Archive for October, 2010

Oct 26 2010

Network Security Podcast, Episode 218

Published under Podcast

After being out for a few weeks due to international travel, Rich returns and talks about RSA Europe, RSA China, and the interesting side of presenting in China considering all the espionage issues these days.

Network Security Podcast, Episode 218, October 26, 2010

Time: 38:25

Show Notes:

Oct 19 2010

Network Security Podcast, Episode 217

Published under Podcast

While Rich is off jet setting around the world, being an International Man of Mystery^WGeekiness, a tired Martin and a just-getting-over-being-sick Zach keep tonight’s episode short and sweet.

Network Security Podcast, Episode 217, October 19, 2010

Time: 21:29

Show Notes:

Oct 19 2010

PCI Hug It Out: Face to face in Orlando

Published under PCI, Podcast, Social Networking

When Gene Kim came to me with the idea to get Mike Dahn and Josh Corman around a table in Orlando, Florida one evening after the annual PCI Community Meeting, I was excited. Gene wanted to end a minor, pointless feud between two of our friends who’d gotten off on the wrong foot earlier in the year. In effect, we decided to hit the reset button on the relationship between these two gentlemen. And Orlando proved to be the perfect time and place to do exactly that. A good-sized bottle of Macallan 12 didn’t hurt any either.

PCI Hug It Out-FacetoFace.mp3

To give you a quick recap, this is the third of a three-part series (Part 1, Part 2) being sponsored by Tripwire called “PCI Hug It Out”. In Part One, we heard Mike’s views on PCI and why he’s such a strong proponent of the standard. In Part Two, we heard Josh state his position and why he is sometimes thought of as being an opponent of PCI. And here in Part Three we explore the points of commonality between Josh and Mike, and how we can turn these into calls to action from the community as a whole.

There is, of course, the question of The Hug; did Mike and Josh put aside their previous arguments and start a new friendship, did they agree to disagree, or did the night end in fisticuffs?  And how much can we raise for the EFF and Hackers for Charity?  Once again, we ask you to visit the Tripwire blog and let us know if you’ve contributed.

This was a fun project to do with Tripwire and the guys.  I’m sure the four of us will get together again in the future to listen to the sounds of our own voices.  We all hope that people who are interested in PCI and security in general found something worthwhile in our discussion over the tabletop, face to face.  For our part, this was worth doing even if no one ever heard it, so if we’ve given anyone else some things to think about, this was a win.  Thanks for listening.

Oct 13 2010

The Friendly, Snuggly Security Bear and the Internet

If you’re not already scared of the people who want to listen in to your phones, then this video won’t worry you.

Oct 13 2010

Network Security Podcast, Episode 216

Published under Podcast

Despite catching some kind of ConFlu at HacKid, Zach manages to join Martin for a sniffle-filled show. Rich is off in London, speaking at RSA Europe 2010 (or, well, sleeping).

Network Security Podcast, Episode 216, October 12, 2010
Time: 32:45

Show Notes:

Oct 11 2010

PCI Hug It Out – Interview with Josh Corman

Published under PCI, Podcast

Last week Gene Kim and I interviewed Mike Dahn about his views on PCI and why it’s important to him. This week we get to talk to Josh Corman of the 451 Group and question him about the influence the Payment Card Industry Data Security Standard (PCI DSS) has on the security market as a whole. Josh also gives us more about the basis for the tension between Mike and himself.

There’s a lot of ground to cover between the views of Mike and Josh. Josh is not part of the day-to-day process of the compliance field. He doesn’t see the things that assessors see every day. But he does talk to C-level executives on a daily basis and he knows the perception that CSOs and CISOs have of compliance. He realizes that the perceptions of these leaders have a direct impact on their spending and therefore on what technologies receive market share.

Mike, on the other hand, has been involved in PCI for a long time. He helped form much of the training that is given to each Qualified Security Assessor (QSA). He’s trained a huge number of QSAs himself and continues to work in various special interest groups (SIGs) related to PCI. He’s invested a lot of his time into PCI and has a body of work to be proud of. He sees the changes PCI has brought to the merchant and service provider landscape and believes the changes are definitely more positive than negative.

