
Information security in Australia, and why pentesting there is no longer what it used to be

It is time to write about Australia and my trip to the AusCERT conference. I had to spend three weeks on this magical continent, starting with the city of Gold Coast. My highest expectations were tied to the excellent surf spot there. In the end, my board never tasted this place, because I found even fancier Australian waves elsewhere, after which I went straight on to Singapore, where I spoke at the cult RSA conference.



So, the first thing I saw in Australia was a live animal, not a dead one like the dolphin from an earlier story, and that made me very happy. "A good sign," I thought. And then came the crash caused by the heavy journey: 4 flights with a total length of 36 hours.


The conference


Before the conference, I was to conduct an SAP security training. Giving talks is no longer fashionable; now it's cool to conduct trainings. I won't go into it, because here it's all or nothing, and this post is devoted to Australia and AusCERT. Briefly: it was a powerful brain workout for the local pentesters, because they had to absorb material for 4 hours every day, but, on the whole, everyone was satisfied. And I, tired from the jetlag and the training, was completely free at the conference, which allowed me to get better acquainted with the local market, the speakers and everything in general.
So, the conference: I was very surprised that this event has been held for almost 20 years! It turns out that this is almost the oldest security conference, although it would be more correct to call it an exhibition or a vendor party. The exhibition had about 70 stands, which, on the whole, is a little more than usual. Sellers and marketers of everything related to information security scurry around everywhere. You can't even stand in line for coffee without collecting flyers or answering a dozen questionnaires and questions about BYOD (by the way, what is it, anyone in the know?). All dinners, breaks and other goodies are generously sponsored, and the loudspeakers buzz obsessively about the benefactors. In general, the usual vendor exhibition, but very much in "selling" mode. The climax of this bacchanalia was a short firework display at the end. Against this background, the guys from HackLabs stood out with a stand on the street, a photo of which is at the beginning of the article.
To complete the pathos, there was also golf at the conference. Before the conference, during the trainings, golf tournaments were held. Next to the hotel is a huge golf course. Well, while the other speakers were bonding over golf, I was conducting the training, so that field is also not covered yet. But never mind, I'll still whack balls with a club when the sand starts crumbling off me onto the Bentley seat.

Talks


So, the talks. Although the conference is very business-oriented, the organizers tried to present interesting technical talks. Not hardcore technical, as we like to see at ZeroNights, but technical enough. The conference had 4 tracks, two with regular presentations and two with sponsored performances from vendors. I went to three talks. The first was a sponsored talk by Eugene Kaspersky. The content was unremarkable, about cyberwar and so on, but Eugene himself is cool in principle. I had long wanted to see how one of the professional Russian speakers speaks in English, although, in general, there are few interesting speakers. He spoke perfectly, obviously having done it for a long time and with pleasure, although one cannot escape the Russian accent. Undoubtedly, it deserves respect that he led a Russian company into the world's top four endpoint-solution vendors, and in general was the first to sell security products abroad on such a scale, whatever people may say about the technical side and the marketing policy.
The second talk was from HD Moore, author of Metasploit. Nothing supernatural, but he presented a very high-quality analysis of the Internet scanning results from the InternetCensus project.
If you don't know: one researcher who wished to remain anonymous posted on the Internet the results of scanning the entire Internet for popular open ports, along with gathered banners and a number of other studies. The project is notable in that the scan was carried out not quite legally, but with the help of a botnet consisting of compromised simple devices such as home routers with default SSH passwords. The statistics analyzed by HD Moore showed a number of interesting facts about what can be done with vulnerable services and how bad things are in general. I highly recommend referring to the source. This project was interesting to me, since we have been analyzing open ports on the Internet for the third year now, only specifically for SAP systems. By the way, expect a new report for 2013 soon.
The last talk I attended was from Barnaby Jack. He talked about attacks on medical devices, and the presentation was framed as a real comic book; as always, everything was up to par. Afterwards, we practically agreed with him about speaking at ZeroNights, but... You probably already know.
For my part, I can say that I met him in Barcelona at the Source Conference about 3 years ago. It was my second or third international conference; he was talking about ATMs and, for the demonstration, he set up a conference call with his office, where there was an ATM that he broke remotely from Barcelona. In the evening at the speaker party he told all sorts of stories from life, not only hacker ones. In general, this man was and will forever remain for me an icon among speakers: he was always looking for new, previously unexplored and very cool topics, and most importantly, he could present them so that the person furthest from technology understood him, while still earning respect from techies. Balancing on this edge is true art. Rest in peace, friend.

