Goldsmith, but how different would that be to a climate in which poaching staff was the norm? Say, like last year.

I also had a chat with Rob McAdam, managing director of penetration testing firm, Pure Hacking, a company that often does forensics after a data theft has occurred. He made two points. First, companies that let their staff know its systems are being monitored reduce the risk of a theft occurring. Staff weigh up the risks, he said.

The second is more telling though of the risk of IP theft, specifically. "All the jobs we've been called in for have been around credit card data," he said. "It's been more about how can I make a quick return and that takes a while on IP, but for credit card information it's fairly immediate."

So is your IP under threat? Probably, just like it was last year, but it's the day-to-day low-hanging, easily liquefied fruit that's still likely to be at the greatest risk.

Comments (2) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Aussie ICT layoffs: the scorecard
• Oakton joins layoff list
• Layoffs hit UXC
• EMC layoffs to cut deeper than forecast

As Microsoft Australia's strategic security advisor Stuart Strathdee said: "We pulled all the stops to get this patch out". The "out of band" patch released by Microsoft at 5am Sydney-time yesterday was an unusual event indeed, according to Strathdee. The company usually patches monthly.

We pulled all the stops to get this patch out

Microsoft's Stuart Strathdee

"Out of band updates are a fairly rare occurrence. We did have one earlier this year. Without access to exact numbers, I think we only do one or two a year," Strathdee told ZDNet.com.au.

In October this year, Microsoft was forced to release a patch for its Windows Server software outside the monthly Tuesday patch cycle. Microsoft considered a flaw in its Windows Server 2000, Windows XP, and Windows Server 2003 software critical enough to do what it did yesterday at 5am.

The patch released yesterday was rushed through within eight days of the zero day's discovery — a feat which Australia's Computer Emergency Response Team's (AusCERT) general manager Graham Ingram earlier this week said would be "Herculean"; even without the eight-day turn-around time that Microsoft has achieved.

"I would not like to be working for Microsoft at this point in time," he told ZDNet.com.au at the time.

According to Strathdee, it wasn't such a pleasant time. After Microsoft completed its risk assessment on the threat, he said, "We decided it was something that we had to go 24/7 on."

"From the development team's [perspective], even though [they] have the core code for IE, going through all those permutations of different combinations of service packs and operating systems obviously opens up the matrix of testing," he said. "It was a big task."

Meanwhile, AusCERT, which knew that it might cop flack — not just from Microsoft but large corporations that have locked-down computers — had cautiously advised organisations to "consider" using alternative browsers until a patch was released.

Strathdee said this advice was "drastic". "Particularly in this instance, the risk to Australian users has been so minimal, that recommending alternate browsers — that really is a very drastic recommendation," he said.

And Strathdee's following comment can't be denied by other browser makers, such as Google, Apple, Opera and Mozilla.

"The other side of that is that if you are going to switch to an alternate browser, you need to consider the vulnerabilities that those browsers have in terms of exposure," he said.

The code is as good as we can make it based on the urgency that we had here

Microsoft's Stuart Strathdee

All have experienced serious flaws of some nature over the past year and all are under attack. On the other hand, none besides Firefox — and only at a consumer level — are anywhere near as widely used as Internet Explorer. The question is, which browser is next in line? On the advice of some fairly reliable sources, the answer is likely Firefox.

But in Microsoft's defence, Strathdee said: "We're not trying to back away from the fact this was a serious issue. That's why we've pulled out all the stops."

Despite the rushed nature of the patch issued yesterday, Strathdee said it was "quality". "Even though we've rushed it, we've done a lot to ensure that it is a quality update and the code is as good as we can make it based on the urgency that we had here," he said.

Microsoft typically tests its patches against application environments of between 250 to 300 organisations besides itself, according to the executive.

Despite the panic and hype caused by this zero-day flaw, Strathdee said it wasn't time for organisations that only supported Internet Explorer to start supporting other browsers.

Comments (11) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• MS patches zero-day IE flaw
• Avoid using IE if possible: AusCERT
• IE7 under attack from 'accidental' zero-day exploit
• Why CIOs aren't nuts for Chrome

I had a funny discussion yesterday with AusCERT's general manager Graham Ingram.

He was being coy about the advice they'd given — "consider using another browser until a patch has been issued" — which, from a home user's perspective seemed pretty sensible but for a major corporation might be impractical or simply impossible.

Every version of IE is exposed, and as Stephan Chenette, manager of Websense's US research division told ZDNet.com.au last week when it thought only IE7 was affected, this flaw is "critical" because it can be exploited with virtually no user interaction — the victim need only navigate to a website that has been armed with the exploit code.

Highlighting just how critical this flaw is, Microsoft last night announced it would issue an "out of band" patch tomorrow — a rare event which, according to AusCERT's Ingram, would have been a "Herculean" feat even for Microsoft.

As I was editing this blog one last time before pushing it live, Microsoft Australia sent an email to ZDNet.com.au advising that the patch will be ready by 5am tomorrow, 18 December. In fact, it's so spooked by this it's hosting a special webcast tomorrow at 8am for Australian eastern states.

Although zero days like this don't happen every day, we can be fairly sure it is only a matter of when, not if, there will be another. So a quick fix would be to immediately switch to an alternative browser such as Firefox, Opera, Chrome or Safari. If you like IE come back to it when Microsoft has released a patch.

But it's a different game for high security organisations like government agencies, banks etc. which in many cases "lock down" computers, usually with some cocktail of Microsoft software and inevitably IE in the mix.

So I was thinking then, why not, for the locked down environment, support two browsers? Stupid idea? Maybe.

