Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may have already been gone). Were they pushing the same message 12 months ago? Are they now a QSA (not that that matters so much, but it may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

E.g., insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If anyone (like myself) has ever tried to build a rocket (not the WMD type), you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).


Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of the services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no-liability market that few or no other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND NO LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

Be careful of being too cocky…Lifelock CEO cops it….

May 25th, 2008 Drazen Drazic

Watch the Lifelock ad on the site as it scrolls through. :-) Story at ha.ckers.org.

From the story in Yahoo! News.

Another one to add to the list of failed magical solutions? You have to take any promises of total security with a grain of salt. See recent posts about ScanAlert and the links within the links. (Aside: Is this the most hated product/service in the IT Security industry?)

But then again, we have the old Symantec Guarantee. Posted here again for your viewing pleasure and evidence requirements for any legal action you may ever contemplate. (Though by clicking on the software agreement when you installed it, you probably signed away all rights you had anyway, but worth a shot!)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime, news | 4 Comments »

If you’re in the business of providing IT services to customers, ignorance of good security is negligence!

April 22nd, 2008 Drazen Drazic

Talking today to a very successful business that came from the bricks and mortar ranks a few years back and now does 90%+ of its business online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made me angry about so many “IT” businesses who supply “IT” services to these types of businesses.

Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they simply rely on, depend on and trust people in our profession to do the right thing by them….and they don’t!

What blows me away is:


Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Web Application Security, cyber crime | 6 Comments »

SAFEcode - where are we at..a load of BS?!

April 2nd, 2008 Drazen Drazic

I have the barrel and the fish are in it and I am about to shoot…..Yes, we predicted this. So what is new? Okay…here’s a few free hits to the site to make them feel good: http://www.safecode.org/ and members: http://www.safecode.org/members.php

The biggest news is that Nokia has joined. The “Best Practice” papers should not be printed… save the environment, or at least, if you have to, let your kindergarten kid scribble on the back of the page after you have discarded the rubbish as useless! So this is what our industry is doing? So this is what shareholders of these companies are investing in?

WTF are the CEOs of these companies thinking, doing and agreeing to????

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime | 1 Comment »

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

March 17th, 2008 Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into, thinking about their IT security practices more (e.g., through the likes of PCI DSS).

Good businesses that have been around for 10-20+ years then move almost everything online…..(fair enough, business opportunities need to be taken and competitive moves must be made), but gees, many do it so wrong and put a successful bricks and mortar business at enormous risk.


Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments »

“NBA”…they gave it an acronym……still going nowhere fast!

December 27th, 2007 Drazen Drazic

This stuff called NBA (network behaviour analysis) has been around for years (but CW thinks it’s new…..read on) and while I acknowledge the intelligence of the guys who build these systems….from a programming perspective only, and what could be, they have gone relatively nowhere in the last 6 years….i.e., think heuristic antivirus technology…..big talk circa 1995 and where is it today? Any difference?

The following quote from this story in Computerworld, stupidly titled “NBA: Your last line of defence” pretty much inadvertently says it all: (If we solved this problem described below in the quote, the technology would be redundant anyway!) (Addition: this CW link seems to no longer work so go to Network World for the story)


Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF | 4 Comments »

Bad guys struggling due to “Good Guy” vendors but……

November 10th, 2007 Drazen Drazic

I like these stories that come out every so often from the anti-badware vendors to remind us that they are on top of the fight against the bad guys. From ZDNet; More malware means good news in the security fight.

Somehow, while attacks are on the rise, it seems that the good guys are making it hard on the bad guys:
“While the volume of malware threats has spiked recently, one expert believes that this is a good sign, with cybercriminals having to resort to increasingly desperate measures to get a result.”

WTF? Really?

“For one thing this means that they’ve had to cast their nets wider and pump out a vast amount more than they once had to,” said Ducklin.

The bad guys are on the backfoot:
“Secondly, it means they’ve had to employ increasingly complicated tactics to expose people, such as this PDF Trojan……………the fact that it sounds complicated can be taken as a sign that we’re beginning to do very well.”

This is on the back of Kaspersky reporting the upper hand in the fight.

Posted in Bad Developers, Bad Stuff, Dumb Security, MAC Security, Research, WTF, Web Application Security, cyber crime | 3 Comments »

SAFECode Forum - The first? Right focus? Losing focus?

October 27th, 2007 Drazen Drazic

EMC Corporation, Juniper Networks, SAP, Microsoft and Symantec have formed a new consortium whose goal, as reported at TechNewsWorld is to: “……help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity”.

Is it just me who read this and thought; yeah…let’s see how many people remember the name SAFECode Forum in 12 months time? Hey, good luck to them. I hope that they do achieve their goals, but is this really the first of these things we have seen, as they promote it being?

The question has to be asked, have these companies admitted that they cannot today and in the future deliver more secure products on their own?

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, cyber crime | 3 Comments »

The Bad Web Developer Fighting Back…..

August 3rd, 2007 Drazen Drazic

I’m going to turn BorB into a soap opera for the next week or so. I’m going to report on our “discussions” with the web developer that was a leading player in:

Web Applications more secure these days? Not from where we stand!

Securing Web Applications……choose your developers carefully

It seems that the “developer” believes that they have done nothing wrong and continue to argue the point with the business that they are under no obligation to fix anything because what they have delivered is good. (Or so we are told). As a background, we have, until now, been kept out of this by the business who have assumed that the developer would be reasonable. Not the case…..thus, next week…we have been asked to meet with them. The shotgun is ready and the fish have been loaded into the barrel. Stay tuned.

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

We’re going into production…..regardless!

August 1st, 2007 Drazen Drazic

Here’s the scenario - nothing new…we see it every day….but some just stand out big time in regards to stupidity. You have to wonder if you were given 5 minutes with the CEO as to whether things like this would happen. Same old story……what do most CIOs actually do when it comes to information security?

Large multinational - rolling out large Internet based ERP/CRM system for partners and clients. I.e., do your own account changes, pricing, marketing info, updates etc etc. System has been in development for 2 years. Bugger all security team involvement from the outset. Production release - now! Cost to date - millions! Business security team reckons it potentially has holes as wide as the Grand Canyon but the business does not care….it’s too late and it has to go into production.

Call made to SA to test the system ASAP. SA told, regardless of findings, this is going live but let’s test anyway. SA responds with various testing scenarios……..most don’t cut it due to costs and time to test, so it’s agreed that let’s at least do a security test from the Internet and hit the main area of exposure. SA quotes about 30K for a pretty thorough job. (Even then, heavily discounted due to a relationship with the client). Response from business: Oh my god…..30K!!!! ……Management then decides to test it in-house! Millions to build but 30K to spend on security testing?????

Guaranteed owned system very quickly.

Posted in Applications, Bad Developers, Bad Stuff, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

Australian Insurer Hacked…Lets have a closer look….

July 20th, 2007 Drazen Drazic

Okay, the SMH reports: Turkish hackers bring down insurer’s site. This is a funny story, in a weird/bad sort of way, but hopefully another company that learns its lessons before being hit really bad:

- “Hackers” or kids having some fun?
- “Spokesman Robert Whelan said despite customer fears that their account information may have been compromised, no customer details were accessed.” - probably not in this case given the type of attack and who did it but seriously guys, do you really know if that is the case?
- “Customer information for AAMI is all kept on a very separate infrastructure on our website,” - Hmmmm…..if this was so easy, gees…..
- “Earlier today, AAMI, which offers general insurance, was scrambling to find out how a group calling itself the “Ay Yildiz Team” hijacked its website, replacing it with an anti-Israel message”- Ain’t rocket science generally in cases like this!
- “When contacted at around 10.15am this morning, an AAMI spokesman said he did not know what had happened. “We only found out 15 minutes ago and I’m now trying to find out what is going on in the way of whether this was just a hack into the front part of the site or it went deeper,” he said. Philip Olsen, an AAMI customer who discovered the hack around 9.30am, said he was concerned that his account information may have been compromised. “I called them and they had no idea it was a problem, so their claims that my account information, including credit card info, was safe seemed hollow at best,” said Olsen. “If they [the hackers] can get on their main web page and deface it like that, what else can they get access to,” he said.” - Philip Olsen: AAMI Security Monitoring Manager?! Hire that dude!

What am I doing even writing this? Must be a Friday thing. Off to Zone-H with you all!

Posted in Bad Developers, Bad Stuff, Dumb Security, Vulnerability Management, Web Application Security, cyber crime | No Comments »

90% of Web Applications Suck……

July 12th, 2007 Drazen Drazic

Just throwing this one out there after a talk with a journo today as an aside to the .NET stuff we published today.

The question was raised on overall web application security in the real world….what’s your call on it SA?

We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities. (I.e., we own, we break etc ….bad!….PCI as an example…very upset potentially). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand, we’re all (all companies like SA) now dealing with a backlog of testing…..stuff that should have been done years ago.

I will state again….the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security…..but that’s the norm unfortunately.

When the sh*t eventually hits the fan in these companies, and it makes the press…same old story…..there’s no one to blame!….. (at least in Australia where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)….

Japan has the right idea in the banking sector - they (the regulators) make the CIO accountable and if the sh*t does hit the fan, he goes to jail (i.e., gaol - aussie spelling - stupid as it is).

We supported a relatively similar call a while back from the Acunetix dudes that had their 80% claim challenged by Network World.

Happy to be tested and a similar challenge thrown out to us…..though I don’t expect it. It would be like shooting fish in a barrel or, as the Big Galoot says: “a newsagent girl picking me out as the shooter and not the pig on the cover of ‘Babes and Boars’”……maybe not……

Posted in Applications, Bad Developers, Bad Stuff, Big Galoot Diatribe, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

Time to look at .NET security

July 9th, 2007 Drazen Drazic

I mentioned in a previous post that Paul Craig’s presentation on .NET would be interesting to say the least.

More on this soon but in the meantime, have a read on one of the first reports at: http://planet-websecurity.org/.NET+0-day%3F/

Posted in Applications, Bad Developers, Bad Stuff, Web Application Security | No Comments »

Test before you buy…..

June 6th, 2007 Drazen Drazic

When buying a new car, you test drive it…….to see if it floats your boat and performs as you hope it will. A big factor is the security the car comes with nowadays. If you’re in the market for a Rex, Evo or the luxury sports models (I like my cars as you can tell), you expect the security now as standard, because you know you’re a target.

Why not do the same in terms of security of new applications you’re buying……in addition to ensuring the functionality is there which you do as standard? Hey, the analogy fits.

This story from SearchSecurity is worth a read, but somehow, it looks like the last part of the journo’s story has warped into another plane and has been replaced by the end of another article, (which looks interesting in its own right).

We are seeing this trend growing and that is good! The last thing anyone wants is this. But, unfortunately, there’s still more “this”.

Posted in Bad Developers, Dumb Security, Web Application Security | 2 Comments »

Securing Web Applications……choose your developers carefully…..

May 12th, 2007 Drazen Drazic

A poorly developed web application can potentially open up an organisation to business-threatening problems. Exaggeration……no way? I know, because we see it every day.

A friend, CEO of a good sized company (offices in Australia, Asia and London) recently decided to make a serious move into eCommerce B2B and B2C.

Security-Assessment.com did not need to be involved with the project because the third-party developer was reputable and had good reference sites, I was told at a BBQ by the CEO over a few beers. (The CEO’s not an IT guy – he’s a successful businessman). After sharing a few generic war stories with him (incriminating no one as per our policy), I suggested I get a couple of the boys to have a look at the new site anyway - given the potential new exposures he’s opened his business up to now…..which he previously did not have to concern himself with.

In a nutshell, his business went from being a strong and secure bricks and mortar organisation to one that now bled customer and competitive information to anyone who wanted to see it on the Internet! How does open access to the back-end customer database and real-time access to orders as they come in grab you?……amongst many other things! In addition, some other nice touches included: the complete site code zipped up for anyone to download and also, get this, the developer had a beautiful photo of his wife and new baby in a bath tub on the site for the world to find.

Anyway, we deliver the report with recommendations and the CEO and his GM strip out the major issues to confront the developer directly. Now here’s where it gets good, and keep in mind, the CEO and GM are not IT guys..so the developer thinks he’s going to put it over them. Here’s the main gist of the developer’s response:

- “No, we don’t follow OWASP. The standards that we follow are W3C web standards for front end/interfaces”.
- “In regards of the back end coding, this depends on the environment and we implement the best practice. However, since the website has payment gateway, it uses SSL Certificate (128 bit encryption) to make sure no personal Credit Cards details are exposed to the net”.
- “Just so you are aware that for any big corporate website eg. [DD: Aussie Bank name removed] website we do follow security standard which is ‘Application Security Guidelines’ from [DD: company name and website link removed.. but it was a small IT security consulting business / SA competitor], basically this is a security bank standards. In order to for us to implement this standard, we need to be notified in advance if this is necessary since implementing this incur additional charges which is not small”.

Can you believe this? Let’s look at this more:

(1) The first statement said nothing more than they develop websites. For a laugh, we ran a W3C validation report and guess what, they failed. Not a big deal as such but if you state this, at least be able to back it up.
(2) Well duh! But we’ll get that information (and more) from other places……as we did. :-)
(3) So, just because the CEO’s company was not a “big corporate”, what, he doesn’t warrant getting a secure site built?! AND, if he wants a secure site, this will cost extra! WTF? What year are we in?? In addition, the developer cites some standard we could not find on the site he noted. We’d never heard of it and were unaware of any such thing being the “security bank standard”. On contacting our competitor (who was quoted) to confirm, they stressed that in their work they refer their clients to OWASP, and didn’t really know why their name was used or what this guy was talking about!
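Point (2) above is the one worth spelling out: a 128-bit SSL certificate protects the card number on the wire and nothing else. If the application hands out any order to anyone who asks for it, and prints its own exception text when something goes wrong, the encrypted channel just delivers the leak securely. The following is an added example (not code from the original post or from the developer involved) that models the two findings the post describes, open access to orders and detailed error reporting, as a tiny WSGI handler in its weak and hardened forms. Order data, customer names and session tokens are constructed sample values; a real application would look sessions up in a proper session store.

```python
import json
from urllib.parse import parse_qs

# Constructed sample data (not from the post): two customers and their orders.
ORDERS = {
    "1001": {"customer": "acme", "total": 1200.0, "items": ["widgets x10"]},
    "1002": {"customer": "globex", "total": 980.0, "items": ["gadgets x4"]},
}
# Constructed session tokens -> customer; stands in for a real session store.
SESSIONS = {"tok-acme": "acme", "tok-globex": "globex"}


def insecure_app(environ, start_response):
    """The pattern the post describes: order lookup with no authentication or
    ownership check, and Python's own exception text sent to the client."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    try:
        order = ORDERS[query["id"][0]]
    except Exception as exc:  # "detailed error reporting" straight to the browser
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [f"{type(exc).__name__}: {exc!r} while reading ORDERS".encode()]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(order).encode()]


def secure_app(environ, start_response):
    """Hardened form: require a session, check that the order belongs to the
    caller, and return a generic error body whatever went wrong."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    customer = SESSIONS.get(token)
    if customer is None:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "authentication required"}']
    query = parse_qs(environ.get("QUERY_STRING", ""))
    order = ORDERS.get(query.get("id", [""])[0])
    # Same 404 for "no such order" and "not your order", so a caller cannot
    # tell valid IDs from invalid ones by comparing the responses.
    if order is None or order["customer"] != customer:
        start_response("404 Not Found", [("Content-Type", "application/json")])
        return [b'{"error": "not found"}']
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(order).encode()]


def call(app, query="", auth=None):
    """Drive a WSGI app in-process (no network, no TLS) and return (status, body).
    TLS never enters the picture here, which is the point: it would not change
    any of these responses."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/order", "QUERY_STRING": query}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # An anonymous visitor reads another customer's order from the weak app...
    print(call(insecure_app, "id=1002"))
    # ...and a bad ID returns the exception name and the data structure it came from.
    print(call(insecure_app, "id=9999"))
    # The hardened app refuses the same requests and only serves the caller's own order.
    print(call(secure_app, "id=1002"))
    print(call(secure_app, "id=1002", "Bearer tok-acme"))
    print(call(secure_app, "id=1001", "Bearer tok-acme"))
```

The two handlers differ by about ten lines, none of which have anything to do with certificates: an authentication check, an ownership comparison, and error responses that say nothing about the internals. Those ten lines are what the developer’s “SSL Certificate (128 bit encryption)” answer quietly skipped over.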

Sadly, we see this all the time. It is good though to see organisations getting more aware of web application risks and doing something about it, but it’s a long way from us being able to say this is not something we see every day.

A few tips for anyone developing a new website and web applications – whether being done in-house or getting third-parties in:

- Aside from ensuring all the functional requirements are there, ask about how the application is going to be secured.
- Ask whether security is a strong focus in the SDLC.
- Ask how security is tested.
- Ask whether OWASP guidelines are followed. (If they’ve never heard of OWASP, I suggest you run!).
- Get a reputable security company to test the application’s security prior to release.

The risks of not doing this are potentially business threatening.

Posted in Bad Developers, Dumb Security, Web Application Security | 2 Comments »

Organising a penetration test for your organisation………

March 18th, 2007 Drazen Drazic

Some good points raised in this article: www.it-observer.com/articles.php?id=1308

There are few good companies out there that do penetration testing well, and they’re generally the smaller specialist organisations (yeah, I have to mention Security-assessment.com).

We still see and hear about mobs doing this work for clients and shake our heads at the results / output. There are still guys out there running basic VA and port scans, delivering stock standard reports out of the likes of Nessus to clients and calling it a penetration test.

It’s hard for organisations to know what questions to ask and how to compare offerings because it is such a specialised field. This article goes some way to helping.

Posted in Applications, Bad Developers, Forensics, Research, Vulnerability Management, Web Application Security, cyber crime | 4 Comments »

Web Applications more secure these days? Not from where we stand!

March 5th, 2007 Drazen Drazic

The recent figures posted by Acunetix (see previous post) were an eye opener to many – including long term IT industry guys…….and that is a concern.

The simple facts are that most people do underestimate the problems out there on websites and are comfortable in believing that many in the IT Security business are being alarmist, far more than they should be, and doing no more than trying to keep themselves in business.

The truth is that bad things are happening out there and just because people don’t hear about it, doesn’t mean it isn’t happening. We know, because we see it every day.

Are web developers getting smarter in regards to secure coding? Based upon our experience, I’d say they’re not. Most haven’t heard of OWASP, have never been taught secure coding practices / skills and rarely work in an environment where security plays a role in the SDLC.

I’m not just talking about internal developers - you can lump third-party hired guns into that category too. It never ceases to amaze me when we review new sites developed for organisations by so-called experts.

A good friend is the CEO of a manufacturing business - offices in Australia, Asia and the UK. While they’ve had a basic web presence and e-business capability for a while, they recently paid for the development of a new B2B and B2C site. Good dollars changed hands. Now the CEO is no IT guru, but when dealing with a supposedly reputable development shop, he does expect a quality product for his dollars. As a favour, we offered to test the site for him. Now where do we start?

- Information leakage throughout
- Access for anyone on the net who wants to track who’s buying and how much from his company
- User-friendly access to admin screens to test password guessing capabilities
- Convenient site back up including all application source code zipped up in preparation for anyone to download
- Detailed error reporting to support our “tests”
- A nice photo of a baby in a bath with its mother (we guess it could be the developer’s new born baby) - though you’d have to know where to look on the site to find it.
- etc etc etc ….. it goes on and on……and we’ve barely gotten into any real testing as yet.

An exception? No!

If anything, the Acunetix figures could be pumped up another 20% and I reckon you’d be closer to the mark.

DD

Posted in Applications, Bad Developers, Vulnerability Management, Web Application Security | 1 Comment »

Fun for the Acunetix Guys……………

February 22nd, 2007 Drazen Drazic

Kevin and team look like they’re in for some cool fun here……….

http://www.matasano.com/log/699/did-idg-bet-1000-that-acunetix-cant-steal-credit-cards-from-random-websites/

http://www.acunetix.com/news/acunetix_reveals_data.htm

In regards to the figures…..not that far off the estimates that we discuss with clients. The Network World response highlights what we’ve said before….even people in the IT industry can be oblivious to the extent of the issues out there.

What’s the bet they’ve been working overtime on their site(s) security since the challenge went out. Even then, they’ll probably be found wanting.

Posted in Applications, Bad Developers, Vulnerability Management, Web Application Security | 1 Comment »