Network Security Blog

If you were awake and online this morning, you may have seen a storm of tweets about Google marking every site on the Internet as potentially harmful to your computer!  Any searches returned the normal response, but also included the warning “This site may harm your computer.”  By the time I saw it the link to the explanation page had been flooded with requests and returned a 503 error, but it was basically a warning that the site might contain malware that could infect your computer.  Now Google has come out with an official story of what happened.  Apparently someone indicated that the ‘/’ directory for every domain might contain malware, effectively identifying every site on the Internet as a potentially dangerous site.  Just a little human error and 45 minutes later the whole thing was fixed.

I guess the official story is better than the truth:  every site on the Internet really may harm your computer!  Anyone could be compromised in this day and age and you never know for certain a site is safe.  That’s why we use little tools like NoScript, isn’t it?

This is the latest in a series of video discussions with my friends Richard Stiennon, Amrit Williams and Mike Murray.  I have a hard time watching myself on video, so I haven’t watched the whole thing, but everyone who’s reviewed it says it’s a fun, lively discussion.  Enterprise Security Management and Security Event Management for anyone who’s not up on their latest acronyms.  I think this was the last shoot of the day, which you can tell because we all let loose a little more than we had earlier in the day.

Demos on Demand: ESM & SEM

Time for Captain Privacy to don his mask, cape and baggy sweat pants (no spandex for Captain Privacy)!  It’s Data Privacy Day 2009!

Mike Rothman dubbed me Captain Privacy after a particular string of posts that rabidly argued that a person’s right to privacy far outweighed most business needs and the government desire to know everything, except in specific cases.  That’s an opinion I still hold, but it’s been modified by the fact that most people are willing to give up even the illusion of privacy if you offer them a candy bar or a shiny new widget for their desktop.  I’ve come to realize that privacy is about the government and corporations keeping their nose out of our business, but we also have a responsibility to monitor what we’re making available for public consumption about ourselves.  This is the part of the equation most people forget to think about. 

Awareness and education are the primary goals of Data Privacy Day.  A whole generation is growing up with not only the interconnectivity of the Internet, but social media and all the disclosure that’s associated with it.  We’ve already seen a number of people who’ve either been denied or lost jobs due to what they’ve written or displayed on Facebook and MySpace.  This is only the tip of the iceberg compared to many of the more minor, day to day problems with posting to sites anyone can look at.  And it’s not because people are being stupid, it’s just because most people have no idea that a potential boss or date might be able to look them up at a later time.  People lack the education to understand the consequences their actions in their social networks can lead to.

Businesses and the government have a responsibility to play in privacy as well.  A few years ago AOL gave us a graphic example of how much information persists in search engine databases even once you’ve stripped out user names.  Credit card companies know everything you’ve ever purchased on a card, the phone company knows who you’ve talked to and the government wants access to it all just in case you or I might be a terrorist.  And lets not forget the bad guys who might want to gather some of that information as well so they can pretend to be you and open accounts and steal money and goods.  Information has value and many different entities want your information because of it.

Take a couple of minutes in honor of Data Privacy Day and reflect on what you’re putting out there for the public to see.  It’s a little ironic for someone like myself, who lives a large part of their life online, publishing his day to day thoughts, to tell other people to be careful what they post to the Internet.  But I think carefully before I post and think about the long term consequences of my postings.  You should too.

And yes, I really do have a mask and cape.  My wife gave them to me for Christmas.  And no, I don’t have tights or spandex.

Lies, damn lies, and statistics. Nothing makes us more excited than being able to correlate actual monetary losses to major breaches, and a study in Maine that does exactly that leads us off this week. (Maybe some other things excite us more, but we’re not about to talk about those on the podcast). From there we dig into the pittance of information available on the Monster.com breach, before heading off into pundit land as we discuss the White House priorities for Homeland Security, spammers and short-lived websites, and yet another idiot leaving sensitive data on portable storage (an MP3 player).

