- Wayne from Securus Global did us proud at the DefCon Social Engineering CTF Tournament in Las Vegas recently. It picked up a bit of press coverage. Just a couple of examples from ITNews and InfoWorld. It really demonstrates how someone can target an attack and, relatively simply (with the right training, know-how and expertise), own a company. Unfortunately, we don’t see many organisations doing this type of assurance and testing, nor having an interest in it. Keen on your thoughts.

- Louis from Securus Global was involved with the French team that blitzed it at the DefCon Hacking CTF. Both Wayne and Louis, along with other Securus Global team members, will be doing a few presentations in Melbourne and hopefully Sydney soon on various topics including penetration testing, web application security, social engineering and others. Stay tuned to our website as we kick off our series of Breakfast Briefs and Technical Sessions again in Q4, 2010.

- This is pretty cool. A character in a new novel, with a hacker as one of the leads, is based on Dean Carter. Reported here at ZDNet. Who’s going to play Dean in the movie will be interesting.

- Checkout the Australian Information Security Bloggers Directory and see what the local guys are up to.

- Local scene roundup here.

- In numerous links above, you’ll see Securus Global has a new website. It’s a WIP (again). Websites and website development are a pain. Too much information, too little information….can you win? We’re better at testing and breaking them than we are at making our own, I reckon, but that’s an old story. Would love to hear from people on their thoughts on which security organisation has a good website. Just curious…. :)

- With the election just around the corner, we can safely say that neither major party seems to have a clue about technology: the Internet, eCommerce and everything else related. Few, if any, of the issues and questions I have posted here are being or will be addressed. I do ask again though: where has the money that Stephen Conroy promised, and has used in his marketing for the Internet Filter, i.e. the millions for additional policing for child protection on the Net, gone? Almost 3 years of hearing about it. No answers.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



Great to see the local scene just kicking on. So much going on now and no shortage of things to attend.

——————————————————————————————–
Ruxcon 2010: 20-21 November, 2010 (Melbourne). Details and CFP information:
http://www.ruxcon.org.au

Monthly Ruxcon meetings (Ruxmon) in Melbourne. Details:
http://www.ruxcon.org.au/2010-rmmm.shtml

Kiwicon 2010: 27-28 November, 2010 (Wellington, NZ). Details and CFP information:
https://www.kiwicon.org/

OWASP seems to be pretty active with monthly (or almost monthly) meetings and regular events in Sydney, Melbourne and Perth. Contact your local city chapter for more information, or if there is up-to-date information on the OWASP website, could someone let me know? (I am on the mailing list).

AISA (Australian Information Security Association) membership is now over 1000. Sydney, Melbourne, Brisbane, Canberra and Perth hold monthly meetings plus social events, and the Annual Seminar Day will be the biggest ever in 2010. With membership still only $50, it’s worth having a look. Details on AISA and upcoming events for all cities:
http://www.aisa.org.au/

Australian Information Security Bloggers Directory and Twitter accounts here.

———————————————————————————————-



“On Monday 21 June 2010, the Standing Committee on Communications tabled its report on the inquiry into Cyber Crime entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.” Full details and report here.

We covered the updates to this inquiry last year: October 2009 post, September 2009 post.

———————————————————————————————-



I’ve talked about this before so I won’t rant on again too much about my position….geez, did I have a definitive one? :)

I agree with the last comments on the last post here from GoogleHack. If the research community hasn’t been able to nail this, then you have issues. If a Google takes a stand, regardless of whether it’s “official” or not, it will impact heavily on the debate. It’s Google! This is a really bad thing in my opinion. A “standard” has been set….at least for the time being.

Securus Global has taken the position that we judge all vuln research findings on a case-by-case basis. The upshot, to the detriment of our marketing, is that we rarely publish vulnerability advisories. This may upset some, but we’ve almost come to the conclusion that, as a business, it’s no longer a cool thing to do (all the time).

