Archive for September, 2009

News and Commentary :: by WadeW and You (09/11/2009)

Friday, September 11th, 2009

Disclosure standards and why they’re important (…and ReportSecurityFlaws.com) from HolisticInfoSec
I’m certainly a huge proponent of responsible disclosure, but I feel like I’m an even bigger proponent of good, no, SUPERIOR customer service. The moment you put a product out there that you’re charging people money for, you’re not only responsible for support requests stemming from this product, but you’re also responsible for ensuring that this product does not introduce adverse functionality for those who use it. That being said, the meat of this article lies in the announcement of ReportSecurityFlaws.com! While it seems like Ira and Russ are just getting this project off the ground, it certainly seems like this project can easily gain some legs.

PCI, Compliance, and Security from UncommonSenseSecurity
This is one of my favorite blog posts ever. I’m going to print it out and hand it to every single person who works with or around PCI. If you’re on Twitter, you’ve witnessed the back and forth(s), sometimes ad nauseam. The reality of the situation is that both sides are right! Using standards, of any sort, as the high stick for your security posture is bad. For the simple reason that each and every system, application, and infrastructure is different – simply applying a blanket set of requirements will inevitably leave some holes exposed. Security professionals should be able to take these standards and use them as a crutch to convince executives and build an effective security program. Shouldn’t be hard, Mr. Carr thought that checkboxes made his customers’ data secure.

Yahoo!, Paypal, Google, Equifax, AOL, Verisign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity for Open Government from InformationCard.net
In case you missed the announcement this week, the U.S. Center for Information Technology (CIT), the National Institutes of Health (NIH), and the U.S. Department of Health and Human Services (HHS) partnered with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) to add support for OpenID and Information Card technologies. This partnership follows President Obama’s memorandum instructing Government websites to allow citizens to participate in said websites without having to create additional usernames and passwords. I would specifically like to highlight AOL’s participation in this initiative, which has been spearheaded by my colleague George Fletcher (http://practicalid.blogspot.com/). Congrats George, all that hard work and all those meetings have paid off big!

Good vs. Good Enough from PreachSecurity
This is a really interesting (and simple) approach to scoping. Let’s say your site is a mildly interactive blog, like a generic Honda Civic with the bare bones accessory package and a stick shift. Setting your club and locking your doors is really all you need to do, unless you’re one of those really paranoid people. On the other hand, if you drive a Ferrari with every luxury option and a laptop with $20k in cash on the passenger seat, you’re not only going to set your club and lock your doors, you’re also going to install an alarm, lo-jack, and possibly post a very large and menacing looking man to stand guard. Not only that, but if the laptop and the 20k in the passenger seat belong to me and you’re responsible for keeping them safe, I expect you to post 2 very large and menacing men outside your car. Here’s another great post from @rybolov with a similar tone, but focusing more on motives and opportunities – http://www.guerilla-ciso.com/archives/1312

Interview about AppSec DC with OWASP’s Doug Wilson from NoVAInfoSecPortal
GREAT interview by my DC area peers @grecs and @dallendoug…but, I might be a little biased as I volunteer with Doug on the AppSec DC planning committee. The interview covers questions and answers ranging from a preview of the conference training and speaking engagements, the need for volunteers (REALLY, WE NEED VOLUNTEERS, INQUIRE WITHIN!), and who would benefit from attending the conference (spoiler alert! – EVERYONE can benefit from this conference, it’s going to be the best WebAppSec con the DC area has ever seen). Once you’ve read the interview, cruise on over to http://appsecdc.org/ and check out the training courses and conference speaker lineup, I promise you won’t be disappointed.

Finally, I would be doing myself a disservice if I didn’t give a link to NoVAInfoSecPortal, who was kind enough to have me as a guest blogger this week. Check out “What?! No CI(S)O?*” – http://www.novainfosecportal.com/2009/09/09/what-no-ciso/

News and Commentary :: by WadeW and You (09/04/2009)

Friday, September 4th, 2009

National Retail Federation Poll: Small Retailers Struggling To Understand PCI from DarkReading.
While the topic of small business information security is one that I’m very interested in, this article made me laugh. While the article is well written and informative, I can’t help but think that if a large payment processor like Heartland couldn’t get it right, what in the world makes you think that small to medium size businesses with no dedicated security staff will be able to implement the appropriate controls?! The response from the PCI Council is verging on comical: “the PCI Council also offers a priority approach framework, self-assessment questionnaires, and other PCI other resources” (that’s copied straight from the article, nice proofreading DarkReading!). This sentence seems to be suggesting that the PCI Council has a list of prioritized security controls with associated tools that will fix the problem. Fiddlesticks! My advice to the small and medium businesses out there: find yourself a consultant, preferably from a smaller security company (more flexibility and willingness to work within your budget), that will help you assess your current infrastructure, develop a plan with cost constraints in mind, and implement true security solutions that will not only give you PCI compliance, but also actually protect your customers’ data. Did I mention I provide security consulting services?

SMBs Opening Wallets for New Security from ChannelInsider.
As a perfect follow-up to my previous commentary, this article provides analysis of the Spiceworks report on SMB (Small and Medium Businesses) IT spending. This article actually makes a great point in the middle of reporting that 32% of respondents plan on spending money on “add[ing] protective measures” – “What the Spiceworks survey indicates is that solution providers must impress upon SMBs the importance of comprehensive security measures that are tailored to their risk exposure and operational threats.” I do some consulting for a solutions provider (ZZServers.com) who offers dedicated and shared PCI environments to SMBs and online merchants. These services are aimed at alleviating the burden of maintaining a secure environment for payment processing vendors, which in turn allows the SMBs to focus on their core business. OK, this might have sounded a bit like a sales pitch, but SMBs who cannot afford to secure their own environments might do well with outsourcing those functions to their hosting/solutions providers.

Pwning Opera Unite with Inferno’s Eleven from SecureThoughts.com.
This was one of my favorite reads this week. Opera Unite is likely going to be a pretty widely used service – after all, doesn’t everyone want pictures of their cats, fun quips, and documents posted online with the added benefit of choosing who can access them without having to worry about some social network’s terms of service and god-like ability to erase all the content you’ve worked so hard to amass? (*cough*Facebook*cough) In any event, Inferno tore up Opera Unite finding CSRF vulnerabilities, XSS vulnerabilities, CSRF, an insecure communication path for authentication, the ability to host phishing pages, and Clickjacking. One item that he didn’t touch on was the potential for using this service to host and distribute child pornography. Wonder if Opera has followed suit with Google, AOL, and Yahoo! to join forces with NCMEC.

Cross-protocol XSS with non-standard service ports from omg.wtf.bbq.
File this under “yet another awesome use for XSS”! Seriously, Arshan’s managed to leverage an XSS vulnerability to log into an FTP server (*provided the FTP server is hosted on a non-standard port)! Let’s consider another service that uses plain text to enable client/server communications: SMTP. Now let’s consider that quite often, internal SMTP servers don’t (always) enforce authentication and authorization when relaying emails. Finally, consider that most modern business communications happen via email. This really spells disaster above and beyond the usual “Email from the CEO” pranks. What about account brute forcing? I’m glad you asked! Think of the POP3 service that might be exposed on your internal networks to support all those non-Windows folks. Seems like this approach could be used to perform password brute forcing on any service that uses text for client/server interactions.
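The reason this works at all is that a browser-originated request reaches the text-protocol listener as an HTTP request line, a header block, a blank line and then a body, and a lenient FTP/SMTP/POP3 server simply answers “syntax error” to the HTTP lines and keeps reading, so the body gets interpreted as commands. The defender-side counterpart is to recognise that shape on the first line and close the session before the body is parsed. The following is an added example of such a guard, written for this post and not code from Arshan’s write-up or from any server; the session samples are constructed, the host and port in them are placeholders, and it assumes (as the post’s non-standard-port caveat implies) that browsers already refuse to send to the well-known ports 21, 25 and 110, so the check matters on the odd ports.

```python
import re
from typing import Dict, List

# HTTP/1.x request line: METHOD SP request-target SP HTTP/major.minor (RFC 7230 section 3.1.1).
# No FTP, SMTP or POP3 client ever opens a session with a line of this shape.
HTTP_REQUEST_LINE = re.compile(
    r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH|TRACE) \S+ HTTP/1\.[01]$"
)


def is_http_request_line(line: str) -> bool:
    """True when a single received line is shaped like an HTTP request line."""
    return bool(HTTP_REQUEST_LINE.match(line.rstrip("\r\n")))


def inspect_session(lines: List[str]) -> Dict[str, object]:
    """Inspect the opening lines a text-protocol listener (FTP, SMTP, POP3) received.

    If the first non-empty line is an HTTP request line the session is marked to be
    dropped, and the telemetry worth logging is collected: the request line itself,
    the Host header (which tells you which name:port the victim's browser was pointed
    at) and how many body lines would have reached the command parser had the server
    kept reading.  Genuine protocol clients return drop=False with no telemetry.
    """
    verdict: Dict[str, object] = {
        "drop": False, "request_line": None, "host": None, "smuggled_commands": 0,
    }
    stripped = [line.rstrip("\r\n") for line in lines]
    first = next((line for line in stripped if line != ""), None)
    if first is None or not is_http_request_line(first):
        return verdict

    verdict["drop"] = True
    verdict["request_line"] = first
    in_body = False
    # Walk the header block until the blank line, then count body lines.
    for line in stripped[stripped.index(first) + 1:]:
        if not in_body:
            if line == "":
                in_body = True
            elif line.lower().startswith("host:"):
                verdict["host"] = line.split(":", 1)[1].strip()
        elif line != "":
            verdict["smuggled_commands"] = int(verdict["smuggled_commands"]) + 1
    return verdict


# Constructed sample sessions (not captures from the original post); hosts are placeholders.
LEGIT_FTP = ["USER alice\r\n", "PASS hunter2\r\n", "PWD\r\n"]
LEGIT_SMTP = ["EHLO mail.example.test\r\n", "MAIL FROM:<a@example.test>\r\n"]
BROWSER_ON_FTP_PORT = [
    "POST / HTTP/1.1\r\n",
    "Host: ftp.internal.test:2121\r\n",  # non-standard port: the only kind a browser will talk to
    "Content-Type: text/plain\r\n",
    "Content-Length: 29\r\n",
    "\r\n",
    "USER anonymous\r\n",  # body lines a lenient server would treat as commands
    "PASS guest@\r\n",
]

if __name__ == "__main__":
    for name, session in (("ftp", LEGIT_FTP), ("smtp", LEGIT_SMTP), ("browser", BROWSER_ON_FTP_PORT)):
        print(name, inspect_session(session))
```

In a real listener the check runs on the first line only, before any banner-dependent state is built, and the `drop` verdict should close the socket without echoing anything back; the `host` and `smuggled_commands` fields are what you want in the log line so the SOC can tell a scripted scan from a browser that was steered into the internal network.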

Like Stealing Candy from a Baby from Digital Soapbox
Identity Thefts Use Dead Cardholders’ Data to Open Accounts from HostExploit.com
I can’t believe we haven’t solved this problem yet. For as far back as I can remember (and even before the proliferation of computers into our everyday lives) there have been accounts of identity theft against the deceased, whether it be to pad the vote count in elections, or simply to assume a new identity in an effort to subvert the law, creditors, or a crazy ex-wife. What makes things worse is that the Federal Government could easily impose some basic regulations around proper care and protection of PII in this industry. Are we really making any headway in data privacy, or are we falling further behind due to new data systems being stood up quicker than we can secure them?

The Trials And Tribulations Of Public Sector CISOs from The Forrester Blog
I’m not sure why the author decided to go specifically with public sector CISOs; each of the 6 challenges laid out applies in the private sector as well!

  1. Governor and Administration changes every four years. I know of companies where the leadership changes every 1 to 2 years. It’s not uncommon for the Board of Directors to get frustrated with slow moving leadership and make swift moves to oust them. Furthermore, employee turnover happens almost yearly; it’s very difficult to lay out and execute a comprehensive strategy for information security with this kind of turmoil.
  2. You are competing for budgets against pretty important priorities. Let’s not forget that in the private sector, security is still viewed as a necessary cost center. Regulations such as PCI and SOX have given security departments some additional leverage for funds, but as we all know, “being XXX compliant” does not translate to a comprehensive security strategy roll out.
  3. The IT environment consists of several dozen smaller agencies working independently. Unfortunately, this also applies in medium to large private companies as well. There are several silos with different roles and responsibilities who typically do not share many of the same processes and procedures.
  4. No room for error. A mistake in the public sector might result in news headlines and leaders losing their jobs. A mistake in the private sector could result in the company going out of business and hundreds (if not thousands) of employees losing their jobs. You tell me which is worse.
  5. Procurement processes are cumbersome. At least there’s money to procure. With the economic downturn, we in the private sector just feel fortunate to still have our jobs. We’re not even thinking of being able to purchase anything!
  6. Public sector is subject to additional regulations. Well, I can’t disagree with you there, those FISMA checkboxes are hard to fill in.