They should be using Symantec….

April 30th, 2008 Drazen Drazic

Nice timing with the little muscle man picture. Hacker Safe not safe again. You’d think they’d learn but no…..

Everyone as we know should be using Symantec. They have the guarantee against “unknown and zero-day threats” as documented here.

Give us a flex dude!

Posted in Bad Stuff, Dumb Security, WTF | No Comments »

My update with the PCI Security Standards Council….

April 30th, 2008 Drazen Drazic

The following is an enormous bitch about the PCI Security Standards Council. If you are sick of hearing about PCI DSS or reading about it from me, hit the “back” key now.

Securus Global/DD is industry-focused, so if this means I lose business because I piss off the PCI SSC, so be it! They’ve already cost me business because of how they operate. Before I rant, let me start with this from a couple of weeks ago; my last rant about them. Interesting responses! I also thought it was finally getting better at the end. Little did I know…….

Now for the latest in Fawlty Towers operations:

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS | 6 Comments »

Google Ads Lie?!

April 29th, 2008 Drazen Drazic

Just wrote about this on ITSecuritylink.

Posted in Bad Stuff, WTF | No Comments »

Securus Global Update

April 29th, 2008 Drazen Drazic

We’ve just released the updated Securus Global website:
www.securusglobal.com

Since we changed our name from Security-Assessment.com Australia/Asia Pacific to Securus Global, the response from our clients and the industry has been fantastic. Thank you to everyone.

We’ve tried to make the new site different and hopefully one that provides you with more than just our service offerings. The information in the side-bars will continue to evolve and provide further industry information and help to businesses. Stay tuned to the site and hopefully consider Securus Global if there’s ever anything you need assistance with.

Drazen Drazic
Securus Global

Posted in news | No Comments »

LOL - Chaser Team gets off.

April 28th, 2008 Drazen Drazic

No surprise the Chaser dudes got off.

Previous post on this and full clip. This was a classic!

Posted in Bad Stuff, Dumb Security, To cool, WTF | 1 Comment »

Logs - A double-edged sword? Beating PCI Fines by bad security practices?

April 23rd, 2008 Drazen Drazic

By Declan Ingram

PCI clearly states in requirement 10: “Track and monitor all access to network resources and cardholder data”. And rightly so. It goes on to say “Determining the cause of a compromise is very difficult without system activity logs.”

It certainly is. In fact, for nearly all attacks where card data is at stake, it can border on impossible. Enterprise log management is hard. It is expensive, and there are few organisations that do it well. Not only that, but the organisations that do it well are also much more likely to have a much higher general state of security - meaning that (all things being equal) they are less likely to suffer a breach in the first place.

Read the rest of this entry »

Posted in Industry Specialists Talk, PCI, PCI DSS, cyber crime | 7 Comments »

If you’re in the business of providing IT services to customers, ignorance of good security is negligence!

April 22nd, 2008 Drazen Drazic

Talking today to a very successful business that came from the bricks and mortar ranks a few years back and now does 90%+ of its business online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made me angry about so many “IT” businesses who supply “IT” services to these types of businesses.

Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they really do rely on, depend on and trust people in our profession to do the right thing by them….and they don’t!

What blows me away is:

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Web Application Security, cyber crime | 6 Comments »

“Big Kevin”…just doesn’t have the same ring to it but…

April 18th, 2008 Drazen Drazic

Darren Pauli puts it out there at CW with his new Vent IT section (good stuff Darren!):

You can see if you squint really hard what they are trying to do but gees, it seems like they [the government] are swinging a bat in a dark room hoping to connect with the “target” - not that they really know what the target is. In the meantime, connecting with everything else in the room, doing some big damage and creating a mess. Bad analogy?

Somewhat related:
http://beastorbuddha.com/2008/03/01/stuff-like-this-scares-me/

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, governance | No Comments »

Clouding Log Analysis - Anything New worth a Look?

April 17th, 2008 Drazen Drazic

“The cloud…..so pretty!”….thanks Wade for pointing me to this one at loglogic. This opened up a bit of discussion between a group of us on this “security in the cloud” business. Thought some of the comments would be worth putting together.

Some of my thoughts were previously covered here also. Anyway, the following are some of our ramblings. Feel free to add your comments.

Read the rest of this entry »

Posted in Firewalls, Forensics, IDS, IPS, Research, Risk Management, Vulnerability Management | No Comments »

Security People vs. Security Vendors

April 15th, 2008 Drazen Drazic

Maybe I should be nicer and say Security People vs. Security Vendor Sales guys. Two different worlds as we’ve talked about before and as we had a laugh about here with the Symantec Guarantee.

Security product sales guys can be dangerous to an organisation that takes on trust that these products are going to be their security salvation. Remember this one? Happy to send the press release out but when actually questioned by Michael Crawford……no response! I got a nice wrap for this from Marcus Ranum and the boys at SANS at the time.

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Web Application Security | 4 Comments »

Further on the MS End to End Trust…..

April 12th, 2008 Drazen Drazic

Our friend Donal posts his thoughts in some detail at Ockham’s Razor. As with most of D’s stuff, well worth clicking the link!

Posted in Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | No Comments »

“End to End Trust” - funky name for what?

