Outsourced (unauthorised) Vulnerability Assessment – Testing for Porkies!

Posted on August 28th, 2009 by Drazen Drazic

Looking at data like this from the Conficker Working Group and talking to many Information Security Managers/CSOs still having to deal with outbreaks in their organisations, you have to wonder what’s going on. The general theme seems to be: “Infrastructure lead told us this was under control….they patch (always!)…..they now tell us [post infection], they “sometimes” patch!….Now it’s out of control!”

LOL…usually the same guys who see no merit in vulnerability assessment/management systems and penetration testing (plus security in general?). Why buy something like QualysGuard when you can get a pretty thorough test for free, I suppose? (If you can deal with the repercussions.) From the CSO perspective: Automated Porkie Testing…no client-side input required. :)

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF | 1 Comment »

Macs, Snow Leopard, Malware etc….

Posted on August 27th, 2009 by Drazen Drazic

I suppose having some form of detection “engine” at the ready, even if it’s just sitting idle (if that is really what Apple is considering and it’s not just speculation waffle), makes sense in the longer term…..if that one day comes where all us Mac users come under attack!? Quicker to download a signature than a complete application when time could be of the essence. But if gameovered….doesn’t matter anyway. Hmm….Nothing new here.

Posted in Bad Stuff, MAC Security, Vulnerability Management | No Comments »

Amazing People doing Amazing Things…..Soon :)

Posted on August 26th, 2009 by Drazen Drazic

Stay tuned….

Getting asked by people all the time why I do things like “Twitter” for example. As if it is something not so worthy. Background: here and here.

So I have decided I would look at some of the real benefits of such applications in relation to our industry (and wider) in a much longer post. Who’s wasting their time or missing out? Is it that uncool? LOL……we’ll see.

DD

Posted in Bad Stuff, Dumb Security, Ford Falcon, Research, Securus Global, Too cool, UFOs, WTF | 1 Comment »

Off Topic Post – Rugby Union is one dead arsed sport!

Posted on August 22nd, 2009 by Drazen Drazic

Now I am/was a Rugby Union supporter, but geez, this game is now so far behind Rugby League, it’s not funny. It’s that exciting that I can write this post as I watch the pinnacle of the sport, a Bledisloe game between Australia and the All Blacks, and know I am not missing much as I type. Read on.

Read the rest of this entry »

Posted in Bad Stuff, Ford Falcon, WTF | 8 Comments »

Random Links and Rants…….

Posted on August 22nd, 2009 by Drazen Drazic

- Didn’t the 4 Corners episode “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons: (1) I didn’t think anything new and worthwhile was worth highlighting, and (2) people were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that.) Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so, in my opinion. I welcome your thoughts here.

- Which leads me to discussions and analysis on who the “experts” are. Anton Chuvakin, our Qualys and PCI friend, ponders the question here: “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter: here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode, responded to this here.

- Hackers vs Federal Police was a big story this week, as reported in the SMH: “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well, at least you’d bet on it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one, “How not to setup a Hotel Safe”: I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | No Comments »

CERTs in Australia….and the saga continues….

Posted on August 18th, 2009 by Drazen Drazic

From Australian IT: “AusCERT sidelined in CERT revamp“. Sadly, the big question that most will raise from this is: “What will happen to the yearly junket (I mean conference) on the Gold Coast?” I’d be shocked if anyone even responds to this post.

Positive to see the Government doing things. Hopefully it’s being well planned and thought out.

Posted in Risk Management, cyber crime, news | 17 Comments »

Memories of 2005……not an IT Security topic…..

Posted on August 16th, 2009 by Drazen Drazic

My Rugby League team, the West Tigers, had been having a pretty ordinary year until about 6 weeks ago. They’re now 6-0 in the last 6 weeks. I had no expectations before I went overseas (not in the running for the finals), but it was great to come back and see they had won every game while I was away! (Yes, I am superstitious enough to believe that it was me being away….but today they won 56-10, so that’s BS!) :)

Now the point of this post:

Read the rest of this entry »

Posted in Too cool, Uncategorized | 5 Comments »

Might sit back this time for “Snow Leopard”……maybe….maybe not.

Posted on August 16th, 2009 by Drazen Drazic

The last update to the Mac operating system (Leopard) didn’t really live up to the hype in my opinion, but still, I’d rather be on the Mac than Windows. Just a personal choice. Thanks to cmlh for the link to this comparison between Windows 7 and the last version of the Mac OS. Worth a read if interested. Then again, with an upgrade price of around $30, who knows, I may get the urge to get it sooner. http://www.apple.com/macosx/

LOL at the dude(s) that responded to a recent press article on Mac security that I was quoted in…assuming I was on anything but the Mac, and how dare I bag Mac security. But that’s another story. :) Got to love the Mac fanboys. They are a passionate bunch.

Posted in MAC Security | 2 Comments »

Me Presenting at Conferences. Laying Down Conditions…..I’m Laid Back but…

Posted on August 14th, 2009 by Drazen Drazic

Coincidental timing….seeing a discussion on Twitter and in a forum here between a few people on why I don’t do presentations at large conferences.

Nice to know that people give me that cred worth discussing…thank you.

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Too cool, WTF | 1 Comment »

Securus Global News and Information

Posted on August 13th, 2009 by Drazen Drazic

I don’t normally use this forum to talk about the business side of things for Securus Global but thought I would take an opportunity to talk a bit about what’s been happening.

2009 surprisingly has seen good growth for us. Still hoping we’re not going to see some delayed effect of the Global Economic Crisis.

While we’ve always had a large client base in Melbourne, we’ve recently set up a permanent presence there and we’re looking at doing the same for other Australian cities. Asia and other international clients we support from Sydney at present (and travel as required, like we always have), but we’re looking at our position here (also based upon international partnerships).

With this expansion, we are looking for good people, so we’re keen to hear from experienced and passionate Information Security Specialists. Generally, the level of expertise we look for is as described here. Working with many of Australia’s largest organisations across most industry sectors (in particular across critical infrastructure), we’re seen as leaders in our field and we’ve built our reputation and differentiation on the quality of our work and people. There are few others that can now match our client base and we’re proud of our achievements to have gotten to where we are.

Read the rest of this entry »

Posted in Securus Global, news | No Comments »

Random Links and Rants…….

Posted on August 10th, 2009 by Drazen Drazic

- How not to set up a Hotel Safe: I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- Ockham’s Razor post on Security Shapes. D’s stuff is always interesting and worth a read.

- Our old friend Big Galoot has certainly shown the power of the Internet Blogger. His “Protect Jerrys Plains” blog has exposed many questionable business and government practices. In recent times, his work has received attention from mainstream media. He may well have brought down a minister.

- Saw this one on my return – reported by Pat at Risky.Biz: “McAfee Leaks 1400 Security Pro Details“. I haven’t had a chance to listen to the podcast yet where Pat interviews McAfee over the incident. I question how big a deal this is. How much of the information is confidential, really? AusCert and many other conferences send out similar lists (albeit the attendees have opted in for their information to be available to sponsors). Mistake or marketing – Hey, look how many important people were interested in McAfee. Might drive others to follow these important people. DLP discussion/debate? Seriously?

- Christian has a new post where he poses some good questions around putting solutions together and approaches to Information Security; “Keep It Simple“.

- Jarrod looks at the “Full-Disclosure” debate here at his /Dev/Null blog.

- We’ve added a few more to the list of Australian IT Security Bloggers. Let me know if you want to be added to this list.

- I see Kiwicon 3 has been announced for November 28-29, 2009. Details here. Follow on Twitter also.

Back now after almost 4 weeks abroad. While I was away, the guys at Tek-Tips kicked off publication of some of my articles. I’ll be writing more for the publication so will post links sometimes from here to the site. Anyway, I better get back to work now.

Posted in Dumb Security, WTF, news | No Comments »

Police Checks on Employees – Important Considerations

Posted on August 10th, 2009 by Drazen Drazic

By SGirl:

An interesting question came across our desk this week to do with police checks on current employees and potential new employees.

Things like PCI and the increasing awareness of the human factor in security threats mean more and more organisations are getting police checks done on candidates and as part of an ongoing assurance program.

So what happens if you get a report returned that shows a conviction? What do you do? Sack the employee? Not hire them? Perhaps, perhaps not.

While some organisations have a legal requirement not to employ anyone with a criminal history (working with children, issuing licences to name a few), for others the requirements and boundaries that need to be considered are a little greyer.

Essentially there are basic human rights that prevent discrimination in the workplace, including whether or not a person has a criminal conviction. The Human Rights and Equal Opportunity Commission have a discussion paper on it:

http://www.hreoc.gov.au/human_rights/criminalrecord/summary.html

To avoid discrimination on the basis of criminal record, an employer can only refuse to employ a person if their criminal record prevents them from performing the ‘inherent requirements’ of the job.

Read the rest of this entry »

Posted in Industry Specialists Talk, Risk Management, cyber crime, governance | No Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East government and government security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat, I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Evaluating Automated Assessment Tools

Posted on August 5th, 2009 by matthew

By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assessment requirements, clients need to have coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There was a huge number of false positives.
  • There were many false negatives. (Probably more than we know :-) )

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketed to coders and auditors who do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is Burp. It’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.
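What the “qualified person verifying the results” actually does can be reduced to a script, and doing so makes the three problems above (coverage, false positives, false negatives) measurable rather than anecdotal. The following is an added example and not code from this post or from AppScan, Acunetix or Burp: the scanned application, the scanner’s crawl log, its findings and the manually established list of vulnerable routes are all constructed stand-ins (assumptions), so it runs offline. It replays each reflected-XSS finding with a canary payload and only keeps the ones where the canary comes back unencoded, compares the crawl log against the application’s known routes to show what the scanner never reached, and reports precision and recall against what manual testing found.

```python
"""
Triage of automated web-scanner output against the application it scanned.
Added example, not code from the post or from any of the products it names.
The target application, the scanner's crawl log and findings, and the
manually verified ground truth are constructed in-line (assumptions).
"""
import html
from urllib.parse import parse_qs, urlsplit

# Stand-in for the scanned application: path -> handler(params) -> HTML body.
# /greet and /legacy reflect input unescaped; /search escapes it. (Constructed.)
def _search(params):
    return f"<p>Results for {html.escape(params.get('q', [''])[0])}</p>"

def _greet(params):
    return f"<h1>Hello {params.get('name', [''])[0]}</h1>"      # unescaped: real XSS

def _legacy(params):
    return f"<!-- ref: {params.get('ref', [''])[0]} -->"          # unescaped, unlinked route

APP_ROUTES = {
    "/": lambda p: "<p>Home</p>",
    "/about": lambda p: "<p>About</p>",
    "/search": _search,
    "/greet": _greet,
    "/legacy": _legacy,
}

def fetch(url):
    """Minimal offline 'HTTP client' over APP_ROUTES (GET only, assumption)."""
    parts = urlsplit(url)
    handler = APP_ROUTES.get(parts.path)
    if handler is None:
        return 404, ""
    return 200, handler(parse_qs(parts.query))

# Constructed scanner output: what it crawled and what it flagged.
SCANNER_CRAWLED = ["/", "/search?q=test", "/about", "/greet?name=test"]
SCANNER_FINDINGS = [
    {"url": "/search?q=1", "param": "q", "type": "reflected_xss"},     # false positive
    {"url": "/greet?name=1", "param": "name", "type": "reflected_xss"},  # true positive
]
# What a manual test of the whole application established (constructed).
VULNERABLE_ROUTES = ["/greet", "/legacy"]

# Unique marker containing characters that any output encoding must alter.
CANARY = "zq9<svg/onload=x>"

def verify_reflected_xss(finding):
    """Replay the finding with the canary in the flagged parameter and
    confirm the canary is reflected verbatim (i.e. not HTML-encoded)."""
    parts = urlsplit(finding["url"])
    params = parse_qs(parts.query)
    params[finding["param"]] = [CANARY]
    query = "&".join(f"{k}={v[0]}" for k, v in params.items())
    status, body = fetch(f"{parts.path}?{query}")
    return status == 200 and CANARY in body

def triage(findings):
    """Split scanner findings into confirmed paths and false-positive paths."""
    confirmed, false_positives = [], []
    for f in findings:
        path = urlsplit(f["url"]).path
        (confirmed if verify_reflected_xss(f) else false_positives).append(path)
    return confirmed, false_positives

def coverage_gap(crawled, known_routes):
    """Routes the application exposes that the scanner never requested."""
    seen = {urlsplit(u).path for u in crawled}
    return sorted(set(known_routes) - seen)

def precision_recall(confirmed_paths, vulnerable_paths, finding_count):
    """Precision over raw scanner findings, recall over manually found bugs."""
    tp = len(set(confirmed_paths) & set(vulnerable_paths))
    precision = tp / finding_count if finding_count else 0.0
    recall = tp / len(vulnerable_paths) if vulnerable_paths else 0.0
    return precision, recall

if __name__ == "__main__":
    confirmed, fps = triage(SCANNER_FINDINGS)
    print("confirmed:", confirmed, "false positives:", fps)
    print("never crawled:", coverage_gap(SCANNER_CRAWLED, APP_ROUTES))
    print("precision/recall:", precision_recall(confirmed, VULNERABLE_ROUTES,
                                                len(SCANNER_FINDINGS)))
```

Against the constructed target the scanner scores 50% precision and 50% recall, and the missed bug sits in exactly the route the crawler never visited; the coverage gap, not the findings list, is the first thing a skilled tester reads, because a route the scanner never requested cannot produce a false negative you will ever see in the report.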

Posted in Applications, Vulnerability Management, Web Application Security | 9 Comments »