Can someone enlighten me as to what this may be? Checking the site stats, we had a visitor who arrived here on the back of a search for “Buddha Porn”?!?! :-)

I suppose that now this is recorded, we may get more hits on this subject.

Posted in: Uncategorized


Just picked up on this one through an NZ ISIG thread and followed up to a Computerworld US story on PCI compliance becoming Law in some parts of the US.

There are still detractors out there bagging PCI and asking why bother, but if it takes something like this to get widespread good practice happening, I am all for it. The standard has a way to go. I think the PCI body knows this, but there’s not much else out there with the same impact and reach. Bring it on.

Posted in: PCI, PCI DSS


I thought the following responses from the previous post were interesting enough to throw them into a main thread. Serious questions are asked and points put forward about a lack of action against cyber criminals that do present a case for consideration……

While we all know that government agencies do partake in “interesting” business on the Net, how widespread and to what levels does this go? One for the conspiracy theorists.

Anonymous said…

Draz,
firstly, my full respect to Stas, whose presentation was remarkable and highly informative; however, the overall picture is *far* more sinister than Stas alluded to, in my opinion. Perhaps Stas was being diplomatic. :-)

Look closely at the factual info Stas has collated, combine that with the information presented by those ‘other’ guys (you know – the men in black wearing dark sunnies -can we mention them ?) and other presentations by organisations who should remain anonymous for obvious reasons.

My question is – what is the overall picture of global online fraud right now ?

The high degree of sophistication, organisation and inaction by countries that corruptly ‘allow’ these operations to continue unhindered are real indications that online fraud has moved far beyond the realms of ‘organised crime’ into a completely new ball game. At best, we’re talking about being State-endorsed, and at worst, State-sponsored, crime.

Think about it. There’s *serious* money to be made, billions of dollars at stake, 24/7. And your country’s suffering, corrupt economy badly needs cash. You need a low-risk, high-return operation. You need to be able to cover your tracks to avoid potential embarrassment & sanctions. What to do ?

This is potentially a very dangerous thing if you consider the implications – having the backing, support and organisation of an entire country to fund your best brains to support your country’s secret online crime operations.

And if your operation unfortunately gets exposed by another country’s online crime agency, who does your country blame ? You guessed it – ‘Organised crime’. Well, it’s organised all right, but this time it’s not the crime gangs or Russian mafia.

Hopefully I am wrong. But I doubt it. The other question I have is, how many countries are already involved, and what are our agencies doing about it ?

29 May 2007 12:33:00

Anonymous said…

Los Angeles Times
January 12, 1998 (WASHINGTON)
Foreign spies target U.S. industry
FBI says at least 23 nations take part in economic spying

… Fraumann wrote that Germany’s Federal Intelligence Service had been “very active and quite successful” in economic espionage by using a top-secret computer facility outside Frankfurt to break into data networks and databases of companies and governments around the world.

Their operation, code-named project RAHAB, he wrote, involves gaining systematic entry into computer databases and accessing computer systems throughout the United States, targeting electronics, optics, avionics, chemistry, computers and telecommunications.

29 May 2007 15:27:00

Posted in: cyber crime


Just got back from AusCert 2007. No fallout from my bagging the annual survey and no nude protests in front of our stand as was threatened. It’s no Black Hat, DEFCON, or for us local guys, Ruxcon but there were some good presentations.

My favourite had to be Stas Filshtinskiy’s presentation on cyber crime – a real-world analysis of what is actually happening out there. With his knowledge of Russian allowing him to navigate Russian sites, he has been researching the types of underground (so to speak) activity happening on the Net every day: identity theft and sales of “identity” (just summarising here), credit card details, botnet sales, hacked server sales/ownership, logs, sites that traded all of the above…etc etc. Very eye-opening and something CEOs should be sitting here and listening to.

At one point, it was interesting to see a slide relevant to Australia that showed a website selling 700 “owned” servers in Australia to whoever wanted to buy them. I think many in the crowd thought, “wow, 700”. I am sure Stas was only showing information from one of a score of sites selling similar information! We looked around the room and thought that there were probably quite a few servers on sale on that site that belonged to guys in the room…. 700? Very conservative number.

An interesting point that Stas made was on the amount of time and effort these guys put into developing their software and keeping it updated, hidden (and secure). There is some amazing talent working the wrong side of the fence. Most developers we run into could do with the same level of dedication and commitment. (Yeah, I’m ranting again….but that’s the point of this site). It also makes you wonder whether these guys are helping the organisations that they are “using” keep to their SLAs for uptime. Hey, don’t laugh…..it’s probably happening……if all seems to be working well, well then, there must be no problem.

Stas talked about their management systems. Would Tivoli or the like compare? Just think about that one and consider the thousands or millions of systems they are “managing”.

I don’t have a copy of Stas’ presentation due to him not being able to make it public. (Legal at his work I assume). We are hoping to get Stas to present this again at an upcoming SA session.

Joanna Rutkowska’s presentation (link from Black Hat earlier this year but pretty much the same) was probably the most technical of the conference. (I told you it’s no Black Hat, DEFCON or Ruxcon). From our perspective, it was cool to see her reference Security-Assessment.com’s work presented at Ruxcon 2006 and use Adam Boileau’s Firewire hack throughout her presentation. Who is Joanna? :-)

Posted in: cyber crime


Hey guys, if you’re at AusCert 2007 come by the SA stand and say hello.

Posted in: Uncategorized


I kicked off a new company this week….Securus Solutions.

No, I am not selling out.

SA……here’s the plug … www.security-assessment.com is still my baby and it always will be. World’s best security consulting team! Come on….tell me a better one! :-)

Anyway…….the two organisations will be chinese-walled from each other and always will be.

I set up Securus (no stupid play on words….it means “Safe” in Latin… :-) …. because I’ve gotten to know a lot of dudes who had some good product and asked me to front it for them. Security-assessment.com doesn’t do that as you know.

I thought, well do you trust that with your typical reseller? No……thus, Securus Solutions.

More good stuff to come……we’re only starting.

DD

Posted in: Uncategorized


I had a few emailers looking for more information on this topic in response to the post on web application security and choosing your developers carefully.

SA plug coming……. the Security-Assessment.com website has more information on what the testing entails. Click down into more information for an overview of what and how we do this type of testing.

We’ve also got a couple of recent presentations on web application security on the presentations page which may be of interest.

SA plug coming…. for this type of testing, we can look after clients all over the world, so no matter where you are, do give SA a yell.



AusCert takes a stand against budget cutbacks. Related to this post.

Seriously though….I’ve talked about these security surveys before….here. As much as I appreciate the work of fellow security community dudes, we still need to question each other’s work’s relevance, accuracy and what it means in the big picture of improving security practices.

Do these surveys reflect what is happening out there? How accurate are they? AND, my big bugbear, how do the dudes responding know what is actually happening, so as to provide more accurate stats?…..ie; we see it every day (as I mention in almost every post)….most companies have no idea what is happening! …so what do the stats really mean? I’ll put it out there and say they are useless and far from accurate stats!

You may say, “Hey Draz, but at least they highlight some of the problems?”…yeah, they do….but I’ve never met one senior decision maker in a company that has even read or heard of the surveys….or rather, I should say, remembers having seen them. So do they preach to the converted? Yeah…they do! Sadly, no one will miss the AusCert Annual Survey in my opinion. They should!

(Aside: SA has a stand at the next AusCert conference next week. Readership here may be small enough for me to feel no repercussions of this post>:-))

Posted in: Uncategorized


A poorly developed web application can potentially open up an organisation to business-threatening problems. Exaggeration……no way. I know, because we see it every day.

A friend, CEO of a good sized company (offices in Australia, Asia and London) recently decided to make a serious move into eCommerce B2B and B2C.

Security-Assessment.com did not need to be involved with the project because the third-party developer was reputable and had good reference sites, I was told at a BBQ by the CEO over a few beers. (CEO’s not an IT guy – he’s a successful businessman). After sharing a few generic war stories with him (incriminating no one, as per our policy), I suggested I get a couple of the boys to have a look at the new site anyway – given the potential new exposures he’s opened his business up to now…..which he previously did not have to concern himself with.

In a nutshell, his business went from being a strong and secure bricks-and-mortar organisation to one that now bled customer and competitive information to anyone who wanted to see it on the Internet! How does open access to the back-end customer database and real-time access to orders as they came in grab you?……amongst many other things! In addition, some other nice touches included the complete site code zipped up for anyone to download and also, get this, the developer had a beautiful photo of his wife and new baby in a bath tub on the site for the world to find.

Anyway, we deliver the report with recommendations, and the CEO and his GM strip out the major issues to confront the developer directly. Now here’s where it gets good, and keep in mind, CEO and GM are not IT guys..so the developer thinks he’s going to put it over them. Here’s the main gist of the developer’s response:

- “No, we don’t follow OWASP. The standards that we follow are W3C web standards for front end/interfaces”.
- “In regards of the back end coding, this depends on the environment and we implement the best practice. However, since the website has payment gateway, it uses SSL Certificate (128 bit encryption) to make sure no personal Credit Cards details are exposed to the net”.
- “Just so you are aware that for any big corporate website eg. [DD: Aussie Bank name removed] website we do follow security standard which is ‘Application Security Guidelines’ from [DD: company name and website link removed.. but it was a small IT security consulting business / SA competitor], basically this is a security bank standards. In order to for us to implement this standard, we need to be notified in advance if this is necessary since implementing this incur additional charges which is not small”.

Can you believe this? Let’s look at this more closely:

(1) The first statement said nothing more than that they develop websites. For a laugh, we ran a W3C validation report and guess what, they failed. Not a big deal as such, but if you state this, at least be able to back it up.
(2) Well duh! SSL protects the card details in transit and nothing else. We’ll get that information (and more) from other places……as we did. :-)
(3) So, just because CEO’s company was not a “big corporate”, what, he doesn’t warrant getting a secure site built?! AND, if he wants a secure site, this will cost extra! WTF? What year are we in?? In addition, the developer discusses some standard we could not find on the site he noted. We’d never heard of it, let alone of it being the “security bank standard”. On contacting our competitor (who was quoted) to confirm, they stressed that in their work they refer their clients to OWASP and didn’t really know why their name was used or what this guy was talking about!

Sadly, we see this all the time. It is good, though, to see organisations getting more aware of web application risks and doing something about it, but we are a long way from being able to say this is not something we see every day.

A few tips for anyone developing a new website and web applications – whether being done in-house or getting third-parties in:

- Aside from ensuring all the functional requirements are there, ask about how the application is going to be secured.
- Ask whether security is a strong focus in the SDLC.
- Ask how security is tested.
- Ask whether OWASP guidelines are followed. (If they’ve never heard of OWASP, I suggest you run!).
- Get a reputable security company to test the application’s security prior to release.

The risks of not doing this are potentially business threatening.
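To put the developer’s “we use an SSL certificate” line and the tips above into concrete terms, here is an added example (my own illustration, not code from the post or from either company involved). It models the two findings the post describes, an order endpoint that served any customer’s orders and a site-code archive sitting in the web root, and shows the kind of pre-release check a tester runs: transport encryption is assumed throughout and changes nothing, because the defect is a missing ownership check. All order data and the web-root listing are constructed sample values.

```python
# Added example, not from the original post. Illustrates why "the site uses SSL"
# says nothing about application security: TLS encrypts the request in transit,
# but a handler that never checks who owns an order leaks every customer's orders
# to any logged-in session over that encrypted channel.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    total_aud: float
    card_last4: str


# Constructed sample back-end data: two customers, three orders.
ORDERS = {
    1001: Order(1001, customer_id=7, total_aud=250.00, card_last4="4242"),
    1002: Order(1002, customer_id=7, total_aud=19.95, card_last4="4242"),
    1003: Order(1003, customer_id=9, total_aud=1200.00, card_last4="1111"),
}


class Forbidden(Exception):
    """Raised when the session may not read the requested order."""


def get_order_insecure(order_id: int, session_customer_id: int) -> Order:
    """'Before': returns whatever order id is asked for. The session id is
    accepted but never consulted, so ownership is never enforced."""
    return ORDERS[order_id]


def get_order_secure(order_id: int, session_customer_id: int) -> Order:
    """'After': same lookup with an access-control check (the OWASP-style fix).
    Unknown ids and other customers' ids both raise Forbidden, so the response
    does not even confirm whether an order exists."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise Forbidden(f"order {order_id} not accessible to customer {session_customer_id}")
    return order


def can_read(handler, order_id: int, session_customer_id: int) -> bool:
    """Release-gate helper: does this session get a successful response?"""
    try:
        handler(order_id, session_customer_id)
        return True
    except (Forbidden, KeyError):
        return False


def readable_orders(handler, session_customer_id: int, candidate_ids) -> list:
    """Release-gate test: the set of orders one session can read. For a correct
    handler this must equal that customer's own orders and nothing more."""
    return [oid for oid in candidate_ids if can_read(handler, oid, session_customer_id)]


# Second finding from the post: deployable artefacts left where the web server
# will happily serve them. A pre-release sweep of the web root catches these.
RISKY_SUFFIXES = (".zip", ".tar.gz", ".bak", ".sql", ".old")
RISKY_DIRS = {".git", ".svn"}

# Constructed sample listing of a deployed web root.
SAMPLE_WEBROOT = [
    "index.php",
    "css/site.css",
    "images/logo.png",
    "backup/site-source.zip",
    ".git/HEAD",
]


def find_exposed_artifacts(paths) -> list:
    """Flag files in a web-root listing that should never be served."""
    flagged = []
    for p in paths:
        parts = p.split("/")
        if p.lower().endswith(RISKY_SUFFIXES) or any(part in RISKY_DIRS for part in parts):
            flagged.append(p)
    return sorted(flagged)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("insecure handler, customer 7 can read:", readable_orders(get_order_insecure, 7, ids))
    print("secure handler,   customer 7 can read:", readable_orders(get_order_secure, 7, ids))
    print("exposed artefacts in web root:", find_exposed_artifacts(SAMPLE_WEBROOT))
```

The point of `readable_orders` is that it is the test a reputable security review would run before release and the test the developer’s own SDLC should have contained: customer 7 must see orders 1001 and 1002 and nothing else, regardless of how strong the certificate is.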



I’ll leave the latter question for now and look at the first one. Second Life, on the face of it and as has been reported widely, opens up a world of e-opportunities for business. Just google it if you haven’t heard about it. It’s getting mainstream press everywhere. You’ll wonder why you haven’t heard about it!

The “Otherland” series of books by Tad Williams gives you the feel for how life may become….and more than likely will. Second Life seems like an early incarnation of what Williams plays out in his stories. This is something our kids or their kids will see as a normal part of their lives. Do I sound like a raving lunatic? Maybe….but marketplaces like this are coming. It is inevitable.

Many large corporates are already investing in L$ (the Second Life currency) for marketing purposes, but seriously, is porn and other illegal stuff going to dominate (akin to the Internet)? At present, it looks like it!

Don’t get me wrong….I’m excited by things like this….done right (but how do you manage it?)….. How do you stop it turning into a “dirty” and unregulated society..a place where you can virtually do what you want? A place outside the law? It’s heading that way…..smh story.

Don’t get me wrong. I’m no prude, but I see that games like this (more than a game actually) make it harder for parents to control their kids’ access to inappropriate material. How can they?

I went into Second Life for the first time last weekend. I had read about it and it sounded interesting. As a businessman, I thought I should stay abreast of new marketing channels for my business. Now some of you that know me may say that I looked for it….but NO…….it wasn’t hard and within a few hours (it takes that long to do your orientation) I was walking into houses and Islands dedicated to porn and virtual sex. NO…I did not look for it. It was there!

I wouldn’t have my kids on this and at present, I surely wouldn’t promote my business in it….but then again…….companies said the same about the Internet.

Posted in: Uncategorized