Gene and I hope that, despite their very different viewpoints on the same issues, Mike and Josh can overcome the differences to understand what they have in common. The good news is, you only have one week to wait to find out. Four guys get around a table in Orlando, Florida, drink a bottle of good whisky and record a podcast; what could possibly go wrong?

Thanks again to Tripwire for making this series possible. We’re almost at our goal of $1000 in donations to the Electronic Frontier Foundation and Hackers for Charity. If you donate to either of these charities on our behalf, Tripwire will match, up to $1000. So please help us raise money for these two worthy causes. Leave a comment here after you’ve donated, send an email to mhixson@tripwire.com or use the hashtag #PCIHugItOut to let us know you’ve donated and Tripwire will contribute as well.

PCI Hug It Out – Interview with Josh Corman

Oct 06 2010

DC does the right thing in testing eVoting

Published under Government, Hacking, Privacy, Risk

I really respect the work folks like J. Alex Halderman and the others at the Freedom to Tinker blog do. We all know there’s a lot of corruption, or at least room for error, in the real-world voting infrastructure. It’s understandable: there are a lot of edge cases and special considerations that make subverting the process, on purpose or by accident, almost a requirement. But we have a lot of checks and balances in place to detect and hopefully prevent the vast majority of the subversion of the voting process. Simply having a physical ballot that has to be counted goes a long way as a detective measure. But as we move quickly towards an online, electronic voting infrastructure, we lose one of the most basic protections of our voting process: that same physical token, the ballot.

And the companies building the various eVoting solutions aren’t helping matters any; the majority of these companies espouse how secure their systems are without ever letting an independent third party test them. Indeed, in many cases they fight tooth and nail if anyone so much as hints that independent testing might be a good idea, or worse, if someone tries to test a voting solution without their explicit permission. And as most people in security know, even if you don’t allow testing by qualified security personnel, any product that is exposed to the Internet is going to get plenty of ‘free testing’ whether you want it to or not.

So I was very pleasantly surprised to see that Washington DC had decided to open up their new ‘Digital Vote by Mail’ pilot project to testing early, and a group of researchers had taken them up on the challenge. Not surprisingly, J. Alex Halderman and his crew were able to subvert the system and make it jump through nearly any hoop they wanted. They found a vulnerability in the underlying system that encrypts the PDF ballots that allowed them to create a shell-injection attack and take over. This vulnerability had nothing to do with Adobe, so don’t blame them this time. After that, they could do anything they wanted to the system.

Surprisingly, it looks like the folks at the DC Board of Elections and Ethics believe they have the problem solved; they’re opening the site to testing again until this Friday. They’ve made the source code available, you can request your own testing credentials, and you can play with the live application. I have to give them kudos; they’ve done nearly everything I could ask for when it comes to rolling out an eVoting system. About the only thing I wish they’d do is give the testing more time, but at that point I’m just whining about details. I’m hoping they can make it work to give everyone who’s overseas a chance to vote quickly and easily.

One last thought: This solution may be secure by November, but will it remain secure? It’s a computer system, it will require patches, it will have configuration changes made by system administrators. So will they be able to maintain it in a manner that will prevent other vulnerabilities from creeping in? In the long run, I’m almost certain the answer to this question is no, since we have multi-billion dollar companies and governments that can’t effectively secure their own systems. And the bad guys only need to find one hole in the system, as we all know.

Oct 05 2010

Network Security Podcast, Episode 215

Published under PCI, Podcast

Martin has been a busy little interviewer, so tonight you don’t have to listen to the regular crew nearly as much. In the next couple of weeks Rich is heading for parts unknown for a couple of weeks, or at least parts of Europe and Asia that have RSA Conferences. But he’ll be back eventually. And Zach was on the road this week.