Now please don’t get me wrong……independent researchers publishing stuff come from a different angle and we respect that fully. We do. They don’t have the backing of a “business” in many cases, but they have a passion and other drivers…..good, bad or looking for a way. We did.

We respect our own team doing this and publishing as “independents” if they choose to. We just see, as a team, that another way is working for us and for the companies who engage us directly to work with them.

In the last 12-24 months, it’s been great to be recognised more and more by large security vendors and other major software and hardware developers as an organisation they can trust to get their appliances, software and overall systems tested before going to market. We’ve built a reasonably good reputation through word-of-mouth and there are now a lot of systems out there that have been fixed up due to our work.

Given these direct relationships, it has been a slight negative from a broader marketing perspective for Securus Global in that public advisories are not there. That said, it does align with why we started in the first place and with our approach to the industry overall…..it always has: to improve, to make things better than they were.

Marketing follows. :)

———————————————————————————————-



Commodity: (from Wikipedia): A commodity is a good for which there is demand, but which is supplied without qualitative differentiation across a market. It is fungible, i.e. the same no matter who produces it. Examples are petroleum, notebook paper, milk or copper.

Would you classify hacking, security testing, targeted vulnerability analysis and research, and the other activities that in one form or another come under the banner of “penetration testing”, as a commodity? Many do…..wrongly!

It seems to be a pattern that the larger the consulting organisation, the greater the drive to rapidly “commoditise” those activities that are not core to the business, that stress* resource capabilities and that have lower profit margins (but are a necessary part of the business in order to compete). The end result is generally an attempt to outsource these capabilities to cheaper labour to relieve the “stress” and to increase profit margins. (*“stress”, in the above scenario: the issues, pressures and costs associated with attaining and maintaining exceptional quality people.)

Is the assumption that, with a little bit of training and the right tools, anyone can deliver this [penetration testing] work insulting to the people who are experts in this field? Of course it is. (Even outside the context of “commoditisation”, the topic at hand, you can question validity on skillset alone for individuals and/or organisations who don’t view it as a commodity service but rather market themselves as experts when they are not.)

I can see an argument for the commoditisation of penetration testing – but only in a world where nothing is changing, tools mature to cover most likelihoods and scenarios, and a general awareness/expertise level where such knowledge is no longer the differentiator it once was. This is not the world we live in.

Historically we have learned that “outsourcing” can have a detrimental impact upon quality of service, and can reduce ownership, awareness, oversight, visibility…and security. Valid points in this discussion in my opinion.

The other day I read somewhere someone promoting “Penetration Testing from the Cloud”. WTF is that? If a client of mine is rolling out a new technology, hardware, software or both, is some outsourcing mob going to be able to effectively test the security of this new system for my client? I doubt it! For businesses dealing with organisations that have self-determined that penetration and other security testing can be done by sweatshops, will they know that their business is being serviced by such sweatshops (fronted by a reputable name)?

I acknowledge you can commoditise certain things, well, to a degree at least…..and even then, you still have to have the caveats in place. As an industry, we are still young and struggling to get even the fundamentals of Information Security across to the broader community. Commoditisation in most cases for our industry is detrimental to the cause. Taking the intelligence out of things is just plain stupidity. Realising that it [commoditisation] is being done in most cases to increase the profitability of a company whose focus is purely to make money from you should make you question and thoroughly assess what it is you are buying and whether it really is providing benefits to you.

You can’t run an F1 car on dirty 91 RON. (And if you want to argue that your business is not an F1 car, but rather a Toyota Camry, ask the owner or CEO if he agrees). :)

———————————————————————————————-



AusCERT 2010 kicks off tonight. I’ll be there this year thanks to SC Magazine.

If you can’t make it, check out the almost live Twitter feed for the latest as reported by attendees, media and others, here and here.

Feel free to post your thoughts and comments on the event as responses.

