Australian Government E-Security Review….

July 6th, 2008 Drazen Drazic

The AGD is leading a review of the Government’s e-security policy, programs and capabilities.
http://www.ag.gov.au/esecurityreview

Submissions are due by 31st July 2008.

The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means with their last couple of suggestions though.

Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:

• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general - hey, it all comes down to software doesn’t it? (inc false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies - rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds - lack of regulation, establishment of base level requirements for security and looking at root cause

I know some of the above is broad in scope and I’m sure that we could develop a large list but at the same time analysis vs practical and realistic solutions to issues needs to be considered. There are many trains of thought - some believe we must just adapt and accept that we’ll always be living and working in an insecure IT world. Others have more hope and that we can turn things around with great effort. Is there a middle ground in the IT world as mirrored in society in general? Can we segment the good from the bad and acknowledge the “grey” areas will always be there?

Posted in Research, Risk Management, Vulnerability Management, cyber crime, governance | 2 Comments »

Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PSS DSS requirement 6.6! Where were they before this???? All  heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger per chance is all of the sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may have already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS  6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

Internet Banking in NZ - Will be interesting to see some test cases….

July 4th, 2008 Drazen Drazic

The Kiwis have had this on the table for a while. Computerworld NZ and MIS Australia amongst others have covered it recently with changes being made to the rules governing online banking in New Zealand.

The Computerworld NZ story has a quote that doesn’t seem to make that much sense but in context of the history of this and what could have been, is now a bit more understandable; “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.

While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.

Mac and Linux users I suppose need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back as a general rule are also watching this.

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 1 Comment »

McAfee concludes some awesome research….

July 2nd, 2008 Drazen Drazic

I don’t really know what more to add. Just in case you weren’t aware of spam and its prevelence and intent:

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime | 1 Comment »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

Eg; Insurgencies in countries such as Iraq where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), (like myself), you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

Trend Micro attacks the bad guys on their own turf….

June 22nd, 2008 Drazen Drazic

Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and I.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password”

We await more information on this. Amazed this has not made headline news in the IT media!

Related post.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, news | 3 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPURCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

IT Media - Cutting Edge Reporting

June 12th, 2008 Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these type of ’stories’ need to be highlighted for what they really are - paid advertising.

This time, it’s our old friend at Symantec - schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

Whats the ’story’, you ask?

Read the rest of this entry »

Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

The Common Configuration Scoring System - NIST Draft

June 12th, 2008 Drazen Drazic

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative hasn’t been
as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml perhaps.

Read the rest of this entry »

Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime | No Comments »

39% of Australians Victims of Cyber Crime?

June 10th, 2008 Drazen Drazic

Another survey and some more frightening statistics as reported in CW and affiliated sites. Luckily the company that undertook the survey has the solution; “Protection against all Internet threats“. (Hey, their words, not mine!)

Does anyone have a link to the survey? 39% sounds pretty high but I have no context from the articles.

Secondly, AVG seems to have joined Symantec with the magic solution. Amazing that we allow companies to get away with such advertising! Related post on mis-leading and false advertising.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, news | 5 Comments »

Stay Smart Online - Latest Australian Government Initiative…

June 6th, 2008 Drazen Drazic

I wonder what the old teams and program developers at NOIE/AGIMO etc think about the latest re-branding of government’s effort to demonstrate care about individual’s and businesses use of IT. (As reported here). I remember the old NOIE site. It was pretty good; rich full of information and a great source of help and knowledge. It was a shame relatively very few people were aware of it.

The latest incarnation with a few added “features” comes at a cost of $1.2M (just on the contract alone to AusCERT as reported by the Australian Newspaper). Will be interesting to see how it all goes…….

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 6 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

Hitting the easy targets and letting the big guys get away with it again and again….

May 29th, 2008 Drazen Drazic

I started to talk about this in a response to the last post here.

I am seeing this trend of organisations with false and mis-leading promises being targeted with our industry’s ire, and as I said, rightly so but is the focus blinkered? I think so…..the easy targets are being hit while others continue to get away with it over and over again.

