The Liverpool City Council building has burned down. Reported here in the SMH.

Listening to the Mayor being interviewed on radio this afternoon, you get the sense that the data loss and impact will be huge. I don’t think she [the Mayor] gets what a problem they have. They believe they have backup tapes “from last Thursday”, but don’t seem to have computers to restore them to. They believe they’ll have *a* computer in a temporary office, “but no email”.

Listening to this, I just thought, what a f**king disaster! What genius decided that a disaster recovery plan (DRP) was not worth having? (Unless of course this has all been reported incorrectly.) If it hasn’t been, this will be a great case study.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



- Wayne from Securus Global did us proud at the DefCon Social Engineering CTF Tournament in Las Vegas recently. It picked up a bit of press coverage; just a couple of examples from ITNews and InfoWorld. It really demonstrates how someone can target a company and, relatively simply (with the right training, know-how and expertise), own it. Unfortunately, we don’t see many organisations doing this type of assurance and testing, or showing much interest in it. Keen on your thoughts.

- Louis from Securus Global was involved with the French team that blitzed it at the DefCon Hacking CTF. Both Wayne and Louis, along with other Securus Global team members, will be doing a few presentations in Melbourne and hopefully Sydney soon on various topics including penetration testing, web application security and social engineering. Stay tuned to our website as we kick off our series of Breakfast Briefs and Technical Sessions again in Q4, 2010.

- This is pretty cool. The hacker character who is one of the leads in a new novel is based on Dean Carter. Reported here at ZDNet. Who’s going to play Dean in the movie will be interesting.

- Checkout the Australian Information Security Bloggers Directory and see what the local guys are up to.

- Local scene roundup here.

- In numerous links above, you’ll see Securus Global has a new website. It’s a WIP (again). Websites and website development are a pain. Too much information, too little information… can you win? We’re better at testing and breaking them than we are at making our own, I reckon, but that’s an old story. Would love to hear from people on which security organisation has a good website. Just curious… :)

- With the election just around the corner, we can safely say that neither major party seems to have a clue about technology: the Internet, eCommerce and everything else related. Few, if any, of the issues and questions I have posted here are being, or will be, addressed. I do ask again though: where has the money that Stephen Conroy promised, and has used in his marketing for the Internet Filter (i.e. the millions for additional policing for child protection on the Net), gone? Almost 3 years of hearing about it. No answers.

———————————————————————————————-



Let it “anger” the “Christian Lobby”: Coalition filter stance angers Christian lobby.

Would love to get some bible quotes to establish any precedent for their position. Anyone? :-) (Assuming you abide by, and accept, that as “law”.)

———————————————————————————————-



There’s always been a discrepancy between banks in their approach to getting their merchants and service providers PCI DSS compliant.

Some have had a very strong focus on PCI DSS compliance while others have been relatively quiet. In theory, there should not have been such a discrepancy. Merchants and service providers should always have had a consistent message, so that changing banks to defer PCI DSS compliance was never an option. Was it? Did many, or any, do it? For some, it definitely would have bought them time in my opinion.

It’s interesting that in 2010, after deadline after deadline for compliance has passed, there are so many organisations out there where PCI DSS compliance is just not a priority (but where you know it should have been, a long time ago). Where you have to question things further is why a company down the road, in the same industry and about the same size but with a different bank, has been investing heavily and working hard on compliance for 2 years with constant pressure on them from their bank.

To paraphrase a contact of mine in one of the aforementioned organisations where the bank is doing little: “We know that we should be PCI compliant. We were prepared for some pain a couple of years ago, but it never came. It’s gone cold now. No one’s chasing us and, for the most part, it’s been forgotten. It may come back but I can’t see it in the short term.”

Where is the consistency that will bring the greater credibility? It’s only fair that some will question the overall program. How hard are the Card Brands fighting to maintain an interest from the banks?

———————————————————————————————-

Posted in: Bad Stuff, PCI, PCI DSS


Commodity: (from Wikipedia): A commodity is a good for which there is demand, but which is supplied without qualitative differentiation across a market. It is fungible, i.e. the same no matter who produces it. Examples are petroleum, notebook paper, milk or copper.

Would you classify hacking, security testing, targeted vulnerability analysis and research, etc. (activities that in one form or another come under the banner of “penetration testing”) as a commodity? Many do… wrongly!

It seems to be a pattern that the larger the consulting organisation, the greater the drive to rapidly “commoditise” those activities that are not core to the business, that stress* resource capabilities and that have lower profit margins (but are a necessary part of their business in order to compete). The end result is generally an attempt to outsource these capabilities to cheaper labour, to relieve the “stress” and to increase profit margins. (*“stress”, in the above scenario: the issues, pressures and costs associated with attaining and maintaining exceptional quality people.)

Is the assumption that, with a little bit of training and the right tools, anyone can deliver this [penetration testing] work insulting to the people who are experts in this field? Of course it is. (Even outside the context of “commoditisation”, the topic at hand, you can argue validity on skillset alone for individuals and/or organisations who don’t view it as a commodity service but rather market themselves as experts when they are not.)

I can see an argument for the commoditisation of penetration testing – but only in a world where nothing is changing, tools mature to cover most likelihoods and scenarios, and a general awareness/expertise level where such knowledge is no longer the differentiator it once was. This is not the world we live in.

Historically we have learned that “outsourcing” can have a detrimental impact on quality of service, with reduced ownership, awareness, oversight and visibility… and reduced security. Valid points in this discussion in my opinion.

The other day I read somewhere someone promoting “Penetration Testing from the Cloud”. WTF is that? If a client of mine is rolling out a new technology, hardware, software or both, is some outsourcing mob going to be able to effectively test the security of this new system for my client? I doubt it! For businesses dealing with organisations that have self-determined that penetration and other security testing can be done by sweatshops, will they know that their business is being serviced by such sweatshops (fronted by a reputable name)?

I acknowledge you can commoditise certain things, well, to a degree at least… and even then, you still have to have the caveats in place. As an industry, we are still young and struggling to get even the basics and fundamentals of Information Security across to the broader community. Commoditisation in most cases for our industry is detrimental to the cause. Taking the intelligence out of things is just plain stupidity. Realising that it [commoditisation] is being done in most cases to increase the profitability of a company whose focus is purely to make money from you should make you question and thoroughly assess what it is you are buying and whether it really is providing benefits to you.

You can’t run an F1 car on dirty 91 RON. (And if you want to argue that your business is not an F1 car, but rather a Toyota Camry, ask the owner or CEO if he agrees). :)

———————————————————————————————-



We’ve talked quite a bit about PCI DSS compliance here (http://beastorbuddha.com/category/pci/). Generally, we’ve looked at what is going wrong, what can go wrong and, from there, what organisations should be considering in order to do it better. Here we look at it from a slightly different perspective, though not a wholly new one either; we’ve touched on and skirted around this a few times.

While PCI DSS has been a good wake-up call for many organisations, there’s a negative side which doesn’t get much attention, lost in all the talk about the benefits PCI DSS has brought to organisations that previously had weak to non-existent security practices: security strategy based solely on compliance.

It doesn’t work.




Dear AusCERT Delegate

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and has been known since 2008.

The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server, whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

If you have inserted the USB device into your Microsoft Windows machine, we suggest that you contact your IT administrator for assessment, remediation and removal, or you may want to take the precaution of performing the steps below.

Steps to remove the malware:

1. Turn off System Restore
[Start > Programs > Accessories > System Tools > System Restore]
Turning off System Restore will enable your anti virus software to clean the virus from both your current system and any restore points that may have become infected.

2. Update your antivirus tool with the latest antivirus definitions
[available from your anti virus vendor of choice].

3. Perform a full system scan with your AV tool to confirm the existence of the infection. If malware is detected, allow your AV to complete a clean.

4. On completion of this process, complete a second scan using a different anti virus product. Free anti virus products are available from known companies such as AVG, Avira, Panda Software, or Trend Micro.

5. Once a second scan has been performed and it is determined that your workstation is free of any known malware, as a precautionary measure we recommend that you perform a back up of all vital files on your workstation and perform a full re-installation of the operating system. This process will remove the risk of other unknown or undetected malware that may be present on your machine.

If you experience difficulties with the above steps, please contact the IBM Security Operations Team at secops@au1.ibm.com. An IBM technical support person will contact you by phone to assist you.

We regret any inconvenience that may have been caused.

Glenn Wightwick
Chief Technologist
IBM Australia
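The propagation path the notice describes is Windows AutoRun: on insertion, Windows reads an autorun.inf at the root of the volume (the notice writes “autorun.ini”; the file Windows actually consults is autorun.inf) and launches whatever its open= or shell\…\command= entries name. The script below is an added example, not part of the original post or of IBM’s notice: it parses an autorun.inf from a mounted volume, resolves each launch target on that volume and hashes it, so an incident responder can see exactly what would have run and compare the hash against AV or sandbox reports. The sample volume it builds (a temporary directory with an autorun.inf and a placeholder setup.exe) is constructed here and is not the IBM key’s contents. One caveat for the reader applying this today: Windows 7 and later, and earlier versions with update KB971029, no longer honour autorun.inf on USB mass storage, so this launch path applies to unpatched XP/Vista-era machines of the kind the notice was addressing.

```python
"""Added example (not from the original post or IBM's notice): inspect a
mounted volume for autorun.inf and report what Windows AutoRun would launch.
Sample volume contents are constructed below for demonstration only."""
import hashlib
import os
import tempfile

# autorun.inf keys that cause something to execute on insertion / double-click
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: command} for launch entries in the [autorun] section.
    Handles open=, shellexecute= and shell\\<verb>\\command= lines; keys are
    case-insensitive in autorun.inf, so they are lower-cased here."""
    cmds = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # ';' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds[key] = value.strip()
    return cmds


def first_token(command):
    """Executable part of a command line: quoted name or first whitespace token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_volume(root):
    """Report AutoRun launch targets under volume root.
    Returns a list of dicts: key, command, resolved target path, whether the
    target exists on the volume, and its SHA-256 (None if missing)."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        cmds = parse_autorun(fh.read())
    findings = []
    for key, command in cmds.items():
        target = first_token(command).replace("\\", os.sep)
        path = os.path.normpath(os.path.join(root, target))
        entry = {"key": key, "command": command, "target": path,
                 "exists": os.path.isfile(path), "sha256": None}
        if entry["exists"]:
            entry["sha256"] = sha256_file(path)
        findings.append(entry)
    return findings


def build_sample_volume():
    """Constructed sample: a volume root whose autorun.inf launches setup.exe.
    The setup.exe here is placeholder bytes, not a real PE or the real malware."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\n"
                 "; constructed sample, mimics a typical worm-dropped autorun.inf\n"
                 "open=setup.exe\n"
                 "icon=setup.exe,0\n"
                 "shell\\open\\command=setup.exe /s\n"
                 "label=Conference Materials\n")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    for finding in inspect_volume(build_sample_volume()):
        print(finding)
```

Run it against a real key by calling inspect_volume with the mount point (for example /media/usb or E:\) from a non-Windows host or a machine with AutoRun disabled, so that the inspection itself never triggers the launch it is reporting on.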
———————————————————————————————-



By Declan Ingram.

Thought provoking read over at the Register: Feds seize $143M worth of bogus networking gear.

While the article is mainly about counterfeit hardware (Cisco etc.) seized in the US, some of which was used by the US Marines in Iraq, there are two parts that got my attention:

1) The counterfeit gear could have backdoors. (Well yes, and this is not news for many; I’d be surprised if some or most of it doesn’t.)

2) This lovely quote: “In May of 2008, Cisco officials said they had no evidence that any of the counterfeit networking gear contained backdoors”. If these are the same officials that have missed all the other security issues to date (and in the future), then I’m not sure this statement makes me feel any better.

This reminds me of a friend of mine who years ago purchased some pirated operating systems on CD in Malaysia. They had been backdoored and, once installed, allowed anyone on the Internet to gain full access. I had a giggle, I must say. You really get what you pay for… and more. (Remote support?) :)

The (potential) security problems of pirated software have been well documented for some time. Most will have looked at backdoored ‘cracks’ for proprietary software etc., but bogus hardware? Backdoored from day 0? Cisco gear is generally top shelf, so it is more likely to get noticed, but what about lesser brands or even your generic ‘sourced’ components? The flash drive from eBay? The cheap video card you got for your server so you can install the OS? Have a think about it.

Could organised crime use this to offset the cost of components? OK, that could well just be pure FUD… but… :)

I bet some (most?) bogus gear comes from the same factory as the legit gear. Stands to reason. If it is backdoored, what assurance do we have that the legit gear isn’t? How would we (or anyone else) ever know? Few know where to start in assessing the security of their supply chain.

———————————————————————————————-



There are only a few security-focused companies I trust(ed), and PGP was one of them. They’ve now fallen into the hands of this mob.

One of my all-time favourite posts here.

A case of too much money in the bank and on the flipside, easy-money. It’s business I suppose.
———————————————————————————————-

Posted in: Bad Stuff, WTF


- Did Tony Abbott really say we don’t need better Internet bandwidth and speeds? Sounds that way. Example. Don’t you hate it when politics gets in the way of growth and improvements? In Australia, this is the norm sadly. On the flipside, I suppose you could argue that Conroy and co. have struggled with the NBN project from the outset. Well, it seems that way to me. Check out some history and delivery dates here.

- Have things gone a bit quiet on the Internet Filter side of things again? It happens, and just as you think (hope) it’s going away, it pops back up again. Had some interesting chats with Kate Lundy’s office about this a little while ago. Thanks to Kate, Pia and team for taking our thoughts on board. If you’re interested, the comments and opinions we put forward were in line with previous postings here on Beast or Buddha (as per the previous link).

Overall, you’d have to say Australia moves very slowly these days in terms of Government and technology. We came out of the blocks quite well, and even up to the early 90s were up there, but we’ve slumped back into being a distant follower and have been for a long time. The last couple of years’ effort from the Government is cementing us into this position. But while Tony Abbott plays political games, there’s nothing of substance coming from him in this regard to suggest he is an alternative, and the previous government laid the foundations of our weak e-Economy. Keen on your thoughts…

———————————————————————————————-


