PCI nuggets

The PCI will be releasing milestones for compliance, which I call "nuggets" for now until they get officially published; others might call it a roadmap or a prioritized list.
Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place.
Src: PCI council offering "milestones" for compliance - SC Magazine US

QOTD - Schneier on Data as pollution

Data is the pollution of the information age. It's a natural byproduct of every computer-mediated interaction. It stays around forever, unless it's disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after effects are toxic.
...
Just as we look back at the beginning of the previous century and shake our heads at how people could ignore the pollution they caused, future generations will look back at us - living in the early decades of the information age - and judge our solutions to the proliferation of data.
We must, all of us together, start discussing this major societal change and what it means. And we must work out a way to create a future that our grandchildren will be proud of.
Src: The Tech Lab: Bruce Schneier | BBC NEWS

QOTD - Schneier on Privacy as a basic right

Being constantly scrutinized undermines our social norms; furthermore, it's creepy. Privacy isn't just about having something to hide; it's a basic right that has enormous value to democracy, liberty, and our humanity. -- Bruce Schneier
Src: The Tech Lab: Bruce Schneier | BBC NEWS

H D Moore on The Best Defense is Information

H D Moore, founder of the Metasploit project, writes about the need for vendors to come forward with information when faced with reports of exploits for their products.
The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case [Adobe PDF buffer overflow], like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.
Based on reports of samples collected by AV vendors as early as December 2008 and an expected patch in mid-March 2009, this attack vector will have had a cozy 3 month exploitation window, more than enough time to do targeted damage.

As of Feb 25, 2009, there are as of yet no good ways of dealing with this exploit other than not opening PDF files using the vulnerable software applications.

Updated on 2/25/2009 at 5pm CST: Adobe has released more info and is working with AV vendors. Patch still planned for March 11.

Src: The Best Defense is Information | Metasploit

Kevin Behr on How to make changes you can believe in!

Good article by Kevin Behr about the need to move IT away from firefighting and steer it towards achieving business goals. Some notable statements:
Constant firefighting and uncontrolled change weakens infrastructure and creates security problems...

Your best and most talented people are stuck on the firefighting line instead of solving business problems...
Src: How to make changes you can believe in! - /kevinbehr/home

Tigger trojan takes the cake

If there was a competition for best-designed piece of malware, the Tigger trojan would likely take the cake. This is one of those worse-than-you-could-ever-imagine piece of malware that combines features from the best (worst) of them all. For a complete list, see the blog post by MNIN Security. Features include:
  • disables several security software products
  • prevents access to kernel driver's memory (harder to detect)
  • takes screen shots
  • spies on browser events
  • exports passwords (protected storage and over 11 popular apps)
  • steals web cookies & certificates
  • sniffs FTP and POP3 passwords
Tigger apparently
collects a massive amount of system information, provides a backdoor command shell on infected machines, downloads additional malware per C&C [Command & Control] instruction, and tries to clean the system of over 20 other malware families.
The Washington Post article reports that Tigger seems to "target mainly customers or employees of stock and options trading firms," specifically: E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.

Src: Why I Enjoyed Tigger/Syzor | MNIN Security Blog
Src2: The Tigger Trojan: Icky, Sticky Stuff

Cyberwar QOTD and Consensus Audit Guidelines

Amid much anticipation and press, a conglomerate of US agencies (incl. NSA, US-CERT, DoD) and the SANS Institute have released the Consensus Audit Guidelines (CAG). John Gilligan, CAG project leader and former CIO for both the USAF and DOE, said:
We are in a war, a cyber war, and the federal government is one of many large organizations that are being targeted...
Our ability, at present, to be able to detect and defend against these attacks is really quite weak in many cases.
The CAG is comprised of 20 controls, with 1-15 being automatable.
  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available
  4. Secure Configurations of Network Devices Such as Firewalls And Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Assured Data Backups
  20. Security Skills Assessment and Training to Fill Gaps
Src: Defense agencies list top 20 security controls | CNET News

On slack space, unused space, and unallocated space

Computer concepts in general, and forensic concepts are particular are often hard to explain to lay folks. This article does a good job at providing analogies for slack space, unused space, and unallocated space.

