Archive for March, 2009

Mar 16 2009

Your datacenter may not be secure enough

Published by under General,Risk

Just imagine it: your web site is down, you can’t reach the server, you can’t reach the router, the guys at the datacenter aren’t answering the phone, what the heck is going on?  You get in your car and drive down to the datacenter and as you drive up you notice all the police cars in the parking lot.  Walking into your datacenter, you learn that thieves have broken in overnight and made off with your hardware as well as that of half a dozen companies in the same datacenter.  Sound too ridiculous to be true?  Last.FM found out last week that steel doors aren’t enough to keep determined criminals from breaking into your datacenter.

Last week a Level 3 datacenter in London was broken into by some very tech savvy criminals. They battered down an external fire escape door, a door to the datacenter floor and the door to Last.fm’s suite.  The thieves were caught as they tried to take Last.fm’s 6500 series router, but had done a lot of damage in the meantime.  And apparently this isn’t the first time that the same datacenter has been broken into.

Level 3 isn’t the only datacenter to fall victim to this type of assault.  Masked thieves broke into a datacenter in Chicago in 2007, and not for the first time.  They’ve assaulted datacenter personnel and broken through walls on separate occasions to steal servers.  If they’d been as smart as the criminals in London, they would have gone for the routers and firewalls, which are pound for pound much more valuable and probably easier to sell on the black market than the servers.

Datacenters may need to step up security measures as criminals begin to realize exactly how valuable the equipment in datacenters is.  Even smarter criminals may realize that while the servers and routers are worth a lot, if they can find servers with credit card information on them, they may be able to hit an even bigger jackpot.  Personally, I have to think that there has to be an insider, whether a datacenter employee or a client, who’s involved with the criminals and telling them what systems to hit.  There are too many security measures in place to break into a datacenter without some sort of insider knowledge.

Do you visit your datacenter at least annually to review its physical security?  If you’re a merchant who’s undergone a PCI assessment, the answer had better be ‘yes’.  But the best physical security you can afford might not be enough as criminals get bolder.  If they’re willing to break down doors and hold datacenter personnel at gunpoint, there may be nothing you can do but make sure you have a good set of backups and a disaster recovery site at a different datacenter.

Mar 13 2009

Be careful what you tweet

Published by under Social Networking

Imagine sending your cell phone number out to 21,000 Twitter followers.  That’s exactly what David Pogue did when he left off the ‘d’ for direct message when he sent a friend a tweet.  He realized his mistake almost immediately, sent out a second tweet asking people not to inundate him with tweets and got lucky.  Out of his 21,000 followers, only a handful responded at all.  No one wants to hear ‘fail’ from that many followers.

We used to run into the same sort of ‘reply all’ fumbles concerning email when it first became widely used.  But we’ve had enough time to get used to email that unless someone sends something extremely sensitive, no one even notices a ‘reply all’ event any more.  The only reason this is even a story is because Twitter is still a fairly new technology and Mr. Pogue is a well known tech writer.  Give Twitter a year or two to become more well known and it’ll take someone like Paris Hilton tweeting her phone number to become news.

Mar 12 2009

Apple’s easy to hack after all?

Published by under Apple/Mac,Hacking

Dino Dai Zovi showed at SOURCE Boston just how easy it is to get into the memory of a Mac.  Apple apparently left off tools that are available in the GNU compiler collection to protect against exactly this sort of attack.  Dai Zovi even says that the current version of OS X is easier to hack than XP.  Ouch.

Does this mean that Macs are less secure than PCs?  Not really, since they’re still such a small percentage of the market that they’re not under heavy attack by malware.  Even though the capability exists to take advantage of this vulnerability, the return on time and effort is still a lot better on the Windows side for malware writers.  Of course, someone could always decide that Macs are an underutilized target for malware and create something interesting.

Mar 10 2009

Network Security Podcast, Episode 141

Published by under General

It seems that not even my new adventures in parenthood can keep me away from the show. After a much-appreciated 2 week break, it’s good to be back.

This week Martin and I roll through another series of articles covering the week’s security events, after a small divergence to talk about my new daughter (man, is it weird to say that). We start by discussing the resignation of cybersecurity chief Rod Beckstrom over concerns that the NSA is taking over the show. No folks, the NSA isn’t evil, and I don’t think they have a single black helicopter, but it’s probably too orthogonal a mission considering their current mandate. We also discuss the effectiveness of data breach laws, advances in botnets, and the earliest signs of some accountability in PCI. Martin closes the show with a close call and micro-scare involving his parents and malware.

Note:  The proper name for the malware I mention at the end of the podcast is Spyware Remover 2009.  (Martin)

Network Security Podcast, episode 141, March 10, 2009
Time: 38:21

Show Notes:

Mar 10 2009

I can’t watch

Published by under Humor

I don’t watch reality TV shows, especially ones that can really embarrass people, like Dancing with the Stars.  But I’m sure my wife will want to keep me informed of Steve Wozniak’s showing for the two or three weeks he’ll be on.  Apparently he made a truly atrocious first showing.  I’ll have to remember this line, “It was like watching a Teletubby going mad…”

Mar 07 2009

Saturday morning reading, 03/07/09

Published by under PCI

There have been a lot of stories directly related to PCI this week and not much time to write about them.  Of course, this weekend isn’t much better, so I’ll continue my recent trend of posting the stories that caught my eye along with any comments.

