Archive for June, 2009

Jun 15 2009

Green Dam stops a lot more than just Pr0n

Published by under Government,Privacy

Let’s put filtering on every computer in the country because we want to protect our 14 year old boys from seeing any inappropriate images, because that’s always worked so well in the past!  Or at least that’s what the Chinese government is saying about their new piece of ‘security software’, Green Dam.  Like something as simple as filtering software is going to stop a semi-intelligent teenager from finding pictures of women on the Internet?  And if it is somehow fairly effective, what’s to stop them from going out and finding a magazine or three?  Of course, all the talk about ‘protecting our youth’ is just a smoke screen for having an excuse to put a program on the computer that stops any sort of activity that might possibly be considered subversive by the Chinese government.

I find Green Dam interesting for two reasons.  The first is that this isn’t just a web traffic monitoring program; it monitors all behavior on the computer and will terminate any program that has ‘inappropriate information’ entered into it.  The example given by Telecom Asia states that simply typing ‘falundafa.org’ into Notepad is enough to get the program terminated.  Even if you’re not trying to get to the actual site, Green Dam is set up to stop you from having any sort of information including the URL in use on your computer.  I guess if you stretch your imagination a little bit, this might be something that’s needed to protect the youth of China from the corrupting influence of Falun Dafa.  Or if you’re cynical, it’s just another way the Chinese government is trying to make sure that anything even vaguely subversive never sees the light of day.

The other part I find interesting (and funny) is that it appears at least part of the code for Green Dam is completely stolen code.  Not that the company responsible for ‘creating’ Green Dam admits this as fact or is even willing to admit it as a possibility, but finding code and update instructions for Solid Oak’s product in Green Dam is pretty conclusive evidence.  Given that much of Asia has long held copyright issues to be someone else’s problem, as long as it’s Asia that’s doing the stealing, this doesn’t really surprise me.  Unfortunately, it doesn’t appear that any bugs in the original code have been fixed.

The especially disturbing part of Green Dam is that, given the base of its code, it could easily be updated to monitor all traffic and activity on one computer or on all of the computers that have it installed.  I have to assume that the Chinese government will already have a mechanism in place to update particular computers and begin monitoring and tracking everything that’s happening on those systems.  As if what they’re doing already wasn’t enough.


Jun 09 2009

Network Security Podcast, Episode 153

Published by under Podcast

Rich was somewhere in the air over the Midwest today, which would have made recording a podcast questionable at best.  So rather than take any chances with technology, we got a stand-in for him in the form of our very own Security Curmudgeon, Jack Daniel.  I met Jack face to face for the first time at one of the first big ‘security’ conferences I’d ever been to on the East Coast, Shmoocon 2007.  I haven’t made it back for another conference there recently, but when I do, I’m sure that there will be people like Jack who will give me a warm welcome.

Jack and I spend a little time bashing the CISSP yet again, talk about some very interesting news stories and wrap up by discussing getting involved in the security community.  All in all, another good show.

Network Security Podcast, Episode 153
Time:  41:41

Show Notes:


Jun 05 2009

FIRST Podcasts 5 & 6

Published by under Podcast

I’ve been so busy lately that I only realized when I edited episode six of the Forum for Incident Response and Security Teams (FIRST) podcast that I hadn’t posted that the fifth episode was available, which it has been for a week.  In episode five, I interviewed Jeff Crume, the Executive IT Security Architect for IBM Compliance Solutions.  Jeff will be giving a presentation at the conference, “What the Hackers Still Don’t Want You to Know”, a follow-up to his book “What Hackers Don’t Want You to Know”.  In episode six, I had a conversation with Slawek Legier from VeriSign about his talk “On-line Fraud Prevention and Detection – Multiple Layers of Security”.  We also discuss what value he sees in being a member of FIRST.

FIRST Podcast, Episode Five:  Jeff Crume
FIRST Podcast, Episode Six:  Slawek Legier


Jun 04 2009

Merrick Bank vs. Savvis: What can I say?