IBRS security analyst James Turner thought supporting two browsers was silly and costly. He suggested "organisations question whether everyone actually needs web access".

AusCERT's Ingram agreed that if concern over this flaw was great enough, organisations should simply kill browsing altogether. But can you imagine seven whole tubeless days?

So how important is the web for business? I would say it's pretty darn vital as the majority of workers legitimately access the web to help them do their jobs. Even classically non-work services like YouTube or Twitter have become useful tools in some industries.

So how are you dealing with this issue? Do you support more than one browser? Does everyone in your organisation need internet access? Will you be patching tomorrow?

Comments (7) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Zero-day exploit endangers all IE versions
• IE7 under attack from 'accidental' zero-day exploit
• Sun's Solaris 10 at risk of zero-day exploit
• Another Word zero-day bug used in attacks

Agent 86: "Sorry about that, Chief"
(Credit: Australian Labor Party)

As Kevin Rudd (Agent 86) delivered his first National Security Strategy speech about "cyber war" and the threat that KAOS posed to the nation's computer-dependent infrastructure, the $10.4 billion fiscal stimulus that was designed to lubricate the economy knocked out the biggest system that would deliver it — CommBank's NetBank.

Agent 86 would have pulled off his shoe, dialled Ralph Norris and said: "Sorry about that, Chief".

But no, our Agent 86 didn't say that. He was busy in Canberra saying this:

"It is increasingly evident that the sophistication of our modern community is a source of vulnerability in itself... We are highly dependent on computer and information technology to drive critical industries such as aviation; electricity and water supply; banking and finance; and telecommunications networks."

"This dependency on information technology makes us potentially vulnerable to cyber attacks that may disrupt the information that increasingly lubricates our economy and system of government. A number of actors may carry out such attacks ranging from hackers, to commercial entities and foreign states."

After conducting a root cause analysis of the situation, I found that our Agent 86 had forgotten one potentially massive, although unintentional, agent of KAOS: himself.

His $10.4 billion package wasn't an attack, but it was definitely an assault on the information systems "that increasingly lubricate our economy".

NetBank, according to CommBank's CIO, Michael Harte, is the largest transactional website in the southern hemisphere, pumping out one million of the suckers a day. Apparently you can't just inject $10 billion with the click of a button.

As Harte explained, a demand shock can knock out the bank's online systems. Fortunately for our Agent 86, preparation for the expected 300 per cent increase in demand on its systems occurred before the money had hit accounts.

But Harte said something more, suggesting the government was caught off guard (which was unfortunately cut from my original tale): the banks didn't have enough $100 notes to deliver $10 billion to recipients. The Reserve Bank was forced into printing money so that banks could distribute the funds.

Well, it's Tuesday now and so far, in terms of the systems dispensing the money, nothing has gone wrong. Now it's a matter of waiting to see if people will spend it on pokies or Christmas presents.

Agent 86 would have pulled off his shoe, dialled Ralph Norris and said: "Sorry about that, Chief".

As Agent 86 would say of the systems, "Missed it by that much" — a quip I'm sure Rudd would love to say of a recession.

But here's a suggestion for the next Cyber Storm exercise. The banking system was tested during that multinational exercise. Incident response teams were faced with keyloggers which resulted in people being unable to access their accounts online. Steven Stroud, head of Australia's Cyber Storm effort and director of e-security exercises at the Attorney General's Department noted that they addressed symptoms — they reset passwords — but forgot to address the source — removing keyloggers.

But perhaps, a more important issue for our nation's leaders to think of when talking about cyber-stuff, in light of this economic crisis, was Stroud's other criticism. "They're only talking about what they know about. They're only talking about what they can deal with, or deal with shortly. They are not projecting out how bad can this be... That doesn't happen," said Stroud.

The projection problem is really a human flaw that none of us can escape. But while there's nothing wrong with testing various systems' resilience against "hackers, commercial entities and foreign states", a little peek at the Australian GDP's year long nose-dive could have flagged that something big — something that might strain critical infrastructure — was on its way well before the Lehman Brothers collapse in August.

Comments (11) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Australia crumbles under Cyber Storm attack
• Australia attacked: What happened at Cyber Storm II
• Hacker threat: Rudd promises action
• Rudd's $10bn gives NetBank heebie-jeebies

"We're processing gigabytes of malware daily," says Alex Eckelberry, Sunbelt Software. (Source: Sunbelt Software)

The question came up during a discussion I had at the Ruxcon security conference at the University of Technology Sydney last weekend. I was chatting to independent security researcher Nishad Herath about Morro and why Microsoft decided to give the software away for free.

Herath reckoned at least one driver for Microsoft was that some "security conscious" organisations — law enforcement agencies etc — were increasingly turning to Mac OS X because managing malware was easier on a Mac than on Windows.

With Morro, Microsoft would level the playing field with Apple when it competed for this type of business, Herath hypothesised.

"I did a bit of research into this," said Herath. "I found that because of the high volume of malware directed to Windows environments [in general] and the significantly lower stream of malware targeted to OS X, they [OS X administrators] had an easier time detecting malware."

At least some administrators would rather deal with targeted attacks than the possibly millions of accidental pieces of malware that might affect what are likely to be a pre-Vista Windows systems.

Cisco's chief security officer, John Stewart, raised a similar question about antivirus at this year's AusCERT conference. Stewart wondered why businesses were spending money on antivirus when they were still clearly spending money remediating malware-affected systems. He called the "cost equation an entire waste of money".

But these are strange times in computer security. Administrators know phishing and browser-related attacks can work against users from both camps; so it's not as if by deploying Mac OS X, users are immune to all threats.

But if part of your job is to prevent malware, you can't escape the fact that PC-targeted malware has exploded while predictions of the same fate for Macs have not materialised.

And if antivirus is your answer to malware, what about flaws affecting antivirus software? Is there any product that hasn't suffered an exploitable flaw? Norton? McAfee? Trend Micro? ClamAV? Kaspersky? Here's a link to a search on our record of AV software where flaws have been discovered.

As Herath pointed out, "introducing any additional code in to the system increases your attack surface".

Meanwhile, antivirus vendors such as McAfee have all but admitted that they can't keep up with the volume of malware being generated for PCs. Malware has also put Symantec under pressure to create less intrusive security software.

While some elements of a security package are worth the cost, the commoditised component of it, the bit that Microsoft has promised to give away in Morro, is clearly not. Morro is the nail in the coffin for this cash cow.

Comments (22) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Why popular antivirus apps 'do not work'
• CTO of antivirus firm prefers Mac, Unix
• Microsoft's AV success may lead to PR disaster?
• The 'secret': Banks are freaked out by security

I could see tax commissioner Michael D'Ascenzo wipe a bead of sweat from his brow and sigh with relief when he was told the CD only affected 3,000 people and not 25 million like in the case of its UK counterpart Her Majesty's Revenue & Customs's (HMRC) missing CDs.

In the absence of data breach disclosure laws, it was commendable of D'Ascenzo to disclose the loss, but I find it surprising the ATO isn't already encrypting files on CDs it sends out into the wild.

As security consultant, Chris Gatford, from penetration testing firm Pure Hacking told me, placing files in an encrypted Zip folder ain't "rocket science"; you just need good key management practices.

The ATO reckons the lost CD is a "low risk", because for theft (ID or financial) to occur, a person would need access not just to the individual's name, address, and tax file number — the details contained on the CD — but all their account information too.

Still, the last time I spoke to the ATO's CIO Bill Gibson, he was spooked by the HMRC data breach. That incident and another CD lost by the ATO had prompted it to conduct a 72-page review of its handling of information, which was done by PriceWaterhouseCoopers (PWC).

The ATO paid a wad of taxpayer's money for PWC to conduct that review, called "Australian Taxation Office: Information Security Practices Review" (PDF), but following this incident it wants to conduct another review of its handling of information.

My message to Michael D'Ascenzo: scroll down to page 23 under the heading "Information leakage — Potential hot spots". You don't need to conduct another review. Here's what it said back in April:

"Information [at the ATO] exchanged without a consistently applied security mechanism to guard against unauthorised disclosure or loss, including: international transfer of classified information using relatively low grade encryption; unencrypted files, or non password-protected files, transferred on physical media such as CD-ROM or electronically via email."

Comments (2) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• ATO admits staff have lost data, sent porn e-mails
• ATO avoids open source due to security concerns
• ATO downtime thwarts weekend tax enthusiasts
• Bogus tax e-mail provokes warning from ATO

Apparently the people that influence Australia's privacy laws do, which is why the government has given itself four years, or until 2012, to start reviewing the Australian Law Reform Commission's recommendation to include "mandatory" data breach notification measures in Australia's Privacy Act.

In the meantime Australians will have to settle for softer initiatives, like the Office of the Privacy Commissioner's (OPC) Privacy Awareness Week, which recognises "good" privacy practices by organisations, but doesn't ferret out bad security and privacy practices.

In this state of affairs, if Australian Customs were to suffer a breach where people disguised as EDS staff stole two mainframes from its high security centre, which also contained sensitive details about you, Customs won't tell you.

Until 2012 we can celebrate privacy while the US clocks up another two billion data breach notifications — the number of notices issued to its citizens since 2002, Microsoft's chief privacy officer Peter Cullen tells me.

The first areas of the Privacy Act the government has promised to tackle are health information and privacy, which is sensible since health costs impact the public purse more than anyone's right to know when your personal information is exposed.

Data security and its relationship to privacy has been put on the back burner due to one fact: no one, not the ALRC, not politicians, not the Privacy Commissioner, and especially not the public, have the foggiest idea about the extent to which data breaches have affected Australians.

We could be lucky, or perhaps have supreme intellects, which has helped Australia avoid HMRC-style mass breaches that exposed 25 million UK citizens' personal records. The Australian Taxation Office at least recognised the reality of the risk. The HMRC breach inspired a security review that found overall good practices, but significant security holes which could result in a data breach.

This was quite rare indeed. According to a recent survey by analyst firm Intelligent Business Research Services of 99 local IT managers — half came from organisations with more than 1,000 staff — many organisations could haemorrhage data without realising it, just like TJX. Asked "How would you know if an unauthorised person were to access sensitive data?", 45 per cent agreed "It's possible we would not know if this occurred".

So that's the situation. The politicians don't know, organisations that hold your information don't know and the pubic doesn't know. If ignorance is bliss, then who the bloody hell am I to question Australia as being the lucky country?

She will, as we say, be right.

Comments (7) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Google defends privacy credentials
• Microsoft slams Google on privacy
• Why I hate the Privacy Commissioner's office

The great success of the ISP filtering trial was that current technologies impose far less interference on an ISP's network than similar tests done five years ago.

Improvements like this give the impression that yes, the government has its collective head around the challenge of making the internet a safe place.

But after an interesting chat with Internode's core networks and infrastructure group team leader Mark Newton, I came to the conclusion that any concerns about network degradation are peanuts compared to security worries around what could happen if the technology is implemented — in particular to the protocol used to conduct secure Web sessions with your bank or the tax office — HTTPS.