Network Security Podcast, Episode 215, October 5, 2010
Time: 45:17

Show Notes:

Oct 04 2010

PCI Hug It Out – Interview with Mike Dahn

Published under PCI, Podcast

I hate it when my friends argue. Disagreement is fine, but when it gets to the point of high emotions and deteriorating listening skills, I get sad. So when two of my friends, Josh Corman and Mike Dahn, started disagreeing and fighting after Shmoocon earlier this year, I was more than a little upset. Both men are people I respect greatly, due not only to their passion for security in general and PCI specifically, but also to their ability to see aspects of the industry that no one else sees. And I usually respect their ability not only to form their own logical, reasoned arguments but to listen to and pull out the best of what other people are telling them. So when these two started feuding, I was understandably upset. Josh and Mike, while coming from very different viewpoints, both agree that the end goal is to make our industry more secure, no matter how we get there.

I wasn’t the only one who noticed the friction between these two. Gene Kim, creator of Tripwire and its then CTO, had also noticed, and included several comments about getting Mike and Josh to sit down and reconcile their differences in his presentation at BSides Las Vegas. This was followed by Nick Owen (aka wikidsystems) offering $100 to donate to charity if Josh and Mike would ‘hug it out’, with a number of other people offering up donations if Mike and Josh would just hug and make out .. er.. make up. And thus the idea for PCI Hug It Out was born!

The idea languished for a little while, until Gene approached me with an idea: Tripwire had offered to support a project to help understand the stances Mike and Josh take on PCI, why they are so different, and where they both agree on what can be done to improve the security of the industry as a whole. By understanding their differences and commonalities, we hoped that both of these outspoken proponents of security would be able to harness their energy to move us all forward rather than concentrating on each other. Gene and I interviewed first Mike, then Josh, and thanks to Tripwire’s sponsorship we were all able to meet in Orlando at the PCI Community Meeting and have a real face-to-face discussion about what can be done to improve our situation.

On top of everything else Tripwire has done, they’ve agreed to match the first $1000 worth of donations to the Electronic Frontier Foundation and Hackers for Charity! These are both very worthy charities, and everyone who’s been involved with the project is glad we’re able to support them in this way. We hope you’ll add to the donations that Tripwire and others are supplying and allow these organizations to continue their efforts. Leave a comment here after you’ve donated, send an email to mhixson@tripwire.com or use the hashtag #PCIHugItOut to let us know you’ve donated and Tripwire will contribute as well.

The first installment is our interview with Mike Dahn. Mike explains how he got into the PCI arena, a lot about his philosophy concerning PCI and why he continues to support efforts to make PCI better. The podcast is available from the Network Security Podcast site, or you can download it directly at http://traffic.libsyn.com/mckeay/PCIHugItOut-MikeDahn.mp3. Next week we’ll be joined by Josh Corman to explain his viewpoint on PCI and how it’s driving the security industry, followed by the recording of our meeting in Orlando, FL the week after. And yes, there will be photos of the final confrontation between these two industry exemplars.

Oct 04 2010

Verizon 2010 PCI Compliance Report is out

Published under PCI, Risk, Security Advisories

This morning the Verizon 2010 Payment Card Industry Compliance Report was released. This report looks at the assessments of approximately 200 Verizon Business done between 2008 and 2009 and draws some very interesting conclusions from the data in a very clinical, statistical way. This is the first year of the report and there’s a lot of interesting data here, but much as the Verizon Data Breach Investigations Report created nearly as many questions as it answered, so does this report. It’s a great start, there’s a lot of useful information here, but given a couple of years to mature and expand, the Compliance Report will become a very useful benchmark to show how effectively PCI is being implemented. Or isn’t.

I have a business relationship with Verizon, as in I work there, so I’m going to let others provide the majority of the criticism, constructive or otherwise, of the Compliance Report. I’m allowed to have my own opinions and I’m very vocal about them, but I’d rather see a lot of critical thinking by other security professionals who aren’t as close to the issue as I am before I weigh in. As it says in the sidebar, “The views expressed on this blog do not reflect the views of my employer …” etc. This means that I don’t claim to speak for them. It also means that I don’t allow anyone else to tell me what to say. But I’d rather wait and at least pretend to be impartial for a little while before throwing my own hat into the ring regarding the report.

With just a little luck and timing I’ll be recording an interview with a couple of the primary authors of the Compliance Report later today for release with this week’s podcast.  So stay tuned.
