The Big Galoot goes out on his own!

November 30th, 2007 Drazen Drazic

Now BG is not leaving BorB….it’s just that BG thinks some of his stuff is too out there for even BorB readers, so he’s doing his own thing. Here it is; http://galootsgossip.blogspot.com/

Posted in Uncategorized | 2 Comments »

The coolest dude of all…..

November 30th, 2007 Drazen Drazic

http://www.deanmartin.com/

This site changes with time but the man is the man.

Posted in To cool | 4 Comments »

A SANS and Qualys View of Security Risks, 2007

November 28th, 2007 Drazen Drazic

The work produced by SANS and Qualys stands out as some of the best data produced on the state of security risks in most cases we allow ourselves to be exposed to. More on the data shortly. Just to clarify the statement, “we allow ourselves to be exposed to”; it is what it is. Organisations persist with doing the following:

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 3 Comments »

Computerworld Australia Nov 14 “Special Security Issue” (hardcopy)

November 26th, 2007 Drazen Drazic

I just read the “Special Issue: Security - How to protect corporate assets in a dangerous world”.

CW Australia, are you serious? What a load of nothing! A bunch of republished stories from the US and crap ones to begin with! Why?

You have guys like Darren Pauli and co. putting out some good stuff here in Australia, yet you publish rubbish from the US. (CW US publishes some good things but you dredged the bottom of the barrel for this issue).

Pg 20-21: “Are Security Pros Worrying About the Right Stuff?” - 2 pages of nothing that adds nothing to anyone’s knowledge.

Pg 22-25: “Burning Questions: NAC” - space filler?

Pg 26-28: “10 IT Security Companies to Watch”: What?..none in Australia or Asia Pacific? (Good for US readers but come on, give some support to the guys here!)

Yeah, we know that “IT Security” is the buzzword at the moment but give us something of substance and not the usual drivel to fill pages and make some CIOs feel like they’re on top of everything.

Posted in Bad Stuff, Dumb Security, WTF | 2 Comments »

Big MS Bug has them working hard….

November 26th, 2007 Drazen Drazic

As reported by Patrick Gray in the SMH, this is a big one. Presented at Kiwicon, it does impact a lot of people/businesses. I won’t go into details either at present (I wasn’t there anyway) but you’ll no doubt get the info soon. (If you haven’t already through your own sources).

More presentation details –> http://searchsecurity.techtarget.com.au/topics/article.asp?DocID=6100986

Posted in Bad Stuff, Research, Vulnerability Management, cyber crime | 2 Comments »

Electronic Financial Transactions….have we progressed much since the 90s?

November 26th, 2007 Drazen Drazic

With announcements such as this one in Computerworld and ZDNet Australia, I wonder how much we have progressed. An old story from the mid 90s is interesting reading today; from Wired (circa 1994).

Since then, a score of ideas and businesses have come and gone. The dot com bust probably did not help most but flawed business models did not help either. PayPal must stand out for how it has entrenched itself and looks like being around for a while but who else apart from the traditional guys (Visa, Mastercard, Amex etc) is really competing and has potential to be a major player? (Even these established players have had quite a few “ideas” that just went nowhere).

The principles remain the same - pay someone for a product or service. In turn, accept money for a product or service. Did some of the start-up failures overly complicate this basic principle? On the flipside, a new standard/market leader could relatively easily oversimplify the process and from a security perspective, further open up a raft of security issues to endanger economies and open up new opportunities for financial and cybercrime. Not that there’s not enough of this already.

No answers here but keen on people’s opinions on this.

Posted in Bad Stuff, Research, Risk Management, cyber crime | 2 Comments »

The conspiracy theory returns and it’s 2007…..

November 24th, 2007 Drazen Drazic

Let me start by saying that many “experts” in our industry that I have spoken to also have a very strong opinion on this - many in line with what I am about to throw out there.

None have spoken out to my knowledge, given they feel they will be branded as conspiracy theorists and their reputations will be questioned and tarnished.

Are some “good guy” vendors doing “bad” things?

Posted in Bad Stuff, Dumb Security, Research, To cool, WTF, cyber crime | 2 Comments »

Dec and Brendan talk about Kiwicon 2007

November 23rd, 2007 Drazen Drazic

Kiwicon, New Zealand’s first hacker conference, took place in Wellington over last weekend. It was conducted to a world-class standard with great speakers and smooth running from start to finish - our thanks go out to the organisers for all their efforts.

There were many familiar names, including Peter Gutmann, Brett Moore, and Adam ‘Metlstorm’ Boileau, as well as many first-time speakers who were warmly welcomed to the scene.

