Information security in Australia, and why pentesting there is no longer what it used to be

It is time to write about Australia and my trip to the AusCERT conference. I spent three weeks on this magical continent, starting with the city of Gold Coast. My most pleasant expectations were tied to the excellent surf spot there. In the end my surfboard never got to explore this place, since I found even more gorgeous Australian waves elsewhere, and from there I went straight to Singapore, where I spoke at the legendary RSA conference.



So, the first thing I saw in Australia was a k-a-n-g-a-r-o-o, and no, not a dead one like the dolphin from the previous story, which made me very happy. A good sign, I thought. And then came the crash caused by a difficult journey of 4 flights with a total length of 36 hours.



The conference


Before the conference, I had to conduct an SAP security training. Giving talks is no longer fashionable; now it's cool to run trainings. I will not talk about it, because here it is either everything or nothing, and this post is dedicated to Australia and AusCERT. Briefly: it was a powerful brainstorming session for the local pentesters, as they had to cram a full day's material into 4 hours, but, in general, everyone was satisfied. And I, tired from the jetlag and the training, was completely free at the conference, which allowed me to get better acquainted with the local market, the speakers, and everything else.
So, the conference: I was very surprised that this event has been held for almost 20 years! It turns out that this is almost the oldest security conference, although it is more correct to call it an exhibition or a vendor party. The exhibition had about 70 stands, which, in general, is slightly larger than usual. And everywhere there are sellers and marketers of everything related to information security. You can't even stand in line for coffee without picking up a stack of leaflets or answering a dozen questionnaires and questions about BYOD (by the way, what is that, does anyone know?). All dinners, breaks and other perks are generously sponsored, and the loudspeakers drone on obsessively about the benefactors. In general, the usual vendor exhibition, only very much in "selling" mode. The apogee of this bacchanalia was the large-scale final fireworks display. Against this background, the guys from HackLabs stood out with a stand out on the street, a photo of which is at the beginning of the article.
To round out the grandeur, there was also golf at the conference. Before the conference, during the trainings, golf tournaments were held. Next to the hotel there is a huge golf course. Well, while the other speakers were golfing in a friendly way, I was running the training, so this field is also not covered. But never mind, I'll still knock balls around with a club when I'm old enough for the sand to pour out of me onto the seat of a Bentley.

Reports


So, the talks. Despite the fact that the conference is very business-oriented, the organizers tried to present interesting technical talks. Not hardcore technical, as we like to see at ZeroNights, but technical nonetheless. There were 4 tracks at the conference, two with normal talks, two with sponsored speeches from vendors. I attended three talks. The first was a sponsored talk by Eugene Kaspersky. The content was unremarkable, about cyber warfare and the like, but Eugene himself is cool in principle. I have long wanted to see how one of the professional Russian speakers speaks in English, although, in general, there are few interesting speakers. He performed very well; obviously he has been doing it for a long time and with pleasure, although there is no escaping the Russian accent. Undoubtedly, it is worthy of respect that he brought a Russian company into the world's top four endpoint solutions, and indeed he was the first to sell security products abroad on such a scale, whatever people say about the technical side of things and the marketing policy.
The second talk was from HD Moore, author of Metasploit. Nothing supernatural, but a very high-quality analysis of the results of the Internet scan from the InternetCensus project was presented.
If you aren't in the know: a researcher who wished to remain anonymous posted on the Internet the results of scanning the entire Internet for popular open ports, and also collected banners and conducted a number of other studies. The project is interesting in that the scanning was carried out not entirely legally, but with the help of a botnet made up of simple devices such as home routers with default SSH passwords. The statistics analyzed by HD Moore showed a number of interesting facts about what can be done with vulnerable services and how bad things are. I highly recommend referring to the source. This project was interesting to me because for the third year now we have been analyzing open ports on the Internet, only specifically for SAP systems. By the way, expect a new report for 2013 soon.
The last talk I attended was from Barnaby Jack. He talked about attacks on medical devices, and the presentation was framed as a real comic strip; as always, everything was top notch. Afterwards we practically agreed with him on a talk at ZeroNights, but ... you are probably already in the know.
For my part I can say that I met him in Barcelona at the Source conference 3 years ago. This was my second or third international conference; he was talking about ATMs at the time, and for a demonstration he organized a conference call with his office, where there was an ATM, which he remotely broke from Barcelona. In the evening at the speaker party, he told all sorts of stories from life, not only hacker ones. In general, this person was and will forever remain an icon for me among speakers: he always looked for new, previously unexplored and very cool topics, and most importantly, he knew how to present them in such a way that he was understood by the person furthest from technology, while at the same time earning the respect of techies. Keeping that balance is a true art. Rest in peace, friend.

