Bjorn's identity

Once again, DotSec were proud sponsors of the AusCERT information security conference.

The event was great, and provided a good opportunity to catch up with past colleagues and discuss a range of topics.

We gave a presentation entitled "Bjorn's identity" (very witty, I'm sure you'll agree :-) but which could also have been entitled "Identity Management at Queensland Health: A True Story!"

The presentation described a couple of things:

First of all, it described how DotSec, QH and Australian and overseas publishers have successfully implemented SAML-based Identity Management (IdM) for a variety of resources that make up the Clinician's Knowledge Network (CKN).

The presentation gave an overview of what CKN is and does, the goals for IdM within the CKN, and the benefits that have resulted from implementing the CKN IdM infrastructure.

The presentation also outlined some of the tricks and traps that were associated with the deployment, and some of the options for CKN and IdM in the future.

Of course, no presentation is much fun without live, on-line demos, so we connected our laptop to the WLAN and ran a couple of demos on the servers back in Brisbane. The demos showed a couple of things, including how Dr Bjorn could rely on the underlying IdM infrastructure to take advantage of Web Single Sign-On and Single Log Out.

That was neat enough, but for the real meat we showed how Bjorn could share private information across servers in different domains, in a controlled way. Our demo servers utilised DotSec's SAML-based IdM infrastructure and Google's Google Apps authentication infrastructure. Demo applications were hosted on servers within both environments, and both were able to securely exchange Bjorn's calendar information in a controlled way using SAML and OAuth.



Please feel free to download the presentation slides and to contact us if you have any questions or comments.

Internet banking is dead! Long live Internet banking!

Once again, DotSec were proud sponsors of the AusCERT information security conference. The event was great, and provided a good opportunity to catch up with past colleagues and discuss a range of topics.

DotSec was also able to deliver a presentation, which is linked to below, but first of all, a confession: the title of this presentation is intentionally tongue-in-cheek, and we do not really think that Internet banking, as a general service, is dead. In fact, the presentation did not even focus exclusively on Internet banking! However, since Internet banking is essentially one of the archetypal secure online applications, it provides a convenient example of why secure application-development frameworks should exist, as well as illustrative examples of what can go wrong if they do not.

In order to provide some concrete examples, the presentation included live demonstrations of three types of attack. The demonstrations were based on vulnerabilities that we have seen in applications from the legal, government, education and finance sectors, all of which were munged together and anonymised on a fake DotSec-hosted site for use during the presentation.

Please feel free to download the presentation slides and to contact us if you have any questions or comments.

Previous topics:

Links to topics that have been discussed over the previous months:



The "SSL is hacked/broken/compromised" story is, as told by most "news" sites, an alarmist and information-free beat-up, made by people who should know better! They mix up 4 different risks, 2 protocols and a good dash of FUD, and bake us up another Henny Penny headline that only serves to confuse people further!



"Internet Banking Is Dead!" is a short presentation that DotSec was proud to deliver as part of the QUT FIT Industry Working Breakfast series.



DotSec conducted demonstrations using Shibboleth to bust the myth that privacy must be sacrificed in order to achieve strong security.



Surely there are more valuable targets out there for attackers to chase after? Why on earth would any attacker target my business?



Greeting-card and other phishing attacks are often multi-faceted, and many rely on vulnerabilities in applications that are commonly used as plugins by the user's web browser. Here is a short overview of some of the techniques used, which may prove useful to you.



Spam, spam, more spam. Most of it is boring, so why was this email interesting? Read on and see what you think.



"Holistic, or full of holes? PCI, HIPAA and experiences in implementing secure computing systems". Feel free to check out the abstract.