AusCERT 2008: A Feast for the Senses
June 19, 2008
Q-CERT recently sent a representative to AusCERT 2008, this year's
instantiation of AusCERT's annual conference, one of the most
important information security conferences in Asia and the world. The
conference organizers have an interesting strategy for maintaining
excitement at the show: hold it in a venue that is too small. The
vendor booths are packed into the foyer outside the auditoriums,
creating a noisy, bustling space that energized even the most jaded
conference-goer.
As one might expect from a country as vast as Australia, the scale
of the conference was impressive: around 1,000 attendees, 80% of them
from Australia itself. More than 150 vendors competed for a limited
number of booths: so many, in fact, that there was actually a
fresh crop of vendors after the conference officially closed, on the
normally languid tutorial days.
The range and quality of the presentations were equally
impressive. The theme of this year's conference was "Security,
Privacy, and the Internet Citizen," and many speakers touched on the
uneasy balance between security and the rights of the end user. A
small, random selection of talks that were especially memorable:
- Alexander Seger presented a nice talk on the Council of Europe's
Convention on Cybercrime, which is rapidly becoming the de
facto global standard for legislation on information security. Now
endorsed by 44 countries, the convention has grown far beyond its
European origins.
- Ahmad Almulla gave an inspiring overview of how Dubai Aluminum
Company transformed its business when it embarked on an ISO 27001
information security process improvement project.
- Morgan Marquis-Boire gave a wake-up call about the security of
SCADA systems. As was argued in a
previous article, the days when we could assume that SCADA systems
were safe because they were not connected to the internet are
over.
- In "Things that Make Us Dumb," industry gadfly Peter Gutmann gave
an insightful analysis of the psychological problems that lead to many
information security issues.
- Bill Cheswick, from AT&T Research, gave a sobering analysis of the
sad state of passwords today, and a depressing critique of some
current proposals to improve the situation.
- The head of Nigeria's Economic and Financial Crimes Commission
(NEFCC) gave a perceptive and occasionally amusing analysis of how
Nigeria became synonymous with cybercrime. He drove home the fact that
Nigerian cybercrime is a cottage industry, and he drew laughter from
the audience when he showed photos of hackers trying to escape one of
the NEFCC's raids by climbing through the roof of the internet cafe
they were using.
- David Rice gave a rousing call to arms against what he calls Geekonomics: "the
astonishing lack of consumer protection in the software market and how
this impacts economic and national security."
- Two speakers from MITRE gave a nice overview of vulnerability
theory and the research they are doing in understanding how to
eliminate vulnerabilities from software. One encouraging development
is that MITRE is working with universities to get the fundamentals of
vulnerability analysis into courses on computer programming.
The conference was remarkable in striking the perfect balance
between vendors and researchers, Australians and visitors, and
business and technology. One interesting feature of the conference was
the use of interactive hand-held voting devices that allowed speakers
to gather real-time information from the audience. For example, one
speaker was appalled to learn that 44% of the attendees still allow
their credit cards out of their sight while paying for meals in
restaurants.
To make the conference even more exciting, the vendors supplied an
astonishing quantity of marketing gizmos, all the way from
one-time-password keychains to blinking ice cubes to sales reps
dressed up as British Bobbies to a blimp that shot ping-pong balls
down at the crowd.