We recorded during the work day this week, so a few times you get to hear our phones in the background. We promise we didn’t just add them in there to trick all of you into thinking we really have jobs.

Network Security Podcast, Episode 136, January 27, 2009
Time: 27:43

Show Notes:

• Maine surveys banks to determine some of the losses associated with major data breaches. It isn’t a small number.
• Monster.com loses some data. They don’t tell us who’s data they loss, or how or why, but they definitely lost some stuff.
• The White House homeland security agenda. There’s a cyber section. Which is cool, because someone can at least spell cyber.
• Phishers change URLs. We’re not sure why this is news, but we use it as an excuse to talk about other, more important things.
• A man buys a used MP3 player in New Zealand, with personal info on US soldiers in Iraq. WTF? Maybe it was a Zune?
• Tonight’s Music:  Mexicolas with Big in Japan

It’s been a busy week for me.  Long days, short nights and report after report to write.  I guess the one good thing is that I’ve been home for a while now instead of gallivanting around the country like I sometimes do.  What I’m trying to say is there hasn’t been much time for blogging this week, even though there’ve been some pretty big stories come out this week.  I had a lot of fun a couple times earlier in the week debating the merits of PCI with Jeremiah Grossman and HD Moore, which gave me more then enough fodder for half a dozen blog posts or more.  The funny part of the debates is that we all agree that the goal is securing enterprises in a time when more and more breaches are being reported, we just disagree about whether or not PCI is doing anything towards accomplishing that goal.  I received a couple of complaints about having the debates on Twitter and even more compliments about the quality of the conversation.  Go figure.

Saturday morning reading (aka catching up with the feeds)

• What PCI compliance really means – Michael Dahn draws the distinction between being “PCI Complaint”, being validated during an assessment and being secure.  Validation is a point in time, while being compliant is a continuous process.  Being secure means taking that compliance and continuing to improve upon it, which is a step many organizations forget.  Didn’t I write something on this recently?
• Data breach study ties fraud lossess to Hannaford, TJX breaches – One of the most annoying things I read this week is that TJX was giving customers a 15% ‘appreciation’ discount this week to thank the customers for sticking with them.  How many of those customers were using their credit cards at a company that was in this position because they were breached in the first place?  Now there’s proof that the breach led to fraud and people are still giving TJX more credit cards to lose. 
• The new Homeland Security page – So much changed at noon on Tuesday.  I wonder if the new DHS will ever step the security alert level in airports dow from Orange to Yellow.  Or [gasp] maybe even Green!  Wouldn’t that be nice.
• PCI Compliant Companies Don’t Suffer Breaches – This is an article that I have a hard time swallowing.  The logic is that no company that’s been breached has been PCI compliant (as opposed to validated, read the first article) because deeper inspection found some way they weren’t compliant.  But my own experience is that you’re always going to find at least some portion of an enterprise that’s not compliant if you dig deep enough.  No one is perfect.  And that’s exactly what the bad guys are doing to these big companies, digging and digging until they find the one server in the enterprise that was misconfigured or in the wrong network. 
• Making PCI Easier – A Reality/Health Check – Wow, merchants can make PCI compliance easier on themselves by actually applying some resources to the project.  Who’d a thunk it?  Actually, getting the manpower and tools to become complaint is one of the things that got me excited about PCI when I was a security manager several years ago.
• A Smarter Alternative to PCI – Let’s give merchants the option of complying with PCI, as long as they secure their environments.  Oh yeah, that worked soooo well before the PCI requirements started getting what little teeth they have now. Instead they’d go back to ignoring the cardholder environment and concentrate on whatever the other hot project of the day is.  Making security optional is a guaranteed failure, instead of the potential failures that happens when merchants meet the standard and don’t go any further.
• Network Solutions under large scale DDoS attack, Millions of websites potentially unreachable
• Monster.com reports theft of user data – I think I have a Monster account.  I haven’t checked it in five years or so.  If you take the Monster.com breach and add the information to the Heartland breach (which I can’t talk about), you get a huge potential for identity theft.  I just hope the two groups that perpetrated these two attacks don’t get together and cross refernce the data.

