State of Microsoft Vista

Posted on September 28th, 2007 by Drazen Drazic

This is an interesting take on Vista from CNET: “Why Microsoft must abandon Vista to save itself”.

Maybe Philippe Courtot’s prediction is not as out there as some would think.

Related post: http://beastorbuddha.com/2007/07/12/advertising-for-vista/

Posted in Bad Stuff, news | 2 Comments »

TJX – trying to settle things down….

Posted on September 25th, 2007 by Drazen Drazic

It will be interesting to see if this attempt to settle is the end of the TJX saga. Somehow I think not, but who knows.

And, for “All Customers”, the following:

“TJX will hold a future, three-day Customer Appreciation special event in which prices at all T.J. Maxx, Marshalls, HomeGoods, A.J. Wright stores in the U.S. and Puerto Rico and all Winners and HomeSense stores in Canada will be reduced by 15%.”

I’m serious….have a read through the link……you couldn’t make this stuff up!

Posted in Disclosure Laws, PCI DSS, Research, Vulnerability Management, cyber crime | 3 Comments »

Old viruses making a comeback? Come on…really? Have detection capabilities gotten any smarter?

Posted on September 21st, 2007 by Drazen Drazic

This was an interesting story this week: http://www.theregister.co.uk/2007/09/17/vista_hit_by_stoned_angelina/

It made me think, have antivirus products gotten any smarter?

I remember in the early days of computer viruses (early 90s) when antivirus products had signature recognition and/or CRC checks against files. (Gees…have things changed or do we have less now?) Remember the “heuristic detection” claims?

A product called Victor Charlie emerged that should have been a disruptive technology but, for some reason, never made it. (Read: VHS vs Beta etc etc….same old story). We actually deployed it country wide at the company I worked for at the time (in combination with the usual signature based scanning just to be sure…as you did at the time).

The product was smart…far smarter in terms of approach/forward thinking than anything else we were seeing emerge from the main anti-virus vendors.

Now keep in mind, this is early 90s. This product would reside in memory and “bait” viruses – intercepting calls to interrupts 13H and 21C (gees, correct me if I got that wrong, it has been a while)…the calls that needed to be made to either infect the boot sector or files directly.

Skipping ahead….it would then capture a string of the virus code, alert the user/admin and then store that string, enabling the admin to use the captured string within the scanning component of the package to scan for other potential instances in the environment….all on the fly.

Now the latter part, i.e. capturing a string of code to use on the fly in a new scan, was not perfect, but gees, that ability to detect an unknown virus by way of the “baiting” technique at the time was brilliant.
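The bait-and-capture flow described above, as a toy re-creation in Python. This is an added example, not Victor Charlie's or Bangkok Security Associates' code (which is not public); it assumes the DOS disk services are INT 13h and the file services INT 21h, and the interrupt hooks, the disk image and the payload bytes are all simulated and constructed for the demo.

```python
# Added example, not Victor Charlie's code (which is not public): a toy re-creation of
# the 'bait' idea in the post. A monitor sits in front of the DOS disk/file services
# (INT 13h sector I/O, INT 21h file I/O); a boot-sector write or a write altering an
# existing executable is blocked, its new bytes become a scan string, and the scanner
# sweeps the rest of the 'disk' for it. Disk image and 'virus' bytes are constructed.
SIG_LEN = 16     # bytes taken from the payload as the scan string
MIN_UNIQUE = 6   # distinct byte values required; rejects padding such as 16 x 0x00

def new_bytes(old: bytes, new: bytes) -> bytes:
    """Bytes of `new` past its common prefix with `old` (what the write changed)."""
    p = 0
    while p < min(len(old), len(new)) and old[p] == new[p]:
        p += 1
    return new[p:]

def extract_signature(payload: bytes):
    """First SIG_LEN window with enough variety; a run of padding would match half the disk."""
    for i in range(len(payload) - SIG_LEN + 1):
        win = payload[i:i + SIG_LEN]
        if len(set(win)) >= MIN_UNIQUE:
            return win
    return None
class Monitor:
    def __init__(self, boot: bytes, files: dict):
        self.boot, self.files = boot, dict(files)
        self.signatures, self.alerts = [], []
    def int13_write(self, sector: int, data: bytes) -> bool:   # raw disk write hook
        if sector == 0:                                         # boot sector is the bait
            return self._caught("INT 13h write to boot sector", self.boot, data)
        return True
    def int21_write(self, name: str, data: bytes) -> bool:     # file write hook
        old = self.files.get(name)
        if old is not None and name.lower().endswith((".com", ".exe")) and data != old:
            return self._caught(f"INT 21h write altering {name}", old, data)
        self.files[name] = data
        return True
    def _caught(self, why: str, old: bytes, new: bytes) -> bool:
        self.alerts.append(why)                                 # alert the user/admin
        sig = extract_signature(new_bytes(old, new))            # capture a string
        if sig and sig not in self.signatures:
            self.signatures.append(sig)
        return False                                            # block the write
    def scan(self) -> list:                                    # reuse captured strings
        return sorted(n for n, b in self.files.items() if any(s in b for s in self.signatures))

def demo() -> dict:
    virus = b"\x00" * 4 + bytes(range(0x90, 0xA8)) + b"\x00" * 4   # constructed, inert
    mon = Monitor(boot=b"\xEB\x3C\x90 original boot code",
                  files={"CMD.COM": b"command.com image", "GAME.EXE": b"mz" + virus + b"tail",
                         "NOTES.TXT": b"plain text"})
    mon.int13_write(0, b"\xEB\x3C\x90" + virus)                    # baited
    mon.int21_write("CMD.COM", b"command.com image" + virus)        # baited, blocked
    mon.int21_write("NEW.TXT", b"harmless")                         # passes through
    return {"alerts": mon.alerts, "signatures": mon.signatures, "hits": mon.scan()}
```

The MIN_UNIQUE check is the one concession to the "not perfect" caveat: a string lifted from a padding run would match clean files everywhere, which is the false-positive problem any on-the-fly signature has.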

It just never took off. Far ahead of its time, and as for the dudes that developed it, Bangkok Security Associates, I have no idea whatever happened to them. Had these guys succeeded, I wonder if things may have progressed differently. (Yeah, I know the number of bits we work with now has increased but maybe the intelligence of the guys working on the protection side of things may have also!)

Posted in Research, Vulnerability Management, Web Application Security | 3 Comments »

Contributors, Contacts and Criticisms

Posted on September 20th, 2007 by Drazen Drazic

We’ve recently made it easier to respond to posts so hopefully that may encourage more people to post their opinions.

We’ve also just added a “contact me” link in the “About Me” section of the main page. I am very keen to get feedback and also to hear from fellow security people, and those people who have their own blogs or just want to have a chat and expand their network of contacts.

In addition, we’re also looking for contributors to the site, so if you have something you’d like to share and you think BorB would be a good place, send it to me. I can’t guarantee everyone but I will read every submission and respond to you.

We are looking at expanding BorB and these things are our first steps. We value everyone who comes here so your thoughts, comments and ideas are most welcome.

Regards

Drazen Drazic

Posted in news | 3 Comments »

Deloitte accuses Australian Banks of dropping their standards….

Posted on September 20th, 2007 by Drazen Drazic

From the Financial Review story by Michael Crawford, talking about the Deloitte 2007 Global Security Survey.

I’ve questioned the relevance and accuracy of such surveys before and I can understand why the local guys would be distancing themselves from this piece of work to a degree. Related post: http://beastorbuddha.com/2007/03/18/security-surveys/. Don’t get me wrong….for some basic awareness, they’re not bad but as a definitive guide….hmmm.

Are standards dropping in the banks? I wouldn’t say that based upon our experience.

We do though see little to no improvement in the regulatory environment here in Australia that would further push stronger practices.

Anyway, the next “Big” survey will probably paint a different picture. :-)

Posted in Research, cyber crime, governance, news | No Comments »

Defenders of the Realm….not Hackers!

Posted on September 17th, 2007 by Drazen Drazic

A take on defining hackers, ethical hackers and penetration testers by Matthew Strahan (SA Consultant):

A short time ago there was a discussion here about the term “ethical hacker” versus the term “penetration tester”.

The term “ethical hacker” is thrown around quite a lot nowadays without any real concern of whether it’s accurate or not. When people ask what I do, I find that “ethical hacker” or “professional hacker” gets the point across much quicker than a full discussion of what a penetration tester or a security consultant actually does.

The interesting thing is that I don’t really like to think of myself as a “hacker” or “cracker” since those terms are fundamentally different to what a “penetration tester” does.

Though we may use similar tools to the hackers, we are by nature, defenders, and hackers are by nature attackers.

Let’s look at the difference between attacking and defending.

Posted in Applications, Industry Specialists Talk, Research, Vulnerability Management, Web Application Security, cyber crime | 5 Comments »

First case of its kind in 5 years? Where’s that information coming from?

Posted on September 17th, 2007 by Drazen Drazic

Roses Only has a few problems at the moment in regard to credit card security.

ABC News reports it as the first case of its kind in 5 years?! Really?

This will be an interesting one to follow.

Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | No Comments »

Kiwi Company aims to beat the “Hackers”

Posted on September 17th, 2007 by Drazen Drazic

http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10463381

Some big calls made here.

Gees, they’re busy those kiwis lately.

Posted in Research, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

Selling surveillance equipment – from NZ….

Posted on September 15th, 2007 by Drazen Drazic

Police surveillance gone a bit wrong:

http://www.theregister.co.uk/2007/09/13/nz_snooping_farce/

Posted in Bad Stuff, Dumb Security, WTF | No Comments »

The Chaser at APEC – one for our international readers

Posted on September 14th, 2007 by Drazen Drazic

How good was this at the recent APEC Meetings in Sydney? Security at its finest! See the followups after the video for more of a laugh.

Posted in Bad Stuff, Dumb Security, WTF | 3 Comments »

State Sponsored Cyber Attacks and Crime?

Posted on September 13th, 2007 by Drazen Drazic

This seems to come up quite often lately in the press. I think it was Risky Business (ITRadio.com) that also covered it in a recent interview. Big Galoot raised it in a previous post.

The Kiwis first, and now the Aussies are also getting into it: http://www.news.com.au/story/0,23599,22403224-2,00.html

I wonder how someone can definitively state that it was this government or that. Anyone heard of spoofing IP addresses? Was it raised with China at APEC? :-)

Big Galoot sent me the following:

“Organisations that still have the mindset that the enemy they are battling against is mainly organised crime gangs. They’d better face up to the grim reality! Cyber crime is also State-sponsored, which given the resources available to an entire country for this type of activity, raises the stakes massively!”

Posted in Bad Stuff, Big Galoot Diatribe, Vulnerability Management, Web Application Security, cyber crime, news | 2 Comments »

Oh my God! This is scary!

Posted on September 13th, 2007 by Drazen Drazic

Tell all your friends….bad things are actually happening on the Internet:

http://www.theregister.co.uk/2007/09/11/online_threat_report/

Posted in Bad Stuff, Dumb Security, UFOs, WTF, cyber crime, news | 1 Comment »

An interesting way to look at IPv6 adoption

Posted on September 6th, 2007 by Drazen Drazic

Not much more I can add; http://www.ipv6porn.com/ (Thanks to Donal for the link).

Other IPv6 posts

Posted in WTF | No Comments »

One Australian Government IT initiative you can’t bag!

Posted on September 5th, 2007 by Drazen Drazic

There’s plenty you can, but this one, in regard to the policing of Internet predators, is well worth the investment.

Posted in Bad Stuff, cyber crime | 1 Comment »

PCI – Choosing your Auditors carefully….Part II

Posted on September 5th, 2007 by Drazen Drazic

I’ve added this as a direct response to questions I have received to clarify comments from previous posts. (See link below). I hope this helps but as usual, am open to suggestions, thoughts and criticisms of my take on this.

—————-
If you have already started to head down the PCI compliance path, you know it is a time consuming and costly exercise. If you’re about to, trust me, it is a time consuming and costly exercise. There are no short cuts. While there are quite a few certified organisations to help you, and to provide required services like quarterly scanning and onsite Audits, you need to be careful when assessing who can actually do a good job. I know this will upset some of the other “certified” guys and some who previously were certified but no longer are, but there are a lot of guys out there who really can do you a disservice. We know, because we have seen the results of their work.

Choose Your PCI Auditors Carefully

When looking for a PCI certified organisation (QSA) to assist you, ask the questions. If you are getting quotes from a few parties, ask why some quotes may be double, triple or more the cost of someone else’s. Understand what it is they are proposing and why – make sure you are comparing apples with apples. Alarm bells should ring if someone quotes you 5 days for an onsite Audit of your complex environment and another party quotes 30 days! Trust me, the latter may be closer to the actual time required to do the job right! The above link highlights the issues and costs you may be faced with later by trying to save a few bucks today.

Some questions to ask QSAs:
- How long have you been involved with PCI DSS work?
- How much PCI work have you done? (Not a big one but worth knowing – some guys have done much less than others but are far better at it!)
- How many experts and certified staff do you have in Australia (add your own country here)? (Many promote their global numbers but that means little here – they are overseas, not here!).
- What background and expertise do your staff have?
- What is your approach to the Audit? Do you just ask questions, or do you get down and dirty and test? And how, and to what level? Get them to explain their methodology! (Many will just interview – for an onsite Audit, and to get the assurance you need from a risk perspective, this is just not good enough!)
- Get your best technical guys to pick apart some of the technical areas in the standard and throw some detailed technical questions on encryption and key management (as a couple of examples) at the QSA. You would be surprised how many will be stumped! If they can’t answer the questions, how can you expect them to help you become compliant?
- Company X proposed Y days for the work but you proposed Y/3. How can you do the work in that time and still give us the assurance that you will cover everything?
- And one for the dummies – what does “safe harbour” mean?

Obviously you’ll have your own questions also and this is just a start, but as I said, the risks to your organisation can be huge if something happens. Don’t get me wrong, even the best guys will never catch everything, but the bad ones do and will miss the bleeding obvious!

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime, governance | 3 Comments »

Another “great” study on Risk Management in IT

Posted on September 5th, 2007 by Drazen Drazic

From; Insurance Networking

Am not bagging the study (or studies) overly, but studies like this rarely produce anything new – more just reporting that things on the RM side are getting better. Are they?

Seriously though, aside from individual projects (sometimes), many miss the point. All RM methodologies, practices, processes…whatever you want to call them, fail if you fail on the first step – understanding what exactly it is you want to manage the risk on. We still haven’t gotten to grips with these basic foundation principles of Risk Management.

See previous post on this; “Risk Management – great in meetings, not so much in practice“.

Posted in Research, governance | No Comments »

Playing the odds…lessons not learnt from other’s pain!

Posted on September 3rd, 2007 by Drazen Drazic

Two high profile cases making the news this week; Bank of India and Monster Breach.

Many more companies were hacked, or continue to be breached, that you’ll not have heard about this week!

You got to love Bruce Schneier’s comment from the Monster article: “You’re going to see this happen again and again and again,” said security analyst Bruce Schneier, chief technologist for BT Counterpane. “I assure you, every other company didn’t say, ‘Wow, look what happened to Monster, we have to fix our problem.’”

Posted in Bad Stuff, Disclosure Laws, Vulnerability Management, Web Application Security, cyber crime, governance | No Comments »

We’re Kyoto….we always have been…Most Aussies want to be!

Posted on September 3rd, 2007 by Drazen Drazic

Thanks Wade…

We’ll back Wade’s bet and send it out to the first 20 respondents to this post, or email me also.

Clue: It isn’t IPv6.

If you just want the bag, we can organise that also without an answer….not sure how we handle bundles of less than 10, but if your company wants their IT staff to look cool/hippy/geek etc….just send me through your details.

Posted in WTF | 4 Comments »

CIOs “spooked” about talking about IT Security…

Posted on September 2nd, 2007 by Drazen Drazic

How funny is this from MIS Magazine; “Don’t ask, do tell“. Well done to Michael Crawford and the team for writing this up!

You’ve got to love the percentage that were secure (so to speak) in their position. That’s pretty much close to the figure that would know! In regards to the dudes who baulked….well we know the good majority have no idea whatsoever, so as we have asked before, why are you even in that role? Yeah, I know that sounds harsh….actually no, it’s pretty much on the ball. Prove me wrong!

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, governance, news | No Comments »

Political BS at its best!

Posted on September 2nd, 2007 by Drazen Drazic

Helen Coonan on Labor’s plans – from ZDNet.

You’ve got to love it. The Government that succeeded in keeping us behind the major players in Asia and most of our major trading partners having the hide to bag someone else.

My previous thoughts on this: Who’s kidding who?

Oh, we’re all so concerned now about this aren’t we?!

The horse has bolted guys….let’s get some real discussion on how the country can keep, develop and grow our IT talent and our overall capability here. At present, it’s the old lip service and no more…..let’s follow whatever the latest trend is and what will make us look good in the eyes of the majority of the population who don’t know the true story!

Posted in Bad Stuff, Dumb Security, WTF | No Comments »