Despite a short discussion of Rich’s paranoia in the opening of the show, we mostly play it straight and stick to the security news. We found a few interesting stories this week, and the major theme seems to be “stupidity”. On one side is a prison that let an inmate reprogram its computer system; on the other, a money mule for scams who thought sending money-grams to foreign countries was a legitimate “work at home” job.
Network Security Podcast, Episode 168
It’s Monday morning, time to write up a quick cluster of notes from some of the reading I’ve accumulated over the last week or so. My reading continues in its normal PCI-related theme, though there are a couple additional articles to review. Pay special attention to Catching the Unicorn by Jennifer Jabbusch!
- Prepare Ye List of PCI Grievances – I don’t agree with many of David Taylor’s criticisms. His first request, asking for more guidance from the PCI Council, is a double-edged sword; merchants are going to complain if the guidance is too prescriptive as well. In fact, many already are. One thing I agree with David on, I’d like to see the whole PCI chain of information under the same or very similar rules.
- Infotec 2010 – April 13-14, 2010, Omaha’s annual security convention
- Catching the Unicorn: A technical exploration of why NAC is failing – I’m still working my way through this paper. It’s technical enough to be challenging for me, but not so dry as to put me to sleep.
- Rescue CD 3.11 – F-Secure’s latest bootable recovery CD (or USB key)
- Free backup and recovery for Windows – I’m testing this out but haven’t been terribly impressed so far; its backup is not quite as automatic or as easy as I’d like and the synchronization options are minimal.
- First Data, RSA push tokenization for payment processing – I’m glad to see more players are getting into this space, I’d like to see a few good products come to market.
- 5 tips to protect your business from online banking fraud – These are all good ideas, whether you’re talking about your company’s banking or your own.
- PCI Virtualization SIG closer to proposing changes to standard – If these can get put in the proposed changes for PCI 1.3/2.0 early next year, we could see them incorporated next August or so when we’re due for a new revision of the PCI standards.
- Drudge, other sites flooded with malicious ads – Why go after the big companies that have some experience at protecting their networks when you can go after a secondary provider and have even better reach?
- Microsoft: Google Chrome Frame makes IE less secure – In the grand scheme of things, the Chrome Frame probably does introduce additional attack vectors, but not enough to draw the picture Microsoft is trying to make.
A new survey has been released by Imperva and the Ponemon Institute concerning the effectiveness of PCI; despite the best intent and efforts of many security professionals, this survey points out that PCI is only having a limited effect in stopping digital thieves from stealing credit card information. One of the most telling statistics from the survey is that the majority of companies, 71%, treat PCI as a tactical maneuver rather than a strategic initiative. In other words, too many companies treat PCI as a checklist of requirements rather than using it as an overarching plan. And in the end, the checklist approach is always going to be less secure and leave more vulnerabilities than viewing PCI as something to be incorporated into long-term thinking on security.
It’s not that PCI is ineffective in and of itself; there are few who can still argue that the PCI requirements aren’t basic security measures that should be implemented by almost every business. You can argue that PCI doesn’t go far enough or that there’s too much left open to interpretation, but the majority of the PCI requirements are logical and make sense to implement. The Ponemon survey does point out one of the major flaws of the system: merchants are only looking at credit card numbers, leaving large amounts of other information, such as Social Security numbers and bank account details, unaddressed. And as much as I wish PCI could address this data as well, it’s going to remain outside of the purview of the credit card industry for the foreseeable future.
What’s ineffective is how we use PCI to secure our enterprises. Only 27% of all companies are using PCI as a lever to raise awareness of security in their enterprises. And by ‘raise awareness’ I mean ‘get the money to implement needed security measures’. Security is always a fight for the budget needed to implement, in large part because preventative measures are a hard sell when you can’t point to direct consequences or benefits. I’ve always argued that the greatest benefit of PCI is to be had by using it to garner support for security initiatives and gain the resources needed to implement security measures. However, it requires thinking about security strategically, which can be very hard if you view PCI as just another set of requirements that are getting in the way of doing your job.
And that is the crux of an effective implementation of PCI versus an ineffective one; if you view PCI as a part of your security program and something that can be used to implement security, then the chances of it positively impacting your enterprise are pretty good. But if you view PCI as just another annoyance that’s distracting you from your real security job, the chances are it will have little or no positive influence on your security posture. Like so many things in life, the effectiveness of PCI is going to be based on how you look at it and how you choose to incorporate it into your strategies. Funny how that works, isn’t it?
If you haven’t read it yet, you owe it to yourself to download and read the 2009 Data Breach Investigation Report from Verizon Business. It backs up much of what the Ponemon Institute has discovered and should be required reading for every serious security professional. You can also listen to my interview with one of the authors, Wade Baker, from this year’s RSA Conference.
