
August 28, 2008

So, you saw the PCI 1.2 announcement?

Is anyone else still just wondering what exactly this means for your business? The summary does definitely answer a few questions, but I am wondering if someone was pressuring the council to release something, ANYTHING, about the new revision.

One thing that concerns me as a QSA is the amount of variance that will be introduced in the interpretation of some of the clarifications. For example, right off the bat we see the opportunity for interpretation in the clarification under Requirement 1:

Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization's risk management policies.

On the surface, this looks great. It allows for customization (or variance, or interpretation, or shades of gray, or you get the point). But it could easily be a way for a QSA to become lenient for the sake of winning a deal. Should some organizations still do quarterly reviews? Absolutely! Especially large ones with frequent changes. I know that some merchants will choose a QSA based on how certain requirements are read, but I hope that merchants realize that a lenient read of a requirement could cause their foot to explode from a breach bullet if such an event were to happen.

I hear the caliber of those breach bullets is pretty high.

One of the bigger changes that is perfectly laid out is the sunset date for WEP. THANK GOODNESS! Yes, I realize that companies are STILL deploying new WEP installations, but they have no business in any environment where sensitive data exists, meaning anywhere cardholder data is stored or transmitted on a network that lacks segmentation. There will now be a requirement to replace all of those devices by June 30, 2010.

Requirement 5 now seems to have more strength in it, but I'll wait to see the testing procedures. I don't believe the council will be requiring A/V on mainframes, but I do believe that other operating systems like Linux and Mac OS X could now come into scope. VeriSign's belief is if it is a desktop operating system with access to the internet (including indirectly through email), it should have some kind of A/V on it.

In Requirement 11, there are so many goodies there that we will just have to wait for the SAP. Internal Penetration Testing is a really fun one that I fear will cause many merchants to have a slight case of freakout (or death-panic as I like to call it). Also, are we getting closer to Wireless IPS in environments where cardholder data exists? I'm getting so excited! It feels like Christmas morning over here.

My favorite change is the one listed under Requirement 7: Clarified language around testing procedures. We'll just have to wait for the new SAP to be released before we can let out that deep breath we're all holding!

August 27, 2008

The Internet is falling down (falling down, falling down)!

Last month, we saw Kaminsky release details around a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw and security pundits beat their chests, telling the masses that they have been reporting this for years.

Well, it's a new month, and we have a new flaw.

Slashdot has posted a story about a BGP flaw that has been around for years that could easily bring down major portions of the internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here.

I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked... that pesky IMAP flaw in 1997 taught me a TON about security), and I always marveled at how easy it was to goof up parts of the Internet with bad BGP announcements. Thankfully, we were too small to ever be a victim of such an attack, but I do remember fat fingering IP space and seeing my goofed up announcements propagate quickly across the internets. I also got a kick out of a goofed up as-path prepend statement I did once (which is exactly how part of this attack works).

Ahh, those were the good old days.

But apparently, the good old days are still around! Imagine being able to target specific users to read all of their email before they can. Or maybe launch attacks on the inside of your own company (many companies use IBGP to route internally, some use straight BGP) to learn about an impending layoff. This is a classic Man in the Middle attack (MITM), and should reinforce our beliefs that the Internet (and maybe your internal network) IS NOT to be trusted.

Kapela and Pilosov state that the only way to fix this problem is with "perfect filtering." That will never happen. A better way is to start wrapping your traffic inside SSL or other types of encryption technologies that include assurance and integrity checks.
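The post above says "perfect filtering" is the only real fix and that a goofed-up as-path prepend is part of how the attack works. Short of perfect filtering, the practical defender's move is to watch what the rest of the Internet sees for your own prefixes. The following is an added example (not code from the original post, nor from Kapela and Pilosov) of a toy announcement monitor: it takes a constructed list of prefixes you own, with the origin ASN and upstreams you expect, and flags route-collector updates that originate your space from the wrong ASN, announce a more-specific you never announce, or place your origin ASN behind an upstream you do not peer with. That last check matters because checking the origin ASN alone is not enough when a path can be prepended to look like yours. All prefixes (RFC 5737 documentation space), ASNs (RFC 5398 documentation range) and updates are constructed for illustration.

```python
"""Toy BGP announcement monitor: flag updates that hijack a prefix we own.

Added example; not code from the original post. All prefixes, ASNs and
updates below are constructed for illustration (RFC 5737 documentation
prefix, RFC 5398 documentation ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OwnedPrefix:
    """What we expect the world to see for address space we control."""
    prefix: str                 # e.g. "203.0.113.0/24"
    origin_as: int              # the ASN that should originate it
    max_length: int             # longest prefix length we ever announce
    upstreams: frozenset        # ASNs that should sit next to our origin AS


@dataclass(frozen=True)
class Alert:
    prefix: str
    as_path: tuple
    reason: str


def collapse_prepends(as_path):
    """Collapse runs of the same ASN (ordinary AS-path prepending) so the
    neighbour of the origin is the real adjacent AS, not a repeat."""
    collapsed = []
    for asn in as_path:
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    return tuple(collapsed)


def check_announcement(prefix, as_path, owned):
    """Return alerts for one observed announcement (empty list if clean).

    Three checks, because the origin ASN alone is not trustworthy: a path
    can be prepended so that the victim's ASN appears as the origin.
      1. origin mismatch     : last ASN differs from our origin
      2. more-specific       : announced prefix is longer than we allow
      3. unexpected upstream : the AS next to our origin is not one of
                               the upstreams we actually peer with
    """
    net = ipaddress.ip_network(prefix, strict=False)
    path = collapse_prepends(as_path)
    origin = path[-1]
    neighbour = path[-2] if len(path) > 1 else None
    alerts = []
    for own in owned:
        own_net = ipaddress.ip_network(own.prefix, strict=False)
        if net.version != own_net.version or not net.subnet_of(own_net):
            continue  # not our address space; nothing to say
        if origin != own.origin_as:
            alerts.append(Alert(prefix, tuple(as_path),
                                f"origin AS{origin} is not AS{own.origin_as}"))
        if net.prefixlen > own.max_length:
            alerts.append(Alert(prefix, tuple(as_path),
                                f"more-specific /{net.prefixlen} exceeds allowed /{own.max_length}"))
        if (origin == own.origin_as and neighbour is not None
                and neighbour not in own.upstreams):
            alerts.append(Alert(prefix, tuple(as_path),
                                f"AS{neighbour} is not a known upstream of AS{own.origin_as}"))
    return alerts


def scan(updates, owned):
    """Run check_announcement over a batch of (prefix, as_path) updates."""
    alerts = []
    for prefix, as_path in updates:
        alerts.extend(check_announcement(prefix, as_path, owned))
    return alerts


# Constructed sample data: we are AS64500 announcing 203.0.113.0/24 via
# two upstreams, and we never announce anything longer than a /24.
OWNED = [OwnedPrefix("203.0.113.0/24", 64500, 24, frozenset({64510, 64511}))]

# Constructed route-collector view: one legitimate route (with harmless
# prepending), one more-specific announcement that carries our origin ASN
# behind an unknown neighbour, one plain origin mismatch, and an unrelated
# prefix that should be ignored.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", (64520, 64510, 64500, 64500)),
    ("203.0.113.0/25", (64520, 64530, 64500)),
    ("203.0.113.0/24", (64520, 64530)),
    ("198.51.100.0/24", (64520, 64531)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES, OWNED):
        print(f"{alert.prefix} via {alert.as_path}: {alert.reason}")
```

Run it as-is and the legitimate /24 and the unrelated prefix produce nothing, while the /25 trips two checks (more-specific, unknown upstream) and the plain mismatch trips one. In practice the update list would come from a looking glass or route-collector feed rather than a constructed tuple, and an alert would be the trigger to call your upstreams, not something to act on automatically.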

What will it be next month?

August 25, 2008

The Blame Game

First off, I want to apologize for the lack of posting. Travel across the date line is one of those things that looks like a productivity enhancer, at FIRST. Then the realization slowly sets in.

One of the articles I wanted to post on was Bill Homa (Edit: Sorry, got the spelling wrong!), the former CIO of Hannaford, who is changing his tune a little bit. Apparently, the PCI Standard is not his problem, but now he blames Microsoft for the breach that occurred on his watch.

I don't know if you are like me, but I can't wait for the lawsuits to start flying so that all of the speculation on this incident can end. Legal discovery can be a beautiful thing. As with most major breaches, there is not one giant goof that you can point your finger at; there tends to be a series of events that lead to the breach.

Maybe Bill can hook up with Dave Hogan from the NRF and they can practice playing the blame game together? I imagine it would go something like this.

"I blame PCI! It's too hard to comply to!" (Dave)

"No, it's not strong enough! If they would have required internal encryption, things would be different!" (Bill)

"Wait, what? Dude, I'm going to have a lot of pissed off members if I say what you said." (Dave)

"Call me dude again, and see what happens!" (Bill)

"I blame PCI! It's not strict enough!" (Dave)

"That's more like it." (Bill)

"No one is listening to me anymore... you try." (Dave)

"I blame Microsoft!" (Bill)

"Ooo, nice one." (Dave)

It's all fun and games right now, until the currently confidential documents become public record.

Or maybe THEN the fun and games can start?

August 21, 2008

Thank you SYDNEY!

No, not my niece, but the great city in Australia! I've finally made it back stateside. I'm a little tired, but more so when I start working through the email!

Thanks to everyone who joined our event in Sydney! I hope to talk to you all in the coming months.

August 19, 2008

Thank you Brisbane & Melbourne!

We've been true road warriors this week, and so far have done briefings in Brisbane and Melbourne, Australia! We are heading back to Sydney tonight to do our last PCI briefing of the trip tomorrow. Thanks for the hospitality Brisbane & Melbourne! I look forward to seeing you again soon!

August 14, 2008

Where's Brando?

Down Undero! Finally made it down here and nobody down here has said "G'day Mate!" or offered me shrimp on the barbie.

So disappointed.

Anyway... If you are in Sydney, shoot me an email and we'll do a pub crawl!

August 11, 2008

Timing is everything

So you all know (well the three of you that read this... Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won't need? Check. Log into my credit card account to make sure we're good? DOH!

My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz.

The new one is on its way (overnight now) but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place.

The only piece of this that annoys me is the inconvenience. Irrespective of their internal beliefs, companies that come into contact with consumer data should still do whatever they can to protect it, even if consumers are relatively insulated from its effects (such as with credit card theft).

August 4, 2008

August's Herding Cats is now live!

Entitled The Carl Method to Security, it compares CIOs to our lovable friend Carl Spackler when it comes to reacting to a breach. If you read this and don't believe me, just troll the news for recent CIOs responding to breaches.

I don't need to make this stuff up, people do it quite nicely on their own. Just like that time I was in the Las Vegas airport and a TSA agent came over the PA and said, "To the person who left your dentures and hearing aid at the security checkpoint, if you can hear me, please return to claim your items."

See? Don't need to make it up.

Anyway, go check it out!

August 1, 2008

Low Tech Security System Hacking

When I was flipping through some RSS feeds and saw this fantastic post from Gizmodo, I HAD to bring it here for discussion. Now keep in mind, this is a photographer's artistic work, but it sure does open the door to other low tech ways to subvert security systems.

One of my personal favorites is the MacGyver style (sans chewing gum and dental floss) method of defeating magnetic lock doors with a balloon, tape, and a straw. Convenience says that we should not badge in AND out. Just on the way in is fine. On the way out, we'll put sensors there so that the door will magically unlock for you. It's the high tech version of the black treadmill-mat-looking thing at the grocery store that we kids always used to go jump on to make the door open.

And then came the footless shoe smacking me upside my head leaving me reeling, wondering how my mom can catch me getting in trouble when she is in the back of the store buying milk and beer.

After all, it is the breakfast of champions.

Anyway, with a little ingenuity (and some luck) we can get those heavy magnets to unlock from the outside of the door! No badge required!

What other kinds of hacks have you guys seen out there for defeating security systems?