Newton raised an interesting idea: for an ISP to filter HTTPS sessions it would have to engage in a Man in the Middle attack, where the attacker intercepts and changes information being transmitted between two parties.

One of the key attributes the government was looking for in the tested filtering technologies was the ability to analyse content for smut so that it can accurately filter information rather than just block a bad source. While the filters were unable to analyse content over peer-to-peer networks, all the products were able to analyse Web protocols HTTP and HTTPS. (See table)

So what happens when granular filtering is applied to your transactions with a bank or the tax man?

Normally HTTPS means that data streams pass unfettered between your computer and the bank's servers, but ISP filtering would see that data unencrypted at the ISP, inspected, re-encrypted and then forwarded on to you and the bank.

Now, I don't use Dodo, Exetel or TPG, but these ISPs don't seem to be able to afford call centre staff, so can we rely on these ISPs to implement whatever technology the government approves?

And if the filtering products run on Windows operating systems, what happens if and when those systems become infected with a trojan or virus that siphon information to cybercrims?

Let's hope we find out a little more about the security and privacy implications in the "live" trials the government plans to run in the coming months.

Comments (19) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• BitTorrent hole in ISP filter tests
• UK ISPs lockstep on P2P
• EU vote forces ISPs to disconnect pirates
• ISPs: Govt porn filters 'could cripple internet'

For years, free antivirus software from AVG or Avast has been top choice for those who don't like paying for protection. But their edge over paid-for equivalents is being gnawed away in Australia — not by direct competitors but by banks.

NAB, Commonwealth Bank and St George have offered their customers 25 to 50 per cent discounts on various security products for some months now. But Westpac recently upped the ante by offering its customers several PC Tools products — antivirus, browser privacy protection, and firewall — absolutely free for 12 months.

Westpac's offer throws a spanner in the works, not just for AVG, but for Symantec, McAfee and Harvey Norman. Why? It now makes more sense to join a bank, if only for a year, to get the best price for PC security products compared to any other source.

Take Symantec's current pricing for the Norton range. Symantec charges AU$130 for Norton 360 version 2, AU$49 for its Norton AV 2008, and AU$99 for Norton Internet Security 2008 for three users per year.

Standard charges for maintaining a bank account meanwhile sit around AU$5 per month or AU$60 per year. So instead of activating the security software that comes pre-installed on your new laptop, simply open an account with Westpac — even if you don't actually use the account, you'll still be better off than spending up at Harvey Norman!

It's an interesting change for banking consumers also. This could be the first time in a decade that consumers financially gain from paying what are seemingly pointless monthly fees to a bank.

Oh, how good it is to be a customer in Australia.

Comments (5) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• The 'secret': Banks are freaked out by security
• Web banking: It's time to write down your password
• Banks are confusing consumers on PC security
• CommBank dives into $580m banking IT revamp

Outsourcing can be a useful tool for government agencies to increase staffing levels without making the same HR commitment that applies to public sector employees.

That's exactly the path the Department of Immigration and Citizenship (DIAC) has followed in order to progress its AU$496 million Systems for People IT refresh.

According to Mark Handley, DIAC's director of protective security, the agency has been issuing a phenomenal number of security clearances since 2004. Pre-2004 it issued around 800 clearances per year, but since then, its annual issuance rate has consistently reached 2,500 per year — a figure driven largely by the Systems for People overhaul, which kicked-off in June 2006.

By the end of this year DIAC will have issued security clearances to over 12,500 contractors in four years — meanwhile DIAC only maintains a 7,000 strong permanent staff level.

These figures have led to what Handley calls a high "churn" of staff, meaning that thousands are being pumped through its operations each year. However, DIAC made a decision in 2004 to outsource all but its highest priority security clearances to a panel of selectors from an external company, and also to allow long-term contractors to issue security clearances for those staff they select for work at DIAC.

"We share much of the responsibility for security with our contracted service providers," said Handley. "For example, our larger providers may develop their own security policy — based on our interpretation of the [government] Protective Security Manual, of course... We have agreements with some companies that they will actually manage the security clearance process."

It sounds like an efficient solution — DIAC pays the panel AU$1 million a year to do a job that its own team of 10 clearance officers could not possibly do. But what has occurred since it made its decision in 2004 is that 90 per cent of DIAC's security clearances are issued by an organisation other than DIAC itself.

Now it is possible that this practice is entirely safe. According to Handley, the invisible hand of commercial incentives makes the system work. "Commercial companies are more accountable for their performance than government agencies because let's face it, your current and future business with government agencies depends on your performance in the security field," he said.

And the Australian National Audits Office in a recent audit of four government agencies' handling of security clearances for staff did not find any major problems with the way DIAC issues security clearances.

However, can the "laissez-faire" system of trust really stand up to other incentives that commercial outfits face, like making money where money is available? For example, let's say a service provider faces a tight labour market, but needs to quickly bring in more skills to meet a tight deadline. Is there no risk that the commercial outfit could cut corners on the clearance process?

Perhaps decision-makers in Canberra are so closely tied to their suppliers there is no wall between the two. But I find it very odd that an agency so crucial to national security as DIAC can outsource a process which governs who has access to its systems.

What do you think? Should security clearance processes be banned from being outsourced?

Comments (4) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• DIAC security threatened by flood of contractors
• DIAC CIO: IT wages nearly forced us to 'down tools'
• DIMIA mum over skilled migration
• DIMIA mum over skilled migration

Is China more of a threat to your data than any other country? If you listen to some sections of the media, from backyard hackers to the People's Liberation Army, the Chinese are all after your secrets and the Beijing Olympics will present the perfect opportunity to get at your information, either by giving you a booby-trapped USB or distracting you for a second while they extract information from your laptop.