Src: Don’t let what Happened to Heartland Happen to You – Part One Ascension Blog [tx @kriggins]

Gartner report on People & Passwords

"It won't happen to me" seems to be the behavior exhibited by US consumers in light of the Gartner report entitled "Consumers Don't Want to Change the Ways They Manage Online Passwords". The findings are unlikely to come as a surprise to any security professional.
'Two-thirds of U.S. consumers surveyed use the same one or two passwords for all Web sites they access that require authentication,' said Gregg Kreizman, research director at Gartner. 'Most U.S consumers want to continue managing their passwords the same ways they do now. They don't favor using software or hardware to help manage passwords, and user-centric identity frameworks such as OpenID and information card architectures face scarce consumer demand.'
As consumers and customers, we have to demand that our data be treated with better care; however, this also means that as custodians of our own data (or data about others) we should exercise better care in keeping that data safe. That means that using your dog's name as your password to your email account and your financial institution is not a good idea.

As a customer, I do want my financial institutions to provide me with me enhanced authentication mechanisms. Just don't give me any more of those fake "two-factor authentication" mechanisms based on cognitive passwords - those are really just several single factor authentication challenges, no matter how many questions you ask (what street where you born on, what is you dog's name, what is your hair color, etc).

Src: Gartner Press Release Says Consumers Are Unwilling to Sacrifice Convenience for Security, Despite Widespread Online Fraud | Gartner

Bill Brenner on Insider Threat

Bill Brenner, Senior Editor at CSO Online, wrote an article in response to a recent Symantec / Ponemon Institute survey which found that 79% percent of respondents took data without an employer's permission and 24% still had access to company systems after leaving the company. Bill's point is that this is nothing new:
If enterprise security shops are only now discovering the insider threat and the need for a layered defense with tighter access controls, they have bigger problems than the current recession.
Companies should not only have processes for deprovisioning employees that have left, but also appropriate controls and processes for the employees that are still employed:
One could also argue that laid-off employees aren't as big a threat as those who remain on the inside with access to data they can sneak off to black marketers offering cash for proprietary data one can only obtain if they're still on the inside.
Src: Laid-off Workers as Data Thieves? | CSO Online - Security and Risk

Move over LinkedIn - Hello Twitter [v1.2]

Last updated:
03/09/09: added more categories of infosec folks to follow
02/23/09: added a top 10 of the who's who in infosec on Twitter

For InfoSec folks, Twitter's where the action is. While LinkedIn is touted as the meeting space for professionals, Twitter allows for much more open, instantaneous interactions between information security folks, regardless of one's credentials or professional baggage. For example, a former student of mine now regularly exchanges tweets (i.e. twitter messages) with one of the top SANS author and instructor. In LinkedIn, such interactions would require finding a common discussion forum, or harder yet, to establish a direct connection between parties, with all of the prerequiste level of trust implied.

However, this open playground for the superstars of InfoSec may not last forever. As one's following grows, they are less likely to follow back in order to stay focused. I find myself in this position, having to resist following back in order to be able to focus my attention on those that I wish to learn from. That is not to say that those that I do not follow have nothing to offer, but that I have to manage my time to make the most of it. I have gone through several rounds of pruning in the past weeks, and still end up with over one hundred (100) security folks that I want to follow.

There are also possible changes looming on the horizon, stemming from Twitter's own survival and its need to make money out of the social networking space.

This is a unique moment in time, a gathering of sorts, so if you are in (or interested in) Information Security, embrace Twitter and join this cohort of security veterans and novices.

Update1:
To encourage some of my security colleagues to join Twitter and get instant value added, I created a list of ten security folks to follow on Twitter. This is of course only a start and I welcome any additional suggestions along with reasons to follow.
  1. @securitytwits - gathering of security folks from all walks of life
  2. @stiennon - former Gartner analyst, now independent speaker and prolific blogger
  3. @rmogull - former Gartner analyst, co-host NetSecPodcast
  4. @kriggins - jack of all trades, and from nearby Iowa
  5. @edskoudis - master SANS instructor, and co-founder InGuardians
  6. @PrivacyProf - top-rated privacy speaker, from nearby Iowa
  7. @jeremiahg - web-app vulnerability researcher and CTO of White Hat Security
  8. @alexhutton - risk management
  9. @catalyst - all around governance and staying positive
  10. @BrianHonan - European (Ireland) security perspective, member SANS NewsBites advisory board
Update2:
Thanks to all for your feedback. Here's an extended list:
  • Infosec Podcasters:
    • @mckeay & @rmogull: Martin McKeay & Rich Mogull of the Network Security podcast
    • @pauldotcom: Paul & Larry of the PaulDotCom Security Weekly podcast
    • @riskybusiness: Patrick Gray of the Risky Business security podcast
  • Security vendors (a select few):
    • @SANSInsitute: Official updates from SANS - useful security tips
    • @SANS_ISC: SANS Internet Storm Center - stay current
    • @CoreSecurity: Often provides goodies for followers, including direct links to webcasts and slides
  • More to come

SSN ghosts still haunt academia

While it is easy and tempting to point the finger at the University of Florida in light of the details about the latest data breach - the 3rd in 3 months according to ComputerWorld (Feb 17, 2009 notification letter) - it is likely that many academic institutions could find themselves in similar situation due to data remnants dating back to widespread use of social security numbers (SSN).