Published by under PCI

If you haven’t heard already, Merrick Bank is suing Savvis for negligence regarding the CardSystems compromise back in 2005.  Merrick contends that Savvis was grossly negligent when they certified CardSystems to Visa and that they hadn’t done a proper assessment, essentially rubber-stamping CardSystems as compliant.  It is known for certain that a number of CardSystems databases were not encrypted and had never been encrypted; now it’s going to be up to the lawyers to prove that Savvis didn’t dig deep enough in their assessment to the level of negligence.  How this gets resolved in court is going to have a definite effect on everyone in the PCI industry.

I think this incident will be a wake-up call for the industry as a whole.  Whether or not it ever goes to trial or Merrick wins the case, it’s going to shake the tree and there will be some people who fall out.  The fact that Merrick thinks they have a case and can prove it in court is enough to scare a lot of assessors who don’t have the resources Savvis does to defend themselves, and make them rethink how they do assessments.  It’s also going to make a lot of them rethink whether they should be in this space in the first place; some companies definitely shouldn’t.  No one wants to be the next company that’s sued.

One point that’s being overlooked in some of the commentary I’m reading is that the CISP program is NOT the PCI DSS.  CISP was an immature standard; it didn’t have all the requirements that PCI does and in general it wasn’t being enforced with the same rigor that PCI is.  Not that PCI is perfect either, but it’s a far cry better than CISP.  How this trial goes forward will definitely impact the next iteration of PCI, but the two standards are not identical, and what is discovered during this court case won’t be a validation or condemnation of the PCI DSS.  Sorry guys, but even if Merrick wins, you won’t be able to use it as proof that PCI is broken.  Of course, that’s not even taking into account that we haven’t even determined what the definition of ‘broken’ is when we’re applying it to an industry standard.  But that’s a rant for some other day.

For some background information on this lawsuit, start by reading Kim Zetter’s Wired article “In Legal First, Data-breach Suit Targets Auditor”.  Once you’ve digested that article, take a break and sit down to read David Navetta’s post “Merrick Bank vs Savvis: Analysis of the Merrick Bank Complaint”.  David’s a lawyer who explains what’s at stake, what’s going to be required to win the case and what the legal definition of ‘negligence’ is.  He’s probably looking forward to this trial in the same way many people would look forward to a playoff series.  Another pair of articles is Rafal Los’ “Dangerous Times for PCI Regulations, Auditors” and a reply to it over at Blackfistsecurity, “Is suing a QSA the right thing to do?”  Finally, wrap it all up with an article from my podcast cohost, Rich Mogull, “How Market Forces Can Fix PCI”.  I know it’s a lot of reading, but there’s a lot to think about concerning what’s working in the PCI arena and what’s not.

In closing, remember two things: PCI is not perfect, but it is raising the security bar for many of the companies affected by it, and PCI is only a baseline you need to hit to satisfy the assessor and Visa/MC/AX.  Making your company secure is up to you, and no standard is going to be effective if merchants are actively trying to do the bare minimum.  As an assessor, I can do my best (or my least) to make sure you’ve lived up to the letter of the law, but it’s up to you to make sure you’ve lived up to the spirit.

Update:  A couple of additional articles of note on this issue:


Jun 02 2009

The Network Security Podcast, Episode 152

Published by under General

We hope no one begrudges us for taking last week off due to the holiday, and we’re back this week with all your juicy security goodness.  After a short discussion of our mutual weekends spent recovering old hard drives and systems, we talk about the upcoming Black Hat and DefCon conferences before digging into the news.  We discuss stories ranging from the return of L0pht Heavy Industries, to White House speeches, to Mac security.

Network Security Podcast, Episode 152, June 2, 2009
Time:  35:36

Show Notes:


Jun 02 2009

SilliSec tomorrow night

Published by under Social Networking

Oops, misspelled the title; it should really be SiliSec, as in the Silicon Valley Security Meetup.  Of course, after a few beers it might end up being Silly Sec after all.  In either case, there’s a meeting of the security professionals in the Silicon Valley and southern Bay Area tomorrow night at St. John’s Bar and Grill.  I can’t make it myself because a two hour drive each way just isn’t in my time budget right now, but there are certain to be some interesting characters in attendance.  If you’re in the area, stop by St. John’s and look around; if the SiliSec group is anything at all like the BaySec group, you’ll know within a few minutes exactly which group is the one you’re looking for.

Maybe I’ll see you later this month at BaySec instead.  Once this month’s date has been set, that is.
