Security Consortium Watch…..

Posted on March 9th, 2010 by Drazen Drazic

I’m not going to go back over all the old posts to try to remember who all these mobs were, but is there a consortium still doing anything? e.g. ICASI and SAFECode, etc etc…..

Some previous posts mentioning them: http://beastorbuddha.com/?s=consortium

Not much more to add that I haven’t already said in the link above and links within the posts.

Is there a Cloud one also? Sure there is. :)

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Stuff, Dumb Security, WTF | 1 Comment »

“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out our “Emerging Threats” presentation (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, e.g. “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

Symantec Customers Immune to Rising Security Threats! (Late Update: Maybe Not!)

Posted on February 23rd, 2010 by Drazen Drazic

Symantec Press Release 22 February, 2010: Symantec 2010 State of Enterprise Security Study……

(Time to pump out another piece of marketing to get people thinking about buying Symantec. Here’s the report if you are interested in wasting a few minutes).

Just reading this now…….wooo…..hang on……what I don’t see anywhere in this report is a proud statement that Symantec customers are the lucky few that are safe from malicious attacks that other businesses are facing.

Why is this not in there Symantec? Surely you should be beating your own drums given you so proudly told us all some time ago that your product(s), and I quote; will provide “…proactive protection against unknown and zero-day threats”. It’s the Symantec Guarantee!

As such, surely Symantec customers do not have the same concerns as those poor businesses you mention in your study. Let us know if this was just an error on your part, or Symantec just not wanting to show off here because, surely you would not use bullshit marketing in the past?! :)

Posted in Bad Stuff, Dumb Security, Too cool, Vulnerability Management, WTF, cyber crime | 20 Comments »

Big Best Congrats to iiNet……..

Posted on February 4th, 2010 by Drazen Drazic

Made my day when I heard iiNet won their case against the Film Industry! Here reported by itnews. Awesome. Hoping some common sense will prevail and workable collaborative efforts can happen now. Well done iiNet.

Some of our previous posts on this topic…worth a read:
http://beastorbuddha.com/?s=iinet

Posted in Dumb Security, Internet Filtering, WTF | No Comments »

Internet Censorship – Taking the Power Back (REPOST)

Posted on January 30th, 2010 by Drazen Drazic

This video was put together by Donal and Wade at the recent RSA Conference in San Francisco (April 2009).

Dan Kaminsky, Pete Lindstrom and Marcus Ranum put forward their thoughts on Australia’s plan to censor the Internet. Dan talks about many of the issues that Securus Global’s Matthew Strahan talked about in his interview with ban.this.url. Surprising that these concerns have barely rated a mention here. Marcus certainly adds some interesting analogies and angles to the whole debate.

Related Posts on Internet Filtering. Thanks to Donal and Wade for representing BorB at the Blogger Meetup at the conference.

Posted in Bad Stuff, Dumb Security, Internet Filtering, WTF | 4 Comments »

Obama position on Internet Censorship

Posted on January 30th, 2010 by Drazen Drazic

Thanks to Wade for this one (and @Wadeis on Twitter). A bit late on my part, but worth a read.

Obama position on; “…right to a free internet….and unshackled internet” – article from The AGE: White House steps into China-Google row.

I wonder how that marries up to Stephen Conroy’s position and thoughts? Yes, I know he’ll “sell” his “project” as a different beast but is it really? We know the implications. More here: http://beastorbuddha.com/category/internet-filtering/

Can you have shades of grey here and spin to suit the occasion/scenario? Keep the fire burning people.

Posted in Bad Stuff, Dumb Security, Internet Filtering, WTF | No Comments »

China, Google, Marketing etc etc…..

Posted on January 25th, 2010 by Drazen Drazic

Random thoughts: News?, OMG really?….nah!, Awesome marketing move Google!, Using the Net for spying…you naughty boys China…you’re the only ones and need to be punished :) , Hang on, he who controls the pipes…controls it all? It’s okay as long as it’s not someone other than us doing it!, yawn…..news?, Great marketing….I’m pulling out of China too! Write it up journos, I need more business!

