Is it just me who takes offence when another big Australian company justifies outsourcing IT jobs overseas by claiming a “skills shortage” and then qualifies it by saying “it’s just the operational work… we’re not outsourcing intelligence!”

Big call on the latter ever existing, guys!

Posted in: Dumb Security

Paul Craig from SA will be presenting on “Next Generation .NET Vulnerabilities” at SyScan 07.

This will be a good session.

Other SA presentations can be found at our website.

From their “10 worst jobs in science”:

You’ve got to love the comment from the MS dude: “… Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless.”

Posted in: Uncategorized

This NZ ComputerWorld story from over the ditch, “Banks demand a look inside customer PCs in fraud cases”, is a bit of a concern. If it progresses, it will be interesting to see how they propose this working. This worries me, or should I say scares me, given some previous experiences of banks wanting to touch customer systems:

A few years ago, the NSW Police called a meeting with the IT Risk and some Security Heads of the major banks here to discuss Internet Banking fraud. At the time, it was a knee-jerk reaction to old news that they had stumbled upon to do with Gator and similar software on kiosk machines and user systems etc. The focus of the meeting was to discuss ways to put into place mechanisms to prevent Internet Banking fraud. Hey, pretty cool I thought, finally some real discussion on security, better than just something one level above basic auth.

The following is entirely true. You just can’t make up stuff this funny… no one would believe you.

Somehow, from the outset, the discussion turned to anti-virus software on user machines. (Did I mention Symantec led off the “discussion” with a presentation on themselves?) Where is this going, I am thinking? Are we looking at the bigger picture here? The next hour was spent in discussion on how the Banks could pass the burden of Internet Banking security responsibility entirely back onto the customer. The following suggestions were proposed:

- We (the banks) could scan their (customer) machines to determine whether anti-virus software is installed.
- Hey, but how will we know if the user runs the software? Easy, we’ll set off the scan (i.e. read: scan the whole machine) before they can access Internet Banking!
- Hey, but how will we know if the signatures are up to date? Easy, we’ll just check the versions, enforce the update and then set off the scan before they can access Internet Banking.

See where I am coming from? But then… the showstopper, that for about 2 minutes was the silver bullet to Internet Banking Fraud. I shit you not:

“Guys, why don’t we scan their hard drives from our systems once they login!”

What can I say? The majority of the room was in agreement! From there on, it’s a real blur. The room started spinning for me. Vague recollections of workgroups proposed to make this happen, some back patting and then agreements to meet again soon.

I made the mistake of chipping in at the end (the only chance I got) with a question on what we (the banks) were going to do from our end. I mentioned the current levels of authentication being questionable and put it out there that this could be something we look at also. Did I get daggers or what? Luckily this workgroup never met… I think… If it did, I wasn’t invited.

So… back to our NZ cousins. Let’s hope that the Banks work with a focus that also looks within themselves. That is where most of the solutions to problems will hopefully be found… though nothing is foolproof. In the end, stupidity on the part of the customer should be assessed in terms of liability… but weren’t computers initially developed to remove human error from the equation? :-)

This will be an interesting story to follow.

This is a topic that has been hotting up in recent times, and this story today from CIO provides further insight into possible directions this will take: “Banks Say Share of Credit Card Security Costs is Unfair”.

What I find interesting from this article are the following quotes:

Vanessa Pegueros, US director of compliance services at AT&T, contended that banks are “thumbing their noses at the PCI regulation, so we are paying the price.”

“We were doing a good job — maybe not as fast as some would like, but we were on a plan and trying to meet the [PCI] requirements,” Pegueros said. “But [Visa is] trying to take a hard-line approach, and we’re caught in the middle. Now we have to adjust our plans.”

Gartner analyst Avivah Litan agreed that banks are not yet taking adequate measures to comply with the PCI standards.

“There has not been a lot of enforcement at the bank level,” she said. “All the enforcement scheduled has been on the processing and retailer side, so it has been unfair, frankly.”

Litan said retailers are upset because they believe that they are being held to a higher standard than banks in securing their systems.

Are some of these guys serious? This thinking is a classic example of compliance with the PCI DSS and good security being seen as two different things altogether: security going one way and compliance in another direction. How can these excuses be taken as anything but a joke? If you had good-practice security controls in place to begin with, the PCI DSS wouldn’t be as big an issue to you. The expectation from PCI DSS compliance is good security – nothing in there is radical or new. Correct me if you think I am wrong.

Worry about your own shop first and foremost. Bob Russo at the end sums it up best:

“This should not be a blame game,” he said. “The bottom line is everyone who touches consumer payment card data has a responsibility to secure it.”

And the story continues… stay tuned… I have a feeling some of the arguments against PCI DSS will become even sillier.

Just got back from Singapore where we spent a day going through the most recent changes to the PCI DSS with the various members and PCI Security Standards Council representatives.

If you’re not up to speed with the latest revision of the changes, see the PCI Security Standards Council website (worth bookmarking if you haven’t already). There are quite a few changes – mostly clarifications of existing standards to make the intent of the specific standards a bit clearer.

Look, I know the standard cops a bit of criticism (mostly from people and organisations who’ve in the past never been as security minded as they should be), but it is evolving and, let’s face it, in many parts of the world where the regulatory environment adds little to nothing in terms of advice and enforcement of good security practices and controls (i.e. Australia as one example), it’s the best and only thing out there. Even if you’re not under an obligation to be compliant, you could do worse than follow the PCI DSS. Related story from CIO Magazine.

A bit of discussion in Singapore was focused on organisations who have decided to approach compliance in “their own time”. Many companies, misguided and taking a big risk in their position, are willing to take the potential fines for non-compliance. Given the fines are minuscule relative to income/revenue, they believe it’s not worth the time and investment to become compliant.

Two points on that:
1. Compliance is mandatory. While the PCI members acknowledge the challenges to enforce compliance, and most importantly realise that it is a large undertaking for most organisations, rules are rules if you want to work with those members (and process card transactions).

2. Regarding the fines: 5-10K fines are small in the scheme of things and may sound more attractive than the cost to move to compliance, BUT get hacked, breached, owned, etc. and you’ll be faced with potentially millions of dollars of costs and fines and, most importantly, reputational and business-threatening problems. (Need we raise TJX again as but one of many examples?)

So for anyone who is managing the PCI compliance program in their organisation, and is struggling for buy-in from senior management, and/or faced with the position of small fines being acceptable, I would highlight the two points above. Further, and just putting it out there, I would also recommend in such scenarios that you get the CEO or CFO to sign off on a policy exemption form that acknowledges they accept the risk of non-compliance in the timeframes specified by the Acquiring Banks and PCI Members. (Ensure that all the risks of non-compliance are highlighted on the form.) I’ve found that when someone has to put their name to a position like this, there seems to be a greater likelihood of that position being reassessed. (Ownership and accountability – we need more of it in IT Security.) :-)

All listed companies must be audited at least yearly by an independent Accounting Practice, but what is the relevance today for the IT Security review component that is generally tacked on as part of this Audit? Yeah, I know in the past the aim was to look at accounting systems controls and the like, but are these reviews still of value or are they potentially dangerous for some companies?

Let me clarify where I am coming from – I am yet to see a good job done by any of the large accounting firms undertaking such reviews. The danger to the client? The client accepting the results of the review as the true overall state of their security… and I don’t need to expand on why that is a big problem.

What’s brought this to mind is two recent examples we’ve run into at new clients where we’ve been called in, and how do I put this nicely… double-check the work of the Big Auditing company. In previous years, the reports had been treated as gospel and IT management and the CEO have believed that things on the security front were good. New staff joining in recent times in both places cast doubt upon the true picture and thus the call to SA. Now this isn’t a plug for SA. It’s a plug for all good dedicated organisations who play in this space and have true expertise in their field.

Both organisations were shocked, to put it mildly, at the results of the subsequent review undertaken by us. From being secure (in their minds) to both now being in a pretty bad way – as bad as it can be in some parts of the IT environment. I’ll leave it to your imaginations. On a positive note, they at least now know what they are up against and have a truer picture. Both now have a long roadmap of activity planned to get to a level of being secure.

Unfortunately, these two cases are not out of the ordinary. We do still see it very often. In addition, I spent many years on the other side and dealt with the results of these external audits on behalf of the organisations I worked for at the time. It’s true to say that we (the IT Security and IT teams) saw these audits as a pain in the backside, a yearly joke that took up a valuable few weeks. The same big talk before the event, auditors locked up in a room for 2-3 weeks, interviews by junior staff who had no idea what the questions they were asking actually meant, and then glowing reports delivered that generally had no more than 1-5 findings and a big congratulations that we were just brilliant. Hmmm… far from it in reality. But we at least knew the true picture. Many organisations didn’t and still don’t.

Companies who have these audits done yearly need to discuss what they are actually getting from the audits with their Auditors. Auditors in return need to ensure that they clearly state what is going to be delivered and support that with caveats, warnings and definitive statements for the client. But in reality, in most cases, they just need to deliver a better job! Are most capable?

Thanks for finding us. Yes, we’ve moved from our original site and into the new BorB domain.

Everything should have come across but a few links may still point back to the old site. We’re working on that.

We’re also in the process of putting in some functional changes to the format here so a few things in terms of layout, colours etc may change in the next week or so as we work our way out of default template territory.

Content, though, will continue to be of the usual standard. :-)

What is raised in the Forbes article “Laws Threaten Security Researchers” is not new, but it is worth a review and a few comments. Patrick Gray recently spoke to Grossman on the same topic in the Risky Business 13 podcast.

From our (SA’s) perspective, it’s pretty clear cut – you just can’t “research” on other people’s sites. The Cybercrime Act is in place for such activity, and the question of how you classify an action as friendly or malicious cannot be a grey area. I think that would open up a whole new industry of black hats. (Grey hats?)

The article mentions stumbling upon vulnerabilities or suspecting that a site has them – what does a researcher do then?

I can state that this happens all the time. When you’ve got guys who do this type of testing for a living (paid by clients), the eye is in for potential weaknesses in all sites. But that opens up dilemmas – if, and a big IF, the likes of an SA approaches the client in such scenarios, it is done cautiously, because we are always, given who we are, potentially taken as: (1) we’ve been snooping where we should not, or (2) we’re hunting for new business. I can guarantee to all that we do neither, but what can you do? So in most cases, you can’t do much other than hopefully continue to try to raise awareness of the importance of ongoing testing.

Is there an issue here with researchers not being able to “test” sites uninvited? No, you just can’t do it! Organisational awareness in regards to the importance of web application testing is key – researchers and testers need to be invited in.

Aside: We still see figures of upwards of 80% of sites that we test for the first time having major to critical vulnerabilities so the importance of organisations doing regular testing is clear.
