9 May 2008
Gold star for the ATO
Posted by Liam Tung @ 17:16 3 comments
If Australia is going to take information security seriously, we need more people like the ATO's CIO, Bill Gibson.
It's no secret that people don't like discussing their business's security woes. I've been knocked back so many times when asking to discuss security that it almost feels silly to ask the question.
So when I first called the ATO a few months back, after learning that PricewaterhouseCoopers was conducting a review of the ATO's security practices, I expected my interview request to be declined. After all, the ATO is an AU$700 million a year IT shop which holds some of Australia's most sensitive information.
So to say I was shocked a few days ago, after hearing from the ATO that Gibson was ready to speak about the security review, is an understatement.
This is the problem with security in Australia and why we could benefit from data breach disclosure laws. As I said in my blog last week, the information we do have access to is mostly trite. The result is that we are limited in the ways we can think and discuss security. For consumers, it makes it almost impossible to assess the state of security in the country and the risks they face.
Anyway, after my initial excitement at the prospect of talking security with Gibson, I began to have doubts. They must have got a gold star in the review, I thought.
Which is why, when I secured a copy of the 100-page review yesterday, I was again shocked. The review found a security-conscious culture at the ATO — as you would hope — but also found some staff didn't know how to use approved file transfer channels, and serious problems when it came to the accountability of organisations it shares taxpayer information with.
Of course, the ATO hasn't experienced an HMRC-style data breach, so the review doesn't cut that deep. Even so, Gibson admitted that a briefcase containing taxpayer information had been stolen, that a disc had been lost and that staff had been e-mailing porn.
The review also discovered interesting human responses to security measures. Staff at government agencies must classify outbound e-mails according to their level of confidentiality, but some staff were "strategically" labelling them to either restrict access or bypass restrictions.
The most interesting aspect of the review, however, is that the ATO cannot be alone in the security challenges it faces. Nearly every person — vendor and end-user — I have spoken with is concerned about data leakage. And with the ATO's 22,000 staff, I can imagine some difficulties getting security right across the whole organisation. Yet as far as I can tell, no organisation, private or public, has opened itself in this way.
The ATO's security review is one of the most useful documents I have seen in my time at this publication, so it, and the ATO, get a gold star.
2 May 2008
Why I hate the Privacy Commissioner's office
Posted by Liam Tung @ 12:21 2 comments
According to the Office of the Privacy Commissioner's 2007 annual report, Australian consumers should feel pretty safe — but that's because it's full of crap.
My hair is going grey, which I can handle, but thanks to the uselessness of the Office of the Privacy Commissioner's Web site and annual report, I think it's now starting to fall out.
The Privacy Commissioner Karen Curtis — bless her cotton socks — has been trying to prime business for data breach disclosure laws with initiatives such as privacy awards — a positive approach to foster support among companies for what will presumably be an unpopular piece of legislation.
24 April 2008
Is running Windows XP on ATMs stupid?
Posted by Liam Tung @ 16:27 32 comments
When creating a secure, locked down IT system -- for something that is directly responsible for handling cash transactions -- would you choose the most popular, most targeted operating system?
You would think that running the most widely used operating system on your network of ATMs is just an invitation for trouble. At least some security folk reckon XP makes ATMs an easy touch for hackers.
But not the execs at National Australia Bank (NAB), who this week announced the bank is overhauling its 1,600 ATMs to run on Windows XP.
16 April 2008
Nobody protects Macs, not even Steve Jobs
Posted by Liam Tung @ 11:00 8 comments
Macs are banned from many government departments because there aren't any 'approved' applications to encrypt them. So why doesn't Apple CEO Steve Jobs do something about it?
In the US last week, the National Institutes of Health banned MacBooks from being used by staff because they lack an approved encryption tool to protect client information, according to a report in InformationWeek.
And why doesn't Mac OS X have a full disk encryption tool yet? Well, technically it has something close. Leopard's Disk Utility can create encrypted disk images using 256-bit AES, although that protects only what you put inside the image rather than the whole disk. The bigger problem is that Disk Utility has not been sanctioned by the US government.