Sharon Besser: September 2008 Archives

September 25, 2008

PCI 1.2

As I wrote yesterday, the PCI Community Meeting discussions are interesting and useful. Many have asked me to provide insights on the actual changes to the specification, especially on sections 6 and 6.6 (ensuring that all public Web-facing applications are protected against known attacks), section 10 (track and monitor all access to network resources and cardholder data) and section 3 (protect stored cardholder data).

While we still need to respect the embargo on disclosing the actual details of PCI DSS 1.2, there are a few insights that I can share regarding the community culture and the spirit of this event. As you can see below, section 6.6 can also be used as an opening sentence when one is looking for new friends...

[Image: PCI Humor.png]

As soon as the embargo is lifted, I will share our thoughts and insights. And for more insight into the world of the PCI QSA, I encourage you to attend our upcoming webinar, "The Inside Story of PCI: Confessions of a QSA."
 
September 24, 2008

"Pea-Sea-Eye"

I'm at the 2008 PCI Community Meeting in Orlando. The Standards Council asked us not to disclose any information or pictures regarding the content of the upcoming PCI DSS version 1.2 beyond what has been already discussed in the press or on the Council's web site. For those that are not familiar with the subject (can't spell P-C-I as Bob Russo, General Manager of the council explained), here is a complimentary image. 

[Image: P-C-I.png]


Seriously, this is one of the more important events for the data security community, and if you are reading this blog, you are probably affected in some way. More reports and coverage (without revealing anything that I promised not to) will be coming soon.

September 23, 2008

Stop The Presses! Does 1=1?

Reading web server and search logs can be fun. Every day, several people from different parts of the world (and across the web) are reading the ADC Glossary. One of the more popular search terms is 1=1. Many look at SQL injection techniques; others are learning about SQL injection signature evasion.

For those that are interested in learning more about 1=1, check out this page. There's also a related movie:



[Image: restraints.png]

The Register was picking on the IRS last week, citing a Department of Treasury document and using a sensational headline that the U.S. Internal Revenue Service is putting taxpayers at risk by operating thousands of web servers that either contain security vulnerabilities or have not received proper authorization. (BTW, the Department of Treasury should improve their overall report card score listed in this report prepared by Tom Davis of the House Oversight and Government Reform Committee in May 2008.)

This headline makes it look like the IRS is in complete chaos, but I think the Register is not being fair and some restraint is needed (a colleague of mine explained that the Brits will always like to sling mud at US-based agencies). First, I do not think that the IRS is much different from many other agencies, commercial organizations and universities. In my experience, many large organizations have rogue and vulnerable web servers simply because they are unable to discover, control and manage all those systems that were previously deployed to serve a specific business need. Examining the report, I'm learning that the US Department of Treasury's Inspector General for Audit is trying to control the situation by raising a flag about it and recommending a solution.

[Image: Dallas Texas Skyline Hurricane Ike.png]

I returned from Dallas last Friday and "missed" Ike. First and foremost, I sympathize with the victims and feel bad about the damage, pain and high gas prices. However, judging by some of the amazing photos, it was quite a scene.
 
I was part of Imperva's scheduled Customer Advisory Board meeting that took place on Thursday. We had the opportunity to receive feedback from our customers, including some of the largest enterprises in the world. Working with our customers is always interesting, especially as some organizations are using SecureSphere to solve problems other than those described by our own marketing team. Due to the nature of their business, the details of those customers and the nature of the discussions cannot be disclosed in public.
 

According to the following story, the answer is simple: a lot.

This is a few weeks old, but I was recently asked for some ROI calculations and thought that this story could provide a good example. It also shows that database activity monitoring can work even for small organizations.

Jackson Lewis, law firm for Nye Lubricants, has notified the New Hampshire Attorney General that an employee "may have accessed electronic personal information stored in certain of the Company's databases without proper authority and/or for improper purposes," on or about August 15.

According to the notification, 173 employees are being notified that their personal information, including their Social Security numbers, may have been accessed or misused, but the firm was reportedly unable to determine whether any of the current or former employees' data were accessed or misused.

Frederic C. Mock, Executive Vice-President of Nye Lubricants, wrote to those affected that an employee had accessed the network without authorization, but "despite our best efforts, we could not determine if any personal information contained in the databases on the Company's network was actually compromised, only that the opportunity for unauthorized access or use of personal information existed." Nye Lubricants reports that it is reviewing its security and systems going forward and has offered employees free credit monitoring for one year.

Let's do the math. I'm assuming that they received a group discount for the 173 employees and the cost of the service is only $15 per month per employee:

173 × $15 × 12 months = $31,140

On top of that, we have to add the cost of legal fees (Jackson Lewis will not work for free). I suspect that the lack of database activity monitoring can cost $100K for this small firm.

Source: http://www.pogowasright.org/article.php?story=20080828115925605


Graham Cluley from Sophos recently wrote about how hackers infected BusinessWeek's website via a SQL injection attack.

Unfortunately, it looks like the daily SQL injection stories are starting to become boring as the list of victims grows day-by-day. (Dilbert hints that there are too many databases. Some might be redundant). 


[Image: dilbert database.jpg]


Sophos is providing the community a good service: they have created a nice visual of the attack, showing how the infected site appears to the innocent, soon-to-be-a-victim visitor as well as what the page code looks like. They also provide a list of suggestions that would allow customers to protect their sites.


However, I would argue that they do not emphasize the most immediate solution, a Web Application Firewall (WAF), or the benefits of integration between vulnerability assessment, code review and WAF. In the real world, the process of fixing the code can take some time...

September 12, 2008

Zero "Zero False Positives"

[Image: superman - no such thing.png]

I was in Boston earlier this week, participating in a vendor panel discussion. One of the other vendor representatives tried to explain how his solution added value by having a "true zero false positive" rate. I will not mention the name of this company, as I think that the novel idea of having a security system with zero false positives is so far from reality that it simply shows that their representative does not understand security. It's like Superman: great idea, and I wish it could be true, but in real life he does not exist... (Wonder Woman does though :-)

September 8, 2008

Hack With Old People

[Image: Kevin Lee Poulsen, Kevin Mitnick, Adrian Lamo.png]

Hacking with new people is passé. It's now trendy to hack with old guys. Even though Sarah Palin is not a hacker, some stories and buzz around previous-life hackers have recently surfaced. After reading the TechCrunch story of MySpace co-founder and real-life 1980s WarGames hacker Tom Anderson, I searched for known "old" hackers who changed the course of their lives. During the research I found an ancient 1984 TIME magazine article titled Let Us Now Praise Famous Hackers.

Today, we announced that multi-language support has been added to the SecureSphere management interface GUI. Localized versions of SecureSphere are now available in Simplified Chinese, Japanese, and Korean, making the product more accessible to IT departments throughout these regions. SecureSphere has always provided multi-language support in its monitoring engine, but in response to accelerating demand for application data security appliances throughout Asia, we can now reach more customers.

The internationalization of SecureSphere's user interface allows IT departments to switch between the standard English version and the local language on the fly. This enables the user to manage SecureSphere, set up policies, and generate reports in their native language.

Here are some screenshots:

[Image: another login screen.png]

[Image: chrome worms.png]

So Google announced their fresh take on the browser. They sure know how to create a sensation. Follow the links and read the comic book; it's worth your time. If you wish, you can also read the Google Blogoscoped analysis.

After reading the many blog reports and examining the comics, if I understand correctly, the browser will change the current anti-malware space, as it will provide real-time updates and blacklists of bad sites. That kind of service is worth a lot of money to the URL filtering vendors.
