IT Media - Cutting Edge Reporting

June 12th, 2008 Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ’stories’ need to be highlighted for what they really are - paid advertising.

This time, it’s our old friend at Symantec - schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ’story’, you ask?


Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

Big Galoot Diatribe - Superheroes and independence of expert witnesses

March 28th, 2008 Drazen Drazic

The rantings of Craig Chapman, IT Security Legend and good bloke.

I’ve previously drivelled on about the time I was approached at a conference by a couple of computer forensic ‘experts’ from a global IT co.

If you believed their story, these guys were IT super-heroes. The only things missing from this pair of turkeys were their red capes, masks and tight-fitting lycra underpants (although I strongly suspect these were being worn under their tailored suits).


Posted in Big Galoot Diatribe, Forensics, Industry Specialists Talk, cyber crime | No Comments »

Big Galoot Diatribe - If you go out in the woods today….

March 3rd, 2008 Drazen Drazic

The rantings of Craig Chapman, IT Security Legend.

Hold onto your seats people. What I am about to tell you might completely re-shape your ideas on cyber crime. (But I doubt it).

The rather appropriately named “Panda Labs” has conducted a cutting-edge investigation into the murky world of malware writers and cyber criminals. From: Secure Computing.

The result of their in-depth investigation? Well, according to Panda Labs, cyber-crooks are collaborating on different forums and “Internet sites”.


Posted in Bad Stuff, Big Galoot Diatribe, Industry Specialists Talk, Research, WTF, cyber crime | 2 Comments »

Big Galoot Diatribe - BG’s Ostrich Risk Management 101

February 13th, 2008 Drazen Drazic

The rantings of Craig Chapman, IT Security Legend.

BG’s Ostrich Risk Management 101: A Case Study of Organisational Behaviour in Most Enterprises:

1. We don’t know if we’re being ripped off.
2. We don’t want to know if we’re being ripped off.
3. If we acknowledge there’s a problem, we’re obliged to do something about it.
4. If we acknowledge there’s a problem, we might get blamed for the problem occurring in the first place.
5. Don’t measure the problems; therefore, there are no problems.
6. If there are no problems, we must all be doing a great job at preventing problems.
7. Let’s all give ourselves a big pat on the back for preventing problems!

No problems!

BG.

Related Post:
Risk Management - Great in meetings, not so much in practice

Posted in Big Galoot Diatribe, Industry Specialists Talk, Risk Management | 10 Comments »

Big Galoot Diatribe - The Buck Stops….Where?

January 12th, 2008 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Barclays Bank in the UK is reportedly revising its security practices following the rip-off of 10,000 pounds from their own Chairman’s personal account by a fraudster.
http://www.computerworld.com.au/index.php/id;732567044;fp;16;fpid;1

Not surprisingly, Barclays have ‘accepted liability’ and also reimbursed the stolen 10,000 pounds into the Chairman’s account. But what if it were you or I, the plebs of the world, who had suffered this loss?

Posted in Big Galoot Diatribe, Industry Specialists Talk | 3 Comments »

Big Galoot Diatribe - What’s in a “title”?

November 13th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Ladies and gentlemen, hold onto your seats while I tell you this. A technology ‘evangelist’ has arrived down under - to save you and I - the apparently hopeless and needy technology sinners of the world, at long last.

An invitation arrived in my inbox to a presentation by a bloke from the States whose title was “Lead IT Security Consultant, Information Security and Risk Management Evangelist”…….That’s right - “Evangelist”. To which you would be well entitled to ask as I did, “WTF”?

Now call me old-fashioned, but when I think of the word ‘evangelist’, I don’t usually imagine anything remotely IT related. And, I certainly don’t feel an overwhelming need to be saved from myself by anyone brave enough to describe themselves a technology risk management “Evangelist”. Oh my Lordy, no.

Posted in Big Galoot Diatribe, Industry Specialists Talk, WTF | 2 Comments »

Big Galoot Diatribe - White Hats, Security Conferences and Boy Scout Meetings…….

October 11th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

As funny as it sounds, a while back I asked a serious question on Beast or Buddha:

How many white hats are actually black hats in disguise?
http://beastorbuddha.com/2007/08/07/ethical-hackingthat-term-is-a-worry/#comments

Since then, it’s been reported that the so-called ‘white hat’ security professional Max Butler has been arrested & charged with hacking offences, including running a carder portal. Ironically, Butler also worked for a reputable organisation whose name suggested they are good guys. (I believe Christian Heinrich also spotted this report). They probably are.
http://www.securityfocus.com/news/11487

We shouldn’t be surprised in any way. After all, it’s not unheard of for criminals to enter a certain profession in society with the motivation (and relatively easy access) to undertake their chosen nefarious activities.

It makes a lot of sense, in a criminal way.

For instance:

- Paedophiles who become scout leaders, teachers or church leaders.
- Fraudsters & corrupt persons who become politicians or public officials.
- Arsonists who become fire fighters.

All of which leads me to ask the following:

1. Would a country planning a war also invite their enemies along to their pre-war planning meeting?
2. Are tactics for defeating hackers, latest research etc. openly discussed at IT Security conferences?
3. Is there a strong likelihood that amongst the hundreds of IT security professionals attending a conference, some may be highly experienced black hat hackers?
4. Is the IT security industry deluding itself about the preventative value of such conferences?
5. Rather than helping to put the flames out, are large conferences a mechanism fuelling the fire?

I think we know the answers to most of these questions. So do we kid ourselves that the industry is not rife with people who can easily sway to the dark side, or are already firmly entrenched there?

Food for thought.

Posted in Bad Stuff, Big Galoot Diatribe, Disclosure Laws, Dumb Security, Industry Specialists Talk, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 11 Comments »

State Sponsored Cyber Attacks and Crime?

September 13th, 2007 Drazen Drazic

This seems to come up quite often lately in the press. I think Risky Business (ITRadio.com) also covered it in a recent interview. Big Galoot raised it in a previous post.

The kiwis first and now the Aussies also are getting into it: http://www.news.com.au/story/0,23599,22403224-2,00.html

I wonder how someone can definitively state that it was this government or that. Anyone heard of spoofing IP addresses? Was it raised with China at APEC? :-)

Big Galoot sent me the following:

“Organisations that still have the mindset that the enemy they are battling against is mainly organised crime gangs. They’d better face up to the grim reality! Cyber crime is also State-sponsored, which given the resources available to an entire country for this type of activity, raises the stakes massively!”

Posted in Bad Stuff, Big Galoot Diatribe, Vulnerability Management, Web Application Security, cyber crime, news | 2 Comments »

Big Galoot Diatribe - Standards For Forensics…a Need?

July 13th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Lest Big Galoot be accused of sounding too flippant about the undeniable benefits of “Standards” in our lives, let’s not forget an often overlooked human side of the increasing “Standardisation” of our world and those who feel the irrepressible urge to write them.

Standards make many people happy, warm and comfortable, as does a nice pair of fluffy slippers and a cup of warm cocoa. This is not necessarily a bad thing. I like my cocoa and slippers as much as the next bloke. But make no mistake, standards are sometimes touted by those who feel an overwhelming need to compartmentalise their own and other people’s lives by standardising the way in which everyone does things.

For those mother hens of the world who seem to take pleasure in writing procedures & processes for everything we do - from walking our dog off its leash in the park, to spitting on a footpath, is it more a case of process - at the expense of performance?

A recent article at CIO mag http://www.cio.com.au/index.php/id;1626336618;fp;4;fpid;51238 proposes that new network forensics standards are “crucial to the speed and fairness of the US judicial system.”

What a complete load of puffed-up, breast-beating piffle!

Posted in Big Galoot Diatribe, Forensics | 6 Comments »

90% of Web Applications Suck……

July 12th, 2007 Drazen Drazic

Just throwing this one out there after a talk with a journo today as an aside to the .NET stuff we published today.

The question was raised on overall web application security in the real world….what’s your call on it SA?

We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities. (ie; we own, we break etc ….bad!….PCI as an example…very upset potentially). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand, we’re all (all companies like SA) now dealing with a backlog of testing…..stuff that should have been done years ago.

I will state again….the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security…..but that’s the norm unfortunately.

When the sh*t eventually hits the fan in these companies, and it makes the press…same old story…..there’s no one to blame!….. (at least in Australia where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)….

Japan has the right idea in the banking sector - they (the regulators) make the CIO accountable, and if the sh*t does hit the fan, he goes to jail (ie; gaol - aussie spelling - stupid as it is).

We supported a relatively similar call a while back from the Acunetix dudes that had their 80% claim challenged by Network World.

Happy to be tested and a similar challenge thrown out to us…..though I don’t expect it. It would be like shooting fish in a barrel or as the Big Galoot says; ” a newsagent girl picking me out as the shooter and not the pig on the cover of “Babes and Boars”……maybe not……

Posted in Applications, Bad Developers, Bad Stuff, Big Galoot Diatribe, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

Big Galoot Diatribe - Computer Forensics “Specialists”

July 4th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

The other day I met a couple of guys at a security conference who introduced themselves and announced proudly that they did “Computer Forensics”. I had no reason at that stage to disbelieve them, since they were wearing some rather impressive-looking nametags bearing the logo of a very well known global company.

After a bit of big-noting themselves, it was what they said next in relation to investigation techniques that set my alarm bells ringing:

“We’ve just done a course on interviewing suspects. We can tell you when someone is lying.”

“Really ?” I said, rather disbelievingly. (Gees, these guys have it 100% - something that takes good police detectives years to develop).

“Aside from your lie detector skills, how do you keep an arm’s length between your forensics role and being the interviewer of a suspect?” I asked, very curious to hear their response.

“Bah! No need to worry about that!” they replied rather boldly, as if that were a mere technicality not worth worrying about.

Unfortunately, as they might discover, the courts don’t exactly share their view on wearing both the hat of the interrogating Investigator and the Computer Forensics Expert simultaneously. See fellas, there’s this thing that courts are big on; it’s something known as ‘Independence’.

Nor is computer forensics simply a fancy term for checking audit logs, as they would later try, rather incredibly, to argue. Make no mistake, these guys were not computer forensics people in any form. They were at best a pair of audit-log-checking boofheads calling themselves “computer forensics” people. As the term “forensics” suggests, it also involves the gathering of evidence in a manner that is lawfully admissible in a court. Judging by their manner, and their high degree of BS, I’d have to conclude that these gentlemen have spent far too much time watching CSI or NCIS, and very little time, if any, in an actual court or in a witness box.

Fellas, if by chance you recognise yourselves & happen to be reading this blog, here’s a really good definition of computer forensics as described at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1007675,00.html

Computer Forensics:
“The application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.”

And by the way, if you’re still reading, perhaps you should remove the “Computer Forensics” label from your nametags and replace it with “Audit Log file checkers”. Ok, it doesn’t sound as impressive, but it’s perhaps a lot closer to the truth. And it avoids more potential embarrassment for you.

Chappo

Posted in Big Galoot Diatribe, Forensics, cyber crime | No Comments »

Big Galoot Diatribe - Moths bred to become cyber spies….

June 18th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Now I don’t know about you, but this latest story on moths being bred with inbuilt remote sensing chips is bordering on the ridiculous, for a whole lot of reasons.

When I grew up watching Star Trek, the nasty ‘cyborgs’ were the ugly dudes with flesh growing around computer parts. The Cyborgs certainly weren’t moths (how uncool would that have been?). But, a mob of big-brained, cutting edge defence scientists, known as The Defense Advanced Research Projects Agency (DARPA) is apparently growing computer chips around insects for use in warfare surveillance. An ‘insect-cyborg’, they’re calling it.

Now I know what you’re thinking. You’ve gotta be kidding, right ?
No way, my cyborg friends. This is science-reality, not science fiction. The big-heads at ‘DARPA’, as they are known, are implanting computer chips in moths while still in the pupa stage. The moth grows around the chip and its nervous system can be controlled by a remote control.

Trotting out yet another sexy defence techie acronym, the project is affectionately called the ‘Hybrid Insect Micro-Electro-Mechanical Systems’ (HI-MEMS) and it also includes outfitting other insects with minuscule sensors and a wireless transmitter which could send data from places inaccessible to humans.

“It is hoped by DARPA, that one day, a sensor-enabled insect with a 100-yard range could be placed within five meters of a target using electronic remote control and, potentially, Global Positioning System technologies.” From: http://government.zdnet.com/?p=3189

Now for the best bit: “Ultimately, the moth will be able to land in enemy camps in remote locations undetected and be able to beam video and other information back via what its developers refer to as a “reliable tissue-machine interface.” I say, stuff the enemy camps - I can think of a *far* greater application of this technology. Let’s just say that I hope Paris Hilton’s bedroom windows have lousy flyscreens.

According to zdnet: “This latest development will allow the moth cyborgs to spy on enemy insurgents, and is the most advanced robotic technology ever conceived by DARPA.” Latest technology? Perhaps. A great idea doomed to failure ? I believe so.

In line with (much loved) rantings of Bruce Schneier http://www.schneier.com, the most advanced technology can often be defeated by the simplest and cheapest of means. So I have two words for the big tech-heads and their multi million dollar Hi-Mems cyborg insect project at DARPA….. ‘Pea-Beau’.

More articles on moth cyborgs:
http://www.foxnews.com/story/0,2933,276182,00.html

Posted in Big Galoot Diatribe, UFOs, cyber crime | 1 Comment »

Big Galoot Diatribe - The Trojan Defence…the sleeping giant for computer forensics?

June 10th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

A couple of recent cases, including http://www.securityfocus.com/news/11469 in the US, have highlighted malware and trojans as an emerging problem for the computer forensics community - testing the validity of the expert evidence and calling into question the practice as a whole.

In this most recent case, problems emerged after a teacher was wrongly convicted following an incident where her classroom PCs became infected with pop-up ads displaying pornographic images. The prosecution alleged that the pop-ups were caused by the teacher’s activity on her PC, following expert testimony from a computer forensics detective.

Problems in the case emerged after the defence’s computer forensics expert successfully argued that a harmless hairstyling web site had actually re-directed the PC’s browser to pornographic sites, setting off a chain of offensive pop up ads (a sub-argument was also presented about access control).

With the benefit of hindsight, this case was perhaps more about poor forensics practices - the investigating detective was apparently not thorough enough.

But it raised a bigger issue: what about really hard-core trojans & malware? How do we prove that malware didn’t exist on a suspect’s system? Recent studies into the problems that malware/trojans/viruses pose for the computer forensics community suggest this problem is not going to go away any time soon.

Highlighting this problem, some conceptual tools developed by Security-Assessment.com and Joanna Rutkowska from www.invisiblethings.org have shown that the ability already exists for malware to defeat ‘volatile’ memory forensics. Make no mistake, this is a big threat facing computer forensics practices and their ability to withstand rigorous cross-examination in the witness box.

The really big questions facing the computer forensics community right now must be:

- How can the trojan defence be negated? and
- What practices can be put into place by the corporate world to assist computer forensics?

The nitty-gritty of ‘The Trojan Defence’ is that we don’t know what we don’t know. In other words, how do we prove that something (a trojan) didn’t exist?……The mere possibility of the existence of a trojan may itself be enough for a case to be thrown out, in the absence of any corroborating evidence.

The solution? (Is there any?)

In terms of hard-drive forensics (and even perhaps volatile memory?), the ability exists to make a ‘known good’ copy of a system prior to its deployment & have it locked away in a safe. In an attempt to negate the trojan or malware defence argument, the ‘known good’ copy could be dragged out of the safe & compared to the original, and forensically examined for changes to that system. Operating system active processes, dlls etc. could all be mapped & compared against those of the ‘known good’ system. This practice could also be a really good tool for very quickly detecting what is going wrong with a particular system when the IT Security guys are called in following an ‘incident’, say, an intrusion where their system became owned or whatever.
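The ‘known good’ comparison above is, in practice, a baseline-and-diff exercise: fingerprint every artefact on the deployed system, lock the fingerprints away, and later diff a fresh inventory against them. The Python below is an added example written for this post, not code from Big Galoot or any named project. It hashes a file tree into a manifest, then diffs a later manifest against it to report added, removed and modified files; the demo builds a small constructed tree in a temporary directory and simulates post-incident changes (the file names and contents are made up for the demo). The same diff routine works unchanged for any name-to-fingerprint inventory, such as running processes keyed by image path or loaded DLLs keyed by module path, which is the process/DLL mapping the post describes.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` and return {relative_posix_path: sha256_hex} for every
    regular file. This is the 'known good' inventory taken at deployment
    time (the copy that goes in the safe) or the current state to check."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(known_good, current):
    """Diff two inventories and return (added, removed, modified), each a
    sorted list of keys. Works for any name -> fingerprint mapping, so the
    same routine can diff process lists or loaded-module lists."""
    good_keys = set(known_good)
    cur_keys = set(current)
    added = sorted(cur_keys - good_keys)
    removed = sorted(good_keys - cur_keys)
    modified = sorted(k for k in good_keys & cur_keys if known_good[k] != current[k])
    return added, removed, modified


def demo():
    """Constructed scenario: deploy a tiny system tree, snapshot it as the
    known-good baseline, then apply the kinds of changes an investigator
    would want to surface and diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original application binary")
        (root / "bin" / "helper.dll").write_bytes(b"original helper library")
        (root / "config.ini").write_text("mode=production\n")

        known_good = build_manifest(root)  # baseline locked away at deployment

        # Constructed post-incident state: one unexpected new module, one
        # library whose contents changed, one config file that vanished.
        (root / "bin" / "unexpected.dll").write_bytes(b"not part of the deployment")
        (root / "bin" / "helper.dll").write_bytes(b"original helper library + extra bytes")
        (root / "config.ini").unlink()

        return compare_manifests(known_good, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)     # ['bin/unexpected.dll']
    print("removed: ", removed)   # ['config.ini']
    print("modified:", modified)  # ['bin/helper.dll']
```

Two caveats matter for the trojan-defence argument specifically. A file-hash baseline only speaks to what it covers, so malware that lives only in memory (the volatile-memory problem the post raises) will not appear in the diff and still needs a separate memory acquisition. And for the diff to carry any evidential weight, the baseline manifest itself must be protected from alteration between deployment and examination, e.g. stored write-once with its own hash recorded.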

In reality though, this practice is unlikely to be adopted in the short term. But I’d be very interested to learn if some companies out there are already adopting the practice of having a secured, ‘known good’ copy for forensics or IT Security purposes. Has anyone heard of this being done?

Or perhaps someone has some other ideas about how ‘The Trojan Defence’ argument can be (relatively expeditiously) negated in a forensic manner?

Posted in Big Galoot Diatribe, Forensics | 2 Comments »

Big Galoot Diatribe - Financial Darwinism

June 4th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

To kick off my first article in beast or buddha - my controversial thoughts on the victims of Nigerian email scams.

I have this theory about people who send their hard earned savings to Nigerian email scammers in the hope of huge financial gains, but end up losing the lot. What really amazes me is that these victims, many of whom are presumably intelligent, and some of whom occupy highly paid positions (lawyers, doctors, etc), send their money away - even *after* being told by police that the whole thing is a scam & they’ll never see their money again. It’s truly incredible. It’s mind-bogglingly stupid. I call this phenomenon Financial Darwinism. Survival of the financially fittest. For the victims of these frauds, it seems making money is the easy part; actually holding onto it is the tough bit.

What the Nigerian email scammers do is not rocket science. But they do prey upon two very powerful human frailties - greed and stupidity. After mass emailing their incredulous letters with offers of vast amounts of money, the first part of the scam involves playing the percentages, ie, a very small percentage of people will actually believe their incredible letters instead of hitting the delete button (or having their spam filter kill it before it hits their inbox). Secondly, an even smaller percentage of victims will begin to participate in their scam, continuously and robotically sending money to them in the greedy and stupid hope of vast riches. These are the people the Nigerians are targeting.

And it seems even in the face of losing their entire life savings, some victims coldly refuse to believe they have been a victim of a Nigerian email scam. That is, even after they’ve been presented with the factual evidence by the investigating police. But we shouldn’t give the Nigerians all the credit for preying on these human frailties. Preying upon greed and stupidity has probably been happening for thousands of years. Look at another recent example - poker machines.

Recent estimates in Australia suggest there are a lot of financially-dumb people out there. In the State of Queensland alone, losses to Nigerian emails are currently thought to run around $500,000 per month. We don’t know for sure, but if the Queensland example is a representative figure of humankind’s stupidity, it must be an awful lot of money when you consider that Nigerian scammers are operating on a global scale.

All of which raises interesting questions about our species. Is there some part of the human brain within some people that switches off all financial common sense and logic? Or perhaps, is there something within the victims’ DNA that has a greed override switch, completely overriding competing factual stimuli? Looking at this phenomenon from a Darwinism perspective - perhaps this phenomenon is really not so amazing, but simply a case of financial evolution taking place. The dumbest of our species will inherently lose their money and fail, the smarter will keep their money and prosper.

See article -
http://www.computerworld.com.au/index.php/id;660142320;fp;16;fpid;2

Posted in Big Galoot Diatribe | 3 Comments »