Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PSS DSS requirement 6.6! Where were they before this???? All  heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger per chance is all of the sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may have already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS  6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

Internet Banking in NZ - Will be interesting to see some test cases….

July 4th, 2008 Drazen Drazic

The Kiwis have had this on the table for a while. Computerworld NZ and MIS Australia amongst others have covered it recently with changes being made to the rules governing online banking in New Zealand.

The Computerworld NZ story has a quote that doesn’t seem to make that much sense but in context of the history of this and what could have been, is now a bit more understandable; “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.

While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.

Mac and Linux users I suppose need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back as a general rule are also watching this.

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 1 Comment »

The Pope is coming so you must be nice or you’ll be in trouble…

July 3rd, 2008 Drazen Drazic

By straxd

Nobody expects an Australian inquisition….

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; co-incidentally written by Julian of Chaser fame. One could put forward the argument that this has been setup for the Chaser team and other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone!

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, WTF | 15 Comments »

McAfee concludes some awesome research….

July 2nd, 2008 Drazen Drazic

I don’t really know what more to add. Just in case you weren’t aware of spam and its prevelence and intent:

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime | 1 Comment »

Another consortium formed to “enhance global IT security”…

June 28th, 2008 Drazen Drazic

Is this a reaction to the monkeynet project? You have to wonder.

We had SAFECode announced last year and now comes ICASI, (Industry Consortium for Advancement of Security on the Internet). Release:
http://www.icasi.org/articles/art_001.htm

How they’re going to; “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium!

Recent update on SAFECode.

Posted in Dumb Security, Research, Risk Management, WTF | 6 Comments »

A look at Australian Telecoms……

June 28th, 2008 Drazen Drazic

Enjoyed this post at Wade’s on; How the Australian Carriers Missed it.

Posted in Bad Stuff, Research, To cool | 1 Comment »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

Eg; Insurgencies in countries such as Iraq where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), (like myself), you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

PCI DSS 6.6 - Getting on the comment bandwagon……

June 24th, 2008 Drazen Drazic

This one’s had quite a bit of press time, and discussion around the blogs recently - moreso as the deadline has approached. In Australia, it’s been relatively quiet in comparison to the US though. I think the fact that compliance across the board here is a way behind the US has a lot to do with that, with many organisations here still either unaware of their responsibilities or far off from being compliant.

Is all the publicity and debate around PCI DSS requirement 6.6 a bit of a storm in a teacup? I think so. I’ll put the case forward also that if your are compliant with the PCI DSS now, the new requirement 6.6 is superfluous:

Read the rest of this entry »

Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security | 1 Comment »

Trend Micro attacks the bad guys on their own turf….

June 22nd, 2008 Drazen Drazic

Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and I.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password”

We await more information on this. Amazed this has not made headline news in the IT media!

Related post.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, news | 3 Comments »

Information Security Certifications……

June 22nd, 2008 Drazen Drazic

At Securus Global (blatant marketing plug for all readers should you need our services), when I hire specialists to join the team, “certifications” to me, mean zip…nothing….zero! We get CVs all the time and we are in a proud and lucky position based upon our reputation that people want to work at SG! I feel honoured by that and every CV sent to us, makes me feel like SG, as an organisation, is somewhere, where real industry passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).

Read the rest of this entry »

Posted in Bad Stuff, Disclosure Laws, Research, WTF | 4 Comments »

I missed the National E-Security Awareness Week…..

June 21st, 2008 Drazen Drazic

Why didn’t someone remind me! Was it good?
http://www.staysmartonline.gov.au/latest_news

I also missed the Over the Horizon forum, but it was for experts…..but I don’t know any experts who attended. Feeling very unloved at the moment. (Thanks Nick for this link)

Posted in Risk Management | 4 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPURCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

IT Media - Cutting Edge Reporting

June 12th, 2008 Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these type of ’stories’ need to be highlighted for what they really are - paid advertising.

This time, it’s our old friend at Symantec - schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

Whats the ’story’, you ask?

Read the rest of this entry »

Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

The Common Configuration Scoring System - NIST Draft

June 12th, 2008 Drazen Drazic

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative hasn’t been
as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml perhaps.

Read the rest of this entry »

Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime | No Comments »

39% of Australians Victims of Cyber Crime?

June 10th, 2008 Drazen Drazic

Another survey and some more frightening statistics as reported in CW and affiliated sites. Luckily the company that undertook the survey has the solution; “Protection against all Internet threats“. (Hey, their words, not mine!)

Does anyone have a link to the survey? 39% sounds pretty high but I have no context from the articles.

Secondly, AVG seems to have joined Symantec with the magic solution. Amazing that we allow companies to get away with such advertising! Related post on mis-leading and false advertising.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, news | 5 Comments »

The monkeynet project kicks off…..

June 6th, 2008 Drazen Drazic

Speculation has been rife and the rumour mill going crazy but I can announce that the monkeynet project has now kicked off. Visit and explore the site for more information and to stay abreast of the latest news on the monkeynet project. (Find the secret area with information on the “secret” projects). Join the initiative and become part of the monkeynet project.

Background:

Read the rest of this entry »

Posted in Research, news | 8 Comments »

Stay Smart Online - Latest Australian Government Initiative…

June 6th, 2008 Drazen Drazic

I wonder what the old teams and program developers at NOIE/AGIMO etc think about the latest re-branding of government’s effort to demonstrate care about individual’s and businesses use of IT. (As reported here). I remember the old NOIE site. It was pretty good; rich full of information and a great source of help and knowledge. It was a shame relatively very few people were aware of it.

The latest incarnation with a few added “features” comes at a cost of $1.2M (just on the contract alone to AusCERT as reported by the Australian Newspaper). Will be interesting to see how it all goes…….

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 6 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

Data Classification - Effective? Has it ever been or really worked?

June 2nd, 2008 Drazen Drazic

I was talking to a colleague to the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on.

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.

Read the rest of this entry »

Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management | 11 Comments »

Cringe….you’re not using that “Twitter” thing are you?

June 2nd, 2008 Drazen Drazic

It’s either that response or something along the lines of; “What the hell is that all about?”, “I don’t understand it!”, “Looks like crap!”. I was of the same opinions when Wade introduced me to it a while ago. (Per chance, Wade’s latest post is on that exact topic). I signed up out of curiosity and followed what was going on.

Read the rest of this entry »

Posted in Uncategorized | 3 Comments »