ScanAlert seems to be one of, if not the most hated products/services by people in our industry. Just look at most security bloggers pages and you’ll see pretty much a consensus of people’s opinions of it. See latest post here for example.

There’s plenty of individuals in our industry who put their thoughts out there and get attacked (when deserved) for it. I know I do. Individuals are easy to target!

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 12 Comments »

Be careful of being too cockey…Lifelock CEO cops it….

May 25th, 2008 Drazen Drazic

Watch the Lifelock ad on the site as it scrolls through. Story at ha.ckers.org.

From the story in Yahoo! News.

Another one to add to the list of failed magical solutions? You have to take any promises of total security with a grain of salt. See recent posts about ScanAlert and the links within the links. (Aside: Is this the most hated product/service in the IT Security industry?)

But then again, we have the old Symantec Guarantee. Posted here again for your viewing pleasure and evidence requirements for any legal action you may ever contemplate. (Though by clicking on the software agreement when you installed it, you probably signed away all rights you had anyway, but worth a shot!)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime, news | 4 Comments »

Some interesting news and thoughts on McAfee/ScanAlert

May 19th, 2008 Drazen Drazic

There’s some interesting links also within the following posts at 0×000000 (and yeah, some backwards and forwards between sites):

http://www.0×000000.com/?i=573
http://www.0×000000.com/?i=574

Interesting that the mainstream IT press hasn’t really picked up on the latter.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

AusCert Day 1: Ends up okay…somewhat….

May 19th, 2008 Drazen Drazic

Okay, I don’t have great expectations of AusCert conferences as most know. They’re a great junket and the social side of things is fantastic. Content though is usually ordinary with only a handful of presentations worth remembering.

I was looking forward to seeing Scott Charney’s “Enabling End to End Trust” keynote given recent discussions about his paper since it’s release. Scott: Impressive background, impressive presenting skills, but gees, if you’re going to travel half-way around the world to talk about your End to End Trust, talk about it!

Read the rest of this entry »

Posted in Research, cyber crime | 10 Comments »

It must be the Chinese Hackers again….

May 9th, 2008 Drazen Drazic

Is there anything bad happening on the net not being blamed on “Chinese Hackers”? Forget the story….same old stuff. Some of the comments here are priceless:

www.theregister.co.uk/2008/05/08/belgium_india_china_warnings/comments/

Now just in case there is some language issues thing here in translation, this is a sarcastic post and in no way talking bad about Chinese Hackers. Point those probes in another direction.

Posted in Bad Stuff, Dumb Security, To cool, WTF, cyber crime | 2 Comments »

More on not logging - “Reverse Compliance”

May 8th, 2008 Drazen Drazic

Declan’s recent post on logging being a double edged sword started some interesting discussion. Anton Chuvakin follows-up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance | 3 Comments »

To regulate IT Security controls/practices or not?!

May 5th, 2008 Drazen Drazic

With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes but I welcome your thoughts on this.

This is not new…it’s something I have ranted about for a while here but as we see the landscape change elsewhere for tighter regulation(s), data breach disclosure laws for eg; coming into existence in other parts of the world, we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of some form of enforcement of good practice and even that is operated outside of the bounds of government and local controls.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their core/root or does awareness just mean actioning the latest hot area/topic? I put it out there that that is the case.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, it’s a shareholder value issue, it’s a national security issue..etc etc… Is regulation the key to change here? If not, what is?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 2 Comments »

Microsoft serves COFEE to the police…and a death sentence to employee!?

May 1st, 2008 Drazen Drazic

By Declan Ingram

Upon speculation that Microsoft had build backdoors into Vista, Niels Ferguson, a developer and cryptographer at Microsoft wrote:

“The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data……..Over my dead body“

That’s very reassuring.. Until this was released : “Microsoft device helps police pluck evidence from cyberscene of crime“.

Read the rest of this entry »

Posted in Bad Stuff, Industry Specialists Talk, Research, WTF, cyber crime | 9 Comments »