We’ve got a long show tonight, but well worth it. Rich was able to talk Dino Dai Zovi into appearing on the show after his recent talks at both SOURCE Boston and CanSecWest, despite Dino’s feeling the effects of so much travel. We talked about his new book, about his post “No More Free Bugs” and general dealings with vendors about vulnerabilities. Rich also succumbs to the dark side and lets his fanboi roots show more than a little. We finish by talking about the impending doom that is (or isn’t) Conficker and the GhostNet. We had a lot more to talk about, but in honor of your time and our energy, we ended it before we really got rolling. Still not as long as a Pauldotcom show though. Speaking of which, congratulations to Paul on his new role over at Tenable!
Network Security Podcast, Episode 144, March 31, 2009
PCI was under fire today during a US House of Representatives subcommittee meeting. If you didn’t watch the meeting while it was in progress or watch the tweets that I, Anton Chuvakin and a few other security professionals were sending, you missed what will end up being a very important meeting for the future of PCI. Our representatives asked some very pointed questions and both Robert Russo from the PCI Council and Joseph Majka from Visa were put on the hot seat. The representatives from Michaels and the National Retail Federation were definitely in an adversarial position to the PCI Council and the card brands. It made for great spectator sport.
The video’s supposed to be available soon, so if you’re interested in PCI, take a little while and watch this. It was only the opening round in what promises to be a very interesting set of meetings to determine the future of PCI.
Do the Payment Card Industry Data Security Standards reduce Cybercrime?
It’s not too often that we get an honest evaluation of the security of a corporate network let alone a government network. But that’s exactly what David Bowen, the Federal Aviation Administration’s Assistant Administrator for Information Services and Chief Information Officer gave IT execs in Dallas last week. In a very frank speech, he disclosed that the FAA has more Internet access points than they can manage, more systems than they can secure and generally a network that they know is insecure but don’t have the time and budget to do anything about.
I doubt there are many security professionals that are surprised that the FAA network is insecure, but the sheer scope of what Mr. Bowen is facing is scary in the extreme. They lost information on 45,000 employees in February and even though they deny that other systems, such as air traffic control, are affected, how can they know for certain when they have a network with so few security controls in place? Unless there’s an air gap of some sort between the rest of the FAA systems and the air traffic control systems, the answer is they can’t.
This isn’t a rogue IT professional disclosing the dirty secrets of an organization; this is the CIO publicly admitting that he doesn’t have a handle on the security of his organization, with full acknowledgment by his superiors. You can read the entire transcript of the speech on the FAA site, something you wouldn’t be able to do if the higher-ups in the organization were trying to keep this from getting out. To me that means this isn’t just an admission of guilt, it’s a plea for help from the Federal government to supply the resources needed to secure his networks.
Statistically, flying is one of the safest ways to travel. Usually when we hear about an airplane accident it’s because what happened was spectacular and unusual. But if the FAA networks are really as insecure as Mr. Bowen is indicating, it’s not inconceivable that we could see a scene that looks like something out of a Die Hard movie at some point in the not too distant future. I don’t think this is a case of crying wolf or exaggerating the potential consequences; I believe this is a real threat we could face in the future if the FAA systems aren’t secured.
If you want a good place to spend TSA and Homeland Security money, I’m willing to bet securing the FAA network would be a much better place to put it than making travelers take off their shoes when they’re trying to board a flight. True, it wouldn’t be as flashy and noticeable as taking away people’s pen knives and baby formula, but securing the computers that guide each and every flight taking place in the United States would save more lives than every shoe x-ray combined.
Last week I had a chance to sit down and talk to Michael Dahn and David Bergert to discuss the payment industry in general and PCI specifically. Michael is the CTO of the Aegenis Group and the Society of Payment Security Professionals and David is the Technology and Development Director for On-Line Strategies. I always enjoy talking with like-minded security professionals, especially when they say “Martin has a good point.”
PCI and the payment industry are always a little hard to talk about because we can’t give specific advice on how to implement technologies or how to solve particular problems listeners may have. That’s not just because my employer is a QSA company, but also because when you get down to actually implementing PCI, it really depends on your particular environment; what works for one company will be completely wrong for another because of minor differences between the two. Which is why we talked about some of the philosophy behind becoming both PCI compliant and secure at the same time.
This is part of a series of discussions with payment industry professionals that Michael will be doing over the next few months. It should be interesting to see who he’ll get to talk about the payment security industry and how opinions differ based on what part of the industry they’re in. The Payment Card Industry Data Security Standards (PCI-DSS) are the most visible part of the payment industry at the moment, but they’re just the tip of the iceberg for the industry as a whole.
Secure Payments Podcast, Episode 1
When we started planning the Security Bloggers Meetup last October, one of the comments I made was “We’re not starting too early, are we?” If nothing else, I’ve learned since then that there’s no such thing as starting too early for an event like this. In fact, for the 2010 meetup we may start even earlier, like some time in May of 2009. I’m mostly kidding, but not entirely.
The meetup is going to be huge this year, mostly thanks to the awesome sponsors who’ve stepped up to the plate and given us the money to put on an event of this magnitude. F5, Fortinet, Microsoft and Websense are the main sponsors and they’ve been very generous, which is even more amazing when you think of the hard economic times we’re in. Seagate has also contributed BlackArmor drives to be given out to the winners of the Social Security Awards as well as a BlackArmor NAS 420 for the door prize at the meetup (more information on how to enter the drawing). I almost wish I was attending instead of being involved in the planning so I’d have a chance to get the NAS 420 myself. Not that I need another drive on my home network that badly, but more geek toys are always lusted after.