In keeping with the academic tradition of being repositories of knowledge, universities and their staff (faculty included) often collected data that included sensitive information. IT departments across academia have the arduous task of finding and securing (or disposing) of this data before someone else finds it. With appropriate data retention policies in place, IT may still have to plead, negotiate, or persuade university staff (all ranks and all departments) to acknowledge the existence of this data.

Src: Three months, three breaches at the Univ. of Florida-Gainesville

Cloning security - when attackers go after security resources

It's no secret that attackers are constantly shifting their tactics, thereby staying miles (or at least hundreds of feet) ahead of the game. This latest round is troubling as attackers have now taken to duplicate legitimate security web sites and, as expected, enhanced them with their malware. The result is that it will be become increasingly difficult for average folks to know where to go to get help.

Src: Cloning Security | HostExploit.com

QOTD - Schneier on data breach laws

The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control – or even knowledge – of the company's security practices. -- Bruce Schneier
Years ago, I had the chance to attend a presentation by Bruce Schneier where he covered the various drivers to improve information security (legislation, insurance, loss of costumers). In this article, Bruce expands on the need for data breach notification laws and makes the case for stronger authentication around the use of credit (to mitigate ID theft).

Why security breach notification laws are a good thing | OUT-LAW.COM

QOTD - Alan Paller on due care and cyber lawsuits

Alan Paller, Director of Research at the SANS Institute, wrote the editorial opinion on the recent lawsuits against RBS (Royal Bank of Scotland), Heartland Payment Systems, and the US Veterans Administration:
Since security probably will never be perfect, what is needed is a minimum standard of due care that agencies, companies, and courts can use to determine how much and what kind of investment in security is 'enough'. -- Alan Paller, Director of Research at the SANS Institute
Src: SANS NewsBites Vol 11 Num 14

The History of the Internet (video)

Every once in a while, a gem emerges amid the flurry of mindless multimedia content. This time, it is a video about the History of the Internet created by PICOL and hosted on Vimeo. I wish that this presentation had been available a decade ago when I was teaching an Introduction to Data Communications and Networking class.


Src: The History of the Internet | Room362.com [tx @mubix]

Comments on The Balkanization of Web Application Security

Bill Pennington, a contributor for the SecurityCatalyst blog, framed the debate over web application firewalls this way:
The first thing you must understand is no single solution will solve your web security issues, each has it’s strengths and weaknesses. In order to have a comprehensive solution you need to be doing all of them in some capacity. This comes as a shock to most people I speak with who think web application security is just one more thing that needs just one solution.
The single solution idea is one that easily appeals to IT and security folks, as well as their management. Often based on marketing hype, it is amplified by a lack of appreciation for the complexity of the problem and the piecemeal information provided by the vendor about the inner workings of a particular solution.
Business[es] need to properly assess the risk to their companies['] assets in order to match the security spend[ing] with the value of the asset. This is not always easy as many web application assets have grown out of the view of information security. Ask yourself how many web sites does your company have, what do they do (business wise), what data they have access to and how valuable that is. Now double the number of web sites because I can guaranty you have underestimated, even the most mature programs still have big gaps in their knowledge of their web assets.
I also agree with this statement and have witnessed, during various information security assessments, that the IT department is often unaware of the IT-based solutions other departments have implemented without the knowledge of the IT department. Sadly, this is often due to one too many "No!" replies from IT, which sends the offending business unit to look for its own solution, thereby circumventing IT altogether.

IT departments need to have a yes-can-do attitude towards their constituents, or at the very least take the time to explain the business (i.e. security) concerns around various request. As the saying goes, what you do not know, you cannot control.

Src: The Balkanization of Web Application Security | The Security Catalyst

Twitter attackers can prey on their victims from affar

Reviewing my Twitter followers to get rid of obvious fakers/spammers, I found what could be a new (and stealthy) means for attackers to find easy prey: search for people who follow others too willingly. This is twist on the straightforward search for victims which would simply attempt to lure you into following them by first following you. What I'm describing is one step removed from that, somewhat of an indirect attack in which other attackers can hone in on you by looking at who you have chosen to follow.

One source of this problem may come from the blind trust that people have in this new media leading them to follow others without a second thought. The other may be due to your own doing; if you use a tool like Twollow to automatically follow people based on certain keywords, you could easily find yourself following some nefarious characters whose aim may be to trick you into clicking on a link.

