Australia Crime Security IT

Inside CERT Australia 74

Posted by samzenpus
from the shiny-red-button dept.
mask.of.sanity writes "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught."
  • You don't want HONEST people to know that the software is worth one cubic turd. Only criminals should possess that knowledge, because they are the people who will put it to best use!!

    BTW - who knows why turds are round, and tapered instead of cubes?

    • by Anonymous Coward on Monday April 11, 2011 @05:08AM (#35779516)

      BTW - who knows why turds are round, and tapered instead of cubes?

      That's so your ass doesn't clap when you take a shit.

    • Re: (Score:2, Offtopic)

      by NoMaster (142776)

      BTW - who knows why turds are round, and tapered instead of cubes?

      Because you're not a wombat [museumvictoria.com.au]?

      • "Wombats produce 4-8 of these cube-shaped scats per deposition event" which has no realation whatosever with an event horizon, I'm sure.

        That's simply amazing. They really do some strange things in Auastralia!

    • by dbIII (701233)
      Wombats have cubic crap. I don't know why. It is a way to tell if there are wombats around - apart from the big holes under or through fences. Wonderful animals but not entirely cute. Imagine a bag of completely set cement covered in fur with teeth like bolt cutters and you are not far from the idea of a wombat. Just as well they are herbivores.
• Angry herbivores. I remember camping in high school and watching one headbutt a classmate who got too close to its burrow. He's lucky it didn't decide to maul him as their claws are like pineapple cutters.

        • hahha, this is soo true! We tied rope to a friend and sent him down a wombat hole to fetch a lost soccer ball. Bhahah, stupid thing to do thinking back to it!
  • If even RSA (a security expert) is compromised, I wonder how long it'll take for this list to get leaked, especially now that it has been publicized.

    Or maybe the publicity is another bait and switch :P. It'd be cool if it was, but I doubt it.

  • corporate welfare (Score:5, Insightful)

    by Hazel Bergeron (2015538) on Monday April 11, 2011 @05:09AM (#35779526) Journal

    TFA:

    The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly.

    This is corporate welfare at its finest: make the people pay to give a competitive advantage to particular companies.

    When will this primitive targets-based, public-private-partnership experiment born somewhere in the '80s finally collapse? When will parties and their representation in government reflect the people again? Whether left or right, authoritarian or socially liberal, your view is no longer represented unless you've paid for it.

    • it's not new, it goes way back before the '80s, corps used to get away with a lot worse, in some cases, they ran everything:

      http://en.wikipedia.org/wiki/Hudson's_Bay_Company [wikipedia.org]

      in fact, if we go to the stars, it will probably under the same form as this:

      http://avp.wikia.com/wiki/Weyland-Yutani [wikia.com]

      it makes sense that corporations take these risks, profit, then they are absorbed. the point is, corporations are never going away, because they do make sense for many reasons in terms of the most efficient way to do things. however, they are like beasts of burden: you must harness them and put them to use, or they run roughshod over your society. like GE, which paid no taxes to the USA, where the corporation is corrupting our system of government to stand above the people:

      http://abcnews.go.com/Politics/general-electric-paid-federal-taxes-2010/story?id=13224558 [go.com]

      additionally, we are making progress. the labor movement a hundred years ago made a huge step forward (that yes, we are backsliding on now)... after the civil war, corporations had a larger military than the federal govt, to suppress labor. blackwater is a hiccup in comparison:

      http://en.wikipedia.org/wiki/Pinkerton_National_Detective_Agency [wikipedia.org]

      2 steps forward, 1 step back. this struggle is going on for centuries. but please do not forget we ARE making progress against the corruption of the people's will by monied interests. it is very difficult, and takes time and much effort. today, they have an entire corporate propaganda machine, fox news, that incenses the poor and middle class to actually fight against their own interests, like affordable healthcare. it is absurd, but real

      People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices. It is impossible indeed to prevent such meetings, by any law which either could be executed, or would be consistent with liberty and justice. But though the law cannot hinder people of the same trade from sometimes assembling together, it ought to do nothing to facilitate such assemblies; much less to render them necessary.

      http://en.wikipedia.org/wiki/The_Wealth_of_Nations [wikipedia.org]

      • fox news, that incenses the poor and middle class to actually fight against their own interests

        You don't understand these people.

        OK, an analogy of sorts: I don't shoplift. It's against my interest to not shoplift. Why then, do I not shoplift? I have this feeling that taking stuff from other people is wrong. Yes, I know, I'm being stupid and I should just do what is in my best interest. I also get really pissed off when other people shoplift, even if I'm not the shopkeeper and even if I don't see it happen. Perhaps you feel differently?

        When the government takes money from other people to supply my hea

• you should have a $500,000 savings account in case something bad happens. because contributing to a group fund that other people draw out of is communist, right?

          that you think financial common sense on the question of the best way to pay for healthcare is morally corrupt shows how propagandized you are

          • by r00t (33219)

            If I choose to buy insurance, I'm choosing to gamble. I may "win" by getting expensive care provided to me, or "lose" by staying healthy and getting nothing.

            If I'm forced to buy insurance (private or government) then I'm being forced to gamble. My choice has been taken from me. Maybe I want to gamble, and maybe I don't, but taking away the choice is not OK.

            I don't feel right taking your choice from you. Please don't take mine from me.

            • you don't have a choice

              if you are young and healthy and have no health insurance, but you break your arm, we do not inquire as to your bank account before treating you. we treat you. then, being poor, as most young people are, you avoid the bill, or declare bankruptcy. what a nice society

this is the way it has been for decades: the state and feds constantly reimbursing hospitals for unpaid bills so the hospitals don't go under. in other words, we already have universal healthcare, that you already pay for, i

              • by r00t (33219)

                There is that problem, yes. It is reasonable for the government to cover the cost of treating everybody who is unable to shop around for low prices and think about payment. The free market is broken if you have a bullet in your heart; there is no time to compare prices or decide if medical care is not worthwhile.

                For a broken arm, there is no reason you should get treatment without payment. It's not immediately life threatening, it doesn't impair your ability to phone doctors, and you can wait.

                Really, your c

• put your money where your mouth is, ignorant free market fundamentalist

                  you want hospitals to turn away people who can't pay?

                  • by r00t (33219)

                    you want hospitals to turn away people who can't pay?

                    Of course. It's unreasonable that they provide services for free.

                    Hey, I want a free pony too. With wings. And it farts rainbows.

                    I'm far from a free market fundamentalist. I recognize that there are times when a free market is impossible, I'm paranoid about the instability that leads to monopoly and too-big-to-let-fail situations, and I strongly support taxing externalities like pollution. Ordinary non-emergency health care can and should be much more of a free market than it is today.

                    When you are simply una

              • by TheLink (130905)
                Yeah.

                Taxpayers are already paying for other people's healthcare! They pay for the poor people who queue up in ER.

                It's just being done in one of the most inefficient ways in the Western World.

                And these fools don't want to fix it, and provide stupid reasons against fixing it.
        • by TheLink (130905)

          When the government takes money from other people to supply my healthcare, I get the same feeling. It's like shoplifting. It's in my interest, but it is wrong.

          Get a clue. It's in their interest too.

          Because the Government is ALREADY taking money from other people to supply your healthcare, it is just being done very inefficiently.

          When you are very sick/injured and have no money you go to ER (either yourself or via an ambulance/"good samaritan") at a state hospital and they will treat you using OTHER PEOPLE'S money.

          They don't just ignore you and let you suffer/die, because your country is still a _civilized_ society (it may not be true in the future but it still is

    • by Yvanhoe (564877)

      The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data.

      So... Criminals know about these but the general public that needs to protect itself is not informed. That is great work the governement is doing.

    • by gl4ss (559668)

      300 companies, so they could just as well be yelling the holes from the rooftops. where do they shop for the holes though?

      seems just like shammy attempt at pr and funding for the office that keeps this super secret hacker mega leet list.. which the companies that sign up for can't know what it has before signing up for it of course. of course they couldn't even limit it to just companies they want, so practically anyone would have access.

      this is a _business_ for cert australia. nothing more. cert is not sup

  • Your services are required. I expect the information to appear on Wikileaks ASAP.
  • by Anonymous Coward

    Tell people to fix these fucking "seekrit" bugs, and if they don't, make them public. Responsible disclosure. You have wankers who are on the tax payroll creating more paychecks out of the public dime for cyber "war" and fail to realize that if you just secure your fucking systems, then cyber "war" is just about impossible.

    • Well - maybe not "impossible" - but it would take a sophisticated and competent wanker to wage war against a properly secured system.

  • http://www.auscert.org.au/ [auscert.org.au] and http://www.cert.gov.au/ [cert.gov.au]

    http://www.auscert.org.au/render.html?cid=2 [auscert.org.au]
    "Formed in 1993, AusCERT is one of the oldest CERTs in the world and was the first CERT in Australia to operate as the national CERT, which it did until 2010. "

    As always governments don't like competition - in this case for security & secrets

  • They already banned squirters and small breasted women, it was only a matter of time before they were going to cover up sensitive holes.
  • Let's just say I know (not well personally, but mix in a crowd) a person who lectures and researches security at a university on the aus west coast.

    The guy has secret clearance, all of his net presence locked down, a great understanding of various technical and social engineering attacks. I don't know what he does in Canberra exactly but from all the talk of honeypotting I hear out of context I assume it likely to be AusCert.

    We really do have some genius sec people in this country. Heck, they even get paid

  • "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public"

What platform do these software holes run on, what indemnification do the end users get from the manufacturers of the software holes?

    "The agency has knowledge of security vulnerabilities that, if publicly disclosed, could grind significant elements of cyber crime to a halt .. the vulnerabilities may be more valuable if they are kept hidden and used as a means to track skittish cyber criminals"

    Tha

    • Solution: don't connect your air-conditioning system to the Internet .. :)

      Every time I see a slashdot post on network weaknesses with infrastructure I always see the line above. "Don't connect X to the Internet; problem solved". So here's a question, what do you mean when you say this? Do you mean make sure the network the air-conditioner is on is physically isolated from the Internet? Or do you just mean "isolated" via some router magic or other. I say this knowing that the situation on the ground is that there is hardly a network in any system that is physically isolated. Prett

      • > Do you mean make sure the network the air-conditioner is on is physically isolated from the Internet? Or do you just mean "isolated" via some router magic or other

IPsec running over IP tunnel running on embedded hardware would go a long way to defeating such breaches, that they don't implement such solutions owes more to incompetence and we-can't-be-bothered ..

        • Well, I think you'll find that they often can be bothered (in fact I know these guys take this stuff very seriously). If thats all you need to ensure the air-conditioner is secured, whats the problem?
  • Reality Check (Score:5, Informative)

    by AB3A (192265) on Monday April 11, 2011 @06:48AM (#35779908) Homepage Journal

    I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.

    Here are some facts on the ground:

    1. Yes, the software is out of date, and it is poorly reviewed. The reason is that the market is small, the deployment costs are huge, and it is difficult to differentiate the bad from the worse. The effort required to swap out SCADA or control system software make similar office operations look trivial.

2. Yes, the flaws are hard to fix. We design these things for safety, and reliability, first. We have an ethical duty to turn the CIA model upside down to become the AIC model. Security is often an afterthought. In any case, most of you probably do not realize that security for an industrial process is very different from security for an office. In an office, if the computer stops, the whole office process stops and that's it. Nothing more happens. In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not. In other words, unlike in an office, the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.

    3. Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down, and the new process can be safely validated to prove that it does everything that is expected of it. Getting this much time and attention from people takes significant down time. With the lean operations that most places run, that kind of downtime may not be available for an entire SEASON.

    4. Because of this, revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.

    5. Due to safety concerns, almost nobody will seriously consider an effort to spray patches to the field. Again, this is not the office. The penalty for getting things wrong could be deadly. Automated patching without careful testing on each stage of the process can be a firing offense in some companies.

    I believe that the theory that the Australian CERT is using is that by keeping some flaws quiet, they reduce the chance that others may develop script kiddie development kits. I honestly do not know whether this can work, but I give them credit for trying. It will be interesting to see what metrics they use to prove this effort is effective.

    Finally, please stop with the "industrial software is crap" nonsense. We engineers know that all too well; but there are no better alternatives. Would you like to see us go back to the days when everything was run with pneumatic controls or analog computers? I'll bet you wouldn't appreciate the prices you'd pay. If you like electricity and running water, find ways to write better software.

    • by Anonymous Coward
      I write SCADA software for one of the top 5 players (anonymous for obvious reasons). I resent your implication that the software is poorly written. I have worked for many different software companies, and the standard at this one is the highest of any of them. It must be; SCADA software is designed to run for many months at a time, flawlessly. SCADA software is infinitely configurable, and often includes a scripting language, which means that it cannot be statically verified (unlike a lift control system fo
      • Re:Reality Check (Score:4, Insightful)

        by AB3A (192265) on Monday April 11, 2011 @08:20AM (#35780452) Homepage Journal

        The truth is that the software industry marches forward at a much faster pace than we can deploy. Today's ultra reliable souped up cool stuff becomes yesterday's "what the hell were they thinking?" stupidity very quickly. In truth, it's not just about the code YOU write, it's the code that OTHERS write. They're making assumptions about your work and you're making assumptions about their work. Those assumptions are often wrong.

        From my perspective as an end user, I often can not see the dividing line between you and your component software companies. I often can not tell whether you're using VxWorks, an embedded version of BSD, or some small company's custom RTOS. So whatever you do to improve your code may be irrelevant if the host OS crashes. From where I sit, the end result is the same.

        That said, stability in most embedded OSs is usually pretty good. But the issue here is not stability. The issue is whether the software can stand up to even a mild attack. I once saw someone attack a SIL rated PLC with a LAND attack (names of guilty parties redacted to protect industry). The PLC curled up and crashed.

        I would like to be able to say better things, but I have seen otherwise. Sorry...
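AB3A's account above of a SIL-rated PLC curling up under a LAND attack, combined with the earlier point that a field device may go a whole season without a patch, is the kind of failure mode that is better caught in front of the controller than inside it. What follows is an added example, not code from this thread or from any vendor: a Python checker for the LAND signature (source address and port equal to destination address and port) run over constructed IPv4/TCP packets. The PLC address 10.0.0.5 and the Modbus/TCP port 502 are assumptions for the sample traffic, which is built inline.

```python
"""
LAND-packet detector over raw IPv4+TCP header bytes.

Added illustration for the discussion above, not code from the thread or
from any SCADA vendor. The sample packets are constructed inline; the PLC
address (10.0.0.5) and Modbus/TCP port (502) are assumptions.
"""
import struct
from typing import List, NamedTuple


class FourTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_ipv4_tcp(pkt: bytes) -> FourTuple:
    """Decode just enough of the IPv4 and TCP headers to return the 4-tuple.

    IPv4 options are skipped via the IHL field; anything that is not
    IPv4-over-TCP raises ValueError so the caller can ignore it.
    """
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    version_ihl = pkt[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if pkt[9] != 6:  # protocol field: 6 == TCP
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return FourTuple(src_ip, src_port, dst_ip, dst_port)


def is_land_packet(pkt: bytes) -> bool:
    """A LAND packet carries identical source and destination address and port."""
    t = parse_ipv4_tcp(pkt)
    return t.src_ip == t.dst_ip and t.src_port == t.dst_port


def scan(packets: List[bytes]) -> List[FourTuple]:
    """Return the 4-tuples of every packet matching the LAND signature."""
    hits = []
    for pkt in packets:
        try:
            if is_land_packet(pkt):
                hits.append(parse_ipv4_tcp(pkt))
        except ValueError:
            continue  # not IPv4/TCP: out of scope for this check
    return hits


def build_ipv4_tcp(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                   flags: int = 0x02) -> bytes:
    """Build a minimal IPv4+TCP SYN (checksums left zero) as constructed input."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,  # v4, IHL 5, len 40, TTL 64, proto TCP
        bytes(int(x) for x in src_ip.split(".")),
        bytes(int(x) for x in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0,
    )
    return ip_hdr + tcp_hdr


# Constructed sample traffic: a normal SYN from a workstation to the assumed
# PLC at 10.0.0.5:502, then a LAND-style SYN that claims to come from the
# PLC's own address and port.
SAMPLE = [
    build_ipv4_tcp("10.0.0.20", 40000, "10.0.0.5", 502),
    build_ipv4_tcp("10.0.0.5", 502, "10.0.0.5", 502),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("LAND packet toward controller:", hit)
```

A check like this belongs on a tap or in the firewall in front of the controller, where a rule can be added in an ordinary maintenance window that the PLC itself may not get for months; it does nothing to make the PLC's own TCP/IP stack more robust, which is the point AB3A is making.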

    • by Anonymous Coward
      I do mission-critical safety and security systems for aviation.

      We have an ethical duty to turn the CIA model upside down to become the AIC model.

      The CIA Triad itself isn't inherently weighted to value one principle over another. You make the differentiation between the office process and industrial by saying:

Yes, the flaws are hard to fix. We design these things for safety, and reliability, first.... In an office, if the computer stops, the whole office process stops and that's it.... In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not.... If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.

      I'm assuming you're saying that safety and reliability is more important than security? How can you possibly treat a known and reproducible attack vector as anything less than a safety and reliability issue? I just don't understand this logic, security issues should be treated just

    • > I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.

      What development platform do you use?

      > the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.

I don't even understand this bit or else you're just talking techno waffle and I've worked in this industry for

  • by erroneus (253617) on Monday April 11, 2011 @07:16AM (#35780020) Homepage

    This is complete irresponsible nonsense. "... the bait..."? Really?

    First of all, this is called honeypotting but without the benefit of actually having complete control over the monitoring, logging and the PCs to be compromised... oh wait... maybe they do. I wonder if the rest of Australia is okay with their government withholding information and using them as "bait" while at the same time not being particularly capable of a wide-spread law enforcement activity?

    Someone didn't think this stuff through before they said it.

• What a bunch of lunatics thinking they are so omnipotent in their "secret" knowledge they can outsmart everyone by being so secretive. The only real benefit to this that I can see is that (presuming they are able to be as secretive as they claim, a big if) the obvious inevitable downsides to this strategy will not be obvious to the public because they are secret. Basically, by taking the whole world off their bench and pretending to be able to do the work of the wider public in secret they will inevitably