———————————————————————————————-



By Declan Ingram.

Thought-provoking read over at the Register: Feds seize $143M worth of bogus networking gear.

While the article is mainly about counterfeit hardware (Cisco etc.) seized in the US, some of which was used by the US Marines in Iraq, there are two parts that got my attention:

1) The counterfeit gear could have backdoors. (Well yes, and this is not news for many…I’d be surprised if some or most doesn’t).

2) This lovely quote: “In May of 2008, Cisco officials said they had no evidence that any of the counterfeit networking gear contained backdoors”. If these are the same officials who have missed all the other security issues to date (and in the future), then I’m not sure this statement makes me feel any better.

This reminds me of a friend of mine who years ago purchased some pirated operating systems on CD in Malaysia. They had been backdoored and, once installed, allowed anyone on the Internet to gain full access. I had a giggle, I must say. You really get what you pay for…..and more. (Remote Support?) :)

The (potential) security problems of pirated software have been well documented for some time. Most will have looked at backdoored ‘cracks’ for proprietary software etc., but bogus hardware? Backdoored from day 0? Cisco gear is generally top shelf, so more likely to get noticed, but what about lesser brands or even your generic ‘sourced’ components? The flash drive from eBay? The cheap video card you got for your server so you can install the OS? Have a think about it.

Could organised crime use this to offset the cost of components? OK, that could well just be pure FUD……but.. :)

I bet some, (most?) bogus gear comes from the same factory as the legit gear. Stands to reason. If it is backdoored, what assurance do we have that the legit gear isn’t? How would we, (or anyone else) ever know? Few know where to start in assessing the security of their supply chain.

———————————————————————————————-



With the Ruxcon conference shifting to Melbourne this year (details here), the Ruxcon crew have also kicked off a monthly meetup in Melbourne. Details here. Great for Melbourne, and with airline prices so cheap, maybe worth considering flying into Melbourne for the meetups.

Sydney OWASP has also restarted. Details here. (Melbourne OWASP is also on the go. Details here, but get on the mailing list to get the updates for all the sessions as I don’t think the site is up to date).

If Security Management and more “generalist” security is your style, AISA (Australian Information Security Association) could be for you. Information on AISA here.

Good to see the industry busy and some great sessions in the pipeline.

———————————————————————————————-



This is a question I threw onto Twitter yesterday. Some responses so far, in reading order with each reply’s parts joined up. (Track here @ddrazic, though the thread could dive into history):

- @securityninja RT @DDrazic: Wonder why more web developers don’t follow infosec ppl on Twitter. A source of great information that impacts their field.
- @fassyfassy @DDrazic mostly they aren’t in charge of being able to fix security problems. just means more work for them if they identify them to management. sad but true i suppose.
- @fassyfassy @DDrazic result is there’s still business for you guys :P howdy anyway, long time no speak!
- @securityninja @DDrazic I think the two (dev and info sec) are still seen as two separate things. Virtually no security talks at developer conferences etc
- @securityninja @DDrazic Same worldwide I imagine. I keep coming back to the cons, lots of people talking about application security but very few are doing it at dev conferences. We talk about app sec to security people at security conferences with a few developers in the crowd
- @jeremiahg @DDrazic Re: because “security” isn’t (yet) a major skill that leads developers to better employment opportunities.

I’m not saying Information Security Professionals are it! Most couldn’t do anything close to what the talented developers out there can in terms of product…But those infosec people who excel in Web Application and General Application security can rip apart applications that are insecure and turn that piece of code into a nightmare for anyone using it. We see it every day.




(Also posted this as a question on Twitter; @ddrazic).

Does anyone know a website that documents and posts links to all the more well known Annual Security Surveys and Reports? So many come out, it’s hard to keep track of them all these days.

While I take most with a grain of salt, some do have some decent substance in there. Which ones do you read and which ones do you brush aside? Keen on your thoughts.

———————————————————————————————-


