The Pope is coming so you must be nice or you’ll be in trouble…

July 3rd, 2008 Drazen Drazic

By straxd

Nobody expects an Australian inquisition….

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; coincidentally written by Julian of Chaser fame. One could put forward the argument that this has been set up for the Chaser team and that other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone! :-)


Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, WTF | 15 Comments »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

E.g. insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If anyone (like myself) has ever tried to build a rocket (not the WMD type), you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).


Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

IT Media - Cutting Edge Reporting

June 12th, 2008 Drazen Drazic

By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ‘stories’ need to be highlighted for what they really are - paid advertising.

This time, it’s our old friend at Symantec - schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ‘story’, you ask?


Posted in Bad Stuff, Big Galoot Diatribe, Dumb Security, Industry Specialists Talk, Vulnerability Management, WTF, cyber crime | 15 Comments »

The Common Configuration Scoring System - NIST Draft

June 12th, 2008 Drazen Drazic

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml perhaps.


Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime | No Comments »

Microsoft serves COFEE to the police…and a death sentence to employee!?

May 1st, 2008 Drazen Drazic

By Declan Ingram

Upon speculation that Microsoft had built backdoors into Vista, Niels Ferguson, a developer and cryptographer at Microsoft, wrote:

“The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data… Over my dead body.”

That’s very reassuring… until this was released: “Microsoft device helps police pluck evidence from cyberscene of crime”.


Posted in Bad Stuff, Industry Specialists Talk, Research, WTF, cyber crime | 9 Comments »

Logs - A double-edged sword? Beating PCI Fines by bad security practices?

April 23rd, 2008 Drazen Drazic

By Declan Ingram

PCI clearly states in requirement 10: “Track and monitor all access to network resources and cardholder data.” And rightly so. It goes on to say “Determining the cause of a compromise is very difficult without system activity logs.”

It certainly is. In fact, for nearly all attacks where card data is at stake, it can border on impossible. Enterprise log management is hard. It is expensive, and there are few organisations that do it well. Not only that, but the organisations that do it well are also much more likely to have their general state of security much higher - meaning that (all things being equal) they are less likely to suffer a breach in the first place.

Posted in Industry Specialists Talk, PCI, PCI DSS, cyber crime | 7 Comments »

Big Galoot Diatribe - Superheroes and independence of expert witnesses

March 28th, 2008 Drazen Drazic

The rantings of Craig Chapman, IT Security Legend and good bloke.

I’ve previously drivelled on about the time I was approached at a conference by a couple of computer forensic ‘experts’ from a global IT co.

If you believed their story, these guys were IT super-heroes. The only things missing from this pair of turkeys was their red capes, masks and tight fitting, lycra underpants (although I strongly suspect these were being worn under their tailored suits).


Posted in Big Galoot Diatribe, Forensics, Industry Specialists Talk, cyber crime | No Comments »

Anchored in time and tech?

March 20th, 2008 Drazen Drazic

New Columnist: Donal O Duibhir

Why do we beat our heads against brick walls? Is it a form of mass masochism in Information Technology? Who built the walls? Who architected the building, and did they realise the building was supposed to travel in time like Doctor Who’s tardis while repelling alien invaders? …all the while the owners, masters and operators changing every so often without leaving enough intellectual property in the form of documentation or related artefacts… Why is this?


Posted in Industry Specialists Talk, Uncategorized | 7 Comments »

Industry CEOs thoughts on things….a chat with Rob and Nick

March 13th, 2008 Drazen Drazic

Nick Ellsmore and Rob McAdam are guys you would term as competitors (to Securus Global), and also just competitors in all they do. As CEOs of SIFT and Pure Hacking respectively, they have a good insight into the IT Security industry in Australia. I thought it would be good to get Nick and Rob onto Beast or Buddha for a chat. (You can’t accuse me of using BorB as purely a marketing tool for SG.)