The second in a series of discussions I participated in with Richard “IDS is Dead!” Stiennon, Mike Murray and Amrit Williams is now available for your viewing pleasure.  Richard has been following the firewall and IDS market for a long time now and has a much deeper understanding of it than I ever will.  However his experience is from the market perspective, not the real world where the firewalls and IDSs are actually being installed and used.  Not that I’m configuring and monitoring either technology on a regular basis myself, but I do deal with the people who are very often as a PCI assessor.  So you can imagine we have some differing opinions of where things are going and what’s really being used in the enterprise.  I really need to learn to look directly at the camera.

Demos on Demand Firewall and IDS/IPS Discussion

Hack in the Box is one of those security conferences I’ve wanted to go to, but traveling to Malaysia is a little out of my budget.  The content of most of the presentations is probably a little over my head as well, which is another reason I’ve never pushed for it.  Now I have a chance to view the presentation and see if my estimation is correct.  This might encourage me to push to go to the next HITB in Dubai. 

HITBSecConf2008 Press release:

The videos from HITBSecConf2008 – Malaysia are now available for download!

Day 1
=====

http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1
       
Keynote Address 1: The Art of Click-Jacking – Jeremiah Grossman
Keynote Address 2: Cyberwar is Bullshit – Marcus Ranum

Presentations:

- Delivering Identity Management 2.0 by Leveraging OPSS
- Bluepilling the Xen Hypervisor
- Pass the Hash Toolkit for Windows
- Internet Explorer 8 – Trustworthy Engineering and Browsing
- Full Process Reconsitution from Memory
- Hacking Internet Kiosks
- Analysis and Visualization of Common Packers
- A Fox in the Hen House – UPnP IGD
- MoocherHunting
- Browser Exploits: A New Model for Browser Security
- Time for a Free Hardware Foundation?
- Mac OS Xploitation
- Hacking a Bird in The Sky 2.0
- How the Leopard Hides His Spots – OS X Anti-Forensics Techniques

Day 2
=====

http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2

Keynote Address 3:  Dissolving an Industry as a Hobby – THE PIRATE BAY

Presentations:

- Pushing the Camel Through the Eye of a Needle
- An Effective Methodology to Enable Security Evaluation at RTL Level
- Remote Code Execution Through Intel CPU Bugs
- Next Generation Reverse Shell
- Build Your Own Password Cracker with a Disassembler and VM Magic
- Decompilers and Beyond
- Cracking into Embedded Devices and Beyond!
- Client-side Security
- Top 10 Web 2.0 Attacks

By definition, every day is “historic”, but there are clearly some events that will be remembered through the annals of history more than others. Today is the inauguration of the 44th President of the United States; and boy is it a day filled with history. It’s also a day filled with a big honking data breach.

In tonight’s episode we talk about what the new administration revealed about their technology policy agenda. We also discuss worms on military systems in the UK, the security metrics of laughter, and disclosure gone bad. Again. Through all this Rich comes a little unhinged in a series of rants that cover the First Amendment, goths, and New Zealand strip clubs. Martin makes a bad submarine joke.

Network Security Podcast, Episode 135, January 20, 2009
Time:  35:32

Show Notes:

• Is this the largest data breach ever? And did they try and hide behind the inauguration?
• Worms run rampant through UK Ministry of Defense systems.
• Laughter as a security metric. Rich thinks we need to get over ourselves. Ironic, ain’t it
• The White House technology agenda.
• A disclosure gone inadvertently bad.
• Bay Area Security Professionals/PCI User Group
• Tonight’s Music:  Fire Apes with Tuesday’s Fine

I love my not-so-little desktop PC.  It’s got 3 gigs of memory, an Nvidia 8600 graphics card, two monitors an AMD X2 4600 processor and half a terabyte of hard drive space, plus another terabyte of external drive space.  But when I originally built it I only had a 160 gig drive and wanted the majority of the space to be available to record podcasts and made the horrible mistake of only giving the C drive 12 gigs, figuring putting the program files on the D drive would make that enough space on C.  Little did I know the problems that would cause.

