Our friend Donal posts his thoughts in some detail at Ockham’s Razor. As with most of D’s stuff, well worth clicking the link!
It will be interesting to follow the response to this on the net:
http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx
He can post absolute rubbish and his congregation will always be there for him with comments/responses… (that he never responds to…but they don’t care).
http://www.schneier.com/blog/archives/2008/04/tracking_vehicl.html
Hey, don’t get me wrong, I love a lot of BS’s stuff and his feed is on DSN but seriously…FFS….surely sometimes he’s just taking the piss and seeing how many “followers” take it seriously.
I’ll probably go to infosec hell for this.
I now need more than 2 hands to count the number of times an organisation has told me that they make too much money for the banks to have PCI DSS compliance forced upon them. It doesn’t matter what you say or what case studies you provide (e.g. TJX and the millions it has cost them), it just does not hit home. They believe their size means they don’t have to play by the rules. As covered previously here.
Maybe it’s an Australian thing and they’re just not aware of what is happening elsewhere in the world. You never wish bad upon someone, but you sometimes do think; “yeah….why don’t you just keep testing your theory….let’s see how nice the bank and PCI will be if/when something happens”. (Does that make me a bad person?)
We’re expanding the coverage of DSN and also now categorising (as best we can) all the latest IT Security news feeds from around the world. You can still in one view read everything, or just view the category that interests you. In the next couple of weeks, our research team will work to expand some of the categories such as “Security Theory”. As usual, your comments, criticisms and ideas are most welcome.
I wonder how many organisations question their “security appliance” vendors about the actual security of the security appliances themselves. i.e. what testing is done, how often, patch release testing, security in their own SDLC etc. From experience, we see most organisations make the assumption that since this is a “security” appliance, it must be secure.
Making assumptions that these systems are secure, and thereby not including them in security tests and reviews as part of the organisation’s security assurance program, can potentially open up an organisation to security compromises.
We work with security appliance vendors and do testing for them on their systems. These guys we trust because we know they care and are committed to providing secure systems to their clients.
Are they all doing that? We know that these systems are just as open to vulnerabilities as anything else in the corporate IT environment. Don’t assume your security appliance is secure. Ask questions and include these systems in your testing programs.
The following is my bitch about the PCI Security Standards Council.
“Hey..WTF?”, you may say, “Draz, you have been a huge supporter of PCI DSS for a long time!…We always see you in the press being quoted on the positives of PCI DSS and we read stuff in Beast or Buddha all the time about your positive thoughts on it!”…..Yeah, I have been, but my patience/interest with the “governing” body is in some serious problems! Where do I start…no particular order:
Each week he visits another company and sorts out their problems in his own unique way. I could imagine a talk with many CIOs going along the lines of:
“Oh ^%$ me….what the &*$# are you actually %*&*ing doing here? Okay, show me what you actually @%$ing know about *&^%ing security!?…..if your customers actually &*$^ing knew what the $*&$ you $*&$ing do and don’t *&$#ing do, you’d make them *&^$ing ill. And who’s this #&^$ing guy you have looking after $&##ing security. Why don’t you *(#$ing listen to him?!…… oh *&#$ me!”
Blunt or beating around the bush…..what works best? I would watch this show.
I have the barrel and the fish are in it and I am about to shoot…..Yes, we predicted this. So what is new? Okay…here’s a few free hits to the site to make them feel good: http://www.safecode.org/ and members: http://www.safecode.org/members.php
The biggest news is that Nokia has joined. The “Best Practice” papers should not be printed..save the environment or at least if you have to, let your kindergarten kid scribble on the back of the page after you have discarded the rubbish as useless! So this is what our industry is doing? So this is what shareholders of these companies are investing in?
WTF are the CEOs of these companies thinking, doing and agreeing to????
Okay, some have seen this:
http://www.scanlesspci.com/
Yes, ScanAlert has copped it recently and rightly so! But I do take offence to my mates at Qualys being mentioned! You can’t compare a WRX to a Ferrari! The dude is funny but if all my clients ran Qualysguard at least weekly, I would be feeling like they are some way there to being more secure than 99% of companies we see! For a small investment, it’s a big step in their security! A start at least!