Archive for the 'Security Advisories' Category

Mar 22 2011

Network Security Podcast, Episode 234

Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach.  Actually, he was on more to talk about the industry’s reaction to the breach than the breach itself.  The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he’s actually talked to folks at RSA.  Which means we know just a little more than nothing, which is not a significant improvement.

Another reason Josh wanted to join us was to talk about one of Rich’s recent articles, called Table Stakes.  We clarify what Rich meant in the original post as well as talking about some of the more touchy-feely aspects of the industry.  Except Zach, who doesn’t do touchy-feely so much.  And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they’re always imitating us.  They even have their own Bizarro Zack, @jsokoly.

Network Security Podcast, Episode 234, March 22, 2011
Time:  42:06

Show Notes:


No responses yet

Mar 21 2011

Roundup of RSA breach articles

Published by under Hacking,Risk,Security Advisories

This group of pieces on the recent RSA breach is only the tip of the iceberg, but most of what you’ll read on the story is purely suppositional.  In other words, a lot of educated people are playing a game of “let’s pretend” and blogging about it.  No one who’s writing knows much about the details; almost everything that’s out so far is guesswork about what might have happened to RSA.  And while there’s some value to running through possible scenarios, it’s probably not worth the screen time the story has been getting until we know something concrete.

So here are three stories on the RSA APT.  The first is just the initial facts as they were known late last week, in a story from the Boston Herald.  The second is an analytical brief from NSS Labs, included as an example of some of the conjecture people are making based on what is known.  NSS Labs is known for having some good folks and this report is far from the most outrageous speculation that’s been made so far, but it’s also going to require a lot more information before we can really make a claim like “a string of breaches stemming from this event.”  Dave Shackleford does a very good job of dissecting just how little we know so far in this story and why the ‘A’ in APT is a misnomer.

And finally a story that may or may not have anything to do with what’s happening to RSA, Google is accusing China of messing with their stuff.  It’s kind of hard to trust your servers when you’re sending them to another country that has no compunctions about using any means necessary to ‘protect their citizens’. 

Update:  And moments after I posted this @N0b0d4 posted a very good post by Steve Gibson dissecting the potential risks of this compromise for people using RSA SecurID tokens.  I’m not usually one of Steve’s biggest fans, but he’s taken apart the issues pretty well this time.


2 responses so far

Dec 21 2010

Keep a copy of your TSA rights handy!

If you fly with any regularity, you know exactly how bad things have gotten with the TSA invading your space and your privacy.  Naked x-ray machines, intrusive pat downs and TSOs who think their position gives them the right and responsibility to embarrass people who are simply trying to get to a destination.  All in all, flying is now one of the most stressful activities the average American has to deal with.  Hopefully pressure from the public will turn the tide on the current efforts by the TSA to ‘protect’ us at the expense of our basic liberties, but I don’t see it happening overnight.  In the meantime, you need to know what your rights are when dealing with the TSA.  Thankfully Saizai has created a two-page PDF that explains what your rights are when dealing with the TSA and who to call if you think your rights are being violated.  This PDF is something you should have a copy of on your phone, on your computer and printed out so you can carry it with you when you fly.  Seriously, it’s that valuable.  Saizai says he updates the document fairly regularly, but just in case I’m also making a static copy of it available.  By the way, it also includes information about the photography rules of various airports around the nation, another good piece of information you may need to protect you from overzealous TSOs who want to believe it’s illegal to photograph them at work (it’s not, at most airports).


No responses yet

Dec 12 2010

BayThreat was awesome, do it again!

You’d think that security professionals would get sick and tired of attending security conferences; RSAC, Black Hat, Defcon are the big ones that everyone tries to get to, plus a lot of mid-sized cons like Shmoocon and Toorcon. But the truth is, for most people, those are either business opportunities/obligations or so far away and costly that it’s nearly impossible to attend anything that requires travel, a hotel and several days away from work. Which is why smaller, local events like BayThreat, DojoCon and BSides are becoming so important to security professionals around the globe; the ability to go to a small, local event far outstrips the cost to value ratio of any of the big cons and it’s so much easier to actually see the speakers you want to see.

This last Friday and Saturday were BayThreat, and a huge thanks has to go out to @dewzi and the crew who organized the event.  Held at the Hacker Dojo in Mountain View, CA, the event was far enough from home for me that I had to get a hotel room.  But the majority of the attendees who live in the Bay Area were able to return home each night.  Considering that airfare and the hotel are the majority of the costs of many conferences and that BayThreat only cost $45 to attend, this was a huge draw for most attendees.  And seeing the inside of Hacker Dojo was a plus as well.

I don’t know what the real count was, but the best guess I heard was somewhere between 150 and 200 attendees between Friday and Saturday.  The speakers were some of the same people you might see at a major event like Black Hat, folks like Dan Kaminsky, Moxie Marlinspike and Dino Dai Zovi, but also a lot of great local speakers like Jeremiah Grossman, Allison Miller and Sam Bowne.  I’m just hitting some of the high points; check out the list of speakers for yourself and you’ll see how many great presentations we were treated to this weekend.

Two of my personal favorites in the speaker track were Mike Smith’s presentation about DDoS, with a lot of information about the current situation about Wikileaks, and Steve Adegbite’s presentation “Rage against Security: A different Scene Shift”.  Mike is giving the same talk at Dojocon after flying cross country last night, which may make the presentation more amusing, if not better.  That’s not to say there weren’t other great presentations, there were, but I kept getting distracted by the hallway track and meeting many of the people who were just a twitter handle to me until this weekend. 

I have to say that BayThreat is one of the first security conferences I’ve been to that’s left me wishing it was still going on when I headed for home.  There’s a lot to be said for having a conference that’s short and sweet and doesn’t leave you spending the next week trying to recover from the hangover and exhaustion.  But I still wanted more time to hang out with so many great people.  And I’m looking forward to having another great event next year.

Update:  Mike Smith’s DDoS slides have been uploaded to the BayThreat site.


No responses yet

Nov 21 2010

Who should you complain to?

I’m not going to weigh in on the whole TSA whine fest that’s going on; I agree that the TSA has gone too far and needs to have their collar yanked on to settle them down.  But a whole bunch of us complaining on Twitter isn’t going to do much, neither are lengthy blog posts.  Quite frankly most of us have too little exposure to be taken seriously on the national stage.  I got my own whining in early, so now I’m trying to gather some information on how to be effective.

But we do have people we can contact who do have some pull, starting with our federal legislators, who are easy enough to find and monitor on the Project Vote Smart site.  I didn’t notice a political slant either way to the site; it appears to just be reporting the facts and is easy to use.  Writing to your Senator (mine is Barbara Boxer) will be slightly more effective than Twitter; at least an intern somewhere will tally your complaint.  Two other places that you can write that I’ve been told will have slightly more impact are your airline and their lobbying firm.  Explain your position in terms of how it impacts your business and how it will impact their bottom line.  The SourceWatch wiki supplied me with contact information for United Airlines and their lobbyist firms.  I’ll let you know if I hear anything back from them.  I had a friend on Twitter explain this: basically you want to start any emails you send by talking about the money, then end with little side notes like ‘protection from unreasonable search and seizure.’  It’s easier for many people to understand money issues than those of Constitutional rights.

The TSA does have a way to report a complaint, though I don’t know of anyone who’s done it so far and what the results have been.  Personally I’d be afraid of getting added to a watch list.  What might be more helpful is to read the official TSA Blog.  For instance, did you know it’s actually allowable by TSA rules to photograph a TSO in pursuit of their duties?  That is if the state and local laws allow it, which they don’t in many states.  So far California appears to.

The current pat downs and backscatter x-rays are both issues that need to be addressed.  As is the over-reach of the TSA to grab power at airports.  But observing and talking about them don’t do much good unless we follow up with some sort of action.  If you have some better ideas of who to contact, please leave a comment.


2 responses so far

Nov 11 2010

Nailing the new TSA process


‘Nuff said!


No responses yet

Oct 04 2010

Verizon 2010 PCI Compliance Report is out

Published by under PCI,Risk,Security Advisories

This morning the Verizon 2010 Payment Card Industry Compliance Report was released.  This report looks at approximately 200 assessments done by Verizon Business between 2008 and 2009 and draws some very interesting conclusions from the data in a very clinical, statistical way.  This is the first year of the report and there’s a lot of interesting data here, but much as the Verizon Data Breach Investigation Report created nearly as many questions as it answered, so does this report.  It’s a great start, there’s a lot of useful information here, but given a couple of years to mature and expand, the Compliance Report will become a very useful benchmark to show how effectively PCI is being implemented.  Or isn’t.

I have a business relationship with Verizon, as in I work there, so I’m going to let others provide the majority of the criticism, constructive or otherwise, of the Compliance report.  I’m allowed to have my own opinions and I’m very vocal about them, but I’d rather see a lot of critical thinking by other security professionals who aren’t as close to the issue as I am before I weigh in.   As it says in the sidebar, “The views expressed on this blog do not reflect the views of my employer …” etc.  This means that I don’t claim to speak for them.  It also means that I don’t allow anyone else to tell me what to say.  But I’d rather wait and at least pretend to be impartial for a little while before throwing my own hat into the ring regarding the report.

With just a little luck and timing I’ll be recording an interview with a couple of the primary authors of the Compliance Report later today for release with this week’s podcast.  So stay tuned.


No responses yet

Oct 04 2010

Asking the right questions about Tokenization

I make no bones about it, I’m a very big fan of the concept of tokenizing credit card numbers as early in the merchant stream as possible.  For some merchants this will mean that they are replacing their credit cards with random tokens in their back end servers, using the token internally, but still storing the credit card in a heavily defended server somewhere in the data center.  For other merchants tokenization will mean encrypting the data at the PIN pad, sending it to their acquiring bank and receiving a token to use in place of the credit card number within their own systems and thereby taking most of the merchant’s systems out of scope for a PCI assessment.

These sound like, and are, both worthy uses of tokenization, but there’s a lot of confusion about the difference between these two extremes of the technology and especially about how these differences can affect your implementation and scope!  Which is why I’m glad to see an article like Walter Conway’s, “Playing Token Trick or Treat“.  As much as many people would like to see a straightforward review of specific products that allow for tokenization, this is still too much of a nascent technology for reviews to be realistic or useful.  Anyone who implements a tokenization solution will be on the cutting edge, and in many cases will be beta testing technologies for the manufacturers.  It’s early enough in the process that by being involved in a tokenization project, you can actually have a large influence on the products we see over the next few years.  Which is exactly why it’s so very important to know exactly which questions to ask when evaluating and implementing a tokenization solution.

Walt’s first question is probably the most important of them all, “Have you found all your cardholder data?”  Even if you’re not assessing a tokenization solution, this is an important question to be asking yourself on a regular basis.  And once you’ve asked it, go back and ask again.  And again.  And again.  Until you’ve asked half a dozen or more times and continue to ask every few months, you won’t have any level of certainty that you’ve found it all.  Even then, it’s possible you’ll develop a leak somewhere and cardholder data will pollute portions of your network that were never intended to hold or secure cardholder data.

Walt has a good number of other questions you should be asking if you’re assessing, or just curious about, a tokenization solution.  Make sure you understand the possibilities and the pitfalls of any solution before you make the leap of faith required to implement such a young technology. 
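As an added illustration (this is not code from the original post or from Walt Conway’s article), the following Python sketch ties the two points above together: a scanner that tries to answer “have you found all your cardholder data?” over a handful of constructed sample records, and a minimal vault of the first kind described above, where the card number is swapped for a random token and lives only inside the vault. The record format, the function names and the `tok_…` token format are my own assumptions; the in-memory dictionary stands in for the heavily defended server a real deployment would use.

```python
import re
import secrets
import string

# Constructed sample records: a free-text export that was never meant to hold
# card numbers. Two lines carry Luhn-valid test PANs; one carries a 16-digit
# tracking number that fails Luhn and so must NOT be flagged.
SAMPLE_RECORDS = [
    "order 1001 cust=alice note='paid with 4111 1111 1111 1111'",
    "order 1002 cust=bob ref=4242424242424242",
    "order 1003 cust=carol tracking=1234567890123456",
    "order 1004 cust=dave phone=555-0100",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to
# other digits. This is deliberately loose; Luhn does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allowed so Luhn sees digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(records):
    """Scan records for PAN-looking strings; return (record index, PAN) pairs."""
    hits = []
    for idx, text in enumerate(records):
        for m in PAN_CANDIDATE.finditer(text):
            digits = _normalize(m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((idx, digits))
    return hits


class TokenVault:
    """Simulated vault: PANs exist only in here; everything else sees tokens.

    A production vault would be an isolated, encrypted store with its own
    access controls. Here two dicts stand in for it (assumption for the example).
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a fresh random one if needed."""
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]        # same PAN, same token
        while True:
            # Letters only, so a token can never look like a PAN to the scanner;
            # the last four digits are kept for display, as receipts usually do.
            body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
            token = f"tok_{body}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look the PAN back up; raises KeyError for an unknown token."""
        return self._pan_by_token[token]


def tokenize_records(records, vault: TokenVault):
    """Replace every Luhn-valid PAN in the records with its vault token."""
    def repl(m):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return vault.tokenize(digits)
        return m.group()                          # leave non-PANs untouched
    return [PAN_CANDIDATE.sub(repl, text) for text in records]


if __name__ == "__main__":
    vault = TokenVault()
    print("before:", find_pans(SAMPLE_RECORDS))
    cleaned = tokenize_records(SAMPLE_RECORDS, vault)
    print("after: ", find_pans(cleaned))
    for line in cleaned:
        print(" ", line)
```

Running the scanner before and after tokenization is the check that matters here: the first pass should find exactly the two real card numbers and ignore the Luhn-invalid tracking number, and the second pass should find nothing, because only the vault can turn a token back into a PAN.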

Update 10/11/10:  Here’s the second article on tokenization and some of the questions to ask, “If your token vendor goes bankrupt, what happens to your data?”



No responses yet

Oct 04 2010

Network Security Podcast, Episode 216

Despite catching some kind of ConFlu at HacKid, Zach manages to join Martin for a sniffle-filled show. Rich is off in London, speaking at RSA Europe 2010 (or, well, sleeping).

Network Security Podcast, Episode 216, October 12, 2010
Time: 32:45

Show Notes:


No responses yet

Sep 15 2010

Market leadership through lawsuit?

I am not a lawyer and I don’t even pretend to understand the complexity of our patent system when it is applied to software, but I’m always astounded when companies file lawsuits based on broad, over-arching technology solutions.  I find this especially distressing when it affects a market that is, in itself, a fairly simple idea, like database encryption.  So when I received a press release from Protegrity stating they’d filed suit against Ingrian, Safenet, NuBridges and Voltage this morning, it did not sit well with me.

I’ve seen too many companies over the last decade that are nothing more than patent trolls who acquire patents specifically for the purpose of lawsuits.  Protegrity clearly is not a patent troll; they’ve been very active in the database encryption market and likely have every right to file this lawsuit.  I’m more concerned in a number of ways with the turn our patent process has taken since software patents were allowed than with this particular lawsuit, but I’m hoping that Protegrity isn’t using a legal attack to take out some of its biggest competitors in the field of database encryption.  Only time will tell if it has that effect, whether it’s intended or not.

The other thing that really worries me is the effect this will have on the still young end-to-end encryption market space.  Will the potential of a lawsuit based on these or other patents related to E2E have a chilling effect on new technology that shows the potential to make huge improvements in credit card security?  Or is there so much money to be made in the E2E field, so many big names backing the smaller players, that the potential of a lawsuit will be overcome by the potential to make a profit?  I suspect the potential lawsuits will make companies think twice, but in the end the potential profit will quickly overcome any worries about lawsuits.

As always, read the press release, read between the lines and make your own decision.  I’ve included the entire press release below the break for your review.

Continue Reading »

2 responses so far