Business-Rest-Business-Rest


... After the conference, I went on a short trip, combining leisure and work. The first stop was Byron Bay, a chic place to surf, filled with hippies and all sorts of cafes with organic food and other delights, where even the children's playgrounds hint at what to do in life.



Not Portland, of course, but there's something to it. We were there with a journalist acquaintance and HD Moore. By the way, Eugene Kaspersky also turned up in the local bar where we went to listen to music, just an hour before my arrival...

So, if the post is about information security, let me tell you how things stand with it in Australia. Briefly: pentesting and pentesting companies are very popular, there are more than enough pentesters, there is a mountain of work, and the competition is huge. The work itself is not very intellectual, because everything is put on a conveyor belt: a mass of short compliance-style projects. Why is that? Well, partly because of the laws.

... In general, there are a lot of strange laws in Australia; let me digress a bit more. For example, about smoking. It's not just that a pack of tobacco costs 30 bucks; it's also not so easy to buy: it is prohibited to display cigarettes and tobacco openly in stores, and there are only names and prices on a separate leaflet. The brands are almost all local, and which of them are cigarettes and which are tobacco is unclear; the sellers cannot answer and do not give any recommendations, in short, they do not help, as that is prohibited by law. Buying tobacco is therefore a lottery. Another ridiculous law applies in the bars of Byron Bay, where you cannot order shots, double cocktails, two cocktails for one person, and a few other things that severely restrict the speed of getting drunk. Apparently, this measure is dictated by concern for hippies and other citizens who lack restraint in alcohol consumption.

So, the laws. They have state institutions called councils, something like district offices. And so, all these "house managers" were obliged to do pentests. But it must be said separately that the house managers there do everything: they take out the garbage and cut down trees, and mere mortals are forbidden to do it. Citizens submit applications for any work to the "house manager", which will remove any piece of paper from the sidewalk for money. And all these "scavengers", of whom there are thousands across the whole country, must be pentested, and not just once a year but all four times. Of course, among them there are those who understand nothing and want only a piece of paper, like some of our companies exhausted by mandatory PCI DSS compliance, for example. And all this big and not very technically competent market is served by a large number of mediocre performers, although there are certainly excellent teams.
Pentests are priced here in person-days, and pentesting companies have set rates for a beginner and an advanced pentester. Often, since companies don't want to spend much money on an unfamiliar service, everything happens in 2-3 person-days. "And if they don't have time to find anything?" I asked. I was reasonably told that, supposedly, the task is not to smash everything to smithereens, as in Russia, digging for five months if necessary, but just to check, so to speak, for the presence of a certain level of security equal to three person-days of a pentester.

In addition to this "splendor", Indian companies are rapidly entering the market with a daily rate almost 10 times lower. Naturally, some clients choose them, which they later regret: the cunning Indians do not warn in advance that the project is likely to be delayed, nor that their price covers only the pentester's labour, and the pentester will definitely need various programs for extra money. And the unfortunate customers buy licenses for Metasploit or Nessus, etc. As a result, such "savings" cost customers dearly. Of course, standards and a large market are better than no market at all, but pentesting is no longer what it used to be in this case.

Then I talked a little with partners, sold a little ERPScan, and flew to Singapore to speak at the RSA APAC conference.



This is probably the first conference where I didn't meet a single acquaintance among the speakers; they are all big bosses of large companies, all old hands with smart faces. And although my talk was the most non-technical of all my talks, it turned out to be the most technically hardcore at RSA. Well, yes, of course, RSA is about status; they don't take just anyone to speak there, only the speakers among speakers, so for guests it is certainly useful to listen to the analytics and the gist of what happened during the year. And there's nothing for techies to do there, that's a fact. The talk, if anything, is available for viewing.



PS:

Finally, I also dropped in on Tasmania. At the mention of it, locals make terrible eyes and talk about two-headed Aborigines and unreal cold, just like we talk about "beyond the Moscow ring road". There I looked for the Tasmanian devil and, by tradition, found the corpse of an unidentified beast (I have no idea what it is, but it is definitely not the devil). In order not to traumatize the public, this time the photo is by link. There were also kangaroos, koalas, wallabies and other local animals.

By the way, they have announced a competition for the best achievements in information security in Russia and other goodies, among companies and ordinary citizens. The wallets have probably already voted, and techies most likely don't even know, so it will be fair if I just leave the link here, and you decide for yourselves who deserves what.
That's all, the last post with low-quality photos; expect the next one from South Africa or from America. I haven't decided yet which is more interesting.

Source: https://habr.com/ru/post/194916/
