This from the Washington Post is some serious business. In the old days, you’d be a raving conspiracy theorist to say this was going on. Nowadays, it’s just done and reported. Double-edged sword or what? Billions of dollars? Geez... that is one big investment. How this is managed is going to be interesting to follow if we ever hear much about it again.

Posted in: WTF, governance, news

For you non-UK or non-subcontinent readers, sorry, I thought I would throw this out there. Two dynasties that will always be compared... I have thrown together what I think are the best two teams from their eras.


Posted in: Uncategorized


Michael Crawford at MIS raises some valid questions about the usefulness of the government producing yet another guide on IT security for CEOs and CIOs in his post, Critical infrastructure in the crosshairs.

A few of these things were produced in the last 18 months around various security topics, but I haven’t met one person who had actually seen them or was aware of them. I suppose by producing something like this, they can always say that they’re onto it (i.e. the protection of our critical infrastructure)! How good the focus is needs to be asked.

Taking a bit of time to reflect right now…..almost a long time that we’ve been around. Thank you to all our supporters. BorB is now the most read IT Security Blog and News Site in Asia Pacific!* (But….the majority of readers are in the US and Europe!)…….?!?!

*estimated figures based upon potentially dodgy analysis.

Posted in: Uncategorized

ComputerWorld in the US recently picked up on the ScanAlert/ story and it’s an interesting read from the marketing perspective – i.e. if we have the logo, clients may be more inclined to use our site. We covered this in some detail in a recent post.

Bottom line is that most sites are insecure the day they go live. We’re never lacking content for website security topics as shown in the category listing.

Things are getting better but there’s still a way to go. Now, 20% of organisations we meet have developers that have heard of OWASP (as a starter)... far better than 2 years ago. This is the core of the problem: pumping out web applications that are developed by teams that don’t understand security. Then, possibly, thinking about having them tested well after go-live or after funny things start to happen (like credit card fraud).

It all comes back to basic good security practice and controls throughout the SDLC... yeah, I know, I am preaching to the converted. Just funny how marketing spin can take the focus away from good security practice and controls!

Based upon my experience, the J.C. Penney problem as reported here by TechNewsWorld (and all other IT news sites) is more prevalent than some would imagine. I’ve lost track of the number of times I have seen and heard about missing storage media.

Most of the lost media does not get into the wrong hands. It just gets lost and probably gets tossed and destroyed because the finders do not have the means to read what is there. That said, it only takes one episode of someone finding the means to read it to cause big damage to the organisation that misplaced its data.


The signs look bad for Mac in 2008 in regards to security, in my opinion. As 2007 came to an end, you could see throughout the year that Mac security issues were growing in terms of mainstream reporting (though numbers did not increase that much from 2006):

The expectation is that it’s only a matter of time before Mac users start to face issues that PC users have been facing for many years. The concern is: will Mac users be ready? Are they educated enough? To be honest, most probably are not... making them a prime target.


Our old mate Morgan’s presentation is here at Patrick Gray’s Risky Business Podcast. Well worth a listen!
Here is the brief on the presentation:


ScanAlert was recently sold to McAfee, as I posted here a while ago. Good luck to them! But seriously, running a basic VA test and selling that as a full-blown website security review/solution was always a bit of BS! Marketing over actual ability, yet companies get duped! How smart is this Geeks mob to think a logo on their website and a basic VA meant they were secure?!

Check out this story about being hacked and have a look at the “Hacker Safe” logo on the site! LOL