Posted in Industry Specialists Talk | No Comments »

AISA “In the Hotseat” - Interview with Patrick Gray

March 6th, 2008 Drazen Drazic

The following is an interview I did with Patrick Gray that was published in the recent AISA (Australian Information Security Association) March Newsletter. It will be available under “News” at www.aisa.org.au. As a friend of BorB, and we of his work as one of the few journos who really understand our industry, I thought people would like to see a view on things from the other side. I really enjoyed doing this, but also seeing a refreshing view from the media that differs greatly from the majority of rubbish we are fed daily. The rest is the published interview:


Posted in Industry Specialists Talk | 3 Comments »

Big Galoot Diatribe - If you go out in the woods today….

March 3rd, 2008 Drazen Drazic

The rantings of Craig Chapman, IT Security Legend.

Hold onto your seats people. What I am about to tell you might completely re-shape your ideas on cyber crime. (But I doubt it).

The rather appropriately named “Panda Labs” has conducted a cutting-edge investigation into the murky world of malware writers and cyber criminals. From Secure Computing.

The result of their in-depth investigation? Well, according to Panda Labs, cyber-crooks are collaborating on different forums and “Internet sites”.


Posted in Bad Stuff, Big Galoot Diatribe, Industry Specialists Talk, Research, WTF, cyber crime | 2 Comments »

straxd on Group Psychology, IT Security and PCI…..

February 20th, 2008 Drazen Drazic

From straxd - an unassuming dark horse

I have always had a bit of a fascination with the concept of group psychology. It’s at the same time the most evil and the most successful marketing tactic that a company can launch.

Take De Beers’ creation of the diamond industry as an example. By giving the right general impression the entire psyche of society can change (and the diamond cartel made billions as a result). Coke has converted a version of caffeinated carbonated sugar water into a drink pretty much everyone has every day. The records and movie industries have converted copyright infringement into theft, and created the previously alien idea that artists would stop creating new art if they weren’t millionaires.


Posted in Bad Stuff, Industry Specialists Talk, PCI, PCI DSS, Risk Management, cyber crime | 8 Comments »

Big Galoot Diatribe - BG’s Ostrich Risk Management 101

February 13th, 2008 Drazen Drazic

The rantings of Craig Chapman, IT Security Legend.

BG’s Ostrich Risk Management 101: A Case Study of Organisational Behaviour in Most Enterprises:

1. We don’t know if we’re being ripped off.
2. We don’t want to know if we’re being ripped off.
3. If we acknowledge there’s a problem, we’re obliged to do something about it.
4. If we acknowledge there’s a problem, we might get blamed for the problem occurring in the first place.
5. Don’t measure the problems, therefore, there are no problems.
6. If there are no problems, we must all be doing a great job at preventing problems.
7. Let’s all give ourselves a big pat on the back for preventing problems!

No problems!

BG.

Related Post:
Risk Management - Great in meetings, not so much in practice

Posted in Big Galoot Diatribe, Industry Specialists Talk, Risk Management | 10 Comments »

Busting your IDS/IPS - Declan Ingram’s Kiwicon talk on Risky Business

February 11th, 2008 Drazen Drazic

Declan Ingram, Securus Global Practice Manager talks about IDS/IPS security at Kiwicon 2007. Broadcast here at Patrick Gray’s excellent weekly IT Security broadcast, Risky Business.

Synopsis: “When you consider the system as a whole, there are plenty of ways to bust an IDS / IPS. From the wire to the incident response team we will work through various limitations and examples of potential mischief.”

Posted in Firewalls, IDS, IPS, Industry Specialists Talk, Research, Vulnerability Management, cyber crime | 9 Comments »

Eee PC Default Security - Some Attention Needed

February 11th, 2008 Drazen Drazic

Declan Ingram talks about the news article on Rise Security and the Eee PC:

News this morning of the remote vulnerability in the ASUS EeePC (http://eeepc.asus.com/global/) doesn’t really come as a surprise. Vulnerabilities in default installs are really nothing new.

