News and Opinion

CONFIRMED: Sydney House Hunters Ripped Off
Criminals are targeting Sydney house-hunters through Fairfax Digital's Domain.com.au real estate website.
Fraudsters are placing fake rental property listings for affordable inner Sydney apartments on the site. Upon contacting the purported landlord, would-be renters are being instructed to transfer money offshore in exchange for apartment keys that will never arrive.

SIFT and Stratsec merge
Australian information security companies Stratsec and SIFT have merged.
The new company employs a total of 65 people, with no staff being made redundant from either SIFT or Stratsec during the merger. The new company will retain the stratsec name and recruit 4-5 new staff immediately with a view to further expansion later this year, according to the new company's CTO and SIFT founder Nick Ellsmore.

In Brief: Microsoft Dumps Security Evangelist
Microsoft's senior security strategist, Steve Riley, has been made redundant.
After more than 10 years working for Microsoft, Riley fell victim to a restructuring program last Tuesday. "As a part of Microsoft's second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended," Riley wrote on his blog. "I'm certainly not disappearing... I'll remain involved in the security industry."

McAfee Gets Worked. Hard.
Security software maker McAfee is an industry laughing stock following the disclosure of embarrassing security vulnerabilities in its websites.
A Cross-Site Request Forgery (CSRF) vulnerability uncovered in McAfee's "secure" vulnerability scanning portal would have allowed an attacker to take control of client accounts. The portal is designed to scan customer websites for security vulnerabilities and fulfil some PCI DSS compliance requirements.

Pirate Bay Trial "Growing Pains"
This piece was written for the Australian Broadcasting Corporation and originally ran here.
In June, Internet piracy as we know it turns 10.

Hack Our New Authentication Protocol, Says Centrelink
Centrelink's smart card architect, Glenn Mitchell, has invited all and sundry to break its new authentication protocol, PLAID.
Australia's welfare agency released the draft implementation of PLAID last month. It created the new protocol because off-the-shelf solutions didn't match Centrelink's "business needs," Mitchell says.
He now hopes crypto-geeks all over the world will rip into the software, now in its second draft. "We need to make sure it's as secure as we believe it to be," he told the Risky Business podcast. "There may be issues... if anyone does any issues with it then we're more than happy to take feedback on board and see what we can do to review it."

Cool Tool: Why You Need Kon-Boot
Introducing Kon-boot, a new tool that allows users to bypass password authentication on Linux and Windows machines by altering the kernel on the fly.
It's just another way to get full privileges once you have physical access, but it looks nice and simple and even supports Windows 7 for Chrissakes!
It's free and you can get it here.

Pirate Bay Prosecution a Waste of Police Resources
Last week a Stockholm court found four men guilty of promoting copyright infringement for running The Pirate Bay, a peer-to-peer site primarily used for illegal file-sharing, and sentenced them to a year in prison, plus a large fine.
Handing down a year in the big house is a strong deterrent against those who may consider doing this type of thing in the future, but is it really the best judicial outcome?
The Swedish cops raided The Pirate Bay a couple of years ago and seized servers, but even this action didn't shut the site down. The investigation was well handled, but surely police resources should be dedicated to more serious crimes.

Essential reading: Verizon's Data Breach Study
Verizon Business Security Solutions has released its 2009 Data Breach Study.
The report is essential reading; the post-mortem analysis of data breaches is to the information security industry what black-box flight recorder information is to the aviation industry. By understanding where things have gone wrong, we can avoid repeating the mistakes of some of our peers.
A phone interview with the company's director of investigative response, Bryan Sartin, has been recorded and will be included in Risky Business #104, which is due to be published in the next 24 hours.
In the meantime, the 52-page report can be found in PDF form here. It's a must read for anyone working in enterprise security.

Poor Scoping Disastrous for Security
Building security testing into your project lifecycle is one of those critical growing-up points for a business.
All enterprises must eventually accept that security is just one more part of software or system development lifecycle. Both designs and implementations must be reviewed, developers need security training and infosec teams need the power to veto go-live dates.
Lots of businesses have arrived at this point. But what often happens as a result is that security gets siloed per project. The project scope determines what security people will see, where there is budget and, critically, where the incentive to fix the problems lies.
This means that the way project silos interact -- the reefs between scope islands -- is never in scope. And as we all know, scope is for project managers, auditors and security consultants. Hackers don't care about your scope.
Let's look at how scoping can create some pretty perverse outcomes.