The Australian Government is trying to unify its cyber-security policy by bringing cyber-security into the portfolio of the little-known National Security Resilience Policy Division, part of the Attorney-General's Department. The Australian IT article linked above paints this primarily as a response to espionage and cyber-warfare mounted by sophisticated foreign government intelligence agencies. This is an unnecessarily narrow interpretation: on the Internet, small interest groups, organised crime and even individuals can mount attacks with national security implications.

One possible direction for the Attorney-General's Department is mapped out in the Estonian Cyber Security Strategy document released last year. Published in the wake of crippling nation-wide infrastructure denial of service attacks, Estonia's document is a sound and well-informed broad national security policy that Australia might do well to emulate.

The classification.gov.au website was defaced today, doubtless through a vulnerability in the content management system used to maintain the site. The tone and content of the defacement make it pretty clear that this was not just a random script kiddie:

[Image: screenshot of the classification.gov.au defacement (image mirrored from here)]

Given the controversy surrounding Australian censorship and classification bodies recently, an attack like this is not surprising. The responsible risk manager should have been aware of the clear spike in hostile intent towards these web properties once the negative publicity started. It would be interesting to know whether an independent assessment was commissioned to try to pre-empt this type of PR disaster.

The site was taken offline soon after the compromise became public, and at the time of writing is still down.

TippingPoint sponsors an annual browser security contest called Pwn2Own, where the first security researcher to compromise a platform through a browser exploit gets to take the system home. This year's browser targets were IE8, Firefox and Google Chrome running on Sony VAIO laptops, and Safari on a MacBook. Safari fell pretty much immediately, and Firefox and IE8 followed soon afterwards. The only survivor was Google Chrome, which might be a good argument in favour of Google's approach to browser security: pages and browser components are segregated from each other in separate operating system processes, so a compromised renderer does not automatically give an attacker the rest of the browser.

One fascinating tidbit was this interview with Charlie Miller, the researcher who created the Safari exploit. There are a number of interesting points here. It's pretty clear that the idea that vulnerabilities have (and should have) a market value is now firmly entrenched among many top security researchers. When asked whether he had thought of providing details of his exploit to Apple, he responded thus:

I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs.

Here at Nullcube we still think that notifying vendors of problems in their software is a laudable public service, but perhaps we're out of touch. Miller's assessment of the relative difficulty of compromising the various platforms on offer is also worth reading.

As part of the contest rules the vulnerabilities become the property of TippingPoint, so no details on the exact problems have been released.

Google recently confirmed that a bug in their Docs service had exposed documents to unauthorized users. There is no official word on how long the problem continued before it was fixed.

This lapse is surely a sign of things to come. The momentum behind migration into the cloud can only increase in the next few years: hosted services are now in the rare position where their offering is often both cheaper and better than the competition. However, this compelling business case is counter-balanced by a complex set of security considerations. A scenario like the Google Docs problem, where confidential information hosted in a service cloud is exposed, is the most obvious concern.

Ultimately, the risk involved in pushing data into the cloud hinges on one difficult question: what is the likelihood that a problem like this will affect your data? Direct assessment is usually out of the question. The infrastructure involved is deliberately opaque to users, and can usually not be subjected to inspection and testing. Also, online services are continually updated, so an assessment made today could be out of date tomorrow. The unsatisfactory result of all this is that organisations will usually have to fall back on a simple analysis of publicly released vulnerabilities to come to a conclusion on the security of a cloud service.

As the large-scale migration to the cloud continues, we can expect many more high-profile missteps in the next few years.

A Sophos researcher has found that the randomly generated domains the Conficker botnet will be connecting to during March include a number of legitimate websites. Conficker has already claimed a number of high-profile victims (including the UK Ministry of Defence) who neglected to roll out the Microsoft patch that fixes the vulnerability it uses as its primary infection vector. Its next set of victims is simply unlucky enough to own a domain the worm will stomp on.

The Nullcube Blog
Moves are afoot to unify Australian cyber-security policy (07 Apr 09)
Cyber-security is being brought into the portfolio of the Attorney-General's Department, in an effort to unify Australian security policy
classification.gov.au defaced (27 Mar 09)
The classification.gov.au site was defaced today.
There can only be one (24 Mar 09)
The 2009 Pwn2Own browser security contest has come and gone, and there was only one survivor...
The perils of the cloud (20 Mar 09)
The recent security lapse in Google Docs is a sign of things to come.
Conficker calls home (03 Mar 09)
The Conficker botnet will be connecting to a set of randomly generated domains during March, including a number of legitimate websites
Copyright © 2009 Nullcube. All Rights Reserved.