Australian Government E-Security Review….

July 6th, 2008 Drazen Drazic

The AGD (Attorney-General's Department) is leading a review of the Government's e-security policy, programs and capabilities:
http://www.ag.gov.au/esecurityreview

Submissions are due by 31st July 2008.

The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means by their last couple of suggestions though.

Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:

• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general - hey, it all comes down to software doesn’t it? (inc false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies - rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds - lack of regulation, establishment of base level requirements for security and looking at root cause

I know some of the above is broad in scope and I’m sure we could develop a long list, but at the same time, analysis needs to be weighed against practical and realistic solutions to the issues. There are many trains of thought - some believe we must simply adapt and accept that we’ll always be living and working in an insecure IT world. Others are more hopeful that we can turn things around with great effort. Is there a middle ground in the IT world, as there is in society in general? Can we segment the good from the bad and acknowledge that the “grey” areas will always be there?

Posted in Research, Risk Management, Vulnerability Management, cyber crime, governance | 2 Comments »

McAfee concludes some awesome research….

July 2nd, 2008 Drazen Drazic

I don’t really know what more to add. Just in case you weren’t aware of spam and its prevalence and intent:

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime | 1 Comment »

Another consortium formed to “enhance global IT security”…

June 28th, 2008 Drazen Drazic

Is this a reaction to the monkeynet project? You have to wonder.

We had SAFECode announced last year and now comes ICASI (the Industry Consortium for Advancement of Security on the Internet). Release:
http://www.icasi.org/articles/art_001.htm

How they’re going to “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium! :-)

Recent update on SAFECode.

Posted in Dumb Security, Research, Risk Management, WTF | 6 Comments »

A look at Australian Telecoms……

June 28th, 2008 Drazen Drazic

Enjoyed this post at Wade’s: How the Australian Carriers Missed It.

Posted in Bad Stuff, Research, To cool | 1 Comment »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

As technology becomes more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences for security in general.

E.g. insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If you have ever tried to build a rocket (not the WMD type), as I have, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s now relatively easy to build a very good guidance system to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily-harm-inducing, such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

Information Security Certifications……

June 22nd, 2008 Drazen Drazic

At Securus Global (blatant marketing plug for all readers, should you need our services), when I hire specialists to join the team, “certifications” to me mean zip…nothing…zero! We get CVs all the time and, based upon our reputation, we are in the proud and lucky position that people want to work at SG! I feel honoured by that, and every CV sent to us makes me feel that SG, as an organisation, is somewhere real, industry-passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).

Read the rest of this entry »

Posted in Bad Stuff, Disclosure Laws, Research, WTF | 4 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of the services and products being marketed. The focus, though, has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no-liability market that few, if any, other industries enjoy. There is something wrong with that!

They’ve been in that lucky position pretty much since day 1. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems for the people who buy it! If problems occur, there is NO LIABILITY AND NO LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

The Common Configuration Scoring System - NIST Draft

June 12th, 2008 Drazen Drazic

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values (here: http://www.isecom.org/research/ravs.shtml), perhaps.

Read the rest of this entry »

Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime | No Comments »

The monkeynet project kicks off…..

June 6th, 2008 Drazen Drazic

Speculation has been rife and the rumour mill going crazy but I can announce that the monkeynet project has now kicked off. Visit and explore the site for more information and to stay abreast of the latest news on the monkeynet project. (Find the secret area with information on the “secret” projects). Join the initiative and become part of the monkeynet project.

Background:

Read the rest of this entry »

Posted in Research, news | 8 Comments »

AusCert Roundup and Malware Giveaways at the conference….

May 23rd, 2008 Drazen Drazic

Hot off the press from Patrick who sent me this one: Telstra distributes malware-infected USB drives at AusCert.

Thanks to all the people that have been reading my posts on AusCert and those people who have been sending me emails about the posts and their AusCert experience. I was going to close it off with yesterday’s post but I’ve been asked a few times now to add some final thoughts. So here we go:

Read the rest of this entry »

Posted in Research, Uncategorized | 7 Comments »

AusCert Day 3: Conference last day

May 22nd, 2008 Drazen Drazic

I can see many “sore” heads this morning walking around, but then again, that’s pretty standard throughout AusCert. The dinner last night (Tuesday) was pretty good and great to catch up with people. Always enjoy my time with my mates at TrustDefender. (Blatant promo for the guys. They will do well and I highly recommend you check them out).

Here we go:

Read the rest of this entry »

Posted in Research, Uncategorized | 1 Comment »

AusCert Day 1: Ends up okay…somewhat….

