- Wayne from Securus Global did us proud at the DefCon Social Engineering CTF Tournament in Las Vegas recently. It picked up a bit of press coverage. Just a couple of examples from ITNews and InfoWorld. Really demonstrates how someone can target an attack and relatively simply (with the right training, know-how and expertise), own a company. Unfortunately, we don’t see many organisations doing this type of assurance and testing – nor have an interest in it. Keen on your thoughts.

- Louis from Securus Global was involved with the French team that blitzed it at the DefCon Hacking CTF. Both Wayne and Louis, along with other Securus Global team members will be doing a few presentations in Melbourne and hopefully Sydney soon on various topics including penetration testing, web application security, social engineering and others. Stay tuned to our website as we kick off again our series of Breakfast Briefs and Technical Sessions in Q4, 2010.

- This is pretty cool. The character in a new novel with a hacker as one of the leads is based upon Dean Carter. Reported here at ZDNet. Who’s going to play Dean in the movie will be interesting.

- Checkout the Australian Information Security Bloggers Directory and see what the local guys are up to.

- Local scene roundup here.

- In numerous links above, you’ll see Securus Global has a new website. It’s a WIP (again). Websites and website development is a pain. Too much information, too little information….can you win? We’re better at testing and breaking them than we are at making our own I reckon but that’s an old story. Would love to hear from people on their thoughts on which security organisation has a good website. Just curious…. :)

- With the election just around the corner, we can safely say that neither major party seems to have a clue about technology; the Internet, eCommerce and everything else related. Few if any of the issues and questions I have posted here are being, or will be, addressed. I do ask again though, where has the money that Stephen Conroy promised, and has used in his marketing for the Internet Filter, ie; the millions for additional policing for child protection on the Net, gone? Almost 3 years of hearing about it. No answers.

Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

I’ve talked about this before so I won’t rant on again too much about my position….gees, did I have a definitive one? :)

I agree with the last comments on the last post here from GoogleHack. If the research community hasn’t been able to nail this, then you have issues. If a Google takes a stand – regardless whether “official” or not, it will impact heavily on the debate. It’s Google! This is a really bad thing in my opinion. A “standard” has been set….at least for the time being.

Securus Global has taken the position that we judge all vuln research findings on a case by case basis. The upshot, to the detriment of our marketing, is that we’re rarely publishing vulnerability advisories. This may upset some, but we’ve almost come to the conclusion that as a business, it’s no longer a cool thing to do (all the time).

Now please don’t get me wrong……independent researchers publishing stuff, come from a different angle and we respect that fully. We do. They don’t have the backing of a “business” in many cases, but they have a passion and other drivers…..good, bad or looking for a way. We did.

We respect our own team doing this and publishing as “independents” if they choose to. We just see, as a team, that another way is working for us, and for the companies who engage us directly to work with them.

In the last 12-24 months, it’s been great to be recognised more and more by large security vendors and other major software and hardware developers as an organisation they can trust to get their appliances, software and overall systems tested before going to market. We’ve built a reasonably good reputation through word-of-mouth and there’s now a lot of systems out there that have been fixed up due to our work.

Given these direct relationships, it has been a slight negative from a broader marketing perspective for Securus Global in that public advisories are not there. Saying that, it does align with why we started in the first place and it aligns with our approach to the industry overall…..always has – to improve, to make things better than they were.

Marketing follows. :)


Commodity: (from Wikipedia): A commodity is a good for which there is demand, but which is supplied without qualitative differentiation across a market. It is fungible, i.e. the same no matter who produces it. Examples are petroleum, notebook paper, milk or copper.

Would you classify hacking, security testing, targeted vulnerability analysis and research, etc – activities that in one form or another come under the banner of “penetration testing” – as a commodity? Many do…..wrongly!

It seems to be a pattern that the larger the consulting organisation, the greater the drive to rapidly “commoditise” those activities that are; not core to the business, stress* resource capabilities and have less profit margin, (but are a necessary part of their business to compete). The end result is generally an attempt to outsource these capabilities to cheaper labour to relieve the “stress” and to increase profit margins. (*“stress”, in the above scenario: issues, pressures and costs associated with attaining and maintaining exceptional quality people).

Is the assumption, that with a little bit of training and the right tools, anyone can deliver this [penetration testing] work, insulting to the people who are experts in this field? Of course it is. (Even outside the context of “commoditisation”, the topic at hand – you can argue validity on skillset alone for individuals and/or organisations, who don’t view it as a commodity service, but rather market themselves as experts when they are not).

I can see an argument for the commoditisation of penetration testing – but only in a world where nothing is changing, tools mature to cover most likelihoods and scenarios, and a general awareness/expertise level where such knowledge is no longer the differentiator it once was. This is not the world we live in.

Historically we have learned that “outsourcing” can have a detrimental impact upon quality of service, reduced ownership/awareness/oversight/visibility…and security. Valid points in this discussion in my opinion.

The other day I read somewhere someone promoting; “Penetration Testing from the Cloud”? WTF is that? If a client of mine is rolling out a new technology – hardware, software or both, is some outsourcing mob going to be able to effectively test the security of this new system for my client? I doubt it! For businesses dealing with organisations that have self-determined that penetration and other security testing can be done by sweatshops, will they know that their business is being serviced by such sweatshops, (fronted by a reputable name)?

I acknowledge you can commoditise certain things – well to a degree at least…..and even then, you still have to have the caveats in place. As an industry, we are still young and struggling to get even the basics/fundamentals across of Information Security to the broader community. Commoditisation in most cases for our industry is detrimental to the cause. Taking the intelligence out of things is just plain stupidity. Realising it [commoditisation] is being done in most cases to increase the profitability of a company whose focus is purely to make money from you should make you question and thoroughly assess what it is you are buying and whether it really is providing benefits to you.

You can’t run an F1 car on dirty 91 RON. (And if you want to argue that your business is not an F1 car, but rather a Toyota Camry, ask the owner or CEO if he agrees). :)


This is a question I threw onto Twitter yesterday. Some responses so far. (Track here @ddrazic though thread could dive into history):

- jeremiahg: @DDrazic Re: because “security” isn’t (yet) a major skill that leads developers to better employment opportunities.
- securityninja: @DDrazic it at dev conferences. We talk about app sec to security people at security conferences with a few developers in the crowd
- securityninja: @DDrazic Same worldwide I imagine. I keep coming back to the cons, lots of people talking about application security but very few are doing
- securityninja: @DDrazic I think the two (dev and info sec) are still seen as two separate things. Virtually no security talks at developer conferences etc
- securityninja: RT @DDrazic: Wonder why more web developers don’t follow infosec ppl on Twitter. A source of great information that impacts their field.
- fassyfassy: @DDrazic result is there’s still business for you guys :P howdy anyway, long time no speak!
- fassyfassy: @DDrazic management. sad but true i suppose.
- fassyfassy: @DDrazic mostly they aren’t in charge of being able to fix security problems. just means more work for them if they identify them to

I’m not saying Information Security Professionals are it! Most couldn’t do anything close to what the talented developers out there can in terms of product…But, those infosec people who excel in Web Application and General Application security can rip apart applications that are insecure and turn that piece of code into a nightmare for anyone using it. We see it everyday.


(Also posted this as a question on Twitter; @ddrazic).

Does anyone know a website that documents and posts links to all the more well known Annual Security Surveys and Reports? So many come out, it’s hard to keep track of them all these days.

While I take most with a grain of salt, some do have some decent substance in there. Which ones do you read and which ones do you brush aside? Keen on your thoughts.


A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out “Emerging Threats” presentation, (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.


It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:


- Didn’t the 4 Corners Episode; “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons; (1) I didn’t think anything new and worthwhile was worth highlighting, and, (2) People were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that). Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so in my opinion. I welcome your thoughts here.

- Which leads me to discussions and analysis on who are the “experts”. Anton Chuvakin, our Qualys and PCI friend ponders the question here; “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled; “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter; here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode responded to this here.

- Hackers vs Federal Police was a big story this week here as reported in the SMH; “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well at least you’d bet on it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one: “How not to setup a Hotel Safe”; I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.

Just got back and saw this was confirmed:

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assessment requirements, clients need to have coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There were a huge number of false positives.
  • There were many false negatives. (Probably more than we know :-) )
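The three criteria above (false positives, false negatives and code coverage) can be scored mechanically once a tester has verified the findings by hand. The following is an added example, not code from the post's author or from Securus Global; the scanner output, verified issues and endpoint lists are constructed sample data, and the class names and URL scheme are assumptions.

```python
# Added example (constructed data): scoring a web app scanner's findings
# against manually verified ground truth on false positives, false negatives
# and code coverage, as the post describes judging AppScan/Acunetix/Burp.
from urllib.parse import urlparse

# Issues a skilled tester confirmed by hand: (path, parameter, class). Constructed.
VERIFIED = {
    ("/login", "user", "sqli"),
    ("/search", "q", "xss"),
    ("/admin/export", "id", "idor"),
    ("/profile", "bio", "xss"),
}

# Raw scanner report (constructed). Scanners emit duplicates and vendor-specific
# names, so each finding is normalised before it is compared with VERIFIED.
SCANNER_RAW = [
    {"url": "https://app.example/login?user=x", "param": "user", "type": "SQL Injection"},
    {"url": "https://app.example/login?user=y", "param": "user", "type": "SQL Injection"},
    {"url": "https://app.example/search?q=1", "param": "q", "type": "Cross-Site Scripting"},
    {"url": "https://app.example/search?q=1", "param": "q", "type": "SQL Injection"},
    {"url": "https://app.example/help", "param": None, "type": "Path Disclosure"},
]

# Endpoints the app is known to have (from source or a manual walk-through)
# versus the endpoints the scanner actually requested. Constructed.
KNOWN_ENDPOINTS = {"/login", "/search", "/admin/export", "/profile", "/help", "/api/transfer"}
CRAWLED_ENDPOINTS = {"/login", "/search", "/help"}

# Assumed mapping from vendor finding names to a common class label.
CLASS_MAP = {"sql injection": "sqli", "cross-site scripting": "xss",
             "insecure direct object reference": "idor", "path disclosure": "info"}


def normalise(raw):
    """Collapse raw scanner output to a set of (path, param, class) tuples."""
    out = set()
    for f in raw:
        path = urlparse(f["url"]).path
        cls = CLASS_MAP.get(f["type"].lower(), f["type"].lower())
        out.add((path, f["param"], cls))
    return out


def score(findings, verified, known, crawled):
    """Return FP/FN counts, precision, recall and endpoint coverage."""
    tp, fp, fn = findings & verified, findings - verified, verified - findings
    # Misses on endpoints the scanner never reached are a coverage failure,
    # not a detection failure: no amount of signature tuning would find them.
    unreached_fn = {v for v in fn if v[0] not in crawled}
    return {
        "true_positives": len(tp), "false_positives": len(fp),
        "false_negatives": len(fn), "fn_due_to_coverage": len(unreached_fn),
        "precision": len(tp) / len(findings) if findings else 0.0,
        "recall": len(tp) / len(verified) if verified else 0.0,
        "coverage": len(crawled & known) / len(known),
    }
```

On the constructed data the scanner scores 0.5 precision and 0.5 recall, and both misses sit on endpoints it never crawled, which is the "manual work to get coverage" problem the list above describes.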

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketed to coders and auditors who do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is Burp: it’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.
