27 posts from March 2009
March 27, 2009
CERT & Leisure Suit Larry in the Land of the Lounge Lizards
Computerworld recently conducted an interview with Rich Pethia - currently director of Carnegie Mellon University's CERT (Computer Emergency Response Team).
This year is CERT's 20th anniversary. It's hard to believe but it was started way back in 1988. Thinking back, I was using AT&T DOS at the time and playing the original Leisure Suit Larry in the Land of the Lounge Lizards with a monochrome screen.

Back in June of 2007 I participated in their podcast series with my co-author Bill Crowell (Former NSA Dep. Director), after publishing my second book. I listened to a number of other interviewees, and was instantly hooked on the quality of topics and speakers. CERT continues to have a ton of great information to offer.
Back to the interview, Pethia gives a very interesting chronology of CERT over the years - changes in focus, new threats, predictions, etc. What I found particularly interesting were Pethia's comments on the following question, "Application security is becoming an area of focus now in security. Are we at the tipping point yet?"

Pethia: "I think we are getting close to a tipping point. Organizations are getting better at securing their networks and operating systems. When you think about how difficult it is for a bad guy to accomplish what he wants to accomplish, attacking operating systems is going to continue to get harder. I see the whole field of applications as the next line of attacks because that is where the least attention has been paid so far. So people will be under pressure to understand we need to do a better job there."

I couldn't agree more. When you start working with the people in this industry that seem to be doing the most cutting edge research on technologies around application and data security like WAF and DAM, as well as individuals that are focused on vulnerability assessments, code review, and the like, you certainly get a sense that the threatscape is far worse than we might even think.


Generation Z
Our solution for mainframe auditing, SecureSphere DGZ, is generating a lot of interest (like here or here). In perfect timing, IBM is launching a campaign to raise awareness of mainframe computers by dispelling mainframe myths. Check out the cool promo movie.

There's even more (also cool) content on squidoo. Very refreshing. (and I like it better than some of the PC vs. Mac movies)


Analyze This
Every week we read a few articles and stories about data that got lost, hacked into, breached, exposed or stolen. The reporters no longer accept the banal corporate answers and the result is fascinating (IMO).

Wired published a well written article about the Analyzer, who used SQL injection techniques to hack into applications and steal credit card data worth several million dollars.

"....In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company's database software. The attacker grabbed credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs."

"...In April and May 2008, agents investigated two additional hacks....  The intruder again used a SQL injection attack, and losses added up to more than $3 million."

More importantly, the article provides a link to an affidavit detailing what happened and tracing the multimillion-dollar hacks that have hit a number of financial institutions in the last year.
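Both incidents quoted above came down to the same defect: user-supplied text being parsed as SQL. The following is an added illustration (not code from the article, Wired, or the affidavit) showing the vulnerable pattern beside its hardened form, using an in-memory SQLite table with constructed sample rows; the table name, the column names and the crafted input are all assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo (not real card numbers or real victims).
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
]


def make_db():
    """Build a throwaway in-memory database with a small cardholder table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable: the caller's text is spliced into the SQL, so the
    database parses it as part of the statement, not as a value."""
    sql = "SELECT owner, pan FROM cards WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner):
    """Hardened: a bound parameter is always treated as data. Whatever the
    caller sends is compared against the column, never parsed as SQL."""
    sql = "SELECT owner, pan FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run the same crafted input through both lookups and report row counts."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # textbook input that changes the WHERE clause
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),  # every row leaks
        "hardened_rows": len(lookup_hardened(conn, crafted)),      # no such owner
        "legit_rows": len(lookup_hardened(conn, "alice")),          # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The point a reviewer looks for is not the specific crafted string but the shape of the code: any statement built by concatenation is a finding, regardless of what the input looks like today, while a parameterized statement cannot have its structure changed by its arguments.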


March 24, 2009
VeriSign Enterprise Security Services Launches Managed Service for Imperva SecureSphere
In case you missed VeriSign's press release:

Chris Cesio, VP Worldwide Channel and MSSP Sales for Imperva: 

We are pleased to be working with VeriSign to extend the reach and value of our Web Application Firewall and Database Security technology. Enabling their leading managed security service platform to support SecureSphere will help resource-constrained IT departments to maintain compliance and optimize performance for securing critical data through web applications.

Welcome to Imperva. 


March 23, 2009
Compliance - The Flannel Nightgown of Security
A friend of mine from the security industry and I had lunch today. We began discussing a trend we're seeing in the field. She cited how many organizations that had programs around particular regulations, standards, etc. over the last couple of years are now adopting security programs to specifically protect PII, or Personally Identifiable Information, above and beyond or simply in spite of any particular government/industry requirements.

In reality - there is a lot of overlap here. But what's interesting here is perception. These PII initiatives are seen as "security projects", not "compliance projects." The difference is simple; security folks generally dislike compliance stuff. They've generally had to do it out of necessity and it wasn't what initially interested them in this space. For a long time many have complained that compliance simply takes time away from their security focus and if they could simply focus on security instead of appeasing auditors, their organizations would be better off.

It can be said that compliance took all the "sexy" out of security. Perhaps PII is in fact "Bringing Sexy Back."


March 22, 2009
The Spicy Food Challenge: #2
Okay - so I'm at it for a second time - chasing down Adam Richman in Man v Food. The first challenge, which I blogged about, went pretty well. No permanent damage anyway. This time I took on SmokeEaters in San Jose California. After seeing Adam take on a challenge so close to where I live, I had no choice but to respond.

I knew this would be a difficult challenge, so before I left for SmokeEaters, I e-mailed my friends telling them that I'd return victorious with the coveted Hellfire Challenge T-shirt. After arriving at SmokeEaters I realized that this e-mail was similar to Cortes burning his ships after landing in Veracruz in 1519 in order to motivate his crew to push on and not turn back. It should be noted that there is much debate about this particular event in history. If you are interested, you can read more about it here.

But what's a challenge without some crazy rules.



March 20, 2009
Podcast Interview with Branden Williams - QSA with Imperva Partner VeriSign
On this episode of the Imperva Security Podcast Branden Williams is interviewed. This is a follow-up to a joint webcast conducted by Imperva and VeriSign titled: PCI Validated, But Not Secure: Real Life Stories of a PCI QSA.

Branden discusses several PCI experiences from companies that just don't get it and from those that get it right. He discusses the strong need to address application and database security, issues to look out for when working with your QSA, and the future of PCI.


Feedback on NIST 800-122
Protecting PII is an important task. We take this task very seriously and, as leaders in this space, we provided feedback on NIST 800-122 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

According to NIST, "800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling."

Below you can see our main comments: 

  1. The document should recognize that some elements of PII are unique to the systems and regulatory landscape in the US, due to privacy regulations that differ beyond what is stated in FAQ answer 2. Specifically, full names and mothers' maiden names are not as important in other countries. Agencies that collect PII in foreign countries outside of the US, and civilian organizations that will adopt NIST 800-122, should be aware of the differences.
  2. The document is missing a cross-regulatory reference. There are many different regulations that require the protection of PII as described by this document. I believe that it is important to list the affected and involved regulations in order to avoid an unnecessary burden on agencies that are already fully compliant.
  3. Appendix E--Sensitive Database Extracts Technical Frequently Asked Questions:
    1. (6) What information should be logged for each extract? We recommend that the document make clear that "(iv) user/subject identity" means both the end user performing the operation and the application user that is acting on behalf of this user, which is very common in a pooled-connection database scenario.
    2. (11) What technical methods are available for restricting where sensitive extracts are stored? We recommend using database firewall (DBFW) and database activity monitoring (DAM) systems in order to restrict access to sensitive data.
    3. (13) What is required for verifying a sensitive extract? We believe that NIST should recommend a formal process that can locate, verify and monitor access to sensitive data, identify what was extracted, and provide a log of all data to be securely erased after 90 days. When automated, such a process will be more effective in protecting PII.
    4. (14) What other types of technical solutions could be used for sensitive extract verification and erasure? The document says of the second recommendation in this section (implement centralized processing for access to sensitive databases using dumb terminals): "This solution cannot be implemented on a large scale in the near term using current off-the-shelf components." However, there are off-the-shelf solutions available today that provide this functionality. Combining database access controls with application access controls (WAF + DBFW) would provide the necessary functionality. We urge NIST to look at database firewall solutions and how such solutions can integrate with web application firewalls and web identity management solutions.
More feedback? Tell NIST and us.
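Comments (6) and (13) above both come down to what an extract audit record must contain: in a pooled-connection design the database only ever sees the shared application account, so the end-user identity has to be captured by the application tier, and each record needs a timestamp from which the 90-day erasure deadline can be computed. The following is an added example of that record-keeping (not from NIST 800-122 and not Imperva product code); the account name `app_svc`, the `citizens` table, the sample rows and the JSON field names are all constructed assumptions.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

DB_ACCOUNT = "app_svc"   # assumed: the single account every pooled connection authenticates as
RETENTION_DAYS = 90      # retention period named in comment (13)


def make_pool_db():
    """In-memory stand-in for the shared database; rows are constructed for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (ssn TEXT, full_name TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?)",
                     [("123-45-6789", "Jane Doe"), ("987-65-4321", "John Roe")])
    return conn


class PooledExtractor:
    """Runs sensitive extracts over a shared connection and writes one audit
    record per extract that names both identities: the database account the
    pool uses and the end user on whose behalf the query ran."""

    def __init__(self, conn, clock=lambda: datetime.now(timezone.utc)):
        self.conn = conn
        self.clock = clock          # injectable so tests can fix the timestamp
        self.audit_log = []         # list of JSON lines; a real system would ship these out

    def extract(self, end_user, sql, params=()):
        # Refuse to run an extract that cannot be attributed to a person.
        if not end_user:
            raise ValueError("end-user identity is required for sensitive extracts")
        rows = self.conn.execute(sql, params).fetchall()
        record = {
            "time": self.clock().isoformat(),
            "db_account": DB_ACCOUNT,      # what the database itself would log
            "end_user": end_user,          # what the database cannot see
            "statement": sql,
            "rows_extracted": len(rows),
        }
        self.audit_log.append(json.dumps(record))
        return rows


def audit_complete(log_line):
    """Check that a record carries both identities, the statement and a row count."""
    rec = json.loads(log_line)
    return (all(rec.get(k) for k in ("time", "db_account", "end_user", "statement"))
            and isinstance(rec.get("rows_extracted"), int))


def overdue_for_erasure(log_line, now):
    """True once the extract described by this record is older than RETENTION_DAYS."""
    extracted_at = datetime.fromisoformat(json.loads(log_line)["time"])
    return now - extracted_at > timedelta(days=RETENTION_DAYS)


if __name__ == "__main__":
    ex = PooledExtractor(make_pool_db())
    ex.extract("analyst.jane", "SELECT ssn, full_name FROM citizens WHERE full_name = ?", ("Jane Doe",))
    for line in ex.audit_log:
        print(line, "complete:", audit_complete(line))
```

The design choice worth noting is that the end-user identity is a required argument of `extract`, not an optional annotation: an extract with no attributable requester is refused rather than logged under the service account alone, which is exactly the gap comment (6) asks NIST to close.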


You Create The Caption
We love coffee and it returns the love. In the past few months our coffee/espresso machine was dying. After serving us coffee for many years (sometimes more than 100 cups per day!), its time arrived. 

We changed the water supply, cleaned it more often, pressed the buttons gently, and even talked more quietly around the kitchen, to no avail.

Last week it passed away.  


March 18, 2009
Podcast Interview with Amichai Shulman - Co-founder and CTO of Imperva: Clickjacking
On this episode of the Imperva Security Podcast Amichai Shulman is interviewed. Amichai talks about clickjacking. He gives a detailed background on the attack, how it works, some high-profile examples, as well as mitigation techniques to protect both applications and users. The graphic below illustrates what this looks like, making the user think that they'll win a new 'Shevy' (Wig Salon).
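On the application side, the mitigation Amichai refers to comes down to telling the browser which sites, if any, may place your page inside a frame. The following is an added example (not from the podcast and not Imperva code) of producing those response headers and of checking an arbitrary header set for framing protection: the `X-Frame-Options` header was the mechanism of this era, and the `Content-Security-Policy` `frame-ancestors` directive is the later standard that browsers prefer when both are present. The partner origin in the usage block is an assumption.

```python
def anti_framing_headers(allowed_origins=None):
    """Response headers that stop other sites from framing this page.

    allowed_origins: origins permitted to frame us, e.g. a trusted partner site.
    None (the default) means nobody may frame the page at all."""
    if allowed_origins:
        sources = " ".join(allowed_origins)
        # X-Frame-Options cannot express a list of origins, so only CSP is emitted.
        return {"Content-Security-Policy": f"frame-ancestors 'self' {sources}"}
    return {
        "X-Frame-Options": "DENY",                        # legacy header, widely honoured
        "Content-Security-Policy": "frame-ancestors 'none'",  # standard directive
    }


def _csp_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protected(headers):
    """True if the response headers prevent arbitrary third-party framing.

    Browsers that understand frame-ancestors ignore X-Frame-Options when the
    directive is present, so CSP is evaluated first and X-Frame-Options only
    as a fallback. Only DENY and SAMEORIGIN count; ALLOW-FROM was never
    implemented consistently and is not treated as protection here."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            return "*" not in ancestors
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    print(anti_framing_headers())
    print(anti_framing_headers(["https://partner.example"]))  # assumed partner origin
    print(framing_protected({"Content-Security-Policy": "default-src 'self'"}))  # False
```

A check like `framing_protected` belongs in a deployment test or a WAF policy audit rather than in the page itself: the page cannot defend itself after it has already been rendered inside an attacker-controlled frame, which is why the header-based controls exist.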



