Outsourcing………

June 30th, 2007 Drazen Drazic

Is it just me that takes offence when another big Australian company justifies outsourcing IT jobs overseas by claiming “skills shortage” and then qualifies it by saying “it’s just the operational work………we’re not outsourcing intelligence!”

Big call on the latter ever existing guys!

Posted in Dumb Security | 2 Comments »

Declan on the PRG Trojan………

June 30th, 2007 Drazen Drazic

From Computerworld.

Posted in Bad Stuff, cyber crime | No Comments »

SyScan 07 in Singapore

June 29th, 2007 Drazen Drazic

Paul Craig from SA will be presenting on “Next Generation .NET Vulnerabilities” at SyScan 07.

This will be a good session.

Other SA presentations can be found at our website.

Posted in Research, Web Application Security | 1 Comment »

Security Engineer at MS - Rated 6th worst job in science…..

June 28th, 2007 Drazen Drazic

From Popsci.com; their 10 worst jobs in science.

You have got to love the comment from the MS dude: “………….Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless.”

Posted in Uncategorized | No Comments »

Kiwi Banks propose to pass liability onto the customer…….

June 28th, 2007 Drazen Drazic

This NZ ComputerWorld story from over the ditch, “Banks demand a look inside customer PCs in fraud cases”, is a bit of a concern. If it progresses, it will be interesting to see how they propose this working. This worries me, or should I say scares me, given some previous experiences of banks wanting to touch customer systems:

A few years ago, the NSW Police called a meeting with the IT Risk and some Security Heads of the major banks here to discuss Internet Banking fraud. At the time, it was a knee-jerk reaction to old news that they had stumbled upon to do with Gator and similar software on kiosk machines and user systems etc. The focus of the meeting was to discuss ways to put into place mechanisms to prevent Internet Banking fraud. Hey, pretty cool I thought, finally some real discussion on security, better than just something one level above basic auth.

The following is entirely true. You just can’t make up stuff this funny……..no one would believe you.

Somehow, from the outset, the discussion turned to anti-virus software on user machines. (Did I mention Symantec led off the “discussion” with a presentation on themselves?). Where is this going I am thinking? Are we looking at the bigger picture here? The next hour was spent in discussion on how the Banks could pass the burden of Internet Banking security responsibility entirely back onto the customer. The following suggestions were proposed:

- We (the banks) could scan their (customer) machines to determine whether anti-virus software is installed.
- Hey, but how will we know if the user runs the software? Easy, we’ll set off the scan (i.e. read: scan the whole machine) before they can access Internet Banking!
- Hey, but how will we know if the signatures are up to date? Easy, we’ll just check the versions, enforce the update and then set off the scan before they can access Internet Banking.

See where I am coming from? But then…..the showstopper, that for about 2 minutes was the silver bullet to Internet Banking Fraud. I shit you not:

“Guys, why don’t we scan their hard drives from our systems once they login!”

What can I say? The majority of the room was in agreement! From there on, it’s a real blur. The room started spinning for me. Vague recollections of workgroups proposed to make this happen, some back patting and then agreements to meet again soon.

I made the mistake of chipping in at the end (the only chance I got), with a question on what we (the banks) were going to do from our end. I mentioned the current levels of authentication being questionable and put it out there that this could be something we look at also. Did I get daggers or what? Luckily this workgroup never met….I think…..If it did, I wasn’t invited.

So…back to our NZ cousins. Let’s hope that the Banks work with a focus that also looks within themselves. That is where most of the solutions to problems will hopefully be found…though nothing is fool-proof. In the end, stupidity on the part of the customer should be assessed in terms of liability……..but weren’t computers initially developed to remove human error from the equation? :-) …..

This will be an interesting story to follow.

Posted in Disclosure Laws, Dumb Security, Web Application Security, cyber crime | 1 Comment »

Banks pushing back on costs for breaches….

June 27th, 2007 Drazen Drazic

This is a topic that has been hotting up in recent times, and this story today from CIO provides further insight into possible directions this will take: “Banks Say Share of Credit Card Security Costs is Unfair”.

What I find interesting from this article are the following quotes:

Vanessa Pegueros, US director of compliance services at AT&T, contended that banks are “thumbing their noses at the PCI regulation, so we are paying the price.”

“We were doing a good job — maybe not as fast as some would like, but we were on a plan and trying to meet the [PCI] requirements,” Pegueros said. “But [Visa is] trying to take a hard-line approach, and we’re caught in the middle. Now we have to adjust our plans.”

Gartner analyst Avivah Litan agreed that banks are not yet taking adequate measures to comply with the PCI standards.

“There has not been a lot of enforcement at the bank level,” she said. “All the enforcement scheduled has been on the processing and retailer side, so it has been unfair, frankly.”

Litan said retailers are upset because they believe that they are being held to a higher standard than banks in securing their systems.

Are some of these guys serious? This thinking is a classic example of compliance with the PCI DSS and good security being seen as two different things altogether. Security going one way and compliance in another direction. How can these excuses be taken as anything but a joke? If you had good-practice security controls in place to begin with, the PCI DSS wouldn’t be as big an issue to you. The expectation of PCI DSS compliance is good security - nothing in there is radical or new. Correct me if you think I am wrong.

Worry about your own shop first and foremost. Bob Russo at the end sums it up best:

“This should not be a blame game,” he said. “The bottom line is everyone who touches consumer payment card data has a responsibility to secure it.”

And the story continues…….stay tuned…..I have a feeling some of the arguments against PCI DSS will become even sillier.

Posted in Disclosure Laws, Dumb Security, PCI, PCI DSS, WTF, cyber crime | No Comments »

Implications of non-compliance with PCI DSS…..

June 27th, 2007 Drazen Drazic

Just got back from Singapore where we spent a day going through the most recent changes to the PCI DSS with the various members and PCI Security Standards Council representatives.

If you’re not up to speed with the latest revision of the changes, see the PCI Security Standards Council website. (Worth bookmarking if you haven’t already). There are quite a few changes - mostly clarifications on existing standards to make the intent of the specific standards a bit clearer.

Look, I know the standard cops a bit of criticism (mostly from people and organisations who’ve in the past never been as security minded as they should be), but it is evolving and, let’s face it, in many parts of the world where the regulatory environment adds little to nothing in terms of advice and enforcement of good security practices and controls (i.e. Australia, as one example), it’s the best and only thing out there. Even if you’re not under an obligation to be compliant, you could do worse than follow the PCI DSS. Related story from CIO Magazine.

A bit of discussion in Singapore was focused on organisations who have decided to approach compliance in “their own time”. Many companies, misguided and taking a big risk in their position, are willing to take the potential fines for non-compliance. Given the fines are minuscule relative to income/revenue, they believe it’s not worth the time and investment to become compliant.

Two points on that:
1. Compliance is mandatory. While the PCI members acknowledge the challenges to enforce compliance, and most importantly realise that it is a large undertaking for most organisations, rules are rules if you want to work with those members (and process card transactions).

2. Regarding the fines: 5-10K fines are small in the scheme of things and may sound more attractive than the cost to move to compliance, BUT get hacked, breached, owned, etc. and you’ll be faced with potentially millions of dollars of costs and fines and, most importantly, reputational and business-threatening problems. (Need we raise TJX again as but one of many examples?)

So for anyone who is managing the PCI compliance program in their organisation, and is struggling for buy-in from senior management, and/or faced with the position of small fines being acceptable, I would highlight the 2 points above. Further, and just putting it out there, I would also recommend in such scenarios that you get the CEO or CFO to sign off on a policy exemption form that acknowledges they accept the risk of non-compliance in the timeframes specified by the Acquiring Banks and PCI Members. (Ensure that all the risks of non-compliance are highlighted on the form). I’ve found that when someone has to put their name to a position like this, there seems to be a greater likelihood of that position being re-assessed. (Ownership and accountability - we need more of it in IT Security). :-)

Related Stories:

http://beastorbuddha.com/category/disclosure-laws/
http://beastorbuddha.com/category/pci-dss/ 

Posted in Disclosure Laws, Dumb Security, PCI, PCI DSS, cyber crime | 5 Comments »

The IT Security Review Part of the Yearly Financial Audit….

June 23rd, 2007 Drazen Drazic

All listed companies must be audited at least yearly by an independent Accounting Practice, but what is the relevance today for the IT Security review component that is generally tacked on as part of this Audit? Yeah, I know in the past the aim was to look at accounting systems controls and the like, but are these reviews still of value or are they potentially dangerous for some companies?

Let me clarify where I am coming from - I am yet to see a good job done by any of the large accounting firms undertaking such reviews. The danger to the client? The client accepting the results of the review as a true overall state of their security……..and I don’t need to expand on why that is a big problem.

What’s brought this to mind are two recent examples we’ve run into at new clients where we’ve been called in, and how do I put this nicely…..to double-check the work of the Big Auditing company. In previous years, the reports had been treated as gospel and IT management and the CEO had believed that things on the security front were good. New staff joining in recent times in both places cast doubt upon the true picture and thus the call to SA. Now this isn’t a plug for SA. It’s a plug for all good dedicated organisations who play in this space and have true expertise in their field.

Both organisations were shocked, to put it mildly, at the results of the subsequent review undertaken by us. From being secure (in their minds) to both now in a position of being in a pretty bad way - as bad as it can be in some parts of the IT environment. I’ll leave it to your imaginations. On a positive note, they at least now know what they are up against and have a truer picture. Both now have a long roadmap of activity planned to get to a level of being secure.

Unfortunately, these two cases are not out of the ordinary. We still see it very often. In addition, I spent many years on the other side and dealt with the results of these external audits on behalf of the organisations I worked for at the time. It’s true to say that we (the IT Security and IT teams) saw these audits as a pain in the backside, a yearly joke that took up a valuable few weeks. The same big talk before the event, auditors locked up in a room for 2-3 weeks, interviews by junior staff who had no idea what the questions they were asking actually meant, and then glowing reports delivered that generally had no more than 1-5 findings and a big congratulations that we were just brilliant. Hmmm….far from it in reality. But we at least knew the true picture. Many organisations didn’t and still don’t.

Companies who have these audits done yearly need to discuss what they are actually getting from the audits with their Auditors. Auditors in return need to ensure that they clearly state what is going to be delivered and support that with caveats, warnings and definitive statements for the client. But in reality, in most cases, they just need to deliver a better job! Are most capable?

Posted in Dumb Security, Vulnerability Management | 2 Comments »

You’re in the right place now…….

June 22nd, 2007 Drazen Drazic

Thanks for finding us. Yes, we’ve moved from our original site and into the new BorB domain.

Everything should have come across but a few links may still point back to the old site. We’re working on that.

We’re also in the process of putting in some functional changes to the format here so a few things in terms of layout, colours etc may change in the next week or so as we work our way out of default template territory.

Content though will continue to be of the usual standard. :-)

Posted in Uncategorized | 2 Comments »

Disclosure of bugs in Web Applications…..

June 19th, 2007 Drazen Drazic

What is raised in the article from Forbes, “Laws Threaten Security Researchers” is not new but worth a review and a few comments. Patrick Gray recently in the Risky Business 13 podcast spoke to Grossman also on the same topic.

From our (SA’s) perspective, it’s pretty clear cut - you just can’t “research” on other people’s sites. The Cybercrime Act is in place for such activity, and the question of how you classify an action as friendly or malicious cannot be a grey area. I think that would open up a whole new industry of black hats. (Grey Hats?)

The article mentions stumbling upon vulnerabilities or suspecting that a site has them - what does a researcher do then?

I can state that this happens all the time. When you’ve got guys who do this type of testing for a living (paid by clients), the eye is in for potential weaknesses in all sites. But that opens up dilemmas - if, and it’s a big IF, the likes of SA approach the client in such scenarios, it is done cautiously, because we are always, given who we are, potentially taken as: (1) having been snooping where we should not, or (2) hunting for new business. I can guarantee to all that we don’t do either, but what can you do? So in most cases, you can’t do much other than hopefully continue to try to raise awareness of the importance of ongoing testing.

Is there an issue here with researchers not being able to “test” sites uninvited? No, you just can’t do it! Organisational awareness in regards to the importance of web application testing is key - researchers and testers need to be invited in.

Aside: We still see figures of upwards of 80% of sites that we test for the first time having major to critical vulnerabilities so the importance of organisations doing regular testing is clear.

Posted in Web Application Security | 1 Comment »

FBI’s Operation: Bot Roast

June 19th, 2007 Drazen Drazic

The FBI’s Operation: Bot Roast claims to have now identified “about 1 million” botnet-infected systems in the US. See also: http://www.fbi.gov/page2/june07/botnet061307.htm.

The announcements say all the right things, but how much substance is behind them is questionable in my opinion. The intentions may be there, so let’s see what impact this program has on botnet activity. It would be interesting to know how the 1 million systems were identified. Have I missed something in my readings?

Other than that, there is some good introductory information in here for individuals and businesses alike.

Related Links:
http://www.dailyinfosec.net/
http://beastorbuddha.com/category/cyber-crime/

Posted in Forensics, cyber crime | 1 Comment »

Big Galoot Diatribe - Moths bred to become cyber spies….

June 18th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Now I don’t know about you, but this latest story on moths being bred with inbuilt remote sensing chips is bordering on the ridiculous, for a whole lot of reasons.

When I grew up watching Star Trek, the nasty ‘cyborgs’ were the ugly dudes with flesh growing around computer parts. The Cyborgs certainly weren’t moths (how uncool would that have been?). But, a mob of big-brained, cutting edge defence scientists, known as The Defense Advanced Research Projects Agency (DARPA) is apparently growing computer chips around insects for use in warfare surveillance. An ‘insect-cyborg’, they’re calling it.

Now I know what you’re thinking. You’ve gotta be kidding, right?

No way, my cyborg friends. This is science reality, not science fiction. The big-heads at ‘DARPA’, as they are known, are implanting computer chips in moths while still in the pupa stage. The moth grows around the chip and its nervous system can be controlled by a remote control.

Trotting out yet another sexy defence techie acronym, the project is affectionately called ‘Hybrid Insect Micro-Electro-Mechanical Systems’ (HI-MEMS), and it also includes outfitting other insects with minuscule sensors and a wireless transmitter which could send data from places inaccessible to humans.

“It is hoped by DARPA, that one day, a sensor-enabled insect with a 100-yard range could be placed within five meters of a target using electronic remote control and, potentially, Global Positioning System technologies.” From: http://government.zdnet.com/?p=3189

Now for the best bit: “Ultimately, the moth will be able to land in enemy camps in remote locations undetected and be able to beam video and other information back via what its developers refer to as a ‘reliable tissue-machine interface.’” I say, stuff the enemy camps - I can think of a *far* greater application of this technology. Let’s just say that I hope Paris Hilton’s bedroom windows have lousy flyscreens.

According to zdnet: “This latest development will allow the moth cyborgs to spy on enemy insurgents, and is the most advanced robotic technology ever conceived by DARPA.” Latest technology? Perhaps. A great idea doomed to failure? I believe so.

In line with the (much loved) rantings of Bruce Schneier, http://www.schneier.com, the most advanced technology can often be defeated by the simplest and cheapest of means. So I have two words for the big tech-heads and their multi-million dollar HI-MEMS cyborg insect project at DARPA….. ‘Pea-Beau’.

More articles on moth cyborgs:
http://www.foxnews.com/story/0,2933,276182,00.html

Posted in Big Galoot Diatribe, UFOs, cyber crime | 1 Comment »

Hello Mac…the ASA says you’re okay!

June 15th, 2007 Drazen Drazic

The UK’s Advertising Standards Authority recently released an assessment in response to complaints lodged against some of the Mac ads. (Geez they are good ads :-)).

It’s worth a read. While you can argue some points, the realities are pretty close to the mark (says a new convert to Macs). It still freaks me out that I don’t have any anti-virus or anti-spyware software on my machine (coming from 17 years of running such software on all previous machines I have owned).

Posted in MAC Security | 2 Comments »

Lets just everyone check your sites….

June 13th, 2007 Drazen Drazic

Regular VA and network and web app penetration testing…just throwing it out there………in particular if you are an Australian tourist attraction. SMH again.

Seems like we have some amateurs giving the bad guys a bad name….pretty bad if Google’s able to pick you up guys.

Google Hacking?!……..why not Google VA?! - Remember where you heard it first!

Posted in Dumb Security, Web Application Security | 2 Comments »

Not the Opera House?!………

June 12th, 2007 Drazen Drazic

Interesting one from Patrick Gray today on the SMH news re: the Opera House site being hacked.

Nice to see our friends at Pure Hacking being called in to help. A good bunch of guys! As an aside, some people like their site so much, they’ve decided to……well…..this explains it all. What can you say?

Posted in Web Application Security | No Comments »

Disclosures in NZ…..momentum seems to be gathering….

June 12th, 2007 Drazen Drazic

As reported in the News side bar, the discussion and thought leadership we have been driving in NZ are gaining momentum: http://www.stuff.co.nz/stuff/4091268a28.html

Stay tuned…..this seems to be a hot topic now in New Zealand up to Government layers.

Posted in Disclosure Laws | No Comments »

Big Galoot Diatribe - The Trojan Defence…the sleeping giant for computer forensics?

June 10th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

A couple of recent cases, including http://www.securityfocus.com/news/11469 in the US, have highlighted malware and trojans as an emerging problem for the computer forensics community - testing the validity of the expert evidence and calling into question the practice as a whole.

In this most recent case, problems emerged after a teacher was wrongly convicted following an incident where her classroom PCs became infected with pop-up ads displaying pornographic images. The prosecution alleged that the pop-ups were caused by the teacher’s activity on her PC following expert testimony from a computer forensics detective.

Problems in the case emerged after the defence’s computer forensics expert successfully argued that a harmless hairstyling web site had actually re-directed the PC’s browser to pornographic sites, setting off a chain of offensive pop-up ads (a sub-argument was also presented about access control).

With the benefit of hindsight, this case was perhaps more about poor forensics practices - the investigating detective was apparently not thorough enough.

But it raised a bigger issue: What about really hard-core trojans & malware? How do we prove that malware didn’t exist on a suspect’s system? Recent studies into the potential problems that malware, trojans and viruses pose for the computer forensics community suggest this problem is not going to go away any time soon.

Highlighting this problem, some conceptual tools developed by Security-Assessment.com and Joanna Rutkowska from www.invisiblethings.org have shown that the ability already exists for malware to defeat ‘volatile’ memory forensics. Make no mistake, this is a big threat facing computer forensics practice and its ability to withstand rigorous cross-examination in the witness box.

The really big questions facing the computer forensics community right now must be:

- How can the trojan defence be negated? and
- What practices can be put into place by the corporate world to assist computer forensics?

The nitty-gritty of ‘The Trojan Defence’ is that we don’t know what we don’t know. In other words, how do we prove that something (a trojan) didn’t exist?……The mere possibility of the existence of a trojan may itself be enough for a case to be thrown out, in the absence of any corroborating evidence.

The solution? (Is there any?)

In terms of hard-drive forensics (and even perhaps volatile memory?), the ability exists to make a ‘known good’ copy of a system prior to its deployment & have it locked away in a safe. In an attempt to negate the trojan or malware defence argument, the ‘known good’ copy could be dragged out of the safe & compared to the original, and forensically examined for changes to that system. Operating system active processes, DLLs etc. could all be mapped & compared against those of the ‘known good’ system. This practice could also be a really good tool for very quickly detecting what is going wrong with a particular system when the IT Security guys are called in following an ‘incident’, say, an intrusion where their system became owned or whatever.
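As an added illustration of the ‘known good’ comparison described above (example code written for this page, not a tool from the post or from Security-Assessment.com), the script below builds a SHA-256 manifest of a file tree, then diffs it against a later snapshot of the same system and reports added, removed and modified files; the same diff is applied to a process list with each process’s loaded modules, which stands in for the “active processes, DLLs etc.” comparison. All file contents, paths and process names are constructed sample data. Two caveats that follow directly from the post’s own concern: the baseline must come from the offline copy in the safe and the suspect hashes from a disk mounted read-only, because a compromised live system can lie about its own files; and a file-level diff says nothing about malware that only ever lived in memory, which is exactly the volatile-memory gap the post raises.

```python
"""Added example (not from the post): diff a 'known good' baseline of a system
against a later snapshot. File hashes stand in for the disk image; per-process
module sets stand in for the 'active processes, DLLs etc.' comparison.
All sample data below is constructed for the demo."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from functools import partial
from typing import Dict, List, Set


@dataclass
class Diff:
    """Result of comparing a baseline against a later snapshot."""
    added: List[str]      # present now, absent in the known-good copy
    removed: List[str]    # present in the known-good copy, absent now
    modified: List[str]   # present in both, but content differs

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def manifest_from_tree(root: str) -> Dict[str, str]:
    """SHA-256 every regular file under root, keyed by path relative to root.
    Run it over the offline known-good copy and over the suspect disk mounted
    read-only; never trust hashes produced by the possibly compromised host."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are not content to hash
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(partial(fh.read, 1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def manifest_from_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Same manifest shape, built from in-memory contents (for the demo)."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def compare_snapshots(baseline: Dict[str, object], current: Dict[str, object]) -> Diff:
    """Generic diff: works for path->hash manifests and process->module-set maps."""
    base, cur = set(baseline), set(current)
    return Diff(
        added=sorted(cur - base),
        removed=sorted(base - cur),
        modified=sorted(k for k in base & cur if baseline[k] != current[k]),
    )


def module_changes(baseline: Dict[str, Set[str]],
                   current: Dict[str, Set[str]]) -> Dict[str, Diff]:
    """For processes present in both snapshots, which modules appeared/vanished."""
    out: Dict[str, Diff] = {}
    for proc in set(baseline) & set(current):
        added = sorted(current[proc] - baseline[proc])
        removed = sorted(baseline[proc] - current[proc])
        if added or removed:
            out[proc] = Diff(added=added, removed=removed, modified=[])
    return out


def write_and_hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Materialise an in-memory file set on disk and hash it with manifest_from_tree
    (demonstrates the real filesystem walk without needing a real image)."""
    root = tempfile.mkdtemp(prefix="knowngood_")
    try:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return manifest_from_tree(root)
    finally:
        shutil.rmtree(root)


# Constructed sample: a tiny 'known good' image taken at deployment ...
KNOWN_GOOD_FILES = {
    "Windows/System32/kernel32.dll": b"kernel32 build 1 (constructed)",
    "Windows/System32/winlogon.exe": b"winlogon (constructed)",
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}
# ... and the same paths captured later from the suspect machine.
SUSPECT_FILES = {
    "Windows/System32/kernel32.dll": b"kernel32 build 1 (constructed)",      # unchanged
    "Windows/System32/winlogon.exe": b"winlogon (constructed) + patched bytes",  # modified
    "Windows/System32/unknown.dll": b"not in the known-good copy",           # added
    # hosts file absent -> reported as removed
}
KNOWN_GOOD_PROCS = {"winlogon.exe": {"kernel32.dll", "user32.dll"},
                    "explorer.exe": {"kernel32.dll", "shell32.dll"}}
SUSPECT_PROCS = {"winlogon.exe": {"kernel32.dll", "user32.dll", "unknown.dll"},  # extra module
                 "explorer.exe": {"kernel32.dll", "shell32.dll"},
                 "updater.exe": {"kernel32.dll"}}                               # new process


def run_demo():
    """Return (file diff, process diff, per-process module changes) for the sample."""
    file_diff = compare_snapshots(manifest_from_bytes(KNOWN_GOOD_FILES),
                                  manifest_from_bytes(SUSPECT_FILES))
    proc_diff = compare_snapshots(KNOWN_GOOD_PROCS, SUSPECT_PROCS)
    return file_diff, proc_diff, module_changes(KNOWN_GOOD_PROCS, SUSPECT_PROCS)


if __name__ == "__main__":
    for label, d in zip(("files", "processes"), run_demo()[:2]):
        print(f"{label}: added={d.added} removed={d.removed} modified={d.modified}")
    for proc, d in run_demo()[2].items():
        print(f"{proc}: modules added={d.added} removed={d.removed}")
```

The two dictionaries are the only thing an investigator would swap for real input: `manifest_from_tree` pointed at the mounted known-good image and at the read-only suspect disk, and the process maps filled from a memory capture taken with a trusted tool rather than from the suspect host’s own task list.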

In reality though, this practice is unlikely to be adopted in the short term. But I’d be very interested to learn if some companies out there are already adopting the practice of having a secured, ‘known good’ copy for forensics or IT Security purposes. Has anyone heard of this being done?

Or perhaps someone has some other ideas about how ‘The Trojan Defence’ argument can be (relatively expeditiously) negated in a forensic manner?

Posted in Big Galoot Diatribe, Forensics | 2 Comments »

Test before you buy…..

June 6th, 2007 Drazen Drazic

When buying a new car, you test drive it…….to see if it floats your boat and performs as you hope it will. A big factor is the security the car comes with nowadays. If you’re in the market for a Rex, Evo or the luxury sports models (I like my cars as you can tell), you expect the security now as standard, because you know you’re a target.

Why not do the same in terms of the security of new applications you’re buying……in addition to ensuring the functionality is there, which you do as standard? Hey, the analogy fits.

This story from SearchSecurity is worth a read, but somehow, it looks like the last part of the journo’s story has warped into another plane and has been replaced by the end of another article, (which looks interesting in its own right).

We are seeing this trend growing and that is good! The last thing anyone wants is this. But, unfortunately, there’s still more “this”.

Posted in Bad Developers, Dumb Security, Web Application Security | 2 Comments »

SA continues to drive thought leadership and debate around Data Breach Disclosure Laws

June 5th, 2007 Drazen Drazic

Peter Benson continues to be a leading voice in NZ for the introduction of disclosure laws, as covered in the News side bar and today’s Computerworld story.

You have to love Solicitor Michael Wigley’s comment; “Wigley described most of the “accepted use” policies he had seen as “shit”.”

Related story from previous post.

Posted in Disclosure Laws | No Comments »

Big Galoot Diatribe - Financial Darwinism

June 4th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

To kick off my first article in beast or buddha - my controversial thoughts on the victims of Nigerian email scams.

I have this theory about people who send their hard-earned savings to Nigerian email scammers in the hope of huge financial gains, but end up losing the lot. What really amazes me is that these victims, many of whom are presumably intelligent, and some of whom occupy highly paid positions (lawyers, doctors, etc.), send their money away - even *after* being told by police that the whole thing is a scam & they’ll never see their money again. It’s truly incredible. It’s mind-bogglingly stupid. I call this phenomenon Financial Darwinism. Survival of the financially fittest. For the victims of these frauds, it seems making money is the easy part; actually holding onto it is the tough bit.

What the Nigerian email scammers do is not rocket science. But they do prey upon two very powerful human frailties - greed and stupidity. After mass-emailing their incredible letters with offers of vast amounts of money, the first part of the scam involves playing the percentages, i.e. a very small percentage of people will actually believe their incredible letters instead of hitting the delete button (or having their spam filter kill it before it hits their inbox). Secondly, an even smaller percentage of victims will begin to participate in their scam, continuously and robotically sending money to them in the greedy and stupid hope of vast riches. These are the people the Nigerians are targeting.

And it seems even in the face of losing their entire life savings, some victims coldly refuse to believe they have been the victim of a Nigerian email scam. That is, even after they’ve been presented with the factual evidence by the investigating police. But we shouldn’t give the Nigerians all the credit for preying on these human frailties. Preying upon greed and stupidity has probably been happening for thousands of years. Look at another recent example - poker machines.

Recent estimates in Australia suggest there are a lot of financially dumb people out there. In the State of Queensland alone, losses to Nigerian emails are currently thought to run around $500,000 per month. We don’t know for sure, but if the Queensland example is a representative figure of humankind’s stupidity, it must be an awful lot of money when you consider that Nigerian scammers are operating on a global scale.

All of which raises interesting questions about our species. Is there some part of the human brain within some people that switches off all financial common sense and logic? Or perhaps there is something within the victims’ DNA that has a greed override switch, completely overriding competing factual stimuli? Looking at this phenomenon from a Darwinian perspective - perhaps this phenomenon is really not so amazing, but simply a case of financial evolution taking place. The dumbest of our species will inherently lose their money and fail, the smarter will keep their money and prosper.

See article -
http://www.computerworld.com.au/index.php/id;660142320;fp;16;fpid;2

Posted in Big Galoot Diatribe | 3 Comments »