tag:blogger.com,1999:blog-53580572359024862842008-09-03T09:30:01.147-05:00Security Karma"because no good deed goes unpunished..."Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comBlogger56125tag:blogger.com,1999:blog-5358057235902486284.post-56817564885470370482008-09-03T09:30:00.000-05:002008-09-03T09:30:01.334-05:00IT pros name security top concern, security pros say huh?<p><a href="http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=210300074">Ahem</a>.</p> <blockquote> <p>The Computing Technology Industry Association (CompTIA) announced this week that its Web poll, conducted from June 3 through Aug. 25, showed that one-third of IT professionals believe that securing their networks and data is their biggest concern.</p> </blockquote> <p>I don't want to seem skeptical and perhaps the IT pros I have dealt with are the exceptions... but are these the same IT pros that push poor design, complain about preventative security measures, argue about how their app is different, tell me "it's ok, really", and slash my budget? Not that I'm complaining... I'm just sayin'.</p> <p>But then again, security was the top concern of 33% of those surveyed; so perhaps I just deal with the other 66% 99% of the time. 
;)</p> Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-63349190240276033502008-09-01T09:30:00.001-05:002008-09-01T09:30:00.655-05:00Happy Labor Day<a href="http://lh3.ggpht.com/djglass/SLmPppI7q3I/AAAAAAAAD_U/_uij_Anj-88/s1600-h/LaborDay%5B5%5D.gif"><img align="left" alt="Labor Day" border="0" height="239" src="http://lh4.ggpht.com/djglass/SLmPqNZiQiI/AAAAAAAAD_Y/qU0csfAdSyk/LaborDay_thumb%5B3%5D.gif?imgmax=800" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px;" title="Labor Day" width="244" /></a> Happy <a href="http://en.wikipedia.org/wiki/Labor_Day_(United_States)">Labor Day</a> weekend for all my American readers. For all my foreign readers, happy <a href="http://en.wikipedia.org/wiki/May_Day">May Day</a>… sorry I’m four months late. Now get back to work.<br />
In the US we use the day to catch up on napping, outdoor activities (it’s the last holiday of summer), American football, and eating. In much of the rest of the world May Day is a day of <a href="http://en.wikipedia.org/wiki/Taksim_Square_massacre">celebrating workers' rights</a> and is often filled with protests, marches, speeches, and the <a href="http://en.wikipedia.org/wiki/Taksim_Square_massacre">occasional massacre</a>.<br />
That being said: enjoy the day, comrades!Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-46961966103866160362008-08-29T10:30:00.000-05:002008-08-29T10:30:00.552-05:00Password reset unsafe! Personal information easy to discover!OK, I admit... the typical readers of <a href="http://www.sciam.com/">Scientific American</a> are probably not the most Internet-savvy folks out there, and I actually loved Herbert H. Thompson's article "<a href="http://www.sciam.com/article.cfm?id=anatomy-of-a-social-hack&print=true">How I Stole Someone's Identity</a>." Mr. Thompson does a good job explaining how to footprint a person online and begin compromising account after account of theirs simply by using the password reset feature and the "security questions" that are used to validate identity.<br />
<blockquote>For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. In Kim's case some of that information came from a blog, but it could just as easily have come from a MySpace page, a sibling's blog (speaking of their birthday, mom's name, etcetera) or from any number of places online.</blockquote>To someone who has been around information security for a while now, none of this is news. This is actually a little old-school footprint-and-crack. The problem is: in the old days, the hacker would have to go to great lengths to investigate their marks. As this article shows, those days are gone, and now with a simple web search we can find out almost everything about a person. All of our digital shadows are getting longer, and keeping track of every account we've signed up for is getting more and more difficult.<br />
<blockquote>It's also critical to remember that once you put data online, it's almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.</blockquote>Great article and well worth the read.<br />