FYI, faker/spammer are usually identifiable by a combination of empty accounts with fake names, no updates, no followers, or bios which point to obvious spam (or worse, phishing) sites.

Ultimately, there is no substitute for common sense - before following someone who just started following you, review their Twitter profile, their post activity, the kind of people that they follow and who follows them.

NetworkWorld has a related post on 3 Ways Twitter Security Falls Short.

QOTD - John Pescatore on Maxwell AFB cutting off Internet access

What cutting off Internet connections or banning USB drives does not do is change behavior - once the ban is off, if processes are not changed and technological controls are not in place, the behavior returns. Humans are and will always be human - see the diet industry for a simple example.
Src: John Pescatore Blog | Gartner Blog Network

Another Exploit Targets IE7 Bug [updated]

[Update: The SANS Internet Storm Center has confirmed reports of this exploit being used in the wild. While current usage relies on MS Word documents, drive-by-attacks are possible. Remediation: apply MS patches. SANS ISC Diary entry ]

In case you needed yet another reason to apply patches, read this short but well illustrated article from TrendMicro about an active threat vector fixed by MS09-002.

Another solution? Use an alternative browser - Firefox + NoScript is one of the best security combos curently available.

Src: Another Exploit Targets IE7 Bug | Trend Micro

QOTD - Veltsos on All roads lead to...

All Internets lead to Twitter -- Christophe Veltsos

LongURL - A neat add-on for Twitter

Earlier today I found myself getting several notices of new Twitter followers in a matter of minutes. When I displayed their profiles to find out more about them (i.e. whether I should follow back), I discovered that their profiles linked to abbreviated URLs. Not content to simply click on a link that could take my Firefox+NoScript anywhere, I searched around for URL expanding applications and found LongURL.

Thanks to a few well-known fellow Twitters my initial tweet got picked up and before I had the chance to post a blog entry with of my own, Graham Cluley of Sophos had blogged about it. Be sure to stop by and read his blog entry. At the very least LongURL could prevent an embarrassing Rick-Roll.

Src: A neat add-on for Twitter | Graham Cluley's blog [also on Twitter as @gcluley]

QOTD - Honan on criminals using new technologies

Brian Honan, a member of the SANS NewsBites advisory board and a leading information security professional in Ireland, recently commented on reports that Italian criminals are turning to VoIP to avoid wiretaps.
New technologies will always be exploited by criminals for their own means. Law enforcement needs to accept that fact and develop strategies to deal with the problem.
He went on to provide recent examples of law enforcement reportedly taking the matter into their own hands, adopting a stance which reminds me of the saying: "if you can't beat them [hackers & criminals], join them [hackers & criminals]".
German police have been reported to be developing a Trojan aimed at eavesdropping on Skype http://www.theregister.co.uk/2008/01/29/skype_trojan/, while the NSA is reported to be offering large sums of money to anyone who can develop a reliable means of eavesdropping on Skype calls and messaging http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage
Src: SANS NewsBites Vol 11 Num 13

Do as I Say, Not as I Do

Andrew Hay has authored a good article entitled "Do as I Say, Not as I Do" on the Security Catalyst blog. He argues that security folks often ignore their own advice. Here is my reply (also posted on link below):

I like what you have to say and agree with many of your points. However, I believe you’re mixing two different concepts in order to make your points: 1) security pros in the work vs home environment and 2) how others react to security controls/policies.

Regarding 1) security pros are people just like anybody else and have to manage their own time/lives given the risk environment. Indeed, it means that home security practices are not as thorough as they are at work. But I would argue that this is just the way it should be. At work, you are paid for your time (and your security input), presumably to help the business in its profitable endeavors. At home, you are primarily liable only to yourself and your family for food & shelter. If your spouse or your family could pay your security salary to monitor and enforce enterprise-class controls at home, why would you go to work at all. The level of security needed at home cannot be the same as required at work as both the risks and the users are vastly different.

Regarding 2) security pros are people just like anybody else and have to lead the way by acting within the confines of well established security parameters (i.e. policies). Of course, as you pointed out, if those parameters are too strict, you will often find that the IT and/or security folks grant themselves shortcuts which potentially weaken security of the entire organization.

As a faculty member, I have the unique privilege of being able to shape young minds by providing insights into security best practices. I never pass an opportunity to cover the meaning of good governance and the necessity for balanced security controls that work for everyone, including IT.

Src: Do as I Say, Not as I Do | The Security Catalyst

Are credit cards worth the risk?