There were several presentations highlighting the effectiveness of old-school techniques against modern infrastructure, as well as introducing new techniques that are effective against legacy infrastructure.

Posted in Research, To cool, Vulnerability Management, Web Application Security, cyber crime | 5 Comments »

And we sit here and wonder why politicians are so dumb…..

November 21st, 2007 Drazen Drazic

And I bagged the Libs?! From the Sydney Morning Herald; “Schoolboy whiz helps draft Labor cyber policy”

This has to rate as the stupidest thing I have read in terms of government (potential government) approach to our industry…..and I thought my last post on this had some of the dumbest stuff I have seen! Here’s the gist of this one:

“Tom Wood, the 16-year-old schoolboy who circumvented the Government’s $84 million internet filter scheme, has been enlisted by Labor to draft a sizeable chunk of its cyber safety policy.”

Good luck to the kid. He’s a star now.

Just when you think you’ve seen the dumbest shit you could, something always tops it!

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 9 Comments »

Another Security Survey - Who Reads this Stuff?

November 21st, 2007 Drazen Drazic

If you’ve read BorB for a while, you know my thoughts on security surveys. I’d put the Beast or Buddha polls up against most of these surveys for relevance and informational value most times. :-)

So another has now been announced. See this Computerworld Australia story. 10 questions, like most surveys, very subjective and final results providing what real world value? Look, anyone raising awareness of security issues, I do in a way congratulate them but let’s try not to lose focus of the issues and the root cause of the problems we have. Just read the previous interview with MjR and map that against the survey questions and objectives. See my point? Anything new we’ll learn?

Not sure what the following quote was based upon from the story?!?!

“The risk is to remain vigilant and to not become complacent,” Warrilow said, adding the success of denial-of-service attacks and/or unauthorized penetration appears low.

Does “vendor hype” actually reflect what is going on out there? Come on!

Anyway, I’ve given it some publicity, have a look for yourselves and become part of the statistics.

Posted in Disclosure Laws, Dumb Security, Research, Risk Management, WTF, cyber crime | 1 Comment »

Interview with Marcus Ranum - Blunt Industry Assessment

November 19th, 2007 Drazen Drazic

Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is recognized as an early innovator in firewall technology, and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR’s Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC “Clue” award for service to the security community, and the ISSA Lifetime Achievement Award. Marcus is Chief of Security for Tenable Security, Inc., where he is responsible for research in open source logging tools, and product training. He serves as a technology advisor to a number of start-ups, established concerns, and venture capital groups.
——————————————————————–
Marcus gave me some time today to ask him a few questions about his takes on the industry. You won’t die wondering as to what MjR’s true thoughts are:


Posted in Industry Specialists Talk | 6 Comments »

Australian Government Approach to Security

November 17th, 2007 Drazen Drazic

This is no BS….I don’t think anyone could make stuff up that would be this funny!

These are actual and real links to “the source”.

Start here: http://www.nationalsecurity.gov.au/ and then go link by link……as I said, even if you were trying to be funny, you could not make this shit up….

Link 1: Map of Australia - just so we know what the scope is….i.e. “Australians….this is Australia!” :-)
Link 2: Not really sure what this link means but it talks about replacing something else that no one else has ever heard about and knows what it means. Here it is.
Link 3: “World-Leading Computer Program to Protect Critical Infrastructure” : WTF?!?! Since when? What? How? I must have missed something.

Check out the one on plastic explosives.….What?!?!

The ref has pushed me away and called the TKO…….he should have called it after the first link but then again, you have to give them a go………my fingers are tired……I skip now to this one about APEC. If you have not seen this video, please click here..it is well worth it!: http://beastorbuddha.com/2007/09/14/156/

To prove how serious the government is, click here; http://www.ag.gov.au/agd/WWW/MinisterRuddockHome.nsf/Page/Gallery

I can’t type anymore….each link could be a whole post to itself so I will leave it with you. You just could not make this stuff up!

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, WTF, cyber crime, governance, news | 3 Comments »

Just stumbled across this Frank Abagnale interview…..

November 17th, 2007 Drazen Drazic

http://www.computerworld.com.au/index.php/id;1699361144;fp;4;fpid;16

This is good.

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, cyber crime, governance | 1 Comment »

Interesting Paper on e-Crime

November 16th, 2007 Drazen Drazic

“An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” was produced by Jason Franklin (CMU), Adrian Perrig (CMU), Vern Paxson (ICSI) and Stefan Savage (UCSD).

This is a good read on many levels. Take the findings and information presented how you will, but it can’t be denied that this is happening. This is one of the more detailed research reports I have seen.

Paper Abstract:
“This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from “hacking for fun” to “hacking for profit” has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.”