<br />
I'll be posting more about the new risk model in the 2.0 world soon.<br />
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-58757932001008278712008-08-28T09:30:00.000-05:002008-08-28T09:30:00.450-05:00TSA takes security to the slopes, travelers run into treesMichael Chertoff must have gone skiing and thought of this little beauty. If you have flown through DFW and a handful of other airports across the country you may have noticed that there will soon be three lines to pass through airport security. Taking a cue from ski resorts, travelers will now have to decide between black diamonds, blue squares, green dots, and purple horseshoes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_YM_k6IgTR7E/SLYWDPv5jfI/AAAAAAAAD_A/yaqx78RSH4E/s1600-h/Picture+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_YM_k6IgTR7E/SLYWDPv5jfI/AAAAAAAAD_A/Oh6j-3SfE1o/s400-R/Picture+1.png" /></a></div><br />
Now I won't chide the TSA too much for trying... but let's be honest for a second here. Like skiing, how many blue-square travelers will think they're good enough to take on the black diamond line, only to clog things up by forgetting the liter of water in their carry-on and the pen knife in their pocket? What then? Blue-square folks holding up the black diamond line, black diamond travelers in the green dot line because it's empty, and green dot travelers wondering where the lift is. So... basically... what we have now. Now go hit the slopes!<br />
<br />
More info about black diamond program <a href="http://www.tsa.gov/approach/black_diamond.shtm">here</a>.<br />
<br />
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-22713878168489064942008-08-27T15:30:00.002-05:002008-08-27T21:23:44.391-05:0010 < 8,000,000<a href="http://www.bestwestern.com/">Best Western</a> has let it be known that the <a href="http://www.securitykarma.com/2008/08/over-8-million-best-western-records.html">compromise</a> <a href="http://www.sundayherald.com/news/heraldnews/display.var.2432225.0.revealed_8_million_victims_in_the_worlds_biggest_cyber_heist.php">that</a> <a href="http://www.dailymail.co.uk/news/worldnews/article-1048861/Eight-million-people-risk-ID-fraud-credit-card-details-stolen-hotel-chain-hackers.html">was</a> <a href="http://blogs.pcworld.com/staffblog/archives/007555.html">widely</a> <a href="http://www.telegraph.co.uk/news/uknews/2613095/Hackers-steal-details-of-millions-of-Best-Western-hotel-guests.html">reported</a> was contained to only 10 guests who stayed at one of the chain's many hotels in Germany.<br />
<blockquote>That's three fewer than the 13 customer records that Best Western International Inc. initially said had been exposed, and a far cry from the 8 million stolen records reported by the Glasgow Sunday Herald, a Scottish newspaper that broke the news of the breach on Sunday.</blockquote>So not so bad... this is great news (unless you are one of the ten people about to get letters and free credit monitoring).<br />
<h3>Original Story</h3><ul><li><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113499&source=NLT_SEC&nlid=38">Best Western says data breach even smaller than first thought</a><br />
</li>
</ul>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-91634073756108203202008-08-27T10:00:00.001-05:002008-08-27T10:00:02.285-05:00The Internet is broken<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_YM_k6IgTR7E/SLTJCGa8ffI/AAAAAAAAD-4/fewPlCgA8ck/s1600-h/gateway.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_YM_k6IgTR7E/SLTJCGa8ffI/AAAAAAAAD-4/F_P_uh01wTI/s200-R/gateway.jpg" /></a></div>This isn't exactly a "vulnerability" and has been around for years... but it is starting to get used more and more and is begging to get some press. <a href="http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html">Threat Level</a> over at <a href="http://www.wired.com/">Wired</a> has a nice summary and explanation of <a href="http://en.wikipedia.org/wiki/IP_hijacking">IP Hijacking</a> and how it's getting more play today and there isn't much anyone can do about it.<br />
<blockquote>That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.<br />
<br />
Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.</blockquote>This hack is a symptom of a much bigger issue. The real problem is that the Internet is built on, and depends on, protocols that were created in <a href="http://tools.ietf.org/html/rfc791">1980 (IPv4)</a>, <a href="http://tools.ietf.org/html/rfc821">1982 (SMTP)</a>, <a href="http://tools.ietf.org/html/rfc920">1984 (DNS)</a>, <a href="http://tools.ietf.org/html/rfc1771">1995 (BGP)</a>, etc., and we (the IT community) have been stacking more and more complexity on top of very simplistic and insecure infrastructure.<br />
<br />
Problems such as <a href="http://en.wikipedia.org/wiki/E-mail_spam">spam</a>, <a href="http://en.wikipedia.org/wiki/Ip_spoofing">IP spoofing</a>, <a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning">DNS cache poisoning</a>, <a href="http://en.wikipedia.org/wiki/Arp_poisoning">ARP poisoning</a>, etc. are very effective and hard to detect or stop because the protocols themselves have little to no built-in security mechanisms. Why hasn't the industry fixed this? There is too much money in <span style="font-weight: bold;"><span style="font-size: medium;">not</span></span> fixing the problem. Network hardware vendors such as <a href="http://www.cisco.com/">Cisco</a>, <a href="http://www.juniper.net/">Juniper</a>, <a href="http://www.3com.com/">3Com</a>, <a href="http://www.nortel.com/">Nortel</a>, <a href="http://www.alcatel-lucent.com/">Lucent</a>, etc. have no incentive to fix the inherent problems since they make too much money on selling security devices, software, and services that slap band-aids on the problems, slowing down but never stopping attacks. Once the attacks pick up again or a new threat emerges the vendors are ready with more devices, software, and services... more band-aids.<br />
<blockquote>ISPs... have been holding their breath, "hoping that people don’t discover (this) and exploit it."</blockquote>How do we fix this? We need the users of these products, big and small, to start demanding fixes to the fundamental security issues. Without a monetary incentive these companies will continue to push their "fixes" upon us and leave the core infrastructure of the Internet vulnerable to attack. Until then? Keep buying band-aids, check DNS and eBGP periodically to ensure proper resolution and routing, and cross your fingers.<br />
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-34892705982429647282008-08-26T13:00:00.003-05:002008-08-27T11:26:01.253-05:00Seriously now, we're starting to spoil them<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_YM_k6IgTR7E/SLRGQdhmHfI/AAAAAAAAD-w/nSIBodL-gt0/s1600-h/hard-drive.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://2.bp.blogspot.com/_YM_k6IgTR7E/SLRGQdhmHfI/AAAAAAAAD-w/wVMydr4KJzg/s200-R/hard-drive.jpg" /></a></div><a href="http://www.theregister.co.uk/2008/08/26/more_details_lost/">Hackers are going to get lazy at this rate in Britain</a>.<br />
<span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; border-collapse: collapse; font-family: Helvetica;"><blockquote>A computer hard disc containing one million sets of bank details was bought on eBay for just £35.<br />
<br />
The secondhand PC contained details of customers from American Express, NatWest and Royal Bank of Scotland. The files included names, addresses, sort codes, account numbers, credit card numbers, mobile phone numbers, mothers' maiden names and even scans of signatures - more than enough for an identity thief.<br />
</blockquote></span><br />
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-77190088694852790212008-08-26T10:30:00.002-05:002008-08-26T10:30:00.919-05:00Why Red Hat should be ashamed<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_YM_k6IgTR7E/SLDQngiEopI/AAAAAAAAD9o/z6eOw1i7Khc/s1600-h/log-in_corner_shadowman.