pci and data security compliance blog

A recent post by Ed at SecurityCurve.com pointed me over to the PCI and Data Security Compliance blog. Now, I can’t speak intelligently about PCI these days, and a real auditor would run circles around me about compliance. I also don’t have to deal directly with this yet in my job, but someday I will, no doubt. And while I don’t have a ton of learning bandwidth right now for compliance, I at least can regularly peruse this blog and get used to the terminology and what is all kinda going on. So by the time I do get thrown into the PCI maelstrom, I can at least orient myself quickly. Kinda like webappsec blogs. I don’t do any web app coding for my job right now, but I certainly want to be familiar with the topic.

home entertainment project, planning stages

I’m just posting quick about a pet project of mine that is still just in the planning stages and likely won’t be done until later this year at the earliest. I’d like to develop and complete a more robust home entertainment system than I currently have.

I watch movies. I listen to music (cd and mp3). But I do not watch TV, and thus also do not record shows. In fact, despite owning a plasma TV, I have not watched a television show or had it even set up with television in about 10 months. I do game, although I own none of the latest generation of consoles. I’m looking to buy into that hobby again soon. I don’t typically download movies or rip them from existing media, but I am looking into doing that. There are many movies I’d love to have on hand, but wouldn’t really ever pay for. Netflix is as far as I would go there, and I wouldn’t mind ripping Netflix movies to digital media, or even copying them with a DVD burner (although I have little experience in that).

FurryGoat pointed me to the InFrant ReadyNAS device which I think is awesome. An alternative might be using FreeNAS, which could be a good project itself. This could act as a media repository, which is something I would certainly need.

I plan to purchase an X-Box 360, at a minimum, so I would stick to that for my DVD/media playing needs. I think I might need to get a Vista box for my Media Center, but I’m not terribly keen on that idea. I don’t really have a powerful enough system right now to run Vista well, although I do have some basic parts for a good base (motherboard and CPU that are good workhorses, but bad for gaming).

Any ideas, feel free to post, but otherwise this is just a planning post for me. I think I would be best served looking into getting into DVD ripping and burning, grab a console machine, and also get a storage NAS set up.

email anonymity notes

I tend to cloak myself in layers of anonymity in my professional online life. Mailing lists are not an exception. In fact, I try my best to participate on mailing lists in a way that does not disclose the company I work for, for various reasons (whether I stick to my other name or move back to LonerVamp, I’m still debating). I see other people do the same, and sometimes they use some wacky (and creative) pseudonyms that hearken back to hacker days of old when handles were used more often than real names. They also typically come from email accounts at Gmail, Hotmail, or Yahoo.

To anyone who uses such accounts, be aware that how you use them may determine just how anonymous you remain. Using the webmail interface for each account is pretty secure when it comes to what the mailing list can see. However, if you do your email on a mail client and then POP3/SMTP up to the service, you may be revealing your home IP address in the mail headers. I am not sure if Gmail reveals this information, but I do know Hotmail reveals this. I encourage people to test such functionality well in advance of blindly trusting your security and anonymity.

Or, if the mailing list supports it, submit your replies via a web form. I know SecurityFocus has web-based submissions to its mailing lists if you so prefer. I actually prefer that method.
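The test suggested above, as an added example (not from the original post): parse a message’s Received: chain and report which addresses in the submitting hop are not the provider’s own relays, since those are what a mailing-list archive would show as your origin. The two messages, the provider netblock (198.51.100.0/24) and the client address (192.0.2.77) are constructed for illustration and are not real Gmail or Hotmail headers.

```python
"""Check whether a message's Received: chain exposes the submitting client's
IP address. Added example; the Received: lines and the netblock below are
constructed, not captured from any real webmail provider."""
import ipaddress
import re
from email import message_from_string

# Hypothetical netblock the webmail provider uses for its own relays.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed message submitted through the provider's webmail interface:
# every hop belongs to the provider, so nothing about the user's PC leaks.
WEBMAIL_MESSAGE = """\
Received: from mx.example.net ([198.51.100.40]) by list.example.org
\twith ESMTP; Mon, 12 Feb 2007 10:01:02 -0600
Received: from webmail-frontend.example.net ([198.51.100.12]) by mx.example.net
\twith ESMTP id abc123; Mon, 12 Feb 2007 10:01:00 -0600
From: someone@example.net
To: list@example.org
Subject: reply via webmail

body
"""

# Constructed message submitted from a desktop mail client over SMTP: the
# oldest Received: header records the home address the client connected from.
CLIENT_MESSAGE = """\
Received: from mx.example.net ([198.51.100.40]) by list.example.org
\twith ESMTP; Mon, 12 Feb 2007 10:05:02 -0600
Received: from [192.0.2.77] (helo=home-pc) by smtp-out.example.net
\twith ESMTP id def456; Mon, 12 Feb 2007 10:05:00 -0600
From: someone@example.net
To: list@example.org
Subject: reply via POP3/SMTP client

body
"""


def received_chain(raw_message):
    """Return the Received: headers oldest-first, so index 0 is the submitting hop."""
    msg = message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))


def hop_addresses(received_header):
    """Extract IPv4 addresses from the 'from ...' clause of one Received: header.

    The 'by' host is the relay that stamped the header, so only the text before
    the word 'by' describes where the message came from."""
    from_part = re.split(r"\sby\s", received_header, maxsplit=1)[0]
    addrs = []
    for candidate in IP_RE.findall(from_part):
        try:
            addrs.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # e.g. a dotted string that is not a valid address
    return addrs


def exposed_client_ips(raw_message, provider_nets=PROVIDER_NETS):
    """Addresses in the submitting hop that are not the provider's own relays.

    Anything returned here is visible to every list subscriber and archive."""
    chain = received_chain(raw_message)
    if not chain:
        return []
    return [str(a) for a in hop_addresses(chain[0])
            if not any(a in net for net in provider_nets)]


if __name__ == "__main__":
    for label, raw in (("webmail", WEBMAIL_MESSAGE), ("client", CLIENT_MESSAGE)):
        print(label, "exposes:", exposed_client_ips(raw) or "nothing")
```

Run it against a message you sent yourself to a test list (view the raw source, not the rendered headers) and swap in the provider’s real relay ranges; if anything other than the provider’s relays comes back, the mailing list sees that address too.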

backtrack install

BackTrack 2 is maybe my favorite livecd, largely due to being security/pen-testing oriented. I have an older laptop which doesn’t do so well with 128MB RAM when running a livecd. So, I’ve permanently installed BackTrack on this laptop (which I’m using for this update right now). Here are my steps (very abbreviated) on doing this. I largely followed this tutorial with minor adjustments.

I had to transplant the HD into another laptop that had enough RAM to properly load the livecd. After that, I booted up into BackTrack and logged in as root. Then:

fdisk /dev/hda (fdisk works on the whole disk; /dev/hda1 would be the first partition)
d (since this is an existing drive, have to delete the first partition first)
1
n (now I want to make new partitions)
p (partition)
1
[enter]
+100M (100M boot partition)
n
p
2
[enter]
+512M (512MB swap)
n
p
3
[enter]
[enter] (will use the rest of the disk for this partition)
a
1
t
2
82 (the code for a Linux Swap)
p (one last print to make sure it all looks good, we can still back out to this point)
w (write!)

Then I went graphical with startx and followed the rest of the steps in the doc. After transplanting the drive back into my older laptop here, I was able to boot into BackTrack quite nicely (and fast compared to cd, even on this old hardware!). From here, I needed to get my wireless going. I started up K->Internet->KWifiManager which then got my Orinoco card going. I then opened a terminal:

iwconfig eth0 essid home key 7027…F9F5 (my wireless network and WEP key)
dhcpcd eth0
ifconfig (to verify I have a proper IP)
ping www.google.com

is technology costing too much?

I really should have put this in my 2007 predictions, but I guess it might be a prediction that spans a few more years. But this year is going to mark a tough year for IT managers due to the ongoing cost of IT operations. Often, upper management thinks that a project will be planned, budgeted, completed, and then they all move on. Sadly, most IT projects require ongoing maintenance, monthly costs, and people to maintain them. Too many senior managers don’t get that, and it is those same senior managers who won’t ever “get” security either: you don’t achieve it, clap yourself on the back, and stamp it Project Closed.

IT costs a shitload of money over the years, and management is starting to or will start to feel that slow attrition. Security costs a ton and is only going to get bigger as regulations keep edging forward. Windows Vista is out now, which is going to put pressure on companies that pay licensing fees to upgrade, and to buy hardware upgrades to prepare for it. Not only that, but companies with licensing contracts with Microsoft will start to wonder why they spend that money in the first place. Is Vista worth the last 5 years of Software Assurance? What about SQL licensing? If a company had that assurance contract the last 3 years, you have absolutely nothing to show for it. You want a disaster site and other business continuity plans? You’ll be shelling out monthly fees for that. Mobility is needed by the workforce? Good luck not spending money to secure those devices or provide for mobile needs. Also, mobile devices tend to cost more to get the same performance as a desktop machine, and their lifecycle is shorter.

IT has a huge impact on business these days. Not only can I not imagine business without IT (say, 20 years ago), but I can’t imagine how we spend so much money on it today. It is no wonder MSSPs and other outsourced IT services providers are feeling the love as businesses get sick of the constant IT drain and start to let others handle it (for better or worse).

This is why I still prefer to focus on the basics in my career. Focus on doing what needs done on the lowest levels. Use the open source and free tools, know how to do things without the fancy and expensive appliances and servers. If you know the basics and low level foo, you’ll be able to pick up on the luxury appliances and tools you’re allowed to spend money on, just fine when you get them.

some goings-on around here: new sites, changed sites, fewer sites

If you’re not watching the toolswatch feed from Security-Database, you’re missing out on one of the better notification methods for new security tools. I love it!

The folks at nCircle have expanded their blog to more people and this has resulted in lots more posts lately. Good stuff!

It is with much sadness that I am removing a few cherished links from the side. The PacketSniffers were an awesome video cast team from Ohio that posted a series of excellent (albeit more electronics-heavy) video casts back in 2005. Sadly, they have not had any in some time. Seems they have maybe moved on from that endeavor. Also, shortly before LURHQ was purchased, they started this excellent vidcast called “The Hookup.” This was very promising, but never progressed past 4 episodes. I think there is still room in the security sphere for a short show like that, kinda like hak5 and others, only shorter and more focused.

Unfortunately, a work-related demand to cease blogging about technology has caused Securosis to become more personal and less technical. It’s a shame, too, since the blog was excellent. For some reason, the latest post doesn’t look to be reflected on the front page…so maybe it is still sorta there. Either way, if it is, I’ll re-add it later. Tenable Security’s blog, while really cool and interesting, is mostly useless to anyone that does not use their commercial product. If I used that product, this blog would be a must-read whenever it is updated. Otherwise, I can just learn by reading and possibly gain insight into Nessus, but the useless content (to me) outweighs the good. I’m also removing Jesper Johansson mostly because, well, I don’t read it. And lastly, while I read the updates and the podcast is ok, I really don’t care to read Alan Shimel’s blog daily anymore. This has been building, but mostly just because I’m not an analyst, I’m in the trenches. And reading what an analyst says really doesn’t do me any good at all. Besides, I can follow along on other blogs and get the same effect, or get pointed to his occasional excellent posts from elsewhere. I’ll still listen to the podcast now and then, though.

ftp audits

IT Audit has an article on 11 steps to an effective FTP audit. I like this article; it gives some good steps to auditing FTP activity. However, I think it misses a few things. While many people are likely already wondering why FTP should be so large-looking a project for such an old and probably under-utilized technology, it is still important, especially if this is a publicly open route into your network. Here are some steps I would add.

A. Audit user accounts and activity – Find out where user accounts are tracked and how expired accounts are handled. Do they linger for years and years without activity? Are client accounts even for active clients anymore? Once this audit is done, keep that list handy so that FTP admins can refer to it later and build upon it so that accounts are removed as needed and existing accounts are tracked. If an account has no activity in 4 years, raise questions on its continued need. I really like the rest of the author’s monitoring suggestions. Even if there is seemingly no value in knowing who consistently is the largest transferrer of files, it becomes more important when that consistency is broken one month and some other otherwise quiet account suddenly becomes very active. As part of the account audit, be sure to verify that FTP account access is limited only to their slice of the FTP server, and not overlapping other accounts or able to access other shared spaces. Twenty vendor accounts for 20 vendors that all dump into the same folder is a big risk. Try to also identify shared accounts or those accounts used by just one person, and identify the impact of regularly changing the passwords. Keep in mind that even legitimate users might use the FTP location for malicious reasons such as storing movies or games or other copyrighted property.

B. Recommend granular firewall policies for FTP account access – Whenever possible, require clients, vendors, and FTP users to provide their external IP or IP block to be included in access to the FTP server. It is better to only allow 1,000 IPs access to the FTP server through the firewall than to have all IPs allowed through. It has been my experience that most companies are amenable to providing this information when pressed.

C. Evaluate the patching and security state of the FTP server – Determine the FTP server in use and the version, then research any known vulnerabilities in the server. Recommend patching policy, someone to track patch availability ongoing, and perhaps recommend more secure FTP server solutions. Utilizing an old, insecure version of something like WarFTP or IIS5 should not be very acceptable.

D. Recommend including firewall logs of port 21 access in the audit – It could be beneficial for finding rogue or new FTP servers to include checking firewall logs for successful incoming port 21 occurrences outside the scope of known FTP servers.
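Two of the checks above in working form, as an added example (not from the IT Audit article or this post): step D, pulling accepted inbound TCP/21 connections to hosts outside the sanctioned FTP server list out of firewall logs, and step A, flagging accounts with no activity in years and accounts whose monthly transfer volume suddenly breaks their own baseline. The log format, the known-server list (10.0.5.20), the account names and every log line are constructed for the demonstration; adapt the regex to whatever your firewall and FTP daemon actually write.

```python
"""Audit helpers for FTP steps A and D. Added example with constructed data:
the firewall log format, server inventory and transfer records are not from
any real environment."""
from collections import defaultdict
from datetime import date
import re

# Hypothetical inventory of sanctioned FTP servers (step D).
KNOWN_FTP_SERVERS = {"10.0.5.20"}

# Constructed firewall log lines in a generic key=value format.
FIREWALL_LOG = """\
2007-02-01T08:00:01 action=ACCEPT proto=tcp src=203.0.113.9 dst=10.0.5.20 dpt=21
2007-02-01T08:00:05 action=DROP proto=tcp src=203.0.113.9 dst=10.0.5.21 dpt=21
2007-02-01T08:01:10 action=ACCEPT proto=tcp src=198.51.100.7 dst=10.0.7.44 dpt=21
2007-02-01T08:02:30 action=ACCEPT proto=tcp src=198.51.100.7 dst=10.0.5.20 dpt=443
2007-02-01T08:03:00 action=ACCEPT proto=udp src=198.51.100.7 dst=10.0.7.44 dpt=21
"""

FW_RE = re.compile(r"action=(?P<action>\S+) proto=(?P<proto>\S+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)")


def rogue_ftp_destinations(log_text, known=KNOWN_FTP_SERVERS):
    """Destinations that accepted TCP/21 but are not in the FTP server inventory."""
    rogue = set()
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue  # unparseable line; in a real audit, count these too
        if (m["action"] == "ACCEPT" and m["proto"] == "tcp"
                and m["dpt"] == "21" and m["dst"] not in known):
            rogue.add(m["dst"])
    return sorted(rogue)


# Constructed transfer records: date, account, bytes transferred.
TRANSFERS = """\
2003-01-15 oldvendor 120000
2006-11-03 acme 5000000
2006-12-05 acme 5200000
2007-01-08 acme 4900000
2006-11-20 quietco 10000
2006-12-18 quietco 12000
2007-01-22 quietco 9000000000
"""


def parse_transfers(text):
    """Turn the constructed records into (date, account, bytes) tuples."""
    records = []
    for line in text.splitlines():
        d, account, nbytes = line.split()
        records.append((date.fromisoformat(d), account, int(nbytes)))
    return records


def stale_accounts(records, as_of, max_idle_days=4 * 365):
    """Accounts whose most recent transfer is older than max_idle_days (step A)."""
    last_seen = {}
    for d, account, _ in records:
        last_seen[account] = max(last_seen.get(account, d), d)
    return sorted(a for a, d in last_seen.items() if (as_of - d).days > max_idle_days)


def volume_spikes(records, factor=10):
    """Accounts whose latest month exceeds `factor` times their earlier monthly average.

    A normally quiet account that suddenly moves gigabytes is the case the post
    describes: the baseline matters more than who is the biggest transferrer."""
    monthly = defaultdict(lambda: defaultdict(int))
    for d, account, nbytes in records:
        monthly[account][(d.year, d.month)] += nbytes
    spikes = []
    for account, months in monthly.items():
        if len(months) < 2:
            continue  # no baseline to compare against
        ordered = sorted(months)
        latest = months[ordered[-1]]
        baseline = sum(months[m] for m in ordered[:-1]) / (len(ordered) - 1)
        if baseline > 0 and latest > factor * baseline:
            spikes.append(account)
    return sorted(spikes)


if __name__ == "__main__":
    recs = parse_transfers(TRANSFERS)
    print("rogue FTP destinations:", rogue_ftp_destinations(FIREWALL_LOG))
    print("stale accounts:", stale_accounts(recs, date(2007, 2, 1)))
    print("volume spikes:", volume_spikes(recs))
```

The spike check deliberately compares each account only against its own history, so the large-but-steady vendor does not drown out the small account that jumped three orders of magnitude in one month.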

FTP servers are still a necessary evil in many corporate environments, and far too many admins put them up, add new users per corporate requests, but otherwise don’t consider them with much more interest. As one of likely only a few inroads into your network, FTP servers should be taken as seriously as web and mail servers. The last thing you want to do is find out someone has been using one of your client’s accounts to store gigabytes of child pornography over the last 2 years…and be told about it by the client. And even if more secured file transfer options are utilized, such as SFTP or even SSH, most of these guidelines still apply.

skype is still knocking on the corporate doors

I found a Skype article from CNET posted over at InfoSecPlace and nCircle, and as usual with Skype, I have strong opinions about it. It seems Skype is looking to “partner” with some security companies to provide some additional functionality like “provide add-ons to its software to scan text sent through Skype’s chat feature for malicious links.”

Ugh. Let’s build the frustration just a bit more and quote the article again, “Skype has caused headaches for many IT administrators because it can find ways to make a Net connection despite strong firewall controls on corporate networks.”

Ugh, again. First of all, let’s get this popular media misconception out of the way. Skype is not my biggest concern because it can find new ways to make a connection to the Internet. Please. If Skype is not a welcome product in a company, this can be circumvented with policy, software/OS restrictions, and even on the network by blocking the sites that Skype initially contacts for logon. Unless they changed in the last year, you couldn’t necessarily block authenticated users, but you could easily block the logon process and prevent people from using the system. Not only that, but this is not a “new” headache for admins. Malware has been doing this for a long time…

Second, Skype’s problem in the corporate space is not that suspicious links can be sent over the service. Skype’s problem is meeting regulations that require Instant Messaging to be logged and/or loggable. And Skype falls into the grey area between phone usage and digital IMing: digital phone calls. I think there is still debate on whether Skype calls need to be monitored as well. Skype needs to deal with that issue before it should spend any more money trying to enter more than just the SOHO corporate space.

Third, Skype has the annoying habit of making outbound connections…everywhere. Anyone who sometimes (or regularly) looks at outbound connections on firewalls for anything suspicious will know that almost every Skype connection seems suspicious. Skype raises the false positive rate so much that it pretty much kills that sort of monitoring. This doesn’t kill Skype, but it certainly is a factor in saying no to it in a corporate network.

Fourth, Skype needs to look into making a standalone product. They might be able to have a closed IM solution for a corporation that is not open to the public, and still provide decoding capabilities only to that company. Another widespread corporate requirement is the IM network not being publicly accessible. Again, this won’t kill Skype, but is another black mark.

Fifth, Andrew at nCircle mentions, rightly, that it also should be centrally managed and configured. Again, if Skype wants to break into anything beyond SOHO markets, they need to provide management for the staff. This is important enough to be a possible deal-breaker as well.

Skype is awesome at home and for SOHO use. It saves money, is easy to use, provides good security for the mobile crowd (for now, until the encryption is broken or other MITM attacks might arise), and tends to make employees happy; and one of the things I will thump loudly about: happy users means productive users. I hate having to sport an anti-Skype opinion in the corporate space, but the program itself forces me to be able to take either side, passionately, depending on the corporate environment (i.e. HR, senior management, and regulations).

the dark underbelly of carding

Wired.com occasionally has stories of such depth and quality that I am amazed I don’t regularly read the mag (I did back in the day about 6 years ago, but drifted away). This is one of those stories about the dark underbelly of illegal credit card and identity dealing and investigations into them. Definitely a must read. Part 1 Part 2 Part 2.5 and Part 3 (I don’t understand the sequencing, honestly…)