Disclosure Laws in Australia - Article from SA Australia Newsletter

October 31st, 2007 Drazen Drazic

Disclosure Laws in Australia – Things to think about for your company…

We’ve talked a bit about the benefits and potential impact of Disclosure Laws coming into effect in Australia and New Zealand. We’re proud to say that Security-Assessment.com in New Zealand played a part in getting the NZ government to put this on the agenda over there, and we have pushed discussion and debate about the merits of such legislation here in Australia:
http://www.security-assessment.com/news_room/index.html

But what is the impact, and how will this affect your company if/when it comes into existence here in Australia? This article is one of many that gives you a good overview of what disclosure laws may mean to you. Do keep in mind that any legislation in Australia may differ from what is in place in the US and other parts of the world:
http://www.workforce.com/section/03/feature/24/27/11/index.html

From an IT Security practitioner's perspective, we cannot just accept that such legislation will improve corporate security and make our jobs easier. It should in theory, but the potential exists for things to go the other way if not done right. We cover some of the potential issues here:

http://beastorbuddha.com/2007/08/14/more-on-disclosure-laws-in-australia/

This is a topic that will gather momentum in 2008. I think not much happens during elections, or soon after them, but it’s something that will happen.

Posted in Disclosure Laws, Risk Management, cyber crime, governance | No Comments »

SAFECode Forum - The first? Right focus? Losing focus?

October 27th, 2007 Drazen Drazic

EMC Corporation, Juniper Networks, SAP, Microsoft and Symantec have formed a new consortium whose goal, as reported at TechNewsWorld, is to: “……help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity”.

Is it just me who read this and thought: yeah…let’s see how many people remember the name SAFECode Forum in 12 months’ time? Hey, good luck to them. I hope that they do achieve their goals, but is this really the first of these things we have seen, as they promote it as being?

The question has to be asked: have these companies admitted that they cannot, today and in the future, deliver more secure products on their own?

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, cyber crime | 3 Comments »

The Worm fights back…..

October 25th, 2007 Drazen Drazic

Hot on the heels of the ABC and Press Club in Australia trying (unsuccessfully) to defeat the Worm as part of the Australian election debate, Security Researchers are also discovering that it cannot be beaten. In fact, the Worm is not only now defeating attacks to kill it, it is fighting back. Is it just coincidence that this all came to a head on Sunday night? Is this another reason to vote in the Worm-friendly Labor Party? Hmmmm….you have to wonder.

The Worm has become a living entity now by the looks of things, as reported in Network World and as verified by IBM - with AI powerful enough to allow it to make decisions on the fly to attack those it sees as a threat to its existence.

Reports out of Tihsllub, where the Worm is believed to have originated, are sketchy, with all IT services down for the last 4 days. We have, though, heard through reputable sources that have managed to get out of the city that there are unconfirmed reports that the developers of the Worm confessed to having lost control. One of the developers, known only as “Eddie”, is reported to have stated before his untimely disappearance: “It was just for fun…no money…no government…no terrorism….just prank on my girlfriend……now it goes crazy…..it’s alive! I am in fear of my human!”

So the warning to all: whatever you do, if you come across the Worm, don’t approach it or try to engage it in any way, just pretend it’s not there. But, if you are backed into a corner and have no other options, just be nice to it. That may be enough!

Posted in Bad Stuff, Ford Falcon, WTF | 6 Comments »

TJX saga continued….it just seems to get worse

October 25th, 2007 Drazen Drazic

It should almost be time to give this TJX saga its own category here. Just as we think it’s quietening down, the story unfolds further. See The Register: TJX breach was twice as big as admitted, bank says. Can there be a better case study for the consequences of poor security management?

But, are other organisations learning from the TJX experience? The answer is probably only a small percentage are. We see it every day.

Another PCI compliance deadline passed here in this region recently. I’ll put it out there and say that of all the organisations that must be compliant with the PCI DSS, I would be surprised if more than 5% are! Happy to be proven wrong but I just don’t think it’s the case.

So who’s pushing the rest of the business community that doesn’t come under PCI DSS compliance obligations?

Related Links:
Risky Business 35 (Patrick Gray talks PCI with Verizon Consultant)
Beast or Buddha PCI Archive

Posted in Bad Stuff, Disclosure Laws, Dumb Security, PCI, PCI DSS, cyber crime, governance | No Comments »

BlueHat Security Briefing Notes - New Security Disclosure Landscape

October 24th, 2007 Drazen Drazic

Looks like there was some good stuff covered at BlueHat recently. Check out the BlueHat Security Briefings site.

The New Security Disclosure Landscape article by Rain Forest Puppy covers the state of the research industry better than most I have read recently.