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://1.bp.blogspot.com/_YM_k6IgTR7E/SLDQngiEopI/AAAAAAAAD9o/cLd07KrtZmY/s200-R/log-in_corner_shadowman.gif" /></a></div>This is big. Real big. As a former <a class="zem_slink" href="http://www.redhat.com/" rel="homepage" title="Red Hat">Red Hat</a> Enterprise <a class="zem_slink" href="http://en.wikipedia.org/wiki/Linux" rel="wikipedia" title="Linux">Linux</a> (RHEL) admin and dabbler in things <a class="zem_slink" href="http://fedoraproject.org/" rel="homepage" title="Fedora (operating system)">Fedora</a> I find this news very disturbing. I'm not upset that servers at RH got compromised... that happens. What shouldn't happen is a breach of the infrastructure servers that manage your package signing. When trust is a key part of your business model (who is going to purchase an OS, let alone download and install packages, they can't trust?), you should keep your key management servers protected as much as, if not more than, your financial databases.<br />
<br />
Certificate Authority (CA) servers, key management systems, and certificate management systems should be among the most difficult systems on your network to access, no exception. They shouldn't run web servers or sit on the public Internet (or your intranet, for that matter). The NIDS/NIPS systems should be cranked up and watching for the baddies, and your firewalls should be blocking all inbound and outbound communication other than what is absolutely needed to function in the environment. Many businesses keep these servers off the grid (no network connectivity) in a secured room, and all package signing is done via sneakernet (carrying the data to be signed on physical media into the room). <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_YM_k6IgTR7E/SLDQtyAvdFI/AAAAAAAAD9w/QzFsM675Eig/s1600-h/fedora.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_YM_k6IgTR7E/SLDQtyAvdFI/AAAAAAAAD9w/WnJMKRMX9T8/s200-R/fedora.jpg" /></a></div>Red Hat has recreated the keys for Fedora packages, but there was no mention of whether they are creating new RHEL keys. If I were running RHEL servers I would be compiling <a class="zem_slink" href="http://en.wikipedia.org/wiki/OpenSSH" rel="wikipedia" title="OpenSSH">OpenSSH</a> from source at this point. This is coming from someone who doesn't typically fall into the "Henny-Penny" category of infosec professionals. I like to temper my paranoia with a healthy dose of reality. However, on this one I think I am upset that Red Hat's infrastructure is architected in such a way as to let this happen, and I can't trust that they aren't still rooted in some way. I have a feeling many security-conscious system administrators will be looking sideways at any and all new packages from Red Hat and Fedora for the next few months.<br />
<br />
I am harsh because I love. I have run Red Hat since 1998 (5.2) and still run a Fedora laptop at home and use my RHEL 4 VM a few times a week at work. I have fought long and hard to get management sign-off at various jobs to bring Linux into the datacenter and hate when the community gives Microsoft ammunition for white papers.<br />
<br />
<h3>Related Articles</h3><ul><li><a href="http://www.infoworld.com/article/08/08/22/Red_Hat_admits_breach_of_its_servers_Fedora_1.html?source=rss&url=http://www.infoworld.com/article/08/08/22/Red_Hat_admits_breach_of_its_servers_Fedora_1.html">Red Hat admits breach of its servers, Fedora</a></li>
<li><a href="http://www.hackaday.com/2008/08/23/red-hat-confirms-security-breach/">Red Hat confirms security breach</a></li>
<li><a href="http://news.cnet.com/8301-1009_3-10023565-83.html?hhTest=1&part=rss&subj=news">Red Hat, Fedora servers compromised</a></li>
<li><a href="http://www.theregister.co.uk/2008/08/22/red_hat_systems_hacked/">Red Hat hack prompts critical OpenSSH update</a></li>
</ul>
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-24753760501407514782008-08-25T15:30:00.001-05:002008-08-25T15:39:07.783-05:00Best Western refutes breach claims<a href="http://2.bp.blogspot.com/_YM_k6IgTR7E/SLMYI5LFRvI/AAAAAAAAD-Q/tJoCgbRcjq0/s1600-h/oops.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://2.bp.blogspot.com/_YM_k6IgTR7E/SLMYI5LFRvI/AAAAAAAAD-Q/ij2Wr3h0m9U/s200-R/oops.jpg" /></a>As a follow-up to my post yesterday "<a href="http://www.securitykarma.com/2008/08/over-8-million-best-western-records.html">Over 8 million Best Western records stolen and sold to Russian mob</a>," <a href="http://www.bestwestern.com/">Best Western</a> is reporting that only 13 records (not 8,000,000) may have been exposed. A company spokesman states:<br />
