AusCERT 2012 Day 1: Is security growing up at last?

“Too much law, too little tech” is one way of viewing today’s output from AusCERT 2012 – except for two things.

The first is that the delegates don’t seem to have seen it this way. Nobody seemed to doze off early this afternoon after even the third session with a predominantly legal focus (Nick Abrahams of Norton Rose following Bill Caelli following Robert Clark).

So something’s happening: the kind of content that would once have drawn cat-calls from a security conference now gets engagement.

And that brings me to the second consideration: that the security sector is growing up at last.

This author happened to be present at the Interop in San Francisco, some time in the mid-1990s, that saw the launch of a now-venerable, then-startup company called Checkpoint; and for many of the intervening years, security has wanted to isolate itself into siloed discussions of technology, nearly divorced from the rest of the world.

That attitude still exists. It’s still possible for a company like Pirate Pay to create what is, essentially, a denial-of-service tool specific to BitTorrent hosts, for Microsoft to provide funding for the venture, and for media outlets to completely ignore the legality of a deliberate disruption to a computer’s ability to communicate.

Strong delegate interest in legal issues arguably hints that the world outside – the real one, where people have to protect systems and worry about consequences, and where buying another newer box won’t fit in the budget and won’t solve the problem – is maturing faster than the tech press has noticed.

So it is that Robert Clark could give a pedantic and legalistic definition of “cyber attack”, and explain why Stuxnet doesn’t fit the bill; that Bill Caelli could invoke 19th century warfare and not experience walkouts; and that people didn’t attend Nick Abrahams’ talk merely because it had the word “cloud” in the header.

The security industry is growing faster than the media’s understanding of it; [not only academic or advocacy interest].

Let’s return to Pirate Pay, for example. It represents, in part, some of the concerns that Caelli was raising: the victim of some kind of attack (in the case of rights-holders, an attack on the exclusivity of their content – ignoring, of course, the ongoing debate over copyright and the Internet) has no legal right to self-defence.

If I threaten to strike you over the head with a stick, you have the right (under NSW law, at least) to self-defence beyond merely asking the attacker to desist. You can try to defend yourself by grabbing the stick, breaking the stick, or using sufficient reasonable violence to prevent the attack.

The various computer crimes acts in Australia don’t even consider the notion of a proportionate response to an attack. The computer crimes laws in the various states and at the national level merely make all interference with a communications network illegal. Even if my target is a computer that’s being used to launch traffic against me, my hands are tied: the attacker can use a stick, and I cannot even use my bare hands to defend myself.

And this goes all the way from the individual up to the company up to the country (at least, in the absence of policies and international agreement).

Nobody solved the problem today; but an industry that is showing serious interest and engagement in these issues is far, far more mature than the security business I first encountered 16 or 17 years ago.

Of course, treating the legality of self-defence as a serious issue is one thing: what of the morality of counter-attack?

Nobody, I suppose, would argue in favour of the botnet or tell me that Microsoft was morally wrong to shut down a botnet.

BitTorrent is more problematic, since you must assume that the content you’re killing is infringing content.

Before we assume the right to a counter-attack, we assume the responsibility to be a lot more sure of our facts. The level of proof that (for example) AFACT presented to iiNet was never considered to be “sufficient” by any Australian court to justify what AFACT wanted – the disconnection of users. That level of proof should not, then, be considered adequate to justify attacks on end users.

In the AusCERT opening keynote this morning, Mikko Hypponen of F-Secure told delegates that Chinese hackers use VPNs to obscure their origin – in other words, attack traffic may “originate” from Washington or Indonesia, Britain or Australia, but have its real source in China.

Well and good: but achieving that level of knowledge of the traffic demanded considerable time and effort. One hallmark of an effective counter-measure is that the deterrent needs to be deployable quickly. A gun that takes months to aim is a gun that’s too slow to use.

So the “good guys” could easily find themselves caught between legal and moral niceties and the need for speed. But it’s a much more mature debate than the solipsistic technical discussions of years gone by.

Full coverage for the next 3 days from @CSO_Australia #Auscert2012

