News and Commentary :: by WadeW and You (09/04/2009)
September 4th, 2009 | by wadew |
National Retail Federation Poll: Small Retailers Struggling To Understand PCI from DarkReading.
While the topic of small business information security is one that I’m very interested in, this article made me laugh. While the article is well written and informative, I can’t help but think that if a large payment processor like Heartland couldn’t get it right, what in the world makes you think that small to medium-sized businesses with no dedicated security staff will be able to implement the appropriate controls?! The response from the PCI Council is verging on comical: “the PCI Council also offers a priority approach framework, self-assessment questionnaires, and other PCI other resources” (that’s copied straight from the article, nice proofreading DarkReading!). This sentence seems to be suggesting that the PCI Council has a list of prioritized security controls with associated tools that will fix the problem. Fiddlesticks! My advice to the small and medium businesses out there: find yourself a consultant, preferably from a smaller security company (more flexibility and willingness to work within your budget), who will help you assess your current infrastructure, develop a plan with cost constraints in mind, and implement true security solutions that will not only give you PCI compliance, but also actually protect your customers’ data. Did I mention I provide security consulting services?
SMBs Opening Wallets for New Security from ChannelInsider.
As a perfect follow-up to my previous commentary, this article provides analysis of the Spiceworks report on SMB (Small and Medium Business) IT spending. This article actually makes a great point in the middle of reporting that 32% of respondents plan on spending money on “add[ing] protective measures” – “What the Spiceworks survey indicates is that solution providers must impress upon SMBs the importance of comprehensive security measures that are tailored to their risk exposure and operational threats.” I do some consulting for a solutions provider (ZZServers.com) which offers dedicated and shared PCI environments to SMBs and online merchants. These services are aimed at alleviating the burden of maintaining a secure environment for payment processing vendors, which in turn allows the SMBs to focus on their core business. OK, this might have sounded a bit like a sales pitch, but SMBs who cannot afford to secure their own environments might do well to outsource those functions to their hosting/solutions providers.
Pwning Opera Unite with Inferno’s Eleven from SecureThoughts.com.
This was one of my favorite reads this week. Opera Unite is likely going to be a pretty widely used service – after all, doesn’t everyone want pictures of their cats, fun quips, and documents posted online with the added benefit of choosing who can access them, without having to worry about some social network’s terms of service and godlike ability to erase all the content you’ve worked so hard to amass? (*cough* Facebook *cough*) In any event, Inferno tore up Opera Unite, finding CSRF vulnerabilities, XSS vulnerabilities, an insecure communication path for authentication, the ability to host phish pages, and Clickjacking. One item that he didn’t touch on was the potential for using this service to host and distribute child pornography. I wonder if Opera has followed suit with Google, AOL, and Yahoo! and joined forces with NCMEC.
Cross-protocol XSS with non-standard service ports from omg.wtf.bbq.
File this under “yet another awesome use for XSS”! Seriously, Arshan has managed to leverage an XSS vulnerability to log into an FTP server (provided the FTP server is hosted on a non-standard port)! Let’s consider another service that uses plain text to enable client/server communications: SMTP. Now let’s consider that quite often, internal SMTP servers don’t (always) enforce authentication and authorization when relaying emails. Finally, consider that most modern business communications happen via email. This really spells disaster above and beyond the usual “Email from the CEO” pranks. What about account brute forcing? I’m glad you asked! Think of the POP3 service that might be exposed on your internal networks to support all those non-Windows folks. It seems this approach could be used to perform password brute forcing on any service that uses text for client/server interactions.
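The attack above works because a line-oriented plaintext service happily reads the body of a browser’s HTTP request as commands. An added example (not from this post or from Arshan’s write-up) of the server-side guard that blunts it, modelled on the default of Postfix’s smtpd_forbidden_commands (“CONNECT GET POST”): if a session opens with an HTTP request line or a forbidden verb, nothing after it is parsed as a command. The SMTP-like dialect and the sessions below are constructed for illustration.

```python
import re

# Shape of an HTTP request line: METHOD SP request-target SP HTTP/major.minor
HTTP_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
# Verbs no SMTP client ever sends; a browser speaking HTTP into our port does.
# Same idea as Postfix's smtpd_forbidden_commands = CONNECT GET POST.
FORBIDDEN_VERBS = {"CONNECT", "GET", "POST", "PUT", "HEAD", "OPTIONS"}
SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_UNKNOWN = 3  # give up on clients that are clearly not speaking SMTP


def verb_of(line: str) -> str:
    """'MAIL FROM:<a@b>' -> 'MAIL'; 'Host: x' -> 'HOST' (an unknown command)."""
    return line.split(" ", 1)[0].split(":", 1)[0].upper()


def handle_session(raw: bytes) -> dict:
    """Run one client session through the guard.

    Returns {"dropped", "reason", "accepted"} so the caller can see exactly
    which lines were treated as commands and why the session ended.
    """
    accepted, unknown = [], 0
    for line in raw.decode("latin-1").split("\r\n"):
        if not line:
            continue
        verb = verb_of(line)
        if HTTP_REQUEST_LINE.match(line) or verb in FORBIDDEN_VERBS:
            # An HTTP client is on the other end: the body that follows is
            # exactly where smuggled commands would live, so never read it.
            return {"dropped": True, "reason": "http-request-line", "accepted": accepted}
        if verb in SMTP_VERBS:
            accepted.append(verb)
            if verb == "QUIT":
                break
            continue
        unknown += 1
        if unknown >= MAX_UNKNOWN:
            return {"dropped": True, "reason": "too-many-unknown-commands", "accepted": accepted}
    return {"dropped": False, "reason": "", "accepted": accepted}


# Constructed sessions, not captured traffic.
LEGIT_SESSION = (b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n"
                 b"RCPT TO:<b@example.test>\r\nQUIT\r\n")
# What a browser emits when script or a form is pointed at http://mailhost:2525/
BROWSER_SESSION = (b"POST / HTTP/1.1\r\nHost: mailhost:2525\r\n"
                   b"Content-Type: text/plain\r\nContent-Length: 14\r\n\r\n"
                   b"EHLO x\r\nQUIT\r\n")

if __name__ == "__main__":
    print(handle_session(LEGIT_SESSION))    # accepted, 4 commands
    print(handle_session(BROWSER_SESSION))  # dropped before the body is parsed
```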
Like Stealing Candy from a Baby from Digital Soapbox
Identity Thefts Use Dead Cardholders’ Data to Open Accounts from HostExploit.com
I can’t believe we haven’t solved this problem yet. For as far back as I can remember (and even before the proliferation of computers into our everyday lives) there have been accounts of identity theft against the deceased, whether to pad the vote count in elections or simply to assume a new identity in an effort to subvert the law, creditors, or a crazy ex-wife. What makes things worse is that the Federal Government could easily impose some basic regulations around proper care and protection of PII in this industry. Are we really making any headway in data privacy, or are we falling further behind because new data systems are being stood up quicker than we can secure them?
The Trials And Tribulations Of Public Sector CISOs from The Forrester Blog
I’m not sure why the author decided to go specifically with public sector CISOs; each of the 6 challenges laid out applies in the private sector as well!
- Governor and Administration changes every four years. I know of companies where the leadership changes every 1 to 2 years. It’s not uncommon for the Board of Directors to get frustrated with slow-moving leadership and make swift moves to oust them. Furthermore, employee turnover happens almost yearly; it’s very difficult to lay out and execute a comprehensive strategy for information security with this kind of turmoil.
- You are competing for budgets against pretty important priorities. Let’s not forget that in the private sector, security is still viewed as a necessary cost center. Regulations such as PCI and SOX have given security departments some additional leverage for funds, but as we all know, “being XXX compliant” does not translate to a comprehensive security strategy roll-out.
- The IT environment consists of several dozen smaller agencies working independently. Unfortunately, this applies in medium to large private companies as well. There are several silos with different roles and responsibilities which typically do not share many of the same processes and procedures.
- No room for error. A mistake in the public sector might result in news headlines and leaders losing their jobs. A mistake in the private sector could result in the company going out of business and hundreds (if not thousands) of employees losing their jobs. You tell me which is worse.
- Procurement processes are cumbersome. At least there’s money to procure. With the economic downturn, we in the private sector just feel fortunate to still have our jobs. We’re not even thinking of being able to purchase anything!
- Public sector is subject to additional regulations. Well, I can’t disagree with you there; those FISMA checkboxes are hard to fill in.

