Network Security Blog

The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself.

Network Security Podcast, Episode 266

Wed, 02/01/2012 - 2:45pm

We’re a day late, but we still managed to get this week’s show recorded! Rich is soaking up sun (or “teaching”, as he claims) in Cancún, Mexico, so we decided to rope in the illustrious Mike “Rybolov” Smith to discuss, surprise-surprise, privacy and monitoring.

Network Security Podcast, Episode 266, February 1, 2012

Time:  42:36

Show Notes:

Standing Desk 2.0

Thu, 01/26/2012 - 8:59pm

If you follow the blog, you may remember that several months ago I built myself a standing desk out of some cheap lumber and plywood I had in the garage.  It took an afternoon to build and was a proof of concept as to whether or not I’d actually like working at a standing desk.  The funny part of the project was that it took me longer to draw it up in Google SketchUp than it did to actually put the desk itself together.  After several weeks of working at the desk I decided I really liked it and wanted a more permanent version, one I could consider an actual piece of furniture and not just something that looked like an escapee from the lumber pile.

The first week or two that I had the desk, there was some definite back and foot pain as I transitioned from sitting 12-14 hours a day to standing for the same amount of time. But it was very apparent after I’d made the adjustment that a standing desk was the right decision for me.  I felt better at the end of the day and there’s a certain mental energy that comes from standing and walking around the office that I never had while sitting.  It’s hard to describe, but standing seems to put me in a slightly different state of mind than sitting does.  And, along with walking 2-3 miles a day, I’ve lost nearly 10 pounds since the beginning of the year, though I attribute that more to the walking than the desk. Oh, and there was one problem which was created by playing MineCraft for about 6 hours straight over the Thanksgiving weekend, but I don’t blame the desk for that.

There were a few things about the desk I wanted to change after working on it for two months.  The first was the top shelf; the original shelf was six inches shorter than the desktop on each side and while it fit two monitors fine, I wanted to add a third so I can put my work laptop on it as well.  Making it the same width as the desktop was the perfect solution, all three monitors fit perfectly on the shelf.  I can check work email, personal email and twitter with just a glance.  I also wanted the bottom shelf to be lower, since the space underneath it was wasted and I hoped to add another shelf.  Finally, I wanted it edged, sanded and finished so it actually looks like a piece of furniture.

All of this is why I asked my father-in-law to help me build version 2.0 when he came down for Christmas week.  He’s not a professional carpenter, but he does woodworking for fun like I do computers and security for fun.  Except he’s been doing the woodworking since before I was born, and experience counts for a lot.  We went shopping for wood and picked up some decent 2×4s and 4×4s, cabinet grade plywood and a really big can of stain/polyurethane mix for me to finish it with.  At that point I gave him my plans from the original and the changes I wanted to the design, and got out of his way.  He came back with an offer to add a pair of drawers to the design, something I wanted but didn’t have the skills to make myself.

When I made version 1.0, it took a Saturday afternoon; when my father-in-law made version 2.0, it took five days to complete the desk and another week for me to put two coats of stain/poly on the supports and 4+ coats on all the other parts of the desk.  I got slightly carried away and put six thin coats on the front of the drawers.  And because the desktop is two pieces of 3/4″ plywood put together, it took calling my younger brother in order to manhandle the desk into the office.  But once everything was in place, it was worth every bit of the effort we’d put into it!

So there you have it, my experience in building a standing desk.  I’d say it was worth it, but maybe I’ll write more on it in a year or so.  I have a lab stool to sit on when my feet start to hurt, but I only use that about 15 minutes a day, maybe a little more if I decide to play any games on my PC at the end of the day.  I get a little confused once in a while when the mouse doesn’t work, until I realize I’m using the wrong mouse and have to take a step to the left or right.  I also had to put a piece of stained wood under one of my monitors, since they’re not the same height.  And version 1.0 wasn’t dismantled; it was moved into the garage where it will spend the rest of its life as a workstation for playing with Arduinos, Lego Mindstorms and occasional light soldering.  And maybe a little locksport as well.

Kill pcAnywhere right now!

Wed, 01/25/2012 - 8:40pm

If you haven’t already heard, the code base for Symantec’s pcAnywhere was stolen in 2006, and bad guys are now using that code against the installed base of users in the wild.  This sort of compromise really isn’t anything that new or different.  But what is different is that Symantec is now telling users to flat out disable pcAnywhere until a fix is released.  Which is a good, smart move, but a better move would be to remove pcAnywhere and never, ever start it up again!

I remember the first time I used pcAnywhere; I was working my first helpdesk job and they let me finish part of my shift from home when I was doing mail server work, I could start up the scripts on the server, drive home and finish my work from there.  Being pcAnywhere, every couple of times I’d also have to drive back to work because the program would crash, but hey, an 80% success rate wasn’t too bad at the time.

Fast forward a decade (and more) to when I’m a QSA and pcAnywhere is still out there, and in all too many cases it’s actually the same version I was using, or nearly the same vintage.  But it’s not me using it to manage an OS/2 Warp mail server (yes, OS/2 Warp); it’s being used to manage Point of Sale (POS) systems all across the US.  You see, mom and pop stores with POS systems don’t have a clue about how to set up a computer, so they find a nice, local service provider who will set up the POS for them, troubleshoot it when they have problems and just generally manage the system for a price.

Herein lies the problem.  If you’re a small, local service provider who makes a living servicing these folks, you have to be able to work quickly and cheaply with clients across a large area if you’re going to make a living.  You need to be able to get on their systems quickly to troubleshoot problems and get them back online.  So of course you use a remote desktop client like pcAnywhere, and you’re going to leave it directly exposed to the Internet since that’s the easiest way to make sure it’s always available and you don’t have to do a lot of troubleshooting of network equipment.  And you probably use the same password on all your clients, since you don’t want to have to rely on having the right password written down somewhere when the client calls screaming that their system is down.  After all, no one would scan for open pcAnywhere servers, nor would they guess the user name is ‘admin’ and the passphrase is “Let me in!” (at least it has complexity).  And you don’t worry about changing passwords when an employee leaves or updating to the latest patch levels.  In other words, a security nightmare.

In 2009, when I worked for Trustwave, one of the things the annual security report dug into was some of the repercussions of this type of remote management of POS systems.  And no surprise, one of the things they discovered was that remote desktop applications like pcAnywhere were one of the leading causes of small business compromises, especially compromises that involved either small chains or a group of geographically close stores.  An attacker would scan for the remote desktop client, then brute force the password and spread out to the other clients of the service provider.  Soon you’d have a whole segment of the local merchant community who’d been compromised and didn’t know how or why it had happened.  And things have not gotten better since then.

I doubt things will change; I doubt most of the people who actually use pcAnywhere as a tool are going to even notice or read Symantec’s posting.  It’s the only way that the current business model works, not just in the merchant community, but in many other small business communities as well.  The service provider model requires remote tools, otherwise the travel time to and from locations kills any chance of making a profit.  Which means the folks who want to compromise systems and steal credit cards are going to continue to have access to the remote desktop solutions.

Network Security Podcast, Episode 265

Tue, 01/24/2012 - 8:04pm

Unless you were hiding under a rock the last few weeks you’ve probably heard about the Stop Online Piracy Act (SOPA), Protect IP Act (PIPA) and their even more evil brother, the Anti-Counterfeiting Trade Agreement (ACTA).  Many sites went dark last week, including Securosis, in protest, and SOPA/PIPA were at least stalemated for the moment, if not entirely defeated.  And since it’s a big story, we decided to discuss it at great length, probably saying many things that have been said by much smarter people than us.  At least we hope it’s the smart people we’re agreeing with.

Zach was unavailable tonight, so we had to pull in two special guests in order to replace him.  First off, Rich’s partner in crime at Securosis, Adrian Lane, joins us.  Second, we’re joined by Liquid Matrix author and friend of the show, Jamie Arlen, aka @myrcurial.  Jamie brings a little bit of an outsider’s viewpoint to the conversation as he’s not native to the Phoenix area and comes to us from north of the border.

No real show notes tonight; if you’re interested in learning more about SOPA/PIPA/ACTA, do a little Googling.  Or just go to the Electronic Frontier Foundation’s website.

Network Security Podcast, Episode 265, January 24, 2012

Time:  55:00

Tonight’s music:  Signs are Signs by The Midnight Hour

 

SOPA was only an opening salvo

Fri, 01/20/2012 - 8:41am

I generally try to stay out of the political arena on the blog, mostly because politics is such a contentious topic in and of itself.  And I’ve been staying away from SOPA in particular because there’s been so much coverage that one more voice added to the choir wouldn’t have done anything.  The music and movie companies once again tried to introduce legislation that made pirating content a crime and gave the entertainment industry incredible power to police the internet and block any site they felt *might* link to copyrighted content.  But we, the Internet, rose up in unison as major sites blacked themselves out in protest, and support for the legislation is suddenly falling away as if the Stop Online Piracy Act might be toxic.  Yay us, we won and the bad entertainment industry was put in its place.  War’s over and we can all go back to our daily lives.  At least that’s what it seems like in a nutshell to me.

But it’s not over, not by a long shot.  In an oddly coincidental case of good timing, yesterday the US Government took down the site Megaupload, a hugely popular file sharing site.  Since this event probably took months of planning to set up, the timing probably was mostly accidental, though I wouldn’t be surprised to find out the date got accelerated a little in response to this week’s Internet blackout.  And in response to that, the group Anonymous started a DDoS campaign¹ against the likes of the White House, the FBI, DoJ, MPAA, RIAA and a number of other sites using the LOIC tool.  There are quite likely one or two other groups using some of the noise created by Anonymous in order to perform some slightly quieter attacks under cover.  And according to my count, the move is now back to the Government, probably coming in the form of a kinder, gentler form of SOPA or additional site take downs.

The movie and music distribution engines only see the Internet as a method for taking money out of their pockets.  The technorati see the Internet as a boon and the current distribution model used by the entertainment industry as antiquated and only serving the big studios, not the artists.  There’s a certain amount of truth to both arguments, though I find myself far more in line with the thought that the entertainment industry has refused to adapt as technology and societal norms have changed, so they have to pay the price.  This is a lesson Kodak is learning the hard way.  Now the real battle is finding out whether we make technology and society bow to laws that are counter to how we want to act, or whether we change the laws to be more in line with how people want to act in the first place.

The ethics of file-sharing aren’t really important to the folks backing legislation like SOPA; they’re defending a business model and nothing more.  Therefore, they have to continue to push for this legislation in one form or another in order to gather more power to bolster a dying business model.  They have no choice, other than completely reworking the way they do business, which is more risky than doing battle in the court systems.  While the Internet may have risen up and smashed down the SOPA legislation today, it’s the long haul of trying to get the power clauses passed into law that the lawyers excel at.  Expect to see several more forms of this Act come up for consideration and votes later this year.

The interesting part will be seeing how the dynamics between the creation of laws and the Internet change over the coming year.  Between blackouts in protest and DDoS in protest, it’s clear that a lot of attention can be drawn to an issue very quickly.  But can it be sustained, and will these forms of protest have any long term effect?  Part of what led to the uproar against SOPA was the technical infeasibility (or possibly stupidity) of the act; what would happen if the backers of SOPA created something that was more reasonable and technically possible to combat piracy? Will the resistance fade if something more palatable comes along?  I somehow doubt it, but more than that, I doubt I’ll have a chance to find out, since a compromise like that isn’t even something I believe the entertainment industry could conceive of.  It’s more likely we’ll continue to have a chance to see the evolution of the Internet as a political force.

So the back and forth between content distributors and pirates will continue, with the ball now in the government’s court.  There could be more take downs like Megaupload.com, the folks who supplied the thralls for LOIC could find FBI agents at their doorsteps, or there might be a lull while newer legislation is created.  But the reality is that what we’ve seen in the last few weeks is just an early set of skirmishes on the battlefield.  What the next step in the escalation is remains to be seen, on both sides.
 
¹I know where that graphic came from!

Network Security Podcast, Episode 264

Tue, 01/10/2012 - 6:10pm

As Zach prepares for his jaunt down to Miami Beach, Rich waxes paranoid about his newfangled Microsoft-powered car — and the prospect of Martin remotely hacking and throttling the engine.  It’s hard to imagine a few of Rich’s ‘friends’ won’t try hard to get their hands on his new remote and the system port on his car.

(Also, check out our nomination in the Social Security Bloggers Awards — and vote if you’re eligible to do so!)

Network Security Podcast, Episode 264, January 10, 2012
Time: 37:31

Show Notes:

Open tabs 01/09/12

Mon, 01/09/2012 - 8:24am

Still feels a little funny to be putting the ‘12’ in the year column, doesn’t it?  I’m sure the feeling will go away by March or April.  And it’s getting started as an interesting year already, with Symantec’s source code and courts approving warrantless GPS monitoring.  I bet neither of those was captured in the “Top 11 Predictions for 2012” so many pundits and bloggers put out at the end of the year.

Personally, I’m starting the new year with a ton of writing to do.  Despite my best efforts, I didn’t blog as much as I would have liked to in the last few months, but I know that has to change.  I have to start writing for the Akamai blog, I’ve got information for the Security Bloggers Meetup to post and I get several offers a month to write for other publications.  Then there are the internal projects that are in motion, at least one of which is requiring me to think in new and interesting ways in order to get concepts on a page properly.  Plus I’ve got lots of interesting toys at work to play with; what questions would you want answered if you had access to the logs for a significant portion of the Internet?  That’s actually a serious question I have to blog about some day soon.  I’d like to hear what people want to see in a report.

And speaking of the Security Bloggers Meetup, I was nominated for two Social Security Awards last week.  Rich Mogull, Zach Lanier and I were nominated for the work we do on the Network Security Podcast and I was nominated for Best Post for my “Curing the Credit Card Cancer” post.  Rich and I both sit on the committee that puts together the Security Bloggers Meetup, though neither of us works on the Social Security Awards, so before this year we’d ruled that everyone on the committee was not eligible to be nominated.  Alan Shimel changed the rule this year; he felt that since we had nothing to do with the SSAs, it was unfair to exclude us.  So, go vote for us. I’d love a chance to beat PauldotCom and the other contenders for Best Security Podcast.  I’ve read the other blog posts; I don’t have much of a chance for the Single Best Post.

Open Tabs 01/09/12

Network Security Podcast, Episode 263

Tue, 01/03/2012 - 6:20pm

It’s our first show of the New Year… wherein Rich describes server upgrades good and bad, being a victim in a data breach, and we discuss the rest of the latest news. We have to say, it’s a weird start to the year.

Network Security Podcast, Episode 263, January 3, 2012
Time: 36:45

Show Notes:

Open Tabs 12/26/11

Mon, 12/26/2011 - 8:00am

Christmas is over!  I hope yours was good, but I personally find the whole build up and let down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving. 

There have been some interesting stories leading up to Christmas, and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so there might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in the Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware that this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of supporters is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products.

Open Tabs – 12/26/11

  • Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
  • LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
  • The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
  • How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
  • The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the story, and the sooner this can be opened up and aired out, the better for everyone involved.
  • Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because the data they hold might be worth something.
  • Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s insured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes commonplace.
  • Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.

Southern Fried Network Security Podcast

Tue, 12/20/2011 - 6:27pm

This is Martin, and while I know we said we weren’t going to do another podcast this year, I got started talking to Martin Fisher over at the Southern Fried Podcast and we decided, “What the heck, let’s do one more this year and thank all our listeners for supporting us!”  It was supposed to just be the two of us, but Rich happened to be available.  It was also only supposed to be a few minutes, but when you get the three of us going, it obviously has the potential for going long.

All three of us are very grateful to our audiences, and I think I can say the same on behalf of our co-hosts.  The year has had its ups and downs, but I believe we’re ending it on a high note.  I hope your life is doing the same and that you have a good ChrisHanaKanzamas or whatever you celebrate this time of year.  At least celebrate a few days off, if nothing else.

Southern Fried Network Security Podcast Christmas Special
Time:  25:29

Open tabs 12/18/11

Sun, 12/18/2011 - 10:11am

Long night last night.  We went to something called a pirate gift party; sort of like a white elephant gift exchange (cheap, person A can take a gift from the table or steal from person B) except most of the gifts were wrapped in tinfoil cleverly disguised to hide their true nature.  Two minor variations from a normal white elephant exchange are that there is no limit to the number of times gifts can be stolen per turn and no one gets to open the gifts until the last gift is chosen from the table.  This led to an interesting ‘defense’ strategy; since there was a gift that was wrapped to look like Thor’s Hammer that my Spawn wanted, they worked together to make sure they kept it at all costs.  Basically, when person A stole the hammer from whoever was holding it, that Spawn would steal his brother’s gift, and that Spawn would steal the hammer back.  This was a pretty good strategy, until Spawn1 lost concentration at one point and went after a different shiny object.  It all ended well, though another pair challenged the Spawn to a game of endurance to see who wanted the hammer the most.  It ended up being a 15 minute round robin of gifts being stolen and re-stolen that left everyone laughing.  Oh, and “Thor’s Hammer” ended up being a cleverly disguised box with chocolate and money in it, with a broom handle acting as the handle.

Oh, and very importantly, it’s that time of the year! Security Bloggers Meetup invites have gone out.

Open Tabs 12/18/11:

Network Security Podcast, Episode 262

Tue, 12/13/2011 - 6:11pm

A discombobulated Martin and a sleep-deprived Zach get together for the final episode of 2011 (and Rich isn’t around to join us — tsk tsk).  This week’s stories seem to be more of the same — surveillance, leaks, and dumb legislation. Here’s to hoping for a brighter 2012.

Network Security Podcast, Episode 262, December 13, 2011
Time: 30:00

Show Notes:

Open Tabs 12/12/11

Mon, 12/12/2011 - 11:20pm

Usually I try to find the time to blog first thing in the morning, but today was way too busy to allow for anything nearly as relaxing as blogging.  I spent two days traveling to and from a client site last week and then two more days at the BayThreat conference, with only Sunday at home to relax and play Skyrim … I mean spend with the family.  BayThreat was a ton of fun; my co-worker Mike Smith gave a presentation called “Zerging is for Chumps” and another friend, Gillis Jones gave his first talk, “Show me the Money”, just to name a few.  It’s interesting to go to a convention where you can almost talk to every attendee if you put your mind to it.  And you know I gave it a pretty good try.  Anyway, I’m off for more flying around the country again this week and have a ton to do in the mean time, so this may be the only chance I get to post this week, other than the podcast.  Presuming I can get that done with Zach this week.

Open tabs, 12/12/11:

Network Security Podcast, Episode 261

Tue, 12/06/2011 - 7:15pm

When Rich isn’t around to take up most of the time, Zach can actually be pulled out of his shell to talk for a little while.  Or maybe it’s just that when there are two hosts on the podcast there’s more time to talk.  In any case, Martin and Zach went a little long this week as well as deep into paranoia land.  And there’s so much in the news right now to push us there.  It’s kind of scary when you start to realize that as much communication as modern technologies allow, they also allow a lot of very deep surveillance.  Which we as a society seem to be okay with.

Network Security Podcast, Episode 261, December 6, 2011
Time: 42:13

Show Notes:

Open Tabs 12/5/11

Mon, 12/05/2011 - 8:42am

There’s this game called Skyrim that’s been taking up all my ‘free’ time.  The only thing that’s kept me from being completely sucked in is the fact that my eldest son keeps asking, “When is it my turn to play?”  That and the fact that my other half keeps bringing up Christmas and my commitments as far as decorating and present shopping go.  ’Tis the season to avoid the malls and spend time online shopping instead.  Speaking of which, my coworkers have a thing or two to say about the holiday shopping season, which is once again morphing into something bigger, yet different, than it was ten years ago.  I love working at a place that has so much access to data about what’s really happening on the Internet.  Hopefully you’ll hear more on that early next year.

Open Tabs 12/5/11:

Curing the Credit Card Cancer

Mon, 11/28/2011 - 1:08pm

Back when I was a Qualified Security Assessor (QSA), all of four months ago, I often explained credit card data as an infectious disease.  Whatever your credit card data touches is pulled into scope, requiring the full Payment Card Industry (PCI) Data Security Standard (DSS) to be applied to those systems to the same degree as to the systems processing the transactions.  That’s because the scope of PCI compliance is defined as “any system that stores, processes or transmits cardholder data and all systems connected to these systems”.  In other words, the switch that stands between your firewall and your processing server is in scope for PCI, as are all the systems attached to that switch, unless you take specific steps to control the traffic between the two systems.  Thinking about the credit card data as an infectious agent makes sense, since the data infects everything it touches with the need for compliance and assessment, even though the system may have nothing at all to do with card processing and only made the error of being on the wrong network segment at the wrong time.

Lately though, I’ve begun thinking of credit card data as a cancer instead of simply a disease.  Consider the fact that many security departments spend hundreds of man hours each and every year trying to segment their cardholder data environment from the rest of the network to limit the impact of the annual assessment.  They modify firewall rules, implement VLANs, cut off access and chase down every data flow they can think of and find in order to locate credit card data and prevent it from infecting systems and bringing them into scope.  Yet every year the QSA comes in and finds data where it shouldn’t be and people with access to the data who have no business reason to have it.  The credit card data continuously spreads and expands scope, and leaving even the littlest bit behind still risks expanding the scope of the assessment and the responsibility under the Data Security Standard.

Why does this continue to happen?  As security professionals, we try hard to find out where the credit card data is, but the reality is that all too often we don’t understand the thought processes that went into the business processes that created the data flows, and neither do all too many of the people who created the business processes.  We might understand the process that takes a credit card from the customer’s browser to our web server and back to our database server, but clearance and settlement are often arcane processes that we haven’t mastered and can’t figure out how to do securely with our acquiring banks.  I mean, why is it that some processors still mandate that the settlement files be sent in clear text over a leased line or the Internet?  And getting them to change that can, very literally, take years to happen.  Another process that we often forget, and that creates no end of headaches, is the fraud control portion of the business; I’ve seen more than a few businesses that had no idea that their fraud prevention team either had full access to the cardholder database or had a portion of the feed that included credit card numbers sent to them daily or weekly.  And since these teams weren’t considered during the original scoping, it often means a whole new section of the business has to be considered and remediated, costing valuable time and money.

Another factor is how little it costs a department to ask for a stream from the database and how strongly they’ll defend it once they have the data.  I’ve run into many departments in the past that had little or no immediate need for accessing credit card data, but wanted every bit of the information from the web server and point of sale devices, simply because it might one day be valuable to them.  And even if the data is being used now, if there is some value for them to have it today, all too often that department isn’t the one that’s actually paying the cost of processing and storing the data; the IT or Security department received a mandate to make the data available and no additional funds were provided to secure the cardholder data in a manner compliant with the PCI DSS.  Good luck getting them to pay for something they’ve had access to for years or give up this access, despite the fact it might cost the company millions and have almost no real return on investment.

So how do we excise the cancer that is credit card information from our enterprises?  I know it’s a bit clichéd to say it, but we still need to understand our businesses better.  Yes, our managers are getting better at talking to their managers, but the fact is, when you get down to the actual data flows, managers are simply a set of filters that help the people who’re doing the actual work misunderstand each other better.  It’s just as important to understand the overarching business flows as it is to understand the actual tables and fields that are being copied from one database to another.  Digging into the nitty gritty of each data transformation and export to another department’s database is hard work, made harder by the fact it’s changing all the time.  Managers need to set the policies and procedures that dictate who has access to data, including the where and why, but the line-level security folks need to be able to track down the data flows and enforce the policies set up by the people higher in the chain of command.

Departments also need to understand that there is a cost associated with cardholder data, and need to be made to bear that cost directly.  As long as they simply have to ask for the data and work the political process to get it without paying a fiscal cost, they will.  Policies and procedures are easy to circumvent if someone in Marketing or Sales puts their mind to it, but when that same person is given a price tag for the data, the need often disappears or becomes something much more manageable that doesn’t include cancerous data like credit card numbers and expiration dates.  This is a step that only management can take, and in many organizations it’s incredibly difficult, since the concept of having to pay for data is foreign to most of the business.  But as long as someone else is paying for it, or the cost of data is indirect, people will continue to ask for it.

The real, long-term cure for the credit card cancer is to change the rules of the game so that businesses never have access to the credit card information to begin with.  Face it, as long as a single record remains in your enterprise, someone will find a way to get access to it and spread the contagion from system to system.  The solutions available to businesses today are various forms of tokenization.  First, on-site tokenization allows businesses to create a ‘toxic waste dump’ in their environment with strong controls around it, where only people who have a demonstrable business reason are allowed to detokenize the data.  Since a more limited number of people have access in this environment, training on how to treat the data with the caution and respect it deserves is much easier to deliver and enforce.  Plus, definitive consequences for treating the cancer-causing data unsafely can be enforced when only a limited, educated group of people are allowed to have it.
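The on-site tokenization just described, as an added example that is not code from the original post: a tiny in-memory vault in which card numbers are replaced by random tokens, only a “settlement” role can turn a token back into a card number, and every detokenize attempt is logged so the limited group with access can actually be held to account.  The `TokenVault` class, the role names, the blind-index scheme and the test card number are assumptions for illustration; a production vault would also encrypt the stored mapping at rest, which is left out here.

```python
"""Minimal in-memory token vault: the 'toxic waste dump' pattern.

Added example, not code from the original post.  The class, role model,
blind index and storage layout are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class VaultAccessDenied(PermissionError):
    """Raised when a caller without a detokenize role asks for a PAN."""


def luhn_valid(pan: str) -> bool:
    """Reject input that is not even shaped like a card number before it
    enters the high-security store."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    # Secret for a keyed blind index, so a repeat PAN maps to the same token
    # without the vault keeping a plaintext PAN lookup table.
    index_key: bytes
    # Roles allowed to detokenize; everyone else only ever sees tokens.
    detokenize_roles: frozenset = frozenset({"settlement"})
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_index: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (decision, who, role, token)

    def tokenize(self, raw_pan: str) -> str:
        """Swap a card number for a random token; the PAN stays in the vault."""
        pan = "".join(c for c in raw_pan if c.isdigit())
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        idx = hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # The token is random, so nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def last_four(self, token: str) -> str:
        """What a fraud or marketing team usually needs instead of the PAN."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str, principal: str, role: str) -> str:
        """Return the PAN only to an authorized role; log every attempt."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        if role not in self.detokenize_roles:
            self.audit.append(("DENY", principal, role, token))
            raise VaultAccessDenied(f"{principal} ({role}) may not detokenize")
        self.audit.append(("ALLOW", principal, role, token))
        return self._pan_by_token[token]


def demo() -> dict:
    """Walk one card number through the vault and report what each side sees."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize("4111 1111 1111 1111")   # constructed test number
    denied = False
    try:
        vault.detokenize(token, "marketing-analyst", "marketing")
    except VaultAccessDenied:
        denied = True
    return {
        "token": token,
        "same_pan_same_token": vault.tokenize("4111111111111111") == token,
        "last_four": vault.last_four(token),
        "settlement_sees": vault.detokenize(token, "settlement-batch", "settlement"),
        "marketing_denied": denied,
        "audit": list(vault.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the blind index is that the only place a full PAN exists in this design is inside the vault’s own mapping; consumers outside it hold tokens and, at most, the last four digits, and the audit list is what lets a security team see who tried to pull a card number out and whether they had a business reason.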

Even better than on-site tokenization is having someone else handle credit card authorization and settlement and never letting credit card data touch your network in the first place.  Most of the acquiring banks now have partnerships with PIN pad manufacturers with end-to-end encryption built in.  The stores are encrypting the cardholder data as it’s swiped at the register, and they either have no access to the credit card information or only have access through a separate backend system.  Online merchants are making more and more use of outsourced payment systems, which also keep cardholder data out of enterprises and small businesses alike.  Several of these solutions offer ways to tokenize cardholder data as well.

When it’s all said and done though, it’s the credit card processing system that has to change, not just how businesses treat credit card information.  We need to modify and re-engineer how we take credit cards and remove the monetary motivation for the attack on (and defense of) credit card data.  If credit card information has no value to an attacker, then attention will shift elsewhere and the security department will once again be able to concentrate on securing the entire enterprise rather than just the small portion that has a compliance measure behind it mandating minimum security standards.  Of course, then we’ll have to worry about what we can use to get funding from management to secure the rest of the business.

Open tabs 11/22/11

Tue, 11/22/2011 - 8:33am

I got home Sunday from 3 days in Las Vegas, two of which were spent at the first ever Minecon.  For those of you who aren’t the parents of Minecraft addicts, or addicts yourselves, it’s a game where you create a whole world, then mine it for resources and build just about anything you can imagine.  It’s multiplayer, sometimes massively so, and it’s very easy to set up your own server and be hosting it for the world in a matter of hours.  Unluckily, it may be too easy; people who can barely figure out what their IP address is are setting up servers on their desktops, then sharing their systems with friends via Hamachi or simply opening their home network to the world.  It’s enough to give a security professional an aneurysm!  I wrote up my own experience in creating a cloud server for Minecraft in April, but that server never caught on with the kids.  So now I’m trying a different solution, MineOS Crux, a custom-built distribution of Ubuntu specifically created for people who want a secure, lightweight Minecraft installation.  I’m running it as a VM on my Mac Mini server and exposing it to the world on a non-standard port, plus I locked down the distro a little more than the standard build.  I’m still more than a little paranoid about it, so if the kids aren’t using it, it’ll go away.

Oh, and the kids got me to start playing Minecraft as well.  Good thing there are a lot of long holiday weekends coming up.

Open Tabs 11/22/11:

Google’s wifi mapping non-solution

Wed, 11/16/2011 - 8:10am

Google got in a lot of trouble last year for capturing private data from wireless networks when they were driving the googlemobiles around to get video shots for StreetView.  Basically, rather than just capturing the SSID for the access points, in a lot of cases they captured data streams from the APs, which violated all sorts of European privacy laws.  And in reply to this, Google came up with a solution: users can opt out of Google’s wireless access point mapping by simply adding “_nomap” to the end of their SSID!  So simple it’s stupid.  No, I mean it’s so simple it’s absolutely idiotic and a waste of the digital ink that was used to express the idea!

I think MG Siegler expresses it best when he said, “The solution is a joke.”  Siegler thought of the same things I did when he saw this so-called solution.  First, only a fraction of a percent of people are even going to understand that Google is mapping their access points, and an even smaller segment of the population is going to understand what that means.  And of that small group, only a much smaller percentage are going to make the changes to SSID names necessary to opt out of the Google mapping.  I think that his .01% of the 10% of the people who actually read the article is a bit generous; only the truly paranoid will opt out using this method, and they probably weren’t advertising their SSID to begin with.

Let’s think about the pain in the arse it is to change an SSID to include ‘_nomap’.  My house is probably not normal, but it’s what I have to use as an example.  I have two wireless networks, two access points, three desktops, half a dozen laptops and a server that would all have to be changed to use the ‘_nomap’ SSID.  Plus there are a few more systems to worry about when you include the gaming systems the kids use.  The average household probably doesn’t have nearly that much equipment, but they also don’t know enough about wifi to set it up with proper encryption in the first place, so why would Google assume the average home user would know enough to change the SSID on all these systems once they finally got them running on their home network?

Let’s be honest; all Google is doing is waving their hands over StreetView in an effort to claim they’re doing something in front of governmental bodies who wouldn’t know the difference between an SSID and Sid Vicious.  In most cases, they’d probably recognize Sid Vicious before they’d have a clue what an SSID was or what it’s used for!  Siegler nails it when he states that Google might as well ask people to solve calculus problems.  And I’d be willing to guess there are a number of people who would have an easier time solving advanced mathematical equations than they would changing their SSID.

I want a solution that doesn’t require me to change my SSID to opt out of Google’s mapping.  It’s a stupid solution and I’m not changing my SSID to include the ‘_nomap’ modifier.  My last thought is two-fold: What effect will this have on all the data that Google has already collected (Answer: none), and will Google actually honor their own ‘_nomap’ identifier and drop the data at collection, or will they simply not display the access points using ‘_nomap’ but keep the data in their database?  I think you and I both know the answer to the second one as well.

Network Security Podcast, Episode 259

Tue, 11/15/2011 - 6:23pm

Rich and Martin are together for the first time in about 6 weeks thanks to all our overlapping travel.  We are joined by Marisa Fagan, who tells us about BayThreat, one of the only actual security conferences in the Bay Area (and a really good one).  Then Marisa leaves and Rich and Martin jump into the security news.

Network Security Podcast Episode 259
Time: 39:43

Show Notes: