Interview with Philippe Courtot - CEO of Qualys

July 31st, 2007 Drazen Drazic

Philippe Courtot is more than just Chairman and CEO of Qualys, Inc. He’s one of the pioneers of the IT industry. Philippe has repeatedly turned innovative companies into industry leaders while creating significant customer and investor value. Prior to Qualys, Philippe was the Chairman and CEO of Signio (acquired by VeriSign in 2000 for more than $1 billion); President and CEO of Verity (a company he took public in November 1995); and CEO of cc:Mail (acquired by Lotus in 1991).

I had a chance recently to chat with Philippe and thought I might share that here:

Posted in Industry Specialists Talk, Research, Vulnerability Management, news | 3 Comments »

Liability for Security Breaches…..

July 26th, 2007 Drazen Drazic

It does feel like the calm before the storm. You can see the direction things are taking now and there seems to be no turning back. The banks are going to start pushing back hard on who is ultimately liable for customer information security breaches. Westpac most recently, in: Westpac accepts no blame in security breach.

Related Categories that cover this in BorB:

PCI: http://beastorbuddha.com/category/pci/
Disclosure Laws: http://beastorbuddha.com/category/disclosure-laws/

It’s only a matter of time in Australia, you would think, but who knows?

Posted in Disclosure Laws, PCI, PCI DSS, Web Application Security, cyber crime | No Comments »

Kiwicon 2k7

July 25th, 2007 Drazen Drazic

Kiwicon 07 is a new conference being set up by IT security guys for the IT security community in NZ, and beyond. Awesome guys!

Posted in Research, news | 8 Comments »

Australia - A leader in the technology field?..don’t feed us crap Howard!

July 23rd, 2007 Drazen Drazic

I feel sick and angry every time the Australian Government takes a position and promotes how great they are at keeping Australia as a leader in IT and Technology. What a load of crap!

Let’s have a look at some facts:
- In the early 90s Australian companies were doing some amazing things with IT. The old saying, “we did so much more, with so much less”, was so true. So many Oz companies were showing their global colleagues how to do things. That doesn’t seem to happen as much now from what I see.
- We had great early take-up of the Internet, technology in general and mobile. I remember in the mid-nineties doing a lot of work in Asia: Singapore, HK, Thailand and even Japan and thinking, gees, Australia is so far ahead of you guys……not anymore….not even close.
- Most emerging IT Companies out of the US were basing their Asia Pacific HQs out of Sydney, Australia in the early to mid-nineties……not anymore…..any left at all?
- IT guys saw a big future in our industry here at home.

Since then:

- How many great Oz and NZ IT people are doing some amazing things OS because they realised they had no opportunities to do these things at home?
- How far behind the world are we in technology deployment? (and don’t quote me Internet use stats - cool, but on slow speeds…who cares?)
- How many Big companies call Australia home as their Asia Pacific base?
- How many IT geniuses believe they can achieve their best by staying at home?
- We’ve become a follower!

Australia has moved forward, but we’ve moved forward at a far slower rate than most of our major trading partners and regional neighbours. We’re not the force in IT which I believe we once were, but we produce great people who do go on and become a force around the world. Please Howard, don’t bullshit us anymore on how great your technology policies and initiatives have been. We don’t have much to show for it from a Government perspective.

My thoughts on the security side of things are well documented in here. Enough said for now…..

Posted in Bad Stuff, Disclosure Laws, Dumb Security, WTF, cyber crime, governance | 2 Comments »

Australian Insurer Hacked…Let’s have a closer look….

July 20th, 2007 Drazen Drazic

Okay, the SMH reports: Turkish hackers bring down insurer’s site. This is a funny story, in a weird/bad sort of way, but hopefully another company that learns its lessons before being hit really badly:

- “Hackers” or kids having some fun?
- “Spokesman Robert Whelan said despite customer fears that their account information may have been compromised, no customer details were accessed.” - probably not in this case given the type of attack and who did it but seriously guys, do you really know if that is the case?
- “Customer information for AAMI is all kept on a very separate infrastructure on our website,” - Hmmmm…..if this was so easy, gees…..
- “Earlier today, AAMI, which offers general insurance, was scrambling to find out how a group calling itself the “Ay Yildiz Team” hijacked its website, replacing it with an anti-Israel message”- Ain’t rocket science generally in cases like this!
- “When contacted at around 10.15am this morning, an AAMI spokesman said he did not know what had happened. “We only found out 15 minutes ago and I’m now trying to find out what is going on in the way of whether this was just a hack into the front part of the site or it went deeper,” he said. Philip Olsen, an AAMI customer who discovered the hack around 9.30am, said he was concerned that his account information may have been compromised. “I called them and they had no idea it was a problem, so their claims that my account information, including credit card info, was safe seemed hollow at best,” said Olsen. “If they [the hackers] can get on their main web page and deface it like that, what else can they get access to,” he said.” - Philip Olsen: AAMI Security Monitoring Manager?! Hire that dude!

What am I doing even writing this? Must be a Friday thing. Off to Zone-H with you all!

Posted in Bad Developers, Bad Stuff, Dumb Security, Vulnerability Management, Web Application Security, cyber crime | No Comments »

Risk Management - Great in meetings, not so much in practice…

July 19th, 2007 Drazen Drazic

Risk Management evolved essentially from the insurance industry. Most pundits agree that it started to gain momentum as a broader business practice in the 1970’s and 80’s. Around the time AS/NZS 4360 (Australian and New Zealand Standard for Risk Management) was first published, in late 1995, was the first I was hearing and seeing “Risk Management” discussed as a practice within IT (and IT Security). Since then, the term “Risk Management” has been widely bandied about in meetings, boardrooms and between IT professionals when discussing their approaches to managing IT security risks in their organisations. But, is business really managing IT security risks? My blunt assessment of the Australian IT industry – We’re not even close!

Posted in Bad Stuff, Disclosure Laws, Risk Management, governance | 11 Comments »

Paul Craig from SA on Risky Business #22 Security News Podcast

July 17th, 2007 Drazen Drazic

If you don’t already subscribe to Patrick Gray’s Risky Business Security News Podcast, it’s well worth a look. Paul Craig from SA is on this week’s show talking about the .NET vulnerabilities.

Since the advisory, quite a few people have asked our opinion on whether we thought Microsoft was slack in getting the patch out, given we first reported the vulnerability last year. We stick by our position that in this circumstance, we would have been surprised and worried if something had come out quickly …given the amount and complexity of work required. See SMH story also.

Paul sums up our position on some vendors in his interview on Risky Business. MS does okay!

Posted in Research, Web Application Security, news | No Comments »

Top 10 Security Tools/Systems

July 16th, 2007 Drazen Drazic

We recently polled a sample of senior security managers and specialists to get their thoughts on what they perceived were the 10 most important security tools/systems for their organisations.

Why? For no other reason than we were interested to see what industry people were thinking, using and planning for.

The following is a summary of the findings:

Posted in Research | No Comments »

Big Galoot Diatribe - Standards For Forensics…a Need?

July 13th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Lest Big Galoot be accused of sounding too flippant at the undeniable benefits of “Standards” in our lives, let’s not forget an often overlooked human side of the increasing “Standardisation” of our world and those who feel the irrepressible urge to write them.

Standards make many people happy, warm and comfortable, as does a nice pair of fluffy slippers and a cup of warm cocoa. This is not necessarily a bad thing. I like my cocoa and slippers as much as the next bloke. But make no mistake, standards are sometimes touted by those who feel an overwhelming need to compartmentalise their and other people’s lives by standardising the way in which everyone does things.

For those mother hens of the world who seem to take pleasure in writing procedures & processes for everything we do - from walking our dog off its leash in the park, to spitting on a footpath, is it more a case of process - at the expense of performance?

A recent article at CIO mag http://www.cio.com.au/index.php/id;1626336618;fp;4;fpid;51238 proposes that new network forensics standards are “crucial to the speed and fairness of the US judicial system.”

What a complete load of puffed-up, breast-beating, piffle!

Posted in Big Galoot Diatribe, Forensics | 6 Comments »

Australia behind the game on IT Security…..

July 13th, 2007 Drazen Drazic

My thoughts on this are pretty clear and most people who have followed Beast or Buddha would know I take a pretty cynical position on the Australian Government’s approach to IT Security. But hey, the gov guys did create about 6 awesome whitepapers in the last 12 months or so to ensure Australian business security continues to match it with the best in the world. A must read for every CEO and CIO - telling you everything you need to know about Wireless, VoIP, SCADA and a few others. Shame you’ll never find them or even think to look for them - even greater shame, you’ll probably have no interest anyway as you’re too busy doing other things.

It is good to see I am not the only one being critical of government’s lack of effective understanding of real-world business security concerns and issues. Recent story from SC Magazine; Australia failing on e-security is worth a look. Bill Caelli also puts it out there that government needs to get serious in terms of developing some legislation “to enforce a more security-conscious approach”.

Ain’t gonna happen I am told Bill….but we do have some nice whitepapers to read.

Posted in Bad Stuff, Disclosure Laws, Dumb Security, WTF, cyber crime, governance | 2 Comments »

Advertising for Vista?

July 12th, 2007 Drazen Drazic

Had to laugh the other day - radio advertisement for new notebook computer comes on: “……. and, comes standard with Microsoft Vista but can be easily changed to XP”.

Posted in WTF | 2 Comments »

90% of Web Applications Suck……

July 12th, 2007 Drazen Drazic

Just throwing this one out there after a talk with a journo today as an aside to the .NET stuff we published today.

The question was raised on overall web application security in the real world….what’s your call on it SA?

We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities. (ie; we own, we break etc ….bad!….PCI as an example…very upset potentially). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand, we’re all (all companies like SA) now dealing with a backlog of testing…..stuff that should have been done years ago.

I will state again….the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security…..but that’s the norm unfortunately.

When the sh*t eventually hits the fan in these companies, and it makes the press…same old story…..there’s no one to blame!….. (at least in Australia where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)….

Japan has the right idea in the banking sector - they (the regulators) make the CIO accountable, and if the sh*t does hit the fan, he goes to jail (ie; gaol - aussie spelling - stupid as it is).

We supported a relatively similar call a while back from the Acunetix dudes that had their 80% claim challenged by Network World.

Happy to be tested and a similar challenge thrown out to us…..though I don’t expect it. It would be like shooting fish in a barrel or as the Big Galoot says; ” a newsagent girl picking me out as the shooter and not the pig on the cover of “Babes and Boars”……maybe not……

Posted in Applications, Bad Developers, Bad Stuff, Big Galoot Diatribe, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

.NET Framework Security Vulnerabilities….

July 11th, 2007 Drazen Drazic

Following on from Paul Craig’s research on .NET security weaknesses, Microsoft has today released patch information - MS07-040. Further information at SecurityFocus.

A copy of Paul’s presentation is posted on our site on the Publications page. The full Advisory can be found on this page.

========================================================================
= Multiple .NET Null Byte Injection Vulnerabilities
=
= Vendor Website:
= http://www.microsoft.com
=
= Affected Version:
= .NET FrameWork v1.1 SP1
= .NET FrameWork v2.0.50727
=
= Vendor Notified - October, 2006
= Public Disclosure - July 11th, 2007

========================================================================

== Overview ==
Security-Assessment.com recently completed research into the .NET Framework in relation to the effect a Null byte (%00) has on various aspects of the .NET Common Language Runtime.

This advisory details the findings of that research conducted by Paul Craig.

It was found that certain .NET methods in various sections of the .NET namespace are vulnerable to Null byte injection attacks. Null byte injection occurs when the .NET CLR incorrectly handles user supplied Null bytes.

The .NET CLR considers Null bytes as ‘data’; .NET strings are not Null byte terminated. However, native POSIX compliant function calls terminate all strings at the first Null byte found. Interoperability issues are encountered when data containing a Null byte is passed by .NET directly to a native C function.

Native function calls terminate strings at the injected Null byte, allowing a remote user to arbitrarily terminate a string parameter used by the vulnerable method.

Security-Assessment.com has discovered five vulnerable methods in the .NET framework which are exploited through Null byte injection.

Three of the discovered vulnerabilities allow strings to be arbitrarily terminated through String Termination vulnerabilities. The remaining two result in an Arbitrary File Disclosure condition where a remote user is capable of accessing arbitrary files from within the web root.

.NET has a history surrounding Null byte input flaws and associated logic. On September 8th, 2003 WebCohort Research <research@webcohort.com> released an advisory titled “Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability”, whereby the .NET request validation routine could be bypassed using Null byte injection.

Null byte injection is not a new class of attack, and is a well known exploitation method, but this is the first time a Null byte injection vulnerability has been found in methods within the .NET framework.

Security researchers should be aware of Null byte injection attacks within the framework itself and in .NET developed applications.
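The managed/native mismatch the advisory describes, as an added C example that is not part of the advisory or Security-Assessment.com’s code: a length-counted string stands in for the .NET side, `strlen` for the native call, and the check rejects any decoded parameter whose two lengths disagree. The type and function names and the sample parameter value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A length-counted string, modelled on a .NET string: the length is stored
 * explicitly and a 0x00 byte inside it is ordinary data, not a terminator. */
typedef struct {
    unsigned char data[256];
    size_t len;
} counted_str;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a request parameter the way a web framework does before
 * handing it to application code.  "%00" becomes a literal 0x00 byte and is
 * kept, because the counted string does not treat it as a terminator. */
static counted_str url_decode(const char *in) {
    counted_str out;
    out.len = 0;
    for (size_t i = 0; in[i] != '\0' && out.len < sizeof out.data - 1; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval(in[i + 1])) >= 0 && (lo = hexval(in[i + 2])) >= 0) {
            out.data[out.len++] = (unsigned char)(hi * 16 + lo);
            i += 2;
        } else {
            out.data[out.len++] = (unsigned char)in[i];
        }
    }
    out.data[out.len] = '\0';   /* trailing terminator so C calls can read it */
    return out;
}

/* Length as the managed runtime sees it: every decoded byte counts. */
static size_t managed_len(const char *in) {
    counted_str s = url_decode(in);
    return s.len;
}

/* Length as a native, null-terminated C call sees it: up to the first 0x00. */
static size_t native_len(const char *in) {
    counted_str s = url_decode(in);
    return strlen((const char *)s.data);
}

/* The defensive check: a decoded value is safe to pass to native code only
 * when it contains no embedded 0x00 byte, i.e. both lengths agree.
 * Returns 0 when the value is accepted, -1 when it must be rejected. */
static int validate_for_native(const char *in) {
    counted_str s = url_decode(in);
    if (memchr(s.data, 0, s.len) != NULL) return -1;
    return 0;
}

int main(void) {
    /* Constructed sample input: a filename parameter carrying "%00". */
    const char *param = "report.txt%00.aspx";
    printf("%s: managed length %zu, native length %zu, validate=%d\n",
           param, managed_len(param), native_len(param), validate_for_native(param));
    printf("report.aspx: validate=%d\n", validate_for_native("report.aspx"));
    return 0;
}
```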

== Solutions ==

Security-Assessment.com has been in contact with Microsoft and a new .NET patch has been released to address the discovered vulnerabilities. Install patch KB928365 (Security Update for Microsoft .NET Framework 2.0) and/or KB928366 (Security Update For Microsoft .NET Framework 1.1).

== Credit ==

Discovered and advised to Microsoft October, 2006 by Paul Craig of Security-Assessment.com.

== About Security-Assessment.com ==

Security-Assessment.com is Australasia’s leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor’s products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

Security-Assessment.com is an Endorsed Commonwealth Government of Australia supplier and sits on the Australian Government Attorney-General’s Department Critical Infrastructure Project panel.

Posted in Applications, Research, Web Application Security | 3 Comments »

InterSecT in Singapore

July 10th, 2007 Drazen Drazic

SA is hooking up with InterSecT in Singapore. It’s not officially announced but take it as a done deal. We’re partnering with Justin Lister (Head Man of InterSecT) to bring SA services into the region. Justin is probably the best security guy in the region and when the chance came up, knowing Jus, I leapt at it. I know his site is raw….give it time….but for you guys in Singapore, HK, China, Korea, Thailand…….he’s open for business and SA is right behind him.

Posted in news | No Comments »

Time to look at .NET security

July 9th, 2007 Drazen Drazic

I mentioned in a previous post that Paul Craig’s presentation on .NET would be interesting to say the least.

More on this soon but in the meantime, have a read on one of the first reports at: http://planet-websecurity.org/.NET+0-day%3F/

Posted in Applications, Bad Developers, Bad Stuff, Web Application Security | No Comments »

The eBay for Zero Days…….

July 8th, 2007 Drazen Drazic

I still can’t get my head around this - from a mainstream perspective - not the usual “black market”. But, as people have stated to me before, it’s all business Draz…..It’s going to happen and there’s little that can be done to stop it.

And so, Wabisabilabi kicks off their auction site for zero days. Latest supposed sales on the go. Anyway, some information from the website. I’ll leave you to make your own calls on this:

“Finally a Marketplace Site for Security Research | A revolution in the way security research is handled and reported has occurred! WSLabi (www.wslabi.com), a neutral vendor independent Swiss laboratory, has launched a new international security research exchange. This exchange will create a portal where researchers, security vendors and software companies can interact in an open market to enable researchers to obtain the correct value for their findings. The exchange will become a global database of every IT security research ever found…………..”

Hmmmmm……the “Ethics” page is interesting also.

Anyway, may not last long….they don’t seem overly bogged down with bids on the supposed “research” they have.

Posted in Bad Stuff, Disclosure Laws, Research, WTF, cyber crime | 2 Comments »

dailyinfosec Security News Site……

July 6th, 2007 Drazen Drazic

http://www.dailyinfosec.net/

…….on the new gnucitizen initiative.

Posted in news | No Comments »

Ya big bully boys…..leave Joanna alone….shes nice!

July 5th, 2007 Drazen Drazic

It gets exciting in the security community when the challenges are thrown out. I know……I can barely get to sleep at night from the anticipation. And so it is at the moment with the “Bet we can detect Blue Pill” vs. “Bet you can’t!” challenge.

In the red corner, the Bully Boy Team. (And no, that’s Peter Ferrie - not the famous Peter Fernie of Security-Assessment.com and Securus Solutions fame). In the Blue corner (gees, the jokes are lame) of Blue Pill fame, the lovely Joanna Rutkowska.

Even if Joanna loses, there’s enough excuses already to see a rematch in the future. Either way, hits on both websites should shoot through the roof.

Let the best woman win!

Posted in Forensics, Research, news | No Comments »

Big Galoot Diatribe - Computer Forensics “Specialists”

July 4th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

The other day I met a couple of guys at a security conference who introduced themselves and announced proudly that they did “Computer Forensics”.  I had no reason at that stage to disbelieve them, since they were wearing some rather impressive-looking nametags, bearing the logo of a very well known global company.

After a bit of big-noting themselves, it was what they said next in relation to investigation techniques that sent my alarm bells ringing;

“We’ve just done a course on interviewing suspects.  We can tell you when someone is lying.”

“Really?” I said, rather disbelievingly. (Gees, these guys have it 100% - something that takes good police detectives years to develop).

“Aside from your lie detector skills, how do you keep an arm’s length between your forensics role and being the interviewer of a suspect?” I asked, very curious to hear their response.

“Bah! No need to worry about that!” they replied rather boldly, as if that were a mere technicality not worth worrying about.

Unfortunately, as they might discover, the courts don’t exactly share their view on wearing both the hat of the interrogating Investigator and Computer Forensics Expert simultaneously. See fellas, there’s this thing that courts are big on; it’s something known as ‘Independence’.

Nor is computer forensics simply a fancy term for checking audit logs, as they would later try to rather incredulously argue. Make no mistake, these guys were not computer forensics people in any form. They were at best a pair of audit-log-checking boofheads calling themselves “computer forensics” people. As the term “forensics” suggests, it also involves the gathering of evidence in a manner that is lawfully admissible to a court. Judging by their manner, and their high degree of BS, I’d have to conclude that these gentlemen have spent far too much time watching CSI or NCIS, and very little time, if any, in an actual court or in a witness box.

Fellas, if by chance you recognise yourselves & happen to be reading this blog, here’s a really good definition of computer forensics as described at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1007675,00.html

Computer Forensics:
“The application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.”

And by the way, if you’re still reading, perhaps you should remove the “Computer Forensics” label from your nametags and replace it with “Audit Log file checkers”. Ok, it doesn’t sound as impressive, but it’s perhaps a lot closer to the truth, and it avoids more potential embarrassment for you.

Chappo

Posted in Big Galoot Diatribe, Forensics, cyber crime | No Comments »

iPhone to Bring Down Corporate Security!

July 3rd, 2007 Drazen Drazic

It’s time to pack it in guys. The battle for securing the corporate environment is lost….or so many will have you believe with the release, in the last few days, of the Apple iPhone.

I’ve tried not to get involved in the hype and talk about it here, (and even resisted the temptation to bag the fanatics that line up for days to be the first to buy an electronic gadget), but some of the stuff going around the news and blogs is getting a bit crazy. Rightly so…or not?

This eWeek story; Analysts: iPhone Has Neither Security nor Relevance, summarises a lot of what is being published.

Are we really going to see any new security concerns that we don’t already see with other mobile devices? Are the practices we adopt, or should adopt, any different to those today for the other mobile devices entering our networks? Does Apple really care about all this security hype? :-) The more talk, the more interest in actual sales.

A different perspective from an article on; ITNews, (also covered in ZDNet).

And from Matasano, who probably spells it out best. I don’t think I could put it any better.

Posted in Dumb Security, Vulnerability Management, WTF | No Comments »