Monday, February 01, 2010

Detecting Bombs in Air Cargo

Dr Yi Liu described the CSIRO Air Cargo Scanner and its Development and Commercialization at ANU today. Surprisingly, this was developed by a group of researchers who previously worked on analysing minerals in mines and processing plants. That work used neutrons, X-rays and other techniques to discover the chemical composition and shape of minerals at a distance. The experience was applied to detecting bombs and illicit materials in air cargo. This is more difficult than for normal airport luggage, as the cargo containers are much larger and can contain a clutter of different materials. The work started in 2002 and a prototype was produced in 2005, with the product now commercialised by Nuctech.

Neutrons can be used to detect the composition of a material, but not its density or precise shape (20 mm x 20 mm resolution). X-rays can be used for density and more precise shapes (5 mm x 5 mm) but not composition. A combination of the two scanning techniques is therefore used to identify both the shape and composition of materials.

The Mark II scanner is at Brisbane Airport. The device has a concrete shield for safety. Cargo containers travel through the scanner on a conveyor. The system produces a combined false colour image. In a demonstration image the rubber of a motorcycle seat shows as red and the oil in the sump as green, while the metal is black. The operator sits at a normal office desk and views the images on a computer LCD display. The unit is not intended for scanning people or animals, but even so the radiation is at a safe level.

The commercial version from Nuctech works essentially the same way as the prototype, but has improvements: a quasi-3D display, a dual energy X-ray system and a water radiation shield. The unit has 960 fixed neutron detectors (signal levels are too low to use a moving detector). The X-ray system has two detectors 9 degrees apart for each X-ray source, to provide some three dimensional information.

Future work is on automatic highlighting of suspicious objects in a container, use for sea and land containers, and better neutron sources and detectors.

One suggestion I made at the seminar was automatic matching of the manifest to the material detected. Modern manifests are in machine readable format, so the computer system could work out what proportion of materials should be in the container and compare this to what is detected by the scan. The computer system could also look for suspicious similarities between different containers, even those entering at different ports. Also air containers have transparent sides. An optical scanner could also be used (perhaps using infrared). A high resolution optical scanner could be used to recognise any writing on the contents and use this in automated or manual analysis. Analysis could include use of open source analysis, such as information from the web.

Tuesday, January 26, 2010

CSIRO Air Cargo Bomb Scanner

The "CSIRO Air Cargo Scanner" is a new device for detecting illicit and dangerous cargo. It combines X-ray and neutron scanning to detect combinations of metallic and organic compounds, including bombs. There will be a seminar on the CSIRO Air Cargo Scanner Development and Commercialization at ANU, 2pm, 1 February 2010:

COMPUTER VISION AND ROBOTICS SERIES

CSIRO Air Cargo Scanner Development and Commercialization

Yi Liu (CSIRO Process Science and Engineering)

DATE: 2010-02-01
TIME: 14:00:00 - 15:00:00
LOCATION: RSISE Seminar Room, ground floor, building 115, cnr. North and Daley Roads, ANU

ABSTRACT:
CSIRO has developed world first technology combining neutrons and X-rays to present and detect the composition as well as the shape and density information of objects in air cargo. This technology will help Customs to detect contraband and threats hidden in consolidated air cargo more easily.

The presentation will briefly introduce the principles of the technology and the scanner system development. The scanner has been successfully commercialised with a Chinese security equipment specialist - Nuctech Company Ltd.

BIO:
Dr Yi Liu obtained a B.Sc. degree in Applied Mathematics from Zhongshan (Sun Yatsen) University, Guangzhou, China in 1982. He then worked at the Control Theory Research Laboratory, Institute of System Sciences at the Chinese Academy of Sciences (in Beijing) for 3 years before moving to Australia for further education. He obtained his Ph.D. degree in Systems Engineering from the Australian National University, Canberra in 1989. After a short stay in the Mathematics Department, University of Western Australia as a research officer, he joined CSIRO in 1990 working in the areas of On-line Analysis and Control.

Dr Liu's main research interests have been in the areas of signal processing, artificial intelligence, process modelling, control and optimisation and their applications for mineral and energy industries. And more recently, he has been working in the areas of image processing and pattern recognition and their applications to air cargo security scanning. The CSIRO Air Cargo Scanner has been successfully commercialised with a major overseas security company.

Dr Liu was a co-recipient of the IEE (London) Kelvin Premium best paper award in 1989, the CSIRO Medal for research achievement in 2006, and the Eureka Prize for outstanding science in support of defence or national security in 2009.

Friday, January 15, 2010

Australian Cyber Security Operations Centre

The Australian Defence Department officially opened its Cyber Security Operations Centre (CSOC) at the Defence Signals Directorate in Canberra today. CSOC is for Defence needs; there is also "CERT Australia" for the rest of government. I was interviewed by Channel Ten News about this today at ANU, but the interview strayed into a discussion of Google's allegations of hacker attacks from China.

Unfortunately the Australian Government chose to set up its own new Computer Emergency Response Team, rather than support the existing non-government AusCERT. The Government also chose a confusingly similar name for its new centre. The new centre appears to consist of little so far, apart from the pre-existing Australian Government Computer Emergency Readiness Team (GovCERT.au).

Thursday, January 07, 2010

RFID Blocking Wallets For Contactless Smart Cards

New passports, transit tickets and bank cards now contain radio frequency identification (RFID) chips. Those worried about this can buy an RFID blocking wallet, but it is not clear how effective these are.

The National Australia Bank (NAB) and Commonwealth Bank have distributed Visa payWave cards which use contactless Near Field Communication (NFC). For small payments of up to $100, the card is simply held within a few cm of the merchant's device to make a payment. No signature, PIN or keypress is required. This will be particularly useful in situations like public transport fares; the Victorian, WA and Queensland transit tickets use similar technology.

According to reports, millions of these cards have now been issued in Australia. Some may be worried about the security of the system, with the risk that private data could be read by someone passing with a reader, or that unauthorised payments could be made. The cards are designed to communicate only over a few cm, but the risk remains. There is also the possibility that a terrorist could design an Improvised Explosive Device (IED) to target those carrying the cards, triggered by the response of a particular card, type of card, or any card.

Monday, December 14, 2009

Supercomputer from game console components

Greetings from the famous room N101 at ANU, where Wayne Luk from Imperial College London is talking on "A Heterogeneous Cluster with FPGAs and GPUs". He started by apologising that the talk would not be polished, as the work is very new and they are just starting to get results. He then gave us a quick tourist's guide to Imperial, which is near Kensington Palace and the Albert Hall. He argues that techniques for embedded systems could be applied to high performance computing. This is counter-intuitive, as embedded computing is usually used for low cost, small scale computing in consumer goods, whereas supercomputers have been made from high cost, high performance custom components.

The concept is that an application written in a conventional programming language would be compiled partly into code for a conventional processor and partly into configuration information for customisable chips. This could be used for applications from supercomputers to distributed applications using "smart dust".

The application would use Field-programmable gate arrays (FPGAs). These are now used in consumer equipment, such as LCD TVs. FPGAs are very efficient in terms of cost and processing power per unit of energy used, but programming them is complex. FPGAs have high speed serial interfaces which allow them to be used together; examples are the Stratix III and Stratix IV. Imperial have produced an 8 x 8 "cube" of FPGAs for emulating processors ("MUMAlink" Interconnect Fabric), and for prototyping the entertainment system in a car.

Graphics processing units (GPUs) have multiple processors, a shared bus and memory on a chip. As a result they are less customisable and less power efficient than FPGAs, but they are easier to program. Ideally FPGAs and GPUs would be combined with conventional processors in the one system for maximum flexibility. This approach differs from the one investigated in "Comparison of GPU and FPGA hardware for HWIL scene generation and image processing" (by Eales and Swierkowski, DSTO Weapons Systems Division, 2009).

Imperial has a 16 node cluster, "Axel", with an AMD CPU, C1060 GPU and Vpf5 FPGA in each node, connected by Gigabit Ethernet and by Infiniband on the FPGA. This is a "non-uniform node" architecture: the CPU, GPU and FPGA in each node are connected on a common backbone. Initially a Single Program Multiple Data design was used for simplicity.

Linux runs on each node, using NFS. There is a custom resource manager and public domain cluster software (OpenMP and Open MPI). There is a communications bottleneck, with data having to pass through the CPU to get from the FPGA to the GPU. Direct communication would be desirable but difficult.

The question then is what common patterns of parallelism the system could support. The "Berkeley Dwarfs" offer a set of common patterns.

The new Intel Atom chip (codenamed "Pineview") due in early 2010, is rumoured to have an integrated graphics core, which could be useful for low cost systems.

Iridium is planning a new generation of communication satellites with provision for an earth observation payload. It might be interesting to see how much processing could be usefully put on-board. The processing might be reprogrammable to do communications or processing as required, depending on where in the orbit the satellite is. The Iridium satellites can only carry out their primary function of communications during a small part of their orbit. The rest of the time the satellite could carry out observations and process data.

Sunday, December 13, 2009

Building a supercomputer from game console components

Wayne Luk from Imperial College London will talk on "A Heterogeneous Cluster with FPGAs and GPUs" at the ANU, 14 December 2009. GPUs (Graphics Processing Units) are used to offload complex image processing from the main processor in PCs and games consoles. FPGAs (Field Programmable Gate Arrays) are more flexible devices which can be reconfigured for custom applications. These chips have become popular as a way to design low cost specialised supercomputers, but no one is exactly sure of the best design for such a supercomputer; hence the need for research to find out. Apart from research, these systems have application in predicting climate change and cracking encryption codes.

Seminar Announcement
School of Computer Science, CECS
The Australian National University

Date: Monday, December 14, 2009
Time: 11:00 am to 12:00 noon
Venue: Room R214, Ian Ross Building [31]

Speaker: Wayne Luk

Title: A Heterogeneous Cluster with FPGAs and GPUs

Abstract:

This talk describes a heterogeneous computer cluster called Axel. Axel contains a collection of nodes; each node can include multiple types of accelerators such as FPGAs (Field Programmable Gate Arrays) and GPUs (Graphics Processing Units). A Map-Reduce framework for the Axel cluster is presented which exploits spatial and temporal locality through different types of processing elements and communication channels. The Axel system enables experiments involving FPGAs, GPUs and CPUs running collaboratively for applications in high-performance computing, such as N-body simulation.

Biography:

Wayne Luk is Professor of Computer Engineering at Imperial College London. He was a Visiting Professor at Stanford University. His research interests include theory and practice of customizing hardware and software for specific application domains, such as multimedia, financial simulation, and biomedical computing. He is a fellow of the IEEE and the BCS.

From: "A Heterogeneous Cluster with FPGAs and GPUs", ANU, 2009

Friday, November 27, 2009

Cyberwar Podcast

Stilgherrian interviewed me for a ZDNet Australia podcast on "Cyberwar: What is it good for?". This was recorded shortly before the Attorney-General released the new Australian Government Cyber Security Strategy and IBM announced a new computer security centre in Canberra.

Thursday, November 26, 2009

Low cost computer security device to replace passwords

Greetings from the famous room N101 at the School of Computer Science at ANU. Bob Edwards is presenting on "Yubikey Authentication in a Mid-sized Organisation". This is a preview of a paper for the Linux Conference of Australia 2010 (LCA2010) in January.

The Yubikey is a low cost ($10) security token designed to replace passwords for computer access. It is a small USB unit designed to be attached to a key ring and inserted into a computer when access is needed. When a button on the unit is pressed the device generates a 44 character one-time password (OTP): a 12 character public identity followed by a 32 character block holding the token's private identity and counters, encrypted with AES-128 under a key stored in the device. It emulates a USB keyboard to type the OTP into whatever application has the keyboard focus.

One use which has been proposed, on the U.S. Department of Homeland Security Transportation Security Administration blog, is using the Yubikey to identify airline pilots.

Yubico provides an online authentication server which can be used. However, as Bob points out, this requires you to trust the security and reliability of Yubico's system. Yubico allow the device to be reprogrammed with a new AES-128 key, so that an organisation can run its own authentication server.

One limitation of the device is that it has no internal battery and so cannot keep track of time. As a result an OTP has no expiry time: an unused OTP remains valid until a later one from the same key is accepted (the server rejects any OTP whose counters are not higher than those of the last one it accepted, so a used OTP cannot be replayed, but an OTP captured before use is still good). Also, as with any token, it must be kept physically secure. If left in a computer (as happens with similar devices), it will provide access for the next person who happens along, although an additional user entered ID and password could be required.

Other limitations are that the device requires a USB port and relies on the host accepting it as a keyboard. Allowing USB devices to emulate a keyboard is a security problem in itself (a malicious device can type commands), but disabling it would stop the Yubikey working. Also, because it emulates a keyboard, any application on the host computer that has the keyboard focus, or a keylogger, can capture the OTP the Yubikey types; the protection is that each OTP can be accepted only once.
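To make the OTP mechanism described above concrete, here is an added example in Go (my code, not Yubico's or Bob's) of both halves of the scheme: minting an OTP the way the token does on a button press, and verifying it the way an in-house authentication server would. The block layout, modhex alphabet, AES-128 encryption and CRC-16 follow Yubico's published OTP format; the key, public ID, private UID and counters used here are constructed test values, not from any real token, and the server-side storage (looking up the key and the highest accepted counter by the OTP's 12 character public ID) is left to the caller of Verify.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Yubikey OTP (Yubico's published format): 12 modhex chars of public ID, then 32
// modhex chars holding one AES-128 block laid out as [0:6] private UID, [6:8] use
// counter LE (bit 15 is a flag), [8:11] timestamp, [11] session use counter,
// [12:14] random, [14:16] bitwise NOT of the CRC-16 over bytes 0..13, LE.
const modhex = "cbdefghijklnrtuv" // modhex digit i stands for hex digit i

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s)&^1; i++ { // an odd trailing nibble is ignored
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, fmt.Errorf("invalid modhex character %q", s[i])
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

// crc16 is the CRC-16 Yubico uses (reflected polynomial 0x8408, init 0xffff).
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			mask := -(crc & 1) // 0xffff when the low bit is set, else 0
			crc = (crc >> 1) ^ (0x8408 & mask)
		}
	}
	return crc
}

// Token is the state the key encrypts; the two counters give replay protection.
type Token struct {
	UID        [6]byte
	UseCounter uint16 // non-volatile, +1 each time the key is powered up
	SessionUse uint8  // +1 on each press within one power-up
}

// MintOTP does what the key does on a button press: pack the block, AES-encrypt
// it under the key's secret and type it out as modhex after the public ID.
func MintOTP(publicID string, key []byte, t Token) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize) // timestamp and random bytes left zero here
	copy(buf[0:6], t.UID[:])
	binary.LittleEndian.PutUint16(buf[6:8], t.UseCounter)
	buf[11] = t.SessionUse
	binary.LittleEndian.PutUint16(buf[14:16], ^crc16(buf[:14]))
	block.Encrypt(buf, buf) // a single block, so plain ECB is the whole cipher
	return publicID + modhexEncode(buf), nil
}

// Verify is the server side. The caller looks up key, uid and the highest
// counter already accepted (last) by the OTP's public ID (otp[:12]); Verify
// returns the new counter to store, or an error if the OTP must be rejected.
func Verify(otp string, key []byte, uid [6]byte, last uint32) (uint32, error) {
	if len(otp) != 44 {
		return 0, errors.New("otp must be 44 characters")
	}
	pt, err := modhexDecode(otp[12:])
	if err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	block.Decrypt(pt, pt)
	// A wrong key, tampering or a forgery decrypts to noise; the CRC catches that
	// (Yubico's reference code checks it as a 0xf0b8 residual over all 16 bytes).
	if binary.LittleEndian.Uint16(pt[14:16]) != ^crc16(pt[:14]) {
		return 0, errors.New("crc mismatch: bad key or corrupted otp")
	}
	if string(pt[:6]) != string(uid[:]) {
		return 0, errors.New("private uid mismatch")
	}
	useCtr := binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff // mask off the flag bit
	ctr := uint32(useCtr)<<8 | uint32(pt[11])
	if ctr <= last {
		return 0, errors.New("replayed or stale otp")
	}
	return ctr, nil
}

func main() {
	key, uid := []byte("0123456789abcdef"), [6]byte{1, 2, 3, 4, 5, 6} // constructed values
	otp, _ := MintOTP("ccccccbcgujh", key, Token{UID: uid, UseCounter: 5, SessionUse: 1})
	ctr, err := Verify(otp, key, uid, 0)
	fmt.Println(otp, ctr, err) // Verify(otp, key, uid, ctr) would now report a replay
}
```

The counter comparison is what stands in for the missing clock: an OTP never expires, but once the server has accepted one, any OTP with the same or lower counters from that key is refused, so an OTP captured by a keylogger is useless after the legitimate use. The CRC check is what makes an OTP decrypted with the wrong key (or typed into the wrong organisation's server) fail cleanly rather than be misread as a valid block.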

One option which might be interesting would be for Yubico to make a credit card sized Yubikey. This would have sufficient space to overprint as an identity card and to carry a conventional magnetic stripe. It could then be used with existing standard identity card printers and magnetic stripe security systems for student and staff ID cards. There are a number of designs available which have a USB interface on the edge of the card, in a flexible cutout or on a folding card. These may seem cumbersome and subject to failure, but I have had a SanDisk Ultra SD Card for some years which folds in the middle to convert to a USB drive.

Yubico might like to market the devices for green ICT power saving. The host computers could be programmed to switch to low power mode until the device is inserted. It could also be used with thin client devices where the user's applications run on a server: when the device was inserted in a different client, the applications would be restored as they were when suspended.

The Swedish company Yubico manufacture the Yubikey One-Time-Password (OTP) USB device and have released all protocol and other relevant details, which makes the Yubikey particularly attractive as a low-cost and non-vendor-lock-in authentication solution.

Bob will demonstrate the Yubikey for the purposes of secure authentication on untrusted end-user systems (e.g. PCs at an Internet cafe or a friend's house) and will discuss some of the advantages as well as some of the weaknesses of the Yubikey system. He will then go on to describe the development of an authentication server written in C and based on a PostgreSQL database and implementing LDAP and other authentication protocols. This will include some technical details of how to use the APIs for connection to the database, parsing the ASN.1 LDAP queries, dealing with denial-of-service attacks, etc. He will also discuss some of the code he has written to implement the Yubikey protocol on devices with no USB port (e.g. a PDA or mobile phone).

This talk is a prelude to a paper Bob will present at the Linux Conference of Australia in 2010 (LCA2010) in Wellington, NZ in January.

BIO:
Bob Edwards is the Chief IT Officer in the School of Computer Science at the ANU. He also teaches into the Computer Networks course and the Free and Open Source Software Development (FOSSD) course, amongst others.

From: Yubikey Authentication in a Mid-sized Organisation, ANU 2009

Tuesday, November 24, 2009

Australian Government Cyber Security Strategy

The Federal Attorney-General, Robert McClelland, has released an Australian Government Cyber Security Strategy. This is a high risk strategy, as it proposes transferring the functions of the successful and experienced non-government AusCERT to an inexperienced government body. A better strategy would be to resource AusCERT so it can provide services to non-government bodies and work with DSD to look after government and military computer security.

The Australian Government Cyber Security Strategy has three objectives:
  1. Make Australians aware of cyber risks,
  2. Make businesses operate secure and resilient information and communications technologies,
  3. Secure Australian Government information and make communications technologies resilient.

The seven Strategic priorities are:

  1. Improve the detection, analysis, mitigation and response to sophisticated cyber threats,
  2. Provide Australians with information and tools to protect themselves online,
  3. Partner with business to promote security and resilience,
  4. Protection of government ICT systems,
  5. Promote a secure, resilient and trusted global electronic operating environment,
  6. Maintain an effective legal framework and enforcement against cyber crime,
  7. Promote cyber security research, development and skills.

By early 2010 the Australian Government expects to have:

  1. CERT Australia: with the Attorney-General's Department taking over AusCERT's responsibilities. This will incorporate the Australian Government Computer Emergency Readiness Team,
  2. Cyber Security Operations Centre (CSOC): The Defence Signals Directorate (DSD) will continue to provide civilian and military government agencies with cyber security assistance.

Saturday, August 08, 2009

Google Wave Implications for Government and Security

One interesting question at the Google Wave hackathon is the implications for corporate users (and government) of security and accountability. Because waves are dynamic, many security measures designed for email (and adapted from paper documents) are not applicable. In terms of accountability, the dynamic and group nature may cause problems. However, it occurs to me that the way the components of a wave (wavelets) are separately maintained and labelled could improve security and accountability. This might create problems of its own, particularly in a political environment. Not only would it be possible to see who wrote what (avoiding the problem which occupied Parliament for several days recently); what might make corporate users less comfortable is that it would be possible to reconstruct exactly who changed what text when, allowing for a forensic analysis when a disaster occurs, such as in the case of the 2009 Victorian Bushfires Royal Commission.

Thursday, June 11, 2009

Open source for government security

Centrelink have developed a Protocol for Lightweight Authentication of Identity (PLAID). This might work well with the Yubikey hardware security device, whose protocol details have been published. Centrelink are holding free workshops in the USA later in the month, to interest smartcard developers in PLAID. But they may not need to travel that far, as there are Yubikey developers meeting in Canberra, a few kilometres from the Centrelink office, on "Yubikeys in the Enterprise":

The next PSIG meeting is June 11th

Speaker: Bob Edwards

Talk:

Bob will be talking about programming systems to interface with the Yubikey.

During this presentation, Bob will be demonstrating:

  • how a yubikey works
  • how to reprogram a yubikey with your own AES 128-bit key and IDs
  • an open source server he has written in C to authenticate yubikeys
  • how to add yubikey authentication to a web site and to SSH (via PAM)

The yubikey server C code will be examined demonstrating
principles of:

  • connecting to and querying a PostgreSQL database
  • authenticating via Pluggable Authentication Modules (PAM)
  • emulating an LDAP server's bind method
  • performing Secure Sockets Layer (SSL) communications
  • other C stuff (logging errors etc., parsing a config file, going into daemon mode, avoiding global variables and gotos - just because, etc.)

All constructive criticism eagerly welcomed... (except for those saying "I could do that in 3 lines of Python...")

Any experts on autoconf/automake configuration especially welcome...
From: Canberra Linux Users Group, CLUG, 2009

Friday, June 05, 2009

Workshops for Australian web security system

Centrelink are holding free workshops in Australia and the USA for smartcard developers to use its Protocol for Lightweight Authentication of Identity (PLAID). Unfortunately, Centrelink issued the media release about this as a Microsoft Word document with a large logo on the top, making the one page document 20 times larger than it needs to be. Here is the text, minus the logo:

Australian Government

Centrelink Media Release

Thursday, 4 June, 2009

Workshops for developers of Centrelink IT security solution

Centrelink is holding free workshops in Australia and the USA to help access-system and smartcard developers understand its smartcard authentication protocol: PLAID.

PLAID stands for Protocol for Lightweight Authentication of ID. It was developed in-house by Centrelink IT Security staff and released for free to anyone – including manufacturers.

Centrelink is holding two-day workshops in Canberra on 23 and 24 June and Washington DC, USA, in July, with the US National Institute of Standards and Technology (NIST).

PLAID is being evaluated as a standard in Australia and the USA. It is a protocol that specifies how components of a card-based ID authentication system ‘talk’ to each other.

These two-day workshops will assist access system and smartcard developers with the incorporation of PLAID into their products.

The workshops assume knowledge of smartcard-based authentication protocols and the ISO/IEC 14443 and ISO/IEC 7816 suites of smartcard standards.

It is Centrelink’s intention that both the physical and logical access security vendor community and its customer base become well informed about PLAID so it can be incorporated into off-the-shelf product.

Interested vendors should review the PLAID web site at http://www.govdex.gov.au/confluence/display/PLAID and complete the respective application forms

Centrelink is migrating its 27,000 staff from random number generators to a PKI Certificate-based smartcard system this year, and plans to update those smartcards with a PLAID application in 2010 once commercial products are available.

For more information see Centrelink.gov.au and Govdex.gov.au

Media contact: Simon Ferguson, Centrelink Media, (02) 6155 1749 ...

Wednesday, April 29, 2009

Authentication Protocol from Australian Government

Wednesday, December 24, 2008

Open Source Intelligence Job

The Office of National Assessments (ONA), the Australian Prime Minister's intelligence agency, is advertising for a Director of their Open Source Branch.
Open source intelligence is based on publicly available information, rather than finding out secrets, and has come to prominence with the Internet. The ONA OS Branch uses the Internet to disseminate intelligence reports, as well as to collect information. There is a password protected section on the ONA web site, to provide reports to Australian and allied government agencies.

ONA is seeking a highly motivated and skilled individual to coordinate the collection and research activities of the Open Source Branch. The successful candidate will have demonstrated management and coordination experience, well developed interpersonal skills and strong analytical skills. Proficiency in Indonesian language will also be highly regarded. ...

Thursday, October 30, 2008

Stapler with Security Cable Loop

Found myself having a discussion with a group of highly trained ICT experts trying to work out how to secure a stapler to a desk. After such options as looping a chain around it, drilling holes and using screws (even replacing paper with e-documents), I typed "stapler security" into the web and found that what was needed was a "Stapler with Security Cable Loop". This makes me wonder why staplers and other office items are not made with a Kensington Security Slot.

Bizarre as it seems, you can buy stick on Kensington Security Slots (officially called a Security Slot Adapter Kit). This is a small pad with a slot in it and a tube of high strength glue. You glue the pad to the item to be secured and then attach a security cable to the standard slot. This is a bit like a hole kit from Acme Corporation. One catch is that the kit costs more than the average office stapler you might secure with it.

See also on amazon.com: Staplers

Tuesday, October 21, 2008

National Cyber Security Exercise Report

The Australian Attorney-General's Department has issued "Cyber Storm II - National Cyber Security Exercise - Final Report". This is the unclassified version of the report on Australia's part in the US-led cyber security exercise Cyber Storm II:

Cyber Storm II was structured and executed as a large-scale national exercise within an international framework. Canada, New Zealand, the UK and the US were participants. Australia's participation was second only to the United States, and involved Australian Government agencies, state and territory governments and the largest contingent of private sector organisations ever involved in an Australian Government-sponsored exercise. The exercise structure allowed participants to exercise their internal incident response and communications in a national framework that allowed external communications to be more than notional and which encouraged a collaborative response.

Cyber Storm II was conducted as a "no-fault" exercise. Its purpose was not to obtain a stock-take of participants' internal crisis management arrangements. Nor was the exercise a test of the resilience of participants' networks to cyber attack. The starting point for the exercise was that the adversary had sufficient time, money and motivation to penetrate any network.

Many participants recognised that the global exercise framework provided by Cyber Storm II was an extremely cost-effective way of conducting an in-house cyber exercise.

The exercise proved that the major elements of the national response arrangements are sound, but as expected also found a number of areas where improvement would be possible. This report captures key findings and participants' observations as they relate to cyber incident response.

The key findings are that crisis arrangements must be regularly reviewed and tested; established relationships facilitate rapid information sharing during a crisis; crisis communications procedures must be predicated on accurate and appropriate points of contact and formalised; cyber crises require tailored responses that take into account multiple inter-dependencies; and incident response is assisted by having clear escalation thresholds.

From: Executive Summary, Cyber Storm II - National Cyber Security Exercise - Final Report, August 2008

Thursday, October 09, 2008

Virus reported on ASUS Eee Box PC

ASUS have reported a virus present on the hard disk of their new Eee Box desktop PC. I was only able to find this in Japanese on the ASUS web site ("ASUSミニパソコン新製品「Eee Box」でのウイルス混入に関するお詫び", translated: 'Apology regarding virus contamination in the new ASUS mini PC "Eee Box"'). The Register have an explanation in English: "Asus admits Eee Box mini PC shipped with virus" (Tony Smith, 8th October 2008 12:10 GMT). Presumably this virus only affects units running the Windows XP operating system, not ones using Linux.

Saturday, August 23, 2008

UK Government Data Missing on Memory Stick

A USB flash drive with tens of thousands of prison and police records on it is missing in the UK. Perhaps Jacqui Smith, the government minister responsible, should have the contractor (PA Consulting) purchase some heavy duty retractable reel lanyards to secure the flash drives.

When a similar incident happened in Australia with a military officer leaving important data behind, I jokingly suggested that military personnel should be issued with a retractable cable clipped to their uniform. The officer could then clip the flash drive to the other end of the cable. If they forgot the flash drive, the cable would pull it out of the computer and retract when they got up.

Reels with nylon cable are commonly issued to staff with security swipe cards, but the clips and cables on most are flimsy. So I found on Amazon.com a stainless steel lanyard sold to sailors for attaching their penknives to. These are much stronger than the nylon cables and they have a secure steel clip on each end. While this started off as a joke, I found that people were ordering batches of these lanyards, presumably to hold flash drives. So I created an Amazon.com store for lanyards.

For those needing more security there are coiled plastic cable lanyards. Smaller ones of these are designed for divers and have a stainless steel clip on each end. Even stronger units are pistol lanyards. Some of these are actually a steel cable coated with plastic. One end of the cable has a wide nylon loop for attaching to a belt and the other a thin loop or a clip. They are designed for military and police handguns. One manufacturer claims that the cable is so strong it can help stop an attacker turning the gun on the owner. Because the lanyard is attached to the butt of the gun, the tension of the cable makes it naturally point away from the holder. As a result it is difficult for someone to point the gun at themselves or for anyone else to do that.

The military lanyards are more than would be needed for holding a flash drive, but then for security personnel, this sort of lanyard might fit better with their uniform than a shiny stainless steel reel. To complement this, there are also Waterproof USB Flash Drives.

See the Amazon.com store:
  1. Retractable Lanyards
  2. Coiled Lanyards
  3. Pistol Lanyards
  4. USB Flash Drive
  5. Waterproof USB Flash Drives


Thursday, August 07, 2008

Information Security Threat Environment

Robert Lowe, AusCERT Training Team Leader, gave an informative and frightening overview of the threats to computer systems at the ACS meeting in Canberra on Tuesday. He is also speaking in Perth 19 August, Hobart 21 August, Wollongong 26 August, Sydney 25 August, Adelaide 27 August and Darwin 11 September.

AusCERT is Australia's national Computer Emergency Response Team, providing advice and monitoring security threats on the Internet. It provides a national alerting service and an incident reporting scheme.

Robert provided statistics showing many home computers have out of date operating systems and security software. Even when home users are alerted to a security problem with their computer, many simply ignore it. Robert pointed out that corporate users can't be complacent about their own security. Home computers are used to connect to corporate systems and can compromise them.

Some of the discussion was about cooperation between AusCert and government security authorities, with information on threats passed on for action. But AusCert is different to the other response teams around the world: it is not funded by a parent body. Other national response teams are directly funded by their national governments. AusCert has to raise funds from its members, by running courses and from short term government contracts.

AusCert's funding came to my attention some years ago, when I had a call at the Department of Defence from a well known Queensland security expert. They first asked me what sort of phone I was using. Having established that the line was secure enough, they explained that AusCert was about to run out of money and could DoD help with a bit? I sent off a recommendation into the defence bureaucracy and a few days later someone whispered it was "sorted". The process was somewhat mysterious.

Ad-hoc funding is not the way to run a service essential to Australia's national security. The Minister for Broadband, Communications and the Digital Economy and the Attorney General must be aware that an attack on Australia's networks threatens the national economy, as well as the lives of Australians. Adequately funding those who are protecting the infrastructure is an easy first step in combating the threat.

I attended part of the AWB inquiry, into bribery and breaking of UN sanctions with the UN Oil-for-Food Programme in Iraq. Senior public servants and ministers were asked what they knew and why they did not act. In that case they were able to successfully argue that they could not have reasonably known what was going on.

But if there is a major attack on Australia's network infrastructure, the Ministers and their senior advisors will have difficulty convincing the judge that they could not have anticipated it. If the resulting loss to the economy, damage to infrastructure or loss of life is large enough, those responsible can expect to be jailed.

EDUCATION ACROSS THE NATION - SECURITY (The Information Security Threat Environment)

AusCERT is the national Computer Emergency Response Team for Australia and a leading CERT in the Asia/Pacific region.

As a trusted Australian contact within a worldwide network of computer security experts, and an active member of the Forum for Incident Response and Security Teams (FIRST) and Asia Pacific Computer Emergency Response Team (APCERT), AusCERT has access to accurate, timely and reliable information about emerging computer network threats and vulnerabilities on a regional and global basis and provides computer incident prevention, response and mitigation strategies for members, a national alerting service and an incident reporting scheme.

Providing computer information security advice to the Australian public and its members, including the higher education sector, AusCERT is the single point of contact for dealing with computer security incidents affecting or involving Australian networks.

The very nature of AusCERT's role makes this an Education across the Nation event not to be missed.

Biography: Robert Lowe

Robert Lowe has worked at AusCERT since June 2003 as a Computer Security Analyst. He is now AusCERT's Training Team Leader and assists in the development and delivery of AusCERT training courses. Prior to joining AusCERT Robert was a Senior Client Services Engineer for an Internet gaming software provider. Robert's previous experience includes systems and database administration, development, training delivery, as well as application integration and support. Robert graduated from the University of Technology, Sydney in 1999 with a Bachelor of Science (Computing) and has over 10 years experience in the IT industry.


Monday, July 28, 2008

China's War on Terrorism

With the Beijing Olympics about to open, "China's War on Terrorism: Counter-insurgency, Politics and Security" by Martin I. Wayne (Routledge, 2007) is a timely analysis of the Chinese government's response to Islamic terrorism in northwest China (Xinjiang). While not underplaying problems with the Chinese government's human rights record, Wayne has respect for their multi-level response to terrorism. In contrast to the approach of the USA, which is to go after high profile terrorists, China has tackled the problem at all levels, with political and policing measures starting at the grass roots community level. This is a book which should be read by all those interested in dealing with insurgency.


Thursday, July 17, 2008

Protecting email servers on the Internet

Michael Still will give a free seminar about his research on how to protect email servers on the Internet from denial of service attacks, 2008-07-31 at the ANU in Canberra:
DCS SEMINAR SERIES

Measuring deployment of mail servers on the Internet
Michael Still (DCS, ANU)

DATE: 2008-07-31
TIME: 16:00:00 - 17:00:00
LOCATION: CSIT Seminar Room, N101

ABSTRACT:
There are millions of email servers connected to the Internet. I have an interest in developing a survey of these servers to determine the current comparative popularity of the various SMTP implementations in existence. My specific interest is in developing Denial of Service (DoS) attack protections for such servers, where popularity data for SMTP implementations guides the testing regime for my proposed DoS defenses. This seminar will cover the survey methodology I am currently using, as well as early results.

BIO:
Michael Still is a PhD student in DCS at the ANU, as well as being employed as an engineer at Google in Silicon Valley.


Sunday, July 06, 2008

Armed Anti-terrorist Segways for Beijing Olympics

In what must be one of the more bizarre policing techniques, Chinese police have been reported to be practising shooting their sub-machine guns while steering a Segway-type people transporter with their knees. These appear to be the standard model of Segways, not modified. The company also makes a Segway i2 Police model, with bars over the tires and a carry bag on the handlebars, and the x2 Police, with balloon tires for off-road use.
The anti-terrorist forces were also equipped with battery-powered segways, each about a meter high and with two wheels.

The segways allowed the armed police to control direction and speed by changing the gravity center, leaving their hands free to shoot, said Huang Shan, a provincial special force vice head.

"With a speed of up to 20 kilometers per hour, the vehicle helps transport troops and shoot accurately, fast and silently." ...

From: Unmanned drones to serve security forces during Olympics, Xinhua News Agency, 2008-07-03 22:55:45
The ability to steer with no hands would be useful for police, but having to clutch the steering column with your knees would not make for a comfortable ride, or a steady platform to fire a gun from. Perhaps a bicycle-type seat needs to be attached to the Segway, to allow the rider to sit down. This could be elegantly added to the Segway's steering column, where it bends about one third of the way up.

For less crowded areas, a motor-scooter might be a better idea than a Segway. The Greek police have two people on one scooter (presumably so one can drive and the other take action). These look a little cramped and something like the Piaggio MP3 three-wheeled scooter would have more room and carrying capacity.


Australian Government E-Security Framework

The Minister for Broadband, Communications and the Digital Economy announced a Whole-of-Government review of e-security on 3 July 2008. The Attorney-General’s Department will conduct the review, covering both the public and private sectors, by October 2008. The public and industry were invited to contribute. Available are:
  1. E-Security Review web site
  2. Media Release (copy appended)
  3. E-Security Review 2008 Terms of Reference (PDF 19KB)
  4. E-Security Review 2008 Public Discussion Paper (PDF 42KB)
Also giving an idea of the government's current thinking on e-security is the Trusted Information Sharing Network (TISN). This is a forum where those running critical infrastructure discuss the security issues which affect it. It has a Computer Network Vulnerability Assessment Program. There is also the Attorney-General's Critical Infrastructure Protection Branch.

Joint media release

The Hon Robert McClelland MP
Attorney-General

Senator the Hon Stephen Conroy
Minister for Broadband, Communications and the Digital Economy
Deputy Leader of the Government in the Senate


Whole-of-Government review of e-security

The Attorney-General Robert McClelland and the Minister for Broadband, Communications and the Digital Economy Senator Stephen Conroy today announced a whole-of-government review of e-security.

Australia’s ever-increasing reliance on information and communications technology and the threat of a hostile online environment has prompted the review, which will assist the development of a national framework for securing Australia’s electronic networks.

“New and networked systems increasingly underpin our business and social interactions, but they also provide fertile ground for exploitation by cyber criminals”, Mr McClelland said.

“The e-security review is an opportunity to look at what help the Government can provide to develop a more secure and trusted electronic operating environment for both the public and private sectors. The review will also consider whether Commonwealth programs can be better focused to deal with the ever increasing range of online threats.”

Senator Conroy said that the review of e-security was a vital step towards fostering confidence in using the internet for personal and business activities.

“A secure online environment trusted by the community coupled with the Government’s rollout of the National Broadband Network is critical to our nation’s continued social and economic prosperity,” Senator Conroy said.

A multi-agency team, led by the Attorney-General’s Department, will conduct the review, which will be completed by the end of this year.

The terms of reference for the review are attached. Details of how the public and industry can contribute to this review are available at: www.ag.gov.au/esecurityreview

Date: 3 July 2008

Media Contact:
Adam Sims, Mr McClelland’s office 0419 480 224
Tim Marshall, Senator Conroy’s office 0408 258 457

E-SECURITY REVIEW 2008
TERMS OF REFERENCE

The Attorney-General's Department is to lead a review of the Australian Government’s e‑security policy, programs and capabilities, assisted by other agencies represented on the E‑Security Policy and Coordination Committee. The review will take account of both the threat from electronic intrusions into Australian networks and the threat from complementary attacks on their physical, administrative or personnel security arrangements.

The purpose of the review is to develop a new Australian Government E-Security Framework in order to create a secure and trusted electronic operating environment for both the public and private sectors.

The review will:

  1. develop a new Australian Government policy framework for e-security, covering the span of e-security issues across government, business and the community
  2. examine current programs, arrangements and agency capabilities and capacities that contribute to e-security, including:
    • those being implemented by agencies under the E-Security National Agenda
    • incident response and crisis management arrangements for e-security, including the recommendations from Australia’s participation in Exercise Cyber Storm II, and
    • other relevant information and communications technologies (ICT) initiatives being undertaken by the Commonwealth and by state and territory governments to establish their suitability and effectiveness to achieve the policy objectives of the new Framework.
  3. address emerging e-security issues including:
    • those resulting from technological change, including roll-out of the National Broadband Network, and
    • an increasingly hostile online security environment, which does not respect traditional jurisdictional boundaries
  4. consider opportunities provided by international cooperation, including engagement with similar economies and like-minded governments
  5. bring forward recommendations, prioritised in accordance with an assessment of risk, for consideration by Government to:
    • tailor programs and agency capabilities and capacity to achieve the policy objectives of the new Framework
    • address current and emerging threats, and
    • determine how to measure the success of each approach
  6. principally focus on measures to be effective in the period to mid-2011, but also take into account longer term considerations, and
  7. consult with relevant stakeholders and experts in government, business, academia and the community.

The review is to be completed for Government consideration by October 2008.

An executive committee comprising senior representatives of the Attorney-General’s Department, the Defence Signals Directorate, ASIO, the Department of the Prime Minister and Cabinet, the Department of Broadband, Communications and the Digital Economy, the Australian Federal Police and the Australian Government Information Management Office will provide oversight of the Review.

From: Whole-of-Government review of e-security, Attorney-General and the Minister for Broadband, Communications and the Digital Economy, Australian Government, 3 July 2008


Tuesday, May 13, 2008

Malaysian Corporate Governance Conference Program

I will be attending the Malaysian Corporate Governance Conference, organised by the Asian Strategy & Leadership Institute, 15 - 16 May 2008 at the Securities Commission, Kuala Lumpur. Anyone else going? Here is the latest program for the event:


Malaysian Corporate Governance Conference

"Forging Leadership & Sustainability in the Global Environment"

15 - 16 May 2008

Conference Hall 1, Securities Commission, Kuala Lumpur

PROGRAMME

DAY 1 - Thursday: 15 May 2008

8.30am Arrival and Registration of Participants

9.00am Arrival of VIPs

9.15am Welcome Speech by

Yang Berbahagia Puan Sri Datin Seri Susan Cheah

Director, Asian Strategy & Leadership Institute

Executive Director, Sunway Management

Official Opening & Keynote Address by

Yang Berbahagia Dato' Yusli Mohamed Yusoff

Chief Executive Officer, Bursa Malaysia

9.55am Morning Refreshments & Contact Break

10.15am SESSION ONE: CREATING SUSTAINABLE GROWTH IN THE GLOBAL BUSINESS ENVIRONMENT

  • What are the growing trends in corporate governance in global economies?

  • What are the detrimental factors to the sustainability of businesses in global emerging economies?

  • What do companies in developed economies do to create sustainability? What can Malaysian companies learn from them?

  • Does size matter? Does sustainability differ from a large multinational company to a small company?

  • What do Malaysian companies need to leverage on to create sustainable growth in global businesses?

Moderator:

Mr Puvan J. Selvanathan

Executive Director, Caux Round Table Malaysia

Speaker:

Yang Mulia Tunku Abdul Aziz

President, Caux Round Table Malaysia

Former Special Advisor on Ethics to the UN Secretary General

11.30am SESSION TWO: POWER OF THE BOARD - LEADERSHIP CALL IN GLOBAL BEST PRACTICES

  • Some parties have argued that many Malaysian directors do not take corporate governance seriously enough. This does not only hurt the organisations, but the society and nation as a whole. Thus, what role does the board of directors play in ensuring the welfare of the society and the competitiveness of the nation? What are the principal responsibilities of the board?

  • What constitute an effective board and what would be the demands and challenges to assume a leadership role in the emerging global environment?

  • Having good judgement is a subjective matter, but it is important especially in determining the size of non-executive participation. Thus, what factors are deemed good judgement? Is there a quintessential guide in exercising good judgement for directors?

  • Maintaining a successful relationship between the board and management is all about an issue of effective communication. Thus, what are the key elements in ensuring an effective communication between the two parties?

Moderator:

Mr Philip Koh

Senior Partner,

Messr Mah-Kamariyah & Philip Koh

Speaker:

Mr Jiv Sammanthan

Senior Executive Director

PricewaterhouseCoopers Advisory Services

12.15pm SESSION THREE: IMPACT OF COMPANIES (AMENDMENT) ACT 2007 AND CAPITAL MARKETS SERVICES ACT ON BOARD DECISION MAKING

Speaker:

Mr Philip Koh

Senior Partner,

Messr Mah-Kamariyah & Philip Koh

1.00pm SPECIAL SESSION: Leveraging on Technologies to Manage Challenges in Corporate Governance

Ms Michelle Yee

Solution Architect - Governance, Risk & Compliance,

SAP (Asia-Pacific Japan)

1.45pm Networking Luncheon

2.45pm SESSION FOUR:

ACCOUNTABILITY & INTERNAL AUDIT FUNCTION (IAF)

  • What are the duties of audit committees in relation to IAF? What are their roles in accountability?

  • How do audit committees establish and preserve their independence with the management?

  • What would be the expectations and perceptions of internal audit in the continuous engagement with the management?

Moderator:

Mr Walter Sandosam

Vice President Audit, Maybank and Vice President, Institute Internal Auditors Malaysia

Speakers:

Mr Lee Min On

Partner, KPMG Business Advisory and

Governor, Institute of Internal Auditors Malaysia

3.45pm Afternoon Refreshments/Contact Break

4.15pm SESSION FIVE: SHAREHOLDER ACTIVISM AND PROTECTION OF MINORITY INTEREST - THE MALAYSIAN EXPERIENCE

Moderator:

Ms Marghanita da Cruz

Principal Consultant & Director, Ramin Communications, Australia

Speaker:

Mr Lee Leok Soon

Head, Client Services

The Minority Shareholders WatchDog Group

5.00pm End of Day 1 conference

DAY 2 - FRIDAY: 16 May 2008

8.30am Arrival and Registration of Participants

9.15am Arrival of VIP

9.30am Special Keynote Address on:

Malaysian Corporate Governance and Its Impact on the Competitiveness of the Country

by Yang Berbahagia Datuk Ranjit Ajit Singh

Managing Director, Securities Commission

10.00am Morning Refreshment & Contact Break

10.30am SESSION SIX: BUILDING ACCOUNTABILITY & SUSTAINABILITY THROUGH INVESTOR RELATIONS

  • What is the power of investor relations (IRs) function?

  • How does a company maintain an effective communication policy with shareholders through IRs?

  • How would one draw the line differentiating between Corporate Social Responsibility and IRs? They seem the same, but they are not.

  • In order to achieve greater transparency and accountability in financial performance reporting, what would be the best IRs initiatives proposed/practiced by award winning companies?

  • Whilst limitations on voluntary disclosure do exist as it may facilitate comparison by competitors, too little disclosure will defeat the purpose it serves. Thus, what would be the ‘right’ amount of disclosure to ensure the desirability of disclosure is achieved?

Moderator:

Mr Puvan J. Selvanathan

Executive Director, Caux Round Table Malaysia

Speaker:

Mr Justin Leong

Chairman, Malaysian Investor Relations Association (MIRA)

Head of Strategic Investments and Corporate Affairs, Genting Bhd

11.45am SESSION SEVEN: ICT IN CORPORATE GOVERNANCE - THE AUSTRALIAN EXPERIENCE

The importance of information and communications technologies (ICT) cannot be ignored, as the world is heading in this direction for effective sources of information, communications and world-wide connectivity. Thus, this session aims to cover the following:

  • Overview of Standards

  • Electronic Reporting

  • Fraud and other Threats from ICT

  • ICT impact on Corporate Performance

  • ICT Corporate Compliance Requirements

Moderator:

Mr Puvan J. Selvanathan

Executive Director, Caux Round Table Malaysia

Speaker:

Ms Marghanita da Cruz

Principal Consultant & Director, Ramin Communications, Australia

12.45pm Networking Luncheon

2.45pm SESSION EIGHT: COMMITTING TO RESPONSIBLE BUSINESS PRACTICES

  • How do responsible business practices contribute to the success of a company in global businesses?

  • What kind of value do companies see in committing to responsible business practices in the long run?

  • CSR encompasses many different aspects in relation to responsible business practices. The concern is how does a company manage all different aspects of CSR in the global competitive environment? What is the art of balancing the social aspect, economic welfare and environmental aspect of CSR?

Moderator:

Mr Puvan J. Selvanathan

Executive Director, Caux Round Table Malaysia

Speaker:

Dr Geoffrey Williams

Managing Director, OWW Consulting

4.00pm End of Conference & Afternoon Refreshments

Notes:

  • The Organiser reserves the right to alter the content and timing of the programme in the best interest of the conference and are not responsible for cancellations due to unforeseen circumstances

  • The Organiser accepts no responsibility for statements made orally or in written material distributed by any speakers at the forum. In addition, the Organiser is not responsible for any copying, republication or redistributions of such statements

  • Copyright © Asian Strategy & Leadership Institute (ASLI) 2008. ® All Rights Reserved

  • as of 12 May 2008


Monday, May 05, 2008

Malaysian Corporate Governance Conference

I will be attending the Malaysian Corporate Governance Conference, organised by the Asian Strategy & Leadership Institute, 15 - 16 May 2008 at the Securities Commission, Kuala Lumpur. Anyone else going?
In the world of globalization, there has been a growing need to efficiently compete internationally for global emerging economies. As a rising economy with robust regulatory and legal framework, it is not an exception for Malaysia either.

Many would agree that sound corporate governance in the global markets is imperative to national economic welfare as well as to the stability of a global economic environment. Asian countries like Hong Kong and Singapore realized that being small is not an option. For sound corporate governance framework is a key component of market competitiveness, good governance practices would counter the lack of market size and push the economy back into the investors’ loop.

As Malaysia falls into the radar screen of investors, industry players, professionals and public listed companies must indoctrinate strong compliance and greater corporate governance cultures. Furthermore, investment choice is aplenty amidst the capital market liberalization as institutional investors now have the option to invest locally or overseas.

Recognizing the intense market competition, the review on the Malaysian Code of corporate governance in October 2007 was timely to further strengthen corporate governance practices in Malaysia. In addition, competing in the international business arena requires good leadership, as it is what corporate governance is all about. While mergers and joint ventures are on the cards for many local institutions to achieve economies of scale and greater corporate synergy, there are also government initiatives to help SMEs meeting the challenge of the global emerging competition.

Nevertheless, those who truly emerge as winners are those who are able to carve out a niche for themselves in the industry.
So long as making a difference in business stands out and emerges as a leader, a good business cannot survive without sustainable growth. ...

Welcome Speech by Dato’ Dr. Michael Yeoh
Chief Executive Officer, Asian Strategy & Leadership Institute

Official Opening & Keynote Address by Y.Bhg. Dato' Yusli Mohamed Yusoff CEO, Bursa Malaysia Berhad

Session One
CREATING SUSTAINABLE GROWTH IN THE GLOBAL BUSINESS ENVIRONMENT
• What are the growing trends in corporate governance in global economies?
• What are the detrimental factors to the sustainability of businesses in global emerging economies?
• What do companies in developed economies do to create sustainability? What can Malaysian companies learn from them?
• Does size matter? Does sustainability differ from a large multinational company to a small company?
• What do Malaysian companies need to leverage on to create sustainable growth in global businesses?

Session Two
POWER OF THE BOARD – LEADERSHIP CALL IN GLOBAL BEST PRACTICES
• Some parties have argued that many Malaysian directors do not take corporate governance seriously enough. This does not only hurt the organisations, but the society and nation as a whole. Thus, what role does the board of directors play in ensuring the welfare of the society and the competitiveness of the nation? What are the principal responsibilities of the board?
• What constitute an effective board and what would be the demands and challenges to assume a leadership role in the emerging global environment?
• Having good judgement is a subjective matter, but it is important especially in determining the size of non-executive participation. Thus, what factors are deemed good judgement? Is there a quintessential guide in exercising good judgement for directors?
• Maintaining a successful relationship between the board and management is all about an issue of effective communication.
Thus, what are the key elements in ensuring an effective communication between the two parties?


Session Three
IMPACT OF COMPANIES (AMENDMENT) ACT 2007 AND CAPITAL MARKETS SERVICES ACT ON BOARD DECISION MAKING

Session Four
ACCOUNTABILITY & INTERNAL AUDIT FUNCTION (IAF)
• What are the duties of audit committees in relation to IAF? What are their roles in accountability?
• How do audit committees establish and preserve their independence with the management?
• What would be the expectations and perceptions of internal audit in the continuous engagement with the management?

Session Five
SHAREHOLDER ACTIVISM AND PROTECTION OF MINORITY INTEREST - THE MALAYSIAN EXPERIENCE

Session Six
BUILDING ACCOUNTABILITY & SUSTAINABILITY THROUGH INVESTOR RELATIONS
• What is the power of investor relations (IRs) function?
• How does a company maintain an effective communication policy with shareholders through IRs?
• How would one draw the line differentiating between Corporate Social Responsibility and IRs? They seem the same, but they are not.
• In order to achieve greater transparency and accountability in financial performance reporting, what would be the best IRs initiatives proposed/practiced by award winning companies?
• Whilst limitations on voluntary disclosure do exist as it may facilitate comparison by competitors, too little disclosure will defeat the purpose it serves. Thus, what would be the ‘right’ amount of disclosure to ensure the desirability of disclosure is achieved?

Session Seven
“COMMITTING TO RESPONSIBLE BUSINESS PRACTICES”
• How do responsible business practices contribute to the success of a company in global businesses?
• What kind of value do companies see in committing to responsible business practices in the long run?
• CSR encompasses many different aspects in relation to responsible business practices. The concern is how does a company manage all different aspects of CSR in the global competitive environment? What is the art of balancing the social aspect, economic welfare and environmental aspect of CSR?


Session Eight
ICT IN CORPORATE GOVERNANCE - THE AUSTRALIAN EXPERIENCE
The importance of information and communication technology (ICT) can not be ignored as the whole world is heading towards this direction for effective sources of information, communications and world-wide connectivity. Thus, the questions are:
• What is the implication of ICT for Malaysia?
• What can ICT offer to companies in achieving better corporate governance?
• Are Malaysian companies ready for it?
• Can companies do without ICT in global businesses?
• How do Malaysian companies leverage on ICT in measuring, monitoring and benchmarking of CSR activities?
• Can ICT manage the challenges of non-financial performance?
• There has been an increasing number of cyber fraud cases. What are the pre-emptive measures that companies should take to prevent online fraud or fraud in ICT?

Session Nine GLOBAL BEST PRACTICES – EMERGING AS A LEADER IN GLOBAL BUSINESSES ...

From: Malaysian Corporate Governance Conference brochure, Asian Strategy & Leadership Institute, 2007.


Friday, March 07, 2008

Cyber Terrorism Exercise Starts 10 March

Cyber Storm II, a US National Cyber Exercise, is due to run from 10 to 15 March 2008, with participation by the Australian Government. The US Department of Homeland Security’s National Cyber Security Division (NCSD) will exercise with industry people, playing out a scenario involving coordinated cyber and physical attacks on critical infrastructures. As well as Australia, the UK and NZ are participating.

One thing to note about such exercises is that they are not so much about trying out technology for preventing cyber-attacks, but testing the procedures to be used when one occurs. Issues to be clarified are: Who is in charge? Who do you tell? Who talks to the media?

There is a detailed Report on the first Cyber Storm exercise, which was held in 2006. It recommended improvements to inter-agency coordination.
Objectives
• Examine the capabilities of participating organizations to prepare for, protect from, and respond to the potential effects of cyber attacks
• Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures
• Validate information sharing relationships and communications paths for the collection and dissemination of cyber incident situational awareness, response, and recovery information
• Examine means and processes through which to share sensitive information across boundaries and sectors, without compromising proprietary or national security interests

From: Fact Sheet Cyber Storm II National Cyber Exercise, CERT, US Department of Homeland Security


Wednesday, March 05, 2008

E-Security Education Module for Australian Schools

The Department of Broadband, Communications and the Digital Economy (DBCDE) has issued a request for tender for an "E-Security Education Module for Australian Schools". Given that the government is funding increased broadband access for schools, this seems a wise move:
"This module will be delivered free to all Australian schools and will complement the Australian Government's cyber-safety initiatives. The Service Provider will also develop an evaluation methodology to assess the effectiveness of the module. The Service Provider will also update the module annually until Financial Year (FY) 2009/10 and then redevelop the module in Financial Year 2010/2011 to keep pace with changes in technology. ..."

From: E-Security Education Module for Australian Schools, DCON/08/13, Department of Broadband, Communications and the Digital Economy, 4-Mar-2008.
There is a 65 page tender document describing the project:

The Australian Government has identified the following three priorities to provide an integrated approach to Australia’s security:

  1. Reducing the e-security risk to Australian Government information and communications systems

  2. Reducing the e-security risk to Australia’s national critical infrastructure

  3. Enhancing the protection of home users and small to medium enterprises (SMEs) from electronic attacks and fraud.

One of the key aspects of addressing priority three is to ensure that school students, who form an important part of the household profile, recognise the importance of e-security and are able to take appropriate measures to protect themselves from e-security threats and vulnerabilities.

This is particularly important as children are often recognised to be the heaviest users of the Internet and most comfortable using new technologies.

Given this, the e-security education module for use within schools’ curricula would help children understand the importance of e-security. It would also provide them with skills and knowledge necessary to protect themselves from online threats. Such an education module would encourage the next generation of online users to adopt a “culture of security” from the start.

It is envisaged that students would use the skills and knowledge they learn at school to improve e security measures taken at home. School activities that focus on e security would, therefore, have a wider impact than the immediate audience. In addition, learning about protection against e-security threats as part of the school curriculum is likely to have greater impact on young people than any other information source. This is because of the level of trust and credibility that is generally associated with knowledge that is imparted by teachers.

Tenderers should note that the e-security education module is an initiative under priority three (as outlined above) and will be distributed freely to all Australian schools. The ESNA can be found at: http://www.dbcde.gov.au/__data/assets/pdf_file/71201/ESNA_Public_Policy_Statement.pdf

From: Request for Tender for E-Security Education Module for Australian Schools, 5.2 Overview, ATM document set, DBCDE, 4 March 2008

The RFT provides a useful insight into government thinking on online security and the large range of initiatives:

1. Introduction

The Department of Broadband, Communications, and the Digital Economy (DBCDE) is seeking proposals to design, develop, and update an education module on e-security practices for Australian school students. This module will be delivered free to all Australian schools and will complement the Australian Government's cyber-safety initiatives. The successful Tenderer will also develop an evaluation methodology to assess the effectiveness of the module. The successful Tenderer will update the module annually until Financial Year (FY) 2009/10 and then redevelop the module in Financial Year 2010/2011 to keep pace with changes in technology.

2. Objectives of the E-security Education Module

The successful Tenderer is required to ensure that the module is designed and developed in a way that meets the objectives of the Government's e-security policy, and complements associated cyber-safety, privacy and consumer fraud initiatives. Further, the successful Tenderer is required to design and develop a module that is consistent with the Ministerial Council on Education, Employment, Training and Youth Affairs (MCEETYA) Statements of Learning for ICT.

2.1 E-Security Policy objectives

The Australian Government has identified the following three priorities to provide an integrated approach to Australia's security:

  1. Reducing the e-security risk to Australian Government information and communications systems

  2. Reducing the e-security risk to Australia's national critical infrastructure

  3. Enhancing the protection of home users and small to medium enterprises (SMEs) from electronic attacks and fraud.

One of the key aspects of addressing priority three is to ensure that school students, who form an important part of the household profile, recognise the importance of e-security and are able to take appropriate measures to protect themselves from e-security threats and vulnerabilities.

This is particularly important as children are often recognised to be the heaviest users of the Internet and most comfortable using new technologies.

Given this, the e-security education module for use within schools' curricula would help children understand the importance of e-security. It would also provide them with skills and knowledge necessary to protect themselves from online threats. Such an education module would encourage the next generation of online users to adopt a "culture of security" from the start.

It is envisaged that students would use the skills and knowledge they learn at school to improve e security measures taken at home. School activities that focus on e security would, therefore, have a wider impact than the immediate audience. In addition, learning about protection against e-security threats as part of the school curriculum is likely to have greater impact on young people than any other information source. This is because of the level of trust and credibility that is generally associated with knowledge that is imparted by teachers.

The successful Tenderer should note that the e-security education module is an initiative under priority three (as outlined above) and will be distributed freely to all Australian schools. The ESNA can be found at: http://www.dbcde.gov.au/__data/assets/pdf_file/71201/ESNA_Public_Policy_Statement.pdf

2.2 Complementary Initiatives

The successful Tenderer is required to ensure that the module complements other e-security and cyber-safety initiatives detailed below that are either already in place or currently being developed. The successful Tenderer needs to ensure that the module links to, and is consistent with, the messages of the following initiatives:

Stay Smart Online

Stay Smart Online is the Government's e-security website. The website provides practical, step by step information for Australian Internet users on how to secure their computers and adopt smart online practices.

It focuses on four main areas:

  • 'Securing Your Computer';

  • 'Small Business Safe Online';

  • 'Smart Transacting Online'; and

  • 'Kids Safe Online'.1

Further information about Stay Smart Online can be found at: http://www.staysmartonline.gov.au.

Tenderers should note that the module will be hosted on this website.

National Alert Service

National E-Security Alert Service (NAS), a free subscription based service, will provide home users and small businesses with information on the latest e-security threats and vulnerabilities in simple, non-technical, easy to understand language. It will also provide possible solutions to address these threats and vulnerabilities. The NAS is currently being developed and will be delivered through the Stay Smart Online website.

Tenderers will note that the module is required to provide a reference to the NAS. Subscribing to this service will help teachers and students to remain informed about the latest e-security threats and vulnerabilities and what they can do to address them.

National E-Security Awareness Week

An annual National E-Security Awareness Week will be held in collaboration with industry and community organisations to highlight the importance of online security to Australians. The Week will also provide an opportunity to emphasise the importance of secure online practices to teachers, parents and students.

Australasian Consumer Fraud Taskforce

The Department is a member of the Australasian Consumer Fraud Taskforce (ACFT) which comprises 18 government regulatory agencies and departments with responsibility for consumer protection regarding fraud and scams. The ACFT runs an annual awareness initiative to increase the level of scam awareness in the community.

Further information on the Taskforce's activities can be found at http://www.scamwatch.gov.au

Cyber-Safety Initiative

NetAlert

The NetAlert - Protecting Australian Families Online initiative is managed by the DBCDE and includes:

  • The National Filter Scheme, which provides every Australian household and public library with access to a free Internet content filter to help block unwanted content; and

  • a new website and national helpline to provide advice about protecting children online, as well as access to the free filters, and information about how they work.

Further information on NetAlert can be found at http://www.netalert.gov.au

Australian Communications and Media Authority (ACMA)

ACMA's cybersafety education activities include:

  • providing information on current trends in Internet safety

  • undertaking targeted awareness raising activities - including the Cybersafe Schools and Cybersmart Kids programs in schools

  • the continuing review of filtering technology, including another trial of ISP-level filtering technologies in Tasmania

  • reporting annually to the Government on Internet filtering technologies to ensure Australian families are offered the best available filtering.

Cybersafe Schools

Cybersafe Schools is an Internet safety program designed to help teachers empower students on safe use of the Internet. Australian primary and secondary teachers are provided with appropriate curriculum support materials to enable them to deliver effective education programs. Students are presented with learning activities that are relevant, effective and created specifically for their level of education.

Further information on the Cybersafe Schools can be found at http://www.netalert.gov.au/programs/cybersafe_schools.html

Cybersmart Kids

Cybersmart Kids Online is a community awareness project developed by ACMA with the objective of providing parents and children with information and tools to help them have a rewarding, productive and safe experience of the Internet.

Further information on Cybersmart Kids Online can be found at http://www.cybersmartkids.com.au

Digital Education Revolution

The Digital Education Revolution is a major part of the Australian Government Education Revolution. Under the Digital Education Program the Australian Government has committed to provide:
  • grants of up to $1 million for schools to assist them to provide for new or upgraded ICT for secondary students in years nine to twelve; and

  • a contribution of up to $100 million for the provision of high-speed fibre-to-the-premises broadband connections to Australian schools.

Further information on the Digital Education Revolution can be found at http://www.digitaleducationrevolution.gov.au/

The successful tenderer should note that the module will assist in ensuring that the Australian students' improved access to ICT and high speed broadband will occur in a secure way.

2.3 Education Policy Objectives

2.3.1 Target Audience

The successful tenderer will design a module that can be delivered to Australian students in school years three and nine. The school years were chosen as a result of stakeholder feedback and research undertaken by DBCDE.

By school year three, many Australian students are using the Internet.2 While this age group is generally limited in their use of the Internet for information purposes or playing computer games, they are still exposed to e-security threats if not appropriately protected. It is important that students are made aware of these threats right from the start and have the skills and knowledge to appropriately protect themselves. This way they will be more confident using online technologies.

Students in secondary school differ greatly from students in lower grades in their use of the Internet. Year nine students are at the younger end of the spectrum of secondary school students. Secondary students tend to use the Internet for information, entertainment (eg downloading music or movies), transactions and social interaction (eg through social networking sites or online chat rooms). Given this, the exposure of this group to online threats can be significant and hence the need for greater e-security awareness and understanding. The focus on year nine is also consistent with the Government's Digital Education Revolution policy that targets students in years nine to twelve for new or upgraded ICT.

The successful tenderer is required to ensure that the e-security education module is tailored to year three and nine students based on their use of online technologies and their level of exposure to online threats.

The basic e-security messages taught in year three will be built on with more detailed and complex messages in school year nine.

2.3.2 MCEETYA's Statements of Learning for ICT (School Years Three and Nine)

The Statements of Learning were developed as a means of achieving greater national consistency in curriculum outcomes across the eight States and Territories. The Statements of Learning for ICT have been developed collaboratively by State, Territory and Australian education authorities. They provide a description of knowledge, skills, understandings and capacities that all students in Australia should have the opportunity to learn. The development of the Statements has involved identification of what is common amongst State and Territory curricula as well as what is essential for all students to learn.

The successful tenderer is required to ensure that the e-security education module will fit into the "Ethics, Issues and ICT" component of the Statements of Learning for ICT. The following are the relevant excerpts from the Statements which the module is required to be consistent with:

Statement for Learning: Year 3 Ethics, issues and ICT

Students have opportunities to apply ICT protocols and appropriate ethical expectations. They develop understandings of the safe and responsible practices required when using ICT through discussion and observation of practices.

Students examine the relevant values inherent in particular ICT environments and identify issues and practices for using ICT in a safe and responsible manner. They identify the owner(s)/creator(s) of digital information and acknowledge them.

Students use basic preventative strategies for addressing health and safety issues and reflect on their personal safety and information security practices when using ICT. They identify how ICT is used in the community and recognise ways they impact on people.

Professional Elaboration: Year 3 Ethics, issues and ICT

Students comply with expectations and protocols when using ICT. They develop understandings of the safe and responsible practices required when using ICT through discussion and observation of practices.

Students have the opportunity to:

  • develop and apply protocols for safe and responsible use of ICT

  • examine relevant values and identify issues and practices for using ICT in a safe and responsible manner

  • identify the owner(s)/creator(s) of digital information and acknowledge them

  • use basic preventative strategies addressing health and safety issues when using ICT

  • reflect on individual use of ICT to enhance personal safety and information security

  • identify how ICT are used in the community and ways they impact on people.

Year 9 Ethics, issues and ICT

Students have opportunities to consistently apply codes of practice relevant to local and global environments. They identify and discuss the potential and implications of ICT for learning.

Students take into account individual rights and cultural expectations when accessing or creating digital information, understanding that values shape how ICT are used. They adhere to codes of practice and apply strategies to conform to intellectual property and copyright laws, particularly in relation to online access. They analyse and evaluate their ICT use to consider economic, social, ethical, and legal perspectives. They also develop and maintain strategies for securing and protecting digital information.

Students select practices to ensure health and safety issues are minimised when using ICT and recognise that some users will have specialised needs. They apply their knowledge of how ICT are used today in order to predict possible future impacts on the workplace and society.

Professional Elaboration: Year 9 Ethics, issues and ICT

Students consistently apply the codes of practice relevant to both local and global environments. They identify implications associated with the use of ICT and discuss the place and potential of ICT for learning and in society.

Students have the opportunities to:

  • apply practices that take into account individual rights and cultural expectations when accessing or creating digital information

  • understand that values shape how ICT are used

  • adhere to codes of practice and apply strategies to conform to intellectual property and copyright laws, particularly in relation to online access

  • adopt practices to ensure health and safety issues are minimised when using ICT

  • develop and maintain strategies for securing and protecting electronic information

  • apply knowledge of how ICT are used today to predict potential future impacts on the workplace and society

  • analyse and evaluate ICT use, considering economic, social, ethical and legal perspectives.

The Statements of Learning for ICT can be found on: http://www.mceetya.edu.au/verve/_resources/SOL06_ICT.pdf

3. E-security Education Module

The successful tenderer is required to develop a module that assists schools in educating students about the importance of e-security and how to stay secure online. The module will be a resource for teachers and students.

The focus for the module will be on e-security aspects of online participation. The module will empower students in taking the initiative to secure their systems and their data, and to participate in online activities in a secure way. The successful tenderer will need to demonstrate how the module can complement and link to other awareness and educational materials on e-security and cyber-safety developed or being developed by the Australian Government, as discussed in Statement of Requirement 2.2 of this tender.

3.1 Methodology

The successful tenderer is required to design the module and the evaluation methodology in consultation with the Department and other relevant stakeholders identified by the Department.

While the complexity of content will be different for the different year levels, the general design principles and targeted behaviours should be consistent.

3.1.1 Design Principles

The successful tenderer is required to design the module with the following principles in mind:

  • Students recognise and appreciate the importance of e-security in their use of ICT;

  • Students adopt secure online behaviours and strengthen their computer defences; and

  • Students be aware of, and comply with, legal or organisational guidelines/policies around the use of the Internet.

3.1.1.1 Students recognise and appreciate the importance of e-security in their use of ICT

While school students heavily rely on ICT, including the Internet, for a range of purposes it is important that they do so in a secure manner so that they make the most of the benefits offered by these technologies. They must recognise that e-security threats can lead to serious ramifications such as theft of personal data. This, in turn, can also expose them to cyber-safety threats such as online grooming or cyber-bullying.

3.1.1.2 Students adopt secure online behaviours and strengthen their computer defences

Students must be made aware of the risks and consequences associated with insecure online behaviour, such as indiscriminate accessing and sharing of information and passwords, clicking on links in emails from unknown sources or providing personal information without a full understanding of how that information will be used.

In addition to adopting secure online behaviours, it is important that students are aware of the need to have appropriate technological measures in place to strengthen their computer defences, such as security software.

3.1.1.3 Students be aware of, and comply with, legal or organisational guidelines/policies around the use of the Internet.

Becoming an effective cyber citizen means that students recognise legal and organisational boundaries in relation to the use of ICT. They need to be aware that crossing those boundaries can have detrimental effects for themselves and many other people. This includes the indiscriminate sharing of software, music, movie clips and copyrighted information.

3.1.2 Desired Behaviours

The successful tenderer should outline how they will be able to design a module that fosters secure online behaviours. Key aspects of such behaviour for Australian students should include:
  • Implementing and maintaining technological security solutions;

  • Developing and fostering secure online behaviours; and

  • Understanding of appropriate responses should a threat eventuate.

3.1.2.1 Implementing and maintaining technological security solutions

Students need to actively ensure that up to date security software is installed and regularly updated on their computers, and adjust Internet browser security settings to an appropriate level.

3.1.2.2 Developing and fostering secure online behaviours

These include:

  • Identifying practices that may compromise systems and data, such as clicking on links within emails and pop ups.

  • Developing safe password management habits, such as changing passwords regularly and ensuring that others are not able to access their passwords.

  • Actively looking for well-known and universally accepted signs of security reassurance from websites, messages or emails. This is especially important when accessing websites that ask for personal and/or financial details. Some examples of well-known and universally accepted signs are the https at the beginning of the address bar and a locked padlock at the bottom of the browser screen.

  • Awareness of the importance of Acceptable Use Agreements3.

  • Downloading and sharing files in a safe way, including the acknowledgement of intellectual property rights and copyright protection.

  • Managing spam, scam and hoax messages.

  • Managing their information in a way that ensures their privacy and protection from identity theft.

  • Using wireless connections and open Internet terminals in a safe way.

These behaviours can be applied in the use of multiple ICTs, such as computers and mobile phones.

3.1.2.3 Understanding of appropriate responses should a threat eventuate

This includes:

- Reporting unusual activity (eg computer is exceptionally slow) to parents, teachers or the owner of the compromised computer,

- Awareness of the necessary steps to clean up a system,

- In serious circumstances, assisting in the process of reporting security breaches to the relevant authorities,

- Re-installing data through back-ups; and

- Seeking extra help in relation to e-security issues. This includes accessing appropriate websites for further information on how to respond to e-security issues.

4. Compatibility

The successful tenderer is required to ensure that technical interoperability is a key feature in the design of the module. The module is required to take into account the differing ICT capabilities of schools as well as individual school policies blocking certain sites and downloading software from the Internet.

The successful tenderer is required to clearly articulate the minimum system requirements for the module to run and the anticipated Internet connection needed for the module to successfully run off the Stay Smart Online website. The module should run on Windows, Mac and Linux based systems.

5. Accessibility

The module is required to comply with Australian Government accessibility requirements, which can be accessed at: http://webpublishing.agimo.gov.au/

Australian schools should be able to easily access the module via the Stay Smart Online website, any additional website requested by the Department and a compact disc (CD). ...

1 Note that this section provides links to NetAlert, which is discussed later in the document.

2 Note that the 2005 report kidsonline@home found that children are accessing the Internet at younger ages, with just over 30% of children having started using the Internet at age five or six years old. The largest portion first accessed the Internet at age nine or 10. It is envisaged that by targeting school year three, the module is targeting students prior to the largest take-up of the Internet.

3 Acceptable Use Agreements are documents where students sign a “contract” agreeing to use ICT and the Internet in a way that is acceptable by the ICT owner. An example of an acceptable use agreement can be found on: http://www.ict.schools.nt.gov.au/computers_networks/forms/AUPolicy_EC.pdf

From: Request for Tender for E-Security Education Module for Australian Schools, 5.5 Services, ATM document set, DBCDE, 4 March 2008
