Who's really at fault?

There is a lot of discussion currently taking place regarding a recent report that was tabled in the Australian Parliament. The report is entitled, "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime".


Many people discussing this report refer to the sections that indicate that individual home users should be responsible for protecting themselves, and should be disconnected by their ISP if they fail to do so.

As the report's authors are undoubtedly aware, this kind of recommendation leads to a slippery slope where users are effectively held responsible for situations and actions that are outside their ability to control: a home user has no practical way to audit the software on their machine, patch a zero-day, or detect that a botnet client is running quietly in the background.

DotSec has delivered presentations that describe how users can be unfairly burdened in this way. Feel free to download the presso.

Bjorn's identity

Once again, DotSec were proud sponsors of the AusCERT information security conference.

The event was great, and provided a good opportunity to catch up with past colleagues and discuss a range of topics.

We gave a presentation entitled, "Bjorn's identity" (very witty, I'm sure you'll agree :-) but which also could have been entitled, "Identity Management at Queensland Health: A True Story!"

The presentation described a couple of things:

First of all, it described how DotSec, Queensland Health (QH) and Australian and overseas publishers have successfully implemented SAML-based Identity Management (IdM) for the variety of resources that make up the Clinician's Knowledge Network (CKN).


The presentation gave an overview of what CKN is and does, the goals for IdM within the CKN, and the benefits that have resulted from having implemented the CKN IdM infrastructure.

The presentation also outlined some of the tricks and traps that were associated with the deployment, and some of the options for CKN and IdM in the future.

Of course, no presentation is much fun without live, on-line demos, so we connected our laptop to the WLAN and ran a couple of demos against the servers back in Brisbane. The demos showed, among other things, how Dr Bjorn could rely on the underlying IdM infrastructure for Web Single Sign-On (SSO) and Single Log Out (SLO): one login at the identity provider gave him access to each CKN service provider, and one logout terminated the sessions at all of them.

That was neat enough, but for the real meat we showed how Bjorn could share private information across servers in different domains, in a controlled way. Our demo servers used DotSec's SAML-based IdM infrastructure and Google's Google Apps authentication infrastructure. Demo applications were hosted on servers within both environments, and both were able to exchange Bjorn's calendar information securely and in a controlled way, using SAML for federated authentication and OAuth for delegated, user-approved access to the calendar data. The point worth noting is that the application in the second domain never saw Bjorn's password: it received only the assertion and the access token that Bjorn (and the policy) allowed it to have.

Please feel free to download the presentation slides and to contact us if you have any questions or comments.

Previous topics:

Links to topics that have been discussed over the previous months:

The "SSL is hacked/broken/compromised" story is, as told by most "news" sites, an alarmist and information-free beat-up, made by people who should know better! They mix up 4 different risks, 2 protocols and a good dash of FUD, and bake us up another Henny Penny headline that only serves to confuse people further!

"Internet Banking Is Dead!" is a short presentation that DotSec was proud to deliver as part of the QUT FIT Industry Working Breakfast series.

DotSec conducted demonstrations using Shibboleth to bust the myth that privacy must be sacrificed in order to achieve strong security.

Surely there are more valuable targets out there for attackers to chase after? Why on earth would any attacker target my business?

Greeting-card and other phishing attacks are often multi-faceted, and many rely on vulnerabilities in applications that are commonly used as plugins by the user's web browser. Here is a short overview of some of the techniques used; it may prove useful to you.

Spam, spam, more spam. Most of it is boring, so why was this email interesting? Read on and see what you think.

"Holistic, or full of holes? PCI, HIPAA and experiences in implementing secure computing systems". Feel free to check out the abstract.