Posted in Research | 3 Comments »

Metl on Risky Business

October 23rd, 2007 Drazen Drazic

Our old mate Metl on Patrick Gray’s IT Security Podcast, Risky Business last week:
http://www.itradio.com.au/?p=71

If you’ve not had a listen, I highly recommend Risky Business. (Disclaimer: Not needed - I have no business relationship with ITRadio).

Posted in news | No Comments »

PCI - Retailers and the Storage of Credit Card Information

October 22nd, 2007 Drazen Drazic

The following is well worth a read if you are involved with PCI compliance within your organisation. Thanks to our PCI specialist, Fatemah Beydoun for the heads up and links.

The National Retail Federation recently sent a letter of concern to the PCI Security Standards Council discussing the storage of credit card information. This has drawn a lot of discussion across PCI related and other IT security sites. Some good points and interesting debate:

http://pcianswers.com/2007/10/11/retailers-do-not-need-to-store-credit-card-data/
http://www.schneier.com/blog/archives/2007/10/merchants_not_s.html

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime | 1 Comment »

The role of IT Security people…..are things getting worse?

October 21st, 2007 Drazen Drazic

This is a topic that we cover quite a bit in here. The following is a good article but does show that things for IT Security people may not necessarily be getting better. From the Taosecurity blog: Security staff as ultimate insurance.

In our experience, this is probably quite an accurate assessment of what is happening. Will business ever learn? Keen on people’s thoughts on this. Are IT Security people still struggling for recognition, acceptance and being able to perform their work to the levels people believe they should be?

A couple of related posts:

Hiring a security manager and then not letting them do their job
CIOs spooked about talking about IT Security

Posted in Bad Stuff, Dumb Security, Risk Management, governance | 2 Comments »

More amazing security out of NZ….

October 21st, 2007 Drazen Drazic

Hot on the heels of the recent post Kiwi company aims to beat the hackers, another company in NZ is making some big calls. Morgan from Security-Assessment.com writes about it in the NZ ISIG Mailing List.

Come on Morgan….who knows…..it may all be that amazing. :-).

Gather around and witness!!

Last month, there was Manabars, this month there is… “Janus: Human Factor Authentication”.

“Janus is our completely new and unique authentication solution. It protects identity data against theft or misdirection. By using our patented technologies that operate outside the realm of all current known forms of attack, it is immune to their effects.”

Wow. How is this accomplished you ask? With “message dissemination technology”:

“MESSAGE DISSEMINATION (NZ Patent 541356, WO2007/011240, patent pending in US and other countries) provides an alternative communication method that enhances information security and privacy by making the message known only by the sender and the receiver. It is developed with the principle of mutual understanding between the two parties that are communicating. Instead of using a standard set of rules/protocols to govern all communications between everyone, MESSAGE DISSEMINATION uses dynamic rule/protocol based on a set of principles. It is using a separate set of rule/protocol between each party or simply making up the rule/protocol during the communication session for the next. For unintended recipients, the message intercepted is meaningless.”

Check it out:

http://www.forefrontint.com
These guys are so far ahead of the curve it boggles the mind :)

Posted in Research, WTF, Web Application Security, cyber crime, news | No Comments »

Kiwicon 2007 - It’s the real deal….

October 18th, 2007 Drazen Drazic

Just a reminder that Kiwicon 2007 is approaching. It looks like being a great event.

https://www.kiwicon.org

Current Presentations and Speaker List: https://kiwicon.org/presentations
Schedule: https://kiwicon.org/schedule

Posted in Research, news | 3 Comments »

Integrity of announcing new “Silver Bullets”!

October 16th, 2007 Drazen Drazic

It’s no secret that the major vendors use the press to sell new products, but in the last year or so, I have noticed the journos getting wise to it and questioning whether the spiel they are getting from the “security” vendors (you know who they are) is a public service announcement or marketing BS.

Here’s the tip….we know it’s mostly BS……they want the press, and they’re using you to sell their product. (Reader note: yeah…I know I am stating the obvious) But…..your editors know that, and you need to sell subscriptions………..oh and advertising…Where is the balance?

I would like to see more journos question new products.

I have seen the silver bullets for almost 15 years (in security) and never have I seen an article that says:

“Company X released Product Y. Product Y will solve all your security problems they say (DD: like they all do), but I reckon it is all bullshit. This company has been in the security field for 15 years and every new release is supposed to solve the “Enterprise” security problem, but it has not! So why would this new release be something that a (your) company would pay good dollars for?”