<blockquote>There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of the Herald story. We have found no suspicious activity to support them.</blockquote>Best Western points to their compliance with the PCI DSS as further proof that the allegations aren't true. Now, everything they are saying may be true: only one hotel was involved in the breach, only 13 records were compromised, and they are fully PCI DSS compliant. However, with statements such as<br />
<blockquote>... our most recent internal review was conducted in August 2008, as was our most recent external test and review. Both evaluations showed Best Western to be compliant with PCI DSS. </blockquote>... it sounds as if they are relying on the fact that they are PCI compliant as proof that such an audacious hack (the 8 million, not the 13) cannot happen. It can. Hannaford was "compliant" with the DSS, but there were 4.2 million credit card numbers involved in that breach. That brings up the larger topic of compliance vs. best practices... which will have to wait for a different post.<br />
<br />
In the end, I hope BW is correct in their investigation and the reports were wrong. I've stayed at numerous BW hotels over the past few years myself so I'm a stakeholder of sorts in all this.<br />
<br />
<h3>Related Articles</h3><ul><li><a href="http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid={A87F9682-AC67-4803-A135-B6ACF42C0956}&dist=hppr">Best Western Responds to Sunday Herald Story Claiming Security Breach</a></li>
<li><a href="http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9113402&taxonomyId=17&intsrc=kc_top">Best Western refutes story claiming 8 million customer records were breached</a><br />
</li>
<li><a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210200550">8 Million-Record Data Breach Claim 'Grossly Unsubstantiated,' Says Best Western </a><br />
</li>
<li><a href="http://www.securitypronews.com/insiderreports/insider/spn-49-20080825BestWesternHackWorstExaggerationInHistory.html">Best Western Hack Worst Exaggeration In History?</a><br />
</li>
</ul>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-42819875489069678482008-08-25T10:00:00.004-05:002008-08-25T10:05:03.476-05:00Congress to DHS - Terror Watch List needs major overhaul<div xmlns="http://www.w3.org/1999/xhtml">Interesting story in <a class="zem_slink" href="http://www.wsj.com/" rel="homepage" title="The Wall Street Journal">the Wall Street Journal</a> regarding a Congressional report finding that the TWL is:<br />
<blockquote>...hobbled by technology challenges, and the $500 million program designed to upgrade it is on the verge of collapse, according to a preliminary congressional investigation.</blockquote>Interesting fact I didn't know... the TWL DB was built by <a class="zem_slink" href="http://www.lockheedmartin.com/" rel="homepage" title="Lockheed Martin">Lockheed Martin</a> (I know when I think database I think Lockheed... WTF?) back in 2001 and is unable to do keyword searches... they have a person build a query. I'm not kidding. I'll repeat. The <a class="zem_slink" href="http://en.wikipedia.org/wiki/United_States_Department_of_Homeland_Security" rel="wikipedia" title="United States Department of Homeland Security">Department of Homeland Security</a> builds the <a class="zem_slink" href="http://en.wikipedia.org/wiki/No_Fly_List" rel="wikipedia" title="No Fly List">Terror Watch List</a> by running a friggin' query.<br />
<br />
<h3>Related Articles</h3><ul><li><a href="http://online.wsj.com/article/SB121937117186362585.html?mod=googlenews_wsj">Flaws Found In Watch List For Terrorists - Wall Street Journal</a></li>
<li><a href="http://www.securitymanagement.com/news/congress-finds-critical-failures-affecting-terror-watch-list-004511">Congress Finds Critical Failures Affecting Terror Watch List - Security Management</a><br />
</li>
<li><a href="http://science.house.gov/press/PRArticle.aspx?NewsID=2289">Technical Flaws Hinder Terrorist Watch List; Congress Calls for Investigation - House Science and Technology Committee</a></li>