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 1 Comment »

“The Great Australian Internet Blackout” Information

Posted on January 25th, 2010 by Drazen Drazic

Run by Electronic Frontiers Australia (EFA), “The Great Australian Internet Blackout” is on.

Some background on this from our perspective can be found here. This is important.

We’ve been against this Government “initiative” from the outset. It is flawed on so many levels, so please, have a read and pass this information onto your colleagues, family and friends, if you haven’t already.

We need critical thinkers to push this information out into the broader community who may not understand the real issues outside of the Government spin on it. We need to wake up our fellow Australians!

Posted in Dumb Security, Internet Filtering, WTF | 1 Comment »

Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop.

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

Only 2 minutes a day to a secure business – Trust Me!

Posted on January 2nd, 2010 by Drazen Drazic

It amazes me that just as I think there’s no more new Ab Blaster type machines that could possibly be created, a new one pops up on one of those infomercials. They get stupider and stupider looking with each generation, but given those infomercials aren’t cheap, they must sell a bomb.

Who buys these things, I think to myself? The obvious answer is those people who don’t know any better, know nothing about exercise and fitness, and who actually believe these things will give them; easily, in quick time and with minimal effort on their part, the same abs as the athletes who promote the devices, (who most likely have never used these machines).

Here’s the big tip: Commitment to getting there, combined with a strict diet and exercise routine, will get you those washboard abs. The new whiz bang device on its own won’t. It won’t even play a large part in getting you there. I’ll guarantee that one!

No Rocket Science degree required to get the analogy here. :)

Posted in Bad Stuff, Dumb Security, WTF | 12 Comments »

Rules for Email Attachments – A Matter of Trust

Posted on December 19th, 2009 by Drazen Drazic

Re: Malware – you are always warned to not open attachments from those you don’t know. What about the ones from your dumb mates?

That should be rule number 1. Trust the stranger before trusting your non-IT, care-factor zero mates. Then move onto rule 2.

Hey, I’ve got a Mac. :)

Posted in Bad Stuff, Dumb Security, WTF | 3 Comments »

Internet “Filtering” Trial and Report – Flawed

Posted on December 15th, 2009 by Drazen Drazic

Reading through the ISP Filtering Live Report(s) – still wondering what this proves. Is anyone surprised by the findings? I’d have been surprised if it was much different. Now to base a full blown strategy (flawed in concept according to many from the outset) on a test/trial whose scope is ridiculously inadequate to represent a real-life implementation. It would be laughable if the impacts upon us of this progressing weren’t potentially so serious. Where to start? What hasn’t been said before? Refer here:
http://beastorbuddha.com/category/internet-filtering/

Posted in Bad Stuff, Dumb Security, Internet Filtering, Uncategorized, WTF | 8 Comments »

Core Security Skill Requirements

Posted on December 2nd, 2009 by Drazen Drazic

There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at people and organisations who might just be waking up out of their slumber into the real world that we, (security people), have lived in for the last 2 or more decades. The alarm’s on snooze still though in my opinion.

I find this interesting. Aside from keeping up with technical/researcher type knowledge, (which most of these articles rarely refer to), what are these new “core skills” that we should all be developing? Keen to know if I have missed anything.

Posted in Dumb Security, Research, Risk Management, WTF, governance | 7 Comments »

iPhone “worm” discussion….

Posted on November 12th, 2009 by Drazen Drazic

I enjoyed listening to Paul Ducklin on the latest Risky Business podcast that featured interviews on this iPhone “worm”. Worth a click through to Risky Business.

Posted in Bad Developers, Dumb Security, cyber crime | 44 Comments »

Industry Bodies and Representation

Posted on October 25th, 2009 by Drazen Drazic

Wondering at what stage industry associations, user-groups and the like decide that they represent their business sector and the people in it. The Australian Computer Society is a classic in its claims:

“The ACS (Australian Computer Society) is the recognised professional association for those working in Information and Communications Technology, seeking to raise the standing of ICT professionals and represent their views to government, industry and the community.
A member of the Australian Council of Professions, the ACS is the guardian of professional ethics and standards in the ICT sector, committed to ensuring the beneficial use of ICT for all Australians.”

