* Posts by Jonbays

27 posts • joined 27 Nov 2012

Commbank data loss: Non-disclosure was pretty reasonable


Recovering data from tapes isn't trivial, but if it's not encrypted then I assure you any junior hacker could have posted the data up on the dark web and asked for help, where the resources would be available. As for notifiable data breach, I think it certainly should be now under the new legislation, as unless it was encrypted there is a risk that harm could be caused to someone, given that the amount and type of data make it worth spending effort on recovering it off the lost tapes. Of course the legislation is very open-ended and open to wide interpretation here, so without actual prosecuted breaches and fines we will never know how the courts take these breaches of the Privacy Act.

Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin


Absolute Software aren't concerned for the customers' safety yet, so all is fine then?

Facebook confirms Cambridge Analytica stole its data; it’s a plot, claims former director


I think the proof is in. Citizens are gullible and easily manipulated, and not just in the US.

10/10 would patch again: Big Red plasters 'easily exploitable' backdoor in Oracle Identity Manager


Java sets the tone for the security of all their software, so no one should be surprised. Just get good patch and vulnerability management software and use it religiously if you have to use Oracle software in your organisation.

You publish 20,000 clean patches, but one goes wrong and you're a PC-crippler forever


It happens to every AV vendor, so why all the fuss? It's all about how useless AV blacklisting is: it's reactive, prone to false positives and ultimately redundant these days.

Hospital injects $60,000 into crims' coffers to cure malware infection


Clearly they had never actually tested backup and restore procedures, and probably not even followed them. Don't bother backing up if you haven't ever tested that you can restore from a backup!

We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare


The Intel security folks must be glad to be at arm's length from McAfee again; all this PR spin with no substance makes a mockery of the company's security posture. Someone other than a hacker somewhere must have been able to see the potential for side-channel attacks and remediate them in the core design, surely?

Kaspersky dragged into US govt's trashcan as weaponized blockchain agile devops mulled


Doesn't seem to have any procedural fairness to blanket-ban a company, but at least it distracted him from grabbing pussies or starting a war in the Middle East or Korean peninsula. Oh, oh, it didn't ; )

Tenable's response to folks upset at AWOL features: A 150-emails-a-minute spam storm


Tenable have got big, arrogant and dumb, but then what could you expect from the United States? They voted for Trump as their president.

ATO, Dept of Immigration wrist-slapped for failing security audit, again


Independent Audit required here

Clearly they have been reading "Yes Minister" and are not going to comply, merely stall. The ANAO should audit them, and if they fail to meet agreed implementation timelines then Finance needs to withhold funding and restrict them from accessing any other agencies' data until they can become compliant. Nothing in the Top 4 is particularly hard to achieve if adequate resources are put into it and procedures are amended to support their adoption, not block them. That said, this is a big merged agency and a mish-mash of systems, all in need of a savage revision back to the basics of what they need to get the job done.

There's a battle on over two US spying laws: One allows snooping on citizens – one bans it


"Think of the children" and "terrorists" are always a good reason to spy on your own citizens, and once you have the data, well, it can only get abused for more and more "good reasons". Of course if you aren't allowed to spy on your own citizens then you can always ask your "good friends" to do it for you too.

Scotiabank internet whizzkids screw up their HTTPS security certs


Web hosters' certificate management hint no. 1: throw away the cert management spreadsheet.

Get ready to register your drones in the US – or else


Drones will need to be registered as their use and popularity increase, and I think, much like motorised bicycles, you pick a power output like 250 watts, or total vehicle weight or similar, to determine when a drone starts to represent a vehicle that needs to be registered, insured and requires a licenced operator.

Laptop imports declared SECRET in Australia


Yep, they're lawyering up on you, Simon. They're from the government and they're here to help; that's all you need to know.

Kmart Oz popped but credit cards are safe, really


You have to give them points for prompt disclosure, as Australia still lacks mandatory disclosure laws to back the Privacy Act. Still, it's doubtful that all is known early in the breach detection, and if more was known the PR spin merchants know to release the bad bits later, say over a long weekend or when Russia bombs the Syrian free army, so it's back-page news. Let's hope free ID theft insurance was offered, as there would be enough info to get another credit card lost here.

How the Arab Spring blew the lid off the commercial spyware


Blue Coat wasn't selling to Syria; one of their distributors in the UAE was, actually. Stephan Link had to hand over $2.8 million to the US government over that one. Should have been more careful before buying Fusion, or any UAE company for that matter.

HP goes off VMware's EVO:RAIL, stops selling sole appliance


Nutanix is what you want to look at here.

Patch-crazy Aust Govt fought off EVERY hacker since 2013


Have to agree, Coward, and of course we don't have any mandatory breach disclosure laws, so if you did have a breach you don't need to worry about it anyway. As long as it's not your own financial account data, why would you worry!

ONE in A HUNDRED reported bugs exploited, says Cisco


This is a bit misleading, so how many breaches are caused by exploits of unpatched known vulnerabilities? It cuts both ways. Patching is the simplest and most effective way of mitigating being breached or compromised, and it can be easily automated and managed for a majority of systems for lower cost than anti-virus, which isn't working anyway. Don't believe me? Then ask the Australian Signals Directorate. Their 'Top 4 Mitigation Strategies' are:

1. Application whitelisting;

2. Patch applications;

3. Patch operating system;

4. Minimise administrative privileges.

Possible Lizard Squad members claim hack of Oz travel insurer


Mandatory Breach Reporting Laws need enacting in Australia

Data breaches like this, where nothing is done to assist or help the victims, really do go to show you can't trust business to protect its customers' data, and government needs to step in with simple, clear legislation requiring prompt disclosure to allow people to take protective action, and/or $M fines for multiple breaches or late or no disclosure. This will force organisations to essentially do the right thing for their own financial benefit, as they clearly won't do it to protect their customers.

CloudFlare ditches private SSL keys for better security


CF are really only trying to avoid any legal liability in having to manage and secure keys, which is not beyond them; it just costs money they don't want to spend. Few clients will be helped by this move to "secure" them from NSA prying, which for most people is the least of your worries.

SHOCK HORROR: Oz's biggest govt agencies to miss infosec deadline


Application control works, and no, it's not hard to decide what apps you want whom to run on what. Many groups are very easy to whitelist, like standard desktops, domain controllers, web servers and database servers, with a few exceptions, and the exception shouldn't make the rule. Patching whitelisted apps though gets harder, and patch management itself, while easy, is fraught with conflicting goals and timelines from app managers, ops and sec-ops people. Still, plenty of good software to automate the Top 4 and make it achievable, at a cost of course.


Re: Just who is surprised by this?

You really have worked in Government IT, haven't you, and for as long as me by the sound of your very healthy cynicism!

CERT Oz report: 76 orgs popped in targeted attacks


Whitelisting is the answer, and NO, it's not too hard; it just takes a disciplined approach and good whitelisting software with multiple ways of managing the exceptions that are allowing too many organisations to get away without implementing it.
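The two comments above (on application control for standard desktops and servers, and on whitelisting software that offers several ways of managing exceptions) describe a policy shape rather than code. The block below is an added illustration written for this page, not code from the commenter or from any product: a default-deny allowlist evaluator that combines exact-hash approval, a ticketed exception list, trusted-publisher rules scoped to admin-controlled install paths, and a block on user-writable locations so that an unknown binary dropped from an attachment is refused even if it claims a trusted signer. The binaries, paths, publisher name and change ticket are all constructed sample values.

```python
"""Default-deny application allowlist with managed exceptions (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass
class AllowlistPolicy:
    """Policy inputs; all values in this example are hypothetical."""
    approved_hashes: set = field(default_factory=set)     # SHA-256 of known-good binaries
    trusted_publishers: set = field(default_factory=set)  # signer names accepted from trusted paths
    trusted_paths: list = field(default_factory=list)     # admin-only install dirs (glob patterns)
    blocked_paths: list = field(default_factory=list)     # user-writable dirs (glob patterns)
    exceptions: dict = field(default_factory=dict)        # SHA-256 -> change ticket justifying it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: AllowlistPolicy, path: str, content: bytes,
             publisher: Optional[str] = None) -> tuple:
    """Return (verdict, reason). Anything not matched by a rule is denied."""
    digest = sha256_hex(content)
    # 1. Exact hash match: approved wherever it sits.
    if digest in policy.approved_hashes:
        return ("allow", "approved hash")
    # 2. Documented exception: allowed, but the reason carries its ticket so it can be audited.
    if digest in policy.exceptions:
        return ("allow", f"exception {policy.exceptions[digest]}")
    # 3. Unknown content in a user-writable location is denied even if it claims a trusted
    #    publisher; the publisher rule below is deliberately scoped to admin-controlled paths.
    if any(fnmatch(path, pat) for pat in policy.blocked_paths):
        return ("deny", "user-writable path")
    # 4. Trusted publisher from a trusted path: covers a patched build not yet re-hashed.
    if publisher in policy.trusted_publishers and any(
            fnmatch(path, pat) for pat in policy.trusted_paths):
        return ("allow", f"trusted publisher {publisher}")
    return ("deny", "not on allowlist")


def audit_batch(policy: AllowlistPolicy, executions) -> list:
    """executions: iterable of (path, content, publisher). Returns (path, verdict, reason) rows."""
    return [(path,) + evaluate(policy, path, content, pub) for path, content, pub in executions]


# Constructed stand-ins for executable content (not real binaries).
GOOD_APP = b"MZ-constructed-approved-build"
PATCHED_APP = b"MZ-constructed-newer-build-of-same-app"
DROPPER = b"MZ-constructed-unknown-binary-from-attachment"
LEGACY_TOOL = b"MZ-constructed-legacy-tool-covered-by-exception"

POLICY = AllowlistPolicy(
    approved_hashes={sha256_hex(GOOD_APP)},
    trusted_publishers={"Example Corp"},               # hypothetical signer name
    trusted_paths=["C:/Program Files/*"],
    blocked_paths=["C:/Users/*/Downloads/*", "C:/Users/*/AppData/Local/Temp/*"],
    exceptions={sha256_hex(LEGACY_TOOL): "CHG-0042"},  # hypothetical change ticket
)

SAMPLE_EXECUTIONS = [
    ("C:/Program Files/App/app.exe", GOOD_APP, "Example Corp"),
    ("C:/Program Files/App/app.exe", PATCHED_APP, "Example Corp"),            # patched, not re-hashed
    ("C:/Users/alice/AppData/Local/Temp/invoice.exe", DROPPER, "Example Corp"),  # claimed signer
    ("C:/Users/alice/Downloads/legacy.exe", LEGACY_TOOL, None),
    ("D:/Share/unknown.exe", DROPPER, None),
]

if __name__ == "__main__":
    for path, verdict, reason in audit_batch(POLICY, SAMPLE_EXECUTIONS):
        print(f"{verdict:5}  {reason:32}  {path}")
```

The order of the rules is the design point: exact hashes and ticketed exceptions are checked first so that an exception is a deliberate, traceable act rather than a loophole, and the publisher rule only applies from admin-controlled paths so that patching a whitelisted app does not require reopening user-writable directories.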

Self-proclaimed LulzSec leader to be tried in July


AFP should be embarrassed about bothering to proceed with this. Even Content must be having a chuckle over how far this was blown out of proportion. No prime-time telly interviews for the commissioner at the sentencing, I will bet.

Gameover ZeuS adds nasty trick


With all these techniques becoming more common, a stricter default-deny policy, with only approved apps being allowed through next-gen firewalls like Palo Alto Networks, may be the only way to cope with this, as users WILL open zip attachments.

Defence Signals Directorate offers BYOD advice


The private advice site is too well secured, with a 1024-bit cert with errors!


Biting the hand that feeds IT © 1998–2021