<li><a href="http://democrats.science.house.gov/Media/File/AdminLetters/bm_InspectorGeneralMaquire_terrorwatchlist_8.21.08.pdf">Miller letter to Inspector General Maquire Regarding Technical Flaws in Terrorist Watch List [pdf]</a></li>
<li><a href="http://democrats.science.house.gov/Media/File/Commdocs/Staff_Memo_toBM_terror_watch_8.21.08.pdf">Memo to Subcommittee Chairman Miller [pdf]</a><br />
</li>
</ul>
</div>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-22312225537648459242008-08-24T19:30:00.003-05:002008-08-24T20:11:10.957-05:00Over 8 million Best Western records stolen and sold to Russian mob<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_YM_k6IgTR7E/SLIEbTQ1JXI/AAAAAAAAD-I/I3WZc0TMtf4/s1600-h/best_western_logo.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_YM_k6IgTR7E/SLIEbTQ1JXI/AAAAAAAAD-I/_SlFEUnrpqk/s200-R/best_western_logo.gif" /></a></div>Looks like this one is going to be up there with the <a href="http://www.tjx.com/">TJX</a> and <a href="http://www.hannaford.com/">Hannaford</a> breaches. The <a href="http://www.telegraph.co.uk/">London Telegraph</a> is <a href="http://www.telegraph.co.uk/news/uknews/2613095/Hackers-steal-details-of-millions-of-Best-Western-hotel-guests.html">reporting</a> that over 8 million customer accounts have been stolen from <a href="http://www.bestwestern.com/">Best Western</a> and sold to the Russian mafia. This story is still breaking, but from the article:<br />
<blockquote>It is believed an Indian hacker succeeded in bypassing the security software and placing a Trojan virus on one of the firm's machines used for reservations.<br />
<br />
The next time a staff member logged in, his or her username and password were collected, stored then put up for sale on a website operated by a branch of the Russian mafia.<br />
<br />
The stolen data includes a range of private information such as home addresses, telephone numbers, credit card details and place of employment.<br />
<br />
Best Western fixed the security breach on Friday after being alerted by a Sunday newspaper, which had discovered the crime.</blockquote><br />
A Sunday newspaper discovered the crime? Jeez. I'm sure there will be much, much more to come about this one.<br />
<br />
Original Story: <a href="http://www.telegraph.co.uk/news/uknews/2613095/Hackers-steal-details-of-millions-of-Best-Western-hotel-guests.html">Hackers steal details of millions of Best Western hotel guests</a><br />
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-57621361311084591072008-08-24T11:30:00.007-05:002008-08-25T10:06:11.783-05:00They have the technology, but no security<a href="http://4.bp.blogspot.com/_YM_k6IgTR7E/SLGTDvnOjTI/AAAAAAAAD-A/09b5T_MdptE/s1600-h/mod_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://4.bp.blogspot.com/_YM_k6IgTR7E/SLGTDvnOjTI/AAAAAAAAD-A/dPCmV6ILyZA/s200-R/mod_logo.jpg" /></a>Great article in the London Times this morning entitled "<a href="http://www.timesonline.co.uk/tol/comment/columnists/guest_contributors/article4592322.ece">We have the technology, but no security</a>." Author <a class="zem_slink" href="http://en.wikipedia.org/wiki/Simon_Davies_%28privacy_advocate%29" rel="wikipedia" title="Simon Davies (privacy advocate)">Simon Davies</a> goes through the laundry list of compromises that have hit the British government over the past year and correctly comes to the conclusion that it is a lack of standards, policy, and understanding about data security that leads to a culture of carelessness.<br />
<br />
Hackers in Britain don't need to scan servers for vulnerabilities nor do they have to prepare "spear phishing" attacks to compromise desktops within the government... they just need to walk around the street and look for discarded DVDs and USB key drives. Their problems are definitely on the people and process side of the security triad (people, process, technology).<br />
<br />
I hope someone in the British government takes control of the situation and institutes an educational program coupled with strong encryption and data-access policies, with the necessary technical controls to help enforce them.<br />
<br />
<h3>Related Articles</h3><ul><li><a href="http://politics.guardian.co.uk/homeaffairs/story/0,,2233519,00.html?gusrc=rss">Britain 'worst in Europe for privacy'</a></li>
