By Declan Ingram.

Thought provoking read over at the Register: Feds seize $143M worth of bogus networking gear.

While the article is mainly about counterfeit hardware, (Cisco etc), seized in the US, (some of which was used by the US Marines in Iraq), there are two parts that got my attention:

1) The counterfeit gear could have backdoors. (Well yes – and this is not news for many…be surprised if some or most doesn’t).

2) This lovely quote: “In May of 2008, Cisco officials said they had no evidence that any of the counterfeit networking gear contained backdoors” – If these are the same officials that have missed all the other security issues to date (and in the future), then I’m not sure this statement makes me feel any better.

This reminds me of a friend of mine who years ago purchased some pirated operating systems on CD in Malaysia. They had been backdoored and once installed allowed anyone on the Internet to gain full access. I had a giggle, I must say. You really get what you pay for…..and more. (Remote Support?) :)

The (potential) security problems of pirated software have been well documented for some time. Most will have looked at backdoored ‘cracks’ for proprietary software etc, but bogus hardware? Backdoored from day 0? Cisco gear is generally top shelf, so more likely to get noticed, but what about lesser brands or even your generic ’sourced’ components? The flash drive from eBay? The cheap video card you got for your server so you can install the OS? Have a think about it.

Could organised crime use this to offset the cost of components? OK, that could well just be pure FUD……but.. :)

I bet some, (most?) bogus gear comes from the same factory as the legit gear. Stands to reason. If it is backdoored, what assurance do we have that the legit gear isn’t? How would we, (or anyone else) ever know? Few know where to start in assessing the security of their supply chain.

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses it’s own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting fraud. It’s “security” by definition but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:


Just got back and saw this was confirmed:

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there is no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

I thought about using the term (and have many times in the past), “virtual” CSO, but that sounded a bit wanky. This is something that I thought would take off a while ago, but like all else in our industry, things move slowly and little has happened.

With this “economic downturn” (yeah, I know…it’s been overdone also but reality is reality), I do think organisations are going to start to think about this. Staff are being laid off, sadly, but key aspects of the business still need to be in place – for regulatory requirements and moreso, just for the security and viability of the business.

I think in 2009, many companies are going to look for “specialists” (outside consultants from specialist firms – hopefully not, the usual mobs who’ve milked them of money for years for no result….yeah yeah….we know who I am talking about), in this field to replace people who have been made redundant – many who also were promoted to senior security roles that they were not capable of doing, nor ready for, ie; being able to work to a level that would be to the real benefit of the organisation. Read on….


Declan’s recent post on logging being a double edged sword started some interesting discussion. Anton Chuvakin follows-up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

“The cloud… pretty!”….thanks Wade for pointing me to this one at loglogic. This opened up a bit of discussion between a group of us on this “security in the cloud” business. Thought some of the comments would be worth putting together.

Some of my thoughts were previously covered here also. Anyway, the following are some of our ramblings. Feel free to add your comments.


The rantings of Craig Chapman, IT Security Legend and good bloke.

I’ve previously drivelled-on about the time I was approached at a conference by a couple of computer forensic ‘experts’ from a global IT co.

If you believed their story, these guys were IT super-heroes. The only things missing from this pair of turkeys was their red capes, masks and tight fitting, lycra underpants (although I strongly suspect these were being worn under their tailored suits).


This is a topic that is going to be covered again tomorrow in a post by BG. What can IT Security specialists actually really do when investigating an “incident”? Too many kid themselves that they can provide the client with the full service. As good as I think Securus Global is, I would never promote that we can do this properly ourselves without specialist guidance and advice from legals and police type people. Too many heroes out there think they can and that is dangerous. There’s a difference between an investigation and an “investigation” that would be used for a legal case.

Risky Business talks to Declan Ingram from Securus Global on this topic:

Adam Boileau, our old colleague, 18 months down the track is getting some serious traffic now for this. Why freeze some RAM?


Sydney Morning Herald

Gees, even Slashdot! :-)

I hear even some guitar mags may be picking this up also now based upon the pic in The Age and The Sydney Morning Herald. Onya Metl!

Additions: I just fixed the SMH link with the photo. Also, it was interesting to talk with Patrick Gray today about this:
“Hi Draz — your readers might want to hear the Risky Business interview I did with Metl about this whole thing. The Sydney Morning Herald actually picked up this story from the podcast and linked back to it… no one else bothered. Que sera, what can you do?”
That’s a bit slack not passing the credit back to where it’s due. Anyway, here is the original source from Pat: Risky Business #52.

I enjoyed Patrick Gray’s take on this story:

I can think of easier ways to get the information.

Older Posts »