Archive for June, 2008

Jun 30 2008

Last call for WAF and Code Review

Published by under PCI

Today’s the day. According to Payment Card Industry Data Security Standards (PCI-DSS) requirement 6.6, today is the last day having code review and/or a web application firewall (WAF) is optional. If you’re a merchant accepting credit cards online, you have to meet this requirement for any and all assessments from July 1, 2008 on.

The good news is that the PCI Security Standards Council has provided a clarification on what exactly constitutes code review and on the exact requirements for a WAF. Code review does not have to be done by a third party specializing in code review, but it does have to meet at least one of the following points:

1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools

It does mean you have to have someone who actually has training in code review viewing the output of your tools and processes; it does not mean you can have your security manager run Nikto or some other web scanner against your site and call it good. He or she actually has to have the training and experience to make use of the output of the tool and the process. If you don’t already have some sort of code review built into your processes, this will definitely be the more painful and time-consuming way to meet the 6.6 requirements. But once you have it in place, it’s also the more secure option.

Installing a WAF is the easier, quicker way to meet 6.6. You install another piece of hardware in your network, fire it up, and you’re done. Or almost; you still have to have someone who knows how to configure the web application firewall to work with your environment, which is not always an easy task. Out of the box most WAFs will go far towards protecting your site from cross-site scripting (XSS) and SQL injection attacks, but they’re not infallible. Tuning a WAF to meet your site’s specific needs can be a full-time job by itself, and it means working with the application team to understand exactly what can and cannot be blocked to keep your site secure.

Rich and I often discuss PCI on the podcast, and Rich is of the opinion that PCI is just another set of requirements that don’t really make the Internet more secure. I think he’s wrong, and requirement 6.6 is one of many things in PCI that proves my point. Web application firewalls and code review aren’t the solution to all of the problems web sites face on the Internet, but they go a hell of a long way towards establishing a baseline of security for companies to meet. Yes, attacks are going to continue and sites are going to be compromised; but by mandating code review and/or web application firewalls, we go a long way towards removing the low-hanging fruit that is XSS, SQL injection and poor coding practices. It may just mean attackers have to find smaller merchants and other sites that don’t have to meet requirement 6.6 (yet), but that will still be an improvement.

If you’re a PCI Level 1 merchant (taking more than 6 million Visa/MasterCard transactions annually), this is the last day you have any excuse not to be doing code review or putting a WAF in place. And if you’re a Level 2 or lower merchant, you’d better start thinking about this requirement as well, since you’re responsible for the exact same requirements. The main difference is Level 2 and lower merchants don’t have to have an annual on-site assessment. But rumor has it that might be changing in the not too distant future. No, that’s not insider information, since I haven’t read any more of the PCI 1.2 requirements than anyone else, but it is the rumor I’ve been hearing for a while.

As of tomorrow, the bar for securing your web site is being raised one more notch. You have to meet requirement 6.6 to be PCI compliant. The alternatives are being fined, having your per-transaction fees raised, or possibly even losing your ability to take credit card transactions. No one wants to deal with any of those possibilities, so I foresee a lot of web application firewalls being purchased in the near future. After all, it’s easier to put in another piece of hardware than to change your whole application development process to include code review. But the smart merchants are going to be doing both.


One response so far

Jun 26 2008

The Internet is a public place

Published by under Uncategorized

Some time in the distant past, or maybe just a couple of years ago, I signed up for the US-CERT Cyber Security Tips mailing list. Every week they send out an email concerning online security, targeting the average home user with a simple concept they should be able to digest fairly easily. It’s not something that’s going to educate most of the professional paranoids who hang out and read a blog like this one, but it is usually a subject your parents or non-technical friends can learn from.

This week’s mailing is “Guidelines for Publishing Information Online”. To quote their own synopsis,

Remember that the internet is a public resource. Avoid putting anything online that you don’t want the public to see or that you may want to retract.

If you’ve been reading the blog or listening to the podcast, you’ll probably have seen me use words very similar to that a number of times. Especially when Uncle Mike Rothman tries to get me going on a subject like privacy. Privacy isn’t dead, but the vultures are gathering, and it’s up to each and every one of us to safeguard our own privacy by being aware of what we put on the Internet. ‘Cause once it’s out there and Google’s indexed it, you’ll never get that piece of information back in the bottle.

Isn’t it funny when someone who blogs as much as I do says be careful what you put on the Internet?


No responses yet

Jun 26 2008

OMG: 30 years of AD&D

Published by under Humor

I just had a startling realization: This weekend marks thirty years that I’ve been playing Advanced Dungeons and Dragons. How do I know? Because this weekend is my birthday and I spent all of my birthday money from my 12th birthday on buying the only D&D book that was out at the time. Or at least the only book at my local store, Toy and Model.

I’d received the blue box set of Dungeons and Dragons the Christmas before, but quite frankly had no one to play it with. I’d been playing with my childhood best friend, Fred Zeiber, but it’s hard to play a game like that with just two people, so we usually ended up forgetting the rule books and just playing pretend games. Every once in a while I try to look up Fred, but it appears he has almost no presence on the net, not being a computer geek like I turned out to be.

There were other games like Gamma World and Traveller, but AD&D is the one I’ve always come back to. I do have to give Traveller credit for getting me interested in math; you had to know some basic trig and calculus to even attempt to create a game world in that system. And all of the games taught me what the word “probability” means.

I still have my Monster Manual in a storage locker across town. The cover is still recognizable, even though there are so many layers of marks from using it as a hard surface to write on. I could probably recreate at least a few of those earliest characters I created just from the marks on that book.

I know 4th Edition is out, but I haven’t had the time or the interest to pick it up. When Second edition came out, I tried playing it once or twice, but after I purchased most of the books, I realized I still liked first edition better. I got a lot of play out of editions 3 and 3.5, so I’ll probably pick up some 4th Edition books eventually. Unless someone wants to send them to me for my birthday :-).

What’s my all-time favorite role playing game? While I love playing AD&D, I have to say Champions: the Superhero Roleplaying Game wins out. I’ve always loved four-color comic books and the epic struggle between good and evil. Not the angst-ridden Iron Age stuff we have now, but the wonderful Silver Age comic book stories that ended with the death of Gwen Stacy in Spiderman.

And now back to the angst-ridden real world of being an adult.


3 responses so far

Jun 26 2008

Looking forward to Black Hat 2008

Published by under Hacking

Black Hat 2008 is fast approaching, and I’m really looking forward to it. And as a bit of a teaser, there’s a “Forbidden Sneak Peek” webinar this afternoon. Unluckily, I’ll be boarding a plane somewhere about halfway through the presentation, but I’m hoping to get a good enough signal in the airport to at least watch the beginning of the event.

I’m also looking forward to seeing a lot of friends and security professionals I only get to see a couple of times a year. Christofer Hoff will be giving a talk on virtualization; there’s a strange rumor that he may be doing it as interpretive dance. Jeremiah Grossman is co-presenter on all the dangers of Web 2.0 and the dangers of the business logic presently in use. Hacker Court will be in full swing once again; I just hope there are no pictures of Simple Nomad this year. And Johnathan Squire will be giving a talk on UPnP, which will probably go over my head, but will be full of energy and information nonetheless.

There’s also going to be a lot of opportunities to talk to other security bloggers and podcasters throughout the week. Alan will be there, Mike Murray better be there, and I’m hoping some of my friends like Michael Farnum and Cutaway will be able to drive up from Texas to visit, especially since Cutaway is organizing a team for the L0st challenge at Defcon over the weekend. It’ll also be the second time Rich and I have had a chance to meet face to face since we started podcasting together.

Speaking of podcasting, Rich and I are starting to formulate our plans for the event. We got a lot of positive feedback from the ‘microcasts’ we did at RSA 2008 and we plan on doing more of the same for Black Hat and Defcon. Rich is helping out at both events and I’ve applied for a press pass, so we should have some really good opportunities to interview speakers and other interesting people at both events. I’m going to take my Canon HD video camera in addition to my H4 Zoom, so I may even get more video this year. I know I’m going to be taking time to hang out at the Lock Pick Village again, especially since that ended up being some of the most popular video I ever did.

Black Hat and Defcon are both great opportunities to learn, meet people, and generally have a great time. Not to mention get a little drinking in at night. Really, please don’t mention that last part to my wife and kids, who might end up joining me for a day or two in Vegas. Well, at least they’ll be there somewhere while I learn, meet people, drink and have a great time.


4 responses so far

Jun 25 2008

And this is why I like ScribeFire

Published by under Blogging

Yesterday I complained on the blog that ScribeFire had been acting funny and eating parts of my post. Actually, in a lot of cases, it had been the majority of the posts it ate. Later in the morning, I got a comment on the post from Christopher Finke saying they think they know what it is. That’s cool. Today, I got some new code to test out and see if the same thing is still happening. Now that’s really cool.

If you haven’t guessed yet, I’m writing this post to try to recreate some of the conditions that have caused me previous problems with ScribeFire. I started the post, wrote a few lines and then changed tabs in the right window. If the problem isn’t fixed, I’ll probably get the first line of the post and nothing else will show up. I’m keeping my fingers crossed as I hit the Publish button.


No responses yet

Jun 25 2008

Scan your drive for PII

Published by under Privacy,Simple Security

Most people have no idea how much personally identifiable information (PII) they have on their hard drives. To be honest, the average consumer has no idea that they might be in danger by having PII on their drives in the first place. They don’t realize that many of the viruses today aren’t looking to do anything other than scan their hard drives looking for their credit card numbers so they can be sent back to the mothership. But now, thanks to Sensitive Number Finder (SENF) from the University of Texas, you can scan your hard drive to look for all those files that might have PII in them.

SENF is a Java applet that you download and run, no installation required. When I ran it against my “My Documents” folder, it turned up 65 files that might have PII in them. I really liked the fact that I don’t have to open the files themselves, a simple mouse click on the file in the SENF app shows me what strings triggered the match. Most of what I saw were game saves and configuration files, none of which had PII in them, but then I’m a security professional and have never to the best of my knowledge included my SSN or credit card number in a Word document.

This is a program worth keeping on your USB drive. It only takes a few minutes, and while it has a high number of false positives, it will give you a good idea of what’s on your hard drive. Or what’s on your parents’ drive when you go over there for the 4th of July and get roped into doing a little computer maintenance.
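To show what a tool like SENF is actually doing under the hood, and why the false-positive rate is high, here is a small scanner written for this post as an added example (it is not SENF’s code, nor anything from the University of Texas; the regular expressions, the Luhn filter and the sample files are my own constructions). It walks a folder, looks for strings shaped like US Social Security numbers or payment card numbers, and, like SENF, reports the matching string so you never have to open the file yourself. The Luhn mod-10 check is what keeps a 13-digit game score from being reported as a card number; the SSN pattern has no such checksum, which is exactly why those hits need a human looking at them.

```python
"""Minimal PII scanner (added example, not SENF's code): walks a directory,
flags files containing strings shaped like US SSNs or payment card numbers,
and reports the triggering string. All sample files below are constructed."""
import os
import re
import shutil
import tempfile

# Card pattern: 13-19 digits, optional single space or dash between digits,
# not glued to surrounding digits. SSN pattern: the common 3-2-4 layout,
# excluding the area/group/serial values that are never issued.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. A random run of digits passes about 1 time in 10,
    so this removes most (not all) false positives such as timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return (kind, matched_string) tuples for every hit in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


def scan_tree(root: str):
    """Walk root; return {path: [(kind, match), ...]} for files with hits.
    Content is decoded as latin-1 so binary files never raise."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")
            except OSError:
                continue
            hits = find_pii(text)
            if hits:
                report[path] = hits
    return report


def demo():
    """Constructed files: a well-known test card number, an SSN, and a
    game-save style file whose 13-digit score fails the Luhn check."""
    root = tempfile.mkdtemp()
    samples = {
        "notes.txt": "Order paid with 4111 1111 1111 1111 on Tuesday\n",
        "taxes.txt": "Filed under SSN 123-45-6789\n",
        "save.dat": "score=1234567890123 level=7\n",
    }
    try:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, hits in demo().items():
        for kind, match in hits:
            print(f"{name}: {kind} -> {match}")
```

Point `scan_tree()` at a real folder and you get the same kind of list SENF produces: files plus the strings that triggered them. Expect plenty of hits in configuration and save files anyway, since any 9-digit dashed number or any Luhn-valid digit run (some serial numbers and order IDs are) will still match; the tool narrows the haystack, it doesn’t replace looking at it.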

Found via LifeHacker
Update: Tim Krabec pointed out an alternative program, called Firefly. The only problem is it requires the .Net framework and the site doesn’t like Firefox.


2 responses so far

Jun 24 2008

Network Security Podcast, Episode 109

Published by under Podcast

Long podcast tonight! Rich and I are joined by Adam Shostack, bandleader of the Emergent Chaos Jazz Combo of the Blogosphere and co-author of The New School of Information Security. Oh yeah, he does this thing during the day where he does security stuff for some company called Microsoft. Adam’s been around a while, done more than a few things in his time, and has a lot to say about security. Funny thing is, Rich and I both agree with most of what he has to say; kinda scary isn’t it?

Show Notes:

Yes, even with only two articles, we almost went an hour.


Network Security Podcast, Episode 109, June 24, 2008

Time: 55:31


No responses yet

Jun 24 2008

ScribeFire ate my post

Published by under Blogging

I love ScribeFire, but ever since the last upgrade it’s been eating half of my posts. I finally got sick of it and opened a bug ticket, but it’s been very frustrating to write a 3-5 paragraph post, publish it to the blog and see that only one or two of the paragraphs made it to the site. Sometimes what I write the second time is better than the first draft, but more often my frustration makes the second draft worse or gets the post scrapped all together.

Is anyone else out there experiencing similar problems? Is it because I haven’t upgraded Firefox on my main computer to FF3.0 yet? Or is it just a PEBCAK problem? (Problem exists between chair and keyboard)

PS. ScribeFire tried to eat this entire post, but I was too wily for it and copied the whole thing before posting it. Now to try a second time and see what happens. I think it has something to do with changing tabs in the right hand window of ScribeFire, but I’m not sure.


4 responses so far

Jun 24 2008

OpenID is for low impact identity

Published by under Blogging,Simple Security

Last year Michael Santarcangelo and I organized a Security Roundtable with Dan York to discuss OpenID. All three of us like the technology and we like the idea, but we decided that OpenID is only for sites and systems where a compromise would be of little or no concern. In other words, it’s a great project for verifying commenters’ IDs when they post to your website, but it’s not such a great authentication method for logging into your blog yourself. And now Dana Epp has discovered that Six Apart (makers of Movable Type) feel the same way.

I understand Dana’s desire to use OpenID as authentication for his blog, but that’s not what it was meant for. After all, the setup of an OpenID account is fairly simple and merely requires putting a code snippet on a website or blog you control (please correct me if I’m wrong; I haven’t set up or used an OpenID account in over a year, which is a telling stat in itself). Given the rate of web server compromises, that’s not a very high bar for a hacker to hurdle to compromise an ID. If all you’re using your ID for is commenting on various blogs, that’s not a big deal, but when you start using it for more serious authentication, that becomes a much more important concern.

I’m glad that an organization like Movable Type understands the limitations of OpenID. While I’m sure some comment spammers are trying to break OpenID, the majority of the bad guys are probably ignoring it as a low impact authentication method. It would be nice to have a way to verify your identity across the Internet, but the reality is any identification method that becomes used in more important targets is going to become the target of intense attack. I’d rather see the people behind OpenID understanding the limitations of their project and treat it appropriately. There are already too many projects that shoot for the stars and end up falling flat on their faces.


2 responses so far

Jun 18 2008

Window Snyder, Mozilla’s Super Geek Girl

Published by under General

If you believe the USA Today story, Window Snyder from the Mozilla Foundation should be able to leap tall buildings in a single bound. That’s a little bit of hyperbole, but if you read the history of her career, it’s not that far off the mark. This is a good article to read if you want to know trivia like Window’s first name, but don’t expect much technical information. I wonder if Window will be signing copies of the article at the next BaySec? (Note: Someone needs to update the site. The next Baysec is this Thursday, June 19th at 7:30 in Pete’s Tavern.)


No responses yet