<li><a href="http://www.iwr.co.uk/information-world-review/news/2224554/information-thousands-prisoners">Information on thousands of prisoners missing</a></li>
<li><a href="http://www.boingboing.net/2008/08/22/uk-govt-loses-4-mill.html">UK gov't loses 4 million citizens' personal info</a></li>
<li><a href="http://www.guardian.co.uk/technology/2008/aug/23/security.justice?gusrc=rss">Pitfalls of miniaturisation as PA Consultancy loses prisoners' details</a></li>
<li><a href="http://www.pcworld.com/businesscenter/article/150219/uk_government_spills_personal_data_of_millions.html">UK Government Spills Personal Data of Millions</a> </li>
<li><a href="http://www.telegraph.co.uk/news/newstopics/politics/2608805/Thousands-of-personal-records-lost-each-month.html">Thousands of personal records lost each month</a> </li>
<li><a href="http://www.guardian.co.uk/politics/2008/aug/24/justice.conservatives">Tories call for data loss prosecutions</a></li>
<li><a href="http://www.computerworld.com.au/index.php/id;50110485">UK gov't loses personal data on 4M people in one year</a><br />
</li>
</ul>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-53657864909512814962008-08-23T22:00:00.004-05:002008-08-24T13:49:44.433-05:00a wii haiku<div style="font-family: Helvetica; font-size-adjust: none; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><div style="text-align: center;"><span style="font-size: x-large;"><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="color: #666666;">a cord pulled too hard<br />
</span></span></span></div></div><div style="font-family: Helvetica; font-size-adjust: none; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><div style="text-align: center;"><span style="font-size: x-large;"><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="color: #666666;">the wii falls down </span></span></span><span style="font-size: x-large;"><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="color: #666666;"> crashes breaks </span></span></span></div></div><div style="font-family: Helvetica; font-size-adjust: none; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"><div style="text-align: center;"><span style="font-size: x-large;"><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="color: #666666;">my heart sinks to floor</span></span></span></div><div style="text-align: center;"></div></div><div style="font-family: Helvetica; font-size-adjust: none; font-size: 12px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;"></div><br />
<div class="mobile-photo"><div style="text-align: center;"><a href="http://1.bp.blogspot.com/_YM_k6IgTR7E/SLAxu2-jnxI/AAAAAAAAD9U/PxAVv05WLTQ/s1600-h/photo-719552.jpg"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5237741047733526290" src="http://1.bp.blogspot.com/_YM_k6IgTR7E/SLAxu2-jnxI/AAAAAAAAD9U/PxAVv05WLTQ/s400/photo-719552.jpg" /></a></div></div><div style="text-align: center;"></div><br />
Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-76205610452696506852008-08-22T09:30:00.003-05:002008-08-24T13:57:06.116-05:00TSA ninja strikes, renders nine planes helpless.<div xmlns="http://www.w3.org/1999/xhtml"><div style="text-align: center;"><a href="http://3.bp.blogspot.com/_YM_k6IgTR7E/SK428N7KsmI/AAAAAAAAD9I/E2ITvAp4XBE/s1600-h/TSA-NINJA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_YM_k6IgTR7E/SK428N7KsmI/AAAAAAAAD9I/xTnP3CiS-XQ/s400-R/TSA-NINJA.png" /></a></div><div style="text-align: left;">From the National Security Ninjas Desk:</div><a href="http://www.abcnews.go.com/Blotter/story?id=5624381&page=1">ABC News: TSA Fires Back: Blames Airline for 'Security Violation'</a><br />
<br />
I'll start with a summary from the article:<br />
<blockquote>A TSA inspector, as part of a spot security check, used a sensitive aircraft probe as a handhold to gain access to parked <a class="zem_slink" href="http://www.aa.com/content/footer/eagleOverview.jhtml" rel="homepage" title="American Eagle Airlines">American Eagle</a> planes at <a class="zem_slink" href="http://flychicago.com/Ohare/OhareHomepage.shtm" rel="homepage" title="O'Hare International Airport">Chicago's O'Hare airport</a>.</blockquote>The TSA ninja caused AE to ground nine Eagle commuter jets, causing 40 flights to be delayed, maintenance costs to repair the broken parts (they ain't cheap folks), and loads of pissed passengers.<br />
