Archives For cybersecurity

20140122-072236.jpg

In breaking news the Australian Bureau of Meteorology has been hacked by the Chinese. Government sources are quoted by the ABC as stating that the BoM has definitely been compromised and that this may in turn mean the compromise of other government departments.

We’re probably now in the Chinese’s operational end game as their first priority would have been to expropriate (read steal) as much of the Bureau’s intellectual property as they could, given that follow-up exploits of other information systems naturally carry a higher likelihood of detection. The intruders running afoul of someone else who was not quite so asleep at the switch may well be how the breach was eventually detected.

The first major problem is that the Bureau provides services to a host of government and commercial entities so it’s just about as good a platform as you could want from which to launch follow on campaigns.  The second major problem is that you just can’t turn the services that the Bureau provides off, critical infrastructure is, well, critical. That means in turn that the Bureau’s server’s can’t just go dark while they hunt down the malware. As a result it’s going to be very difficult and expensive to root the problem out and also to be sure that it is. Well played PLA unit 61398, well played.

As to how this happened? Well unfortunately the idea that data is as much critical national infrastructure as say a bridge or highway just doesn’t seem to resonate with management in most Australian organisations, or at least not enough to ensure there’s what the trade calls ‘advanced persistent diligence’ to go round, or even for that matter sufficient situational awareness by management to be able to guard against evolving such high end threats.

iVote_Logo

The best defence of a secure system is openness

Ensuring the security of high consequence systems rests fundamentally upon the organisation that sustains that system. Thus organisational dysfunction can and does manifest itself as an inability to deal with security in an effective fashion. To that end the ‘shoot the messenger’ approach of the NSW Electoral Commission to reports of security flaws in the iVote electronic voting system does not bode well for that organisation’s ability to deal with such challenges. Continue Reading…

20140122-072236.jpg

The GAO has released its latest audit report on the FAA’s NextGen Air Traffic Management system. The reports updates the original GAO’s report and when read in conjunction with the original gives an excellent insight into how difficult cybersecurity can be across a national infrastructure program, like really, really difficult. At least they’re not trying to integrate military and civilian airspaces at the same time 🙂

My analogy is that on the cyber security front we’re effectively asking the FAA to hold a boulder over its head for the next five years or so without dropping it. And if security isn’t built into the DNA of NextGen?  Well I leave it you dear reader to ponder the implications  of that, in this ever more connected world of ours.

Or how to avoid the secret police reading your mail

Yaay! Our glorious government of Oceania has just passed the Data Retention Act 2015 with the support of the oh so loyal opposition. The dynamics of this is that both parties believe that ‘security’ is what’s called here in Oceania a ‘wedge’ issue so they strive to outdo each other in pandering to the demands of our erstwhile secret secret police, lest the other side gain political capital from taking a tougher position. It’s the political example of an evolutionary arms race with each cycle of legislation becoming more and more extreme.

As a result telco’s here are required to keep your metadata for three years so that the secret police can paw through the electronic equivalent of your rubbish bin any time they choose. For those who go ‘metadata huh?’ metadata is all the add on information that goes with your communications via the interwebz, like where your email went, and where you were when you made a call at 1.33 am in the morning to your mother, so just like your rubbish bin it can tell the secret police an awful lot about you, especially when you knit it up with other information.  Continue Reading…