Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PSS DSS requirement 6.6! Where were they before this???? All  heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger per chance is all of the sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may have already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS  6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

The Pope is coming so you must be nice or you’ll be in trouble…

July 3rd, 2008 Drazen Drazic

By straxd

Nobody expects an Australian inquisition….

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; co-incidentally written by Julian of Chaser fame. One could put forward the argument that this has been setup for the Chaser team and other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone! :-)

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, WTF | 15 Comments »

McAfee concludes some awesome research….

July 2nd, 2008 Drazen Drazic

I don’t really know what more to add. Just in case you weren’t aware of spam and its prevelence and intent:

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime | 1 Comment »

Another consortium formed to “enhance global IT security”…

June 28th, 2008 Drazen Drazic

Is this a reaction to the monkeynet project? You have to wonder.

We had SAFECode announced last year and now comes ICASI, (Industry Consortium for Advancement of Security on the Internet). Release:
http://www.icasi.org/articles/art_001.htm

How they’re going to; “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium! :-)

Recent update on SAFECode.

Posted in Dumb Security, Research, Risk Management, WTF | 6 Comments »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

Eg; Insurgencies in countries such as Iraq where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), (like myself), you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

Trend Micro attacks the bad guys on their own turf….

June 22nd, 2008 Drazen Drazic

Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and I.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password”

We await more information on this. Amazed this has not made headline news in the IT media! :-)

Related post.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, news | 3 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPURCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

IT Media - Cutting Edge Reporting

June 12th, 2008 Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these type of ’stories’ need to be highlighted for what they really are - paid advertising.

This time, it’s our old friend at Symantec - schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

Whats the ’story’, you ask?

Read the rest of this entry »

Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

39% of Australians Victims of Cyber Crime?

June 10th, 2008 Drazen Drazic

Another survey and some more frightening statistics as reported in CW and affiliated sites. Luckily the company that undertook the survey has the solution; “Protection against all Internet threats“. (Hey, their words, not mine!)

Does anyone have a link to the survey? 39% sounds pretty high but I have no context from the articles.

Secondly, AVG seems to have joined Symantec with the magic solution. Amazing that we allow companies to get away with such advertising! Related post on mis-leading and false advertising.

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, news | 5 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

Data Classification - Effective? Has it ever been or really worked?

June 2nd, 2008 Drazen Drazic

I was talking to a colleague to the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on. :-)

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.

Read the rest of this entry »

Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management | 11 Comments »

Hitting the easy targets and letting the big guys get away with it again and again….

May 29th, 2008 Drazen Drazic

I started to talk about this in a response to the last post here.

I am seeing this trend of organisations with false and mis-leading promises being targeted with our industry’s ire, and as I said, rightly so but is the focus blinkered? I think so…..the easy targets are being hit while others continue to get away with it over and over again.

ScanAlert seems to be one of, if not the most hated products/services by people in our industry. Just look at most security bloggers pages and you’ll see pretty much a consensus of people’s opinions of it. See latest post here for example.

There’s plenty of individuals in our industry who put their thoughts out there and get attacked (when deserved) for it. I know I do. Individuals are easy to target!

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 12 Comments »

Be careful of being too cockey…Lifelock CEO cops it….

May 25th, 2008 Drazen Drazic

Watch the Lifelock ad on the site as it scrolls through. :-) Story at ha.ckers.org.

From the story in Yahoo! News.

Another one to add to the list of failed magical solutions? You have to take any promises of total security with a grain of salt. See recent posts about ScanAlert and the links within the links. (Aside: Is this the most hated product/service in the IT Security industry?)

But then again, we have the old Symantec Guarantee. Posted here again for your viewing pleasure and evidence requirements for any legal action you may ever contemplate. (Though by clicking on the software agreement when you installed it, you probably signed away all rights you had anyway, but worth a shot!)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime, news | 4 Comments »

Some interesting news and thoughts on McAfee/ScanAlert

May 19th, 2008 Drazen Drazic

There’s some interesting links also within the following posts at 0×000000 (and yeah, some backwards and forwards between sites):

http://www.0×000000.com/?i=573
http://www.0×000000.com/?i=574

Interesting that the mainstream IT press hasn’t really picked up on the latter.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

It must be the Chinese Hackers again….

May 9th, 2008 Drazen Drazic

Is there anything bad happening on the net not being blamed on “Chinese Hackers”? Forget the story….same old stuff. Some of the comments here are priceless:

www.theregister.co.uk/2008/05/08/belgium_india_china_warnings/comments/

Now just in case there is some language issues thing here in translation, this is a sarcastic post and in no way talking bad about Chinese Hackers. Point those probes in another direction. :-)

Posted in Bad Stuff, Dumb Security, To cool, WTF, cyber crime | 2 Comments »

They should be using Symantec….

April 30th, 2008 Drazen Drazic

Nice timing with the little muscle man picture. Hacker Safe not safe again. You’d think they’d learn but no…..

Everyone as we know should be using Symantec. They have the guarantee against “unknown and zero-day threats” as documented here.

Give us a flex dude!

Posted in Bad Stuff, Dumb Security, WTF | No Comments »

My update with the PCI Security Standards Council….

April 30th, 2008 Drazen Drazic

The following is an enormous bitch about the PCI Security Standards Council. If you are sick of hearing about PCI DSS or reading about it from me, hit the “back” key now.

Securus Global/DD is industry focused so if this means I lose business because I piss off the PCI SSC, so be it! They’ve already cost me business because of how they operate. Before I rant, let me start with this from a couple of weeks ago; my last rant about them. Interesting responses! Also thought it was finally getting better at the end. Little did I know…….

Now for the latest in Fawlty Towers operations:

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS | 6 Comments »

LOL - Chaser Team gets off.

April 28th, 2008 Drazen Drazic

No surprise the Chaser dudes got off.

Previous post on this and full clip. This was a classic!

Posted in Bad Stuff, Dumb Security, To cool, WTF | 1 Comment »

If you’re in the business of providing IT services to customers, ignorance of good security is negligence!

April 22nd, 2008 Drazen Drazic

Talking today to a very successful business that came from the bricks and mortar ranks a few years back and now 90%+ of their business is online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made angry about so many “IT” businesses who supply “IT” services to these types of businesses.

Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they just do rely, depend and trust people in our profession to do the right thing by them….and they don’t!

What blows me away is:

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Web Application Security, cyber crime | 6 Comments »

“Big Kevin”…just doesn’t have the same ring to it but…

April 18th, 2008 Drazen Drazic

Darren Pauli puts it our there at CW with his new Vent IT section (good stuff Darren!):

You can see if you squint really hard what they are trying to do but gees, it seems like they are [the government], swinging a bat in dark room hoping to connect with the “target” - not that they really know what the target is. In the meantime, connecting with all else in the room and doing some big damage and creating a mess. Bad analogy?

Somewhat related:
http://beastorbuddha.com/2008/03/01/stuff-like-this-scares-me/

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, governance | No Comments »

« Previous Entries