This week, the director of the SANS Internet Storm Center Marcus Sachs played up to these fears on his blog by asking how anyone heading to the Beijing Olympics will protect their data and devices.

Based on some of the responses published, the only "communication" devices you should take with you to Beijing are a pen, pad and perhaps prophylactics (if the last APEC meeting in Sydney is anything to go by, these meet and greets are a chance to exchange more than just ideas).

PDAs, laptops, mobile phones and BlackBerrys — leave them at home, even if your life doesn't quite seem the same without them. And if you are foolhardy enough to bring them, make sure you scan and scrub any USB, or CD given to you — there's every chance that you'll get more than you bargained for seems to be the advice.

One respondent to Sachs' blog says: "China has made it very clear that 'no holds barred' is fair game and they WILL take it to their full advantage."

"Returning expats," says the respondent, "should have an in-briefing meeting and sign a statement indicating ... have not brought back any non-company media to the best of their knowledge. At that time, they are given a one-time opportunity for amnesty to provide anything they may have forgotten to leave behind."

Here's my take on it: if this trip to Beijing is the first time you've been cautious about your data, you need your head — and systems — thoroughly checked. And if you're truly concerned about those "no holds barred" Chinese, I'll tell you a secret: the Chinese are already outside of China. And if they're really desperate to get their hands on your data, they'll know that a better place to get at your data is on your home turf — where you're not so paranoid.

And one more thing. Forget Beijing when it comes to USBs. Do not trust anyone that gives you a USB. Even Telstra, Australia's largest telco, recently issued delegates at this year's AusCERT conference, 80 malware-infected USBs.

Comments (4) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• The myth of the Ninja Hacker
• Gmail cookie vulnerability exposes user's privacy
• PDA to track Olympic VIPs in Beijing
• Chinese hackers back off from CNN attack

Last week's blog on why consumers might be confused by contradictory messages on computer security from banks drew a few objections from interested parties — ones that I thought would be worth responding to this week.

Perhaps I didn't make my point clear enough, or perhaps the people who contact me are nitpicking pedants with a marketing plan in hand. So I'll state my position again: I have no problems with banks giving away security software; I do, however, have a big problem with exaggerating what it will do for you. Why? Exaggerated claims about the efficacy of security products muddy what is already a confusing topic for many consumers.

ING Direct in the US is offering its customers free security software made by the vendor, Trusteer. ING and Trusteer claim the product Rapport creates a secure pipe between the PC and the bank, protecting against "sophisticated attacks", including phishing and man in the middle attacks.

Mickey Boodaei, the CEO of Trusteer, emailed me to disagree that ING Direct is blinding its customers to the reality of malware by making such claims.

"ING Direct realises that regardless of how careful the user is, malware can still find its way to the desktop," he wrote in an email to me, which he says is his personal position on this matter.

Well why doesn't ING Direct say that? It's quite normal for a person who feels safe, to act as if they are safe and take extra risks because they think they're totally protected. And if you make them feel safe when you know that they're not, then their behaviour won't reflect the risks they face, potentially leading to a worse outcome.

Boodaei also believes that media and security experts should support ING "for its bold move and out of the box thinking... After all, most banks are too afraid to do anything (afraid of support calls, afraid of user reaction, afraid of negative media) and this plays right into the attackers' hands," he continued.

Really Mickey? The CEO of McAfee, Dave De Walt, reckons there are better things to worry about than "negative media" — like customers ready to sue their bank's pants off for lying and breaching customer privacy.

"[Banks and telcos are wrestling with] how much liability can they take on by recommending a security product to you and how invasive can they be to help protect your computer transaction. Typically, to be very strong, they have to actually download something to your computer to help secure the transaction, but they potentially could breach data privacy laws by putting something on your computer," he said.

And as for those support calls? I think ING has covered that too: "ING Direct is not responsible for, nor do we guarantee, the content or services associated with this product. All problems, questions or concerns regarding Trusteer Rapport should be directed to support@trusteer.com." As with most financial products, read the fine print.

To me this smells like a company that's able to make claims about the efficacy of a product without having to stand by those claims if and when something goes wrong.

And, Mickey, like I said, last week, if consumer education is what will truly offer secure computing, why not start with a few home truths just like you gave me about security?

A more honest representation — rather than covering your rear with fine print — might be: "Dear customer, feel free to download this security software. It will make you *more* secure, but in reality, unless you unplug your computer and wrap it in a lead box, nothing will make you totally, 100 per cent secure. These are the unfortunate facts of our time. Happy banking and stay safe online."

The CEO of security company Prevx left an essay in the feedback section of my last blog about the plight of banking security from a banker's perspective and banks needing to take a holistic stance on "Customer Security Management" (sic). I appreciate most forms of feedback, including the negative, but Mel, use your own blog page for spruiking.

But Mel did make one relevant comment, and actually, it could make a neat footnote to the Commonwealth Bank's claim that its CA security suite will "eliminate" the threat of malware:

"If a PC is under the control of a kernel level rootkit then nothing running on that PC is safe, nor can anything running on it create a safe harbour without detecting and removing the rootkit."

Comments (4) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Web banking: It's time to write down your password
• Banks are confusing consumers on PC security
• Russian criminals prefer Australian banks
• 1,100 users sign up for NAB's new text banking

Banks obviously have an interest in making consumers feel safe. They are there to protect the customers' money. They want customers to use their online services, too, because the channel offers a lower cost per transaction than a branch. But giving away free security software to make customers feel safe is probably doing more harm than good.

