Is Apple reversing “bad boy” role with MS?

Posted on March 31st, 2008 by Drazen Drazic

Gees….the Mac OSX boys are copping a bit of a flogging on the Net now…..It’s like payback time! But is that fair?

It’s no surprise and you didn’t need to be old Nostradamus to predict it was going to happen. (Even I did!). But the big heroes are now talking up what we all knew was the bleeding obvious! It was just a matter of time. Still, to be fair to Apple (and I use a Mac – 2 in total in the office; all else….yeah, variations of Linux as primary machines for the guys and one failed 6 month Vista “experiment” which became Linux), they are not supported by a bunch of vendors helping to support their security! Okay, it’s only a matter of time…I know….but seeing something today on a test machine (Windows)….after many years…..scared me big time. I saw the Norton Antivirus screen!

Posted in Bad Stuff, Dumb Security, MAC Security | 5 Comments »

Some good IPv6 links….

Posted on March 31st, 2008 by Drazen Drazic

These are well worth a look. From Ockham’s Razor:
http://bsdosx.blogspot.com/2008/03/ipv6-trix.html

Posted in Research, news | 1 Comment »

Auditing for security – not just for compliance

Posted on March 31st, 2008 by Drazen Drazic

It used to be a standout and bold new statement; “Compliance vs. Security – one goes one way and the other goes the other way and rarely the two meet – as they should!” People would think about it and go; “Yeah….wow…that is so true now that I think about it!”. How times change and this has now almost become accepted as fact?!

PCI DSS compliance is somewhat heading down this path. I am hesitant to say it is totally but the indications are not good. Given recent news about Hannaford and ongoing news about TJX and other breaches plus things we see in the industry ourselves, I thought it might be good to re-hash this one:

http://beastorbuddha.com/2007/09/05/pci-choosing-your-auditors-carefullypart-ii/

Posted in Bad Stuff, PCI, PCI DSS, Risk Management, cyber crime | No Comments »

Big Galoot Diatribe – Superheroes and independence of expert witnesses

Posted on March 28th, 2008 by Drazen Drazic

The rantings of Craig Chapman, IT Security Legend and good bloke.

I’ve previously drivelled-on about the time I was approached at a conference by a couple of computer forensic ‘experts’ from a global IT co.

If you believed their story, these guys were IT super-heroes. The only things missing from this pair of turkeys was their red capes, masks and tight fitting, lycra underpants (although I strongly suspect these were being worn under their tailored suits).

Posted in Big Galoot Diatribe, Forensics, Industry Specialists Talk, cyber crime | No Comments »

The realities of real forensic investigations in IT….Dec on Risky Business

Posted on March 27th, 2008 by Drazen Drazic

This is a topic that is going to be covered again tomorrow in a post by BG. What can IT Security specialists actually really do when investigating an “incident”? Too many kid themselves that they can provide the client with the full service. As good as I think Securus Global is, I would never promote that we can do this properly ourselves without specialist guidance and advice from legals and police type people. Too many heroes out there think they can and that is dangerous. There’s a difference between an investigation and an “investigation” that would be used for a legal case.

Risky Business talks to Declan Ingram from Securus Global on this topic:
http://www.itradio.com.au/security/?p=64

Posted in Dumb Security, Forensics, cyber crime | 4 Comments »

On the panic bandwagon?…..

Posted on March 26th, 2008 by Drazen Drazic

The recent St. George Bank story shows how something can grow and become a bit blown out of proportion relative to the originally reported story. Some of the responses to the story on the News site demonstrate the lack of understanding some people have, which drives fear in the community about doing business on the Net. Is this one a storm in a teacup? (I know I am critical at times about things we see, but on the flipside, sometimes perspective is tainted by underlying fears that have no direct correlation to the topic at hand).

Posted in Disclosure Laws, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Australian Information Security Association (AISA) – Consider Joining

Posted on March 26th, 2008 by Drazen Drazic

If you are not aware of the Australian Information Security Association (AISA), please do consider joining. (AISA is a non-profit volunteer run organisation aligned to no vendors).

