Enjoying this semi-holiday…..

Posted on September 28th, 2008 by Drazen Drazic

Yeah, it’s tough at the moment…Sunday night in the far north of Australia. It took me a bit longer to get up here than I thought it would (sorry Frank…had hoped to catch up with you). That long lunch on the harbour though is on the cards when I get back!

Hitting the rivers soon I hope for some fishing and croc watching.

Getting into that “4 Hour Working Week” book but I reckon I’ll probably take some on board and be realistic about the rest of it. You just get some books after the event. :)

Audioslave pumping in the background as I try to go through emails….nice….Brother-in-law has two new tatts….encourages me to get another tomorrow. Let's see how it goes when the wine wears off. Stephanie did his dragon “freehand”….not sure if I am that brave….just trace the transfer for me I reckon…

Damn interesting and worrying to watch the US situation…..saw the presidential debate (even in Townsville)….personally thought McCain looked like another idiot of the last 8 years but I heard later most pundits thought he won the debate…..am sure I was not on any drugs and while Obama was not overly impressive, he still seemed to stand head and shoulders above this other guy who used words to BS just like his mate has done for 8 years. While not our problem here, it does affect us…..good luck America!

Posted in Uncategorized | 4 Comments »

I missed the party again this year…..

Posted on September 27th, 2008 by Drazen Drazic

How was it? What did I miss at this year’s Global Security Week?

Posted in Uncategorized | No Comments »

There’s a new credit card security standard called “PCI DSS”…

Posted on September 19th, 2008 by Drazen Drazic

And, if you read what is written in Australia’s “My Business” magazine, it “demands your attention”.

Scroll down to this gem here but you’ll need the hardcopy to really get the gist of this awesomely stupid and poorly researched article. Where has “My Business” been for the last 3 years?

There is just so much in this article I could comment on, but it’s just not worth it and most people here would gain zero from anything I have to add. Worth a read for a sad laugh though!

One I will mention is that there is a table in there which I see is Visa’s (from somewhere…see later) and that’s described as; “See the handy at-a-glance table included in the article appearing in this month’s My Business for an indication of PCI DSS compliance chores in relation to the annual tally of credit card transactions”

The source is: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm

For any readers of “My Business”, please skip over this article. Talk to your acquiring bank and QSA if you need further information. I can’t understand what message they have tried to convey. They seem confused by it all. Please “My Business”…you are a source of valuable information to small business….look at some quality control on what you publish.

Posted in Bad Stuff, PCI, PCI DSS, WTF | 4 Comments »

Looking at reasons why data breach notification could fail – Risk Management Magazine story

Posted on September 17th, 2008 by Drazen Drazic

This is a topic I’ve covered quite a bit and I was asked recently to write an article for Risk Management Magazine on this topic.

http://www.riskmanagementmagazine.com.au/

You can read it online pp 14-15. I would be interested in your thoughts and comments.

Posted in Disclosure Laws, Risk Management | 4 Comments »

Crazy 7 days…just wondering if I just noticed it or whether it’s just normal….

Posted on September 15th, 2008 by Drazen Drazic

It’s a full moon as I post this….kind of feels fitting. Sometimes people criticise me when I post off-topic stuff here….Funny how the hits to Beast or Buddha seem to multiply at times when I’m not talking IT security. I wonder sometimes whether I should just head down the path of passing opinions on the funny things in life I run into instead and become a Web 2.0 dude talking it. That stuff seems to interest people in our industry more at times than a post on the latest rant about someone doing something in our industry, which outside of our industry, no one seems to give a rat's about anyway. Surprising that…. (he laughs).


Posted in Too cool, Uncategorized | 1 Comment »

Government’s Stay Smart Online program…Any Value? Anyone There?

Posted on September 12th, 2008 by Drazen Drazic

Interesting to see the output so far of the work undertaken by AusCert as part of the Stay Smart Online program. I wasn’t even aware it had started, but we’re a couple of newsletters and alerts into it, I noticed today. As discussed here previously, I have to wonder who’s using this service or even aware of it? Not sure I have changed my views on the value to the taxpayer…..easy money for some….need to get me some gigs like this!