April 11th, 2008 Drazen Drazic

It will be interesting to follow the response to this on the net:

http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx

Posted in Research, Risk Management, cyber crime | 3 Comments »

To be Bruce S……..

April 10th, 2008 Drazen Drazic

He can post absolute rubbish and his congregation will always be there for him with comments/responses… (that he never responds to…but they don’t care).
http://www.schneier.com/blog/archives/2008/04/tracking_vehicl.html

Hey, don’t get me wrong, I love a lot of BS’s stuff and his feed is on DSN but seriously…FFS….surely sometimes he’s just taking the piss and seeing how many “followers” take it seriously.

I’ll probably go to infosec hell for this.

Posted in Dumb Security, WTF | 10 Comments »

We’re too important to bother with PCI DSS compliance…we make the banks too much money!

April 8th, 2008 Drazen Drazic

I now need more than 2 hands to count the number of times an organisation has told me that they make too much money for the banks to have PCI DSS compliance forced upon them. It doesn’t matter what you say or what case studies you provide (e.g. TJX and the millions it has cost them), it just does not hit home. They believe their size means they don’t have to play by the rules. As covered previously here.

Maybe it’s an Australian thing and they’re just not aware of what is happening elsewhere in the world. You never wish bad upon someone, but you sometimes do think; “yeah….why don’t you just keep testing your theory….let’s see how nice the bank and PCI will be if/when something happens”. (Does that make me a bad person?) :-)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, cyber crime | 3 Comments »

Daily Security News Changes

April 8th, 2008 Drazen Drazic

We’re expanding the coverage of DSN and also now categorising (as best we can) all the latest IT Security news feeds from around the world. You can still in one view read everything, or just view the category that interests you. In the next couple of weeks, our research team will work to expand some of the categories such as “Security Theory”. As usual, your comments, criticisms and ideas are most welcome.

Posted in news | No Comments »

Secure Security Appliances? - Making Assumptions can be Risky.

April 7th, 2008 Drazen Drazic

I wonder how many organisations question their “security appliance” vendors about the actual security of the security appliances themselves, i.e. what testing is done, how often, patch release testing, security in their own SDLC etc. From experience, we see most organisations make the assumption that since this is a “security” appliance, it must be secure.

Making the assumption that these systems are secure, and thereby not including them in security tests and reviews as part of the organisation’s security assurance program, can potentially open up an organisation to security compromises.

We work with security appliance vendors and do testing for them on their systems. These guys we trust because we know they care and are committed to providing secure systems to their clients.

Are they all doing that? We know that these systems are just as open to vulnerabilities as anything else in the corporate IT environment. Don’t assume your security appliance is secure. Ask questions and include these systems in your testing programs.

Posted in Research, Risk Management, Vulnerability Management | 4 Comments »

PCI Security Standards Council….Good Job….?

April 6th, 2008 Drazen Drazic

The following is my bitch about the PCI Security Standards Council.

“Hey..WTF?”, you may say, “Draz, you have been a huge supporter of PCI DSS for a long time!…We always see you in the press being quoted on the positives of PCI DSS and we read stuff in Beast or Buddha all the time about your positive thoughts on it!”…..Yeah, I have been, but my patience/interest with the “governing” body is in some serious problems! Where do I start…no particular order:

Read the rest of this entry »

Posted in PCI, PCI DSS, WTF | 10 Comments »

How cool would it be if Gordon Ramsay was an infosec consultant?

April 3rd, 2008 Drazen Drazic

Each week he visits another company and sorts out their problems in his own unique way. I could imagine a talk with many CIOs going along the lines of:

“Oh ^%$ me….what the &*$# are you actually %*&*ing doing here? Okay, show me what you actually @%$ing know about *&^%ing security!?…..if your customers actually &*$^ing knew what the $*&$ you $*&$ing do and don’t *&$#ing do, you’d make them *&^$ing ill. And who’s this #&^$ing guy you have looking after $&##ing security. Why don’t you *(#$ing listen to him?!…… oh *&#$ me!”

Blunt or beating around the bush…..what works best? I would watch this show. :-)

Posted in Ford Falcon | 4 Comments »

SAFEcode - where are we at..a load of BS?!

April 2nd, 2008 Drazen Drazic

I have the barrel and the fish are in it and I am about to shoot…..Yes, we predicted this. So what is new? Okay…here’s a few free hits to the site to make them feel good: http://www.safecode.org/ and members: http://www.safecode.org/members.php

The biggest news is that Nokia has joined. The “Best Practice” papers should not be printed..save the environment, or at least if you have to, let your kindergarten kid scribble on the back of the page after you have discarded the rubbish as useless! So this is what our industry is doing? So this is what shareholders of these companies are investing in?

WTF are the CEOs of these companies thinking, doing and agreeing to????

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime | 1 Comment »

For a laugh….okay April 1….

April 2nd, 2008 Drazen Drazic

Okay, some have seen this:
http://www.scanlesspci.com/

Yes, ScanAlert has copped it recently and rightly so! But I do take offence to my mates at Qualys being mentioned! You can’t compare a WRX to a Ferrari! The dude is funny but if all my clients ran Qualysguard at least weekly, I would be feeling like they are some way there to being more secure than 99% of companies we see! For a small investment, it’s a big step in their security! A start at least!

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security | No Comments »