As an avid EeePC fanboi, this one does annoy me. (FYI - It took us about 4 seconds to do it when I purchased mine a few weeks back…..well a little more, I only slightly exaggerate). The guys at RISE are attacking a vulnerability in Samba - (http://www.zerodayinitiative.com/advisories/ZDI-07-033.html) which was released May 15, 2007.

It’s now Feb 11th, 2008, and as I check the EeePC software update program there is still no update.

C’mon guys - get it together. You can’t ship a custom OS and then not update it. You are using non-open-driver hardware so I can’t easily roll my own choice of OS (which, of course, is www.openbsd.org). The Samba team have made the patches, you have even set up the update channels - this is just being lazy.

Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Research, Vulnerability Management | 2 Comments »

Big Galoot Diatribe - The Buck Stops….Where?

January 12th, 2008 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

Barclays Bank in the UK is reportedly revising its security practices following the rip-off of 10,000 pounds from their own Chairman’s personal account by a fraudster.
http://www.computerworld.com.au/index.php/id;732567044;fp;16;fpid;1

Not surprisingly, Barclays have ‘accepted liability’ and also reimbursed the stolen 10,000 pounds into the Chairman’s account. But what if it were you or me, the plebs of the world, who had suffered this loss?

Posted in Big Galoot Diatribe, Industry Specialists Talk | 3 Comments »

Peter Gutmann’s Kiwicon 2007 presentation on Risky Business

December 23rd, 2007 Drazen Drazic

Risky Business #43 and #44 are well worth a listen (like all the RB podcasts are). These two recent ones include Peter Gutmann’s excellent presentation at Kiwicon 2007. Here’s the link: http://www.itradio.com.au/security/

Posted in Industry Specialists Talk, Research | 1 Comment »

Australian Bank Security vs. the rest of the world

December 22nd, 2007 Drazen Drazic

BankMan is an article submission to Beast or Buddha from the CISO of one of the region’s banks. My responses will follow….

BankMan: You mentioned in a recent post how good Australian banks were doing with IT Security. I know that came with a few extras that you also highlighted like how bad we were against the rest of the world like Asian countries like Singapore. But at least you seemed optimistic.

Mapped against levels of fraud, Australia does well so what do you base your comments upon?

Posted in Industry Specialists Talk | No Comments »

DarkSide Brothers Reality Check - Botnets? Is that the Worst of it? Part I

December 20th, 2007 Drazen Drazic

Darkside Brothers Reality Checks are article submissions to Beast or Buddha from two well respected industry researchers and consultants. Are they serious and on the ball or swaying towards conspiracy lunacy? I’ll leave it with you to work out your own opinions.

In response to the previous Beast or Buddha post on the Billion owned systems. (The SMH has had time to correct if they thought they were wrong but that’s beside the point):

We really need to move on from the idea that unless your motd is “lol fluffy bunny pwnd j00!” your computer is fine.

All your links are owned: http://cryptome.org/nsa-ip-update10.htm.

Every scrap of data that has touched the Internet has been captured under Wholesale Surveillance (owned): http://www.dailykos.com/storyonly/2006/4/8/14724/28476/. (Think MITM, passwords for all your sites (that you re-use for your work VPN, your email and all the encrypted communications and PGP passphrases too).)


Posted in Industry Specialists Talk | 4 Comments »

Interview with Marcus Ranum - Blunt Industry Assessment

November 19th, 2007 Drazen Drazic

Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is recognized as an early innovator in firewall technology, and the implementor of the first commercial firewall product. Since the late 1980’s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR’s Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC “Clue” award for service to the security community, and the ISSA Lifetime Achievement Award. Marcus is Chief Of Security for Tenable Security, Inc., where he is responsible for research in open source logging tools, and product training. He serves as a technology advisor to a number of start-ups, established concerns, and venture capital groups.
——————————————————————–
Marcus gave me some time today to ask him a few questions about his takes on the industry. You won’t die wondering as to what MjR’s true thoughts are:


Posted in Industry Specialists Talk | 6 Comments »