Movember video!

26 11 2008

Do I need to write anything?

Oh yes... please donate! Do it now, click here.





Do you also hate telemarketers?

18 11 2008

I don’t think we have this type of problem in Australia, especially with the Spam Act, but in the US the issue with unsolicited calls seems to be pretty bad.

While uploading some videos to YouTube I came across this video, showing how one guy got back at them.

Enjoy!





Fraud Numbers in Australia. Are we secure?

12 11 2008

“UPDATE: Arno Brok, who works with me at Accenture, has just sent me this interesting article about a new credit card that is being developed and tested in Australia.

Thanks Arno!”

The Australian Bureau of Statistics published in June this year its Personal Fraud Survey, which was conducted between July and December 2007.

There are some very interesting numbers:

- A$ 615 million were lost due to credit card fraud in Australia last year;
- The median, or most common loss was A$ 450 per person, but the mean loss was over A$ 2,000 per person, and 3 percent of victims lost over A$ 10,000;
- 75.5% of people targeted reported the loss; and
- 57,800 of 383,300 people were defrauded by phishing scams.

It is the first time I have seen this type of information shared with the public. Banks around the world do not generally make their internal statistics on fraud public. One of the reasons is the potential loss of confidence from customers and the market.

It is as simple as that: banks and other businesses make multi-million dollar savings by automating services to customers. Those savings come, for example, from fewer staff and fewer branches/tellers. Also, many consumer retailers have moved into the online selling world, where you can save a significant amount by minimising stock and the costs related to brick and mortar stores.

For all of this to work, consumers need to be confident in using the system. A consumer will not send his/her credit card information online if he/she knows that it is going to be stolen and subject to fraud. Andrew Wallis, a Gartner Analyst, said the following in the Sydney Morning Herald edition of 7 October 2008:

“It’s a classic thing. How do you get people moving into something? Well, you don’t tell them it’s dangerous. You don’t mention the negative side. You’ll extol the virtues and benefits”.

And that’s what banks have been doing. There is now a sense that online transactions are secure!

I beg to differ… if 5% of the Australian population aged 15 years and over suffered some type of fraud over the last 12 months, then I would say that it is not that secure. However, we do have to look at it from a risk point of view.

From the banks’ perspective: if they spent A$ 615 million, would they bring the amount of fraud in Australia to zero? Is it sensible to assume that A$ 615 million is the acceptable risk banks are willing to take, paying customers back (as they do) so that they keep their confidence in the system?

I’m not saying that banks should not invest in controls to address fraud. As a matter of fact, I think it is the right thing to do. One example is the ANZ Falcon, which not only mitigates the risk of losses due to fraud but is also a marketing tool for ANZ credit card services. However, there is a limit to how far you can mitigate the risk – there will always be a residual risk.

From the customer perspective: all we are worried about is not losing money, so as long as the banks are paying for the fraud we should be happy.

Banks might not pay customers in some isolated cases of misuse; however, I believe that they will keep paying for most fraud as a cost of doing business, because the savings from automating transactions and increased credit card usage will cover most of these expenses.

Banks will also keep investing in implementing fraud countermeasures, but the residual risk will always exist and, as long as the banks are paying for it, consumers shouldn’t be worried.

 





SaaS (Software as a Service) Risks

7 11 2008

There’s been a lot of discussion recently around Software as a Service, or SaaS. Although some may say it is a new concept, SaaS has been around for some time – since 2000, I believe – and used to be referred to as ASP, or Application Service Provider. The idea seems to be working well: IDC recently forecasted that worldwide spending on SaaS will reach $10.7 billion by 2009.

The need for SaaS has evolved from the increasing licensing and maintenance costs of applications, which became prohibitive for some organisations. The cost of upgrades is also avoided, as the business model under which SaaS providers operate implies a periodic (usually monthly) payment instead of traditional application licensing. Further to this, SaaS providers run the software on their own infrastructure (hardware, operating systems, network, etc.), avoiding other costs of infrastructure, datacenter operation and maintenance. Most SaaS providers also offer 24 x 7 technical support, physical and electronic security, and built-in support for business continuity.

SaaS can be defined simply as a pay-as-you-go outsourcing model where your internal application is hosted, managed, maintained and operated by a service provider across the Internet.

Of course, such an arrangement has its challenges. Customers relinquish control over software versions and changing requirements; moreover, the cost of using the service becomes a continuous expense, rather than a single expense at the time of purchase.

SaaS also has the same fundamental risks as outsourcing, as the client data is stored and processed by a third party. There are some interesting articles and checklists available on the subject. Some of them include:

- Gartner “Critical Security Questions to Ask a SaaS Provider”
- Financial Industry Shared Assessment Program (a third-party review questionnaire developed in the US to assess third-party service provider security in line with ISO 27002)

I have also written an article for SANS about outsourcing which might be helpful. You can find it here.

The key thing for organisations considering SaaS is to perform appropriate due diligence over the provider. This means that, in order to mitigate the inherent security risks of outsourcing, the organisation needs to get assurance over the ability of the SaaS provider to support its business requirements and over the controls that exist in the provider’s environment.

There are auditing standards that can help, such as SAS70, which brings some assurance and comfort over a third-party service provider’s controls. However, these are just a start when an organisation is considering SaaS and are not sufficient to ensure that business requirements will be consistently addressed.

For a comprehensive assessment, an organisation should consider a decent baseline. A good start is CobiT and APRA. Also, consulting companies such as <selling hat> Accenture</selling hat> have frameworks to perform such assessments for a fee. :-)

Hope you find the post useful. I am still reading about the topic, so would appreciate your comments with your views on SaaS and experiences with providers.





