PCI nuggets
Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place.
Src: PCI council offering "milestones" for compliance - SC Magazine US
QOTD - Schneier on Data as pollution
Data is the pollution of the information age. It's a natural byproduct of every computer-mediated interaction. It stays around forever, unless it's disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after effects are toxic.
Src: The Tech Lab: Bruce Schneier | BBC NEWS
...
Just as we look back at the beginning of the previous century and shake our heads at how people could ignore the pollution they caused, future generations will look back at us - living in the early decades of the information age - and judge our solutions to the proliferation of data.
We must, all of us together, start discussing this major societal change and what it means. And we must work out a way to create a future that our grandchildren will be proud of.
QOTD - Schneier on Privacy as a basic right
Being constantly scrutinized undermines our social norms; furthermore, it's creepy. Privacy isn't just about having something to hide; it's a basic right that has enormous value to democracy, liberty, and our humanity. -- Bruce Schneier
Src: The Tech Lab: Bruce Schneier | BBC NEWS
H D Moore on The Best Defense is Information
The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case [Adobe PDF buffer overflow], like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.
Based on reports of samples collected by AV vendors as early as December 2008 and an expected patch in mid-March 2009, this attack vector will have had a cozy three-month exploitation window, more than enough time to do targeted damage.
As of Feb 25, 2009, there is as yet no good way of dealing with this exploit other than not opening PDF files with the vulnerable applications.
Updated on 2/25/2009 at 5pm CST: Adobe has released more info and is working with AV vendors. Patch still planned for March 11.
Src: The Best Defense is Information | Metasploit
Kevin Behr on How to make changes you can believe in!
Constant firefighting and uncontrolled change weakens infrastructure and creates security problems...
Your best and most talented people are stuck on the firefighting line instead of solving business problems...
Src: How to make changes you can believe in! - /kevinbehr/home
Tigger trojan takes the cake
- disables several security software products
- prevents access to kernel driver's memory (harder to detect)
- takes screen shots
- spies on browser events
- exports passwords (protected storage and over 11 popular apps)
- steals web cookies & certificates
- sniffs FTP and POP3 passwords
- collects a massive amount of system information, provides a backdoor command shell on infected machines, downloads additional malware per C&C [Command & Control] instruction, and tries to clean the system of over 20 other malware families.
The Washington Post article reports that Tigger seems to "target mainly customers or employees of stock and options trading firms," specifically: E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.
Src: Why I Enjoyed Tigger/Syzor | MNIN Security Blog
Src2: The Tigger Trojan: Icky, Sticky Stuff
Cyberwar QOTD and Consensus Audit Guidelines
We are in a war, a cyber war, and the federal government is one of many large organizations that are being targeted...
Our ability, at present, to be able to detect and defend against these attacks is really quite weak in many cases.
The CAG comprises 20 controls; the first 15 (listed first below) are automatable:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software For Which Such Configurations Are Available
- Secure Configurations of Network Devices Such as Firewalls And Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols, and Services
- Wireless Device Control
- Data Leakage Protection
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Assured Data Backups
- Security Skills Assessment and Training to Fill Gaps
On slack space, unused space, and unallocated space
Src: Don’t let what Happened to Heartland Happen to You – Part One Ascension Blog [tx @kriggins]
Gartner report on People & Passwords
'Two-thirds of U.S. consumers surveyed use the same one or two passwords for all Web sites they access that require authentication,' said Gregg Kreizman, research director at Gartner. 'Most U.S. consumers want to continue managing their passwords the same ways they do now. They don't favor using software or hardware to help manage passwords, and user-centric identity frameworks such as OpenID and information card architectures face scarce consumer demand.'
As consumers and customers, we have to demand that our data be treated with better care; however, this also means that as custodians of our own data (or data about others) we should exercise better care in keeping that data safe. That means that using your dog's name as the password to both your email account and your financial institution is not a good idea.
As a customer, I do want my financial institutions to provide me with enhanced authentication mechanisms. Just don't give me any more of those fake "two-factor authentication" mechanisms based on cognitive passwords. No matter how many questions you ask (what street were you born on, what is your dog's name, what is your hair color, etc.), they are still several single-factor challenges of the same kind, something you know.
Src: Gartner Press Release Says Consumers Are Unwilling to Sacrifice Convenience for Security, Despite Widespread Online Fraud | Gartner
Bill Brenner on Insider Threat
If enterprise security shops are only now discovering the insider threat and the need for a layered defense with tighter access controls, they have bigger problems than the current recession.
Companies should not only have processes for deprovisioning employees who have left, but also appropriate controls and processes for the employees who are still employed:
One could also argue that laid-off employees aren't as big a threat as those who remain on the inside with access to data they can sneak off to black marketers offering cash for proprietary data one can only obtain if they're still on the inside.
Src: Laid-off Workers as Data Thieves? | CSO Online - Security and Risk
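The deprovisioning point above, and the "Dormant Account Monitoring and Control" item in the CAG list earlier on this page, both reduce to one routine check: reconcile the accounts that are enabled in the directory against the HR roster. The script below is an added example written for this page, not code from the CSO article or the CAG; the roster, the directory export and the field names are constructed stand-ins for whatever HR feed and directory dump a given organization has.

```python
"""Reconcile enabled directory accounts against the HR roster.

Added example, not from the CSO article or the CAG. The roster, directory
export and field names are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> name and employment status.
HR_ROSTER = {
    "e100": {"name": "Ada Example", "status": "active"},
    "e101": {"name": "Bob Example", "status": "terminated"},
    "e102": {"name": "Cy Example", "status": "active"},
}

# Constructed directory export: one record per account.
DIRECTORY = [
    {"account": "ada", "owner": "e100", "enabled": True, "last_logon": date(2009, 3, 1)},
    {"account": "bob", "owner": "e101", "enabled": True, "last_logon": date(2009, 2, 20)},
    {"account": "cy", "owner": "e102", "enabled": True, "last_logon": date(2008, 10, 1)},
    {"account": "svc_backup", "owner": None, "enabled": True, "last_logon": None},
    {"account": "old_admin", "owner": "e101", "enabled": False, "last_logon": date(2007, 1, 1)},
]


def reconcile(roster, directory, today, dormant_days=90):
    """Return the accounts that need attention, grouped by finding.

    orphaned:          enabled account with no matching HR record (for
                       example a service account nobody owns)
    not_deprovisioned: enabled account whose HR owner is no longer active
    dormant:           enabled account with no logon in the last dormant_days
    Disabled accounts are skipped; they cannot be used to walk data out.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings = {"orphaned": [], "not_deprovisioned": [], "dormant": []}
    for acct in directory:
        if not acct["enabled"]:
            continue
        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            findings["orphaned"].append(acct["account"])
        elif owner["status"] != "active":
            findings["not_deprovisioned"].append(acct["account"])
        last = acct["last_logon"]
        if last is None or last < cutoff:
            findings["dormant"].append(acct["account"])
    return findings


if __name__ == "__main__":
    for kind, accounts in reconcile(HR_ROSTER, DIRECTORY, date(2009, 3, 10)).items():
        print(f"{kind}: {', '.join(accounts) or '-'}")
```

Run against the constructed data on 2009-03-10 it flags bob (terminated but still enabled), cy (no logon in 90 days) and svc_backup (no owner at all, and never logged on). The disabled old_admin account is deliberately ignored: the point of the check is accounts that can still be used, not the history of who once had one.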
Move over LinkedIn - Hello Twitter [v1.2]
03/09/09: added more categories of infosec folks to follow
02/23/09: added a top 10 of the who's who in infosec on Twitter
For InfoSec folks, Twitter's where the action is. While LinkedIn is touted as the meeting space for professionals, Twitter allows for much more open, instantaneous interactions between information security folks, regardless of one's credentials or professional baggage. For example, a former student of mine now regularly exchanges tweets (i.e. Twitter messages) with one of the top SANS authors and instructors. On LinkedIn, such interactions would require finding a common discussion forum or, harder yet, establishing a direct connection between the parties, with all of the prerequisite level of trust that implies.
However, this open playground for the superstars of InfoSec may not last forever. As one's following grows, one is less likely to follow back in order to stay focused. I find myself in this position, having to resist following back in order to be able to focus my attention on those I wish to learn from. That is not to say that those I do not follow have nothing to offer, but that I have to manage my time to make the most of it. I have gone through several rounds of pruning in the past weeks, and still end up with over one hundred (100) security folks that I want to follow.
There are also possible changes looming on the horizon, stemming from Twitter's own survival and its need to make money out of the social networking space.
This is a unique moment in time, a gathering of sorts, so if you are in (or interested in) Information Security, embrace Twitter and join this cohort of security veterans and novices.
Update1:
To encourage some of my security colleagues to join Twitter and get instant value added, I created a list of ten security folks to follow on Twitter. This is of course only a start and I welcome any additional suggestions along with reasons to follow.
- @securitytwits - gathering of security folks from all walks of life
- @stiennon - former Gartner analyst, now independent speaker and prolific blogger
- @rmogull - former Gartner analyst, co-host NetSecPodcast
- @kriggins - jack of all trades, and from nearby Iowa
- @edskoudis - master SANS instructor, and co-founder InGuardians
- @PrivacyProf - top-rated privacy speaker, from nearby Iowa
- @jeremiahg - web-app vulnerability researcher and CTO of White Hat Security
- @alexhutton - risk management
- @catalyst - all around governance and staying positive
- @BrianHonan - European (Ireland) security perspective, member SANS NewsBites advisory board
Thanks to all for your feedback. Here's an extended list:
- Infosec Podcasters:
  - @mckeay & @rmogull: Martin McKeay & Rich Mogull of the Network Security podcast
  - @pauldotcom: Paul & Larry of the PaulDotCom Security Weekly podcast
  - @riskybusiness: Patrick Gray of the Risky Business security podcast
- Security vendors (a select few):
  - @SANSInstitute: Official updates from SANS - useful security tips
  - @SANS_ISC: SANS Internet Storm Center - stay current
  - @CoreSecurity: Often provides goodies for followers, including direct links to webcasts and slides
- More to come
SSN ghosts still haunt academia
In keeping with the academic tradition of being repositories of knowledge, universities and their staff (faculty included) have often collected data that included sensitive information such as Social Security numbers. IT departments across academia have the arduous task of finding and securing (or disposing of) this data before someone else finds it. Even with appropriate data retention policies in place, IT may still have to plead, negotiate, or persuade university staff (all ranks and all departments) to acknowledge that this data exists.
Src: Three months, three breaches at the Univ. of Florida-Gainesville
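Finding the data is the part IT can actually automate: a scan of shared drives and old spreadsheets for SSN-shaped values, filtered by the structural rules the SSA publishes so that phone numbers and ZIP+4 codes do not drown the report. The scanner below is an added example written for this page, not a tool from the article; the sample text it runs over is constructed, and the only rules it applies are the public ones (areas 000, 666 and 900-999, group 00 and serial 0000 are never issued, and 078-05-1120 is the well-known bogus "wallet card" number).

```python
"""Find SSN-looking values in text, with the structural checks the SSA publishes.

Added example, not from the article. The sample text is constructed.
"""
import re

# Same separator (dash, space or none) on both sides, not glued to other digits,
# so 10-digit phone numbers and ZIP+4 codes do not match.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Numbers the SSA has publicly retired; 078-05-1120, the number printed on
# sample cards sold in wallets decades ago, is the classic example.
_KNOWN_BOGUS = {("078", "05", "1120")}


def is_plausible_ssn(area, group, serial):
    """Structural rules only: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return (area, group, serial) not in _KNOWN_BOGUS


def find_ssns(text):
    """Return (line_number, masked_value) for each plausible SSN in text.
    Only the last four digits are kept, so the report itself does not
    become one more copy of the sensitive data."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append((lineno, f"***-**-{serial}"))
    return hits


# Constructed sample: one real-looking roster line, one unissued number,
# one with spaces, the bogus wallet-card number, a phone number and a ZIP+4.
SAMPLE = """Student roster (spring 2004)
Jane Roe, 123-45-6789, jroe@example.edu
John Doe, 000-12-3456, jdoe@example.edu
Employee Ann Li, SSN 321 54 9876
Sample card: 078-05-1120
Phone: 555-123-4567 ext 4401
Zip 52242-1234
"""

if __name__ == "__main__":
    for lineno, masked in find_ssns(SAMPLE):
        print(f"line {lineno}: {masked}")
```

On the constructed sample only lines 2 and 4 are reported; the unissued area 000, the wallet-card number, the phone number and the ZIP+4 are all dropped. For a real sweep, point `find_ssns` at the decoded text of each file (spreadsheets and PDFs need extracting first) and treat the hit list as a work queue for the "plead, negotiate, or persuade" step rather than as a proof of exposure.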
Cloning security - when attackers go after security resources
Src: Cloning Security | HostExploit.com
QOTD - Schneier on data breach laws
The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control – or even knowledge – of the company's security practices. -- Bruce Schneier
Years ago, I had the chance to attend a presentation by Bruce Schneier where he covered the various drivers to improve information security (legislation, insurance, loss of customers). In this article, Bruce expands on the need for data breach notification laws and makes the case for stronger authentication around the use of credit (to mitigate ID theft).
Src: Why security breach notification laws are a good thing | OUT-LAW.COM
QOTD - Alan Paller on due care and cyber lawsuits
Since security probably will never be perfect, what is needed is a minimum standard of due care that agencies, companies, and courts can use to determine how much and what kind of investment in security is 'enough'. -- Alan Paller, Director of Research at the SANS Institute
Src: SANS NewsBites Vol 11 Num 14
The History of the Internet (video)
Src: The History of the Internet | Room362.com [tx @mubix]
Comments on The Balkanization of Web Application Security
The first thing you must understand is no single solution will solve your web security issues, each has its strengths and weaknesses. In order to have a comprehensive solution you need to be doing all of them in some capacity. This comes as a shock to most people I speak with who think web application security is just one more thing that needs just one solution.
The single-solution idea easily appeals to IT and security folks, as well as their management. Often based on marketing hype, it is amplified by a lack of appreciation for the complexity of the problem and by the piecemeal information the vendor provides about the inner workings of a particular solution.
Business[es] need to properly assess the risk to their companies['] assets in order to match the security spend[ing] with the value of the asset. This is not always easy as many web application assets have grown out of the view of information security. Ask yourself how many web sites does your company have, what do they do (business wise), what data they have access to and how valuable that is. Now double the number of web sites because I can guarantee you have underestimated, even the most mature programs still have big gaps in their knowledge of their web assets.
I also agree with this statement. During various information security assessments I have seen that the IT department is often unaware of the IT-based solutions other departments have implemented on their own. Sadly, this is often the result of one too many "No!" replies from IT, which sends the offending business unit looking for its own solution, circumventing IT altogether.
IT departments need a can-do attitude towards their constituents, or at the very least should take the time to explain the business (i.e. security) concerns around each request. As the saying goes, what you do not know, you cannot control.
Src: The Balkanization of Web Application Security | The Security Catalyst
Twitter attackers can prey on their victims from afar
One source of this problem may be the blind trust people have in this new medium, leading them to follow others without a second thought. The other may be of your own doing: if you use a tool like Twollow to automatically follow people based on certain keywords, you could easily find yourself following some nefarious characters whose aim is to trick you into clicking on a link.
FYI, fakers and spammers are usually identifiable by a combination of empty accounts with fake names, no updates, no followers, or bios which point to obvious spam (or worse, phishing) sites.
Ultimately, there is no substitute for common sense - before following someone who just started following you, review their Twitter profile, their post activity, the kind of people that they follow and who follows them.
NetworkWorld has a related post on 3 Ways Twitter Security Falls Short.
QOTD - John Pescatore on Maxwell AFB cutting off Internet access
What cutting off Internet connections or banning USB drives does not do is change behavior - once the ban is off, if processes are not changed and technological controls are not in place, the behavior returns. Humans are and will always be human - see the diet industry for a simple example.
Src: John Pescatore Blog | Gartner Blog Network
Another Exploit Targets IE7 Bug [updated]
In case you needed yet another reason to apply patches, read this short but well illustrated article from TrendMicro about an active threat vector fixed by MS09-002.
Another solution? Use an alternative browser - Firefox + NoScript is one of the best security combos currently available.
Src: Another Exploit Targets IE7 Bug | Trend Micro
LongURL - A neat add-on for Twitter
Thanks to a few well-known fellow Twitter users my initial tweet got picked up and, before I had the chance to post a blog entry of my own, Graham Cluley of Sophos had blogged about it. Be sure to stop by and read his blog entry. At the very least LongURL could prevent an embarrassing Rick-Roll.
Src: A neat add-on for Twitter | Graham Cluley's blog [also on Twitter as @gcluley]
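What LongURL does in the browser can be done on the command line or in a script: walk the redirect chain with HEAD requests so no page is ever loaded, stop after a few hops, and refuse loops. The resolver below is an added example written for this page, not the add-on's code. Because it must run offline, it ships with a constructed stand-in "shortener" on localhost whose redirect table (/a to /b to /final, plus a two-link loop) is an assumption made for the demo; point `expand_short_url` at a real shortened link to use it for real.

```python
"""Expand a shortened link hop by hop before anyone clicks it.

Added example, not the LongURL add-on's code. HEAD requests only, so no page
body is fetched; hops are capped and loops refused. The fake shortener is a
local stand-in constructed so the example runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5


def expand_short_url(url, max_hops=MAX_HOPS):
    """Return (final_url, hops). Raises ValueError on a loop, on too many
    hops, or on a non-http(s) destination (a javascript: or file: Location
    is itself a red flag)."""
    seen = []
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"refusing to follow {url!r}")
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=5)
        try:
            path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
            conn.request("HEAD", path)
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if not (300 <= status < 400 and location):
            return url, len(seen)          # not a redirect: this is the destination
        nxt = urljoin(url, location)       # Location may be relative
        if nxt in seen or nxt == url:
            raise ValueError(f"redirect loop at {nxt!r}")
        seen.append(url)
        url = nxt
    raise ValueError(f"more than {max_hops} redirects")


class _FakeShortener(BaseHTTPRequestHandler):
    """Constructed redirect table standing in for a real shortener."""
    CHAIN = {"/a": "/b", "/b": "/final", "/loop1": "/loop2", "/loop2": "/loop1"}

    def do_HEAD(self):
        target = self.CHAIN.get(self.path)
        if target:
            self.send_response(301)
            self.send_header("Location", target)
        else:
            self.send_response(200 if self.path == "/final" else 404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class local_shortener:
    """Context manager: start the fake shortener on an ephemeral port and
    hand back its base URL."""
    def __enter__(self):
        self._server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
        threading.Thread(target=self._server.serve_forever, daemon=True).start()
        return f"http://127.0.0.1:{self._server.server_address[1]}"

    def __exit__(self, *exc):
        self._server.shutdown()
        self._server.server_close()


def demo():
    """Run both cases against the stand-in: (ends at /final, hops, loop caught)."""
    with local_shortener() as base:
        final, hops = expand_short_url(base + "/a")
        try:
            expand_short_url(base + "/loop1")
            loop_detected = False
        except ValueError:
            loop_detected = True
    return final.endswith("/final"), hops, loop_detected


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. HEAD rather than GET means the resolver never executes or renders whatever waits at the end of the chain, which is the whole point of looking before clicking. And the hop cap plus loop check keep a malicious shortener from tying the resolver up indefinitely; a chain longer than a handful of hops is worth treating as suspicious in its own right.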
QOTD - Honan on criminals using new technologies
New technologies will always be exploited by criminals for their own means. Law enforcement needs to accept that fact and develop strategies to deal with the problem.
He went on to provide recent examples of law enforcement reportedly taking the matter into their own hands, adopting a stance which reminds me of the saying: "if you can't beat them [hackers & criminals], join them [hackers & criminals]".
German police have been reported to be developing a Trojan aimed at eavesdropping on Skype http://www.theregister.co.uk/2008/01/29/skype_trojan/, while the NSA is reported to be offering large sums of money to anyone who can develop a reliable means of eavesdropping on Skype calls and messaging http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage
Src: SANS NewsBites Vol 11 Num 13
Do as I Say, Not as I Do
Src: Do as I Say, Not as I Do | The Security Catalyst
I like what you have to say and agree with many of your points. However, I believe you're mixing two different concepts in order to make your points: 1) security pros in the work vs home environment and 2) how others react to security controls/policies.
Regarding 1) security pros are people just like anybody else and have to manage their own time/lives given the risk environment. Indeed, it means that home security practices are not as thorough as they are at work. But I would argue that this is just the way it should be. At work, you are paid for your time (and your security input), presumably to help the business in its profitable endeavors. At home, you are primarily liable only to yourself and your family for food & shelter. If your spouse or your family could pay your security salary to monitor and enforce enterprise-class controls at home, why would you go to work at all? The level of security needed at home cannot be the same as required at work as both the risks and the users are vastly different.
Regarding 2) security pros are people just like anybody else and have to lead the way by acting within the confines of well established security parameters (i.e. policies). Of course, as you pointed out, if those parameters are too strict, you will often find that the IT and/or security folks grant themselves shortcuts which potentially weaken security of the entire organization.
As a faculty member, I have the unique privilege of being able to shape young minds by providing insights into security best practices. I never pass an opportunity to cover the meaning of good governance and the necessity for balanced security controls that work for everyone, including IT.
Are credit cards worth the risk?
I suspect the cost of implementing PCI controls will far outweigh the potential profit of taking credit card numbers and storing them, even if you already have many of the safeguards in place.
Src: Are credit cards worth the risk? | Network Security Blog
When Mashups Intrude on Privacy (CA Prop8)
While these contribution records are public record, the idea that your name and mapped street are online could be considered unnecessarily invasive. The mashup offers great information, but is the backlash and privacy invasion worth it?
I think the fight was lost long ago when we allowed phone directories to print names and addresses.
Src: When Mashups Intrude on Privacy | Poynter Online - Al's Morning Meeting
Canadian Youth Privacy Video Winner Announced
Src: News Release: Office of the Privacy Commissioner
Copy/paste snafu exposes settlement details
Src: The AP Reveals Details of Facebook/ConnectU Settlement With Greatest Hack Ever [tx @mckeay]
10 Things About Hard Drives You Didn't Know (ShmooCon'09 - YouTube)
- http://www.youtube.com/watch?v=fst8IZup44c
- http://www.youtube.com/watch?v=wXmennd0xkM
- http://www.youtube.com/watch?v=_Iw2I2hxjSA
- http://www.youtube.com/watch?v=GZLLeMP6uII
- http://www.youtube.com/watch?v=ylEiGEcKqN0
Facebook photos authorization bypass (yet another)
Src: Light Blue Touchpaper » Blog Archive » New Facebook Photo Hacks [Tx @innismir @kaospunk]
[photo-size][uid]_[pid]_[PIN].jpg
Photo-size is just a character in the set {t, s, n} representing the resolution of the image, uid is the user ID of the user who uploaded the photo, pid is a photo ID, and PIN is a four-digit random number [which is actually not as random as it initially appears]
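The weakness in the scheme quoted above is not that the PIN is poorly generated but that a four-digit value cannot be an authorization control at all: a web server that answers 200 or 404 per file name is an oracle, and 10,000 guesses per photo is nothing. The block below is an added example written for this page, not Facebook's code. It builds the file name exactly as the page describes it, counts the guesses a PIN costs, and then shows the usual alternative, a per-link HMAC over the photo identity plus an expiry. The signing key, the /photos/ path and the exp/sig parameter names are assumptions chosen for illustration.

```python
"""Capability URLs: a four-digit PIN versus an HMAC-signed, expiring token.

Added example, not Facebook's code. The weak name follows the page's
description; the signed scheme, key, path and parameter names are assumed.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

PHOTO_SIZES = "tsn"   # thumbnail, small, normal, as described on the page


# --- the weak scheme: [size][uid]_[pid]_[PIN].jpg ---------------------------
def weak_photo_name(size, uid, pid, pin):
    """Build the file name the page describes; the PIN is four digits."""
    assert size in PHOTO_SIZES
    return f"{size}{uid}_{pid}_{pin:04d}.jpg"


def guesses_to_find_pin(oracle):
    """Count the file names an attacker must try before `oracle` accepts one.
    Four digits means at most 10,000 names per photo; a server answering
    200/404 per request is exactly such an oracle."""
    for tries, pin in enumerate(range(10_000), start=1):
        if oracle(pin):
            return tries
    return None


# --- the hardened scheme: HMAC over the photo identity plus an expiry -------
def _sign(size, uid, pid, expires, key):
    msg = f"{size}|{uid}|{pid}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_photo_url(size, uid, pid, key, now, ttl=600):
    """Mint a link only the key holder can produce, dead after ttl seconds."""
    assert size in PHOTO_SIZES
    expires = now + ttl
    sig = _sign(size, uid, pid, expires, key)
    return f"/photos/{size}{uid}_{pid}.jpg?exp={expires}&sig={sig}"


def verify_photo_url(url, key, now):
    """Server-side check: reject expired links and any link whose signature
    does not match. compare_digest keeps the comparison constant-time, so
    the server does not leak how many leading bytes of a guess were right."""
    parts = urlsplit(url)
    m = re.fullmatch(r"/photos/([tsn])(\d+)_(\d+)\.jpg", parts.path)
    if not m:
        return False
    size, uid, pid = m.groups()
    q = parse_qs(parts.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False
    return hmac.compare_digest(_sign(size, uid, pid, expires, key), sig)


if __name__ == "__main__":
    key = b"constructed-server-key"   # assumption: a real key lives in a secrets store
    target = weak_photo_name("n", 12345, 678, 4711)
    print("guesses:", guesses_to_find_pin(lambda p: weak_photo_name("n", 12345, 678, p) == target))
    url = signed_photo_url("n", 12345, 678, key, now=1_236_000_000)
    print(url)
    print("fresh:", verify_photo_url(url, key, 1_236_000_100),
          "expired:", verify_photo_url(url, key, 1_236_001_000))
```

The signed form has 256 bits of unguessable material instead of about 13, and the expiry means a link that leaks (in a referrer, a proxy log, a forwarded e-mail) stops working on its own. Note that the signature binds the size, uid and pid together: changing any of them in a signed link invalidates it, which is exactly what the PIN scheme failed to do.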
Northcutt on Printers
A modern printer is a computer. Anything that can happen to a computer can happen to a printer, especially an advanced printer. -- Stephen Northcutt, President, SANS Technology Institute.
Src: SANS NewsBites
"Rickrolling" - an emerging attack vector
Src: Ever heard the term "Rickrolling"? Malware distributors have... - PandaLabs [tx @lithium]
QOTD - Security & Users
The battle [against malware] that will never be won is gaining security by asking the user to make an intelligent decision about what is safe or not. Users will enter their admin password if asked nicely by software. -- Johannes Ullrich, CTO of SANS ISC
Src: SANS NewsBites Vol 11 Num 10
Unauthorized File Access in HP LaserJets
This is by no means a new attack vector; medium- to high-end printers often cache large or graphics-intensive documents on local storage. Yet printers are often treated as write-only devices and left out of regular patch cycles. Network printers, which are often used to print sensitive documents, should only be reachable from machines and networks with a business need (i.e. not the whole organization, and certainly not the Internet).
Src: SANS Internet Storm Center
Quote on freedom vs security
Anyone who trades liberty for security deserves neither liberty nor security. -- Benjamin Franklin
Src: BrainyQuote.com