I’ve frequently had to rummage through the drive and find temporary files to delete because the system was running out of space.  It’s amazing how much space temp files for Firefox and Internet Explorer can take up.  What really amazed me was when I installed Spore just before Christmas and how it insisted on saving everything to My Documents on the C drive, even though I’d told it to use the D drive.  I didn’t realize saved games could quickly get into the gigabyte range, which was bad for my system performance.  So Spore had to go.  (the kids still get to play it on the Mac Book Pro, however)

Yesterday I found the program I’ve been needing for over a year, Xinorbis.  I fired it up let it shift through the hard drive and a couple of minutes later a nice little pie chart came up.  The big surprise to me was that I had a ton of .flv files hanging out in various subdirectories throughout my drive from videos I’d watched over the years.  Xinorbis allowed me to select the ‘Movie’ from the categories and popped up a list of all the .flv files throughout the drive.  Clicking on each of the files allowed me open up the directory they were in and remove all of the .flv files I no longer needed or wanted.   30 minutes later I’d freed up 1.5 gigs on my drive, giving me more than enough space to go on for a couple more months until some other application takes up too much space with temp files.

Hopefully you haven’t made the same rookie mistake I did, but you might benifit by running Xinorbis on your computer and discovering where some of that extra junk on you drive is being stored.  Or it might just be fun to poke around see what’s there.  Either way, Xinorbis helped me finally solve a problem I’d been having with my computer for a long time.

While I’ve only heard of one concrete example of a situation where PCI caused a company to actually become less secure than they were before, I’ve seen multiple examples of company’s that were concentrating so hard on meeting compliance deadlines that they ignored any security measures around their network that weren’t directly related to PCI.  While this isn’t a huge problem in most cases, because PCI is generally based on ‘best practices’ (hate that term), it still left areas of the network less secure than they really need to be.

Anton Chuvakin wrote an interesting post called Tales from the “Complaince First!” World that highlights some of the dangers of the compliance first philosophy.  There is a large number of requirements in PCI calling for specific technologies, such as AV and web application firewalls, that companies are putting in place, turning on and forgetting.  While the PCI-DSS requires the technologies to be implemented and monitored, I’m sure there are QSA’s all around who’ve gotten to a company to do an assessment only to hear “We have a [insert technology here], but it’ll take me a minute to remember how to log into it.”  Great!  You have it but you haven’t monitored it in so long you can’t remember how to log in??  That makes it really useful and gives me confidence in how well you’re monitoring you other technologies.

Another point that Anton makes is about the external scanning requirements of PCI.  Your external scanning is only as good as the lower of two points:  how good the scanning vendor is and how honest/complete you are in configuring the scan engine.  Most companies aren’t going to have any control over the quality of their scans, other than chosing a new vendor if the current one is just paying lip service to scanning.  But there are a lot of companies who only scan their PCI environment or ‘forget’ to include the other couple of blocks of Internet accessible servers.  Or even worse, have servers exposed to the network they aren’t even aware of.  And just because you get a clean scan from your vendor doesn’t mean you’re secure.  If you’re not backing up your scanning vendor’s findings with your own scanning tools, you’re going to have a sense of security that may be misplaced.  Nessus is your friend.  

The point of all this is that if you’re aiming to be complaint, think about security first; it’ll make compliance easier.  Or if you have to make compliance your number one goal, follow Anton’s advice:  ”…please at least make sure that ‘Security SECOND’ happens.”  I’ve seen too many companies that attain complaince and then call it a day, forgetting about other areas that aren’t covered by PCI.  You don’t want to be the next TJX, a company that was technically PCI compliant but insecure in reality.