iiNet has a battle, Conroy off again and the whole scene is a mess.

Posted on March 31st, 2009 by Drazen Drazic

In what reeks of payback (after iiNet pulled out of the Internet censorship trial being run by Conroy), Conroy calls iiNet’s defence in the case brought against the company by the Australian Federation Against Copyright Theft something “that belongs in a Yes Minister episode”. I tell you what Senator, if that is the case, you yourself have been sucked right out of the TV show and into our lives – so you should know!

I’ve discussed this case a number of times here. What irks me most of all is that they’ve gone after the easier target and the rest of the industry is just sitting back and leaving it to iiNet to defend on their own. That decision may haunt the other ISPs after a precedent is set (if it goes against iiNet). Short-sighted thinking!

Looking forward to seeing what decision is made on the National Broadband Network. Going on recent history, this should be interesting.


Posted in Bad Stuff, Dumb Security, Internet Filtering, WTF | 3 Comments »

The Placebo Effect….

Posted on March 27th, 2009 by Drazen Drazic

Another security appliance and we’re even more secure – everyone’s happy. Who’s measuring the effect, impacts, any benefits etc. and how are they doing it? No, please don’t answer that one. Everyone has an opinion and more than likely, whatever you deem as the best way is more than likely not being followed anyway… so let’s just leave it and assume the thing is working as the vendor said it would.

Thanks David Reyne for this gem. You legend you:
http://www.abc.net.au/mediawatch/transcripts/s1607394.htm

Swapping David for a well-read CIO. Oh, don’t bag the CIOs again. It’s not their fault. It’s just easier if you just believe all you are told and it’s another project ticked off.


Posted in Bad Stuff, Dumb Security, WTF | 2 Comments »

Workarounds, accepted mediocrity and questionable future benefits/improvements….

Posted on March 22nd, 2009 by Drazen Drazic

Setting the scene with recent, somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Geez, not bad for a Sunday. Do infosec dudes ever switch off and have a break?) To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write.) For the latter, I probably was/am, but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to the top right corner of the home page for the disclaimer.)

So getting to the point of this (…finally, you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched into our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and, most importantly, the steps to make valuable and significant steps to improve IT, business, home and society in general. Read on:


Posted in Applications, Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Internet Filtering, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Not the first time rumours have been around lately re: PCI DSS demise….

Posted on March 22nd, 2009 by Drazen Drazic

http://www.securecomputing.net.au/News/140461,visa-risk-chief-reports-of-pcis-death-exaggerated.aspx

We hope any rumours are just that. Anything being announced later this week?

Interesting reference to Heartland being the “exception”. Reality? Hmm…

Posted in PCI, PCI DSS | No Comments »

WAFs, WAFs, WAFs…

Posted on March 22nd, 2009 by Drazen Drazic

So far so little but a lot of hype! Some plug them big time, but let’s be real, do they cut it to a level worth the hype?

Realities are they don’t work at present to a level that warrants the hype.

Accepting small benefits versus the additional risks they introduce is a concern. If your WAF is an “appliance”… potentially good night! 0day already… didn’t your vendor/consultant warn you about these? Am I being paranoid about this?

It’s another AV? No, not that good yet. If anyone tells you otherwise, let me know. :)

Posted in Uncategorized | 3 Comments »

“Six ways you can bork PCI”

Posted on March 21st, 2009 by Drazen Drazic

From Risky.Biz, Dec’s article on PCI: Six ways you can bork PCI

Makes a load of sense to me, but then we’ve been talking about this for a long time.

Posted in PCI, PCI DSS | No Comments »

Random Things – Busy Few Weeks

Posted on March 20th, 2009 by Drazen Drazic

- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound for pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but every time I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah… probably not much. :)

Posted in Dumb Security, Internet Filtering, PCI, PCI DSS, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, news | No Comments »

Cyber Security at the Crossroads

Posted on March 12th, 2009 by Drazen Drazic

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked off a series of posts titled “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies – present and past – is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

Posted in Applications, Bad Developers, Industry Specialists Talk, Research, Web Application Security, cyber crime | 1 Comment »

Miracle at Securus Global

Posted on March 11th, 2009 by Drazen Drazic

Declan had a clean t-shirt in the morning but by 10am, the image of Fatemah had appeared on it. Freaky! (Top right)

Related to this? Hmmm…
Please, no pilgrims to the Securus Global offices until we get this looked at by qualified experts (eBay).

Posted in Ford Falcon, Too cool, WTF, news | 7 Comments »

Random thoughts….Is it just me?

Posted on March 10th, 2009 by Drazen Drazic

- Centralised password management tool here. Vuln-free delusions – it would be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp. 14-15 in the September 2008 edition. (May have to sign in now to read it.)

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20-odd K if we decide to become an ASV again as well. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money-making grabs on their part. The danger for all is that if the big guys eventually are the only ones who can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker, so who wins? Do I battle these guys again or just suck it up? No appetite at present for another battle with them. Read on:


Posted in Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, PCI, PCI DSS, Research, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime, news | No Comments »

On my list……

Posted on March 9th, 2009 by Drazen Drazic

Anton tells me he will be mind-blowingly awesome here, so I have no choice but to listen in to this one: :)
——————————————————————————–

PCI Myths: Common Mistakes and Misconceptions About PCI
Presented by Anton Chuvakin and Terry Ramos of Qualys.
Date: Thursday, March 19, 2009
Time: 2:00PM EST/11:00AM PST
Register here.

——————————————————————————–

Unethical Hacking – by Immunity
June 22-26, 2009
Duration: Five 8-hour class days
Location: Canberra, Australia
For more details about the class, please click here.
——————————————————————————–

Yes (open disclosure), both companies have business relationships with Securus Global.

Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security, news | 3 Comments »

Not Patching Oracle – Risky Business

Posted on March 5th, 2009 by Drazen Drazic

Patrick Gray interviews Securus Global’s Declan Ingram on Risky Business 98. Make sure you listen to the end of the podcast. :)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, Securus Global, Vulnerability Management, Web Application Security, news | 3 Comments »

Surveys, Statistics, Hearsay, Breach Disclosures….Painting an Accurate Picture?

Posted on March 2nd, 2009 by Drazen Drazic

No. Not even close. I’ve posted before about the limitations of the surveys etc. we’re fed almost daily, but add the rest I’ve included in the title, and you’re still not close to the reality of badly developed and insecure software. Some things you just cannot blog about for various reasons. (Makes some blogs probably less interesting… hmm… yeah… I know.) Not hard to work out what I am talking about – client confidentiality. That’s why any of the above [views “from the trenches”] can be taken with a grain of salt. Sample if you like and if you can, but the figures you arrive at will still be the tip of the iceberg in regards to accuracy. (Note: setting aside anti-badware vendor surveys and statistics, which will always scare the pants off anyone if taken as real.)

Who’s listening to the guys working it vs. the script kiddie BS in the press?

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Research, WTF, Web Application Security, cyber crime | 2 Comments »