Posted in Dumb Security, Research, WTF, cyber crime | 6 Comments »

Interesting to see how the various banks are positioned on this one.

Posted on September 12th, 2008 by Drazen Drazic

From the feeds, CookieMonster nabs user creds from secure sites. Just looking at the responses to it.

Posted in Bad Stuff, Research, Web Application Security, cyber crime | No Comments »

You just have to let some business opportunities go….

Posted on September 11th, 2008 by Drazen Drazic

Some companies need to do some homework on the people they’re hoping to go into business with. Had this mob taken some time to research Securus Global, and myself, they’d probably have realised that we’d have zero interest in working with them or promoting them to our clients.

Without mentioning names and in this case, who cares if it tarnishes the lot of them, they’re a “HackerSafe” type company that provides a “seal” for a company’s website that says it is safe from hackers (if the Nessus scan passes them).

Their website is dominated by the typical BS and testimonials that if their seal is on your website, your business will grow. All credit to anyone promoting some good practice but there’s a difference between that and false and misleading advertising. Anyway, nothing new here….we’ve been over all this many times before.

Just another tip to these guys. Your site has some pretty cool vulns in it….. :-)

Maybe you should engage Securus Global to fully test it for you.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security | No Comments »

Center for Internet Security (CIS)?!

Posted on September 10th, 2008 by Drazen Drazic

Gees, what planet have I been on? Never heard of these guys and they sound important by their title:
http://www.securityfocus.com/brief/814

Now I am worried I have missed something.

Posted in Research, WTF | 9 Comments »

The Big Galoot steps into the researcher vs. ZDNet Warz….

Posted on September 9th, 2008 by Drazen Drazic

…..and gets censored and asked to “refrain from posting”.

The famous Big Galoot has now upset my favourite lady in IT security research, Joanna Rutkowska.

Though we don’t have the details of what was said given responses to her blog are checked and censored before being posted, we understand, she’s aware of the stuff in the forum here.

We’ve defended Joanna here in the past and if the Big Galoot has overstepped the boundaries of political correctness, well all I can say is…..he probably deserves everything he gets by not being allowed to post on Joanna’s forum ever again.

Big Galoot needs a wikipedia entry I believe. Just so people can reference the man who is the “Opinion” of this industry! (Some hooks don’t even need bait….do they BG?) :-)

Posted in Uncategorized | 3 Comments »

“Surfing Safer” Website – Worth a Look

Posted on September 7th, 2008 by Drazen Drazic

A good friend in the UK has recently kicked off this site; Surfing Safer. They’re only new and expect things to grow as they spend a bit more time on it.

Their aim is to provide practical security advice about what solutions could be used both within a home environment and at work. As Information Security professionals, they’re trying to impart their expertise in security to a wider audience, and try to reduce the number of computers compromised through inadequate or non-existent security. I say all credit to anyone who puts back into the industry like this. Good luck to the team at Surfing Safer. Everyone starts somewhere and it looks better now than many others I have seen, including most government sites.

I am sure the guys are open to feedback and suggestions so let them know what you think.

Posted in Risk Management, Too cool, Vulnerability Management, Web Application Security, cyber crime, news | 1 Comment »

Let's kill some IT dudes…….

Posted on September 5th, 2008 by Drazen Drazic

This article in CW reminded me of a story in Hong Kong many years ago during an audit we did.

Looking at the Data Center controls for a large multinational….in the event of a fire/emergency/disaster, the Data Center doors would lock immediately……Anyone in there, would not be able to get out! Seriously!

We had to explain to the CEO that more than likely, IT staff were going to be in there at any point in time. Once the gas (very toxic) started, you would be killing your staff.

Response: “Oh…You think we should change that?”

Well in Australia we would have…….I hope…….

Haven’t been back since….I hope it has changed. Really I do!

Posted in Bad Stuff, Dumb Security, WTF | 2 Comments »

Securus Global Update

Posted on September 5th, 2008 by Drazen Drazic

Well it’s been a while since I talked about Securus Global. I thought I would take a bit of time to post an update on what we’ve been up to.

