Another consortium formed to “enhance global IT security”…

Posted on June 28th, 2008 by Drazen Drazic

Is this a reaction to the monkeynet project? You have to wonder.

We had SAFECode announced last year and now comes ICASI (Industry Consortium for Advancement of Security on the Internet). Release:
http://www.icasi.org/articles/art_001.htm

How they’re going to “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium! :-)

Recent update on SAFECode.

Posted in Dumb Security, Research, Risk Management, WTF | 7 Comments »

A look at Australian Telecoms……

Posted on June 28th, 2008 by Drazen Drazic

Enjoyed this post at Wade’s on “How the Australian Carriers Missed it”.

Posted in Bad Stuff, Research, Too cool | 1 Comment »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

Posted on June 26th, 2008 by Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

E.g.: insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), like myself, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket – ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).


Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

PCI DSS 6.6 – Getting on the comment bandwagon……

Posted on June 24th, 2008 by Drazen Drazic

This one’s had quite a bit of press time, and discussion around the blogs recently – more so as the deadline has approached. In Australia, it’s been relatively quiet in comparison to the US though. I think the fact that compliance across the board here is a way behind the US has a lot to do with that, with many organisations here still either unaware of their responsibilities or far off from being compliant.

Is all the publicity and debate around PCI DSS requirement 6.6 a bit of a storm in a teacup? I think so. I’ll put the case forward also that if you are compliant with the PCI DSS now, the new requirement 6.6 is superfluous:


Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security | 8 Comments »

Trend Micro attacks the bad guys on their own turf….

Posted on June 22nd, 2008 by Drazen Drazic

Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and me.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password”

We await more information on this. Amazed this has not made headline news in the IT media! :-)

Related post.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, news | 4 Comments »

Information Security Certifications……

Posted on June 22nd, 2008 by Drazen Drazic

At Securus Global (blatant marketing plug for all readers should you need our services), when I hire specialists to join the team, “certifications” to me, mean zip…nothing….zero! We get CVs all the time and we are in a proud and lucky position based upon our reputation that people want to work at SG! I feel honoured by that and every CV sent to us, makes me feel like SG, as an organisation, is somewhere, where real industry passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).


Posted in Bad Stuff, Disclosure Laws, Research, WTF | 4 Comments »

I missed the National E-Security Awareness Week…..

Posted on June 21st, 2008 by Drazen Drazic

Why didn’t someone remind me! Was it good?
http://www.staysmartonline.gov.au/latest_news

I also missed the Over the Horizon forum, but it was for experts…..but I don’t know any experts who attended. Feeling very unloved at the moment. :-) (Thanks Nick for this link)

Posted in Risk Management | 4 Comments »

No care factor on liability and no pressure to change……

Posted on June 14th, 2008 by Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPERCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

IT Media – Cutting Edge Reporting

Posted on June 12th, 2008 by Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ‘stories’ need to be highlighted for what they really are – paid advertising.

This time, it’s our old friend at Symantec – schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ‘story’, you ask?


Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

The Common Configuration Scoring System – NIST Draft

Posted on June 12th, 2008 by Drazen Drazic

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml perhaps.


Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime | No Comments »

39% of Australians Victims of Cyber Crime?

Posted on June 10th, 2008 by Drazen Drazic

Another survey and some more frightening statistics as reported in CW and affiliated sites. Luckily the company that undertook the survey has the solution; “Protection against all Internet threats“. (Hey, their words, not mine!)

Does anyone have a link to the survey? 39% sounds pretty high but I have no context from the articles.

Secondly, AVG seems to have joined Symantec with the magic solution. Amazing that we allow companies to get away with such advertising! Related post on misleading and false advertising.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, news | 5 Comments »

The monkeynet project kicks off…..

Posted on June 6th, 2008 by Drazen Drazic

Speculation has been rife and the rumour mill going crazy but I can announce that the monkeynet project has now kicked off. Visit and explore the site for more information and to stay abreast of the latest news on the monkeynet project. (Find the secret area with information on the “secret” projects). Join the initiative and become part of the monkeynet project.

Background:


Posted in Research, news | 8 Comments »

Stay Smart Online – Latest Australian Government Initiative…

Posted on June 6th, 2008 by Drazen Drazic

I wonder what the old teams and program developers at NOIE/AGIMO etc. think about the latest re-branding of the government’s effort to demonstrate care about individuals’ and businesses’ use of IT. (As reported here). I remember the old NOIE site. It was pretty good; rich, full of information and a great source of help and knowledge. It was a shame relatively very few people were aware of it.

The latest incarnation with a few added “features” comes at a cost of $1.2M (just on the contract alone to AusCERT as reported by the Australian Newspaper). Will be interesting to see how it all goes…….

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 8 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

Posted on June 4th, 2008 by Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, Too cool, Vulnerability Management, Web Application Security, cyber crime | 10 Comments »

Data Classification – Effective? Has it ever been or really worked?

Posted on June 2nd, 2008 by Drazen Drazic

I was talking to a colleague the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on. :-)

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.


Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management | 11 Comments »

Cringe….you’re not using that “Twitter” thing are you?

Posted on June 2nd, 2008 by Drazen Drazic

It’s either that response or something along the lines of; “What the hell is that all about?”, “I don’t understand it!”, “Looks like crap!”. I was of the same opinions when Wade introduced me to it a while ago. (Per chance, Wade’s latest post is on that exact topic). I signed up out of curiosity and followed what was going on.


Posted in Uncategorized | 3 Comments »