Archive for April, 2011

Apr 18 2011

Network Security Podcast, Episode 238

Published under Hacking, Malware, PCI, Risk

This week's podcast is getting released a little bit early in order to bring you some of the goodness that is the Verizon Data Breach Investigation Report.  Rich and Zach are conspicuously absent as Martin interviews a couple of his coworkers at Verizon, Alex Hutton and Chris Porter.  If you've been in the security field longer than a year, you've probably heard of the DBIR; it's the best source of information about what's really going on in breaches that's currently available anywhere.  With the inclusion of the Secret Service's breach data the last two years, it's hard to think of anyplace you could do better.

We’re taking a week off from the podcast, but we’ll return the first week of May.

Network Security Podcast, Episode 238, April 19, 2011
Time:  29:45

Tonight’s Music:  Head Full of Numbers by Fine Print Pariah


Apr 17 2011

Cloud experiment: Minecraft

Published under Cloud, Family, Linux

I have two young boys who are addicted to Minecraft.  They wake up in the morning, log onto a Minecraft server, play as long as we’ll let them and then get back onto the servers as soon as we’ll let them.  I was a little concerned at first because I really didn’t know much about the game, but I discovered I had several adult friends in the security community who were also playing the game, so I was willing to let the boys play on a system a friend runs.  I don’t know about you, but it makes me feel a lot better about letting my kids play online when I know I can contact the administrator with a quick phone call or email.

Playing on someone else's server is fun for the boys, but since Minecraft is a game of mining resources and constructing almost anything you can imagine, an eventual request came to build the boys their own server.  Minecraft isn't very resource intensive; it's a Java-based program that runs pretty decently on a low-end server, at least if you only have two or three people using the server at a time.  Since, like most geeks, I have several computers that are running 24/7 and have some spare memory, I was able to throw up our own home Minecraft server without too many problems.  And as Minecraft has matured and added plugins, I could give the boys additional capabilities and superuser access so they can give themselves whatever resources they want to build anything they want.  This kept them happy for a little while and gave me something to hold over their heads to get their homework done.  It's a lot easier to deny them access to the server when you can shut it down in a couple of seconds.

The next step came when the boys told their cousin about Minecraft and he started playing as well.  It's a community game and they often play together on public servers, but the lure of having superuser accounts and just having control of their environment with their cousin was strong.  So the continuing plea of "Dad, can we make our Minecraft server public?" started.  With the continued reply of "No." to go with it.  They tried several tactics, such as explaining the whitelisting and blacklisting capabilities of Minecraft, offering their cousin's server instead if I'd tell them how to make it public, as well as several other plans that only a pre-teen could come up with.  All of which were still denied.

It's not that I don't want my sons to have their own Minecraft server, it's just that the security of my home network is more important to me than them playing a game that necessitates poking a hole in my network to the outside world.  I'm a security professional and I know that despite that, I don't know enough to lock down any program with 100% certainty once I've opened it up to the Internet.  I do not currently allow any services to be served to the Internet from my home network and I have no intention of changing that in the near future.  I've also had several discussions that led me to believe that while Minecraft doesn't have any currently known publicly exploitable vulnerabilities, security is not a major concern of the developers and it's only a matter of time before someone turns their full attention to rectifying the lack of exploits.  Especially considering how popular Minecraft has become.

I'm the kind of father who wants to give his kids as many geek toys as he can, first to test my own abilities and second to give them something to stretch their own capabilities.  Or perhaps it's the other way around.  In either case, I wanted to give my kids what they wanted, a publicly accessible Minecraft server that was not part of my home network and did not put any of my resources at risk, however minor.  Which is when I realized I had a technology I've been meaning to learn more about and was just looking for an excuse to play with:  the Cloud!  I've been remiss in my duties as a geek and security professional in that I'd been reading about Cloud technologies, I've been listening to what others have to say and I've even given a talk about PCI in the Cloud, but I'd never actually signed up for a cloud service and created my own server because I didn't have a real use for one.  Setting up a Minecraft server on Amazon's EC2 this weekend became the perfect solution to both issues, giving the boys a Minecraft server that I didn't care who connected to and giving me a chance to stretch a little and learn more about the technology that is on everyone's lips this year (and probably the next several).

I’ll be honest, one of the things that made this easy is that I found a step by step guide to creating a Minecraft server on the Minecraft forums.  I’m including a copy of the guide in the extended post because I don’t want to take the chance of losing the information if something happens on the forums, an old habit of mine.  I’ll add a few of my own notes to it as well.  This was a huge help and probably cut my installation time by 3/4.

Signing up for all the Amazon Web Services was easy and only took about 30 minutes.  I needed to sign up for these in any case for another project, but that's someone else's tale to tell when he's ready.  From that point on, the guide was spot on.  I don't think it was more than 30 minutes later that I had the boys' personal Minecraft server up and running.  As suggested, I chose a small, spot request instance of the default Linux installation, reserved an Elastic IP address, associated it and the server was up and running.  I performed a few additional steps, like installing Bukkit and half a dozen plugins that the boys requested.  Most of it was as easy as using wget to pull first Bukkit and then the plugins and restarting the server.  I did have one minor problem in that one of the plugins was being hosted on a server using HTTPS and I had to modify the wget parameters, but that's relatively minor to overcome.
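The plugin-fetching step above is where a jar pulled with wget goes straight into a server that other people connect to, so the check worth adding is an integrity check before the file lands in plugins/. The script below is an added example, not part of the original post or the forum guide it copies: it keeps wget's default certificate verification on (the right response to an HTTPS error is installing the instance's CA bundle, not disabling the check) and installs a plugin only if its SHA-256 matches a pinned value. The URL, file names and checksum handling are illustrative assumptions; the demo uses a constructed file so it runs without network access.

```shell
#!/bin/sh
# Added example (not from the original post or the Minecraft forum guide):
# fetch a Bukkit plugin over HTTPS with certificate checks left on, then
# install it only after its pinned SHA-256 digest verifies.
# URL, file names and the plugins path below are placeholders/constructed.

sha256_of() {
    # Print the SHA-256 hex digest of a file (coreutils or BSD tooling).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_plugin URL DEST
# Plain wget keeps TLS certificate verification enabled by default. If the
# instance rejects the plugin host's certificate, install the CA bundle on
# the instance (ca-certificates) rather than adding --no-check-certificate.
fetch_plugin() {
    wget --tries=3 -O "$2" "$1"
}

# install_plugin FILE EXPECTED_SHA256 PLUGINS_DIR
# Copies FILE into PLUGINS_DIR only when its digest equals EXPECTED_SHA256.
# Returns 0 on success; on mismatch deletes FILE and returns 1, so a
# tampered or swapped download never reaches the running server.
install_plugin() {
    plugin_file=$1
    expected=$2
    plugins_dir=$3
    actual=$(sha256_of "$plugin_file")
    if [ "$actual" != "$expected" ]; then
        echo "REJECT: $plugin_file sha256 $actual != pinned $expected" >&2
        rm -f "$plugin_file"
        return 1
    fi
    mkdir -p "$plugins_dir"
    cp "$plugin_file" "$plugins_dir/"
    echo "installed $(basename "$plugin_file") into $plugins_dir"
    return 0
}

# Stand-alone demo on constructed files (no network): a good jar installs,
# a modified copy with the same pinned digest is rejected.
demo() {
    work=$(mktemp -d)
    printf 'constructed fake plugin bytes\n' > "$work/Good.jar"
    pin=$(sha256_of "$work/Good.jar")
    install_plugin "$work/Good.jar" "$pin" "$work/plugins" || return 1
    printf 'constructed fake plugin bytes\nextra\n' > "$work/Bad.jar"
    if install_plugin "$work/Bad.jar" "$pin" "$work/plugins"; then
        return 1
    fi
    [ -f "$work/plugins/Good.jar" ] || return 1
    [ ! -f "$work/plugins/Bad.jar" ] || return 1
    return 0
}

demo
```

In real use the pinned digest comes from the plugin author's release page, captured once over HTTPS and kept in a file alongside the server; the point is that a later wget that silently returns a different jar (a moved URL, a compromised mirror, a captive portal page) fails closed instead of being loaded by the server on the next restart.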

I've been running our Minecraft server on Amazon's EC2 for about 24 hours now.  I made it clear to the boys that this server is only going to be up evenings and weekends, which turns out to be a good thing.  It's not a huge cost, but in the past day this installation of Minecraft has cost me approximately $1.50 to run at a fairly low load, which could quickly add up to $40-50 or more per month.  If there were more people using it, if their cousin actually had a full Minecraft account and could play with them, and if I didn't already have a Minecraft server running on the home network, I might be willing to pay that, but for the most part they're going to have to live with the server only being available when I say it is.  I'm not an authoritarian … wait, no, scratch that.  When it comes to my kids, yes, I am the authority and my wife lets me say so.

All in all, this was a worthwhile project; it gave me some experience with the Cloud and specifically AWS.  I walked the kids through some sections of the installation, which taught us all a few lessons.  They get a Minecraft server they can share with their cousin and friends, without my having to open my network or pay an arm and a leg.  But I am realizing that it’s important to watch your Cloud instances or you’re going to end up paying a lot more than you thought very quickly.


Apr 14 2011

Feeling one-dimensional

Published under Blogging, General

I feel a bit guilty sometimes when I look at my own blog.  When I started blogging oh-so-many years ago, I'd blog at least daily, often two to three times a day depending on the time I had and what interesting stories I could find as the day went by.  Also depending on what my workload was, which was fairly light when I started, since monitoring an IDS really isn't that hard once you've got things properly tuned.  The blog was a new toy that I wanted to play with as much as I could and there were a lot of ideas I wanted to explore back then.  But the shine has long since worn off of the toy.

Fast forward to now and I often go a week or more without a new blog post.  Sometimes the only post for the week is a link to the podcast, and some weeks even that doesn’t happen due to travel schedules.  So I’ll look at the site and feel bad because nothing’s been written, try to come up with anything and either walk away because I can’t come up with an idea or write something I don’t publish because, honestly, I sometimes write a pile of steaming crud that I don’t think should be inflicted on anyone.  These have some value, because they clear my mind a little, but you shouldn’t have to read them.

But the biggest problem I have with writing is that some days I feel like I only have one subject to write on, which is, you guessed it, PCI.  It’s an important subject, I have a fair amount of experience in it and I have points that have value and should be shared with the folks who come to the blog.  But it feels like I have been having the same conversation for a few years now, and I know that if I’m boring myself with the talk, I have to be boring others with it as well.  And if there’s one cardinal sin in writing, it would be boring your reader. 

I’m not sure there’s a solution for this problem, or at least not an easy one.  PCI is what I do for a living, I’m immersed in it 40-60 hours a week.  It’s hard to get out of the mindset of compliance.  The PCI requirements haven’t changed significantly in years, despite the fact that 2.0 came out last year.  And it’s not going to be changing again for at least three more years.  It’s not exciting, it’s not sexy and there’s not a lot of news that’s coming out about PCI.  Unless you consider all the breaches that is.

It’s a little depressing to be so one-dimensional, to not have a breadth of subjects to talk about.  And even within PCI there are some subjects and events I can’t write about because either my employer is involved, therefore I’m involved indirectly or because I’m involved directly and would be incredibly stupid to make any comment on the situation at all.  To be fair, no one I work with has editorial rights on my blog or any say in what I write about here, but I have a healthy sense of self-censorship.  I like my employer and am in no hurry to do something that would get me in hot water in a hurry.  I figure this is simply a factor of growing up and taking responsibility, not a constraint laid on me by someone else.

I’m not sure there’s a solution at the moment, but I’m open to suggestions.  I’ve started to branch out a little in my non-work hobbies; I’ve picked up a bunch of Arduino stuff and I’m working with the kids to learn more about electronics and to brush off some long neglected programming skills.  I’m also starting to talk to other security professionals I respect about long term career goals.  I often wonder how I got where I am in my career and rather than continuing to trust in the luck that got me here, I’m starting to lay some of the groundwork that will be needed to take me to the next level.  You’d be surprised how much good advice you can get if you just take the time to ask for it.  But neither of these is really at a point where I can write about it and I’m not sure this blog is the place to talk about Arduino in any case.  Career advice, yes, at least once I’ve digested enough of the wisdom folks I’ve been talking to.  Which could be a while, since this is something that I’m a little slow in assimilating.

I’m sure I’m not the only one who’s run into this issue.  I know from the comments I receive from time to time that I’m not the only one who thinks the blog has become one dimensional.  I think the proper term is ‘stuck in a rut’.  How have you broken out of your own rut in the past?  How have you broadened your skill set or interests so that you’re not a one trick pony?  Am I fretting over something that’s a non-issue and should stop whining and go back to writing about PCI and be happy I have something I’m, well, if not an expert, at least experience in?  I’m curious how others feel about running into the same problem and would like to hear from you.

Thanks.


Apr 12 2011

Network Security Podcast, Episode 237

Published under Podcast

Zach is off in London so Rich and Martin handle things duo this week. No theme to the show, just a smattering of interesting security stories. Let’s just say “we live in interesting times” considering the flood of news on only the second day of the week.  Rich and Martin have an interesting conversation about the trade-offs you make when working from home, which really isn’t as glamorous as many people seem to think.

Network Security Podcast, Episode 237, April 12, 2011
Time: 33:55

Show Notes:


Apr 06 2011

Breaking_in Drinking game

Published under General

Ooh, all sorts of goodness starts tonight.  There's a slim chance the new hacker show 'breaking_in' will be fun, exciting and awesome.  There's a slightly better chance that it will be so horrible that it's campy and the security crowd will watch just to point and laugh.  But the majority of us are expecting it to be canceled within a month or two, to join Tiger Team in the annals of shows that represent the best shot at showing the larger public what a 'hacker' is.

But more importantly, this is a great excuse to have a few drinks and unwind a little tonight!  So, I want to help get the idea of a Breaking In drinking game started, even though we won’t have the opportunity to play it for long.  So, pulled from twitter, here are some starter ideas for the drinking game:

Take one shot if:
- Anyone mis-states any sort of technology
- Christian Slater gives his trademark insipid grin
- Anything that happened in an episode of Tiger Team
- Someone references “Sneakers”
- There’s an inaccurate lockpicking reference
- Any time they mention a firewall as being the solution to the problem
- Anyone mentions a noop sled
- Someone mentions the Cloud
- “Boom goes the dynamite”

Take two shots if: 
- They show a screen shot of a GUI as a ‘hacking tool’
- Anyone claims to be the World's Greatest Hacker
- there’s mention of PCI, HIPAA or other compliance initiative (I’ll personally down the bottle on this one)

Take three shots if:
- They show a real hacking tool used in the way it’s supposed to be used.  (not much chance of this one)
- They ‘enhance’ a grainy image to the point it’s actually useful

Better have some good alcohol handy

Update:  I ended up enjoying this show and probably would have been really drunk if I'd had anything stronger than a Red Tail Ale in hand last night.  But if you'd like to see what a real CEO of a pen-testing company thinks about the show, check out Robert Graham's pre-review of the show.  I'll keep 'Breaking_in' recording on the DVR for a few weeks before drawing any further conclusions about it.  It does make a good excuse to take a break from writing to drink a little.


Apr 05 2011

Network Security Podcast, Episode 236

Published under Podcast

Zach is back in this smorgasbord of an episode where we rip through discussions on the Epsilon hack, Gucci, and the insanity of a television production company losing 14 episodes of shows because they only had one copy.  Hosted with someone else.

Network Security Podcast, Episode 236, April 5, 2011
Time: 30:23

Show Notes:


Apr 04 2011

You are beautiful and unique…just like everyone else

Published under PCI

I've got to love it when a friend writes a post that disproves its own title.  For example, my friend Mike just wrote a blog post called "You are Not a Beautiful and Unique Snowflake" in which he goes on to explain that you're unique, as are your competitors, but that doesn't give you any reason to expect special treatment.  And that's his real point: while you may see someone else who's in the same business, doing the same thing, there's enough individuality and uniqueness that what appears like special treatment to you is really the outward symptom of the deeper differences between businesses that can only be seen during a thorough inspection of the real workings of the business.

Ask any experienced QSA about the different businesses they've worked with over their tenure and you'll really start getting the feeling that there's not that much variation in how companies do networking, configure servers and run a web site.  That's only natural, since as human beings we generally tend to focus on how things are alike before we start observing the differences.  And from a casual viewpoint, there really aren't any major differences between similar businesses when you're taking that sort of 10,000 foot view.  But PCI isn't about the 10,000 foot view; it's about getting into the nitty-gritty details of how credit cards flow through the business's systems, where the data is stored and all the minutiae of how every system that stores, processes or transmits cardholder data is configured.  If you consider how hard it is for even one business to configure all of their servers to a set of standards, then thinking about how much variation exists between any two companies, even ones doing the exact same business, should give you a moment of pause.

Where Mike's most dead on is when he says "You seem to think you know everything there is to know about your competitor, but in all likelihood you do not".  I'm no longer surprised when I go into an assessment and somewhere halfway through a conversation a manager says, "Wait a minute, why haven't I heard of this data repository/network connection/export to sales before now?"  It's not a dig against anyone; the fact is most cardholder environments are complex and constantly changing and unless your only job is to dig into the environment on a daily basis, it's very hard to keep up with what's where.  Assuming you ever actually knew where everything was in the first place.  And if it's not unusual to do this sort of accidental discovery in your own environment, how can anyone assume with any certainty that they understand their competitor's environments well enough to make a judgment call on compliance?

It's hard to remember sometimes how much of a difference a little segmentation or minor configuration changes can make, with the exact same equipment configured just a little bit differently.  And part of the reason you consider someone your competitor is because they're doing almost the same thing you're doing, just a little differently.  Ask your own sales or marketing department how your product is different from your competitors' and I'm willing to bet they could rattle off a dozen differences in a couple of minutes.  (If they can't, get a new sales/marketing department!)  If marketing knows that there are differences in the products, how can you reasonably expect that your cardholder data environment won't have similar, nuanced variations?  The reality is, you can't.

Do QSAs miss things?  Yes, every day!  Are there QSAs who ignore things they don't want to review?  Probably, but that's not an accusation anyone should make without proof.  Is your environment exactly the same as your competitor's?  Unless a large part of your crew came from the competitor's workforce, or vice versa, the chances are slim that when you actually look under the hood of how business is done you'll find nearly as many similarities between you as you thought.  And it's the 'devil in the details' that makes all the difference in the world between passing an assessment and not.

Yes, you are beautiful and unique, just like everyone else.  And no, neither you nor your competitor are going to get special treatment under the PCI DSS.  They’re probably just not as similar as you thought they were.


Apr 03 2011

QSA Burnout

Published under PCI, Risk

I know it’s something I talk about at least once a year, feeling burnt out in my career path.  Like many people, I feel stressed by the huge amount of information that comes our way as security professionals, especially when I start reading about security breaches that potentially affect clients of mine.  It’s hard to feel like you’re winning the battle when you hear about a supposedly secure company that was compromised and had all their data exfiltrated.  It’s even worse when that data is probably going to be a lot of credit card information and there’s a ton of questions about the company’s last PCI assessment.

So there's a little stress associated with being an assessor.  No matter how well you get along with the client, they know as well as you do that your job is to review their security configurations and setup, make a judgment call, and tell them whether they pass the assessment or not.  They didn't want to deal with PCI in the first place, they don't agree with many of the requirements, you're the authority figure in charge of enforcing the requirements and almost invariably, you can't meet the timelines the client wants, usually due to circumstances beyond your control.  And who can blame them, since PCI is forcing so many merchants to spend time and money on security measures they didn't want or didn't feel they needed in the first place.  No one wants a third party telling them they have to put in AV or face having a higher exchange rate on each and every transaction.

It's not an easy job, and while I am whining about it a little, what's really surprised me lately is the number of QSAs I know who've left the field in the last few months.  It's not like people are telling me "I hate our company, I'm leaving for a better company".  What I'm hearing is, "I hate PCI, I'm going back to some other aspect of security".  For some it's been the cyclic nature of PCI and going back to the same companies year after year and seeing the same exact issues show up each and every time.  For others it's been the lack of any significant changes in the PCI requirements since they came out and at least three more years before there's much chance for change.  And in a few cases, it's been the need to restrain themselves from commentary or criticism of PCI since it's their main source of income.  Not a single one of the people I've talked to has said, "Oh, I'm sorry I left PCI, I want back in."  And I don't expect to hear that from anyone any time soon.

I don't know if there's a solution, other than training the next set of QSAs.  Companies are improving their security, some more than others, and it shows.  Unluckily, the bad guys appear to be able to bypass those security measures more adeptly than we are at putting them in place.  More security professionals are subscribing to the idea of "compliance through security, not security through compliance", but it's a slow process and too late to keep QSA burnout at bay.  Getting involved with the special interest groups (SIGs) who work on many of the aspects of networking and security for PCI is a way to effect change, but it's a slow process as well, and one fraught with its own perils and stresses.  You might be able to effect change eventually, but given the glacial pace at which the SIGs have been releasing guidance, the chances are slim you'll feel like you're actually being effective at any point in the process.  And criticizing PCI, the PCI Council or any other aspect of the whole compliance effort is something that is always going to require careful thought and judgment no matter what role you take in the industry, something that's not going to change.  Ever.  If you have a voice in the community, it can and will affect your job if you say the wrong things or say the right things in the wrong way.  Being right is no defense if you offend the wrong person in the compliance industry.  Not that I would know anything about that.

I suspect that we're going to see a spike in the burnout rate over the next year or so.  A lot of the people who have been involved exclusively in PCI since the early waves of compliance are reaching their pain threshold and looking for ways to get out.  Which is hard, since the skill set of a QSA (I know, oxymoron) is in high demand and pays well.  Even that hasn't been enough to keep some people, since you eventually reach a point where the money isn't worth it anymore.  People are going to continue to quit this segment of the industry, leaving holes that will have to be filled by less experienced, though not necessarily less knowledgeable, assessors.  Which will in turn add to the stress most assessors are feeling.

I don't personally have any plans in place to leave the PCI arena any time soon.  It's hard, but fighting the stress, fighting the anxiety of being an assessor is something that can be dealt with for now, if not forever.  People I thought would never abandon PCI have left the field for other opportunities, so I know that I will also leave eventually.  And maybe this is just part of a natural career progression that occurs: learning a new skill, mastering it, then burning out and moving on.  But as opposed to leaving your company to go work in a different role elsewhere, most QSAs leave one company to do the exact same thing at another company, until they burn out and leave entirely.  And I'm pretty sure that's not a healthy career progression.
