Archive for February, 2010

Feb 28 2010

Comparing compromises (VerIS Metric Framework)*

Published by under PCI,Risk,Security Advisories

My friend Alex Hutton and the rest of the RISK Team at Verizon Business have done it again! This time, rather than release a report about breaches, they’ve released the Verizon Incident Sharing Metrics Framework (VerIS for short). All the awesomeness that went into creating the 2009 Verizon Breach Report is being shared with the incident response community so that we can compare apples to apples when it comes to compromises. Rather than each company capturing its own unique dataset and creating statistics in its own particular way, VerIS is a framework that allows companies to capture the same sorts of data about a compromise and compare it directly to the compromises other companies are seeing. This is exactly what we’ve been asking for since the first Verizon Breach Report.

One of the highlights of the year for me is when the Verizon Breach Report comes out.  Many of us have anecdotal evidence of breaches and know on a visceral level that if we don’t secure our networks and enforce policies that bad things are going to happen.  But the Breach Report is what allows us to take it from feelings and anecdotes to being able to show our company’s leadership exactly what lapses in security have led to many of the breaches in the last year.  If you haven’t read the 2009 Verizon Breach Report, stop reading this and go review it now.  After you’ve read that, you may also want to fill out some marketing surveys and read the Trustwave Global Security Report of 2010. Or at least read Rich’s short review of the report.  Including the part where he asks the folks at SpiderLabs to use a standard base of metrics.

The Verizon Incident Sharing Metrics Framework gives us the ability to start collecting one of the things security is sorely missing: common collection and comparison methods for breaches. Long ago and far, far away I used to be in the life insurance biz, and one of the cornerstones of insurance is actuarial tables. An insurance company can look at your height, weight, sex, and several dozen other statistics and tell you very easily if you’re likely to die from some factor within the span of their insurance policy. It’s no accident that as you become older insurance becomes more expensive. They know exactly what your chances are compared to those like you, in large part because they’ve had centuries of common data to draw from and create tables of how those factors affect your long term survival. And as much as we talk about statistics in security, we’re a fledgling science and have a relatively small, confused dataset to draw from when creating our own actuarial tables. We literally don’t even have enough information to know what we don’t know yet, let alone create any sort of meaningful security-measure-to-breach relationships. VerIS gives us a chance to start changing this.

Read the slick on what data VerIS is aimed at collecting and how it can be sliced and diced; I make no secret of the fact that I’m more of a consumer of the final information than I am interested in how it was collected.  But what I find fascinating and important is the goals Verizon Business is setting with this framework.  It’s not meant to be the last word in incident metrics; it’s only a starting point that other companies can extend.  VzB is actually looking for help extending the framework and making it as powerful as they can.  The VerIS Framework is meant to promote information sharing and if enough people contribute to the underlying datasets, we can get something important out of this as a community.  It’s not hard to add your own unique twist to how you slice and dice the information, but what’s important is that we have a common set of statistics to start from so we can know we’re comparing the same factors when looking at breaches.

It’s going to be a while before we have anything as deep and rich (and boring) as an insurance company’s actuarial tables.  But if a common framework gives us the possibility of being able to scientifically state what security measures are effective and which are only skin deep, VerIS is a winner.  One of the complaints about a compliance framework like PCI is that it doesn’t respond well to changes in the real world.  But what if the PCI Council mandated the use of something like the Verizon Incident Sharing Framework and made changes to the next version of PCI based on that instead of vendor and merchant wants and desires?  Now that would make PCI something truly effective.

*Full disclosure:  I work as a QSA at Verizon Business for my day job.  However everything about this blog is strictly my opinion and no one but my wife has more than a cursory influence on what I write here.

3 responses so far

Feb 26 2010

Hitler learns about Cloud Computing

Published by under PCI

This video showing how Hitler would have responded to a breach of his Cloud Computing infrastructure was especially funny to me coming on the tail of sitting in on this week’s Cloud Audit conversation.  This is also a good example of why we’re not quite ready for ‘PCI compliance in the Cloud’.

No responses yet

Feb 24 2010

Securosis Guide to the RSA Conference 2010

Published by under General

If you want to do some research on specific technologies at the RSA Conference 2010, you won’t be led too far astray reading the guide Rich and the Securosis crew put together. I almost wish they’d shared it a little earlier; it might have made some of the decisions about who to interview and who to get back to later a little easier.

One response so far

Feb 24 2010

LMSD should have used due process

I make no secret about being a privacy advocate; however, many people misunderstand what I’m against when I talk about our government spying on us. I firmly believe that having the ability to monitor communications, search people’s houses and generally stick their noses in anywhere are all abilities that local and federal law enforcement agencies need to have. But there’s one caveat I believe must be in place: for any sort of monitoring and spying there has to be oversight by a third party and a way to redress problems when someone abuses this power. This oversight is one of the primary reasons cops have to go to judges to get a search warrant and we have many of the freedoms we do in the US. Without oversight, we’d descend into a police state that matches the worst of our criticisms against countries such as China and Iran. This is a lesson the administrators at the Lower Merion School District forgot in their rush to use cameras on student laptops to spy on the kids and prove wrong-doing that may or may not have been there.

Unless you’ve been hiding under a rock for the last week, you know about this case; quick recap is that a Vice Principal used a picture captured using LANRev on school provided laptops to accuse a student of taking drugs.  This prompted a class action suit and a potential criminal investigation into the district’s use of LANRev to illegally spy on students.  There’s a lot of damning evidence available on the Internet and it’s looking likely that a number of people will be facing criminal charges.  And it’s all because these people believed they were doing the right thing in tracking their laptops and their students without some form of oversight to tell them they were being complete and utter idiots.

Absolute Software, the makers of LANRev, understand that giving customers unrestricted access to spy using their computers is a major problem; they require that a police report be filed before the spying capabilities of their other, similar products such as LoJack are activated. First of all, this creates the oversight advocates such as me crave. Not too many people are going to report a laptop stolen so they can spy on their significant other. Secondly, it creates a paper trail that lays out when and why the spying capabilities were activated. Even after these capabilities are up and running, it’s under the control of Absolute, not the end user. In their own words this prevents “potential vigilantism” and other abuses of power.

If what the families in the Lower Merion School District are claiming is true, and it appears more and more likely it is, then folks like the Vice Principal at Harrington High are definitely vigilantes, someone who illegally tries to mete out punishment to a criminal. There’s a reason we have due process, and the administrators of LMSD forgot all of them in their fervor to catch students doing things they shouldn’t at home. They also forgot that the responsibility of schools and teachers is to teach, not law enforcement. If they truly believed there was wrongdoing going on, the police should have been called in and proper procedures should have been followed. There’s still a good probability that using LANRev without a search warrant would have been considered an invasion of privacy, but if it was done with police involvement, there’s a lot lower chance they’d be in the hot water they’re in now. And maybe someone with a little knowledge of the law would have said, “Hey, that’s one monumentally stupid idea you’ve got there.”

3 responses so far

Feb 23 2010

Network Security Podcast, Episode 186

Published by under Podcast,Privacy

It was one of those nights where just about everything that could go wrong did.  The firewire module in Martin’s mixer died just before recording.  Rich got a call about halfway through the recording.  Zach was suspiciously lacking in rage.  Like I said, just about everything was wrong tonight.  But we pulled it off despite ourselves.  In fact, Zach managed to score an interview with a pair of his co-workers who have some insight into what’s happening at Lower Merion School District.  If you’re at all involved with the LMSD case, please, please do what you can to preserve the evidence, even if that means you just let the laptop sit in a closet somewhere.

I just realized I don’t think we stayed on topic for more than 2 minutes at a time tonight.  Not that anyone finds that unusual. 

Network Security Podcast, Episode 186, February 23, 2010
Time:  38:45

Show Notes:

No responses yet

Feb 23 2010

Hole in the system

Published by under Family,PCI,Simple Security

This one hits close to home quite literally; Andrew Storms had some major issues this weekend with how a pizza place close to his house handled his credit card information. Andrew only lives a city or so away from me and the pizzeria is one that I might visit for lunch or dinner given the chance. Or rather, I might have before I read his story. Now I’ll probably avoid it, going some place where I have a little more hope they’ll treat my credit card and other personal information with a little more caution.

The short version of Andrew’s story is that he ordered a pizza online and when the owner/delivery guy showed up, he told Andrew he’d received the credit card number in an email from the central corporate website. There are so many forms of wrong here that it’s hard to know where to start. This is a violation of PCI, there’s a chance it’s a violation of several state and federal laws (depending on how card data is handled from this point on) and it is simply bad practice in general. But the real problem came when Andrew tried to figure out how to report this and get the merchant to change how he’s doing business. As best as we can figure out, there is no way for a consumer to report a merchant to the credit card companies or his acquiring bank.

It’s a huge hole in the system.  The pizzeria is a very small chain, there’s a corporate web site that’s probably run by a third party and it’s mailing credit card numbers, along with other important PII like name and address.  Unless the owner is using a shredder, which I doubt, all it would take is one episode of dumpster diving for a local data breach to happen.  While the pizzeria probably doesn’t get more than a couple dozen online orders a week, even one breach is too many if it’s your credit card.

Consumers don’t have much power in the credit card system, but this is an egregious issue that should have some sort of reporting mechanism.  Andrew canceled his card and tried to report the merchant, but there’s literally no way I or anyone I know can think of to report the merchant and force some sort of change to their system.  Quite frankly they’re a Level 4 merchant who might have heard of PCI but has no idea it actually applies to them.  It’s not a problem of the merchant being malicious, it’s a problem of the merchant simply being ignorant of the problem and having bigger issues to worry about, such as trying to get a new business off the ground.  I don’t blame him, but I do want some form of reporting for situations like this so that consumers can be protected and merchants can be warned to stop practices that are dangerous to their customers.

2 responses so far

Feb 22 2010

RSA Interview Schedule

Published by under General

I need some help.  I haven’t had nearly as much time to prepare this year for RSA as I have in the past.  More accurately, I’ve had about the same amount of time as I’ve had in the past, but I’ve had several more projects to work on, including the Security Bloggers Meetup, the Security Groundhog Day panel and the Responsible Disclosure:  It’s Their Fault panel.  I’m doing my research on the companies I’ll be talking to at the convention, but I need more questions and would like to know more about what you want to know about the companies I’ll be meeting with.

My goal is simple: I have 30-60 minutes with each of the companies in my list. From that time with the CEOs and security engineers, I want to ask the questions you have about them, their products and how they think they can solve the problems your enterprise is dealing with. If you have some experience with a company and want me to cut through some of the hype they’re trying to sell at RSA, let me know. When the conversation is over, I hope to have a 10-15 minute interview that I post within an hour or two and make available while RSA is still going on. And if you still have questions, I can circle back around to their booth and ask for more details.

Monday’s meetings: 

  • An as yet to be named person from Voltage Security to talk about the end-to-end encryption they’re working on with Heartland.
  • ICSA Lab‘s Andy Hayter, Anti-malware program manager.  As in testing AV products, not creating.  Disclaimer: Andy and I work for the same parent company, Verizon.
  • Pedro Bustamante, Senior Research Advisor of Panda Security. I’ve been using Panda’s Cloud AV on several computers since last RSA and it’s worked well for me; does anyone have different experiences? It will be interesting to talk to Pedro after talking to Andy. (Edit: I originally called Pedro the CEO of Panda; Juan Santana is actually the CEO of Panda.)

Tuesday’s meetings:

  • Xceedium Interim CEO Dave Olander.  Xceedium specializes in access control and helps meet with a number of PCI requirements.
  • Jan Heichart, CEO of Astaro Internet Security. Astaro has long been a friend of the podcast, and they’ve recently made a good decision in putting Jack Daniel in charge of Community Development.
  • Agiliance‘s Ed King about GRC (Governance, Risk and Compliance). I’ve only seen a couple of companies use a GRC solution for PCI, so I’m interested in Mr. King’s take on it.
  • Kaspersky Lab‘s Roel Schouwenberg, who I missed in the list first time through.
  • Lunch with F-Secure, then off to the Security Groundhog day panel and the only block of time I have to walk the floor this year.  Anyone I should have a 5 minute talk with while I’m there?

Wednesday’s Meetings:

  • EMC Breakfast, an overview of some of the more public projects EMC is working on.
  • Hord Tipton, Executive Director of the ISC2.  As a CISSP, I’m curious how Mr. Tipton feels they’re helping me, other than adding more letters behind my name.  
  • The Responsible Disclosure:  It’s Their Fault panel.  I’m really looking forward to this panel.  
  • Jim Ivers at Triumfant.  They’re conducting a Bring Your Own Malware challenge, I’ll be interested in hearing how it’s going.
  • I’m going to run from the Triumfant meeting over to Security BSides San Francisco to see my friend Josh Corman’s panel on compliance.  I say friend, but he may rip into me in general and PCI specifically during this panel.
  • The Security Bloggers Meetup will take the rest of my afternoon and most of my evening.

Thursday’s meetings:

  • Starting the morning with the Disaster Recovery Breakfast put on by Securosis and Threatpost. I suspect many people will need this. They might be too tired to attend, but they’ll need it.
  • Marty Roesch from Sourcefire – Snort was my entry point into the security world and I spent a fair amount of time with Sourcefire and RNA before becoming a QSA.
  • Going to the Mykonos booth to get a demonstration of a ‘live hacking & sting operation’. No, I don’t really know what that means either, but it should be interesting.
  • Meeting with Lancope CTO Adam Powers and a couple of their customer/evangelists.   They used the magic words PCI to get my attention once again.
  • Finally, I’ll be meeting with Archer Technologies to talk about their GRC solution. 

Then it’s home to collapse in a quivering heap of exhaustion.  It may not seem like a ton from the outside, but when you get to RSA and actually try making this number of meetings, you find out how tough it can be.  I learned last year to block off time to visit the show room floor or else it doesn’t happen.  I’m going to be searching for end-to-end encryption and tokenization vendors in my walk about the floor and I’ll be taking some time to record conversations with them.  If you have someone you’d really like me to check out, leave a comment and I’ll see what I can do.  If I could clone myself, I could almost get to see all the vendors and friends I’d like to see, but I somehow know there’s going to be someone I miss.  Did I already ask you to leave a comment if you have specific questions you’d like me to ask or companies you’d like me to look at?

2 responses so far

Feb 22 2010

SecurosisTV: Three faces made for podcasting

Published by under General,Humor,Social Networking

The horror! These guys should never be allowed to show their faces! Teasing aside, Rich, Adrian and Mike do a great job of laying out the three basic themes you should expect to see at RSA this year.  Cloud computing, Advanced Persistent Threat and Compliance are going to rule the floor at RSA.  Cloud computing and APT are this year’s big buzzwords that are poorly understood by the majority of the industry, therefore vendors and their marketing departments hop on the bandwagon in an attempt to define these new terms in their favor.  And compliance is going to be big because it’s what everyone has to do, whether they want to or not.

Given what I do by day, don’t be surprised that most of the podcasts coming out at RSA are going to be about compliance.  But I hope to step outside my little box at least a little and bring you some other interesting interviews.  I may even get a chance to catch up with Rich for a few moments or at least grab one of his Securosis cronies for next week’s podcast (I’ll probably hear it for calling them that).  Zach can’t make it, he muttered something about finances and his birthday. 

No responses yet

Feb 20 2010

Interview in the LMSD case

Here’s an interview with the family of the student who is at the center of the Lower Merion School District case. I’m glad I didn’t see the interview before I’d written my previous post on the situation. If what the family says is true, almost every statement that the school has made so far is false, from claiming that the spyware was only used 42 times to the statement that it was only activated when a laptop was reported stolen. The Vice Principal accused Blake Robbins of trying to sell drugs online with proof of a picture taken from the laptop. What Blake says he was really holding up weren’t drugs but candy. And the father hits the nail on the head in saying that his biggest concern is his 18 year old daughter who also has a school provided laptop with the same software installed.

I’m not exaggerating when I say I believe that the majority of the administration at the Lower Merion School District needs to be at least suspended pending investigation if not summarily fired!  The utter lack of moral and ethical compass that was required for this situation to come about is staggering.  I can understand wanting to protect an investment, but the slide from that to spying on school children should be obvious to anyone with a shred of common sense.  Lacking that much common sense tells me these people are unworthy of being in the school system and of teaching our children basic knowledge.  The LMSD is going to have to do serious damage control and their first step has to be keeping the people involved in this mess away from children.

This situation is going to have far ranging consequences and will hopefully change the way school administrators feel about monitoring students. If your school district provides computers for your children, you need to make them aware of this situation and ask them if they’re doing anything similar. If they answer yes, demand a full audit of the system and who accessed it immediately! Don’t take ‘no’ for an answer; get a lawyer involved if you have to. If you’re a teacher or an administrator who has similar software installed on laptops you’ve provided to your students, disable the program immediately and begin an audit of your systems and who accessed it. It’s better to be proactive and discover that your system was abused than find out because you’re being hit with a lawsuit.

I’m putting down the keyboard now because I can barely express the outrage I feel at this situation. 

3 responses so far

Feb 20 2010

Don’t spy on my children!

I am amazed that the administration at Lower Merion School District (LMSD) couldn’t figure out something my eight year old son realized in just a few minutes: “Spying on people in their own home is wrong. And really creepy.” But they obviously couldn’t, so when they supplied 1800 students with Apple laptops 18 months ago, they included software with the laptops that would allow them to track stolen laptops and remotely turn on the iSight cameras on the Macs and take pictures of the thief. Or pictures of a student doing something unnamed and naughty in his own home. And then use that picture as evidence to prove that a student was doing something inappropriate in his own home. After all, who’d ever think a teenager with a laptop would do something inappropriate when home, alone, with access to the Internet and all the sites that are normally forbidden to him?

When LMSD purchased 1800 Mac laptops for their student body, they made what was obviously a legitimate decision in their eyes: place software on the laptops that would allow the district to track their investment if it was lost or stolen. These are laptops we’re talking about; they’re highly mobile and cost approximately $2000 each, so it’s understandable that the district might want to protect their investment. But they never told the students or their parents that the software came as part of accepting the laptops. As far as I can tell, the software installed was most likely one of the following: LoJack, Undercover, MacTrak, BigFix or Hidden. All of these systems are meant to be used to track stolen laptops, have the ability to turn on the camera remotely and can take screen captures and pictures through the Mac’s iSight camera. There may be several other solutions, and with the exception of BigFix, these are all consumer level products that are meant for one user to track one laptop and aren’t really meant for tracking a large number of users. This is important because an enterprise version of this spyware is going to have significant logging capabilities, whereas a consumer version might be utterly lacking in logging. Allegedly, only two administrators had access to the systems for turning on the tracking and camera capabilities of the software. What we’ll have to see now is what sort of logging the use of the software generated. If it’s a consumer level product, I don’t have much hope for an accurate count, unless the tracking service itself keeps a log of how often the tracking of each laptop is turned on. LMSD maintains that they “only” used the software 42 times or less than 50; their stories are conflicting.

I’ve been working in IT for a long time and a lot of my friends and acquaintances are people who would loosely be called ‘hackers’ by the public.  I don’t mean the people who are trying to break into your computer, I mean the people who test the limits of any system they come in contact with, just to see what it can do.  Most of the people I know who are good at their IT and computer security jobs are like this; they want to push the envelope so that they know what their systems can and cannot do.  Which is why having tracking and spying software on student laptops scares the snot out of me!  I know from personal experience that one of the first things the administrators of this system probably did was test it to see what they could and could not see from using the spying software, see if they’d be detected when it was turned on and see how they’d be tracked when they did turn on the spy software.  In and of itself, this attitude isn’t a bad thing, it’s part of the nature of the business we work in and the people it attracts.  But given the sensitive nature of who and where these laptops were going to be, unless there’s a complete, unmodifiable log of everything that was done using the spyware, I’m all but certain it was abused at least once during the time it was enabled on student laptops.

Another potential for abuse is exactly what happened to crack this whole issue wide open; a well meaning, if ignorant, Vice Principal used the capability of the spyware to take a picture of a student doing something he wasn’t supposed to.  It’s not clear yet exactly what the nature of the student’s abuse was, if his laptop had been reported stolen, if the software was activated for some other reason or if this was part of a systematic spying on the students.  What is known is that the Vice Principal used pictures taken from the iSight camera with the spying software to confront a student and his family with evidence of wrongdoing in a misguided attempt by the Vice Principal to do what she considered to be the right thing.  Unluckily for her, when it comes to spying on students at home, it’s much less of a slippery slope and more of a sudden drop off into the abyss of ‘1984‘.  I guess the whole school district skipped the ethics class when they were earning their teaching credentials.

The scariest potential abuses of this system both involve people who’d purposefully and knowingly break the rules the school set around this spying system. Imagine if one of the administrators of the spyware was a closet pedophile or simply thought one of the students was much more mature than his or her years. Students probably had their laptops sitting on their desks and undressed in front of them fairly often; after all, normal people don’t think their laptop is going to spy on them, so why bother turning it off or closing it before getting ready for bed. Even worse is the thought that some student or malicious outsider (the classic media definition of ‘hacker’) found out that LMSD had this software installed and was able to break into the spyware system and use it at will. These are merely suppositions, worst-case scenarios, but they are some of the factors that LMSD should have thought of before implementing spyware on student laptops. A system that has this much potential for abuse should have a similarly appropriate level of tracking, alerting and logging to prevent the curious and malicious from doing things that are unethical, illegal and immoral. Don’t be surprised if at some point in the near future pictures of LMSD students start showing up on the Internet.

The good news is that in addition to the civil suit the Lower Merion School District has been hit with, the FBI has started an investigation into the allegations of wrongdoing. The lawsuit alone is going to cost LMSD more than losing every last laptop would have, possibly by several orders of magnitude. The business decision to track the laptops therefore turns out to be an utter failure. Hopefully the FBI will be able to poke around the LMSD systems deeply enough that they’ll find any abuse of the system or confirm the district’s assertion that the system was only used 42 times. This is where all the logging capabilities of the spyware will be tested and the software vendor should expect a subpoena and visit from the FBI soon. My suggestion to the FBI would be to pay special attention to any system administrator or school official that has had their computer recently re-imaged; while not proof of guilt, given the severity of the potential crimes that could be committed with the school’s spyware, it’d be worth sending out the hard drives for recovery of the previous file system.

I truly hope that the FBI finds that the LMSD number of 42 times the spyware was used is accurate.  That would mean that most of my worst case scenarios haven’t happened.  But I suspect that even if the system wasn’t purposefully abused, 42 only represents the number of times that the spyware was used while going through the proper processes and procedures at the school district; it might have been used or abused many more times by the people who had access to it by design or by flaw.  And even if 42 is accurate, it will be up to a jury to decide if each of those uses were justifiable and legal.  In a civil court it’s going to be much harder for the school district to defend itself than it will be when the criminal charges are brought against the people responsible for the installation of the spyware.  And I’m confident that at least one person will be brought up on charges unless the whole school district is run and managed by people who are perfect angels.  Given that the system has already been abused, I’m pretty sure that supposition has been disproven.
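The argument running through these posts is that a remote tracking and camera capability is only defensible if every activation is tied to an external case reference and recorded in a log that cannot be quietly edited or trimmed, so that a claimed count like “42” can actually be checked. As an added illustration, not part of the original post and not the code of any of the products named above, here is a small hash-chained activation log in Python: each entry commits to the hash of the one before it, so a removed or edited activation is detectable, and recording is refused without a case reference. All laptop ids, operator names, timestamps and case numbers are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64   # chain anchor for the very first entry


@dataclass
class Entry:
    seq: int          # position in the log; a gap means an entry was removed
    timestamp: str
    operator: str     # who turned the capability on
    laptop_id: str
    action: str       # "track_on", "camera_capture" or "track_off"
    reason: str
    ticket: str       # external case/report reference (the oversight hook)
    prev_hash: str    # hash of the preceding entry
    entry_hash: str = ""

    def payload(self) -> str:
        fields = ("seq", "timestamp", "operator", "laptop_id",
                  "action", "reason", "ticket", "prev_hash")
        return json.dumps({f: getattr(self, f) for f in fields},
                          sort_keys=True, separators=(",", ":"))


class ActivationLog:
    """Append-only record of remote tracking/camera activations."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def record(self, timestamp: str, operator: str, laptop_id: str,
               action: str, reason: str, ticket: str) -> Entry:
        if not ticket.strip():
            # No external case reference: refuse, mirroring a "file a
            # report first" policy instead of trusting the operator's word.
            raise ValueError("activation refused: no case/report reference")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = Entry(len(self.entries), timestamp, operator, laptop_id,
                      action, reason, ticket, prev)
        entry.entry_hash = hashlib.sha256(entry.payload().encode()).hexdigest()
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Entry]) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i   # an entry was removed, reordered or inserted
        if hashlib.sha256(e.payload().encode()).hexdigest() != e.entry_hash:
            return i   # contents were edited after the fact
        prev = e.entry_hash
    return None


def count_activations(entries: List[Entry], action: str = "track_on") -> Dict[str, int]:
    """How many times each laptop had the capability turned on."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.action == action:
            counts[e.laptop_id] = counts.get(e.laptop_id, 0) + 1
    return counts


def build_sample_log() -> ActivationLog:
    # Constructed sample data; nothing here comes from any real district.
    log = ActivationLog()
    log.record("2010-02-01T08:05:00Z", "it_admin_a", "LAPTOP-0001",
               "track_on", "reported stolen", "CASE-2010-017")
    log.record("2010-02-01T08:06:30Z", "it_admin_a", "LAPTOP-0001",
               "camera_capture", "locate device", "CASE-2010-017")
    log.record("2010-02-03T17:40:00Z", "it_admin_a", "LAPTOP-0001",
               "track_off", "device recovered", "CASE-2010-017")
    log.record("2010-02-10T12:00:00Z", "it_admin_b", "LAPTOP-0002",
               "track_on", "reported lost", "CASE-2010-021")
    return log


def with_entry_removed(entries: List[Entry], index: int) -> List[Entry]:
    """Simulate someone deleting one activation from the record."""
    return entries[:index] + entries[index + 1:]


def with_reason_edited(entries: List[Entry], index: int, new_reason: str) -> List[Entry]:
    """Simulate someone rewriting the justification of an activation."""
    edited = [Entry(**vars(e)) for e in entries]
    edited[index].reason = new_reason
    return edited


def refuses_without_ticket(log: ActivationLog) -> bool:
    try:
        log.record("2010-02-11T09:00:00Z", "it_admin_b", "LAPTOP-0003",
                   "track_on", "curious", "")
    except ValueError:
        return True
    return False
```

Chaining alone does not catch truncation of the most recent entries; periodically handing the latest entry hash to someone outside the administrator group (a counter-signed printout, a separate log server) closes that gap.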

I’m a parent of two pre-teen boys.  I probably wouldn’t have accepted a laptop from the school for either of them personally; I have more than enough computing power at home that I don’t need to bring someone else’s computer into the house.  And if this had happened in my school district, I’d be screaming for blood.  The school administrators who instigated and ran this program need to lose their jobs; they obviously don’t have enough of a moral compass to understand the difference between right and wrong and have no right to be working with children and teaching the next generation.  That may sound harsh, but these are people who thought that the security and safety of a few laptops was more important than the privacy and safety of the students who were using the same laptops.  A piece of hardware may be expensive, but it’s infinitely less important than my children and the children who live in the Lower Merion School District.  The inability to see that fact is proof of their utter lack of suitability to be working with children in the first place.

It may be that we find out that the spyware LMSD installed was never abused and that every instance of its use was justifiable. But the installation and use of the system in the first place without notifying the parents and students was an utter and complete violation of these families’ civil liberties and right to privacy, not to mention the administrators’ ethical responsibility. It shows that the school district placed more value on the laptops than the Constitutional rights of these families. I find that unacceptable and hope that between the civil suit and the FBI investigation a strong message is sent to schools around the country that this sort of spying on students is not and never will be acceptable in any way, shape or form. I hate to think about what I’d do if I ever found out my sons’ school district was spying on them in this way; there’s a reason I earned the nickname “Captain Privacy”.

6 responses so far
