Archive for December, 2010

Dec 29 2010

Network Security Podcast, Episode 226

Published under Podcast

It’s a week and a day late, it’s the last episode of the year, and we’re all too tired to be that excited about it.  Rich, Zach and Martin take a few minutes to look around before plunging on into the new year, and unluckily, we don’t see much change in the air.  There’s also a not-so-short interview with Mike Smith, Security Evangelist for Akamai Networks this week.  So while it’s a good show to end the year with, there are no real stories to cover tonight, just some rambling by your hosts and a good interview.  About par for us.

Network Security Podcast, Episode 226, December 28, 2010

Time:  50:12

Music:  Brian Rath with Deep End


No responses yet

Dec 21 2010

Keep a copy of your TSA rights handy!

If you fly with any regularity, you know exactly how bad things have gotten with the TSA invading your space and your privacy.  Naked x-ray machines, intrusive pat downs and TSOs who think their position gives them the right and responsibility to embarrass people who are simply trying to get to a destination.  All in all, flying is now one of the most stressful activities the average American has to deal with.  Hopefully pressure from the public will turn the tide on the current efforts by the TSA to ‘protect’ us at the expense of our basic liberties, but I don’t see it happening overnight.  In the meantime, you need to know what your rights are when dealing with the TSA.  Thankfully Saizai has created a two-page PDF that explains what your rights are when dealing with the TSA and who to call if you think your rights are being violated.  This PDF is something you should have a copy of on your phone, on your computer and printed out so you can carry it with you when you fly.  Seriously, it’s that valuable.  Saizai says he updates the document fairly regularly, but I’m also making a static copy of it available just in case.  By the way, it also includes information about the photography rules of various airports around the nation, another good piece of information you may need to protect you from overzealous TSOs who want to believe it’s illegal to photograph them at work (it’s not, at most airports).


No responses yet

Dec 20 2010

There’s nothing wrong with taking pictures

Published under Government, Risk, Simple Security

I travel around the country a lot in my role as an assessor and, being in security, I have an off-again, on-again interest in taking pictures, specifically pictures of some of the odd places I find security cameras and the places they cover.  That, and taking pictures of error messages that pop up on various screens and systems that are in public view.  I find it interesting to look at some of the odd places that companies have decided to put a camera and how much of the surrounding area the surveillance catches that people probably don’t have any awareness of.  And in this day and age, I’m almost surprised that no one’s commented on my picture taking and called me a terrorist.  But guess what, people: Photographers are NOT terrorists.  Like most other photographers, I’m following a passion, however little someone else may understand it.  Get over your unfounded paranoia and get back to living your life.  And yes, 99.999% of your paranoia about terrorist plots is unfounded, no matter what the DHS and TSA might want you to think.  And most of the other .001% has some level of validity, but it’ll probably never affect you directly.


No responses yet

Dec 17 2010

A PCI Christmas Wish List

Published under PCI

What would you ask for from the PCI Council this holiday season if you knew they couldn’t say no?  Other than abolishing the PCI requirements altogether, that is!  Walter Conway over at Storefront Backtalk already has his PCI wish list laid out, and he’s got some good ones in there.  Of course, Walt is trying to be mostly realistic with his wishes, listing a number of requests that actually might be attainable in the year 2011.  I, on the other hand, feel no such compunction to be quite so restricted, since I don’t think even his fairly modest requests will actually be fulfilled.  And since we’re shooting for things that are improbable, it’s just as easy to shoot for the stars as the moon.

So what sort of things is Walt asking for?  First of all, a list of all the training classes that the PCI Council will be offering in 2011.  Here it is, two weeks before the end of the year, and no one knows exactly when training will be available next year.  Personally, that doesn’t mean much to me, since my training will be computer-based as a returning QSA, but for the people coming into the industry and the folks who want the newer Internal Security Assessor (ISA) certification, that’s a major issue.  There’s a major manpower issue in the PCI industry and if we can’t get more people trained, it’s only going to get worse.

The other very important item on Walt’s list is for all Level 2 merchants to get started on their own compliance for 2011.  If you’ve been involved in an assessment recently, you know that it’s a minimum of two months between when your QSA comes on site and when you have your Report on Compliance (RoC), and that’s only if you have everything buttoned down, there’s no remediation needed and the QSA company has a streamlined process.  Even then, two months is probably not realistic; you’re better off planning for three to six months, including remediation, and adding the time to actually sign the contract with your QSA company and get a QSA assigned to you on top of that.  If you’re using an internal resource in your assessment, you need to look at the first request and realize that you may not even know when you’ll be able to get the required training this coming year.  Seriously, if you haven’t started planning for compliance in 2011 already, you’d better get started today, otherwise June 31 is going to sneak up on you and smack you on the back of the head before you know it.  And it will feel like you’ve been hit with a clue bat, trust me.

So what would I wish for from the industry and the PCI Council this Christmas if I knew they couldn’t turn me down?  Like I said in the beginning, I’d shoot for the stars: I want a complete rewrite of the PCI requirements that focuses on the desired outcomes, not the specific technical steps that need to be used to accomplish them.  Josh Corman had a good suggestion about this: keep the current requirements as an example of how to implement the new requirements, but have a list that focuses more on the outcomes we want and less on the technology that is needed to make them happen.  The problem with this solution is that it would introduce a lot more wiggle room in the DSS and would require a more mature, knowledgeable group of QSAs, but it would also give merchants and service providers the ability to be more flexible in their solutions and maybe even allow them to concentrate on security first, compliance second.

And while we’re re-writing the PCI requirements, I want to drop the plethora of requirements that are redundant in any modern operating system.  We know that every modern OS logs the event type, time, user, etc., so why do we have to include that in every RoC?  If it’s there for applications that are developed internally and externally, then let’s make it apply to those and leave the redundant writing out of the process.  I’ve looked at most versions of Windows, Linux, Unix and mainframe, so I already know that they meet the PCI requirements, so why do I have to write them up every single time?  No, this isn’t a point of frustration with me at all.

I don’t think Walt Conway and I are going to get anything other than coal in our stockings from PCI Santa this year, truth be told.  The process we’ve gone through the last few years indicates to me that PCI has calcified, which is quite frankly what almost everyone involved in PCI wants.  And when I say ‘almost everyone’ I mean the PCI Council, the majority of merchants, all the card brands and the acquiring banks.  Merchants have enough of a problem implementing many of the PCI requirements that effectively haven’t changed in over 5 years and won’t change for another 3.  The only people who really want change in the PCI standards are the security professionals who are charged with safeguarding your enterprise and the vendors who feel they were locked out of the market by PCI.

By the way, there’s one more group who’s perfectly happy if the PCI standards don’t change and adapt:  the attackers.  Think on that for a little while.


No responses yet

Dec 15 2010

Your email deserves due process

Published under Government, Privacy, Risk

A few years ago Mike Rothman over at Securosis dubbed me “Captain Privacy”.  And thanks to my wife’s sense of humor, I even have a cape and domino mask (but no tights, for which everyone is thankful).  I like my privacy and I often argue against movements by our government to erode the controls protecting our privacy.  And this is one of the more subtle points that Mike and other people miss about me: I am not arguing against the government having the ability to spy on people when they need to, I’m arguing for strong controls around that ability and for judicial oversight to ensure that the ability to monitor citizens isn’t abused.  To some it’s a very subtle difference, but to me it’s an incredibly important distinction.

So it should come as no surprise to anyone that I’m thrilled that the 6th Circuit Court of Appeals has ruled that email is protected by the Fourth Amendment.  For years now law enforcement has been arguing that there should be no expectation of privacy for your email on corporate and cloud services (like Gmail) and that there was no need to get a search warrant prior to seizing copies of email records from service providers.  In other words, since your email is hanging out on a public service provider’s servers, they felt they could just walk in at any time, demand a copy of your email and no one would tell you until you were served with an arrest warrant.  No due process, no judicial oversight, just quietly take what you want whenever you want it.  I understand why the police would want this power, but I also believe that it’s something that’s just waiting to be severely abused, if it hasn’t been already.

This is an appeals court, so it is possible that the ruling could be overturned by the Supreme Court if it got to that level, but it’s unlikely.  The 6th Circuit Court made it very clear that you and I have every right to expect our email to be as secure from covert observation as our physical mail.  Which means that police and federal officers can monitor it if they can prove to a judge that it’s necessary and appropriate.  And that’s all Captain Privacy really wants for Christmas: the knowledge that someone is double-checking what our LEOs are doing and making sure that due process is being followed.


3 responses so far

Dec 14 2010

Network Security Podcast, Episode 225

Published under Hacking, Podcast

It’s a show all about compromises.  And not the good kind that you do when you’re married, rather the bad kind you experience when you have bad security or trust the wrong people.  McDonalds, Gawker, DeviantArt and there’s probably one or two more that we haven’t heard of yet.  Lots of people making lots of mistakes.  And if the Gawker incident is any indicator, there will be a lot more compromises because of password re-use over the next couple of weeks.  Isn’t this a great way to start winding down the year?

Network Security Podcast, Episode 225, December 14, 2010

Time:  34:35

Show Notes:


No responses yet

Dec 13 2010

Customer information stolen

Published under Hacking

Three database/email server compromises were revealed over the weekend.  A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner.  None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.  Gawker’s compromise is especially egregious as it was their full user database, including the passwords.  Rumor has it that Gawker was using DES (not even 3DES) to encrypt the passwords, which is why a large number of the passwords associated with the accounts have been published.  And we all know Gawker users wouldn’t reuse account names and passwords on other services, right?

Personally, I don’t have an account on any of these three systems.  And if I did, the chances of password and username re-use are slim to none; I use 1Password and try to use random passwords created by the program as much as possible.  But, truth be told, I probably still have a number of accounts on older systems that I forgot about and did re-use because I felt they were low importance systems at the time.  Any security professional who tells you they’ve never done the same is a better person than I am; either that or they’re lying to themselves.  And if we, the security professionals, are guilty of it, how can we expect better from our users?  Which means the Gawker compromise is going to lead to a wave of secondary compromises.  [Breaking:  Twitter accounts being compromised, potentially based on Gawker accounts]

The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the potential for phishing and other scams.  The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites.  From there, they can move on to lower impact, less obvious attacks, but that’s how I’d start.  The potential of a user trusting an email warning them of danger is quite a bit higher than for other emails.

This is a great way to end 2010.  Or not.  These systems were viewed by their owners as low value targets and were obviously protected as they felt appropriate.  But it’s proof that no matter how low value the data, if you accumulate enough of it, there is value in the data.  There was no financial data stolen directly, but the amount of information that could be used to lead to a financial compromise is considerable.  What are the chances that at least a small percent of the accounts compromised will turn out to be using the same account name and password for their banking as well?  Probably a lot higher than we’d like to admit.
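The secondary-compromise problem described above (a leaked user table from one site opening accounts on another, plus the phishing exposure of a leaked mailing list) is something a site operator can triage. The Python below is an added example, not code from this post or from any of the companies named in it: it keeps local passwords as salted PBKDF2 hashes rather than reversible encryption, then cross-references a constructed third-party dump against the local user store, separating accounts that merely appear in the dump (warn about phishing) from accounts whose leaked password also opens the local account (force a reset). All account names, passwords and the dump itself are constructed sample data.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. A slow, per-account-salted KDF is what
# keeps a stolen table from turning straight into a list of plaintext passwords.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage, with a fresh random salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_user_table(accounts):
    """Constructed local user store: lower-cased email -> (salt, digest)."""
    return {email.lower(): hash_password(password) for email, password in accounts}


def triage_breach(user_table, leaked_credentials):
    """Cross-reference a third-party breach dump with the local user store.

    Returns (exposed, reused):
      exposed - local accounts whose email appears in the dump; they are a
                phishing target and should be warned.
      reused  - exposed accounts whose leaked password also opens the local
                account; these need a forced password reset.
    """
    exposed, reused = set(), set()
    for email, leaked_password in leaked_credentials:
        key = email.lower()
        record = user_table.get(key)
        if record is None:
            continue  # not one of our users, nothing to do
        exposed.add(key)
        salt, digest = record
        if leaked_password is not None and verify_password(leaked_password, salt, digest):
            reused.add(key)
    return exposed, reused


# Constructed sample data (hypothetical accounts, not real breach data).
LOCAL_ACCOUNTS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "xK9#tree-lamp-42"),
]
LEAKED_DUMP = [
    ("alice@example.com", "alices-other-site-pw"),  # in the dump, different password here
    ("BOB@Example.com", "hunter2"),                 # same password on both sites: reuse
    ("dave@example.com", "whatever"),               # not a local user
    ("carol@example.com", None),                    # email only, password not recovered
]

if __name__ == "__main__":
    table = build_user_table(LOCAL_ACCOUNTS)
    exposed, reused = triage_breach(table, LEAKED_DUMP)
    print("notify about phishing:", sorted(exposed))
    print("force password reset: ", sorted(reused))
```

The email match is case-insensitive because dumps rarely normalise addresses, and a `None` password covers dumps where only the mailing list leaked, as with the McDonald’s and DeviantArt cases. Checking a leaked plaintext against the local hash is a one-way verification, so the script never needs the local passwords in the clear.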

[Update:  I missed the Walgreens customer list compromise.  I wonder if it's related to the McDonalds compromise? Thanks, @falconsview]


One response so far

Dec 12 2010

BayThreat was awesome, do it again!

You’d think that security professionals would get sick and tired of attending security conferences; RSAC, Black Hat, Defcon are the big ones that everyone tries to get to, plus a lot of mid-sized cons like Shmoocon and Toorcon. But the truth is, for most people, those are either business opportunities/obligations or so far away and costly that it’s nearly impossible to attend anything that requires travel, a hotel and several days away from work. Which is why smaller, local events like BayThreat, DojoCon and BSides are becoming so important to security professionals around the globe; the ability to go to a small, local event far outstrips the cost to value ratio of any of the big cons and it’s so much easier to actually see the speakers you want to see.

This last Friday and Saturday were BayThreat, and a huge thanks has to go out to @dewzi and the crew who organized the event.  Held at the Hacker Dojo in Mountain View, CA, the event was far enough from home for me that I had to get a hotel room.  But the majority of the attendees who live in the Bay Area were able to return home each night.  Considering that airfare and the hotel are the majority of the costs of many conferences and that BayThreat only cost $45 to attend, this was a huge draw for most attendees.  And seeing the inside of Hacker Dojo was a plus as well.

I don’t know what the real count was, but the best guess I heard was somewhere between 150 and 200 attendees across Friday and Saturday.  The speakers were some of the same people you might see at a major event like Black Hat, folks like Dan Kaminsky, Moxie Marlinspike and Dino Dai Zovi, but also a lot of great local speakers like Jeremiah Grossman, Allison Miller and Sam Bowne.  I’m just hitting some of the high points; check out the list of speakers for yourself and you’ll see how many great presentations we were treated to this weekend.

Two of my personal favorites in the speaker track were Mike Smith’s presentation about DDoS, with a lot of information about the current situation with Wikileaks, and Steve Adegbite’s presentation “Rage against Security: A different Scene Shift”.  Mike is giving the same talk at Dojocon after flying cross country last night, which may make the presentation more amusing, if not better.  That’s not to say there weren’t other great presentations, there were, but I kept getting distracted by the hallway track and meeting many of the people who were just a twitter handle to me until this weekend.

I have to say that BayThreat is one of the first security conferences I’ve been to that’s left me wishing it was still going on when I headed for home.  There’s a lot to be said for having a conference that’s short and sweet and doesn’t leave you spending the next week trying to recover from the hangover and exhaustion.  But I still wanted more time to hang out with so many great people.  And I’m looking forward to having another great event next year.

Update:  Mike Smith’s DDoS slides have been uploaded to the BayThreat site.


No responses yet

Dec 07 2010

Network Security Podcast, Episode 224

Published under Podcast

We will not talk about that story.  We will not talk about that story.  Okay, we’ll talk about THAT story a little, but no more than 10 seconds.  And we almost made it happen.  But despite our best intentions, we talked about the Wikileaks story tonight.  But only for about 10-20 seconds.  Honest.  Amazon’s AWS getting listed as a Level 1 PCI compliant service provider on the other hand…well, you probably expected us to talk about it and we don’t disappoint.  We hope.  In any case, here’s this week’s podcast with a little bit of musical flavor to give you an idea of our mood.

Network Security Podcast, Episode 224, December 7, 2010

Time:  31:34

Show Notes:


No responses yet

Dec 07 2010

Connected systems: The NTP server is connected to the SQL DB

Published under PCI

Scoping is one of the most subjective parts of doing a PCI assessment.  What I consider to be a ‘connected system’ and what someone else considers to be the same can sometimes be substantially different.  The PCI Council has done a decent job of defining systems that “store, process or transmit” credit card data.  At least a good enough job that most QSAs can agree in most instances what’s in scope and what’s not.  Whether they’ve done a good enough job that people who aren’t up to their elbows in PCI on a daily basis can understand scoping is a different question altogether.

Well, Jeff Lowder has a short article on this that may be helpful (or at least give you an idea what your QSA is thinking), “How to define ‘connected systems’ in the PCI Cardholder Data Environment”.  One of the problems with scoping is that it’s changed gradually since the inception of PCI, and rumor has it that there will be major changes from the Scoping Special Interest Group early next year.  Jeff’s article is good in that he’s pointing out all of the connected systems you may have on your network which are currently being examined, but just for their supporting role.  In other words, your QSA may be checking out your AV server to verify updates, but it’s unlikely that he’s checking it out to the same depth that he’s checking your SQL database.  That may change with the updates to the scoping guidance, requiring the same level of scrutiny for both systems.  Think of your credit card data as an infectious agent that draws any system it touches into the scope of the assessment, and you won’t be too far off target.
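The “infectious agent” metaphor above is, in practice, a reachability question over your system inventory. The Python below is an added example, not code from this post, from Jeff Lowder’s article, or from any PCI Council tool: starting from the systems that store, process or transmit cardholder data, it floods outward across every link that is not cut by a segmentation control and reports how many hops each system sits from cardholder data, with everything unreachable left out of scope. The inventory, the links and the segmentation rules are all constructed assumptions.

```python
from collections import deque

# Constructed inventory (hypothetical): systems that store, process or transmit
# cardholder data (CHD), and the network/management links between systems.
CHD_SYSTEMS = {"pos-app", "sql-db"}
LINKS = [
    ("pos-app", "sql-db"),
    ("pos-app", "ntp-server"),
    ("sql-db", "ntp-server"),
    ("sql-db", "backup-server"),
    ("pos-app", "av-server"),
    ("av-server", "patch-server"),
    ("hr-wiki", "ntp-server"),
    ("hr-wiki", "intranet-portal"),
]
# Constructed segmentation controls: links where a firewall denies all traffic,
# so they do not carry scope. Only links with documented evidence belong here.
SEGMENTED = {frozenset(("hr-wiki", "ntp-server"))}


def all_systems(links):
    """Every system named on either end of a link."""
    return {s for pair in links for s in pair}


def adjacency(links, segmented):
    """Undirected adjacency map; segmented links are dropped entirely."""
    adj = {s: set() for s in all_systems(links)}
    for a, b in links:
        if frozenset((a, b)) in segmented:
            continue
        adj[a].add(b)
        adj[b].add(a)
    return adj


def scope(chd_systems, links, segmented=frozenset()):
    """Flood-fill outward from the CHD systems over unsegmented links.

    Returns {system: hops}: 0 for systems that hold CHD themselves, 1 for
    directly connected systems, 2 or more for systems reached only through
    another in-scope system. Anything absent from the result is out of scope.
    """
    adj = adjacency(links, segmented)
    hops = {s: 0 for s in chd_systems}
    queue = deque(chd_systems)
    while queue:
        current = queue.popleft()
        for neighbour in adj.get(current, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[current] + 1
                queue.append(neighbour)
    return hops


def out_of_scope(systems, scoped):
    """Systems in the inventory that the flood fill never reached."""
    return set(systems) - set(scoped)


if __name__ == "__main__":
    scoped = scope(CHD_SYSTEMS, LINKS, SEGMENTED)
    for system, distance in sorted(scoped.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{system:16} in scope, {distance} hop(s) from cardholder data")
    for system in sorted(out_of_scope(all_systems(LINKS), scoped)):
        print(f"{system:16} out of scope (segmented or unconnected)")
```

Running it with the constructed inventory puts the NTP server one hop from the database, at exactly the same depth as the backup server, which is the post’s point: a supporting system inherits scope from what it touches, not from how important it looks. Removing the `SEGMENTED` entry pulls the HR wiki and the intranet portal in as well, which is the effect an undocumented or misconfigured segmentation control has on the size of an assessment.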


One response so far
