Tuesday, June 17, 2008

Spliced feed for Security Bloggers Network

Crazed Bovine Traversal [Room362.com]

Posted: 17 Jun 2008 08:17 AM CDT

So I was at a ‘talk’ recently where the topic was geared toward the technically inclined, but the whole talk was geared toward managers and low-level IT bubbas, if you will. But as I sat there stabbing myself in the eye with my pencil (hence the mad cow reference) I came up with some hare-brained ideas. Now, some of these ideas might already be out there or thought of, and I haven’t googled any of them; I just wanted to write them down somewhere for people to comment on.

1. Ringtone viruses: Now this was by no means an idea that I had, but it was mentioned during the talk and I was intrigued how it worked or whether the presenter just pulled it out of thin air. The reason I bring it up, other than for someone to explain it to me, is for reference later.

2. iPhone SDK based GPS hacking: So here is an idea. With the new craze that the new cheaper iPhone is going to create, what is stopping the malware writers from writing a cool app that you can download, and now, since you are connected to “MobileMe”, it sends all of your email, contacts, files, and calendars to a new source? Plus, now that it syncs everywhere, you think you are syncing with the “cool” app's servers, and what they are doing is a completely new form of spyware. They have a GPS location on you, read your email, and have all of your corporate documents that you sync to iDisk. Talk about a Social Engineer's/Phisher's dream.

3. Contact Phishing: To keep going down the route we are already on, how often do you check to make sure that the phone number you have for “bank” is the correct number in your contacts list? What if someone using one of the previously mentioned avenues of attack, changed that number to another number and set up a Phishing 1800 line? Now, instead of having a browser to tell you that you are on the wrong server, you have to trust..... ? Exactly.

So, to completely derail this post off the Mobile Hacking topic: I am looking for a good reference on Unix/FreeBSD crypto. I have a friend who is completely convinced that even if someone has your /etc/shadow file, you are not in any danger. Help me out guys; a link, an explanation, anything would work.
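The short answer to the /etc/shadow question is that the file holds the password hashes, and a hash is all that is needed to test guesses offline without ever touching the login service, so the damage depends on how cheap each guess is (traditional DES crypt and md5crypt are cheap; sha512crypt with many rounds, bcrypt and yescrypt are deliberately slow) and on whether any password field is empty. The audit script below is an added example, not Room362's code: the shadow entries it reads are constructed placeholders, the field layout follows shadow(5) and the hash identifiers follow crypt(5), and the 5000-round threshold is crypt(5)'s default, used here as an assumed baseline.

```python
"""Audit /etc/shadow password fields for weak hash formats and passwordless accounts.

Sample entries are constructed, not taken from any real system.  Field layout
follows shadow(5): name:password:lastchanged:min:max:warn:inactive:expire:reserved
"""
from dataclasses import dataclass
from typing import Optional

# crypt(5) hash identifiers: id -> (name, deliberately slow / tunable?).
# Traditional DES crypt has no "$id$" prefix at all.
HASH_IDS = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True),
    "2b": ("bcrypt", True),
    "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "7": ("scrypt", True),
    "y": ("yescrypt", True),
    "gy": ("gost-yescrypt", True),
}
SHACRYPT_DEFAULT_ROUNDS = 5000  # crypt(5) default when no rounds= parameter is given (assumed baseline)


@dataclass
class Finding:
    user: str
    algorithm: str
    issue: Optional[str]  # None means nothing to report for this entry


def classify_password_field(field: str) -> tuple:
    """Map one shadow password field to (algorithm name, issue or None)."""
    if field == "":
        return "none", "empty password field: no password is required to log in"
    if field[0] in "!*":
        # "!", "!!" and "*" mark a locked account or one with no usable password
        return "locked", None
    if field.startswith("$"):
        parts = field.split("$")  # ['', id, param-or-salt, ...]
        ident = parts[1]
        if ident not in HASH_IDS:
            return "unknown", f"unrecognised hash identifier ${ident}$"
        name, slow = HASH_IDS[ident]
        if not slow:
            return name, "fast legacy hash: each offline guess costs little, so a leaked hash offers weak protection"
        if ident in ("5", "6"):
            # sha256crypt/sha512crypt accept an optional rounds=N parameter before the salt
            rounds = SHACRYPT_DEFAULT_ROUNDS
            if len(parts) > 2 and parts[2].startswith("rounds="):
                rounds = int(parts[2][len("rounds="):])
            if rounds < SHACRYPT_DEFAULT_ROUNDS:
                return name, f"rounds={rounds} is below the crypt(5) default of {SHACRYPT_DEFAULT_ROUNDS}"
        return name, None
    if len(field) == 13:
        # Traditional DES crypt: 2-char salt + 11-char hash, passwords truncated to 8 characters
        return "descrypt", "traditional DES crypt: 8-character truncation and very fast to guess offline"
    return "unknown", "unrecognised password field"


def audit_shadow(text: str) -> list:
    """Parse shadow-format text and return one Finding per account."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; a production auditor would report it
        user, pw_field = fields[0], fields[1]
        algorithm, issue = classify_password_field(pw_field)
        findings.append(Finding(user, algorithm, issue))
    return findings


def accounts_needing_attention(text: str) -> dict:
    """Return {user: issue} for every entry that has something to report."""
    return {f.user: f.issue for f in audit_shadow(text) if f.issue is not None}


# Constructed sample file: salts and hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$c0nstructedSalt$placeholderHashBody:17700:0:99999:7:::
alice:$y$j9T$c0nstructedSalt$placeholderHashBody:17700:0:99999:7:::
bob:$2b$12$c0nstructedSaltAndHashPlaceholder:17700:0:99999:7:::
carol:$6$rounds=1000$c0nstructedSalt$placeholderHashBody:17700:0:99999:7:::
dave:$1$c0nstruc$placeholderHash:17700:0:99999:7:::
legacy:c0nstructedDE:17700:0:99999:7:::
svc:!!:17700:0:99999:7:::
guest::17700:0:99999:7:::
"""

if __name__ == "__main__":
    for user, issue in accounts_needing_attention(SAMPLE_SHADOW).items():
        print(f"{user}: {issue}")
```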

 

Presentations: Why less is more [Security4all] [Belgian Security Blognetwork]

Posted: 17 Jun 2008 08:11 AM CDT

Simplicity means the achievements of maximum effects with minimum needs. Keep your slide design to a text-light but visual strong version. Even pausing with a blank screen as Steve does in the...

The OCC and Application Security: Vindication at Last [BlogInfoSec.com]

Posted: 17 Jun 2008 06:00 AM CDT

On May 8, 2008, the OCC (Office of the Comptroller of the Currency, part of the U.S. Department of the Treasury) issued Bulletin 2008-16, which you can find here.

As the OCC states, there have been prior mentions of application security by the FFIEC (of which OCC is a member), NIST and others. However, this is the first guidance, as far as I am aware, issued by a U.S. government regulator, which is specific to application security and is prescriptive to a relatively fine level of detail. Yes, the PCI DSS (Payment Card Industry Data Security Standard), issued and enforced by Visa, Mastercard, American Express, and others, emphasizes measures to achieve higher levels of application security, but these organizations are not government agencies and, although highly influential, do not carry the weight of the government.

Now back to the OCC Bulletin … It is gratifying to see that the OCC has acquired such a high level of knowledge and expertise in this space, as demonstrated by the content of the Bulletin. For example, the OCC includes an Appendix containing the top ten vulnerabilities as posted by OWASP (Open Web Application Security Project).

As an aside, I have very high regard for OWASP, and have had some involvement with the organization. I have participated in meetings of the New York/New Jersey Chapter and am scheduled to be on a panel at their World Conference in New York on September 22-25, 2008. OWASP is essentially an all-volunteer international organization that issues really great material for the practicing application security professional.

The OCC focuses on software which supports a bank's products and services and which is developed internally or outsourced to a third-party developer subject to a defined contractual arrangement, as well as on COTS (commercial off-the-shelf) banking applications, with particular emphasis on Web-based applications. It explicitly excludes "operating systems, generic office products, and other nonbanking software …"

The OCC guidance recognizes the importance of reducing risks related to the security triad: confidentiality, availability and integrity. They say that the risk assessment should include the following key factors:

  • Whether sensitive data can be accessed and processed through the application
  • The nature of the developers of applications, such as internal staff, third parties, etc.
  • The degree to which the SDLC incorporates security practices
  • Whether there is a recurring process to find and fix vulnerabilities
  • Whether there exists a process for periodic independent validation of application security

The guidance goes on to suggest the following be part of a risk assessment:

  • Incorporating attack or threat models
  • Monitoring and analyzing environments in which applications are deployed
  • Subjecting open-source applications to the same development and assurance processes
  • Performing periodic application testing and validation processes

This is all good stuff. It's what many of us have been touting for years, but we have often been subjected to a whole lot of pushback. Now that a regulator is promoting these principles for achieving greater application security, it will be an easier sell to management, particularly in financial services. But even if you are in a different industry, many of the same factors and measures apply. Why not circulate the OCC Bulletin to your management as examples of practices that everyone should be following?


Copyright © 2008 BlogInfoSec.com.

Very decent Security Podcast.. [extern blog SensePost;]

Posted: 17 Jun 2008 05:54 AM CDT

I am probably one of the last people around to discover this, but I'll post it here for the (probably) 2 other people in the world who have yet to stumble upon: Risky Business.

It's pretty hard to find good quality security podcasts without some pretty sad signal to noise ratios (or adverts for SpinRite), but Risky Business is definitely a keeper.

I downloaded a few older episodes to help me through a long drive this weekend, and was very pleasantly surprised. If you have not yet added it to your podcatcher, you probably will.

rethinking ye old truths [extern blog SensePost;]

Posted: 17 Jun 2008 05:49 AM CDT

Since forever, I've been told (and told others) that the greatest threat is from the inside. Turns out, not so much. Verizon Business (USA) apparently conducted a four-year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. However, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches etc. (62% of cases).

So attackers are generally outsiders taking advantage of bad internal behaviours, rather than local users finding 0-day. From the exec summary:

In a finding that may be surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study

Other interesting snippets that tie directly back into what we cover when we train, and why we think there is value in not only aiming at sploit-writing and 0-day:

Most breaches resulted from a combination of events rather than a single action.

Intrusion attempts targeted the application layer more than the operating system and less than a quarter of attacks exploited vulnerabilities.

In other words, bite-sized chunks for the win, core/canvas/metasploit are cute but that's not how customers get owned most often in the real world.

Link to the report, link to summary.

Scott Richter Settles Another Spam Suit [Richi Jennings]

Posted: 17 Jun 2008 05:18 AM CDT

Oh looky, it's our "friends" Steve and Scott Richter in the news again. This time, they've settled with MySpace for $6 million after being accused of spamming thousands of MySpace.com users -- and using phished accounts to do it (see today's IT Blogwatch for more).

Of course, Scott gave up spamming some time ago. Or did he? Brian Krebs today offers an interesting investigation into domain registrations of spamvertised Web sites:
More than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars ... Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin ... the seventh most-popular registrar among spammers ... [and] owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.
Remember kids, Rule #1: Spammers lie.

Physical and Logical Security [varie // eventuali // sicurezza informatica]

Posted: 17 Jun 2008 05:00 AM CDT

An example of convergence between logical and physical security:

WashingtonPost : Cyber Incident Blamed for Nuclear Power Plant Shutdown
A nuclear power plant in Georgia was recently forced into an emergency
shutdown for 48 hours after a software update was installed on a single computer.

A nuclear power plant in Georgia was forcibly shut down for 48 hours after a software update was installed on a single PC.

The example I usually give is that whether someone pinches my wallet out of my pocket or my bank account credentials via phishing, it makes little difference. This nuclear plant case is another fine example.

Ladies and Gentlemen please welcome.. [SIPVicious]

Posted: 17 Jun 2008 03:16 AM CDT

EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the LinkedIn Profile page, while Google has further details.

So what sort of things am I doing?
  • Wireless security auditing
  • Web Application Security
  • VoIP security research
  • Reverse Engineering

I'll continue developing SIPVicious and publish additional tools to help security professionals get the job done.

And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week.

German ID card won't include fingerprints [Security4all] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 08:27 PM CDT

Remember when the Chaos Computer Club protested against biometric data on their upcoming ID cards? This measure was widely criticized and the CCC published the fingerprint of the Minister of Interior...

The used car salesmen of NAC and the BNBB [StillSecure, After All These Years]

Posted: 16 Jun 2008 08:20 PM CDT

Few occupations have such a low reputation as used car salespeople.  Well OK, maybe lawyers ;-).  For the most part though, used car salespeople are not really as bad as they are made out to be, or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large, lemon laws, consumer protection rules and truth-in-advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation.  Who doesn't hear or read an ad today for cars without the "fine print" being mentioned?

In the world of NAC though, we have no such protections built in, it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then, much like someone applying for a job, do they ever give a reference who is not going to say something nice about them? The easy answer of course is to try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about; I call it the Better NAC Business Bureau (BNBB).  Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in.  The same way the used car salesmen of the world have been rehabilitated, let's do the same with NAC marketing!

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors.  The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center.  It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer.  The press release has quotes from the CIO of LVHHC.  The second press release and case study is from NAC vendor X.  It also claims that LVHHC uses this company's product for NAC throughout the entire organization.  They also have a quote from someone at the organization (OK, not the CIO, but someone).  Who to believe?  Does LVHHC have two NAC solutions?  I doubt it.  What to do?

Well, we can look at a little history.  For instance, which of these two NAC companies claimed they did not use Nessus in their NAC product, and then it turned out they did?  What company took the infamous TCP reset and tried to peddle it as a "virtual firewall"?  Of course there was the time they took out Google AdWords on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So let's give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little too quick to pull the trigger here.  Let's give them a chance to go back and check with their sources and see if they have the facts straight.  If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, let's give them a chance to retract or correct the press release and case study.  At that, the BNBB would close this file without any prejudice.  Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this?  Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness.  Let's give them a month.

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com


Social networking within large enterprises [Security4all] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 07:23 PM CDT

The enterprise architecture blog has a nice article about social networking within enterprise: Have you noticed that many consulting firms such as Accenture, Bearingpoint and even McKinsey will talk...

New version of the eID software delayed? [belsec] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 07:08 PM CDT

This is what the http://eid.belgium.be site says:

"In preparation for these new certificates, a new version (3.0) of the middleware, the software with which the data on the eID chip can be read and which provides the interface to applications that use the eID, will also be released at the beginning of May. This version is made available by Fedict to all citizens. The documentation concerning this version 3.0 of the middleware will be placed on this website in the same period."

(for English readers: at the beginning of May the new middleware 3.0 will be made available here)

but the version that you download is

1_22

finding other sites around taxonweb.be is childsplay (kinderspel) [belsec] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 06:57 PM CDT

When we use onsamehost.be we find the following for taxonweb.be:

193.191.209.193

  • eid.belgium.be [Belgium]
  • elections2003.belgium.be [Elections2003]
  • elections2004.belgium.be [Elections2004]
  • polling2003.belgium.be [Polling2003]
  • polling2004.belgium.be [Polling2004]
  • verkiezingen2003.belgium.be [Verkiezingen2003]
  • verkiezingen2004.belgium.be [Verkiezingen2004]
  • wahl2003.belgium.be [Wahl2003]
  • wahl2004.belgium.be [Wahl2004]
  • www.175-25.be [175-25]   DEAD SITE
  • www.belgie.be [Belgie]
  • www.belgien.be [Belgien]
  • www.belgique.be [Belgique]
  • www.belgium.be [Belgium]
  • www.e-gov.be [E-Gov] DEAD SITE
  • www.fedict.be [Fedict]
  • www.fgov.be [Fgov]
  • www.internetpourtous.be [Internetpourtous] DEAD SITE
  • www.internetvooriedereen.be [Internetvooriedereen] DEAD SITE
  • www.pcfobie.be [Pcfobie] DEAD SITE
  • www.peeceefobie.be [Peeceefobie] DEAD SITE
  • www.tax-on-web.be [Tax-On-Web]
  • www.taxonweb.be [Taxonweb]

I don't know, but wouldn't you expect that the most important online web service had its own independent infrastructure, so you could eliminate all the other traffic and lock everything down? The fewer other sites and infrastructure, the better.

The higher the required level of security, the more "less is better" applies.

Security by isolation

hack of the day www.abe-bao.be [belsec] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 06:42 PM CDT

Typosquatting taxonweb is childplay (kinderspel) [belsec] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 06:28 PM CDT

When we checked, they were all still free. These are the best ones.

taxonwb.be  taxoneb.be  taxnweb.be  taxoweb.be

tawonweb.be - taxpnweb.be

tax0nweb.be

In Canada you can read everything about the Belgian arrested in Canada [belsec] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 06:10 PM CDT

In the Canadian press you can read more, because in the Belgian press you will see that under Belgian law they have to call him just Vincent D., as the law obliges the press to be protective. But a full story with all the details and the name can be found here on the internet. It tells a lot about how some laws just become plain stupid in these internet times.

http://www.expressottawa.ca/

http://www.cyberpresse.ca/

Video (quite amazing french for a Belgian by the way)

And if you find the name and google it, then you will find enough other resources, but there are more people with the same name, which is a pity for them.

phishing a fgov.be change loginsite is childsplay (kinderspel) [belsec] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 04:39 PM CDT

How many people would fall for this? We could easily copy the code and the images and change the login site, but we took something that doesn't exist; it could be anything else, of course, and this site is just to change your login, which would be the traditional phishing story saying that your account was compromised and that you have to click on a link or something like that.

It is not very wise to let other sites use your graphics. You should block all hotlinking of graphics from your site if you want to make it a bit harder for phishers.

If you think that nobody wants to steal these things: after the States and the UK, and even in Holland, fake tax forms and other government things are coming to a stupid yes-clicking idiot near you.

No data are intercepted

We had to change the thing because copying the full page took too much from those very busy pages. I think some people are curious to see what we'll do next.

You will now find a copy of the fake page that was made with the code that was available, without any encryption, obfuscation or redirect links, on the source page.

1_2

Lynis: Security and System Auditing Tool [/dev/random] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 02:45 PM CDT


Michael Boelen announced today a new release of his tool called Lynis dedicated to UNIX specialists. Michael is also the developer of RootKit Hunter.

Quote from the homepage: “Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).“.

I use it regularly on my servers. Keep up the good work Michael!

Upside-Down-Ternet [/dev/random] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 01:19 PM CDT


Security is part of our daily life and is a serious topic. So, when it can be made with some fun, it’s even better! ;-)

Check out: Upside-Down Ternet.

Dutch users Alert! - Beware of fake Tax Forms [miekiemoes] [Belgian Security Blognetwork]

Posted: 16 Jun 2008 12:38 PM CDT

This is especially a warning for Dutch users (from the Netherlands). There's malware spreading which changes your start page to a random Dutch site (a .nl domain, which is a compromised/hacked site), presenting you with this:



Full screenshot of the form:



NOTE.. This is NOT from the legitimate belastingdienst.nl site as they DON'T ask you for this info (PINCode etc).
Even though it says it's from belastingdienst.nl, it's NOT. Only the template from belastingdienst.nl was used here, not the form itself.
Also note the "Microsoft Certified" and "Comodo Hacker Proof" logo to make it look like a legitimate site.

This piece of malware is especially designed to target Dutch users in order to steal their banking info.

I found this out yesterday while I was helping a user with an infected PC. The PC was severely infected/badly compromised...
There was also a .bat file present, with the command to change the Internet Explorer startpage to a random .nl site with this fake tax form.
I'm still waiting for the samples and more info how this user got infected in the first place.
I guess this infection is spread via MSN, however, I cannot tell for sure yet. The samples and extra info should tell...

So beware when you see similar forms... especially when they ask to enter your PINCode.

The Pain of Ordering a Ford Escape Hybrid [The Falcon's View]

Posted: 16 Jun 2008 12:35 PM CDT

We have a baby on the way, and so it's time to get rid of my 2-door Civic. Back in April, we decided on the Ford Escape Hybrid, but found out that they were few and far between. The 2009...

VoIP and Steganography [varie // eventuali // sicurezza informatica]

Posted: 16 Jun 2008 08:39 AM CDT

Cornell University: Steganography of VoIP Streams

In this paper we are presenting available covert channels in VoIP streams that may be utilized for hidden communication for IP telephony service.

VoIP and steganography, that is, an overview of the covert channels in voice streams.

Geekery [Liquid Information]

Posted: 16 Jun 2008 05:05 AM CDT

I decided to do a clean install of my Ubuntu. All other backups were fine except for firefox, so I have to start collecting links again. I chose the alternate install and just hit the guided encrypted filesystem. It calculated a reasonable swap partition so hibernate also worked out of the box. I still need to put the ppp settings in place so I can use a mobile phone to dial-out, else things seem to be pretty much as I want them.

I also got a Zyxel ADSL WLAN modem for free and replaced my old hardware (1 ADSL modem and 1 WLAN router). I am pretty happy with the device so far; throughput in the local network increased by almost 1 MB/s, so there was a considerable boost in WLAN performance. I also disabled all means of administration other than HTTP and tweaked some other security options.

Vacation has gone well; quite a bit of barbeque action, some handyman work with our terrace and other activities like swimming and cycling. I've read blogs and news sites quite regularly but haven't really paid attention to blogging.

As I talked about in an earlier blog entry on Google's new diagnostics service, it seems they're actually in the process of removing sites from the index and contacting site owners. The site can be put back in the index after the reason for removal has been corrected. I read this from belsec and it contains links to other discussions as well. I'm not sure if the removal refers to the alert banner being shown, as I already talked about, or if it actually gets removed from search altogether (which would be a new thing).

Baby tests Two-Factor Authentication [PCI Blog - Compliance Demystified]

Posted: 16 Jun 2008 03:12 AM CDT

Yes, it’s true, even babies can be PCI DSS compliant.  It appears that having children means integrating them into your life and watching as they integrate into yours.  A good friend of mine, Jacob, blogged about how his baby utilizes two-factor authentication to verify that the person holding him really is “Daddy”.

Some of my colleagues joked with me when we were expecting that he would be born knowing the PCI DSS requirements. I guess he's got 8.3 down at six and a half months.

CPISM Wiki [PCI Blog - Compliance Demystified]

Posted: 16 Jun 2008 03:04 AM CDT

In reference to the Certified Payment-Card Industry Security Manager (CPISM) there is a Wiki article now online.   This certification is managed by the Society of Payment Security Professionals (SPSP).  If you have not registered then do so now.  Once you join you can browse the member list and see the wide range of professionals that participate.  Also, you can download the membership demographics analysis showing this distribution and member attributes.

They are currently in the process of upgrading the back-end software to improve all of the current features, including the Forum and Blog.  Once updated, you will be able to subscribe to individual RSS feeds for every part of the site, including the updated online forum.  Look forward to new features in the future, for even better collaboration.

PCI DSS Requirement 6.6 [PCI Blog - Compliance Demystified]

Posted: 16 Jun 2008 02:52 AM CDT

Many people know by now that PCI DSS Requirement 6.6 is going into effect (meaning you must be compliant) on June 30, 2008.  What these same people are asking is, how does this apply to me and my business?  And how can or should I comply with this requirement?  There have been a number of blog posts about this requirement and even more discussions about what it all really means.

What does it mean?

In order to understand this you have to take my Attack Vector based Risk Management (AVRM) approach towards the intent behind this requirement.  One could easily argue that the intent behind this requirement is to prevent Internet-facing web-application compromises, and you would be correct, but also missing the deeper meaning and back story.

Although card-present (typically IPOS) systems account for a greater number of credit cards stolen, about half of all account compromises are a result of web-application data breaches.  Of this population, about 90%+ of the data compromises are a result of the top 5-10 web-application vulnerabilities.  These include, but are not limited to, SQL injection, cross-site scripting, cross-site request forgery (CSRF) and other input/output validation issues.  Knowing this you can now imagine that if we could mitigate the risk of these top attacks we could reduce the population of credit card data breaches by almost half!  (This does not reduce the number of credit cards stolen by half.)

The consideration here is not just to protect against the OWASP Top 10 but to consider those that apply to your web-application and understand those that cause the highest risk to your application.  Consider the risk you could mitigate simply by properly validating the input/output on your application.  Would this address all risk?  No, but it would get you significant progress towards that goal.

Also, remember there is a difference between compliance and validation.  If you validated your compliance prior to June 30 you do not need to re-validate for 12 months, but you do need to be compliant with the standard at all times.  Compliance is a state of being that you must maintain at all times; for this requirement it means on or after June 30, 2008.

How can I comply?

The best part about this (and other) requirements is the large number of ways to comply.  Remember, the goal is to meet the intent - so how can we do this?  Well, the standard states two options, and the intent leaves it open to many others.  Let’s list the two given options first:

  • Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
  • Install an application-layer firewall in front of web-facing applications

First, remember that it is not comparing apples to apples here, but providing options that different enterprises can implement depending on their specific needs and abilities.  We are still aiming to meet the same intent.  Notice that, agnostic of technology, we can meet the intent using either of the prescribed methods.

Second, we should use the ‘intent’ defined above, via the AVRM model, to understand what “common vulnerabilities” means.  To clarify the meaning of “an organization that specializes in application security”: they are saying you should use a company that can identify the “common vulnerabilities” and remediate them, rather than your 8-year-old nephew who just took his first computer programming course.

Now people are always asking what is an “application-firewall”.  They know what it is, but want to know what you think it is.  We should no longer have to answer that question again, because agnostic of technology an “application-layer firewall” should satisfy the intent behind this requirement as outlined above.

Still not enough?  Well, the PCI SSC has released an Information Supplement that clarifies Requirement 6.6.  Among other things, this supplement offers four additional alternatives towards meeting the intent of this requirement:

  1. Manual review of application source code
  2. Proper use of automated application source code analyzer (scanning) tools
  3. Manual web application security vulnerability assessment
  4. Proper use of automated web application security vulnerability assessment (scanning) tools

Still not enough to meet your business requirements?  Then document a compensating control and write up how it mitigates the risk, to meet the intent, that could not be accomplished due to a legitimate business or technical issue.

[Chinese] Being an outstanding architect [Telecom,Security & P2P]

Posted: 15 Jun 2008 07:16 PM CDT

For more than a year now, I have been continuously searching for an architect. I collected over a hundred resumes and interviewed at least several dozen people, most with quite good career histories and quite good project experience; they were outstanding in many technical areas and held quite a few valuable certifications, such as CCIE. Yet, regrettably, I have to tell everyone that finding a satisfactory architect is really not easy. An architect, as the word itself implies, controls the style, structure, and standards of a building. An IT Architect is no exception. Architects decide the direction of technical solutions, influence management decisions to a large degree, and are crucial to subsequent operation and business delivery.

Frankly, although some candidates were rejected because of their English, the reason I passed on most candidates was their way of thinking about problems and their technical maturity. Let me summarize my understanding of what an architect is.

1 Architecture-oriented thinking
A goal or a design task, in an architect's mind, always has layers and is three-dimensional, like a building in a sketch: what type of building it should be, how many supporting faces it needs, roughly how tall it should be (how many floors), how many functions it must satisfy… In fact, this is a habit of thinking. In a speech, our senior leader raised the topic of taxonomy, stressing that taxonomy is one of the qualities a manager most needs. Borrowing that, an important quality or value of an architect is to get the "taxonomy" of a problem or solution clear: which aspects to consider, what the most important "driver" is, what the key needs are, and which are the key design elements. Of course, doing this requires a strong theoretical foundation and rich experience, so that the TOP3 or TOP5 you present is persuasive and is the real TOP3/TOP5.

2 Presenting and communicating complex things simply
I forget where this saying comes from: making a book thick is hard, making it thin again is harder. The way I understand it: reading many, many books and mastering a great deal of knowledge is hard, but being able to integrate all that knowledge and abstract it into a concise, accessible "condensed" version is even harder. Why must an architect have this ability? Architects need to do a lot of communicating, and the most important communication is upward: communicating with management, reporting the key points of a solution to them, and obtaining their understanding, support and approval. Generally speaking, management does not understand technology, or at least is not expert in it, and does not care about technical details (because their job is the business, isn't it? IT is a business, and what it supports is also the business).

3 Broad knowledge
An architect is not an artist (who draws beautiful building plans), nor a mechanics or materials scientist. He is proficient in the main technologies, familiar with the latest trends in the industry, uses them for his own purposes, may even go on to form his own design style and vision, and then persuades management and team members. This is the difference between an Architect and a specialist in a particular area (SME, Subject Matter Expert).

4 A business-oriented sense of cost
Enterprise IT differs from scientific research: technology can never be discussed apart from cost, which is why you cannot ask whether a Mercedes or a Sail is better. Outstanding architects have a strong sense of cost, know the cost characteristics of different technical solutions, and understand the basic cost constraints that different business needs impose. So outstanding architects can offer management and users technical solutions that are "fit for purpose" and "secure and reliable".

Firefox 3 Final released in 2 days and some security reviews [Security4all] [Belgian Security Blognetwork]

Posted: 15 Jun 2008 12:39 PM CDT

First of all, help Firefox break a Guinness World Record by downloading it within 24h of its release, announced for the 17th of June. Just two days from now. There are already some reviews of the...