Martin McKeay, a PCI assessor, has posted a good yet short blog entry on the cost benefits of taking credit cards and PCI compliance. He summarizes it as follows:
I suspect the cost of implementing PCI controls will far outweigh the potential profit of taking credit card numbers and storing them, even if you already have many of the safeguards in place.
Are credit cards worth the risk? | Network Security Blog

When Mashups Intrude on Privacy (CA Prop8)

While these contribution records are public record, the idea that your name and mapped street are online could be considered unnecessarily invasive. The mashup offers great information, but is the backlash and privacy invasion worth it?
I think the fight was lost long ago when we allowed phone directories to print names and addresses.

When Mashups Intrude on Privacy | Poynter Online - Al's Morning Meeting:

Canadian Youth Privacy Video Winner Announced

The Office of the Privacy Commissioner of Canada has announced the winner of its 1st National Youth Privacy Video competition. Maybe it's time to send the rest of your employees to Privacy awareness. Winner's video on YouTube, entitled "A Lesson in Privacy School." What can't we learn from clay models?

Src: News Release: Office of the Privacy Commissioner

Copy/paste snafu exposes settlement details

While meta-data may expose sensitive information about your organization's structure or inner workings, sometimes the dangers are in something far simple: regular data. Using copy/paste, one can see through the redacted information of this settlement between ConnectU and Facebook. If you want to try for yourself, find "redacted" and copy/paste around those areas... surprise, surprise. The document can be found here.

Src: The AP Reveals Details of Facebook/ConnectU Settlement With Greatest Hack Ever [tx @mckeay]

10 Things About Hard Drives You Didn't Know (ShmooCon'09 - YouTube)

Scott Moulton, a rising star in the computer forensics world (just recently created a new SANS forensics course) did at talk at ShmooCon 2009 entitled "10 Things About Hard Drives You Didn't Know." Here are the various parts of his talk on YouTube (to be watched in sequence):
  1. http://www.youtube.com/watch?v=fst8IZup44c
  2. http://www.youtube.com/watch?v=wXmennd0xkM
  3. http://www.youtube.com/watch?v=_Iw2I2hxjSA
  4. http://www.youtube.com/watch?v=GZLLeMP6uII
  5. http://www.youtube.com/watch?v=ylEiGEcKqN0
More ShmooCon'09 videos and content listed on security4all Blog.

Facebook photos authorization bypass (yet another)

What happens when a programmer reinvents the wheel? From a security perspective, all kinds of bad stuff. Here is another report of authorization bypass for Facebook photos which can allow anyone (i.e. not those in your friend-network) to see your photos. The "secret" to getting to someone's photo?
[photo-size][uid]_[pid]_[PIN].jpg
Photo-size is just a character in the set {t, s, n} representing the resolution of the image, uid is the user ID of the user who uploaded the photo, pid is a photo ID, and PIN is a four-digit random number [which is actually not as random as it initially appears]
Src: Light Blue Touchpaper » Blog Archive » New Facebook Photo Hacks [Tx @innismir @kaospunk]

Northcutt on Printers

A modern printer is a computer. Anything that can happen to a computer can happen to a printer, especially an advanced printer. -- Stephen Nortcutt, President SANS Technology Institute.
Src: SANS NewsBites

"Rickrolling" - an emerging attack vector

The folks at PandaLabs have reported an increase in social networking attacks using fake news stories on sites like digg.com. The stories are seeded with links to malware, either in the post itself or in comments, effectively "rickrolling" readers into getting infected. The initial infection vector appears to be focused on fake codecs (for now).

Src: Ever heard the term "Rickrolling"? Malware distributors have... - PandaLabs [tx @lithium]

QOTD - Security & Users

The battle [against malware] that will never be won is gaining security by asking the user to make an intelligent decision about what is safe or not. Users will enter their admin password if asked nicely by software. -- Johannes Ullrich, CTO of SANS ISC
Src: SANS NewsBites Vol 11 Num 10

Unauthorized File Access in HP LaserJets

Just when you thought it was safe to print your documents to your network-ready HP LaserJet, a new vulnerability has been discovered which allows unauthorized file access (configuration files and cached documents) to be remotely accessible on certain HP LaserJets.

This is by no means a new vector of attack; medium to high end printers often cache large or graphics-intensive documents. Yet printers are often seen as write-only media and thus neglected from regular patch cycles. Network printers which are often used to print sensitive documents should only be visible from machines & networks that have a business need (i.e. not the whole organization and certainly not the Internet).

Src: SANS Internet Storm Center

Quote on freedom vs security

Anyone who trades liberty for security deserves neither liberty nor security. -- Benjamin Franklin
Src: BrainyQuote.com