Link to NoticeBored – Top information security risks for 2008….

Posted on December 31st, 2007 by Drazen Drazic

This is worth a read: http://www.noticebored.com/blog/NBlog.html

Posted in Research, Risk Management | No Comments »

“NBA”…they gave it an acronym……still going nowhere fast!

Posted on December 27th, 2007 by Drazen Drazic

This stuff called NBA (network behaviour analysis) has been around for years (but CW thinks it’s new…..read on) and while I acknowledge the intelligence of guys who build these systems….from a programming perspective only, and what could be, they have gone relatively nowhere in the last 6 years….i.e. think heuristic antivirus technology…..big talk circa 1995 and where today? Any difference?

The following quote from this story in Computerworld, stupidly titled “NBA: Your last line of defence” pretty much inadvertently says it all: (If we solved this problem described below in the quote, the technology would be redundant anyway!) (Addition: this CW link seems to no longer work so go to Network World for the story)


Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF | 4 Comments »

To all our readers………

Posted on December 24th, 2007 by Drazen Drazic

We’re all taking a few days off, but the news section of the site will continue to be updated! Hopefully not too much happens! :-)

Thanks to all for being readers of Beast or Buddha in 2007. I really do appreciate everyone who comes here.

Have a happy and healthy new year, and see you online soon!

Best Regards
DD

Posted in Uncategorized | No Comments »

Facebook Searches…….

Posted on December 23rd, 2007 by Drazen Drazic

Does the search engine in Facebook have much intelligence? Type in the dirtiest thing you can in the search list for a friend and you will get a list of people who I am 100% sure would be shocked to know they came up on the list! (Well at least some of them I think) :-)
Now you’re probably wondering how I found this out. Well….research is my job. :-)

The level of intelligent posts in BorB has just dropped again. I promise in 2008, I will raise the game!

Posted in Bad Stuff, WTF | 3 Comments »

Peter Gutmann’s Kiwicon 2007 presentation on Risky Business

Posted on December 23rd, 2007 by Drazen Drazic

Risky Business #43 and #44 are well worth a listen (like all the RB podcasts are). These two recent ones include Peter Gutmann’s excellent presentation at Kiwicon 2007. Here’s the link: http://www.itradio.com.au/security/

Posted in Industry Specialists Talk, Research | 1 Comment »

JetStar duds me….my fault too but…..(off topic)

Posted on December 23rd, 2007 by Drazen Drazic

So yesterday the wife calls JetStar (Australian airline) to enquire if one of the 4 flights (wife, two kids and myself) we have booked for today can be changed to the day after. I needed to stay an extra day in Sydney for business. (The flights weren’t cheap either this time of year). We know it’s within the 24 hour period but thought we’d try….you sometimes get good people. “Not a problem” the lovely lady on the phone tells my wife. “We’ll just need to know when you want to use that flight”. Wife calls me on the phone and I suggest a date sometime later this year as they did not have a flight out for me tomorrow. So wife books a flight on another airline – $300 odd bucks. She calls back JetStar who confirm the change will be no problem to a flight later in the year, but that for some reason, I had to actually call them to confirm the change in flight details. “It won’t be a problem!” I get home, call JetStar and speak to a “gentleman” who tells me I cannot do it. After explaining about the previous 2 calls, with disdain, I am told, too bad, they were wrong! Stupid me suggested I’ll call back and take my chances with someone more pleasant like my wife had spoken to on the previous two calls. Should have known – he proudly proceeded to tell me that he would put a comment on the booking to ensure no one else would make the change, perchance I got someone with some Christmas spirit and decency. Sure enough, wife calls again, explains that we would not have changed the ticket and bought another one if we had not been told and then confirmed in a second call that it was okay! (The dude had put a comment on the system – probably something nasty). So $300 odd bucks wasted. Anyway, I wish that miserable sod at JetStar a lovely Christmas…..I am sure he’ll move up in life to be a parking inspector one day and thoroughly enjoy it! He seemed the type.

Posted in Bad Stuff, WTF | 4 Comments »

You got to love some of the comments to this story….

Posted on December 22nd, 2007 by Drazen Drazic

From the Register, Symantec winning some bucks against counterfeiters.

