We’ve talked quite a bit about PCI DSS compliance here (http://beastorbuddha.com/category/pci/). Generally, we’ve looked at what is going wrong, what can go wrong and, from there, what organisations should be considering in order to do it better. This post looks at it from a slightly different perspective, though not a wholly new one either; we’ve touched on and skirted around it a few times.

While PCI DSS has been a good wake-up call for many organisations, there is a negative side that doesn’t get much attention, lost in all the talk about the benefits PCI DSS has brought to organisations that previously had weak to non-existent security practices: a security strategy based solely on compliance.

It doesn’t work.




Dear AusCERT Delegate

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately, we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and has been known since 2008.

The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server, whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

If you have inserted the USB device into your Microsoft Windows machine, we suggest that you contact your IT administrator for assessment, remediation and removal, or you may want to take the precaution of performing the steps below.

Steps to remove the malware:

1. Turn off System Restore
[Start > Programs > Accessories > System Tools > System Restore]
Turning off System Restore will enable your anti virus software to clean the virus from both your current system and any restore points that may have become infected.

2. Update your antivirus tool with the latest antivirus definitions
[available from your anti virus vendor of choice].

3. Perform a full system scan with your AV tool to confirm the existence of the infection. If malware is detected, allow your AV to complete a clean.

4. On completion of this process, complete a second scan using a different anti virus product. Free anti virus products are available from known companies such as AVG, Avira, Panda Software, or Trend Micro.

5. Once a second scan has been performed and it is determined that your workstation is free of any known malware, as a precautionary measure we recommend that you perform a back up of all vital files on your workstation and perform a full re-installation of the operating system. This process will remove the risk of other unknown or undetected malware that may be present on your machine.

If you experience difficulties with the above steps, please contact the IBM Security Operations Team at secops@au1.ibm.com.  An IBM technical support person will contact you by phone to assist you.

We regret any inconvenience that may have been caused.

Glenn Wightwick
Chief Technologist
IBM Australia
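Before working through the removal steps above, a responder usually wants to know what a suspect key would have launched on insertion and to hash those files for the AV vendor. The helper below is an added example, not part of the IBM letter or this blog: it parses the autorun.inf that Windows AutoRun reads from the drive root (the letter refers to it as autorun.ini), reports which keys would run a program, and hashes the referenced files. SAMPLE_INF and the setup.exe bytes are constructed for the demonstration.

```python
import hashlib, re, tempfile
from pathlib import Path
# Constructed autorun.inf in the style of USB worms: the launching keys point at
# setup.exe in the drive root, while "icon" is cosmetic and must not be flagged.
SAMPLE_INF = """[autorun]
open=setup.exe /s
icon=setup.exe,0
shell\\explore\\command="setup.exe" /explore
"""

def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.setdefault((current := line[1:-1].strip().lower()), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launched_programs(sections):
    """(key, program) pairs that AutoRun/AutoPlay would run or offer on insertion."""
    auto, found = sections.get("autorun", {}), []
    for key in sorted(auto):
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\.+\\command", key):
            m = re.match(r'"([^"]+)"|(\S+)', auto[key])  # program is the first token
            if m:
                found.append((key, m.group(1) or m.group(2)))
    return found

def triage_drive(root):
    """Map each program the drive's autorun.inf points at to its SHA-256 (None if absent)."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return {}
    progs = launched_programs(parse_autorun(inf.read_text(errors="replace")))
    targets = {(k, p): inf.parent / p.replace("\\", "/").lstrip("/") for k, p in progs}
    return {kp: hashlib.sha256(t.read_bytes()).hexdigest() if t.is_file() else None
            for kp, t in targets.items()}

def build_sample_drive():
    """Temp directory standing in for the USB key root; its files are constructed."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text(SAMPLE_INF)
    (root / "setup.exe").write_bytes(b"MZ placeholder, constructed, not a real binary")
    return root
```

Point `triage_drive` at the mount point of a suspect key (for example `E:\`) from a machine with AutoRun disabled; a `None` digest means the autorun.inf refers to a file that is not on the drive.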
———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



AusCERT 2010 kicks off tonight. I’ll be there this year thanks to SC Magazine.

If you can’t make it, check out the almost-live Twitter feed for the latest as reported by attendees, media and others, here and here.

Feel free to post your thoughts and comments on the event as responses.



By Declan Ingram.

Thought-provoking read over at the Register: Feds seize $143M worth of bogus networking gear.

While the article is mainly about counterfeit hardware (Cisco etc.) seized in the US (some of which was used by the US Marines in Iraq), there are two parts that got my attention:

1) The counterfeit gear could have backdoors. (Well, yes; this is not news for many. I’d be surprised if some or most of it doesn’t.)

2) This lovely quote: “In May of 2008, Cisco officials said they had no evidence that any of the counterfeit networking gear contained backdoors”. If these are the same officials that have missed all the other security issues to date (and in the future), then I’m not sure this statement makes me feel any better.

This reminds me of a friend of mine who years ago purchased some pirated operating systems on CD in Malaysia. They had been backdoored and, once installed, allowed anyone on the Internet to gain full access. I had a giggle, I must say. You really get what you pay for... and more. (Remote Support?) :)

The (potential) security problems of pirated software have been well documented for some time. Most will have looked at backdoored ‘cracks’ for proprietary software etc., but bogus hardware? Backdoored from day 0? Cisco gear is generally top shelf, so more likely to get noticed, but what about lesser brands or even your generic ‘sourced’ components? The flash drive from eBay? The cheap video card you got for your server so you can install the OS? Have a think about it.

Could organised crime use this to offset the cost of components? OK, that could well just be pure FUD... but... :)

I bet some (most?) bogus gear comes from the same factory as the legit gear. Stands to reason. If it is backdoored, what assurance do we have that the legit gear isn’t? How would we (or anyone else) ever know? Few know where to start in assessing the security of their supply chain.




As reported in ITNews and syndicated sites:

“The Federal Government has announced plans to sign an international treaty designed to facilitate the identification, extradition and conviction of cybercriminals around the world.”

In principle, the thinking and premise behind this are what you would expect when technology issues and practices are being aligned with “traditional” laws. But is this happening in order to mirror the “traditional/current” laws of the member countries? What impact does a treaty owned and driven out of the EU have on “other members” such as Australia? While 99% of this may be acceptable, and most of it already accepted practice here, care must be taken that we don’t jump into something without a full understanding of the impacts on our country and its citizens.

Are we prepared to fully jump into something like this (albeit we do formally and informally undertake and work against most of these principles now) without other foundation legislation in place that would strengthen our ability to really make this work on all levels?

The Government(s) in Australia have not really instilled us with much confidence for a while that they truly get IT, IT Security, eCommerce etc. Hopefully this is not another case of kicking something off and then having it come back to haunt them later... and there’s quite a bit of that.

I’m no expert in this field but find it an interesting topic. Am keen on your thoughts.




An interesting question in the forums that is worth bringing out here for discussion. From Statman’s entry:

“How do others out there in their companies log security breaches? Do you? Where? How? It would be interesting to see how people are doing this?”

Further, it would be interesting to hear from you all what sort of process, procedure etc. you have around “logging”. What drives it, is it working, does anyone care?

[Edit Clarification: distinction between "event" and "breach" should have been clearer. Same question remains though for both.]




There are only a few security-focussed companies I trust(ed), and PGP was one of them. They’ve now fallen into the hands of this mob.

One of my all-time favourite posts here.

A case of too much money in the bank and on the flipside, easy-money. It’s business I suppose.


I’d love to know who’s reading this post here. It is by far the most read post on Beast or Buddha according to the stats I have. It is also the one that explains why I rarely post lately, or rather why I go through times of little inspiration (or times when I feel I have said it before).

What you get from me here are certain things: not always watered down, but only what I can say. At a high level, uncut thoughts, but gees, I do wish I could keep a diary here of what we see day in and day out. That would make for some reading!! If not for NDAs and other contracts. I suppose you have to read between the lines sometimes here, but even then, not close! It is a scary world in IT... trust us... it really is!



- Check out the Australian IT Security Blog Directory. There are some really good blogs here, and the list is growing.

- Jarrod Loidl at /dev/null is posting some really interesting thoughts: regulation, Facebook, book reviews, the “wall of shame”, etc. Check it out and bookmark Jarrod’s site. Get onto @xntrik’s site also while at it, here.

- The PCI DSS has something new for non-QSAs. Have a look, but open your wallet, here. Worth an investigation, and finally something for non-QSA organisations. As such, a good thing I believe.

- The Australian Information Security Association (AISA) has hit 1000 members. For you overseas people, it may not sound like much, but remember, Australia is small. Well done to AISA. For information and how to join, check out the AISA website here.

- OWASP Australia has a bit of a new lease of life in Sydney, and Melbourne kicks on. Also, Ruxcon is doing monthly meetings in Melbourne. I haven’t seen the security community as busy as it has been lately. Info here. Stay tuned... Securus Global will be announcing monthly security management meetings, hacker/tech meetings and some in-betweeners, plus a few social sessions for the security community. Email me also for more details.

- Is the Government listening? http://beastorbuddha.com/?s=government. I reckon they are. I know AusCERT reads this. :) Here we go: from ComputerWorld. Nah... we’re one little voice here.

- Yeah, flame on but as you know, I’m more than happy to be in the ruck rather than screaming instructions from the sideline:
http://awards.scmagazine.com.au/judging-panel

I know I haven’t been posting much lately but read the stuff from the guys that are in the blog directory, and if you want to add your blog here, let me know.