I'm not surprised that consumers have a difficult time grasping the idea of computer security. In Australia, banks such as the Commonwealth subsidise antivirus. The good news is that CBA customers can buy CA antivirus for AU$35 instead of AU$65. The bad news is that the bank exaggerates massively, claiming that with antivirus the threat of malware is removed entirely: "By offering you personal security software, we can help to eliminate this threat [of malware]," says the bank's FAQ page.

CBA customers are likely to walk away feeling completely safe with their new antivirus, yet security professionals know this not to be the case. At this year's AusCERT conference, Cisco's chief security officer, John Stewart, echoed what many security observers have said: that antivirus is not enough to eliminate today's threats because malware writers can create new malware faster than AV vendors can write signatures.

So who should consumers believe? The security professional or the organisation they entrust their savings to?

ING Direct USA also recently announced it is giving away 6.5 million licences of Trusteer's Rapport security software to its customers.

According to Trusteer, the software works by monitoring the interface between applications and an operating system for malware, encrypting information sent from the computer and authenticating ING's website.

The application, which can be downloaded from ING's website, creates a so-called "secure pipe" between a PC — not a Mac or Linux system — and the bank's network. ING boldly claims that Rapport protects against Man In The Browser and Man In The Middle attacks, keyloggers, screen grabbers, pharming, and phishing — "even on infected PCs".

Again, if consumers believe the bank, they should walk away feeling entirely safe. However, they are then given another confusing message: whether or not they install the application, ING will refund customers if their PCs have been hacked and money is stolen.

But here's where it gets really confusing for customers: to run the Rapport software users have to install it with Administrator privileges [see clarification below] — a practice which Microsoft's top security people have been preaching customers to avoid to mitigate the threat of malware.

Security consultant Ty Miller from Pure Hacking explained why: "Vista bases much of its security around not running as Administrator to prevent your system becoming compromised in the first place, so if users are required to run programs as Administrator then they may actually be introducing additional risk to the user's operating system."

The customer has obviously placed some level of trust in both organisations, yet each give different advice. So again, who should the customer believe?

In this instance, I'd actually say, place your bets on Microsoft. According to the CIO of ING Direct USA — a bank which promotes itself as ranked by the University of California as "America's safest bank" — it still sends its customers email alerts for their statements that include URL links. It's pretty amazing the "safest bank" still does this, given the prevalence of phishing scams in the US.

Banks often claim that education is the key to making them actually safe. Well, if this is true, banks shouldn't blind customers to the realities of malware protection by exaggerating claims about the level of security they have.

This is to clarify that Rapport can be installed without administrator privileges, however the product may not work as described by Trusteer if users are not operating under Administrator mode.

http://www.trusteer.com/board-directors

Mickey Boodaei, Trusteer's CEO contacted ZDNet.com.au to clarify that Trusteer Rapport does not require Administrator privileges to run.

"If you run Rapport as administrator it provides its protection from the OS kernel. If you don't have admin privileges Rapport will run from user-space and will protect you mainly against user-space attacks. The logic is simple: if you run as non-admin you're less exposed to kernel-level malware. However, you're still exposed to user-space malware (most malware today can install itself either way) and this is the gap that Rapport closes for you. Either way, Rapport will significantly improve your online security," he said.

Comments (12) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Antivirus is 'completely wasted money': Cisco CSO
• Signature-based antivirus is dead: Get over it
• Microsoft admits Vista UAC prompts 'need work'
• Has Windows Vista's UAC feature failed Microsoft?

Around AU$500,000 of money stolen from within Australia is siphoned offshore each month by Queensland mules, according to the state's police — a well-entrenched problem for banks, money transfer services and the police.

But are these mules really victims or cunning opportunists?

In the job-seeker money mule scam, victims are enticed to apply for seemingly simple work through fake job advertisements. The ads often rely on big brand names, such as financial institutions, to add authenticity to the supposed work. As part of their new "jobs", victims are asked to send a sum of cash using either Western Union or their personal bank accounts to a foreign destination, after which they receive a percentage commission.

Despite the quality of deception within the fake job ads, I find it difficult to believe that anyone who applies for a job where the only requirement is to transfer money from one unknown source to another isn't aware that something is fishy. The fact that the work is so ridiculously easy would raise suspicions in even the most trusting of people.

Peter Muggleston, acting head of technology for New Zealand's Auckland Savings Bank (ASB), reckons many so-called victims are merely playing dumb to escape prosecution and says banks are taking a hard approach to the problem.

"One thing that always comes through is mules claiming they are innocent victims... People are choosing to believe that it is above board, but if you stop and thought about it, even for a second, it's obviously dodgy... The reality is we will prosecute mules," he told ZDNet.com.au recently.

I initially found myself agreeing with Muggleston's sentiment. That is, until last week when I discovered a new scam, which targets lonely hearts. Instead of a job, the promise is a Russian bride.

The victim is told that, in order to be united with his sweetheart, he needs to help his "bride" fund her airfare by sending money entrusted to him by a friend of the "bride" to some offshore location, using Western Union or his bank account.

The scam takes many months to execute for the "bride" to gain the victim's trust, according to Queensland Police's Brian Hay. To me this seemed more like a real scam, not just Muggleston's mule who has found a plausible excuse to deny criminal intent. Hay reckons the best way to deal with the problem is "target hardening" — ensuring that would-be targets are aware of the scam and simply delete any emails from unknown sources.

Hays also told me that most of the job-seeking money mules cases that he has seen involve the mule first handing every single identity document to the scammer before taking on the "work". Why would a person who knows how the scam works be willing to hand over their genuine identity?

