Monday, June 30, 2008

Spliced feed for Security Bloggers Network

Tiger Team Operations vs. Penetration Tests [GNUCITIZEN Media Portfolio]

Posted: 30 Jun 2008 06:15 AM CDT

If you read the Wikipedia’s definition of Tiger Team you get the following: A tiger team is a specialized group tasked with testing the effectiveness of an organization’s ability to protect assets by attempting to circumvent, defeat or otherwise thwart that organization’s internal and external security. And further down we have In the computer security field, the term is now obsolete, and more common terms are penetration testers or security testers. Security assessment testing of a computer system or network infrastructure is called penetration testing, which I find very untrue.

There is a significant difference between a tiger team operation and a penetration test. They differentiate largely in terms of quality, pricing and also the time frame which is allocated for each project. Let’s have a look at these differences.

Quality

It is needless to say that tiger team operations will produce more quality if this is what you are after. Tiger team operations involve more than one expert in the info security field. Not to mention that each expert specializes in, or is good at, a different area altogether when compared to the rest of the participants. This adds a lot of value and it works a lot better in the long term for companies/organizations who are interested in protecting their digital assets.

When a tiger team operation is established, there is a lot of brainstorming involved. This usually leads to greater input and therefore a much better job. Simply put, the more heads are thinking on the same problem, the more solutions you will get, and much more quality is provided as a result.

Penetration tests, from what I can see from the market today, usually involve only one person. I must admit that I’ve seen penetration tests which consisted of more than one info sec expert, but all of them specializing in the same field. As you can probably guess, this is not very good from a creative input point of view, since all experts will tackle the problem from the exact same angle. Therefore, the quality is much lower.

Pricing

Tiger team operations cost a lot more when compared to penetration tests, because they involve several experts for a longer period of time, as you will see in the next section. A single tiger team operation may take a lot of money, but at the end of the day you get what you pay for. You can buy jeans from the local market for 5-a but if you want the quality stuff you might want to get the American denim which will cost you a lot more.

In the UK, for example, anything that is less than £1000 per day of onsite work should tell you that the people who will test you will run Nessus and this is how far their commitment to your situation goes. Still, many companies are doing exactly this. In some very rare situations you get good stuff for not much, but this is very, very rare. Probably you’ve hired a good startup company which does not know how much to charge you just yet.

Time frames

Tiger team operations usually take more time than standard penetration tests. Why? Because they are custom tailored for the specific situation. Strategic planning is the key. But on the good side of things, you don’t have to attend to the team’s progress at every single step. The quality and professionalism speak for themselves. So, in general, you do a better job by not investing your time, which usually costs you money.

Penetration tests are very narrow and can take up to a single day, which in some cases is enough and in others is just the start; but if it is a pentest then what is done is done and this is how much you get, otherwise you have to pay more, which may not be enough and which, again, takes up your time. As you can see, this is a mess.

Conclusion

I guess I am biased, being the leader of the only tiger team in the UK, but I wouldn’t have been part of such an initiative unless I believed in its values and qualities. There are many differences between both types of services and they all fit different types of clients. Therefore, both of them fit different needs. It is up to the client to decide what they really need.

Wireless and PCI - executive dinner in NYC [PCI Blog - Compliance Demystified]

Posted: 30 Jun 2008 02:35 AM CDT

AirDefense and Motorola have partnered to hold an executive dinner on wireless security in NYC on July 17th, 2008. They invited us to present and I’ll be talking about wireless security as it relates to PCI DSS compliance. I’ll also be discussing the difference between compliance and validation as it pertains to current data compromises.

If you’re in the NYC area and care about wireless security, you should register for the event and attend. I’ve always said that it’s better to have more tools in your toolbox. Attending this session will broaden your understanding of the standard and help you maximize your security capital by focusing on day-to-day security while satisfying your compliance needs.

I knew a company once that reverse engineered their database system so they could extract the encryption/decryption keys just so they could print them out and store them under “dual control” in two different safes.  That company successfully increased the risk to cardholder data just to meet a perceived compliance need.

I’d like to help you better understand the standard, especially those surrounding wireless security, so you can be more effective in securing your infrastructure.

Online Attacks for Political Reasons [Sunnet Beskerming Security Advisories]

Posted: 30 Jun 2008 02:33 AM CDT

It seems that the only time that state-sponsored online attacks are covered in the media is when someone wants to create a short term scare campaign that is focussed on driving business to a company, or on increasing funding or perceived relevancy for a government agency or group of agencies. Perhaps the best known case in the last few years was in Estonia, though there remains contention about who exactly was behind the attacks. Even though the official story is that an ethnic Russian in Estonia was responsible, there are those who still believe that the attacks were coordinated and managed from Russia.

State sponsored attacks are always guaranteed to attract interest, but the idea of semi-state and stateless organisations developing online attack capabilities for political goals is also starting to attract attention. With many of the groups that have openly admitted to developing such capability already engaged in open attacks in other environments and many also attracting designation as 'terrorist' groups, an online attack that is claimed by or attributed to one of these groups is considered far more likely than a state-sponsored attack. While the technology and methods used may be no different from those used in spam, phishing, and other online criminal activity, it is the political intent behind their use which places them in a separate class.

Supporting this argument are a number of claims by different terror groups, surfacing in recent weeks and months, that they have access to an electronic attack capability. These claims are actively promoted by the groups, who argue that it allows them to level the playing field against their opponents and, more importantly for them, it provides a means to disrupt their opponents without significant risk to themselves.

Even though online attacks offer far less personal risk to the instigators, there are still some global regions where this is not the case. Earlier this year Israel killed a Palestinian believed to have been in charge of the online attack element for a Palestinian militant organisation, but this is probably the only global region where an electronic attacker may be at significant personal risk.

India is the latest country to join the ranks of those accusing China of attacking their internal networks and systems. This accusation is more significant than most, given the geographic proximity of the two countries and their historical military and political tension (including two current disputed regions and a number of historical armed conflicts).

It will be interesting to see how the two most populous and rapidly developing countries in the world handle this sort of activity and how each responds to claimed attack and counter-attack, given that the attacks may be attributed to state-sponsored, semi-state, and stateless bodies in varying proportions. Though the scale of the attacks is relatively small, given the overall size of both countries, the economic and technological boost that has been delivered with the outsourcing industry means that some of the juiciest targets in India are actually datasets belonging to foreign companies.

There is no sign that these sorts of attacks will increase in scope anytime soon, but it is something to consider with data security concerns - especially in an outsourced environment. You might wake up one day to find that your data is being held ransom or under attack by an external party that is actually targeting your supplier and not you directly. That is cold comfort for the people whose data lies within that dataset and it will be you ultimately held responsible for its safety.

SC Magazine World Congress 2008 [StillSecure, After All These Years]

Posted: 29 Jun 2008 11:30 PM CDT

For a while over the past few years it seemed like there was a security show a month. It got so watered down that it was hard finding any value in some of these shows. Over the last few years though in a case of natural selection I guess, many of these shows began falling by the way side. This past year I have attended a few good shows and over all I would say the shows have been better attended. I think shows that have great content and not just a trade and exhibit floor provide the value that people want to see.

In any event, the folks at SC Magazine first approached me about a show they were planning in the NY area, around the time of RSA. I think a good security show in the Northeast would be great. I also have a lot of respect and admiration for the Haymarket Media group who run SC Magazine. So I am really happy to write about the first SC Magazine World Congress taking place December 9 and 10 at the Javits Center in NYC. I will be there for sure and hopefully you will be too! Mark your calendars.

PIN Theft [PCI Blog - Compliance Demystified]

Posted: 29 Jun 2008 11:23 PM CDT

We have blogged before about attacks on PIN terminals, but here’s another blog post and interesting video on that theft in action.  It seems The Real Hustle has a number of YouTube videos on a variety of scams ranging from technical to strictly social engineering.

Definitions, Roles and Responsibilities of PCI [PCI Blog - Compliance Demystified]

Posted: 29 Jun 2008 11:16 PM CDT

In the payments industry there exists the PCI guidelines.  When we refer to PCI we are usually talking about the PCI DSS, although as anyone will tell you there is also the PCI PED, PCI PA-DSS, and others you should be aware of.  But what are the roles and responsibilities within this arena of acronyms?

For many of us we hear things such as PCI DSS, QSA, ASV, SAQ, SAP, and our eyes roll back in our heads.  In fact I was talking with someone to come up with the longest PCI acronym and we came up with head-spinning examples such as “PCI DSS SAQ FAQ”, which is based on the SAP, audited by a QSA.  Baaaaaaaaah!

To clarify some of this we should segment the conversation into compliance documents and validation documents. The PCI DSS is a set of 12 requirements (the “digital dozen”) that companies must comply with. If you are a Level 1 merchant (i.e. a large company) you are required to validate using the Security Audit Procedures (SAP). If you are a Level 2-3 merchant (i.e. a medium-sized company) you are required to validate using the Self-Assessment Questionnaire (SAQ). Level 4 merchants (i.e. small companies) are not all required to validate, but must comply at all times.

The PCI Security Standards Council (SSC), or the “Council”, is an independent standards body made up of the five participating card brands - American Express, Discover, JCB, MasterCard Worldwide, and Visa Inc.  They oversee the standard itself along with the validation document.  They also qualify a closed list of assessors to perform the PCI audits and the Internet vulnerability scans.  These are called QSAs and ASVs respectively.  More on these later.

The following is a list of documents managed by the PCI SSC:

  • PCI Data Security Standard (compliance)
  • PCI DSS Security Audit Procedures (validation)
  • PCI DSS Self-Assessment Questionnaire (validation)
  • PCI DSS Security Scanning Procedures (for ASVs)
  • PCI PED Standards (compliance and validation)
  • PCI Payment Application Data Security Standard (PA-DSS)
  • as well as endless FAQs, information supplemental, and much more

Other acronyms include those involved in assisting with the PCI DSS audit. The Qualified Security Assessor (QSA) list includes companies, qualified by the PCI SSC, who assist merchants in validating their compliance against the PCI DSS. Why would you need one of these companies? Well, technically, Level 1 merchants can perform the audit with their internal audit department so long as the report is signed off by an officer of the corporation. The reason companies hire QSAs is the same reason they hire an external penetration tester - expertise and experience.

The Approved Scan Vendors (ASV) list includes companies, qualified by the PCI SSC, who assist merchants in validating their compliance via the use of Internet vulnerability scans. Merchants must scan their exposed and in-scope Internet-connected systems quarterly and remediate any high-risk items.

Roles and Responsibilities

As Martin McKeay aptly noted, we must first understand who is in charge of what before asking questions or making accusations.

The PCI SSC is in charge of setting the rules.  That is it.  They manage the standard, the assessors, and provide information and clarity on both.

The card brands are in charge of enforcement of the standard.  This includes setting merchant levels, service provider levels, and working with the acquiring banks to manage compliance of all merchants.  They also get involved in the event of a compromise.

Now here’s the tricky part - not all card brands are alike.  Visa and MasterCard will never deal directly with a merchant.  Instead they will work through Issuing and Acquiring banks.  Whereas American Express, Discover, and JCB can go either way (working via issuing and acquiring banks or working directly with the merchant.)  Why is any of this important?  Because whoever the merchant’s acquiring bank is, be it Bank of America or American Express, they will define your validation deadline and work with you until you fully validate compliance.

If this still doesn’t make sense or you have further questions be sure to email or call us - both are listed on the homepage of this blog.

Where does all the data go? - Hacker Underground [PCI Blog - Compliance Demystified]

Posted: 29 Jun 2008 10:39 PM CDT

These days I have been thinking and researching the great question of “Where does all the data go?”  We read about data compromises in the news and hear about large fines and penalties geared towards corporate America (or “end users” as @cmlh likes to call them.)  But what happens to that data after it’s stolen, lost, or ‘exposed’?  What happens in the hacker underground and how is it frighteningly similar to the US housing market crash?  Why do hackers wait before selling off their stolen data?  Why does this give us time to prepare?  And what is the ROI of reporting data compromises.  I’ll be creating several blog posts and podcasts on this very topic.

The carder underground is not too dissimilar to the e-commerce marketplaces we use such as eBay. You see, once a hacker can compromise credit card data (we’ll get to how very shortly), they want to monetize this data. But who would trust someone who is selling illegal information in a digital format? If they are a thief, then what keeps them from selling the same data to multiple people and making even more money? Well, how do you know who to buy from on eBay? Reputation! That’s right, carders would give each other feedback online to build their reputation. This enabled people to know who the reputable hackers were and which were not (if that’s even possible to say.)

Historically carders would sell their wares brazenly via online websites such as Boa Factory, CardersMarket, and ShadowCrew. These A-list credit card trading centers gave rise to hundreds of smaller sites such as TheftServices, CCPowerForums, ScandinavianCarding, DarkMarket, DarkPay, and The Grifters.

Boa Factory was run by Roman Vega, a Ukrainian national, presently in jail in California. He was king of the underground, making large amounts of money selling passports, travelers checks, plastic cards, and “dumps” (what hackers call Track or Magnetic Stripe Data). Roman operated unlike all others in that he subcontracted work to lawyers, botnet owners, hackers, traffickers, and carders.

Shadowcrew was a similar operation but operated as a message board for hackers to trade and exchange illegal credit card information such as “dumps”, CVV2 numbers, social security numbers (SSN), and much more.  A hacker with the handle of Iceman ran the bulletin board and policed the illegal activities.  Another member of that board David Thomas (aka. ElMariachi) disliked the operation and broke off forming another site called The Grifters.  Iceman and ElMariachi disliked each other in ways never imagined.  (You can read their banter back and forth in the comments section here.  You can read even more about this via a compilation of news articles from CanWest News Service.)

Once law enforcement took down one message board another would pop up, and the carders and buyers would migrate their operations.  CardersMarket was the largest of the last online carder forums.  It was run by, you guessed it, Iceman.  When the police took down CardersMarket they arrested Iceman (aka Max Ray Butler, Max Vision, Digits, Aphex.)

Law Enforcement (LE) quickly caught on and started shutting down each of these online sites.  They defaced sites such as ShadowCrew telling the hackers they had taken over the website and would not permit this fraud.  Sadly, not all hackers are very smart and some thought it was just a joke.  They kept emailing the Secret Service asking for the stolen cards they ordered.  Instead of credit cards they received jail time.

These days the online message boards have all but disappeared, with the carders moving to older technology as their last resistance against law enforcement. Carders exist in a low-tech world without borders. They exchange credit card data on IRC (Internet Relay Channel) bulletin boards that have a tiered structure based on your level of access.

Now that we have identified the ‘carders’ of the underground, the next article in this series will focus on the actual flow of credit card data - from the POS to the point of monetization.  We will also explore how this channel is similar to the current housing market and why prices are so low.  Stay tuned.

Caption Contest [Random Thoughts from Joel's World]

Posted: 29 Jun 2008 07:36 PM CDT

Whoever makes the best caption wins. I don't know what you win, probably a pat on the back. But this picture is begging for a caption. Please leave them in the comments section.

Oh yeah, Bill Gates retired, may he enjoy his 'retirement'.  You did good things Bill, now is the chance to take all that money and do BETTER things.


Some interesting US documents [belsec] [Belgian Security Blognetwork]

Posted: 29 Jun 2008 04:55 PM CDT

European documents about immigration and border controls [belsec] [Belgian Security Blognetwork]

Posted: 29 Jun 2008 04:54 PM CDT

Some firms don't admit security breaches - Geez, ya really think so? [StillSecure, After All These Years]

Posted: 29 Jun 2008 04:51 PM CDT

It's not often that security issues make mainstream media outlets. So when I saw this article on cbsnews.com I wanted to see what kind of "investigative journalism" the same folks who do 60 minutes would bring to the story. The story takes the particular case of Direct Marketing Services, Inc, the parent company of Montgomery Ward. It does a good job documenting the breach, the discovery of the breach and how the company complied with credit card company rules by notifying Visa, Mastercard, Discover, etc. but did not notify the 51,000 potentially affected customers. It also does a nice job of giving credit to Affinion Group Inc.'s CardCops for spotting and discovering this theft.

The article then goes on to say that 44 states have passed statutes making disclosure and notification of security and confidential breaches to affected consumers mandatory. The article does caution, though, that based upon the volume of data being sold in "online black markets", there are many more breaches than we are being told about. I think it's good that CBS bangs the drums on this, but frankly that "evidence" is a bit flimsy. I also found it gratifying that the article blames the credit card companies themselves for not doing more to publicize these breaches, so that they don't have to issue new cards. Just goes to prove what has been written before, that in the bigger picture the cost of doing business may include the risk of compromised data and big business has determined that that is a risk worth taking.

New versions of interesting freeware (security and utilities) [belsec] [Belgian Security Blognetwork]

Posted: 29 Jun 2008 04:14 PM CDT

Security Companies are Boring [GNUCITIZEN Media Portfolio]

Posted: 29 Jun 2008 04:05 PM CDT

I was flipping the pages of the latest SC Magazine and I am afraid to admit that it was very boring.

as boring as watching grass grow

And this is not because the idea behind the magazine is bad. Not at all. It is mainly the fault of the numerous info security companies SC Magazine is listing, which are striving to sell you the latest crap that you don’t really need. Promises. Promises. And more Promises. But no substance! And most of the companies I have never heard of or they haven’t done anything interesting to justify their positions. I am not saying that they have to go geek tech sec, but please… If you do have a clue about the situation why don’t you inform your customers appropriately.

Cyber-attack: why care? [Phillip Hallam-Baker's Web Security Blog]

Posted: 29 Jun 2008 12:30 PM CDT

"My Internet connection goes out all the time, why should I care about a cyber-attack? - comment from a colleague"


We have only been using the Internet for a decade or so. If the Internet were to go down for a day or even a week it would be a serious problem and have a major economic effect. Congressional hearings would be held and those responsible would risk wearing an orange jumpsuit for a very long time.


But hearings would be held, which is to say that civilization would not collapse. We have become used to the Internet but we have not become dependent on it in the same way that we have become dependent on the power, water and sewage systems that make our modern cities possible.


Water can be stored, but the electricity grid is a just-in-time system. Most Internet infrastructure is protected with battery backup and standby generators, but what about the water and sewage systems? What about the agricultural and logistic infrastructure that puts food on the table?


In many countries the power system is not dependable and as a result it is not depended on. Our industrial society has built its dependence on the power system for over a century.

Me.com is up? [Random Thoughts from Joel's World]

Posted: 29 Jun 2008 06:38 AM CDT

I received a report of me.com email addresses working, so I decided to give my account a try (I'm a .mac user).

Turns out it works.  So if your username is username@mac.com, try sending yourself an email at username@me.com.

Cool.


Microsoft: NAP Infrastructure Planning and Design (IPD) Guide [/dev/random] [Belgian Security Blognetwork]

Posted: 28 Jun 2008 01:37 PM CDT

Access Denied

Microsoft (via the Solutions Accelerators team) published an interesting document about NAP: “Selecting the Right NAP Architecture”.

Potential BlackBerry Outage in GTA? [.:Computer Defense:.]

Posted: 28 Jun 2008 01:31 PM CDT

There seems to be a Blackberry Outage in the GTA (Toronto, Ontario). Does anyone have any details?

I ditched Mail Tags [Random Thoughts from Joel's World]

Posted: 28 Jun 2008 08:46 AM CDT

I recently wrote a post on GTD with Mail.app and iCal and everything like that, and I mentioned that I use Mail Tags.

Well, I uninstalled it.  I noticed that it really didn't provide me any value added that I couldn't do with some Smart Folders.  So now I have two more Smart folders and no more Mail Tags.  I still keep all my email (except for listserv email) in one mailbox named Read.  

Basically instead of the traditional way of using email by putting it all into separate folders, I put everything into one folder and search it by using Smart Folders.

I created two more search folders to make stuff a bit easier, one called "Today" and one called "Yesterday" so I can look for email by day.


Blog Comments [Random Thoughts from Joel's World]

Posted: 28 Jun 2008 08:09 AM CDT

I changed how commenting works on the blog.  Comments are no longer moderated, but you must have an account.  (No Anonymous posting anymore)  However, I do allow OpenID postings, so you don't have to have a Google or Blogger account.

I originally turned on comment moderation because of the types of postings I was getting, now I changed it to not allow anonymous commenting because lots of people were trying to plug their own website or product by posting comments about articles on the blog.  

I'm half and half about this kind of thing, so instead of rejecting their comments, I'll just require them to have an ID.


Mortgage - Doddgate = more homeless [DCS Security]

Posted: 28 Jun 2008 07:59 AM CDT

Look if we remove the risk and impact on mortgage companies of defaulted loans the result will be more defaults and therefore foreclosures. The result of congress bailing out the mortgage companies will be more foreclosures not less because they will have less incentive to negotiate with borrowers who are on the line.

This holds especially true in variable rate loans where the borrower is able to make initial payments but the increased payments are out of reach. In these cases neither the borrower nor the lender should have made the agreement in the first place, but if you remove the downside of the default from the vendor, why would they ever entertain the idea of negotiating with someone who was making payments earlier?

This article misses the point in the end but I agree with the bailout point. Government involvement is exacerbating the problem and it isn't a solution.

This makes Doddgate even worse. Dodd's FOA status might lead directly to more people getting kicked out of their houses.

We need to make it clear to Congress and the Senate that they need to be very careful about how they walk when it comes to solutions that take away one side of the bargaining position. In this case our side.

Security Function as a Business Enabler [Musings on Information Security]

Posted: 27 Jun 2008 10:50 PM CDT

In one of my earlier blog posts I branded the Information Security function (as part of IT) as an overhead of an overhead. It is of utmost importance for a security manager to run the security function in a way that it enables the business.

The various components (sub functions) of the security organization should align with the business objectives of IT and the whole organization. There needs to be a cohesive security strategy in order to align the various components. One good way of understanding the business objective is to ask why the business is parting with money for deploying a specific security component. Why is the business giving me money for Compliance? Why is the business giving me money to implement IDP? Constitutive questions such as these will help you to understand the fundamental concerns of the business, and based on these we can come up with a strategy suitably aligned with the business.

One good example is the area of compliance. Attempting to make each and every unit of your business compliant with certain standards/legal regulations and so on would be a tall order. First define the scope, draw a circle around the units that need to be compliant, then come up with a strategy to make them compliant by formulating your objective - derived from the business objective of why the business gave you money.

Any security implementation effort should have a well defined focus (scope), business objective and strategy to bind the various components cohesively so that they align with the ultimate business objective. By this, the business will view the security organization with dignity; otherwise the security organization will end up being a spoke in the wheel of business.

In the past, I was involved in discussions about the ROI of information security, security as insurance, and so on. After eating the forbidden apple from the tree of paradise, I realize security has neither ROI nor is it akin to insurance. Information security is a way of doing business with due care. Security is a way of enhancing the trust of a business among customers and thus enhancing the identity (or brand image) of the company. A few years down the line people won't even question why you do security; it will become a part of your background conversation. Nobody questions why we buy hybrid vehicles anymore, right?

If the components of the security function are not cohesively aligned with the business objective, it is a spoke in the wheel of business; else it is a brand enhancer of the business.

Blogsecurify: New Wordpress Security Scanner [spylogic.net]

Posted: 27 Jun 2008 07:00 PM CDT

Looks like GNUCITIZEN and Blogsecurity.net have joined forces to create an online Wordpress security scanner. From GNUCITIZEN:

"Blogsecurify was created to help individuals and organization to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time come."

I tested it out and it works as advertised. Just make sure you enable/disable the template plugin that is required. I used the old security scanner that was on Blogsecurity.net and didn't get a ton of value out of it in the past so this is great news! Actually, the old scanner told me that the Wordpress installation that I was scanning was out of date and vulnerable even though I had the latest version installed! Blogsecurity.net has some really good resources for hardening your Wordpress installation by the way. I recommend that if you have a Wordpress blog you download the paper they have on hardening your Wordpress installation. While some of these tips are easy (change the admin account name and use role based access) others are a bit complex and may break most of your plugins (.htaccess modifications) without significant testing. Either way, it's worth checking out to make your Wordpress installation more secure.

SNMP Hacking [Hackers Center Blogs]

Posted: 27 Jun 2008 06:00 PM CDT

I've spent a lot of time exploring alternative attacking methods other than the traditional flaws. One of the routes I've really enjoyed exploring has been SNMP attacks. I thought I'd give an overview for those who are not very familiar with the subject.

Simple Network Management Protocol (SNMP) is an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP). Most administrators/security guys fail to understand SNMP and its security impacts. [...]

Physical Security: The Lost Art [Hackers Center Blogs]

Posted: 27 Jun 2008 06:00 PM CDT

I had to visit my local bank today to take care of some papers. As I was sitting across the table talking about how they had spelled something wrong on one of my documents, I noticed that right next to the Manager's office is a small but well-packed Server Room.

I immediately started assessing the physical security of that server room and was disappointed by the fact that there was absolutely no access control mechanism; just a door with a shoe rack outside. A few minutes later and a bit scared [...]

Week of War on WAF’s: Day 5 — Final thoughts [tssci security]

Posted: 27 Jun 2008 04:17 PM CDT

Did we learn anything about web application firewall technology this week?

I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don’t know why. Organizations everywhere think this is the best or only short-term answer to the web application security problem.

The PCI SSC, which has set June 30th, 2008 as the deadline for compliance with Requirement 6.6, also appears to be wishy-washy on the whole deal. I read the following two articles this morning about PCI-DSS Requirement 6.6 and the use of web application firewalls. While the titles of the articles may make it appear that many are still leaning on or towards WAFs, after reading the information and quotes I think the titles might be misleading.

Web application security experts Mike Andrews and Robert Auger also have some interesting things to say. They seem to be very set on the idea that WAF (with proper blacklists) or VA+WAF (to manage the blacklists) are fair enough temporary solutions until organizations can implement secure coding.

Some interesting things can go wrong during the WAF implementation phase. I can identify the following problem areas that may have many organizations wondering why they went the WAF route:

  1. You think that a network engineer or network security expert could get up to speed quickly through training or lab-time. However, I think the average time to become a web application security expert is 3-4 years of specialization. Imagine how many developers could have been trained or worked on collaborative processes with IT security in that time period.
  2. Blacklist technology (especially VA+WAF) is going to help with false positives. However, what about general performance problems? If performance or availability issues occur, the first thing thrown out will be the WAF. What good is a device that is constantly removed from the architecture and then only put back in to meet compliance issues?
  3. There is a lot of technology out there to detect specific WAF products. It’s been written about in books. Attack tools such as w3af utilize plugins such as detectWAF. Vulnerabilities exist in WAF products in the same way that they exist in all software. Adversaries are already using this information to their advantage. Using a WAF can indeed make you less secure. In order to provide a product that will protect modern web applications, we must first test the products ourselves. There is more complexity in the average WAF than in the average Intranet web application — who is going to provide the countless hours of secure code review and manual pen-testing needed for these WAF products? Or are we going to use them blindly without considering the consequences?

What are some short-term alternatives?

  1. Multiple WAF solutions — one solution that focuses on “outbound” web traffic, and another that is tuned to your specific application (e.g. language, framework, components in use, et al). If your web application uses well-formed, valid XHTML — the outbound filtering requirement is already fulfilled. Refactoring your content to XHTML is a snap. Many books and tools exist to help in this process (Dreamweaver, xmllint, TagSoup, NekoHTML, and HTML Tidy just to name a few).
  2. A softer, lighter version of Agile/Test-first development practices with basic unit tests that correct input validation issues. This would be equivalent or better than WAF in practice. James Shore discusses how to implement this sort of idea in an article, Continuous Integration on a Dollar a Day.
  3. Even Aspect-oriented programming will show immediate value, as the cost proposition lowers when you already have the existing talent to implement AOP. If you have developers that know AspectJ — input validation routines can be added with point-cuts almost overnight.
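As an added illustration of the AspectJ approach in item 3 (and of the unit-testable validation rule behind item 2), written for this page rather than taken from the tssci post: an aspect that validates every request parameter the application reads, at the point of use instead of in front of the server. The `com.example` package and the allowlist pattern are assumptions.

```java
// Added example, not code from the tssci post. Assumes the application's own
// classes live under the hypothetical package com.example and that AspectJ
// weaving (compile-time or load-time) is enabled for that package.
import java.util.regex.Pattern;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

@Aspect
public class InputValidationAspect {

    // Allowlist for "ordinary" text parameters: letters, digits, a few
    // punctuation marks, at most 256 characters. This is an assumed policy;
    // a real application keeps one pattern per parameter or per data type.
    static final Pattern SAFE_TEXT = Pattern.compile("^[\\p{Alnum} ._@,-]{0,256}$");

    /** The rule on its own, so a plain unit test can exercise it without a servlet container. */
    public static boolean isSafeText(String value) {
        return value == null || SAFE_TEXT.matcher(value).matches();
    }

    // Pointcut: every call to HttpServletRequest.getParameter(String) that is
    // made from the application's own code. within() keeps the advice out of
    // framework internals, so only parameters the application actually reads
    // are checked.
    @Around("call(String javax.servlet.http.HttpServletRequest.getParameter(String))"
          + " && within(com.example..*)")
    public Object validateParameter(ProceedingJoinPoint pjp) throws Throwable {
        Object value = pjp.proceed();                 // read the parameter as usual
        if (value instanceof String && !isSafeText((String) value)) {
            String name = (String) pjp.getArgs()[0];  // the parameter name passed to getParameter
            // Reject here rather than in a network device; a servlet filter or
            // exception mapper turns this into a 400 response and a log entry.
            throw new IllegalArgumentException("Rejected value for parameter '" + name + "'");
        }
        return value;
    }
}
```

A JUnit test of `isSafeText` (for example, accepting `alice@example.com` and rejecting a value containing `<script>`) is the "unit test for a security property" that item 2 and the summary below describe, and it runs in the normal build without any WAF in the path.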

The problem with these three short-term solutions is that they involve talking to your development teams. Do they have a reason to avoid using valid XHTML? Maybe their waterfall mindset precludes them from being able to move to a situation where “building code” is more important than “programming” (although I would argue that it’s a developer’s job to write buildable code).

What I think is most sad about the state of WAF technology is that a single, cheap developer could easily replace all of the normal WAF functionality in the code using basic unit testing. A talented developer who knew AOP could do much more than a WAF, and still at a much lower overall cost. Some organizations that are implementing WAF are having the developers manage the solutions instead of network engineers or IT security. We’re hoping that this situation will allow the developers to think up better ideas as well as learn where their applications are failing.

In fact, a non-developer, such as someone in marketing who uses Dreamweaver, could also do almost as much as a normal WAF by saving their content as valid XHTML. This would buy the organization basic application security functionality, which is what a WAF also attempts to do.

Summary

We know that WAFs appear to be the easiest answer to PCI-DSS Requirement 6.6. But what if there were an even simpler answer? Talk with your QSAC, QSA auditor, and an external third party such as a web application vulnerability assessor, software risk expert, or strategy consultant about possible compensating controls, such as:

  • Unit testing and integration unit testing for security properties as part of a daily, standard build
  • Aspects for security, written by an internal developer, which can front the web application in a similar way but are closer to the code
  • Transformation of non-standard HTML to valid XHTML by a web designer or content manager

If you are going to choose a web application firewall, we suggest:

  • WAF solutions that have been security tested and risk assessed by third parties that specialize in security appliance/product assessments
  • A product that doesn’t affect performance because it only works on outbound traffic (not inbound), or only turns itself on when an attack is in-progress
  • Instructional capability and training for the solution is cheap/free, easy to find, and well-documented everywhere

Rich Mogull also has some very new suggestions that he would like to see as a future for WAF in his blog post, The Future of Application and Database Security: Part 2, Browser to WAF/Gateway. It’s also worth a read!

Lying for the truth [Andy, ITGuy]

Posted: 27 Jun 2008 02:03 PM CDT

The SANS Newsbites email today has a link to this article on Forbes.com. It talks about the apparent disconnect between what Security and Privacy departments think is going on and what seems to really be going on. Now I'm not accusing anyone of lying to the Security/Privacy departments or to management, but it sure looks like someone may not be telling the whole truth. More than likely what has happened is a disconnect between these departments. Security/Privacy creates a policy that states that sharing personal data or sensitive data with third parties is not allowed. Marketing either is unaware of the policy or decides that the policy is stupid and ignores it. This is where my comments in the last post about being able to monitor, verify and enforce policy are crucial to its success.

I know from my personal experience that I've been lied to about certain things. I'm sure I'm not the only one. I've asked questions and received answers that were incorrect, and the person who gave me the answers knew that they were incorrect. When later confronted, I was told that I was given the answer that I wanted. Obviously since then I've learned not to be so trusting (remember: "I like you. I just don't trust you."). Now I require proof, and if proof can't be given then the answer is left blank and steps are taken to fix the issue.

The real problem in this is that by lying, the company as a whole is put at risk. Proper security can't be put in place because the truth isn't known. If an incident occurred as a result of this lie then it could be detrimental to the company. Again I stress that if we are to do our jobs effectively then we need to know the truth and be able to verify that truth.

Cyber-war and Cyber-crime [Phillip Hallam-Baker's Web Security Blog]

Posted: 27 Jun 2008 12:48 PM CDT

I was recently asked to give a presentation on the relationship of cyber-crime to cyber-warfare and cyber-terrorism.


This got me thinking about the fact that none of our existing categories may adequately describe the dark side of the net. There are terrorists using the net and many governments, including the US have developed an extensive cyber-warfare capability. But even if these activities fall far short of the 'lone hacker brings down civilization' scenario they should give us at least as much cause for concern, if not more.


During the dotCom boom most observers were confidently predicting that e-tail would effectively replace traditional 'bricks and mortar' stores. A few years later the same pundits had discovered that the 'clicks and mortar' model (using the Web to supplement conventional retail) was the winning formula for most. Similarly, the cyberwarfare capabilities being developed by the major powers (US, China, Russia) appear to be mostly directed at establishing a sabotage capability that might be used in conjunction with a conventional attack as a force multiplier. This is not a new strategy; the Allied D-Day landings in Normandy were greatly assisted by the sabotage campaign waged by the Free French in advance of the attack.


The major powers have avoided coming into direct conflict for the sixty years since World War II. The addition of cyber-warfare does not significantly add to their offensive capabilities. There is however a major difference: deniability. The major powers engaged in proxy warfare throughout much of the cold war. Some (but not all) of the terrorist movements active in the 1970s received training, weapons and funds from state sponsors. Supporting terrorists (or freedom fighters) was considered to provide a deniable means of engaging in low-intensity warfare.


One cyber-security risk is that cyber-warfare will become the new means of conducting deniable, low intensity warfare. But another equally grave risk is that independent groups that are not state sponsored will perform attacks that lead to an escalation in international tensions at a time when the diplomats are busy attempting to reduce them, causing an avoidable diplomatic crisis to result in a war.


A third risk is that a cyber-attack might be launched with the objective of provoking a response against an opponent. This is not a theoretical possibility. The neo-fascist group Nuclei Armati Rivoluzionari is believed to have perpetrated the Bologna Railway Station Massacre in 1980 in an attempt to provoke an authoritarian response by the state. 85 people were murdered and 200 wounded.


Similarly, every significant terrorist group is using the Web to distribute propaganda and in most cases to raise funds from supporters. It is the ability to raise cash through the net that is the biggest cause for concern here. The terrorist organizations that have had the biggest impact are the ones that have secured access to the largest supply of funds. The Baader-Meinhof gang was just another ultra-left communist faction until it began robbing banks. The decline of the Baader-Meinhof gang began when the West German government cut off the supply of funds by ordering banks to significantly reduce the amount of cash that they keep on hand at branches. Similarly the conflict in Northern Ireland came to an end and the separatist movement in Sri Lanka significantly reduced the scope of its activities after the flow of funds from North America dried up in the wake of the September 11 attack.


Just as cyber-warfare merges into cyber-terrorism, cyber-terrorism merges into cyber-crime. Until September 11th a bar near my house used to hold monthly fund raisers for a terrorist front organization. Today the front organizations are under close scrutiny and must disguise the flow of funds. In addition, cyber-crime provides a ready-built infrastructure for handling terrorist contributions, and the terrorists can turn to theft if their supporters are insufficiently generous.


Until the rise of cyber-crime, the ability to present a serious cyber-warfare threat was limited to a very small number of countries. Besides the major powers, only Britain and France were thought likely to have established a major offensive capability. Israel had the means to establish such a capability, but no likely opponent that had developed a critical dependence on Internet infrastructure. Today, any state that wants to acquire a cyberwarfare capability can do so easily enough by recruiting cyber-criminals as mercenaries. Any technical capability a state might require is available for a price.


The triangle is thus complete. Cyber-warfare, cyber-terrorism and cyber-crime are all interconnected and all represent a serious threat to national security.
