Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (Talking to industry dudes, cred may already be gone.) Were they pushing the same message 12 months ago? Are they now a QSA (not that that matters so much, but they may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

The Pope is coming so you must be nice or you’ll be in trouble…

July 3rd, 2008 Drazen Drazic

By straxd

Nobody expects an Australian inquisition….

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; coincidentally written by Julian of Chaser fame. One could put forward the argument that this has been set up for the Chaser team, and that other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone! :-)

Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, WTF | 15 Comments »

McAfee concludes some awesome research….

July 2nd, 2008 Drazen Drazic

I don’t really know what more to add. Just in case you weren’t aware of spam and its prevalence and intent:

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime | 1 Comment »

A look at Australian Telecoms……

June 28th, 2008 Drazen Drazic

Enjoyed this post at Wade’s: How the Australian Carriers Missed it.

Posted in Bad Stuff, Research, To cool | 1 Comment »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences for security in general.

E.g. insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), like myself, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

Trend Micro attacks the bad guys on their own turf….

June 22nd, 2008 Drazen Drazic

Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and me.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password”

We await more information on this. Amazed this has not made headline news in the IT media! :-)

Related post.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, news | 3 Comments »

Information Security Certifications……

June 22nd, 2008 Drazen Drazic

At Securus Global (blatant marketing plug for all readers should you need our services), when I hire specialists to join the team, “certifications”, to me, mean zip…nothing….zero! We get CVs all the time and we are in a proud and lucky position, based upon our reputation, that people want to work at SG! I feel honoured by that, and every CV sent to us makes me feel like SG, as an organisation, is somewhere where real, industry-passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).

Posted in Bad Stuff, Disclosure Laws, Research, WTF | 4 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of the services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no-liability market that few or no other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1, pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems for those people who buy it! If problems occur, NO LIABILITY AND NO LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

IT Media - Cutting Edge Reporting

June 12th, 2008 Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ‘stories’ need to be highlighted for what they really are - paid advertising.

This time, it’s our old friend at Symantec - schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ‘story’, you ask?

Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

39% of Australians Victims of Cyber Crime?

June 10th, 2008 Drazen Drazic

Another survey and some more frightening statistics as reported in CW and affiliated sites. Luckily the company that undertook the survey has the solution: “Protection against all Internet threats”. (Hey, their words, not mine!)

Does anyone have a link to the survey? 39% sounds pretty high but I have no context from the articles.

Secondly, AVG seems to have joined Symantec with the magic solution. Amazing that we allow companies to get away with such advertising! Related post on misleading and false advertising.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, news | 5 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

Hitting the easy targets and letting the big guys get away with it again and again….

May 29th, 2008 Drazen Drazic

I started to talk about this in a response to the last post here.

I am seeing this trend of organisations with false and misleading promises being targeted with our industry’s ire, and as I said, rightly so. But is the focus blinkered? I think so…..the easy targets are being hit while others continue to get away with it over and over again.

ScanAlert seems to be one of, if not the, most hated products/services by people in our industry. Just look at most security bloggers’ pages and you’ll see pretty much a consensus of people’s opinions of it. See latest post here for example.

There’s plenty of individuals in our industry who put their thoughts out there and get attacked (when deserved) for it. I know I do. Individuals are easy to target!

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 12 Comments »

Be careful of being too cocky…Lifelock CEO cops it….

May 25th, 2008 Drazen Drazic

Watch the Lifelock ad on the site as it scrolls through. :-) Story at ha.ckers.org.

From the story in Yahoo! News.

Another one to add to the list of failed magical solutions? You have to take any promises of total security with a grain of salt. See recent posts about ScanAlert and the links within the links. (Aside: Is this the most hated product/service in the IT Security industry?)

But then again, we have the old Symantec Guarantee. Posted here again for your viewing pleasure and evidence requirements for any legal action you may ever contemplate. (Though by clicking on the software agreement when you installed it, you probably signed away all rights you had anyway, but worth a shot!)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime, news | 4 Comments »

Some interesting news and thoughts on McAfee/ScanAlert

May 19th, 2008 Drazen Drazic

There’s some interesting links also within the following posts at 0x000000 (and yeah, some backwards and forwards between sites):

http://www.0x000000.com/?i=573
http://www.0x000000.com/?i=574

Interesting that the mainstream IT press hasn’t really picked up on the latter.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

It must be the Chinese Hackers again….

May 9th, 2008 Drazen Drazic

Is there anything bad happening on the net not being blamed on “Chinese Hackers”? Forget the story….same old stuff. Some of the comments here are priceless:

www.theregister.co.uk/2008/05/08/belgium_india_china_warnings/comments/

Now just in case there is some language issues thing here in translation, this is a sarcastic post and in no way talking bad about Chinese Hackers. Point those probes in another direction. :-)

Posted in Bad Stuff, Dumb Security, To cool, WTF, cyber crime | 2 Comments »

Microsoft serves COFEE to the police…and a death sentence to employee!?

May 1st, 2008 Drazen Drazic

By Declan Ingram

Upon speculation that Microsoft had built backdoors into Vista, Niels Ferguson, a developer and cryptographer at Microsoft, wrote:

“The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data……..Over my dead body”

That’s very reassuring... until this was released: “Microsoft device helps police pluck evidence from cyberscene of crime”.

Posted in Bad Stuff, Industry Specialists Talk, Research, WTF, cyber crime | 9 Comments »

They should be using Symantec….

April 30th, 2008 Drazen Drazic

Nice timing with the little muscle man picture. Hacker Safe not safe again. You’d think they’d learn but no…..

Everyone as we know should be using Symantec. They have the guarantee against “unknown and zero-day threats” as documented here.

Give us a flex dude!

Posted in Bad Stuff, Dumb Security, WTF | No Comments »

My update with the PCI Security Standards Council….

April 30th, 2008 Drazen Drazic

The following is an enormous bitch about the PCI Security Standards Council. If you are sick of hearing about PCI DSS or reading about it from me, hit the “back” key now.

Securus Global/DD is industry focused so if this means I lose business because I piss off the PCI SSC, so be it! They’ve already cost me business because of how they operate. Before I rant, let me start with this from a couple of weeks ago; my last rant about them. Interesting responses! Also thought it was finally getting better at the end. Little did I know…….

Now for the latest in Fawlty Towers operations:

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS | 6 Comments »

Google Ads Lie?!

April 29th, 2008 Drazen Drazic

Just wrote about this on ITSecuritylink.

Posted in Bad Stuff, WTF | No Comments »

LOL - Chaser Team gets off.

April 28th, 2008 Drazen Drazic

No surprise the Chaser dudes got off.

Previous post on this and full clip. This was a classic!

Posted in Bad Stuff, Dumb Security, To cool, WTF | 1 Comment »