Before we dig into this week’s security news, we diverge (slightly) to talk about Emergency: This Book Will Save Your Life and disaster planning. I (Rich) read the book last week and found it to be a ton of fun; it’s the story of a journalist who slowly descends into the rabbit hole of the survivalist community. Well written, with plenty of good advice and stories. It’s not really a survival guide, more of a personal story and lessons learned.
I had a bit of a shock as I realized that most of my disaster plans aren’t relevant anymore as my life status has changed. I used to be single, in Colorado, and part of the response infrastructure (which means access to a ton of resources). Now I’m married, with a child and pets. I can’t really run off with a backpack and play hero if something bad hits.
We also delve into some IT-related disaster planning, so this isn’t a complete non sequitur.
Network Security Podcast, Episode 167
To get $300 off Hacker Halted 2009 in Miami, Florida from September 23-25, click on the banner below, select VIP Pass under Conference Pass and enter code “HHUSA-MM-AP999”
Branden Williams wrote a post last week, “Why you should love the PCI hater!” It contains some very good advice about why you should talk to the people who dismiss PCI, the people who actively attack PCI and the people who think PCI is a waste of time and resources. Whether you’re talking about PCI, some other security framework or security in general, engaging in conversation is almost always a good thing and something you will learn from.
If you follow me on Twitter, you know I love to engage in PCI conversations with the haters from time to time. The same goes with talking about it on the Network Security podcast, trying to convince Rich that PCI has its uses and is not the useless pain in the … backside he originally thought it was. I enjoy helping clear up some of the misconceptions that people often have around PCI and showing them that PCI can be a benefit to almost any security program if it’s leveraged in the right way. And I hope that sharing these conversations in public forums helps more than just the people I’m talking to, that it brings up many of the same questions and concerns that other people have about PCI.
But the most important part of these conversations is what I learn from them. I’ve never claimed that PCI is perfect or that it covers every contingency or weakness in an enterprise’s networks, and I know very few professionals who’d say that it does. Engaging in conversations with ‘PCI Haters’ has helped me understand how to talk to not only other security professionals but also the clients I deal with on a regular basis. It’s helped me to understand that I need to make it clear to everyone from the system administrator to the senior VP that PCI is only a starting point for securing the enterprise, not the be-all and end-all of security. There’s nothing like getting in a public argument to teach you how to conduct the same conversation in private.
I’ll never convince the true zealot that PCI is a good thing, and that’s perfectly okay with me. But I can understand why someone hates PCI and use that to understand and overcome its weaknesses myself. Understanding the zealot will help me talk to the person who’s unsure or has misconceptions and maybe help turn the next PCI Hater from a zealot into someone who’s looking at it with a critical eye instead.
I’ve had a few opportunities to install Firefox lately, first on a new netbook, then again on the netbook when I installed Windows 7, and a third time while setting up a new work laptop. It’s given me a good chance to figure out what’s really important to me in Firefox and how to get the most real estate on my desktop in the Firefox window. The first thing I always install in Firefox is the NoScript plugin, which is probably the same first step most security professionals take. I follow that up with AdBlock Plus, Tab Mix Plus and finally Scribefire. But the real gain in screen space came yesterday when I discovered a Lifehacker article, Maximize Firefox 3.5’s viewing area for your netbook. I strongly suggest you think about trying some of these modifications to your Firefox configuration even if you’re on a desktop; the additional space is definitely worth it.
One caveat to the Lifehacker article is that I couldn’t find the userChrome.css file in Windows 7. Thanks to Twitter I found out later in the day that the file doesn’t necessarily exist by default; it’s something you may have to create by copying an example file. Of course, by the time I found this out, I’d already figured out ways to perform several of the same tricks in the Lifehacker post using Tab Mix Plus and tweaking the about:config settings in Firefox. You can remove the new tab button in Tab Mix Plus by unselecting “New tab button” in the Tab Bar tab of the Display options. If you type ‘about:config’ in an empty tab, you can control a number of Firefox configuration elements you wouldn’t have access to otherwise. My favorites are disabling the delay in installing new plugins and making search bar results open in a new tab. I now return you to your regular security conversations.
You’d think that after taking off last week Rich and I would be back and better than ever this week. But Mr. Mogull had a speaking engagement elsewhere this week, so I was joined once again by Zach Lanier of N0where.org. In fact, Zach has agreed to join us on a regular basis and will be contributing a weekly segment where he’ll be doing a deeper dive on a news story each week. At least that’s the plan at this time, but those are always subject to change. I also had a chance to interview Tim Mather about his (along with Subra Kumaraswamy and Shahed Latif) upcoming book, Cloud Security and Privacy. I find it interesting to hear about how much the idea of the Cloud has changed since Tim started work on the book.