So what should we do? If we take Muggleston's approach, and assume that mules know what they are doing, real victims would never come forth; there'd be no information and everyone remains soft targets. On the other hand, if we assume innocence like Hay, people might start claiming there was no criminal intent on their part and mules can work without fear of punishment.

Or perhaps the police should start placing ads for money mules of the job-seeker or lonely heart variety. Anyone who falls for it could then be sent to a basic course in email management to correct their ways before they harm themselves. Prevention is, after all, better than a cure.

Comments (2) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Russian criminals prefer Australian banks
• Russian bride scam turns romantics into money mules
• Pillow talking bots latest Russian malware threat
• Infamous Russian malware gang disappears

People fear the consequences of information falling into the wrong hands and therefore, quite rightly, feel the need to defend privacy. But could that "fear", as one doctor calls it, be stopping information reaching hands that could heal us?

This week the Victorian government announced it will pay Deloitte AU$1.3 million to develop an Australia-wide e-health strategy, to introduce online referrals, e-prescribing, and electronic health records.

It sounds like a good idea but it will be interesting to see what impact it will have on the adoption of electronic health records in Australia. Medical professionals appear to want to be able to use electronic records but current privacy laws are preventing it.

"If you go from one hospital to another, the only way your data is going to get from one to the other is if the doctor writes a letter. And there is no electronic sharing whatsoever," said Dr Marienne Hibbert, director of the cancer research project, Biogrid — also part-funded by the Victorian government.

Due to what she believes are fears about privacy, Australian clinicians — at least those participating in the Biogrid project who treat cancer patients — are hamstrung in their efforts to use widely-dispersed information in order to improve the lives of patients, and it's all due to privacy.

"There's a real danger of privacy being too protected — it's people's perception of the risk... It's way out of... Well, it's fear," she said. "If people weren't worried, for a start, I think there'd be much more sharing of patient data for clinical use."

Biogrid currently pulls together de-identified cancer patient data, sourced from over 30 hospitals in Australia, New Zealand, the US, UK, Brazil and Malaysia.

But while researchers are able to learn from anonymised data collected in the Biogrid project, the clinicians who treat patients are unable to make use of it — primarily because the information needs to be attached to a patient's name to be useful. What could be achieved if this were permitted has implications that are far reaching and quite immediate for cancer treatment, according to Hibbert.

"[Biogrid] is research and we can actually integrate data much more effectively than is available for clinical care.

"My clinicians that are involved in this are really frustrated about not having any way of viewing identified clinical information across sites," she said.

If there was a way of providing a "secure and protected" view of cross-site identified information — say across a single tumour stream — clinicians, who are often dispersed amongst several hospitals, could improve their management of cancer treatment.

"Cancer patients are coming and going all the time, they often have had surgery at one site, oncology at another and then radiotherapy elsewhere. If you can provide the clinical view to the clinicians, that would be really helpful. Doctors get so frustrated because they don't have that combined view," said Hibbert.

It's a bit hard to say that if doctors could access identified information from other sites it would reduce the number of cancer related deaths in Australia but it would seem the logical — especially if we are to believe the government's message that the fight against cancer will be won by early detection and surveillance.

But cancer research and saving lives is not the only thing that's being held back. Today, Australians would be hard pressed to use services such as Google Health and Microsoft's Health Vault since the only copy they likely have of their medical history is stuck in their head.

Where is your medical history stored?

Comments (6) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• National e-health vision unleashed in September
• SA health to cut errors with $4.4m pharma system
• National health database every integrator's dream
• Google CEO coughs up Australia Health plans

It's no secret that people don't like discussing their business's security woes — I've been knocked back so many times after asking to discuss security it almost feels silly asking the question.

So when I first called the ATO a few months back, after learning that PriceWaterhouseCoopers was conducting a review of the ATO's security practices, I expected my interview request to be declined. After all, the ATO is an AU$700 million a year IT shop which contains some of Australia's most sensitive information.

So to say I was shocked a few days ago, after hearing from the ATO that Gibson was ready to speak about the security review, is an understatement.

This is the problem with security in Australia and why we could benefit from data breach disclosure laws. As I said in my blog last week, the information we do have access to is mostly trite. The result is that we are limited in the ways we can think and discuss security. For consumers, it makes it almost impossible to assess the state of security in the country and the risks they face.

Anyway, after my initial excitement at the prospect of talking security with Gibson, I began to have doubts. They must have got a gold star in the review, I thought.

Which is why, when I secured a copy of the 100-page review yesterday, I was again shocked. The review found a security-conscious culture at the ATO — as you would hope — but also found some staff didn't know how to use approved file transfer channels, and serious problems when it came to the accountability of organisations it shares taxpayer information with.

Of course, the ATO hasn't experienced a HMRC-style data breach, so the review doesn't cut that deep. Even so, Gibson admitted a briefcase containing taxpayer information had been stolen, a disc lost and porn being e-mailed by staff.

The review also discovered interesting human responses to security measures. Staff at government agencies must classify outbound e-mails according to their level of confidentiality, except some staff who were "strategically" labelling them to either restrict access or bypass restrictions.

The most interesting aspect of the review, however, is that the ATO cannot be alone in the security challenges it faces. Nearly every person — vendor and end-user — I have spoken with is concerned about data leakage. And with the ATO's 22,000 staff, I can imagine some difficulties getting security right across the whole organisation. Yet as far as I can tell, no organisation, private or public, has opened itself in this way.

The ATO's security review is one of the most useful documents I have seen in my time at this publication, so it and the ATO, get a gold star.

Comments (3) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• ATO offshoring precedent still on horizon
• Taxing times for the ATO
• Australian Tax Office: Bill Gibson, CIO
• Tax Office needs to rethink open source objections

My hair is going grey, which I can handle, but thanks to the uselessness of the Office of the Privacy Commissioner's Web site and annual report, I think it's now starting to fall out.