Cases-Rest-Cases-Rest


... After the conference, I went on a small trip, combining rest and work. The first stop was Byron Bay, a gorgeous surfing place filled with hippies, all sorts of organic food and other delights, where even the playgrounds hint at what to do with your life.



Not Portland, of course, but there is something to it. We were there with a fellow journalist and HD Moore. By the way, Eugene Kaspersky also showed up at the local bar where we went to listen to music, just an hour before my arrival ...


Since this is a post about information security, I'll tell you how things stand in Australia. In short, pentests are very popular there, there are more than enough pentesters, there is a lot of work, and the competition is huge. The work itself is not very intellectual, because everything is streamlined and there are a lot of short compliance-style projects. Why is that? Well, partly because of the laws.

.... For example, about smoking. It's not so scary that a pack of tobacco costs 30 bucks, but it is not so easy to buy: cigarettes and tobacco are not openly displayed in stores, there are only names and prices on a separate sheet. Almost all brands are local, it is not clear which cigarettes and tobacco are which, and the staff cannot answer questions, give no recommendations, in short, do not help at all, because the law prohibits it. Buying tobacco is therefore a lottery. There are also ridiculous laws in the bars of Byron Bay, where you can't order shots, double cocktails, or two cocktails for one person, and something else that limits how fast you can get drunk. Apparently, this measure is dictated by concern for the hippies and other citizens who are unrestrained in their alcohol consumption.

So, the laws. They have state institutions called councils, something like district administrations. And all of these "housing administrations" were obliged to do a pentest. But I must say separately that the councils there do everything: they take out the garbage and cut down the trees, and ordinary mortals are forbidden to do this themselves. For any job, citizens write applications to the "council", which for a fee will remove any scrap of paper from the sidewalk. And all these "garbage collectors", of whom there are thousands across the country, need to be tested, and not once a year but all four times. Of course, among them there are those who understand nothing specific and want only a piece of paper, like some of our companies, exhausted by the mandatory compliance with PCI DSS, for example. And this large market, not very competent in technical matters, breeds a large number of mediocre performers, although, of course, there are excellent teams too.
The pentest there is priced by man-days, and pentest companies have fixed rates for a man-day of a pentester, ordinary and advanced. Often, since companies do not want to spend much on an unfamiliar service, everything happens in 2-3 man-days. "And if they don't have time to find anything?" I asked. To this the reasonable reply was that the task is not to smash everything to smithereens, as in Russia, digging for five months if necessary, but simply to check, so to speak, for the presence of a certain level of security equal to three man-days of a pentester.

In addition to this "splendor", Indian companies are rapidly entering the market with a daily rate almost 10 times lower. Naturally, some customers choose them, which they regret very much later: the Indian companies do not warn in advance that the project is likely to be delayed, and that their price only covers the work of the pentester, who needs various tools for the job at extra cost. So unhappy customers end up buying licenses for Metasploit or Nessus, etc. As a result, such "savings" cost customers dearly. Of course, standards and a large market are better than no market at all, but in this case the pentest is no longer what it used to be.

Then I talked a little with partners, sold a little ERPScan, and flew to Singapore to speak at the RSA APAC conference.



This is probably the first conference where I haven't met a single speaker I know; it is all big bosses of large companies with serious faces. And although my talk was the least technical of all my talks, it turned out to be the most technically hardcore at RSA. Well, of course, RSA is a status event, whoever takes part in it, there are only professionals among the speakers, so it is certainly good for guests to listen to analytics and a digest of what happened during the year. But the techies have nothing to do there, that's a fact. The talk, in case anyone is interested, is available for viewing.



PS:

Finally, I also looked into Tasmania. The locals, at the mention of it, make scary eyes and talk about two-headed Aborigines and unreal cold, well, the sort of thing people say about the area beyond the Moscow Ring Road. There I was looking for a Tasmanian devil, and traditionally I found the corpse of an incomprehensible beast (I have no idea what it is, but it's definitely not a Tasmanian devil). So as not to traumatize the public, this time the photo is here. There were also kangaroos, koalas, wallabies and other local animals.

Here, by the way, a competition was announced for the best achievements in information security in Russia and other delights, among companies and ordinary citizens. The wallets have probably already voted, and the techies are most likely not even aware of it, so it would be fair if I just left the link here and let you decide who deserves what.
That's all, the last post with low-quality photos; wait for a new one, from either South Africa or America. I have not decided yet which is more interesting.