Network Security Podcast, Episode 166
Bill Brenner’s recent article, 4 ways to get the most from your PCI QSAs, hits the nail on the head. His very first point is especially germane in my experience; merchants and service providers need to be sure they’re picking a QSA company that can successfully evaluate their particular environment and is not just the lowest bidder. Too many companies treat PCI and their QSA as a nuisance that they have to put up with for several weeks a year and can ignore the rest of the time.
My best assessment experiences have been with companies that treat PCI and their QSA as a way to effect change in their environment and are honest with themselves and the QSA. I’ve often asked the security manager of a company what they need to do to secure their corporation and what I can do as their consultant to help effect those changes. It’s often surprising how many security measures have been resisted by management when the request is coming from internal security but will be okayed the moment an external consultant or assessor mentions how the measure will help make compliance easier. I’m sure I’m not the only one who’s ever used an external authority figure, like a QSA, to push for a new tool or policy I needed to secure my enterprise.
Another point in Bill’s article to be especially aware of is that your QSA is going to find weaknesses in your enterprise if they dig. It’s a fact of life that mistakes happen, configurations get changed, policies aren’t written as tightly as they could be and that we’re all human. I have yet to discover an enterprise in which I couldn’t find some system misconfigured or a minor point of the PCI requirements misinterpreted. The secret is to build a relationship with your assessor before that point so that you feel comfortable with this discovery, that it is taken as a positive event that allows you to learn, and that the assessor isn’t a bad guy trying to tear down your hard work. Every QSA I’ve ever talked to about it is trying their hardest to help you secure your enterprise and leave you in a better security stance than when they arrived.
The worst experiences I’ve had as a QSA are with companies that thought I was their enemy or that the best way to get through their assessment was to try to distract me from what’s really happening in their enterprise. The best you can hope for under those circumstances is that you’ll pass your assessment, but you won’t actually gain anything from the experience the QSA brings to the table and your enterprise. You may have gotten certified for another year, but it undermines your own security and the effectiveness of the PCI process. In a worst case scenario, you won’t pass your assessment because of what the QSA ends up finding despite your best efforts or you’ll pass your assessment by covering up insecurities and end up being compromised through one of the systems you hid during the assessment.
I imagine there are a fair number of people out there who are like me and, instead of a cup of coffee and the morning paper, take the same cup of coffee and open up their favorite news sites online to get the morning’s news. So I imagine there were more than a few people who were surprised yesterday morning to get a little something extra when they opened the New York Times site and got a pop-up ad telling them that their computer was infected with several hundred viruses and that they needed to buy some wonderful new anti-virus product to secure themselves.
We don’t know exactly how the NYT site was compromised and this code implemented, but there is a good analysis of the malware at Inputs & Outputs. The ad used a scare tactic but by itself it didn’t do much. But this phishing scheme did point users to a small program that probably did some very interesting things to the end user’s computer if you believed you actually were infected. If you’re a Firefox user with NoScript installed, you probably didn’t even notice that this fun piece of code had been added to the NYT site. Score one more for blocking scripts by default.
Looking at the analysis of this compromise, it appears that the code wasn’t directly on a NYT server; rather, it was served up by one of the third-party services that provide ads for the NYT. Once again, it shows that even if you trust a particular site you’re visiting, the interaction between that site and the secondary systems supporting it offers a great attack vector for the bad guys to gain access through. The New York Times probably has a great security team who’s up on the latest vulnerabilities and does an excellent job protecting their site, but if the other companies they rely on for additional code can’t protect their systems, even the best team at the NYT won’t be able to do a thing. It’s something for anyone who relies on third-party code on their site to think about.
I’ve taken the SonicWall phishing quiz, or at least one very like it, at least once a year for the last few years. It’s a fun test of your ability to recognize a phish at a glance, but the reality is that it’s more depressing than fun. After a few examples you start to realize exactly how hard it really is to recognize a well done phishing attempt. And that if security professionals have a hard time recognizing phishing attempts, what’s it like for our parents and non-geek friends?
This is the really scary thing about phishing to me: If I can’t easily recognize a phish and all the filters I use are having a harder and harder time sifting the good email from the bad, how long is it before we have to throw up our hands and declare the bad guys the winners? I’ve read reports that state anywhere between 75% and 95% of all email on the Internet is actually spam these days, even though the numbers are apparently a bit down the last month or two. How long can we sustain a minimum level of usability under those conditions? I know that some non-geek members of my family are already stepping back from email simply because of the spam, so I’m sure there are others out there.
By the way, I scored 10/10. How’d you do?