Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well-known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much, but they may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

A look at Australian Telecoms……

June 28th, 2008 Drazen Drazic

Enjoyed this post at Wade’s on How the Australian Carriers Missed it.

Posted in Bad Stuff, Research, To cool | 1 Comment »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

It must be the Chinese Hackers again….

May 9th, 2008 Drazen Drazic

Is there anything bad happening on the net not being blamed on “Chinese Hackers”? Forget the story….same old stuff. Some of the comments here are priceless:

www.theregister.co.uk/2008/05/08/belgium_india_china_warnings/comments/

Now just in case there is some language issue here in translation, this is a sarcastic post and in no way talking bad about Chinese Hackers. Point those probes in another direction. :-)

Posted in Bad Stuff, Dumb Security, To cool, WTF, cyber crime | 2 Comments »

LOL - Chaser Team gets off.

April 28th, 2008 Drazen Drazic

No surprise the Chaser dudes got off.

Previous post on this and full clip. This was a classic!

Posted in Bad Stuff, Dumb Security, To cool, WTF | 1 Comment »

Metl getting some major press…I hear the groupies are flocking in also now…

March 5th, 2008 Drazen Drazic

Adam Boileau, our old colleague, is getting some serious traffic for this now, 18 months down the track. Why freeze some RAM?

ComputerWorld

Sydney Morning Herald

Gees, even Slashdot! :-)

I hear even some guitar mags may be picking this up also now based upon the pic in The Age and The Sydney Morning Herald. Onya Metl!

Additions: I just fixed the SMH link with the photo. Also, it was interesting to talk with Patrick Gray today about this:
“Hi Draz — your readers might want to hear the Risky Business interview I did with Metl about this whole thing. The Sydney Morning Herald actually picked up this story from the podcast and linked back to it… no one else bothered. Que sera, what can you do?”
That’s a bit slack not passing the credit back to where it’s due. Anyway, here is the original source from Pat: Risky Business #52.

Posted in Forensics, Research, To cool, news | 3 Comments »

Not too dissimilar to security consulting jobs being negotiated….

March 4th, 2008 Drazen Drazic

Click here if the video is not working:
http://www.youtube.com/watch?v=SRuCzIO2wb0

Posted in Bad Stuff, To cool | 4 Comments »

The Big Bang Approach to Vulnerability Management

February 18th, 2008 Drazen Drazic

An ongoing vulnerability assessment/management program is probably the most proactive tool-based measure an organisation can take to identify weaknesses in infrastructure, operating systems and mainstream applications (the web application testing abilities of such systems are still developing). It still amazes me that many organisations don’t do this, but that’s another story.

The toughest part of VA, as any organisation that has implemented it will tell you, is not selecting a solution (QualysGuard is the standout choice :-)), nor implementing it, nor even the initial scanning. It is dealing with the deluge of vulnerabilities reported and deciding where to start fixing them. That first report is an eye-opener for most organisations, and this is where 90% of organisations get bogged down! It’s here that many organisations stall, and some stall big time!

We’ve been working with organisations on vulnerability assessment/management programs for years so I thought I would talk about the most effective approach that we have seen to implementing a program that works. The following is not for everyone, but if you can make it happen, it will make your life easier and your organisation more secure in the quickest time.
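As an added example (not part of this post, whose approach sits behind the cut), here is one way to get a starting point out of that first report: score each finding by its CVSS base score adjusted for network exposure and asset criticality, then rank by remediation rather than by individual host, so the single fix that removes the most risk across the estate comes first, and diff the current scan against the previous one so the ongoing program chases what is new. The findings, field names and weights are constructed for illustration and are not from any scanner’s export format.

```python
"""Triage of a vulnerability-scan export: turn the deluge into an ordered
work list. Added example; the scoring weights are assumptions, not a standard."""
from collections import defaultdict

# Constructed sample export (not real scan data). Each finding is one
# (host, remediation) pair as a scanner would report it.
FINDINGS = [
    {"host": "web-01", "fix": "Apply vendor patch set for web server",
     "cvss": 9.8, "exposure": "internet", "criticality": "high"},
    {"host": "web-02", "fix": "Apply vendor patch set for web server",
     "cvss": 9.8, "exposure": "internet", "criticality": "high"},
    {"host": "db-01", "fix": "Apply vendor patch set for database",
     "cvss": 9.0, "exposure": "internal", "criticality": "high"},
    {"host": "wks-17", "fix": "Disable legacy SMB protocol",
     "cvss": 7.5, "exposure": "internal", "criticality": "low"},
    {"host": "wks-18", "fix": "Disable legacy SMB protocol",
     "cvss": 7.5, "exposure": "internal", "criticality": "low"},
    {"host": "wks-19", "fix": "Disable legacy SMB protocol",
     "cvss": 7.5, "exposure": "internal", "criticality": "low"},
    {"host": "print-01", "fix": "Change default SNMP community string",
     "cvss": 5.0, "exposure": "internal", "criticality": "low"},
]

# Assumed weights: an internet-facing host counts fully, an internal one
# less; a high-value asset counts fully, a low-value one less.
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.7, "internal": 0.4}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}


def finding_score(finding):
    """CVSS adjusted for where the host sits and what it is worth."""
    return round(finding["cvss"]
                 * EXPOSURE_WEIGHT[finding["exposure"]]
                 * CRITICALITY_WEIGHT[finding["criticality"]], 2)


def rank_findings(findings):
    """Per-host view: highest adjusted score first (stable for ties)."""
    return sorted(findings, key=finding_score, reverse=True)


def rank_fixes(findings):
    """Per-remediation view: total risk removed and hosts touched by each
    fix, largest total first. This is the list to hand to operations."""
    totals = defaultdict(lambda: {"risk": 0.0, "hosts": set()})
    for f in findings:
        totals[f["fix"]]["risk"] += finding_score(f)
        totals[f["fix"]]["hosts"].add(f["host"])
    ranked = [(fix, round(v["risk"], 2), sorted(v["hosts"]))
              for fix, v in totals.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def new_since(previous, current):
    """Findings in the current scan that the previous scan did not report:
    the ongoing program's first stop each cycle."""
    seen = {(f["host"], f["fix"]) for f in previous}
    return [f for f in current if (f["host"], f["fix"]) not in seen]


if __name__ == "__main__":
    for fix, risk, hosts in rank_fixes(FINDINGS):
        print(f"{risk:6.2f}  {fix}  ({len(hosts)} hosts: {', '.join(hosts)})")
    # Pretend the previous scan only saw the first five findings.
    for f in new_since(FINDINGS[:5], FINDINGS):
        print("NEW:", f["host"], f["fix"])
```

Note how the remediation view orders the work: the web server patch (two internet-facing hosts) dominates, the single database patch outranks disabling SMB on three low-value workstations even though that fix touches more hosts, and the SNMP change sits last. Raw finding counts would have put the workstation fix first.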

Read the rest of this entry »

Posted in Risk Management, To cool, Vulnerability Management, governance | 8 Comments »

McAfee: Email is not intended for sending attachments….

January 7th, 2008 Drazen Drazic

Yep, you heard that right. Background: one of the few Windows systems we use cannot send any attachments with email. We try everything and narrow it down to McAfee’s product. Numerous emails to support were like talking to a brick wall…. but you got to love this comment from the McAfee dude (thanks Dec), who tells us that email is not intended for file attachments. Trust me, there’s no hidden context to this email. Gees….here’s me doing the wrong thing for the last 15 odd years. Check this out! (oh, and by the way, this is just one part of a large email trail to get the problem fixed….many more funny parts to it….Dec….you want to post them?)….BTW, we gave up in the end. :-)

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Ford Falcon, To cool, WTF | 3 Comments »

Is every computer in the world compromised? They’re all owned out of the Netherlands according to the Sydney Morning Herald!

December 18th, 2007 Drazen Drazic

From a long story about lots of things from the SMH.

“In Australia one zombie army was found to have 400,000 computers under its power while in the Netherlands another was in control of 1 billion computers putting millions of personal details into the wrong hands. ”

That is a lot of computers to manage and control. We’re in big trouble. :-)

Related story on number of computers: http://www.techworld.com/news/index.cfm?NewsID=9119

Posted in Bad Stuff, To cool, WTF | 3 Comments »

The coolest dude of all…..

November 30th, 2007 Drazen Drazic

http://www.deanmartin.com/

This site changes with time but the man is the man.

Posted in To cool | 4 Comments »

The conspiracy theory returns and it’s 2007…..

November 24th, 2007 Drazen Drazic

Let me start by saying that many “experts” in our industry that I have spoken to also have a very strong opinion on this - many in line with what I am about to throw out there.

None have spoken out to my knowledge, given they feel they will be branded as conspiracy theorists and their reputations will be questioned and tarnished.

Are some “good guy” vendors doing “bad” things?
Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Research, To cool, WTF, cyber crime | 2 Comments »

Dec and Brendan talk about Kiwicon 2007

November 23rd, 2007 Drazen Drazic

Kiwicon, New Zealand’s first hacker conference, took place in Wellington over last weekend. It was conducted to a world-class standard, with great speakers and smooth running from start to finish - our thanks go out to the organisers for all their efforts.

There were many familiar names, including Peter Gutmann, Brett Moore, and Adam ‘Metlstorm’ Boileau, as well as many first-time speakers who were warmly welcomed to the scene.

There were several presentations highlighting the effectiveness of old-school techniques against modern infrastructure, as well as introducing new techniques that are effective against legacy infrastructure.
Read the rest of this entry »

Posted in Research, To cool, Vulnerability Management, Web Application Security, cyber crime | 5 Comments »

Just stumbled across this Frank Abagnale interview…..

November 17th, 2007 Drazen Drazic

http://www.computerworld.com.au/index.php/id;1699361144;fp;4;fpid;16

This is good.

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, cyber crime, governance | 1 Comment »

One of the best CIO stories I have read in a while…..

November 14th, 2007 Drazen Drazic

Every so often you come across a good story.

This ZDNet Australia interview with Cesare Tizi, CIO of AGL, by Munir Kotadia and Alex Serpo proves there are some good CIOs out there who seem to understand security and their role in protecting an organisation’s Information and Technology assets. Unfortunately, Cesare is a rare beauty, but hopefully others [CIOs] will learn from the likes of him.

I’m taking the story at face value and I have noted the response/comment to the story on the ZDNet site.

Posted in Risk Management, To cool, cyber crime | 5 Comments »

Too good not to highlight……

November 1st, 2007 Drazen Drazic

I know this one about the House of Lords debating the liquid ban has done the rounds, but gees it’s worth a read. “The Register” dudes cover it well.

Posted in Bad Stuff, Dumb Security, Ford Falcon, To cool, WTF | 1 Comment »