Thanks to Donal for passing this one through to me.

Posted in Bad Stuff, PCI, PCI DSS, Research, cyber crime | 1 Comment »

One of the best CIO stories I have read in a while…..

November 14th, 2007 Drazen Drazic

Every so often you come across a good story.

This ZDNet Australia interview with Cesare Tizi, CIO of AGL, by Munir Kotadia and Alex Serpo proves there are some good CIOs out there who seem to understand security and their role in protecting an organisation’s Information and Technology assets. Unfortunately, Cesare is a rare beauty but hopefully others [CIOs] will learn from the likes of him.

I’m taking the story at face value and I have noted the response/comment to the story on the ZDNet site.

Posted in Risk Management, To cool, cyber crime | 5 Comments »

Big Galoot Diatribe - What’s in a “title”?

November 13th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Ladies and gentlemen, hold onto your seats while I tell you this. A technology ‘evangelist’ has arrived down under - to save you and me - the apparently hopeless and needy technology sinners of the world, at long last.

An invitation arrived in my inbox to a presentation by a bloke from the States whose title was “Lead IT Security Consultant, Information Security and Risk Management Evangelist”…….That’s right - “Evangelist”. To which you would be well entitled to ask as I did, “WTF”?

Now call me old-fashioned, but when I think of the word ‘evangelist’, I don’t usually imagine anything remotely IT related. And, I certainly don’t feel an overwhelming need to be saved from myself by anyone brave enough to describe themselves as a technology risk management “Evangelist”. Oh my Lordy, no.

Posted in Big Galoot Diatribe, Industry Specialists Talk, WTF | 2 Comments »

The 7 Reasons why Businesses are Insecure!

November 10th, 2007 Drazen Drazic

I won’t start by saying that implementing a strong framework is going to solve all business IT security problems. It won’t, but with one, at least you have one big advantage over now - you have a better picture and understanding of where your problems may lie and you’re less likely to be taken by surprise.

At present, most organisations have little understanding of the risks they face - where they are exposed, what they are exposed to and how these exposures could impact the business! So what are the problems?


Posted in Risk Management, Vulnerability Management, governance | 4 Comments »

Bad guys struggling due to “Good Guy” vendors but……

November 10th, 2007 Drazen Drazic

I like these stories that come out every so often from the anti-badware vendors to remind us that they are on top of the fight against the bad guys. From ZDNet; More malware means good news in the security fight.

Somehow, while attacks are on the rise, it seems that the good guys are making it hard on the bad guys:
“While the volume of malware threats has spiked recently, one expert believes that this is a good sign, with cybercriminals having to resort to increasingly desperate measures to get a result.”

WTF? Really?

“For one thing this means that they’ve had to cast their nets wider and pump out a vast amount more than they once had to,” said Ducklin.

The bad guys are on the back foot:
“Secondly, it means they’ve had to employ increasingly complicated tactics to expose people, such as this PDF Trojan……………the fact that it sounds complicated can be taken as a sign that we’re beginning to do very well.”

This is on the back of Kaspersky reporting the upper hand in the fight.

Posted in Bad Developers, Bad Stuff, Dumb Security, MAC Security, Research, WTF, Web Application Security, cyber crime | 3 Comments »

Kiwicon 2007 - Looks like it’s going to be a good event!

November 7th, 2007 Drazen Drazic

Last reminder that Kiwicon 2007 is approaching –> https://www.kiwicon.org 

Current Presentations and Speaker List: https://kiwicon.org/presentations
Schedule: https://kiwicon.org/schedule

Reminder also for CH’s “Pre - Kiwicon 2K7” EurekaStockadeSEC Gathering for Aussies going over:
Date: Tuesday, November 13, 2007
Time: From 5:00PM
Venue: “The Establishment”, 252 George Street, Sydney, NSW, Australia
CH, let us know if anything has changed.

Posted in Research, news | 3 Comments »

Interview with Matt Jonkman - Founder, Bleeding Edge Threats

November 6th, 2007 Drazen Drazic

Matt Jonkman is a frequent speaker and author, as well as founder of Bleeding Edge Threats (formerly Bleeding Snort). He’s worked in security in the financial and telecommunications sectors for the last 10+ years, and now consults doing vulnerability assessment, threat research and signature writing. Matt’s recent writing projects include a regular article in Hakin9 Magazine, the Snort IDS and IPS Toolkit and How to Cheat at Configuring Open Source Security Tools.
———————————————————————————————-
Matt was recently generous enough to give us some time to talk about his time in Australia, the IT Security industry here, his thoughts on the industry in general, business and some good products……


Posted in Industry Specialists Talk | 3 Comments »