May 19th, 2008 Drazen Drazic

Okay, I don’t have great expectations of AusCert conferences as most know. They’re a great junket and the social side of things is fantastic. Content though is usually ordinary with only a handful of presentations worth remembering.

I was looking forward to seeing Scott Charney’s “Enabling End to End Trust” keynote given recent discussions about his paper since its release. Scott: Impressive background, impressive presenting skills, but gees, if you’re going to travel half-way around the world to talk about your End to End Trust, talk about it!

Read the rest of this entry »

Posted in Research, cyber crime | 10 Comments »

Thank Heavens we have Ruxcon and Kiwicon….

May 17th, 2008 Drazen Drazic

It would be really sad for the Australian and New Zealand security community if we did not have Ruxcon and Kiwicon (and OWASP this year, I hear, was pretty good).

Just thinking about this as I head up to another AusCert conference on the Gold Coast. It’s not that we lack security conferences here in Australia, and some of them are even okay……rare few, though, that don’t wheel out the same old people rambling on about the same old topics and working on their own self-promotion.

Read the rest of this entry »

Posted in Research | 8 Comments »

IPv6 Ramblings…..

May 9th, 2008 Drazen Drazic

Interesting and good to see IPv6 get a mention/submission in Australia’s 2020 Summit. The submission is here. Not sure where it is headed as I couldn’t see any mention in the Initial Summit Report. Maybe others have heard more about this?

We haven’t lacked in some good write-ups on IPv6 in recent times. Thanks to Donal for passing this one from Arbor Networks onto me.

The Google IPv6 2008 Conference panel video is well worth seeing if you haven’t already.

Are we getting much closer?

Previous Beast or Buddha posts:
http://beastorbuddha.com/2008/03/31/some-good-ipv6-links/
http://beastorbuddha.com/2007/05/10/ipv6whenwhysecurity/

From 2001; IPv6 and the Future of the Internet.

Posted in Research | 4 Comments »

Microsoft serves COFEE to the police…and a death sentence to employee!?

May 1st, 2008 Drazen Drazic

By Declan Ingram

Upon speculation that Microsoft had built backdoors into Vista, Niels Ferguson, a developer and cryptographer at Microsoft, wrote:

“The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data……..Over my dead body.”

That’s very reassuring… Until this was released: “Microsoft device helps police pluck evidence from cyberscene of crime“.

Read the rest of this entry »

Posted in Bad Stuff, Industry Specialists Talk, Research, WTF, cyber crime | 9 Comments »

Kiwicon 2k8

May 1st, 2008 Drazen Drazic

After the awesome Kiwicon 2k7, the 2008 event has been announced.
http://www.kiwicon.org/

Posted in Research | No Comments »

Clouding Log Analysis - Anything New worth a Look?

April 17th, 2008 Drazen Drazic

“The cloud…..so pretty!”….thanks Wade for pointing me to this one at loglogic. This opened up a bit of discussion between a group of us on this “security in the cloud” business. Thought some of the comments would be worth putting together.

Some of my thoughts were previously covered here also. Anyway, the following are some of our ramblings. Feel free to add your comments.

Read the rest of this entry »

Posted in Firewalls, Forensics, IDS, IPS, Research, Risk Management, Vulnerability Management | No Comments »

Further on the MS End to End Trust…..

April 12th, 2008 Drazen Drazic

Our friend Donal posts his thoughts in some detail at Ockham’s Razor. As with most of D’s stuff, well worth clicking the link!

Posted in Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | No Comments »

“End to End Trust” - funky name for what?

April 11th, 2008 Drazen Drazic

It will be interesting to follow the response to this on the net:

http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx

Posted in Research, Risk Management, cyber crime | 3 Comments »

Secure Security Appliances? - Making Assumptions can be Risky.

April 7th, 2008 Drazen Drazic

I wonder how many organisations question their “security appliance” vendors about the actual security of the security appliances themselves, i.e. what testing is done, how often, patch release testing, security in their own SDLC, etc. From experience, we see most organisations assume that since it is a “security” appliance, it must be secure.

Assuming these systems are secure, and thereby not including them in the security tests and reviews that make up the organisation’s security assurance program, can potentially open an organisation up to compromise.

We work with security appliance vendors and do testing for them on their systems. These guys we trust because we know they care and are committed to providing secure systems to their clients.

Are they all doing that? We know that these systems are just as open to vulnerabilities as anything else in the corporate IT environment. Don’t assume your security appliance is secure. Ask questions and include these systems in your testing programs.

Posted in Research, Risk Management, Vulnerability Management | 4 Comments »