Becoming a member makes you part of Australia’s largest association of Information Security professionals. Membership gives you: monthly meetings/presentations (from industry specialists and peers), interest group participation, member forums, social events, enormous networking opportunities in person and online, the opportunity to participate in industry strategy, monthly newsletters and other updates, plus other side benefits such as discounts and/or free entry to industry events and conferences. More Information.

The annual membership fee is only $50 at present and for all members who join before June 30, 2008, your membership will be valid until June 30, 2009! If you have any questions, contact AISA or myself. To join, you can do this online.

I am posting this as part of the AISA National organising committee.

Posted in news | 1 Comment »

IT Security Bloggers and Twits Directory

Posted on March 24th, 2008 by Drazen Drazic

I like Jennifer Leggio’s idea so much, I thought it might be a good one to explore here in Australia/NZ/Asia Pacific. (Thanks to Wade for the original link and cmlh for his support). (Possibly then pass on bulk updates to Jennifer if she’s keen).

So, either respond here, on the forum post, via the contact page or by direct email if you want to be added to the list. We’ll link the directory from the main page and hopefully build more of a community around the blogging dudes here in our region and regular BorB readers.

Posted in news | No Comments »

Anchored in time and tech?

Posted on March 20th, 2008 by Drazen Drazic

New Columnist: Donal O Duibhir

Why do we beat our heads against brick walls? Is it a form of mass masochism in Information Technology? Who built the walls? Who architected the building, and did they realise the building was supposed to travel in time like Doctor Who’s tardis while repelling alien invaders? …all the while the owners, masters and operators changing every so often without leaving enough intellectual property in the form of documentation or related artefacts… Why is this?

Posted in Industry Specialists Talk, Uncategorized | 7 Comments »

Times change but salesmen never do…..

Posted on March 18th, 2008 by Drazen Drazic

Will we, in 10, 20, 30 or 100 years’ time, look back at what some of the big vendors throw at us now and compare it directly to the old snake oil days? (Thanks SFB in the forum). (Take anything in the link as you would with anything on the net and check the sources yourself….my point being the sales techniques…)

Posted in Bad Stuff, Dumb Security, WTF | 2 Comments »

Oops….another big one…..

Posted on March 18th, 2008 by Drazen Drazic

Everyone is reporting it now but here’s one feature from the SMH. You gotta love the spin put on the announcement:

http://www.hannaford.com/Contents/News_Events/News/News.shtml

Somehow they make the following sound like it’s not too bad at all! Good luck guys:

Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 11 Comments »

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

Posted on March 17th, 2008 by Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into thinking about their IT security practices (eg; through the likes of PCI DSS) more.

Good businesses that have been around for 10-20+ years are now moving almost everything on-line…..(fair enough, business opportunities need to be taken and competitive moves must be made), but gees, many do it so wrong and put a successful bricks and mortar business at enormous risk.

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments »

Kicked off the Forum…..

Posted on March 14th, 2008 by Drazen Drazic

Click on the link above in the menu or here. Just for a bit of fun.

Posted in news | No Comments »

Industry CEOs thoughts on things….a chat with Rob and Nick

Posted on March 13th, 2008 by Drazen Drazic

Nick Ellsmore and Rob McAdam are guys you would term competitors (to Securus Global), and competitors in all they do. As CEOs of SIFT and Pure Hacking respectively, they have a good insight into the IT Security industry in Australia. I thought it would be good to get Nick and Rob onto Beast or Buddha for a chat. (You can’t accuse me of using BorB as purely a marketing tool for SG).

Posted in Industry Specialists Talk | No Comments »

Off-Topic but it’s a message from God so BorB needs to pass this on….

Posted on March 12th, 2008 by Drazen Drazic

The Vatican has updated what is bad:
http://www.timesonline.co.uk/tol/comment/faith/article3517050.ece

How stuff like this is not front page news amazes me!