“Did the fake copies have as many problems?” :-)

Posted in Dumb Security | No Comments »

Australian Bank Security vs. the rest of the world

Posted on December 22nd, 2007 by Drazen Drazic

BankMan is an article submission to Beast or Buddha from the CISO of one of the region’s banks. My responses will follow….

BankMan: You mentioned in a recent post how good Australian banks were doing with IT Security. I know that came with a few extras that you also highlighted, like how bad we were against the rest of the world, such as Asian countries like Singapore. But at least you seemed optimistic.

Mapped against levels of fraud, Australia does well so what do you base your comments upon?

Posted in Industry Specialists Talk | No Comments »

DarkSide Brothers Reality Check – Botnets? Is that the Worst of it? Part I

Posted on December 20th, 2007 by Drazen Drazic

Darkside Brothers Reality Checks are article submissions to Beast or Buddha from two well respected industry researchers and consultants. Are they serious and on the ball or swaying towards conspiracy lunacy? I’ll leave it with you to work out your own opinions.

In response to the previous Beast or Buddha post on the Billion owned systems. (The SMH has had time to correct if they thought they were wrong but that’s beside the point):

We really need to move on from the idea that unless your motd is “lol fluffy bunny pwnd j00!” your computer is fine.

All your links are owned: http://cryptome.org/nsa-ip-update10.htm.

Every scrap of data that has touched the Internet has been captured under Wholesale Surveillance (owned): http://www.dailykos.com/storyonly/2006/4/8/14724/28476/. (Think MITM, passwords for all your sites (that you re-use for your work VPN, your email and all the encrypted communications and PGP passphrases too)).


Posted in Industry Specialists Talk | 4 Comments »

Is every computer in the world compromised? They’re all owned out of the Netherlands according to the Sydney Morning Herald!

Posted on December 18th, 2007 by Drazen Drazic

From a long story about lots of things from the SMH.

“In Australia one zombie army was found to have 400,000 computers under its power while in the Netherlands another was in control of 1 billion computers putting millions of personal details into the wrong hands.”

That is a lot of computers to manage and control. We’re in big trouble. :-)

Related story on number of computers: http://www.techworld.com/news/index.cfm?NewsID=9119

Posted in Bad Stuff, Too cool, WTF | 3 Comments »

Lip Service or a real call to action…….Has much changed in 2007 really?

Posted on December 16th, 2007 by Drazen Drazic

The amount of information coming out of US Government bodies on cybercrime, Information Security and the real and immediate danger faced by all businesses has grown remarkably in the last 12-24 months. Just one recent example: ‘We’re all at risk’ of attack, cyber chief says. (In Australia, Government action, as Borat would say, “Not so much!”). Online and paper copy IT Magazines and journals have dedicated IT Security sections now. We even read more about the issues in the standard press. More and more universities now offer IT Security courses. (Though the quality of many is questionable, it’s a start).

But has anything really changed that much in reality in 2007 where it matters – i.e. in the minds and actions of business and individuals?


Posted in Disclosure Laws, Research, Risk Management, Vulnerability Management, cyber crime, governance | 1 Comment »

You no longer even have to sign Credit Card purchases……when you are there!

Posted on December 14th, 2007 by Drazen Drazic

In recent times, we’ve had proud announcements from some banks that you will no longer even have to sign for purchases on your credit cards. Just swipe it and that will be it!

I know at places like Sydney Airport carpark, amongst many, as long as you hold a card, you’re sweet! Swipe and Go!

Are we going backwards or what?

Some banks even in the last 2 weeks here are marketing “smart card” (yeah right) technology and promoting the ease of how good this is…so simple for the consumer……swipe and go! These are not pre-paid cards……these are credit and debit cards!

So let me get this right? You give us a credit card…we decide to purchase something…..we swipe it…..the cashier acknowledges there are funds and we move on?! WTF?!

We work with PCI DSS on the backend and on the other side we have this? It’s not normal!