The Privacy Commissioner Karen Curtis — bless her cotton socks — has been trying to prime business for data breach disclosure laws with initiatives such as privacy awards — a positive approach to foster support among companies for what will presumably be an unpopular piece of legislation.

Last week a news story from the UK triggered my interest — the UK Information Commissioner's Office (ICO) revealed that since the security breach at HMRC in November last year, it has been notified of almost 100 data breaches. The public sector accounted for 62 breaches and the private sector for 28.

That set me thinking — how well (or poorly) does Australia fare in terms of data security and privacy?

I wanted to see if our Privacy Commissioner would reveal similar information as her UK counterpart. As it turns out, she probably would ... if she could.

The information about Aussie breaches provided to me — and what is available to you — was unfortunately about as much use as a chocolate teapot. Between July 2007 and March 2008, the Privacy Commissioner has recorded 60 instances where a breach of privacy may have occurred. In that time, there have been 830 instances of individuals complaining of a privacy breach. Promising, I thought, but how many of those specifically related to potentially far-reaching information security breaches, rather than, say, a one-off complaint about an overly intrusive call centre? So I went back for a second bite of the cherry and asked the Commissioner's office for how the 100 breaches were categorised.

Apparently analysing this information is a very onerous task, so it's not been done. The result: the cause of the complaint, as well as the nature and scale of any breach, cannot be disclosed. In the absence of said information, the next best thing is a look at the number of privacy complaints, which the Commissioner's office does record, and I was referred to the 2007 Privacy Commissioner's annual report.

It turns out that four percent (762) of the complaints lodged with the office related to "data security". In total, there were over 17,000 complaints.

Just four percent. Sounds minuscule compared to the 25 million Brits affected by the UK HMRC breach. Which is exactly the point — there is no way that all 25 million people would know, and therefore could complain to the Office about the breach. So why in Australia do we collect data on complaints? It shows nothing other than the workload of a government office and how many eagle-eyed consumers know when they've been wronged.

We are given this reassuring notice: "If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further."

This highlights why the decision to disclose a breach should be taken out of the hands of an individual and, instead, minimum standards set so that disclosure becomes an automatic response. Whether this occurs will be debated in parliament once the ALRC submits its recommendations to the Attorney General's Department this month.

Here's some more useless information I found: Australia's private sector is a worse privacy offender than the public sector — two-thirds of the "complaints" this year related to possible breaches in the private sector. Size and nature is all I have to say.

And yet some more ... The annual report details whether complaints were received by telephone, letter or e-mail, whether there was "an apology made", if a complaint was closed because it was "frivolous, vexatious or misconceived".

So I advise everyone, if you're looking at the state of information security in Australia, do not bother visiting the Office of the Privacy Commissioner's Web site — not until it contains information on actual breaches, such as: the name of the organisation (particularly for publicly documented breaches); whether information was lost via an unencrypted laptop, a lost CD, a misplaced USB, or by hacking; and most importantly, details on how many records were compromised.

Please, Commissioner, I urge you, stop publishing the volume of complaints your office receives. Nothing useful can be gleaned from this other than the workload your staff face and give us what we really want: a Commissioner that's not afraid to shame big business into protecting its consumers.

Comments (2) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• Are PC users diluting the IQ of the Mac community?
• CA's Apple Mac lives with 100,000+ viruses
• Google: G'arn, I'll swap ya privacy for security
• Aussie PCs valuable for all the wrong reasons

You would think that running the most widely used operating system on your network of ATMs is just an invitation for trouble. At least some security folk reckon XP makes ATMs an easy touch for hackers.

But not the execs at National Australia Bank (NAB), who this week announced the bank is overhauling its 1,600 ATMs to run on Windows XP.

Gibbins and NAB are not alone on this front. Seventy-five percent of Australia's ATMs run on some version of Windows, according to an NCR spokesperson.

Why?

According to NCR's chief technology officer Alan Chow, running ATMs on Windows is about "brand image".

"Banks spend a lot of energy personalising [an ATM] screen. The ATM is the brand image of the bank. If you want to see the difference why they choose [a full version of Windows XP] — versus a stripped down embedded OS — go to the ATMs at the corner store and compare the user interfaces. Without the interface, it's just a cash dispenser. This is about brand image," he said.

So there's a trade off between convenience and security. I can appreciate that. And I'm sure NAB can mitigate the threats that affect the rest of the world on Windows XP from affecting both its 28,000 newly XP'd desktops and now its ATMs. Running Windows doesn't necessarily mean you're screwed. Just Ask Bruce Schneier.

Back in 2003, Cambridge security researcher, Ross Anderson, in a Wired article, said ATMs running Windows would likely see a Slammer style attack, resulting in money spewing forth from thousands of machines.

FUD and rubbish, said Bruce Schneier. Why? Because in 2003 the machines did not operate online and therefore would not become vulnerable to a malicious Internet attack or to some virus passed around in an e-mail attachment.

But National Australia Bank proudly announced this week that it will be the first bank to roll out ATMs that operate on TCP/IP networks.

So don't be surprised if you start seeing ATMs spewing cash from their dispensers. I am going to carry around a swag bag just in case.

Comments (37) | Email this

Share: Google | Facebook | del.icio.us | Digg | Reddit | Slashdot | StumbleUpon

• NAB splashes out AU$100m on Windows ATMs
• NAB gives staff final word on IT jobs offshoring
• NAB ditches Windows NT for XP
• Telstra, NAB and Visa turn mobiles into credit cards