About 6 months ago, what should have been front page news world wide, was but a small column on about page 15 in the Sunday paper here in Australia. Limbo is gone….after about 1700 years!
http://en.wikinews.org/wiki/Vatican_abolishes_Limbo

WTF!?!?

Now to work on that devil character and that place called hell that was also invented…….

…………..okay back to exciting IT security topics……..

Posted in WTF | 1 Comment »

Cyber Storm II – Valuable or a waste of time?

Posted on March 10th, 2008 by Drazen Drazic

Cyber Storm II was launched recently. Darren Pauli covers it here in ComputerWorld.

Did we learn much from the last one? I’m not close enough to anyone involved so I can’t really say. On the face of it, who’s doing what and how, to come to a conclusion that it will add value? That would be interesting to know.

I know there’s a heap of companies I’d rather have testing security than the ones mentioned but maybe I’m over-complicating things by suggesting some really bad-arsed hacker dudes get a shot at this. It is termed an “international hacking exercise” in the article though.

Bill Hutchinson, Edith Cowan University’s IBM professor of Computer and Information Security, raises some good points.

Posted in Dumb Security, Research, Vulnerability Management, cyber crime | 15 Comments »

AISA “In the Hotseat” – Interview with Patrick Gray

Posted on March 6th, 2008 by Drazen Drazic

The following is an interview I did with Patrick Gray that was published in the recent AISA (Australian Information Security Association) March Newsletter. It will be available under “News” at www.aisa.org.au. As he is a friend of BorB, and we are fans of his work as one of the few journos who really understand our industry, I thought people would like to see a view on things from the other side. I really enjoyed doing this, but also seeing a refreshing view from the media that differs greatly from the majority of rubbish we are fed daily. The rest is the published interview:

Posted in Industry Specialists Talk | 3 Comments »

Metl getting some major press…I hear the groupies are flocking in also now…

Posted on March 5th, 2008 by Drazen Drazic

Adam Boileau, our old colleague, is getting some serious traffic for this now, 18 months down the track. Why freeze some RAM?

ComputerWorld

Sydney Morning Herald

Gees, even Slashdot! :-)

I hear even some guitar mags may be picking this up also now based upon the pic in The Age and The Sydney Morning Herald. Onya Metl!

Additions: I just fixed the SMH link with the photo. Also, it was interesting to talk with Patrick Gray today about this:
“Hi Draz — your readers might want to hear the Risky Business interview I did with Metl about this whole thing. The Sydney Morning Herald actually picked up this story from the podcast and linked back to it… no one else bothered. Que sera, what can you do?”
That’s a bit slack not passing the credit back to where it’s due. Anyway, here is the original source from Pat: Risky Business #52.

Posted in Forensics, Research, Too cool, news | 3 Comments »

Not too dissimilar to security consulting jobs being negotiated….

Posted on March 4th, 2008 by Drazen Drazic

Click here if the video is not working:
http://www.youtube.com/watch?v=SRuCzIO2wb0

Posted in Bad Stuff, Too cool | 4 Comments »

How tough will the Payment Card Industry and Acquiring Banks be on continued non-compliance with the PCI DSS?

Posted on March 3rd, 2008 by Drazen Drazic

In 2008, PCI DSS finally seems to have some good traction (in Australia and New Zealand at least). Most organisations that should be compliant are now aware of the requirements imposed upon them – many still though are at the early stages. Compliance levels in terms of percentage of compliant organisations are still low from what we see but progress is being made – albeit slowly.

But, there are some organisations who are not budging and have decided that they will not be doing it. They have stated they see no business value in it, with costs of compliance not being worth their investment. As a rule, these organisations have been large companies who believe their value to the acquiring bank gives them the right to say no. (Under threat of taking business elsewhere should the bank push the point).

Posted in PCI, PCI DSS, governance | 6 Comments »