Archive for February, 2009

Feb 24 2009

Network Security Podcast, Episode 139

Published by under Podcast

Rich wasn’t able to make it to the podcast tonight due to last minute efforts to make his house ready for a new addition to his family.  The exact timing, as is generally the case in these matters, is almost entirely out of the hands of anyone but the baby, so Rich may be taking another week or two off to deal with the changes to his life.  Then he’ll be back and you’ll get to listen to more discussions of dirty diapers.  Actually, I’ll try to keep that talk to a minimum, but you know it’ll happen occasionally.

So tonight I enlisted the help of friend and fellow security blogger, Andy Willingham, aka Andy IT Guy.  Andy recently went on a trip to Spain to appear with folks like Bruce Schneier and Byron Acohido on stage at an event put on by Panda Security.  Sounds like Andy had a good time and really makes me wish I’d been able to go.  I’ll take Spain over Chicago any day.  Plus talking to Andy gave me all the excuse I needed to make fun of Chris Hoff, not that I ever need much of an excuse.

Network Security Podcast, Episode 139, February 24, 2009
Time:  30:43

Show Notes:


Feb 23 2009

Vote for your favorite security blogs

Published by under Blogging,Podcast

The RSA Conference 2009 Security Bloggers Meetup is coming up in a couple of months!  Please take a few minutes and vote for your favorite security bloggers and podcasters at the Social Security Awards site.  If you’re a security blogger or podcaster, please encourage your listeners to vote for you.

Rich and I are not eligible, but we’d like you to vote in any case, since we’re helping put on the awards and would like to see as representative a vote as possible.  Voting closes at the end of March, so you’ve got a little time yet.


Feb 19 2009

Repost: ESM & SEM Discussion

Published by under Video

This is a repost.  I hadn’t realized the link to the video was broken in the original post.  I blame the WYSIWYG editor.

This is the latest in a series of video discussions with my friends Richard Stiennon, Amrit Williams and Mike Murray.  I have a hard time watching myself on video, so I haven’t watched the whole thing, but everyone who’s reviewed it says it’s a fun, lively discussion.  ESM and SEM stand for Enterprise Security Management and Security Event Management, for anyone who’s not up on their latest acronyms.  I think this was the last shoot of the day, which you can tell because we all let loose a little more than we had earlier in the day.

Demos on Demand: ESM & SEM


Feb 19 2009

Reporting Twitter spam

I’m pretty careful about who follows me on Twitter.  I get the email saying who’s following me every time I get a new follower, and without fail I click on the link to see who’s following me.  Most of the time I think “Cool, another follower” and move on.  If it’s an obvious bot (following hundreds to thousands of accounts but with almost no followers) or if it’s a marketing person who has nothing to do with security, I block them.  I’ve probably made a couple of mistakes and blocked some very good, legitimate people, but I’d rather lose a few good people than have the bots and spam twits following me.

Today I got something a little different, a twit whose only purpose is to spam people with links to pr0n videos.  Or at least I strongly suspect that was the purpose, given the names of the videos; I wasn’t willing to risk the malware infestation I believe was probably behind the links to find out.  I immediately blocked that account, but got to thinking about other people who might not be quite as reluctant to follow the links as I am.  Which brought up an interesting question: how do you report spam accounts to Twitter?

I went to the main help page to find information about how to report spam and didn’t see anything.  So I did what any good twit will do and sent out a tweet to see if anyone else knew how to report spam.  Turns out I’m not the only one who had little or no idea of how to report Twitter spam.  So I did the only thing I could think of, sent an email to support and let it go at that.

I received several replies asking me to let people know how to report spam, so I decided to take another look at the support page.  Lo and behold, there were instructions on the page right in front of me; I just hadn’t scrolled down the page far enough to find them.  Under the heading “Contact Twitter” was the following information:

Contacting Twitter

More information about Twitter

  • @spam: follow our spam profile and report Twitter spam via direct message
  • Status Blog: check Twitter’s current system status.
  • Twitter Blog: what’s new with Twitter
  • Developer Blog: a technical blog from the Twitter engineering team
  • Developer Group: if you’re a developer, join our mailing list

And there you have it.  If you receive a follower that is a spam bot, all you have to do is send a direct message to ‘spam’ at twitter.  Could they make it any easier?  Probably not.  Do your part, let the folks at Twitter know when you get a follower who’s a bot.  It’s not only good to kick those accounts off and stop the spam, it lowers the chances of seeing a fail whale.  And no one likes the fail whale.

Update:  Minor problem with the process.  To report spam, you have to follow @spam.  You’d think the guys at Twitter would make an exception for that account.


Feb 19 2009

Evaluating the cost of PCI

Published by under PCI,Risk

When I was a security manager, I loved PCI because it gave me a really good reason to spend the money on the technologies I knew needed to be in place.  When faced by management that was notoriously stingy …er… thrifty, I could point to the PCI requirements and tell them we needed the technology to be compliant.  Not that this always worked when there were open source alternatives, but it did make the initial conversations less about “why do we need this?” and more about “what’s the cheapest way to do this?”, an improvement, if not much of one.

I’ve got two articles to point to today about the cost of PCI.  And believe me, the cost can be considerable, especially for smaller companies who have to put in the same types of safeguards as a larger company to become compliant.

  • What are PCI “Best” practices:  Saving Money or Improving Security? – How do you compare ‘Cost-Effective Compliance’ to ‘Compliance Driven Security’?  I have to say I’ve used Compliance Driven Security to get what I wanted in the past because the companies I’d worked for always felt that security was a bothersome task they tacked on to the end of everything.  As a PCI assessor, I see both types of efforts, but it’s usually the companies that have the foresight to use a Cost-Effective Compliance philosophy that end up being the more secure at the end of their compliance efforts.
  • Cost of PCI Compliance – If you want to give your CFO a little bit of sticker shock, ElementPS has pulled some numbers from a 2008 Gartner report showing how much merchants spent on becoming compliant.  Knowing a few former Gartner analysts, I’m a little skeptical of the accuracy of the numbers, but they’re a good starting point for the conversation with the CFO.  “Gartner says the average cost for PCI compliance is $X, but I only want to spend $Y.  I’m trying to save us money.”  It might even work.

Back to working on some of my own PCI projects.  Or other people’s PCI projects, depending on how you want to look at it.


Feb 18 2009

BaySec tomorrow night

Published by under General,Social Networking

The monthly social meeting of San Francisco Bay Area security professionals, BaySec, is tomorrow night, Thursday February 19th, at the Gordon Biersch brewery in downtown SF starting at 7 pm.  Barring natural disaster or total meltdown due to lack of sleep, I plan on being there a little early to help stake out some tables.  It’s a hit or miss thing; we usually clump together around a group of tables until we hit the critical mass where other bar goers start avoiding us just due to volume.

BaySec is a great networking venue and there are all manner of security professionals there to meet, from the stereotypical ‘hacker’ types to the obnoxious PCI Assessor types.  The food and beer are pretty good as well, though I keep getting reminded that garlic fries are not on the list of approved dietary substances under P90X.  Not that I’ve let that stop me before.

Here’s to seeing you at Gordon Biersch tomorrow night.


Feb 17 2009

Network Security Podcast, Episode 138

Published by under Podcast

After a three week break from each other, Rich and I are back on the mic together.  I’m at home again, Rich’s life hasn’t fundamentally shifted yet, and all is good.  Of course, considering how much work Rich and I both have in our ‘day jobs’, it’s amazing we ever find the time to podcast at all.

My part in the podcast is a little light this week, since Rich managed to find an awesome guest to interview, Brian Krebs from the Washington Post.  I don’t know of any reporters out there who’ve done more to expose the bad guys to the light of day than Brian has, and he’s a pretty good writer too.  Rich was able to take a few minutes of Brian’s time to talk about spam, organized crime and how we may need to change the Internet in the future to make the bad guys’ lives harder.  I don’t think Brian is going to run out of things to write about any time soon.

We also talked for a few minutes about Valentine’s Day, the new Facebook Terms of Service and life in general.  Hopefully Rich will be back next week, but there’s a chance I may be looking for a guest co-host next week.  Or there may be more diaper talk as Rich finds out about all those things I’ve been warning him about for months.

Network Security Podcast, Episode 138, February 17, 2009

Time: 36:20

Show Notes:


Feb 17 2009

Are credit cards worth the risk?

Published by under PCI,Risk

It sounds like a simple question, doesn’t it?  Is it worth it to your organization to take credit cards online; do the rewards outweigh the risks?  If you’re a major retailer or service provider or even a minor player in the game, the answer’s probably a no-brainer: you have to take credit cards online if you want to stay in business.  But what if you’re a small business that hasn’t been taking credit cards, a boutique service provider or a one or two person business?  Then things start getting more complex and the risk vs. reward equation becomes a lot more questionable.

Late last week a question came up on one of the many mailing lists I subscribe to; a sys admin at a small service provider was asking a scoping question about PCI.  His employer hadn’t been taking credit cards before but wanted to start doing some pass through authentication and offering to collect cardholder information for small merchants who’d download the information later.  Sounds simple and easy enough to do.  At least until you start looking at all the controls that have to be put in place to meet PCI compliance, now that the service provider is taking credit cards.

One option the service provider has, and the one I think many small merchants and service providers are taking, is to ignore or pay lip service to PCI.  I don’t have quantitative analysis to back that opinion up, but given the reactions of some larger companies to PCI, I can only assume that smaller merchants are displaying the same attitudes.  After all, it’s only a small number of credit cards, hackers will never attack a small company and the credit card companies don’t have the time to deal with the multitude of small merchants and service providers, do they?  If only that were true, a large number of the breaches that don’t make the news would never happen and forensics investigators would suddenly have a lot more time at home.  The problem with this idea is that it’s an all-or-nothing crapshoot; either you’ll never get hit by a hacker or one day you’ll get a call from the Visa fraud department asking about the large number of bad transactions that point back to you.  Which is the point where many small businesses have to close shop and call it a day due to the costs of an investigation.

The other option is to attempt to become PCI compliant in a meaningful way.  Installing an Intrusion Detection System and File Integrity Monitoring solution, rewriting corporate policy, reviewing firewall rulesets on a regular basis and all the other tasks related to becoming PCI compliant.  If you’re a small service provider or merchant, this may mean hiring additional people or finding a third party managed service provider to take care of these services for you.  Even if you’re doing it yourself using free/open source software, just the cost of the additional manpower needed might be enough to take you over that tenuous line from profitable to unprofitable.  And in the current economy, that’s a line no one wants to even flirt with.

I’ve dealt with a few service providers recently that have done the math and decided it’s not worth it for them to offer ‘PCI Compliant’ services.  The overhead costs and risks involved just weren’t worth the few dollars they’d make on each client.  If you’re a big service provider, many of the PCI-related safeguards scale well and don’t require a significant increase in costs.  But for a small service provider, creating a number of the safeguards and controls needed can easily outweigh the potential profit.  Much the same can be said of merchants; however, it’s much easier for a merchant to outsource card processing and storage.

If your boss is asking you to evaluate taking credit cards, sit down and do the math.  Realistically, the option of ignoring PCI is there, but it’s something that is almost guaranteed to bite you eventually, not to mention the ethics and morality of a security professional ignoring security compliance.  For most smaller service providers I suspect the cost of implementing PCI controls will far outweigh the potential profit of taking credit card numbers and storing them, even if you already have many of the safeguards in place.  Don’t talk to the marketing guys about the technologies that have to be in place, but instead explain the costs involved and the risks that the company will incur by taking credit card numbers.  If your business decides that the risk is worth the potential profit, then do the best job you can to secure the cardholder environment.  After all, that’s what security professionals are really here to do: evaluate the business risk, then do what they can to minimize that risk.


Feb 16 2009

Nir Zuk responds to firewall discussion with Stiennon

Published by under General

Nir Zuk, founder and CTO of Palo Alto Networks, responded via video to the conversation Richard Stiennon, Mike Murray, Amrit Williams and I had about firewalls for Demos on Demand.  He’s got a good point: without added intelligence, once you open one port on the firewall, it’s functionally the same as a network cable.  Many applications are capable of proxying through ports 80 and 443 without any modification, so much of the filtering capability of an old-school firewall is rendered moot.  Not that many firewalls are just firewalls anymore, but that may be part of his point.

Nir Zuk’s response to the Firewall Conversation
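To make Nir Zuk’s point concrete, here is an added example (written for this page, not code from the post or from Palo Alto Networks) that runs a handful of constructed flow records through two policies: a port-only rule that opens 80 and 443, and the same rule plus a check that the first bytes the client sent actually look like HTTP or a TLS ClientHello.  The flow labels, addresses and payload byte strings are all constructed; the TLS bytes are a plausible handshake record header rather than a capture.

```python
"""Why an open port is 'functionally a network cable': compare a port-only
firewall rule with a check that looks at what the client actually sent.

Added example (not from the post, not Palo Alto Networks code).  The flow
records and payload byte strings below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Ports the old-school rule opens outbound.
ALLOWED_PORTS = {80, 443}

# What we expect to see on each opened port.
EXPECTED_APP = {80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


@dataclass(frozen=True)
class Flow:
    label: str
    dport: int
    first_bytes: bytes  # first bytes the client sent after the TCP handshake


def identify_app(payload: bytes) -> str:
    """Minimal application identification from the first client bytes.

    A TLS handshake record starts with content type 0x16, major version 0x03,
    a two-byte record length, and then handshake type 0x01 (ClientHello).
    HTTP starts with a request method; SSH starts with its version banner.
    Anything else is 'unknown', which is exactly the traffic a port-only
    rule waves through.
    """
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def port_only_policy(flow: Flow) -> str:
    """The 'open port 80 and 443' rule: the payload is never consulted."""
    return "allow" if flow.dport in ALLOWED_PORTS else "deny"


def app_aware_policy(flow: Flow) -> str:
    """Same port rule, plus a check that the application matches the port."""
    if flow.dport not in ALLOWED_PORTS:
        return "deny"
    app = identify_app(flow.first_bytes)
    if app == EXPECTED_APP[flow.dport]:
        return "allow"
    # Mismatch: something is using the hole we opened for a different application.
    return f"alert: {app} on port {flow.dport}"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("browser to web server", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"),
    Flow("browser to HTTPS site", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("SSH client pointed at 443", 443, b"SSH-2.0-OpenSSH_7.9\r\n"),
    Flow("custom tunnel on 443", 443, b"\x00\x01\x02custom-tunnel-hello"),
    Flow("plain HTTP on 443", 443, b"GET /proxy HTTP/1.1\r\n"),
    Flow("SSH to port 22", 22, b"SSH-2.0-OpenSSH_7.9\r\n"),
]


def evaluate(flows):
    """Return (label, port-only verdict, application-aware verdict) per flow."""
    return [(f.label, port_only_policy(f), app_aware_policy(f)) for f in flows]


if __name__ == "__main__":
    for label, port_verdict, app_verdict in evaluate(SAMPLE_FLOWS):
        print(f"{label:28s} port-only: {port_verdict:6s} app-aware: {app_verdict}")
```

The port-only policy allows five of the six flows, including the SSH session, the unknown tunnel and the plaintext HTTP that all happen to use port 443; the application-aware policy allows only the two flows whose payload matches the port and raises a port/application mismatch alert for the rest.  A real application-identification engine is far more elaborate than three byte-prefix checks, but the difference in the verdicts is the whole of the argument.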


Feb 14 2009

Saturday morning reading – 02/14/09

Published by under General

I’ve been incredibly busy this week and have a ton of work to do this weekend.  Plus it’s Valentine’s Day and I don’t have anything for the wife yet.  Since I’m probably buying her tickets to a play in San Francisco, if I decide to trust the venue’s web site, I can take care of her present in short order.  I’ve also been getting hints that I might want to take her out to dinner tonight, sans kids.  I wonder if telling her I ordered a new motherboard, CPU and memory for her computer would be a reasonable substitute?  If you haven’t heard from me in a couple of weeks, assume the answer was ‘no’.

Today’s links are light on security articles and a little heavy into legal issues that I think affect us all.  YMMV

Postings will be rather light for the next few weeks; work has gotten busy, as have the kids.  Plus I have some interesting news brewing with the Forum of Incident Response and Security Teams, or FIRST.  Stay tuned for a press release.  Or at least a blog post.