As an avid car, guitar, music, sports etc fan…..the mags I buy as part of my hobbies, I expect to tell me what is good and what is not so good about new products being released. All of them do! They’ll pick every hole in the latest Ferrari, Fender, Foo Fighters or All-Blacks (world cup) offering….but…..in our field, every new product in the press is supported by the marketing spiel from that company….like it’s fact!

Come on IT Press…..before you talk it….have a look at it, test it, get security guys to pass opinion on it, hit it hard enough to help companies……and then write about it.

At present, you’re giving an easy ride into millions/billions of dollars for these companies whose existence relies on us never being able to secure ourselves.

Sad thing is that us security dudes play a small role in most cases (not always) in the decision-making process for costly products like this at the major companies that we work for……..money that could be better spent elsewhere.

Posted in Bad Stuff, Risk Management, governance | 4 Comments »

Arnie gets involved….

October 16th, 2007 Drazen Drazic

From California:

http://www.theregister.co.uk/2007/10/16/schwarzenegger_vetoes_data_bill/

The discussions that we see around data security are a positive step. More than the lip service we see in Australia in most cases.

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime, governance | No Comments »

Law students being awesome hackers……what is going on?

October 11th, 2007 Drazen Drazic

The reason for the lack of posts recently is that I am away…..it’s harder looking after 2 young girls, 6 and 4, on school holidays in Noosa than it is running a business.

Pete Benson sent me this one yesterday and I have to admit, it blew me away on many levels. WTF:

http://www.computerworld.com.au/index.php/id;1057000875;fp;16;fpid;1

Being out of touch in paradise for the last 10 days, I have no idea where this went or whether there was a follow-up. I’ll add to this when I get back but if anyone has more to add now, please respond. This whole story sounds a bit suspect to me.

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 12 Comments »

Big Galoot Diatribe - White Hats, Security Conferences and Boy Scout Meetings…….

October 11th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

As funny as it sounds, a while back I asked the serious question on Beast or Buddha:

How many white hats are actually black hats in disguise?
http://beastorbuddha.com/2007/08/07/ethical-hackingthat-term-is-a-worry/#comments

Since then, it’s been reported that the so-called ‘white hat’ security professional Max Butler has been arrested & charged with hacking offences, including running a carder portal. Ironically, Butler also worked for a reputable organisation whose name suggested they are good guys. (I believe Christian Heinrich also spotted this report). They probably are.
http://www.securityfocus.com/news/11487

We shouldn’t be surprised in any way. After all, it’s not unheard of for criminals to enter a certain profession in society with the motivation (and relatively easy access) of undertaking their chosen nefarious activities.

It makes a lot of sense, in a criminal way.

For instance:

- Paedophiles who become scout leaders, teachers or church leaders.
- Fraudsters & corrupt persons who become politicians or public officials.
- Arsonists who become fire fighters.

All of which leads me to ask the following:

1. Would a country planning a war also invite their enemies along to their pre-war planning meeting?
2. Are tactics for defeating hackers, latest research etc openly discussed at IT Security conferences?
3. Is there a strong likelihood that amongst the hundreds of IT security professionals attending a conference, some may be highly experienced black hat hackers?
4. Is the IT security industry deluding itself about the preventative value of such conferences?
5. Rather than helping to put the flames out, are large conferences a mechanism fuelling the fire?

I think we know the answers to most of these questions, so do we kid ourselves that the industry is not rife with people who can easily sway to the dark side or are already firmly entrenched there?

Food for thought.

Posted in Bad Stuff, Big Galoot Diatribe, Disclosure Laws, Dumb Security, Industry Specialists Talk, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 11 Comments »

Pre-Kiwicon catchup…….

October 4th, 2007 Drazen Drazic

Guys, I’ve just been asked to pass this on to any Aussies heading to Kiwicon or others who may be interested in attending:

The “Pre - Kiwicon 2K7” EurekaStockadeSEC (Sydney, Australia) Gathering.

While there is no formal agenda at CitySEC Gatherings, this will provide an opportunity for people to discuss plans for Kiwicon 2K7 - if they haven’t left Australia for New Zealand yet :)

The “Pre - Kiwicon 2K7” EurekaStockadeSEC Gathering
Date: Tuesday, November 13, 2007
Time: From 5:00PM
Venue: “The Establishment”, 252 George Street, Sydney, NSW, Australia

Further information on the venue can be found at http://www.merivale.com/establishment

In addition to the announcement at www.citysec.org under “EurekaStockadeSEC (Australia)”, I have created a Google Calendar for EurekaStockadeSEC at http://tinyurl.com/28kcxk too.

Also, if you have not been to or at least heard of CitySEC, please refer to the Sticky Post “What Is A CitySec Meetup?” on www.citysec.org for further information.

Posted in Uncategorized | 1 Comment »