Liverpool City Council has burned down. Reported here in the SMH.

Listening to the Mayor being interviewed on radio this afternoon; you get the sense that the data loss and impact will be huge. I don’t think she [the Mayor] seems to get what a problem they have. They believe they have backup tapes “from last Thursday”, but don’t seem to have computers to restore them to. They believe they’ll have *a* computer in a temporary office, “but no email”.

Listening to this, I just thought, what a f**king disaster! What genius decided that a disaster recovery plan (DRP) was not worth having? (Unless of course this has all been reported incorrectly.) If not, this will be a great case study.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



Let it “anger” the “Christian Lobby”: Coalition filter stance angers Christian lobby.

Would love to get some bible quotes to establish any precedent for their position. Anyone? :-) (Assuming you abide by, and accept that as, “law”.)

———————————————————————————————-



The Cloud Security Alliance has announced a new cloud security certification here.

No attempted wit, humour nor sarcasm could do this justice so I will sign off now.

———————————————————————————————-

Posted in: Dumb Security, WTF


And the proudest moment: Grand Final Premiers 2005. (Had to add that. Never thought it would happen!)

Could almost buy Trend Micro now. Who says marketing doesn’t sell?! :)

———————————————————————————————-

Posted in: Ford Falcon, Too cool, WTF


Commodity: (from Wikipedia): A commodity is a good for which there is demand, but which is supplied without qualitative differentiation across a market. It is fungible, i.e. the same no matter who produces it. Examples are petroleum, notebook paper, milk or copper.

Would you classify hacking, security testing, targeted vulnerability analysis and research, etc. – activities that in one form or another come under the banner of “penetration testing” – as a commodity? Many do…..wrongly!

It seems to be a pattern that the larger the consulting organisation, the greater the drive to rapidly “commoditise” those activities that are not core to the business, stress* resource capabilities and have less profit margin (but are a necessary part of their business to compete). The end result is generally an attempt to outsource these capabilities to cheaper labour to relieve the “stress” and to increase profit margins. (*“stress”, in the above scenario: the issues, pressures and costs associated with attaining and maintaining exceptional quality people.)

Is the assumption that, with a little bit of training and the right tools, anyone can deliver this [penetration testing] work insulting to the people who are experts in this field? Of course it is. (Even outside the context of “commoditisation”, the topic at hand, you can argue validity on skillset alone for individuals and/or organisations who don’t view it as a commodity service, but rather market themselves as experts when they are not.)

I can see an argument for the commoditisation of penetration testing – but only in a world where nothing is changing, tools mature to cover most likelihoods and scenarios, and a general awareness/expertise level where such knowledge is no longer the differentiator it once was. This is not the world we live in.

Historically we have learned that “outsourcing” can have a detrimental impact upon quality of service, reduced ownership/awareness/oversight/visibility…and security. Valid points in this discussion in my opinion.

The other day I read somewhere someone promoting “Penetration Testing from the Cloud”? WTF is that? If a client of mine is rolling out a new technology – hardware, software or both – is some outsourcing mob going to be able to effectively test the security of this new system for my client? I doubt it! For businesses dealing with organisations that have self-determined that penetration and other security testing can be done by sweatshops, will they know that their business is being serviced by such sweatshops (fronted by a reputable name)?

I acknowledge you can commoditise certain things – well, to a degree at least…..and even then, you still have to have the caveats in place. As an industry, we are still young and struggling to get even the basics/fundamentals of Information Security across to the broader community. Commoditisation in most cases for our industry is detrimental to the cause. Taking the intelligence out of things is just plain stupidity. Realising it [commoditisation] is being done in most cases to increase the profitability of a company whose focus is purely to make money from you should make you question and thoroughly assess what it is you are buying and whether it really is providing benefits to you.

You can’t run an F1 car on dirty 91 RON. (And if you want to argue that your business is not an F1 car, but rather a Toyota Camry, ask the owner or CEO if he agrees). :)

———————————————————————————————-



Dear AusCERT Delegate

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and has been known since 2008.

The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server, whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

If you have inserted the USB device into your Microsoft Windows machine, we suggest that you contact your IT administrator for assessment, remediation and removal, or you may want to take the precaution of performing the steps below.

Steps to remove the malware:

1. Turn off System Restore
[Start > Programs > Accessories > System Tools > System Restore]
Turning off System Restore will enable your anti virus software to clean the virus from both your current system and any restore points that may have become infected.

2. Update your antivirus tool with the latest antivirus definitions
[available from your anti virus vendor of choice].

3. Perform a full system scan with your AV tool to confirm the existence of the infection. If malware is detected, allow your AV to complete a clean.

4. On completion of this process, complete a second scan using a different anti virus product. Free anti virus products are available from known companies such as AVG, Avira, Panda Software, or Trend Micro.

5. Once a second scan has been performed and it is determined that your workstation is free of any known malware, as a precautionary measure we recommend that you perform a back up of all vital files on your workstation and perform a full re-installation of the operating system. This process will remove the risk of other unknown or undetected malware that may be present on your machine.

If you experience difficulties with the above steps, please contact the IBM Security Operations Team at secops@au1.ibm.com. An IBM technical support person will contact you by phone to assist you.

We regret any inconvenience that may have been caused.

Glenn Wightwick
Chief Technologist
IBM Australia
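The notice above describes the classic removable-media infection path: Windows reads the autorun file in the root of the key (the file Windows actually honours is autorun.inf) and launches the executable it points at. The script below is an added example, not part of the IBM notice or of the blog, showing the two checks an administrator would want after an incident like this: whether the host's AutoRun policy still allows removable media to launch anything, and whether any attached USB key carries an autorun.inf / setup.exe pair in its root. It reports the files with SHA-256 hashes for submission to an AV vendor rather than running them. It assumes an elevated PowerShell 4 or later prompt (Get-FileHash is not available earlier); the -Harden switch is this script's own name for the optional policy change. The NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer is the standard Windows policy for this.

```powershell
# Added example, not from the IBM notice or the blog: audit (and optionally
# harden) AutoRun handling on a Windows host, then list any autorun.inf or
# setup.exe in the root of attached removable drives with hashes you can hand
# to your AV vendor instead of executing the files.
# Run from an elevated PowerShell prompt. -Harden is this script's own switch.
[CmdletBinding()]
param(
    [switch]$Harden
)

# Policy value controlling AutoRun per drive type; 0xFF disables it for all types.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns the current DWORD, or $null when the policy has never been set.
    $props = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Set-AutoRunDisabled {
    # Creates the policy key if needed and disables AutoRun for every drive type.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

function Get-RemovableDriveFindings {
    # DriveType 2 = removable disk, which is how USB keys are reported by WMI/CIM.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        foreach ($name in 'autorun.inf', 'setup.exe') {
            $path = "$($d.DeviceID)\$name"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden/system files
            [pscustomobject]@{
                Drive  = $d.DeviceID
                File   = $name
                Bytes  = $item.Length
                Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

$policy = Get-AutoRunPolicy
if ($null -eq $policy) {
    Write-Output "$ValueName is not set; the Windows default applies, so removable media may AutoRun."
} elseif ($policy -eq $AllDrives) {
    Write-Output "$ValueName = 0xFF: AutoRun is disabled for all drive types."
} else {
    Write-Output ("{0} = 0x{1:X2}: AutoRun is still allowed for some drive types." -f $ValueName, $policy)
}

if ($Harden) {
    Set-AutoRunDisabled
    Write-Output "Set $ValueName to 0xFF; the change applies at next logon."
}

$findings = @(Get-RemovableDriveFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No autorun.inf or setup.exe in the root of any removable drive.'
} else {
    Write-Output 'Found in the root of removable media (do not run these; give the hashes to your AV vendor):'
    $findings | Format-Table -AutoSize
}
```

Run it without arguments first to see the current state; the policy check alone tells you whether inserting a key like the one in the notice would have launched anything. The hashes are the useful artefact for the AV vendor and for the second-opinion scan the notice recommends, and reading the files with Get-FileHash does not execute them.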
———————————————————————————————-



There are only a few security focussed companies I trust(ed), and PGP was one of them. They’ve now fallen into the hands of this mob.

One of my all-time favourite posts here.

A case of too much money in the bank and, on the flipside, easy money. It’s business I suppose.
———————————————————————————————-

Posted in: Bad Stuff, WTF


I’d love to know who’s reading this post here. It is by far the most read post on Beast or Buddha according to the stats I have. It is one, though, that explains why I rarely post lately, or rather why I go through times of little inspiration. (Or times I feel I have said it before.)

What you do get from me here is certain things – not always watered down, but only what I can say. At a high level, uncut thoughts, but gees, I do wish I could have a diary here of what we see day in and day out. That would make for some reading!!…if not for NDAs and other contracts. I suppose you have to read between the lines sometimes here, but even then, not close! It is a scary world in IT…..trust us…..it really is!

———————————————————————————————-

Posted in: WTF


- Did Tony Abbott really say we don’t need better Internet bandwidth and speeds? Sounds that way. Example. Don’t you hate it when politics gets in the way of growth and improvements? In Australia, this is the norm sadly. On the flipside I suppose, you could argue that Conroy and co. have struggled with the NBN project from the outset. Well, it seems that way to me. Check out some history and delivery dates here.

- Have things gone a bit quiet on the Internet Filter side of things again? It happens, and just as you think (hope) it’s going away, it pops back up again. Had some interesting chats with Kate Lundy’s office about this a little while ago. Thanks to Kate, Pia and team for taking our thoughts on board. If interested, the comments and opinions we put forward were in line with previous postings here on Beast or Buddha (as per previous link).

Overall, you’d have to say Australia moves very slowly these days in terms of Government and technology. We came out of the blocks quite well, and even up to the early 90s were up there, but we’ve slumped back into being a distant follower and have been for a long time. The last couple of years’ effort from the Government is cementing us into this position. But, while Tony Abbott plays political games, there’s nothing of substance coming from him in this regard to suggest he is an alternative, and the previous government did lay the foundations of our weak e-Economy. Keen on your thoughts…..

———————————————————————————————-



This is a dodgy operation that went bankrupt and did not pay its bills but somehow still exists under the same name?

http://www.commander.com/

Stay away from them. Weird they exist.

———————————————————————————————-

Posted in: Bad Stuff, WTF