Saturday morning reading:

• Mosso – First PCI Compliant customer through self-evaluation and scanning – The title itself points out the problem I have with this article; the client self assessed, this wasn’t done by a QSA.  The next two articles provide more information on how they came to the conclusion that this solution was “PCI compliant”.
• Cloud hosting is secure for take-off:  Mosso enables the Spreadsheet store, an online merchant to become PCI Compliant – Mosso is the service provider that’s hosting the Spreadsheet store site, but they are passing off all credit card transactions to a secure payment gateway, and no cardholder information is being saved in the Mosso cloud.
• How to utilize Cloud sites in an e-commerce solution – In this pdf, Mosso makes it clear that the customer is redirected to a payment gateway to enter the credit card information and that all the merchant ever sees is a transaction ID and dollar amount.  The payment gateway has to be PCI compliant, but that’s something you should be expecting from your gateway anyway.
• PCI Compliance and Cloud Computing – Nick Coblentz takes a look at the Cloud and being PCI compliant.  One of the things his article highlights is that there are still more questions than answers in the Cloud.
• PCI Council issues priority tool for compliance – This is one I need to take a much longer look at myself.  A prioritized checklist isn’t a bad thing, provided the person using it looks at it critically as it relates to their unique environment.
• Why I employed a felon – Jason Calacanis talks about why he hired and continued to employ John Schiefer at Mahalo, now a convicted hacker.  This isn’t a theoretical debate about the merits of hiring a former hacker, but the real world interaction between two individuals.  I have to applaud Jason for giving John a second chance.
• Security consultant turned hacker gets prison for running botnet – And here’s the impersonal version of the story.
• The PCI Fraud argument conundrum – Is the PCI-DSS reducing credit card fraud?  Heck if I know, but I believe it’s at least limiting the growth, which isn’t quite the same thing.
• Secure Payments Day – There’s a number of interesting speakers lining up for this event this June in San Francisco.  I’m hoping that I’ll be able to make it.
• The NetSecPodcast‘s new logo can now be seen on the FIRST sponsor page.  I’ll be recording a series of interviews with the FIRST steering committee, keynote speakers and members of the FIRST committee over the next couple of months and attending the event at the end of June.  Here’s to having my birthday in Kyoto this year!

I think that’s enough reading for one weekend.

Mar 06 2009

Two QSA companies penalized

Published by under PCI

The PCI Security Standards Council has placed two companies in remediation status for issues surrounding reports that have been turned in.  Both companies, Payment Software Company and Fortrex Technologies Inc., are going to have to undergo some serious probing of their assessment process in the next few months to reassure the PCI Council.  This isn’t a position any Qualified Security Assessor (QSA) company wants to be in.

There’s no word of exactly why either of the companies was placed in remediation status, but two possibilities come to mind.  First, as Rob Westervelt’s article hints at, it could have been due to complaints by merchants the companies had done business with.  The PCI Council is surveying merchants to make sure that the merchants are being properly and fairly evaluated.  Too much negative feedback isn’t a good thing, and results in further scrutiny by the PCI Council.

The second reason the companies might be on warning is due to review of the Reports on Compliance that have been turned in.  If there was something clearly erroneous in reports or the companies couldn’t produce evidence of the assessment under the review process, the PCI Council would want to review additional reports from that company.  Too many errors places the QSA company in remediation status.  I don’t know yet what it takes for a company to pull themselves out of remediation status; that might be specific to the company rather than a set time period.

Does two companies being put on probation (if that’s what ‘remediation status’ really is) mean that the PCI-DSS and the PCI Security Standards Council are working or does it mean that the process is flawed?  I’d say it probably means both; there are a lot of issues that need to be addressed by PCI and there’s a lot of variation in how it’s being evaluated in the field.  As with any industry, there are companies working in the PCI field who probably shouldn’t.  It’s definitely an imperfect system.  But I’d say this is proof that the PCI Standards can improve.  By placing two QSA companies in remediation status, the PCI Council is showing all QSA companies that they’re serious about the quality of the reports they receive and the service merchants receive.

Slowly but surely, the PCI Council is raising the bar on what it means to be a QSA company.  This move shows both the critics of PCI and the people working in the PCI field that they’re serious about improving.  This will hopefully translate into raising the bar on security for the merchants.

Mar 03 2009

Network Security Podcast, Episode 140

Published by under Podcast

Rich luckily couldn’t make the show tonight.  I say luckily because that means he has a brand new baby girl to bring home and he’d rather spend time with his wife and new daughter than us.  Go figure.  I found someone to fill in for Rich this week however, Joel Esler, Sourcefire security consultant, fellow blogger and handler at the SANS Internet Storm Center.  Joel is the guy you want to talk to if you have any questions about Snort and Sourcefire.  He is also someone who’s on the front lines of dealing with malware, something that’s highlighted by our conversation about the recent Acrobat 0-day.

I’m glad Joel was able to come on tonight with relatively short notice and maybe I’ll return the favor some day and be on the Internet Storm Center podcast.  I only hope I’ll be able to contribute something intelligent when the time comes.

Network Security Podcast, Episode 140, March 3, 2009
Time:  37:58

Show Notes:

Mar 03 2009

Congratulations to the Mogulls

Published by under Family

Friend and co-host Rich Mogull is the proud father of a beautiful baby girl, Riley Marie Mogull.  The baby is doing well, the mother is doing well, and Rich is doing well.  I’m sure you’ll be hearing more from the proud father soon, but he’s going to take a couple of weeks off to take care of Mom and the new baby.  Smart man.

Mar 02 2009

Late to the AV discussion

Published by under Malware,Video

Anti-virus discussions are always fun.  AV is one of the baseline tools almost everyone in the industry agrees you need to have, but is it an effective tool?  And if it’s not effective why are we still using it?  This is another in the series of discussions with Amrit Williams, Mike Murray and Richard Stiennon.

I am a little late to post this video, since it was available last week.  We’ve already received a couple of comments from Finjan and ESET.  We’ll see if either of these companies is willing to respond on video.

Demos on Demand video:  Anti-Virus