The invites with the uber-secret location of the Meetup will be going out just a few days before RSA starts, but if you’re a security blogger who’s going to be at RSA please drop a line to Jennifer Leggio (jleggio_at_fortinet.com) to get on the list. The list will be closing a couple weeks before RSA starts, so even if you don’t have your travel schedule solidified yet, get on the list now. It’s always better to not make an event you RSVP’d for than be turned away because you tried to sign up too late.
Sorry for the late show notes, I’ve been on the road and a late night/early morning combo doesn’t exactly promote a lot of blogging. Rich and I recorded a little early this week in anticipation of my travel schedule and it’s a good thing we did as my time ended up being every bit as tied up as I’d expected, possibly even more.
Network Security Podcast, Episode 143, March 24, 2009
The Google Summer of Code projects have always turned out some very interesting results, but this summer promises to hold something special for security professionals. The Honeynet Project has been selected to be a sponsor for the competition, which means we can hope to see some tools coming out of it that help parse, manipulate or otherwise transform the data into information we can use. The sheer amount of data gathered by the Honeynet Project makes drawing meaningful conclusions difficult, so I’m hoping there will be a bunch of new tools coming out to sift through it.
It’s been another incredibly busy week and a lot of tabs have accumulated in my Firefox browser bar. I kept meaning to blog about a number of these stories but between work, kids and discovering a ton of anime on Hulu, it never happened. So once again, I’m cleaning up my browser by creating a quick blog post to reference these sites later. As if that ever really happens. But the intent is there.
I have to say, it’d be a bad week to be Diebold/Premier; they’re under attack here in California because they’ve admitted to a number of problems in the audit logs of their e-voting devices, and their ATMs are under attack in Russia. I’m not a big fan of electronic voting machines in the first place, but when you have to admit that your machines can have votes deleted wholesale without any record of the vote existing in the first place, you shouldn’t be in the business to begin with. Which is probably why Diebold spun the e-voting machine business off in the first place. It’s crazy stupid that such a mistake happened at all, but the fact that they made it through the audit process with a vulnerability like this means that there’s a lot in the process of certifying electronic voting machines that’s broken. Paper ballots aren’t perfect either, but at least they always leave physical evidence that can be referred back to later.
Twitter, I mean TinyURL, had some major issues this week as well, exposing some of the functionality behind the tool. Fox News’ Twitter stream exposed some SQL code, which turned out to be caused by TinyURL improperly securing their systems. I use both services a lot, so this was more than a little disturbing. If someone had been able to use this exposure to compromise TinyURL, it could have been used to send bogus links to millions of people. And while we’re on the topic of shortened URLs, take a look at LongURL.org, a tool that lets you expand most of the shortened URLs so that you can know where you’re going before you actually follow the link.
More stories from this week:
Now to go back to my streaming anime and kids. If I can pry the kids away from creating new games of their own using Scratch that is. Geeks in training, that’s my boys. I’m not sure whether to be proud of them or to chase them away from the computer.
I’m sometimes amazed at how quickly people forget that Twitter and all social media platforms are public forums. The ‘social’ in social media means that what you post is out there in public for all of your friends, as well as people who aren’t your friends, to read. It’s like standing in a crowded room, talking to a group of your friends, with other people on the fringes listening to the conversation. You never know who’s in that fringe group and what they’ll do with what you say.
Yesterday a job seeker got a very graphic example of the dark side of social media on Twitter; they’d been offered a job by Cisco and made the mistake of tweeting the following:
Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.
Someone associated with Cisco saw the tweet and responded. I don’t know if the job offer was rescinded, but given the popularity of the meme, it’s quite likely they’ll at least have to explain themselves to the hiring manager and fight an uphill battle to keep the job. Or maybe they’ll be too embarrassed to face the hiring squad at Cisco again. In any case, it’s not a position anyone wants to be in with the current economy or any economy.
I’m no stranger to this effect and I’m sure we’ve all posted things online that we wish we could remove from the semi-permanent record that is the Internet. It’s easy to forget that the little group of highly interactive followers you have on Twitter is also backed by a much larger group of followers who never post, just take in what we’re tweeting. It’s even easier to forget that there are a number of ways people can search on keywords, like ‘Cisco’, even if they aren’t on Twitter and following you. It’s a public forum and everything you say is being recorded and read by someone, and that someone might be your boss, the guy who’s thinking about hiring you for your next job, or your mother. Would you say some of the things you do on Twitter or Facebook if you knew your mother would read it?
Making your conversations on social media sites private is no guarantee they’ll remain private. You might make a mistake and make your conversation public, the site might make a mistake, a friend might repeat what you’ve posted, or the information might become public in any number of other ways. It’s social media; it’s meant to be broadcast and it’s entirely too easy to lose control of who is receiving your message. If you really want to have a private conversation with someone, pick up the phone and give them a call. That way, at least you know the only people who might be listening in are in a small room of an AT&T building in San Francisco.
If you’re using social media tools, you’re living a public life. What you say can and will affect your future prospects. It may be a virtual soapbox, but you’re still stepping on a stage and shouting to a crowd every time you tweet or post on Facebook. Learn to live your life like someone’s listening to everything you say, because they probably are.
Rich and I were joined by a special guest tonight, Bill Brenner, Senior Editor at CSO Online. We wanted to talk to Bill because there was an interesting story about the BBC buying a botnet and we wanted his take on this, as well as our other stories. Bill’s a journalist who’s been in the security space for about five years and has a slightly different perspective than that of someone who’s down at the ground level doing security. Which is also slightly different than the perspective Rich and I have. We also wanted to bring Bill on because he has a new podcast of his own.
This ended up being one of the longer podcasts we’ve done in a while, but I think it was worth it.
Network Security Podcast, Episode 142, March 17, 2009