It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses it’s own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting fraud. It’s “security” by definition but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:


I enjoyed listening to Paul Ducklin on the latest Risky Business podcast that featured interviews on this iPhone “worm”. Worth a click through to Risky Business.

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Just got back and saw this was confirmed:

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there is no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

By Declan Ingram

An interesting thing happened today. Someone asked me to find a Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey are the sites that you develop secure?”. You know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising… which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked-off a series of posts titled; “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies – present and past, is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

No. Not even close. I’ve posted before about the limitations of the surveys etc we’re fed almost daily, but add the rest I’ve included in the title, and you’re still not close to the reality of badly developed and insecure software. Some things you just cannot blog about for various reasons. (Makes some blogs probably less interesting..hmm..yeah..I know). Not hard to work out what I am talking about – client confidentiality. That’s why, any of the above [views "from the trenches"] can be taken with a grain of salt. Sample if you like and if you can, but the figures you arrive at will still be the tip of the iceberg in regards to accuracy. (Note: taking aside anti-badware vendor surveys and statistics, which will always scare the pants off anyone if taken for real).

Who’s listening to the guys working it vs. the script kiddie BS in the press?

With some “experts” suggesting you switch browsers to hide away from bad vulnerabilities in IE, you have to wonder what some of these people are thinking. It continues to highlight the IT industry’s obsession with band-aid solutions – rarely looking at, nor attacking, the root cause of the problems we face with insecure software.

David Rice in his latest post here at the Geekonomics website covers it well.

You may have already read about this in MIS (and yes, the “spokesman” comments were mine representing the opinions of AISA – not Securus Global or Beast or Buddha), but here is the full press release that people have been asking to see:

About AISA:

Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”

SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.

Web Developer: “Well nothing has ever happened so it’s just you guys!”

SG dude: “You have no logging”.

Web Developer: “We’ve never been hacked!”

What do you do? :-) Scenario repeats every week – new developer, next website, next web app. See you then!

The “cloud”!! The thing we knew as the Internet on many a whiteboard for so many years…..that thing we all decided to know little about, (okay, at least layers 1-2), because it was magic!!!!


Can you seriously believe, that we believe that by “hiding” the “difficult” things, you make us think you know what you are doing and keeping us secure?! You’ve lost the plot….not that most ever had it, so to regain face (ie; keep revenue growth on path), lets hide sh*t in a “cloud” to cover up our inadequacies.

So, I am starting an anti-cloud movement and I ask you all that anytime you hear and see a sales rep talking about “clouds”, you ask the question; “what happens when many clouds come together….do we have a storm? and what does that mean to my investment with your company?…will I get my money back if I cop a category 5?”….. Please share your stories here!

BG did a post in the forums about this today:

I had to comment. Some of the people’s thoughts are priceless….I also need to rethink the software I use for this blog :-)

Older Posts »