By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ’stories’ need to be highlighted for what they really are – paid advertising.

This time, it’s our old friend at Symantec – schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ’story’, you ask?


The rantings of Craig Chapman, IT Security Legend and good bloke.

I’ve previously drivelled-on about the time I was approached at a conference by a couple of computer forensic ‘experts’ from a global IT co.

If you believed their story, these guys were IT super-heroes. The only things missing from this pair of turkeys was their red capes, masks and tight fitting, lycra underpants (although I strongly suspect these were being worn under their tailored suits).


The rantings of Craig Chapman, IT Security Legend.

Hold onto your seats people. What I am about to tell you might completely re-shape your ideas on cyber crime. (But I doubt it).

The rather appropriately named “Panda Labs” has conducted a cutting-edge investigation into the murky world of malware writers and cyber criminals. From: Secure Computing.

The result of their in-depth investigation? Well, according to Panda Labs, cyber-crooks are collaborating on different forums and “Internet sites”.


The rantings of Craig Chapman, IT Security Legend.

BG’s Ostrich Risk Management 101: A Case Study of Organisational Behaviour in Most Enterprises:

1. We don’t know if we’re being ripped off.
2. We don’t want to know if we’re being ripped off.
3. If we acknowledge there’s a problem, we’re obliged to do something about it.
4. If we acknowledge there’s a problem, we might get blamed for the problem occurring in the first place.
5. Don’t measure the problems, therefore, there are no problems.
6. If there are no problems, we must all be doing a great job at preventing problems.
7. Let’s all give ourselves a big pat on the back for preventing problems!

No problems!


Related Post:
Risk Management – Great in meetings, not so much in practice

The rantings of Craig Chapman, Computer Forensics Geek.

Barclays Bank in the UK is reportedly revising its security practices following the rip-off of 10,000 pounds from their own Chairman’s personal account by a fraudster.

Not surprisingly, Barclays have ‘accepted liability’ and also reimbursed the stolen 10,000 pounds into the Chairman’s account. But what if it were you or me, the plebs of the world, who had suffered this loss?

The rantings of Craig Chapman, Computer Forensics Geek.

Ladies and gentlemen, hold onto your seats while I tell you this. A technology ‘evangelist’ has arrived down under – to save you and me – the apparently hopeless and needy technology sinners of the world, at long last.

An invitation arrived in my inbox to a presentation by a bloke from the States whose title was “Lead IT Security Consultant, Information Security and Risk Management Evangelist”... That’s right – “Evangelist”. To which you would be well entitled to ask, as I did, “WTF”?

Now call me old-fashioned, but when I think of the word ‘evangelist’, I don’t usually imagine anything remotely IT related. And I certainly don’t feel an overwhelming need to be saved from myself by anyone brave enough to describe themselves as a technology risk management “Evangelist”. Oh my Lordy, no.

The rantings of Craig Chapman, Computer Forensics Geek.

As funny as it sounds, a while back I asked the serious question on Beast or Buddha?

How many white hats are actually black hats in disguise?

Since then, it’s been reported that the so-called ‘white hat’ security professional Max Butler has been arrested & charged with hacking offences, including running a carder portal. Ironically, Butler also worked for a reputable organisation whose name suggested they are good guys. (I believe Christian Heinrich also spotted this report.) They probably are.

We shouldn’t be surprised in any way. After all, it’s not unheard of for criminals to enter a certain profession in society with the motivation (and relatively easy access) for undertaking their chosen nefarious activities.

It makes a lot of sense, in a criminal way.

For instance:

- Paedophiles who become scout leaders, teachers or church leaders.
- Fraudsters & corrupt persons who become politicians or public officials.
- Arsonists who become fire fighters.

All of which leads me to ask the following:

1. Would a country planning a war also invite their enemies along to their pre-war planning meeting?
2. Are tactics for defeating hackers, latest research etc. openly discussed at IT Security conferences?
3. Is there a strong likelihood that amongst the hundreds of IT security professionals attending a conference, some may be highly experienced black hat hackers?
4. Is the IT security industry deluding itself about the preventative value of such conferences?
5. Rather than helping to put the flames out, are large conferences a mechanism fuelling the fire?

I think we know the answers to most of these questions, so do we kid ourselves that the industry is not rife with people who can easily sway to the dark side, or who are already firmly entrenched there?

Food for thought.

This seems to come up quite often lately in the press. I think it was Risky Business that also covered it in a recent interview. Big Galoot raised it in a previous post.

The Kiwis first, and now the Aussies are also getting into it.

I wonder how someone can definitively state that it was this government or that. Anyone heard of spoofing IP addresses? Was it raised with China at APEC? :-)

Big Galoot sent me the following:

“Organisations that still have the mindset that the enemy they are battling against is mainly organised crime gangs had better face up to the grim reality! Cyber crime is also State-sponsored, which, given the resources available to an entire country for this type of activity, raises the stakes massively!”

The rantings of Craig Chapman, Computer Forensics Geek.

Lest Big Galoot be accused of sounding too flippant about the undeniable benefits of “Standards” in our lives, let’s not forget an often overlooked human side of the increasing “Standardisation” of our world and those who feel the irrepressible urge to write them.

Standards make many people happy, warm and comfortable, as does a nice pair of fluffy slippers and a cup of warm cocoa. This is not necessarily a bad thing. I like my cocoa and slippers as much as the next bloke. But make no mistake, standards are sometimes touted by those who feel an overwhelming need to compartmentalise their own and other people’s lives by standardising the way in which everyone does things.

For those mother hens of the world who seem to take pleasure in writing procedures & processes for everything we do – from walking our dog off its leash in the park, to spitting on a footpath – is it more a case of process at the expense of performance?

A recent article at CIO mag proposes that new network forensics standards are “crucial to the speed and fairness of the US judicial system.”

What a complete load of puffed-up, breast-beating piffle!

Just throwing this one out there after a talk with a journo today, as an aside to the .NET stuff we published today.

The question was raised on overall web application security in the real world... what’s your call on it, SA?

We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities (i.e. we own them, we break them etc. ... bad! ... PCI as an example ... potentially very upset). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand that we’re all (all companies like SA) now dealing with a backlog of testing ... stuff that should have been done years ago.

I will state again ... the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security ... but that’s the norm, unfortunately.

When the sh*t eventually hits the fan in these companies and it makes the press ... same old story ... there’s no one to blame! (At least in Australia, where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)

Japan has the right idea in the banking sector – they (the regulators) make the CIO accountable, and if the sh*t does hit the fan, he goes to jail (i.e. gaol – Aussie spelling – stupid as it is).

We supported a relatively similar call a while back from the Acunetix dudes, who had their 80% claim challenged by Network World.

Happy to be tested and to have a similar challenge thrown out to us ... though I don’t expect it. It would be like shooting fish in a barrel or, as the Big Galoot says, “a newsagent girl picking me out as the shooter and not the pig on the cover of ‘Babes and Boars’” ... maybe not ...