Carl G passed me this some time ago…..well worth a read and laugh…..Makes it all irrelevant, doesn’t it:

http://www.zug.com/daily/journal/archive/2002_05_05_index.html

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, WTF, cyber crime | 3 Comments »

Starting a new job – you’ve only got 2-3 months to make a big difference…any longer and it’s tough!

Posted on December 14th, 2007 by Drazen Drazic

Following on in the series of posts about being an internal IT Security Head, I was talking to a mate today who’s about to start soon as the Regional IT Security Manager for a large global entity.

My thoughts are that you only have 2-3 months max to lay the foundations for how the rest of your time there will be.

Where I am coming from is this:

1. No one knows you yet and what you plan to do and how you do things.
2. Because of this, it’s greenfields and you can assert your position and plans (to a degree within the bounds of good professionalism obviously).
3. Because you are the new IT Security dude and because most in the organisation will have no idea about what you do or what your role is, you can develop the “role” to a large degree yourself. You can get people to buy-into you early.
4. For the first few months, you are treated like an external consultant – the expert brought in to make a difference….so people will listen!

If you spend the first few months just settling in, trying to work in around everyone else, being everyone’s mate and worrying about how you’ll do things in the future – you’re lost…..game over and you’ll be in that miserable job where you complain that no one listens, cares or gives little attention to you. Assert your role upfront and the chances of it being that better job are good! The chance of you making a difference will be much better! Wait, and the ability to make change and a difference will be tougher. People settle into other people and this sets how they deal with each other for the future. Becoming a proactive go-getter after people have “settled” in with you is a tougher assignment.

Hey….sounds like I am preaching but it’s close to fact from my experience. (This is for all jobs – not just our industry). Have a think about it. As usual, open to your thoughts, comments and criticisms.

Posted in governance | 1 Comment »

Toys R Us Australia….good charity or good business (non IT related side topic)

Posted on December 12th, 2007 by Drazen Drazic

Is it just me that finds something wrong with the Toys R Us approach to charity and their support of the Children’s Hospital?

For those of you who have no idea what I am talking about, and have never been into a Toys R Us, when you purchase an item, the standard line from the cashier before you pay is; “Would you like to buy a balloon in support of the Children’s Hospital?”. The balloons sit next to the cash register. Now the first few times, I did, thinking; yeah, good cause….happy to!

Posted in WTF | 10 Comments »

Security-Assessment.com Australia/Asia Pacific is not part of the Datacraft purchase of SA NZ

Posted on December 11th, 2007 by Drazen Drazic

You may have read this morning that Datacraft NZ has purchased Security-Assessment.com in New Zealand.

I just wanted to highlight that this is just Security-Assessment.com NZ and not Security-Assessment.com Australia/Asia Pacific. We have not sold out and our business operations, team and approach to the IT Security industry remain the same. We wish NZ all the best but it’s business as usual for us here in this region.

If you have any questions, please don’t hesitate to call or email me.

Posted in news | No Comments »

Facebook? Have fun with it!

Posted on December 8th, 2007 by Drazen Drazic

As the latest hot topic in the mainstream press for “security” issues, Facebook has copped quite a bit!

FFS, is Facebook really the biggest problem we have? (Aside: FFS...I thought I invented a new one but I did not…found this link).

As usual, mainstream IT press diverts the attention from the real issues to the hot topic of the day. YES….Facebook can be a BIG problem BUT…..gees…..we’ve got much larger ones! Facebook security is something in the hands of those participating – ie; in their control! Supposed press awareness is good, but who are you kidding?

Yes, the real issues get reported here and there in mainstream press….very ad hoc….but end of the day….they get replaced quickly by the latest large vendor product release announcements and something bad in Facebook (or similar) like Vampires striking into people.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 5 Comments »

CSOs and IT Security Managers – Shouting Louder to Make Things Happen

Posted on December 7th, 2007 by Drazen Drazic

One of the biggest issues that we see facing CSOs and IT Security Managers is the effective communication of business risks to those stakeholders ultimately accountable for the business. (Commonly referred to as the C-level team).

(There are quite a few posts in here about the tough job of being an IT Security person in any organisation and I’ve always been pretty blunt in my assessment of the state of the industry).

