Monday, August 25, 2008

Spliced feed for Security Bloggers Network

Wikileaks shows documents about Belgian tax evasion techniques [belsec] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 07:27 AM CDT

It doesn't happen often that Wikileaks is used by Belgians to place documents that might steer a bit of a debate in Belgium. Wikileaks is perfect for that. You should only be sure that when you do it you use a proxy and another free email address that has no reference to yours, and that you don't do it from work or any other monitored place. You should prefer a cybercafe, and if you are often uploading documents or looking at that other mailbox (which you otherwise don't use anywhere) you should change (there should be nothing that could be foreseen or planned in your behaviour).

Back to the document now

1.) This file and this context have never been released before.

2.) This file shows how the Belgian tax department supports tax evasion by Belgian citizens living outside Belgium. The Belgian land register belongs to the tax department; it allows wrong addresses of landowners to be entered in the land register. The land register is run electronically, so landowners can anonymize their foreign address and cannot be found by the tax authorities in the country they are living in. The document shows the work of a notary and a lawyer, Anne Van Ysendyck; her address is completely wrong, and the other addresses are wrong too. The addresses are changed in such a way that the owner cannot be found by foreign tax authorities.

3.) The audience could be all tax payers in the European Union, angry about tax evasion by the rich.

Security Briefing: August 25th [Liquidmatrix Security Digest]

Posted: 25 Aug 2008 07:25 AM CDT

If you were/are an (European) customer of Best Western : Take Care [belsec] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 06:48 AM CDT

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.


Some hacker succeeded in placing a trojan on a PC used to make the reservations, got the login and then downloaded the whole database. This means that someone who made a reservation had access AND download rights to the WHOLE database. Mama mia. There you go again, make HIS day.

Restrict all the rights in a database to the strict minimum. Use special separate machines for management control of those machines and give download rights only after approval, especially for these kinds of databases. But of course outsourcing to India is so safe.......

If you are a customer of Best Western then you should:

* tell this to your credit card company and ask them to be suspicious of transfers of money that are not in line with your normal behaviour.

* check all the transactions with your cards for some time. Some people that were in stolen databases only saw their first fraudulent use after some months (Delhaize US).

* safest is to ask for a new card altogether; say that you have lost it, if you can live without it for a few days.

* ask for more information from Best Western, let them sweat a bit, make it clear you don't appreciate this kind of lax security.

And if you are a European who thinks this could only happen in the US: according to the article this is the first time that the Russian (mafia) Business Network has gotten hold of such a big database with European IDs and credit cards. Maybe they expect the Europeans not to be too prepared or educated against the crimewave that could (in theory) take place now. The question is whether it will happen at once or bit by bit....

For our Belgian readers, now you can maybe understand a bit better why we were so angry that the ID information on our eID (electronic identity card) could be intercepted so easily by a virus. All public information, they said; yes, but very dangerous if it was coupled with a database of credit cards. This is now the case. Imagine if you could combine an eID database with a credit card database. Pretty impressive, no?

dubious payment services accepting payment for rogue antivirus2008 [belsec] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 06:08 AM CDT

If a payment service still accepts payment for a program which the whole web now knows to be a total scam, then it has no ethics and will probably work with any crook to accept whatever money.


spamming blogger promotes antivirusxp2008 [belsec] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 05:58 AM CDT

He has been placing links in forums (registering as a member) or in guestbooks.

His site is a trap with an illegal scanner that will warn you of threats, real or unreal. But you should never use software like this. They don't have the quality and expertise, they are just crap, and they sometimes install spyware on your computers.



The rogue (false, dangerous) antivirus2008 blocklist [belsec] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 05:48 AM CDT

antivirus-xp-2008. net
2008antivirusxp. com

Added some others while I was at it.

SQL injections still in full swing (blocklist) [belsec] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 05:07 AM CDT

These attacks are going on in full strength according to the Internet Storm Center, and they say that these in particular seem to be increasing while others are cleaned up.

This is also a list.

Video of Dan Kaminsky's DNS talk from Blackhat USA is now online [Security4all] [Belgian Security Blognetwork]

Posted: 25 Aug 2008 01:01 AM CDT

For those who weren't satisfied with slides alone from Dan Kaminsky's DNS talk, the video (m4v) and the audio (mp3) from Black Ops 2008: It's the end of the cache as we know it (ppt) is now available (courtesy of They already have the majority of presentations and whitepapers from Blackhat USA 2008 online on this page and it will be updated with videos as well. Keep an eye on it.

Related posts:

What The Media Doesn't Get About Obama Choosing Biden [The Converging Network]

Posted: 25 Aug 2008 12:20 AM CDT

I don't write about national politics much on this blog, but as soon as I heard Obama chose Biden for his VP, it was obvious to me why. All the issues the media raises about Biden's negatives (he's old, been in Washington too long, was an Obama naysayer, etc.) are simply missing the point.

My view on the strategy behind why Biden is Obama's VP pick: Biden is basically the democrat version of McCain. Biden's got the foreign policy experience, senate experience, he's outspoken, he has a temper he doesn't always control, has foot-in-mouth disease, has that independent, hard to control spirit, and is seen as a maverick. Very much like McCain.

Biden neutralizes McCain – Why cross over and vote McCain when you can get the same thing in Biden. If you're a Democrat, don't cross over to McCain because you've got Biden. If you're a Republican considering going for Obama, it's "safer" now because you get most of what you liked about McCain in Biden. (Except the national hero, POW hero factor.) And the knock that Obama's not ready to be President? Well, Obama must be if Biden changed his mind enough to be Obama's VP. Biden left that door open in the Democrat debates when he said "[Obama] could be ready".

It's the neutralize McCain strategy by taking away most of the differentiating reasons you'd vote for him. Personally, I believe Hillary would have given Obama the best chance of winning, even though she would have made the run up to the election more like a Bill-ary turkey shoot for the Republicans.

The media isn't buying into Obama's Biden VP pick but I think this is the real strategy behind it.

Acronyms [Last In - First Out]

Posted: 24 Aug 2008 09:28 PM CDT

Two acronyms worth remembering.


RGE (Resume Generating Event) – An event that forces a person, or the person's manager, to generate an updated resume.
An RGE is something most of us don't want to experience, at least not too often. RGEs are often followed by changes in income, housing, marital status, etc.


HGE (Headline Generating Event) – An event that causes news reporters to write stories and generate headlines.
HGEs can be either positive or negative, depending on the causes and effects of the event, although with the exception of dot-com startups, most IT initiated HGEs are negative events related to system or project failures of some sort.

HGEs are often followed by RGEs.

Obviously a goal of system managers, security people and IT folks in general is to make sure that acronyms like the above don't show up unexpectedly. Those of us in public service are particularly sensitive to HGEs. There are not too many circumstances where public service IT organizations can generate positive headlines. Odds are that if there are headlines, they are not good. There is no incentive for the local news broadcast to begin with a segment on your shiny and fast new servers or your four nines of application uptime.

We spend a lot of time analyzing risk in security decisions, system designs, deployments and upgrades. If we do it right, we can design, build, manage and maintain systems that meet user/customer requirements while minimizing the probability of triggering an HGE and the follow on RGEs.

And if we are REALLY doing it right, we'll have fun while we are doing it.

Over 8 million Best Western records stolen and sold to Russian mob [Security Karma]

Posted: 24 Aug 2008 08:11 PM CDT

Looks like this one is going to be up there with the TJX and Hannaford breaches. The London Telegraph is reporting that over 8 million customer accounts have been stolen from Best Western and sold to the Russian mafia. This story is still breaking but from the article:
It is believed an Indian hacker succeeded in bypassing the security software and placing a Trojan virus on one of the firm's machines used for reservations.

The next time a staff member logged in, his or her username and password were collected, stored then put up for sale on a website operated by a branch of the Russian mafia.

The stolen data includes a range of private information such as home addresses, telephone numbers, credit card details and place of employment.

Best Western fixed the security breach on Friday after being alerted by a Sunday newspaper, which had discovered the crime.

A Sunday newspaper discovered the crime? Jeez. I'm sure there will be much, much more to come about this one.

Original Story: Hackers steal details of millions of Best Western hotel guests

One More Little Puzzle [Didier Stevens] [Belgian Security Blognetwork]

Posted: 24 Aug 2008 05:07 PM CDT

What’s this? Have a guess!

Hacker Media Archive is looking for a new home. [Security4all] [Belgian Security Blognetwork]

Posted: 24 Aug 2008 05:01 PM CDT

Darkoz was so kind as to maintain a huge media archive of talks from past Defcon, Blackhat, Shmoocon, HOPE, and other conferences over at

In the end, the archive was near a terabyte of disk space and easynews couldn't support the archive anymore.

If you can help us with bandwidth and storage, please check out Darkoz's post over on his blog. Even if you don't have these resources, pass the word.

(Photo under creative commons from RobotSkirts' photostream)

Twitter Weekly Updates for 2008-08-24 [/dev/random] [Belgian Security Blognetwork]

Posted: 24 Aug 2008 04:59 PM CDT

  • F*cking weather! #
  • upgraded wordpress to 2.6.1 #
  • Upgrade iPhone to 2.0.2 #
  • Sounds interesting #
  • Excellent: #
  • DNS down? #
  • OpenVAS installation… #
  • First scan launched from OpenVAS #
  • Testing Tweeterrific on iPhone #
  • will VirtualBox run on Ubuntu running in a VMware? #
  • mmmmh… XP crashes during setup #
  • Live from Ile de Re! With Sun! #
  • Hmmm ice cream on the port! #

Check your Redhat/Fedora OpenSSH Packages. Redhat servers were compromised. [Security4all] [Belgian Security Blognetwork]

Posted: 24 Aug 2008 04:42 PM CDT

Last week, some of Redhat's computer systems were compromised. During this incident, the attacker was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

As a precaution, Redhat is releasing an updated version of these packages. Redhat has also released a script with which you can test your system for any affected packages:

The script has a detached GPG signature from the Red Hat Security Response Team (key) so you can verify its integrity:

This script can be executed either as a non-root user or as root. To execute the script after downloading it and saving it to your system, run the command:

 bash ./

If the script output includes any lines beginning with "ALERT" then a tampered package has been installed on the system. Otherwise, if no tampered packages were found, the script should produce only a single line of output beginning with the word "PASS", as shown below:

 bash ./
PASS: no suspect packages were found on this system

The script can also check a set of packages by passing it a list of source or binary RPM filenames. In this mode, a "PASS" or "ALERT" line will be printed for each filename passed; for example:

 bash ./ openssh-4.3p2-16.el5.i386.rpm
PASS: signature of package "openssh-4.3p2-16.el5.i386.rpm" not on blacklist

Source: (
(Photo under creative commons from Michell Zappa's photostream)
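As an added example that is not Red Hat's own checker, the script below takes the inverse approach to the blacklist described above: it reads the signing-key line that rpm reports for each installed OpenSSH package and flags anything unsigned or signed by a key outside an allowlist. The trusted key IDs and the sample rpm output lines are constructed placeholders, not Red Hat's real keys.

```shell
#!/bin/sh
# Added example, not Red Hat's script. Classifies OpenSSH packages by the key
# that signed them: PASS if the key ID is allowlisted, ALERT otherwise.
# The key IDs below are constructed placeholders; replace them with the
# fingerprints of the keys your distribution actually signs packages with.
TRUSTED_KEYS="0123456789abcdef fedcba9876543210"

# Input is one package per line in the form produced by
#   rpm -qa 'openssh*' --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
# (packages carrying a DSA signature expose it via %{SIGGPG:pgpsig} instead).
# rpm prints "(none)" for an unsigned package and "..., Key ID <hex>" otherwise.
classify_line() {
    line=$1
    pkg=${line%% *}
    sig=${line#* }
    case "$sig" in
        "(none)"|"$line")   # no signature field at all, or explicit (none)
            echo "ALERT: package \"$pkg\" is unsigned"
            return 1 ;;
    esac
    # the key ID is the last whitespace-separated field; normalise to lowercase
    keyid=$(printf '%s\n' "$sig" | awk '{print $NF}' | tr 'A-F' 'a-f')
    for k in $TRUSTED_KEYS; do
        if [ "$k" = "$keyid" ]; then
            echo "PASS: package \"$pkg\" signed by trusted key $keyid"
            return 0
        fi
    done
    echo "ALERT: package \"$pkg\" signed by unknown key $keyid"
    return 1
}

# Runs classify_line over every non-empty line on stdin; exits non-zero if
# any package produced an ALERT, so it can gate a larger check.
check_lines() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        classify_line "$l" || rc=1
    done
    return $rc
}

# Constructed sample output: one trusted, one unknown key, one unsigned.
SAMPLE='openssh-4.3p2-16.el5.x86_64 DSA/SHA1, Thu 10 Jan 2008 10:00:00 AM UTC, Key ID 0123456789abcdef
openssh-server-4.3p2-16.el5.x86_64 DSA/SHA1, Thu 21 Aug 2008 09:00:00 AM UTC, Key ID deadbeefcafef00d
openssh-clients-4.3p2-16.el5.x86_64 (none)'

if [ "${1:-}" = "--live" ]; then
    # query the running system instead of the constructed sample
    rpm -qa 'openssh*' --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n' | check_lines
else
    printf '%s\n' "$SAMPLE" | check_lines || echo "ALERT lines above: investigate before trusting this host"
fi
```

Unlike a blacklist, an allowlist also catches a package signed by a key you have never seen before, which is the case a compromised signing host would produce.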

Outsourced Call Centers + Security = !Sleep [Security Karma]

Posted: 24 Aug 2008 02:34 PM CDT

An article over at Dark Reading entitled Hacking the Call Center got me thinking about some of the issues I have discovered with outsourcing call centers. I have written about one such issue here. I have found that business units assume that the call center is discreet with their data and that every customer is handled on separate systems. Nothing could be farther from the truth.

When you outsource call centers you may have your own phone numbers, assigned operators, and perhaps even a dedicated information system for tracking data. Let's assume the best-case scenario: How does the data travel to your "dedicated" server? Over their shared infrastructure? Yes! Now now, I know what you're about to say... "they could just put those operators on a separate VLAN, problem solved." Typically that would mean one of three scenarios:
  1. The phone and computer system is set up to dynamically change VLANs on the fly, as operator desks are not "fixed" and often will need to handle more than one customer's calls at any time (they work in shifts and the person after you may get calls for a different client).
  2. They create a separate infrastructure for each client, which is:
    • expensive, which would decrease the call center's economies of scale
    • inefficient; if a client doesn't get calls on the weekend those cubes sit idle
  3. They use VMs, Citrix or some other virtual desktop environment, which is expensive and difficult to maintain.
How do call centers handle this? They usually don't. Remember, they are all about handling large volumes of calls quickly; they are not usually overly concerned with information security as it doesn't help their bottom line.

So how do we solve some of these problems?
  • First and foremost, only contract with data centers that are (and can prove they are) compliant with various standards such as PCI.
  • Second, purchase (or write) software that encrypts all data as it hits the disk or gets put into the database. Make sure you have key management processes in place to ensure that only your organization can see the data.
  • Third, either have the operators hit the audio kill button during credit card transactions or have intelligent software that will go through and perform hygiene on the data as it is saved to archive.
  • Fourth, don't be afraid to send some auditors down to the location and verify that your security standards and policies are being followed. The only way providers care about your data and security standards is if you make them.

Using credit cards at airport kiosks is as safe as using them anywhere else... which isn't saying much. [Security Karma]

Posted: 24 Aug 2008 02:32 PM CDT

(Image: The Terminal 3 Grand Hall, via Wikipedia)
Bob Sullivan wrote a post titled "Are airline kiosks safe?" for The Red Tape Chronicles at last week that made me frown when I first read it. (Note: I'll give Bob Sullivan credit... at least he tried to be balanced, read on.) On July 24th the Toronto Star broke a story titled "Airports a natural target for credit card fraud: Expert." Ok, airports are a target... so are discount retail chains and grocery stores... what's with the title? It turns out that Visa was investigating "isolated fraud incidents" that were occurring when people used their cards to check in to their flights and get their boarding passes. What drives me nuts is that the article spends almost 500 words scaring the bejeebus out of people when right in the middle of the article there is this gem of a quote:
"WestJet has cautioned against pinning the blame solely on the kiosks until the investigation is complete."
Eh? They didn't really know where the fraud was originating from; the banks (which do not usually have detailed information regarding POS (Point of Sale) location or the IT infrastructure of organizations) were guessing that the kiosks were a logical place to start looking. Makes sense to me. But then the UPI picked up on the story with the admittedly better title "Toronto airport credit card scam probed." Unfortunately, this article also takes the tack that it's better to scare people about swiping their card than to emphasize that the banks were investigating whether there was something to investigate.

Well, not long after the UPI story came out the security and travel blogosphere grabbed the ball and ran. With titles like these who wouldn't be scared about checking in at a kiosk?
Ok, ok, I know what you're thinking: it's better to spread the word about possible fraud than to keep it quiet and let people continue to be at risk. Fine. I agree... although I think by upping the hyperbole you spread FUD (Fear, Uncertainty, Doubt) and damage the airports, the kiosk owners, and the airlines. Let's stick to the facts and leave the outrageous headlines out (except for the last one I listed above... if a reader of "Nuttin' But Pimp" takes anything on that site seriously... well then send me an email because do I have some offers for you!)

Why am I picking on this particular news item? Well, just a few days after the initial story broke (five (5) days to be exact) CBC News reported that "No fraud linked to Toronto Pearson airport kiosks." Yes, that's right... they did an audit and found that there are "no confirmed cases of fraud currently at [Pearson] airport kiosks."

I scoured the blogosphere for follow-up articles giving the "all clear" to let people use credit cards in addition to their passports or PNR numbers to check into their flight. I could only find a few stories in the Canadian press about it. At least there will be one article out there spreading the good news. Swiping your credit card (CC) at an airport kiosk is just as dangerous as storing your CC information online, swiping it at the grocery store, handing it to a waiter at a restaurant, etc. In other words, not really all that safe at all, but convenient.

Shout out to Howard for sending me the msnbc post.

Related Articles
Edit: Fixed some spelling and cleaned up the language a bit.

Grave Robbers Hit Montgomery Ward For Up To 200K Credit Card Numbers [Security Karma]

Posted: 24 Aug 2008 02:32 PM CDT

The AP is reporting that the online retail store Montgomery Ward was breached back in December, with between 51,000 and 200,000 credit card numbers, expiration dates, and CVV2 numbers taken. Details of the breach aren't widely known and it wasn't reported whether Direct Marketing Services [DMS], the company that purchased the Montgomery Ward name out of bankruptcy, was PCI DSS compliant.

None of that information is that troubling to me, however. Breaches happen. We learn from them (hopefully) and move on. What irks me about this one is that DMS didn't notify their customers after the breach occurred. Since the penalties for non-disclosure are far less (non-existent in some cases) than the costs associated with replacing credit cards and monitoring up to 200,000 credit reports, DMS did what companies do best: act in their own self-interest, watch the bottom line, and hope nobody finds out.

Obviously there is no easy solution to this problem. DMS followed guidelines and notified banks of the breach. However, it is not mandated that the bank notify a customer that their information was potentially compromised. Disclosure is left up to the merchant that was originally hit and will ultimately pay for any and all costs associated with replacement of cards and monitoring of accounts.

Unfortunately, this is a case where the private market will not lead to an efficient outcome. Legislation is needed in order to hold companies accountable for the non-disclosure of private and financial information breaches. We will see proper disclosure of breaches when we start walking CIOs and CEOs out of headquarters in handcuffs and making the fines high enough to make full disclosure seem like a bargain. I hope companies start doing the right thing by their customers but I, for one, will hold my breath.

They have the technology, but no security [Security Karma]

Posted: 24 Aug 2008 02:30 PM CDT

Great article in the London Times this morning entitled "We have the technology, but no security." Author Simon Davies goes through the laundry list of compromises that have hit the British government over the past year and correctly comes to the conclusion that it is a lack of standards, policy, and understanding about data security that leads to a culture of carelessness.

Hackers in Britain don't need to scan servers for vulnerabilities, nor do they have to prepare "spear phishing" attacks to compromise desktops within the government... they just need to walk around the street and look for discarded DVDs and USB key drives. Their problems are definitely on the people and process side of the security triad (people, process, technology).

I hope someone in the British government takes control of the situation and institutes an educational program coupled with strong encryption and data access policies, with the necessary technical controls to help enforcement.

Related Articles

Should the Airlines be Forced to Fingerprint Passengers? [Security Karma]

Posted: 24 Aug 2008 02:30 PM CDT

...and should they have to pay for it?

The Bush Administration and the Department of Homeland Security have told the airline carriers that they will collect biometric information such as fingerprints from foreign travelers on their exit from the United States. I will refrain from discussing the political and social aspects of this request and instead will focus on the financial and technological aspects of such an idea.

The US-based airline carriers are facing record fuel prices, increased competition, price-elastic demand, and a volatile customer base. If the administration forces the airlines to also fingerprint passengers, the additional infrastructure, storage, networking, and security costs would kill IT budgets. It could also cause the airlines that are close to the edge financially to either further pull back operations or perhaps file for bankruptcy.

Besides the financial burden this would place on the airlines, another question that must be asked is: why? Why should the airlines collect and maintain biometric records of their passengers? We currently have the federal government stopping people to check for both citizen/visa status as well as customs inspection at all ports of entry. Why can't we just turn some of those booths around the other way?

The DHS is already collecting fingerprints and taking pictures of people that visit the country. Why should the airlines duplicate the entire infrastructure costs that are associated with this program? The costs would include the purchase of fingerprint scanners, computer systems, programs, databases, and storage as well as an interface into the federal government system. The cost of putting these systems into each international airport will be huge, and will have to be duplicated by each airline.

This is the ultimate "pass the buck" program. The Bush administration and the DHS shouldn't place this undue burden on the airlines, who will, in turn, pass the costs on to the consumer... that is, if the airline stays in business and continues to fly internationally.

Reference Links:

NIST releases three new security guidelines [Security Karma]

Posted: 24 Aug 2008 02:28 PM CDT

Government Computer News (GCN) reported that the National Institute of Standards and Technology (NIST) recently released three draft guides for public comment before their official publication. From the article:
SP 800-107, titled "Recommendation for Applications Using Approved Hash Algorithms," is in its second draft release. It provides guidelines for achieving the appropriate level of security when using approved hash functions.
Draft SP 800-121, titled "Guide to Bluetooth Security," describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively.
Draft SP 800-41 Revision 1, titled "Guidelines on Firewalls and Firewall Policy," updates the original publication released in 2002. It provides recommendations on developing firewall policies and selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based and personal firewalls.
I have begun reading and intend on commenting on the Firewall draft. From my first peek inside it seems very thorough and covers not only firewall policies and requirements but also architecture, rule selection, and life-cycle management.

Are Security Devices Making Us Lazy? : Part 1 : Introduction [Security Karma]

Posted: 24 Aug 2008 02:28 PM CDT

Let me clarify before I begin... by "us" I mean IT as a community, not information security specifically. Now that I have that out of the way, let's discuss how our reliance on network firewalls, application firewalls, VPNs, encryption, etc. has made system administrators, architects, programmers, and yes, even us security-type folk lazy. Let me explain a bit.

Let's pretend for a moment that we didn't have AV, network firewalls, SSL, IDS, or any other security-specific solutions available to us. How would we design our information systems? How would we protect resources? How could we possibly defend our networks against attack? These are the questions I like to ask myself when I have to design a new security architecture, review a proposed design, or audit an existing system.

I am not saying we should design all of our systems with these questions in mind. I understand the fact that we have these wonderful network and system security tools at our disposal. Thus, we can adapt our architectures, designs, and programs to include these solutions. The problem I see is an over-reliance on these tools. As an industry we have moved away from pushing most of the security work to the system administrators and programmers. We have told them (implicitly) "Don't worry about it... we've got it covered."

So how do we fix it? How do IT professionals stop relying on "things" and start building security from the ground up? How do we do this while increasing functionality, ease of use, and speed? In future installments of this series I will attempt to look at where IT professionals can focus their energies to begin "spreading the gospel" to the developers and administrators and have them buy into the idea of secure systems from the start.

Information Security Around The House : Part 2 : Packet Sniffers [Security Karma]

Posted: 24 Aug 2008 02:28 PM CDT

Packet Sniffers

From the Wikipedia Article on Packet Sniffers:
A packet sniffer (also known as a network sniffer, network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.

YAR! IANA & ICANN Get Hijacked By Turkish Pirates [Security Karma]

Posted: 24 Aug 2008 02:28 PM CDT

The net is abuzz about how ICANN and IANA were redirected for a short time on Friday. The Turkish hacker group NetDevilz posted the following message on, and
"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us? haha :)"
The hackers aren't saying how they pulled off the attack but smart money is on some sort of code injection. I can't imagine why every Internet-facing site isn't scanned daily for SQL Injection, XSS, CSRF, and similar vulnerabilities.

The reason why we (the good guys) should be scanning daily is because they (the bad guys) are already performing the scans and will pounce within seconds of spotting a soft spot.

The administrators got the sites back online within 20 minutes, but imagine if the hackers hadn't publicly exposed the hack but instead started delivering malware or altering data. Scary stuff when it comes to organizations that manage the Internet's core infrastructure (routing & DNS).

    PCI DSS update (1.2) pre-released and boy howdy it's about time! [Security Karma]

    Posted: 24 Aug 2008 02:25 PM CDT

    The Payment Card Institute (PCI) Security Standards Council has pre-released it's highly anticipated Data Security Standards (DSS) version 1.2. The standard is due to be officially released in October of this year (2008) but the PCI wanted to give businesses a chance to examine the changes and begin re-architecting half the stuff they hurriedly put in place this year in order to meet the June 30 deadline for 1.1. Enough of my babbling, onto the good stuff:

    • Relaxed firewall configuration review from three months to six.
    • Language changes to include routers into the fold (not just firewalls).
    • Clarified the requirement applies to wireless environments "attached to cardholder environment or transmitting cardholder data."
    • Got rid of WEP language... long live WEP! (just kidding of course)
    • Finally got rid of the silly SSID hiding requirement... I got in some very intense arguements here about the futality of hiding the SSID... so that's a big ITYS to my colleagues (except you Ryan).
    • Clarified the local user accounts databases need to be encrypted but the DB in my secure data center sitting behind eight layers of security devices need not go through the hassle... not that they shouldn't be encrypted... maybe I won't share that new requirement with management ;)
    • Wireless networks must follow industry best standards (whatever that means... more ambiguity!) for encryption, AAA, and transmission.
    • No new WEP implementations after the end of March 2009 (hear that, PMs... better hurry) and all existing WEP must die by June 30, 2010
    • AV is now required on all operating systems and must be kept updated and protect against known attacks
    • Thankfully loosened patching requirements to allow a risk-based prioritization of patches.
    • 6.6 is mandatory! All Internet facing websites have to either be behind a WAF or have vulnerability assessment tools pointed their direction or a rubber-glove code review
    • You have to test and verify that passwords are unreadable both at rest and in motion.
    • They did something surrounding the 2FA requirement for access but I guess we'll have to wait to get the actual requirement (bummer)
    • Passphrases join passwords as acceptable forms of authentication (another ITYS)
    • Must visit all off-site storage facilities at least once a year. (Ugh!)
    • Added some flexibility surrounding cameras to allow other access control types.
    • Finally clarified what "secure media" meant. It applies to electronic AND paper media and spells out how to destroy it.
    • External-facing devices must send their logs to internal logging servers (well DUH!)
    • Relaxed the audit trail requirement to three months immediately available; older logs can be archived as long as they can be quickly restored.
    • More guidance surrounding wireless analyzers and WIDS/WIPS; an ASV must be used for the quarterly external scans, but internal and external pen tests don't have to be done by a QSA or ASV!
    • This one I don't get: 'Expanded list of examples of critical employee-facing technologies to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)"' (Big WTF?!?!?!)
    • Security policy must be reviewed by all employees annually.
    • Cleared up language regarding service provider account access and hygiene.
    • Generally cleaned up language for consistency and clarity (we'll see about that!)
    All in all I am glad to see some of the clarifications and new requirements, but there is still enough ambiguity and confusing language in the "clarifications" to keep security professionals busy and QSAs well employed over the next few years.

    To cert, or not to cert, that is the Question: [Security Karma]

    Posted: 24 Aug 2008 02:24 PM CDT

    Mike Rothman wrote an interesting article titled "Security certifications: Are they worth the trouble?" His take was pretty close to the one I have, and his experience is in line with what I have experienced in my years within the IT field. From the article:
    I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do.
    I don't have a CISSP, nor have I earned a CEH, CISA, Security+, etc. Quite honestly I am too busy to study for any of them. I have found a few types of "certified" folks out there:
    • Smart, dedicated professional looking to expand knowledge and become an expert in their chosen field spending hours studying texts, reading white papers, etc.
    • Smart, dedicated professional that went to training and took the exam at the end because... "why not?"
    • Poor soul sent to a boot camp training course to take on new technology / responsibility that they have no experience in, took the test on Friday afternoon after getting their free travel mug and polo shirt.
    • Sales engineers and the ilk that need certifications to "prove" expertise... I still remember the CISSP, CEH, LMNOP vendor dude that didn't understand basic routing issues and insisted that eBGP could NOT be run on an internal network.
    I am, of course, taking a light-hearted jab at my certified security brethren out there. Seriously though, I have not been impressed with some of the CCIE (I helped one write an ACL on a PIX firewall once... no joke), CISSP, CEH, etc. holders that I have been meeting and interviewing lately.

    I think what is beginning to happen with security certifications is what has happened with Cisco certifications and college degrees... so many unqualified, uninterested, and incompetent people have been attaining the high level certs that they are becoming almost worthless as a selection criteria of value or knowledge.

    That being said, I would actually consider a certification that still meant something like the CISSP (but that is changing by the day) or a newer, lesser known SANS certification (management or technical tracks... I still haven't decided which direction I want my career to go). Of course that would put me in the first type of certified professional I listed above ;)

    Preaching to the choir [Security Karma]

    Posted: 24 Aug 2008 02:24 PM CDT

    Stuart King wrote an excellent post regarding how to reduce the cost of information security. His points are spot on and very similar to things I have been bringing up at work over the past few months. My organization in particular is being hit hard by current economic conditions, so it is imperative that I show value for every dollar I spend, perform thorough risk analysis on new projects, and evaluate existing security projects, services, and infrastructure for cost savings. Of course I have to do all this while maintaining (or improving) the current security posture of the enterprise.

    Good times.

    Guest Post at ZDNet Zero Day [Security Karma]

    Posted: 24 Aug 2008 02:24 PM CDT

    For your reading pleasure: a guest op-ed piece in Ryan Naraine's Zero Day blog at ZDNet.

    A recent blog proclaiming that Twitter could soon become a rival to PayPal made me shudder in fear. The blog author postulated that Twitter could offer a method to transfer money between users via "tweet." After reading these posts I thought to myself, "Cool, what a super convenient Web 2.0-ish way to lose my money!"

    There are many pitfalls to this, but I will start by tackling the obvious concerns. Twitter is extremely user-friendly, allowing users a plethora of interfaces: SMS, IM, third-party apps and Web sites, and, of course, the Twitter site itself. With so many ways to communicate, how do we verify that the person sending money is actually authorized to do so? If a Twitter user's Facebook, Google Talk, or Netvibes account becomes compromised, their money is instantly at risk. Users of SMS are at even greater risk, as there is absolutely no authentication or authorization: the phone number itself is the only way to "prove" you are the sender. Unfortunately, SMS is easily spoofed, and there are multiple Web sites and applications that allow you to send a text message from any phone number you wish. Nitesh Dhanjani wrote about how Twitter is already vulnerable to this sort of attack; imagine the havoc that would be caused by spoofed text messages that transferred funds.

    Since users are limited to 140 characters per tweet, the use of URL redirection sites is a normal (and encouraged) practice. Unfortunately, that opens up users to cross-site scripting attacks that would be crafted to send money between accounts without the user's knowledge. All a malicious user would need is one hit every once in a while to make it worth the trouble of setting up a bot to send random URLs to users. And while Twitter has said it is cracking down on bots, it is a long way from solving that problem.

    Beyond the security issue is stability. What happens to payment messages that get lost when Twitter is down? Do you resend when the site is back up? What if an acknowledgement message is lost during downtime? Twitter users have gotten used to seeing the "Fail Whale" quite often over the past few months, and they are vocal with their frustration. Multiply that frustration by the anger one would feel if his or her payment got screwed up. Availability of data is one of the cornerstones of security, and until Twitter has its stability problems fixed, any payment system would be a nightmare.

    Many of the issues I bring up have possible solutions. Two-factor authentication is something that has come up as a possible solution to ensure the Twitter user is the actual account holder. But one major issue with a two-factor solution is timing. A one-time code can be attached to a message but if Twitter is down or if the message gets delayed for a period of time then the tweet will eventually get through but the code will no longer be valid. There are many other issues with two-factor authentication such as spoofing, man-in-the-middle attacks, and non-security issues such as deployment and support.

    Even if a secure method of tweeting money from one account to another can be worked out and the legal and payment issues are smoothed out, the biggest question that remains is: why bother? If I have to carry a token with me or log into the Web site to send money, the benefits of a Twitter payment system go away and I am left to wonder: "Why don't we just use PayPal?" Ultimately, that question, not ones of stability or security, is the one that will keep Twitter from joining the online payment industry anytime soon.

    Why Banks Won't Follow Blizzard And Offer Security Tokens [Security Karma]

    Posted: 24 Aug 2008 02:24 PM CDT

    I read this article over at Errata Security and this article about Blizzard (makers of StarCraft and World of Warcraft) selling security token devices for €6 on their European website. In a nutshell, you have a small device that displays a six-digit one-time code that the login server can independently compute. Coupled with a username and password it meets the standards of two-factor authentication (something you know and something you have). The general sense I get from these two blogs and others I have read on the subject is that banks and other institutions should be providing similar tokens to their customers. For instance:
    Isn't it kind of funny when an online game has better security than most banks?
    Errata Security
    If Blizzard is able to offer One Time Password Tokens for a MMORPG platform, then there is no longer a reason why your financial institute doesn't offer the same.
    I agree with the sentiment but I wanted to start a conversation regarding why you won't be seeing these tokens in the mail from your bank any time soon. The reason most banks, e-commerce sites, and even corporate VPN connections aren't protected by two-factor authentication can be broken down into a few reasons:
    • cost: additional cost to customer, shipping, inventory, infrastructure, licensing, staff, overhead, etc.
    • complexity: dealing with lost tokens, mistyped numbers causing locked accounts, countless help desk calls, etc. If you are locked out of your WoW account you can't play a game; when you are locked out of your bank account you can't pay bills, transfer funds, check your balance, etc. Simply put, the downside risk of customer inconvenience is greater than the upside of greater levels of security.
    • motive: Blizzard is providing these tokens to help secure customers' accounts, but also to further secure their future revenue stream and to combat piracy and cheating; in short, it makes business sense. Banks don't typically suffer very much if a customer account is breached, as they very rarely take the hit themselves but instead either insure against the loss (either federally or privately) or simply pass the costs on to customers.
    That being said, I do believe that either through public pressure or government mandate eventually consumers will have various security tokens to access sites. Great security, right? Imagine this world: You have a token for your bank, one for your investments, one for work, one for your 401K, one for your medical provider, one for paypal, one for amazon, one for ... you get the point. People complain about having to change passwords every 90 days and having to use special characters, imagine when we start handing them devices to forget at home, lose, break, drop in the toilet, etc.

    Perhaps there needs to be an OpenID style system of purchasing a security token that is centrally managed and can be accessed by multiple businesses. Verisign was demonstrating that very technology at the RSA conference this year. But until the technology becomes ubiquitous and cheap keep your passwords strong and your cookies safe.
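    Both the timing problem raised in the Twitter piece above (a one-time code attached to a delayed message is no longer valid when it finally arrives) and the six-digit token described in this post come down to the same mechanism: a time-based one-time code that the server recomputes and compares. The following is an added example, not code from either post or from Blizzard's or Verisign's products; the shared secret, the timestamps and the one-step clock skew are assumptions chosen for illustration. It generates codes the way a standard HMAC-based token does, and verifies them with a small acceptance window plus a replay guard, so a code that arrives a few seconds late is accepted while one queued for ten minutes during an outage is rejected.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into the token at enrolment.
# Constructed for this example only; a real seed is random and never hard-coded.
SECRET = b"example-seed-for-demo-only-1234"
STEP = 30        # seconds per code, the usual time-step for these tokens
DIGITS = 6       # six-digit display, as on the Blizzard device
BASE_TIME = 1_700_000_000  # assumed Unix time at which the user sends the tweet


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based code: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Time-based code: the counter is the number of whole steps since epoch."""
    return hotp(secret, at // step)


class Verifier:
    """Server side. Accepts a code if it matches the current step or one step
    either side (clock skew), and refuses any step that was already redeemed,
    so the same code cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.used: set[int] = set()   # counters already accepted

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if counter in self.used:
                continue               # replay guard
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


def scenario_delivery(delay_seconds: int) -> bool:
    """The user attaches the token code to a tweet at BASE_TIME; the message
    reaches the payment service delay_seconds later (e.g. queued during an outage)."""
    code_on_tweet = totp(SECRET, BASE_TIME)
    return Verifier(SECRET).verify(code_on_tweet, BASE_TIME + delay_seconds)


def scenario_replay() -> tuple[bool, bool]:
    """Attacker who saw the tweet resends the same code a couple of seconds later."""
    server = Verifier(SECRET)
    code = totp(SECRET, BASE_TIME)
    first = server.verify(code, BASE_TIME + 2)
    second = server.verify(code, BASE_TIME + 4)
    return first, second


if __name__ == "__main__":
    print("delivered after 5 s:  ", scenario_delivery(5))     # accepted
    print("delivered after 35 s: ", scenario_delivery(35))    # still inside skew
    print("delivered after 600 s:", scenario_delivery(600))   # rejected: code expired
    print("original, then replay:", scenario_replay())        # (True, False)
```

    The only knob that makes a delayed message pass is `skew_steps`, and every step of tolerance you add is also extra time for someone who saw the tweet to use the code, which is exactly the trade-off between convenience and security that both posts end on.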