Aside from the usual consulting work which has seen us have our biggest year to date – big thank you to all of our clients, we’ve continued on with the projects that we believe deliver the indirect benefits to our clients, help promote the industry in general and try to build awareness of Information Security.

- We’re about to start our Breakfast Brief sessions again. We’re planning the topics for the first few events at the moment, and hoping to fit in 3 sessions in Sydney and a couple in Melbourne (if possible) before the year ends….and depending upon demand, possibly elsewhere. In addition, this will kickstart again the Qualys User Group meetings that will take place after the presentations. I know many of you have been keen for this to restart. If you want to be added to the Qualys User Group mailing list, let me know through the contact form here.

Read on…..


Posted in news | 6 Comments »

More Nth Queensland – Town Water (Not IT related…again)

Posted on September 3rd, 2008 by Drazen Drazic

The in-laws live on a large property just outside of Townsville in a place called Alligator Creek. (Aside: no idea why it’s called Alligator Creek given we only have crocs……strangely, there’s about 4 Alligator Creeks in Queensland…..Queenslanders for you).

They recently moved over to “town water” at a pretty significant cost to the locals.

Local council dude comes out to finish off the connections and then spends the rest of his time putting stickers and signs on all “old” taps connected to the existing tanks and bores:

“Rain Water or Bore Water – Not Fit for Human Consumption”

Father-in-law turns to him……as he would; “We’ve been drinking this stuff for 20 years and now because you bastards have decided to let us pay for the privilege of having town water, the stuff we had is no longer safe?!”

You have to ask; WTF? :-)

Posted in Too cool, WTF | No Comments »

The “Cloud” is taking us backwards! Please punch anyone who uses that term to you in the face! They deserve it!

Posted on September 1st, 2008 by Drazen Drazic

The “cloud”!! The thing we knew as the Internet on many a whiteboard for so many years…..that thing we all decided to know little about, (okay, at least layers 1-2), because it was magic!!!!

WE HAVE LEARNED OUR LESSONS NOW YOU DUMB PRODUCT VENDORS!!!! We don’t need another cloud…..we’re smarter than that now! WE KNOW YOU USE THAT TERM TO HIDE THE FACT THAT YOU HAVE NO IDEA AND WANT TO “CLOUD” THAT FACT IN A BLOODY CLOUD!!!

Can you seriously believe, that we believe that by “hiding” the “difficult” things, you make us think you know what you are doing and keeping us secure?! You’ve lost the plot….not that most ever had it, so to regain face (ie; keep revenue growth on path), let's hide sh*t in a “cloud” to cover up our inadequacies.

So, I am starting an anti-cloud movement and I ask you all that anytime you hear and see a sales rep talking about “clouds”, you ask the question; “what happens when many clouds come together….do we have a storm? and what does that mean to my investment with your company?…will I get my money back if I cop a category 5?”….. Please share your stories here!

BG did a post in the forums about this today:

http://beastorbuddha.com/forums/index.php?action=vthread&forum=1&topic=108

I had to comment. Some of the people’s thoughts are priceless….I also need to rethink the software I use for this blog :-)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF | 28 Comments »

Getting the news on what’s happening…slow death of current mainstream news media?

Posted on September 1st, 2008 by Drazen Drazic

Nothing new here. We’ve all seen the progression from IT “news” sites to bloggers for the latest, more up to date and investigative journalism news in our field of information security. The smart “mainstream” publications have recruited their own industry specialists to write for them – not trained journalists.

It’s interesting after studying e-business (and continuing to) and how things that were predicted many years ago are happening now. (ie; convergence of media, marketing etc etc). It all seems to follow the trend of predictions being made, people assessing those predictions, many critics….”hey, it won’t happen for a long time for these reasons or never at all……” and then, almost in the blink of an eye, it happens and people go; “WTF?!” …. okay…you’ve come this far, read on….


Posted in Bad Stuff, Research, WTF, news | 9 Comments »