The recent Poll on Beast or Buddha (NB: no way a definitive sample mind you, and done with as much context as most annual surveys, but I would not say being too far off on how things actually are) had over 70% of respondents stating that their organisation did not seem to care, in addition to being in a bad way from a security exposure perspective.

I wonder how many Security Managers to an extent just give up and go with the flow – being careful not to upset the status quo and just believing this is how it has always been and this is how it will be…..(or at least until something really bad happens).

More than 50% of senior IT security people I speak with are not overly happy in their jobs. Most of these guys also believe that the chances of it being better elsewhere are remote. Is the industry really that low?
(Why would anyone be an IT Security Manager?)

If it is, how can we expect changes and finally get those C-level guys to start listening?

Posted in Bad Stuff, Risk Management, governance | 3 Comments »

Before I tell you the purpose of my call, can you tell me a few personal things….

Posted on December 4th, 2007 by Drazen Drazic

I’ve always had a problem with these calls….in particular when you know they are from a Call Centre. The ones I get generally go this way:

Caller: “Hello. Is this Mr Drazic?”
Me: “Yes it is”
Caller: “I’m from Company X (generally a bank or telco), and before I start, can I get your full name and date of birth?”
Me: “And what’s the purpose?”
Caller: “I can’t disclose that until you confirm your name and date of birth (plus additional information I will ask after that)”
Me: “You just called my number where I live and I confirmed it was me”
Caller: “But I need confirmation by you telling me your full name and date of birth and further questions I will ask”
Me: “Well if you tell me what it’s about, I’ll consider it”
Caller: “I cannot until I confirm who I am speaking with”
Me: “Well it’s a good chance that you are speaking with me given you called my number”
Caller: “But I need this information to discuss something with you”
Me: “Well it is me but how do I know you are from Company X?”
Caller: “I am”
Me: “Okay, can I start with your full name, address and date of birth please plus a number I can call you back on?”
Caller: “I cannot give you that information sir!”
Me: “Why not?”
Caller: “It is against policy!”

And so it goes round and round.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 5 Comments »

“State Sponsored” attacks……more out in the open but were they ever not?

Posted on December 3rd, 2007 by Drazen Drazic

This one from the Times Online openly warns businesses that they are being targeted by state sponsored attacks. (Aside: “State Sponsored”? What a dumb term). (Also covered by Howard Dahdah in Computerworld Australia).

What is it with this softly-softly response to these potential and real “attacks”? How many official responses to supposed evidence that this is occurring are being sent to the countries involved? Is it a case of governments just not being sure as to how to approach this subject? Probably.

Do we know how serious or what the implications can be? Of course we do.

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, cyber crime, news | 4 Comments »

Lessons to be learned from weak security practices…..

Posted on December 1st, 2007 by Drazen Drazic

The great case study in what can go wrong (TJX) continues, as reported in TechNewsWorld, but are lessons being learned from this? I asked this question a while ago and the answer probably has not changed.

At the recent AISA Seminar day in Sydney, PCI DSS compliance was a big talking point and a presentation from “Sense of Security” covered the state of the industry in Australia. While the IT security community talks about it though, the feeling from the major players (PCI, Banks and IT Security people) is that there is a long way to go. There is progress….but it’s slow…really slow! Australia is reported as being a leader in Asia Pacific. Gees, how bad is everyone else in the region?!

Every step forward is a battle; PCI to the Banks. Banks to their own Account Managers. Account Managers to vendors and service providers. Security Managers to the business stakeholders. Why is the loop so large? Why isn’t the link to the CEO/CFO direct? Make sense? I ranted around this topic on ITSecurityLink and put the case for quicker progress out there but as usual, we (IT security people) are a very insular community in some respects – viewed from the inside and unfortunately from the outside.

2008 is now supposed to be THE year but we said that for 2006 and 2007 in regards to PCI. Are we then taking further steps away from what the core issues are that we are trying to address? Compliance vs. Security – heading in two different directions? (A topic also covered at the AISA day by Nick Ellsmore from SIFT – best presentation of the day).

Related posts: http://beastorbuddha.com/category/pci-dss/

Posted in Bad Stuff, PCI, PCI DSS, Risk Management, cyber crime, governance | No Comments »