It’s mostly nonsense as we know, but I worry about groups like this sometimes. By way of the name and their marketing, those who don’t know them could mistakenly actually believe they are all these things and make decisions based upon this. Gees, the Government seems to at times. What scares me though is; are the self-appointed “voices” for the industry sufficiently expert to make and put forward competent positions? We’ve seen in the past that sometimes they’re not.

Posted in Bad Stuff, Dumb Security | 70 Comments »

Australian Computer Society and Internet Filtering

Posted on October 12th, 2009 by Drazen Drazic

Thanks to Peter for the link to this one here:
http://www.itnews.com.au/News/158006,acs-gives-conditional-thumbs-up-to-internet-filtering.aspx

Get the splinters out of your backsides ACS. Did you need to create this piece of work to justify your existence or are you trying to come across as a voice of reason…or do you truly believe you’ve come up with something groundbreaking?

Regardless, you look dumb and as irrelevant as always. A personal opinion. Just my thoughts and as usual, opening myself up to flames. :)

Posted in Bad Stuff, Dumb Security, Internet Filtering, WTF, cyber crime | 16 Comments »

Loving Cloud Computing

Posted on October 5th, 2009 by Drazen Drazic

Thanks to Wade for sending me this.

Posted in Dumb Security, Too cool | 4 Comments »

A Question of Control

Posted on September 11th, 2009 by Drazen Drazic

By Declan Ingram

There has been a lot of discussion on here about 3rd party/cloud computing etc security (or lack thereof). For many, this didn’t seem hugely relevant at the time as there was always a choice (or people just didn’t think it was going to be something that affected them). Recently however, the choice seems to be getting smaller.

The 3rd party management model is becoming…or should I say, has become, so popular now, that it is hard to keep control. (Control? Yes, of your information!).

Think about it. How much of your security is technically enforced by a 3rd party appliance? (And, how secure are they?) How much of your data is housed, managed, monitored, etc by a 3rd party? Professionally and personally we are giving ourselves away. More importantly, has this been looked at during your last Threat Risk Assessment? (Has your organisation even done one?)

From my experience, so many organisations that we audit have core data and systems housed and managed by 3rd parties, and nearly all of them have dangerously one-sided contracts……dangerously favouring the 3rd party.

Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Risk Management, governance | 12 Comments »

Consulting Elite – Do Not Enter

Posted on September 5th, 2009 by Drazen Drazic

I reckon Scott Adams’ chapter on “Management Consultants”, (in his book, “The Dilbert Principle*”) is still the best I have read on this topic. If you are a consultant and you haven’t read this chapter about your job, go out and do it right now! You may learn quite a bit.

It still amazes me that there is still an attitude of elitism amongst many consultants and consulting firms that if you haven’t been a “consultant” before, you are not worthy of consideration for a role within a consulting organisation – regardless of a person’s actual expertise and experience.

I know a lot of people who have tried to crack into consulting – coming from an internal role, and who have hit a brick wall.

Posted in Bad Stuff, Dumb Security, WTF | 12 Comments »

Outsourced (unauthorised) Vulnerability Assessment – Testing for Porkies!

Posted on August 28th, 2009 by Drazen Drazic

Looking at data like this from the Conficker Working Group and talking to many Information Security Managers/CSOs still having to deal with outbreaks in their organisations, you have to wonder what’s going on. The general theme seems to be; “Infrastructure lead told us this was under control….they patch (always!)…..they now tell us [post infection], they “sometimes” patch!….Now it’s out of control!”

LOL…usually the same guys who see no merit in vulnerability assessment/management systems and penetration testing (plus security in general?). Why buy something like QualysGuard when you can get a pretty thorough test for free, I suppose? (If you can deal with the repercussions). From the CSO perspective; Automated Porkie Testing…no client-side input required. :)

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF | 1 Comment »