Clean-shaven photo

3 11 2008

Dear all,

Second day of Movember and my mo is growing slowly. As promised, below is a clean-shaven photo from this Saturday, 1 November:

The Movember website wasn’t accepting donations for a while, but it is back online. If you can donate, please do at this address.

Thank you for your support!

All the best,

Daniel





Movember is back!

28 10 2008

I am not sure you have heard about Movember, which is an annual charity event held during November to raise money to benefit men’s health – specifically prostate cancer and male depression.

At the start of the month guys register with a clean-shaven face. The Movember participants, known as Mo Bros, have the remainder of the month to grow and groom their Mo. Mo Sistas (ladies who support their guys or just love Mo’s!) also support the Mo Bros and help to raise funds.

So, during Movember (the month formerly known as November), I’m growing a Mo. That’s right… I’m going to look ridiculous but I believe it is for a good cause.

Men lack awareness about the very real health issues we face. There is an attitude that we have to be tough – “a real man” – and are reluctant to see a doctor about an illness or go for regular medical checks. Movember aims to change these attitudes and make men’s health fun by putting the Mo back on the face of fashion and in the process raise some serious funds for key men’s health issues, including:

- Prostate Cancer: because every year 2,900 Australian men die from prostate cancer and over 18,000 men will be diagnosed with prostate cancer.
- Depression in Men: because one in six men experience depression at any given time but most don’t seek help.

To donate to my Mo you can either:

1. Click this link and donate online using your credit card or PayPal account, or
2. Write a cheque payable to ‘Movember Foundation’, referencing my Registration Number 1421956 and mailing it to:

Movember Foundation
PO Box 292
Prahran VIC 3181

Remember, all donations over $2 are tax deductible.

The money raised by Movember is used to raise awareness of men’s health issues and donated to the Prostate Cancer Foundation of Australia and beyondblue – the national depression initiative. The PCFA and beyondblue will use the funds to fund research and increase support networks for those men who suffer from prostate cancer and depression.

Hope you can contribute!





The Coolooli

20 10 2008

This weekend I joined some friends to dive the Coolooli. The shipwreck is a bucket dredge that was sunk in 1980 as an artificial reef and now lies at 48 msw.

Trip from the Coolooli to Rose Bay Wharf plotted on a map

The wreck location is roughly in front of Dee Why Beach, in the northern suburbs of Sydney. It is a great spot for technical divers to train and a great start to the day.

I usually dive on the Scubaroo, the boat owned and manned by our French friend Yves, one of the funniest skippers in Sydney. The ride to the site takes about 45 minutes, as it is approximately 8 miles away from the pickup point at Rose Bay Wharf. The boat normally leaves at 6:45 in the morning, so I usually have to mind the drinks on Friday night.

The trip to the site is stunning, with the sun rising on the horizon and the sight of the heads while going outside of the Sydney Harbour.

The dive is always good, even when it is murky at the surface. The bottom rarely has less than 8 metres visibility (I have dived there at least 5 times and never got less than that), with an average of 15 metres. As the wreck was cleaned before sinking, there is heaps of space for penetration. You can easily get in at the bottom and make your way through the wreck to exit close to the line at the shallowest point, around 36 metres.

Due to the depth, I dive with Trimix and recommend other divers do the same. Also, as decompression is required, proper tech diving training is strongly recommended. Further to this, the use of a dry suit is a good idea, as the dive run time can be as much as one hour in 16°C water during the summer (it was 14°C at the bottom yesterday).

You can find more information about the Coolooli on the Michael McFayden website, which is a great source of general information about Sydney diving.

Also, I have embedded below a video from Andrew Cronan that was shot with the DiveFrontier crew. These guys are a group of GUE certified divers in Sydney who are involved in a number of interesting diving projects. But this is a topic for a future post… :-)





Problem solved! No more foil needed in your pocket!

10 10 2008

When I sent an e-mail to friends and colleagues about reactivating the blog, some of them wrote to me asking about privacy and RFID.

RFID wallet has a Faraday cage embedded in it!

While getting up to date on the topic I found something amusing. The “Think Geek” website is selling a “RFID Blocking Wallet”, which is like a normal wallet but with a Faraday cage embedded in it. This way any RFID chips in your credit cards or ID are protected against readers that might try to get personal information without your knowledge.

Although I am not buying one (I don’t have any RFID-enabled devices in my wallet), I couldn’t help finding it an interesting gadget for paranoid geeks. And don’t we all have a bit of paranoia and geekiness?

More info at the Think Geek Website

Update: They also have a passport holder that blocks RFID! This one seems a bit more useful to me! :-)





Pissed off Engineer

9 10 2008

One of the things that I hate about some professionals, such as doctors, IT professionals, lawyers and economists, is their tendency to speak about their areas of knowledge using very specific acronyms and terms, making simple concepts impossible to understand.

My father always said to me that a good professional can make complex things seem simple and easy. A good example is gymnasts, who make all those pirouettes seem very easy… as if they didn’t spend weeks or months to master each one of those moves.

When I first saw the cheque below, I wondered if this engineer wasn’t pissed off with the same thing. I loved the way he was mathematically correct and at the same time gave a hard time to whoever got the cheque (and the bank!).

Absolutely loved it! Hope you guys enjoy it as well…





Yes… I’m back!

8 10 2008

Dear readers,

I was thinking about the reasons it took so long to post again and, besides arriving at the conclusion that having a blog is just too much work, I think that maybe focusing the topic of the blog too much on Information Security might be the problem.

So I decided to give it a try and open up the topic a little. Maybe if this becomes a space to publish information about some of my passions, my posts will be shorter, more relevant and more frequent.

To start I have added a quick video from my trip to Truk Lagoon and Palau. As some of you might know, this is one of the top diving destinations in the world and I had the pleasure of diving some of the most amazing shipwrecks around.

Well… hope you enjoy it and welcome back to my blog!