<br />
To top it off:<br />
<blockquote>TSA, however, strongly defended its inspector's actions, noting in a<br />
statement that he was able to gain interior access to seven of the nine<br />
aircraft he inspected, which was an "apparent violation of the<br />
airline's security program."</blockquote>The kicker is that the TSA is considering fining AE for the "violations." I'd like to deconstruct the argument that AE was in "violation of the airline's security program." Airplanes aren't cars and the airport tarmac isn't a Wal-Mart parking lot; in order to get onto the tarmac you must pass through... you guessed it, TSA security check-points.<br />
<br />
Furthermore, you need specialized badges, passcards, and need to be recognized by sight to get into the secured areas. Trust me... it ain't easy. So if you look like you belong, you're a familiar face, and you are out on the tarmac, most likely people will let you go on with your day because the airport is a busy, busy place and they all have things to do.<br />
<br />
I can understand if the guy bribed an Eagle shift worker for a uniform, knocked out a sleeping American Eagle security henchman standing guard outside the plane, and got inside the plane without breaking anything. Where exactly did the TSA agent gain unauthorized access in "apparent violation of the airline's security?" What they did do was walk through security checkpoints, walk into areas they were allowed to go, break several planes so they couldn't take off, and waste the time of a lot of hard working people.<br />
<br />
If you are reading this blog you most likely understand that insider threats are one of the largest problems facing information security today. But seriously, this is like the IT security guy complaining that he was able to hit a server with a hammer when he has badge access to the datacenter and keys to the cage and rack where the server was located... it's just not a fair assessment.<br />
<br />
The TSA should stick to what it's best at: <a href="http://www.flickr.com/photos/cjd/1418632004/">frisking nuns</a>, <a href="http://consumerist.com/5039530/tsa-martinet-claims-her-unpublished-rules-trump-real-ones">making up rules as they go along</a>, <a href="http://www.tsa.gov/blog/2008/05/you-asked-for-ityou-got-it-millimeter.html">peeking straight through our clothing</a>, and <a href="http://www.boingboing.net/2008/01/09/tsa-searches-detains.html">detaining five year old children</a>. </div><br />
<fieldset class="zemanta-related"><br />
<legend class="zemanta-related-title">Related Articles</legend><br />
<ul class="zemanta-article-ul"><li class="zemanta-article-ul-li"><a href="http://www.gadling.com/2008/08/20/tsa-inspector-damages-planes-and-causes-major-flight-delays/">TSA inspector damages planes and causes major flight delays</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.cnn.com/2008/TRAVEL/08/21/TSA.american.eagle/index.html?eref=rss_latest">TSA investigating possible violations by American Eagle</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.cnn.com/2008/TRAVEL/08/21/TSA.american.eagle/index.html?eref=rss_travel">TSA investigating American Eagle at O'Hare</a></li>
<li class="zemanta-article-ul-li"><a href="http://abcnews.go.com/Blotter/story?id=5619046&page=1">Pilots Outraged Over TSA's Botched Security Check</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.cnn.com/2008/TRAVEL/08/20/grounded.jets/index.html?eref=rss_us">Inspector's method grounds 9 aircraft, TSA says</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.cnn.com/2008/TRAVEL/08/20/grounded.jets/index.html?eref=rss_latest">Jets grounded after inspector grabs sensitive equipment</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.cnn.com/2008/TRAVEL/08/20/grounded.jets/index.html?eref=rss_travel">Jets grounded after inspector grabs instrument</a></li>
<li class="zemanta-article-ul-li"><a href="http://abcnews.go.com/Blotter/story?id=5613502&page=1">TSA Snafu Damages Nine Planes at O'Hare Field</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.schneier.com/blog/archives/2008/08/tsa_follies.html">TSA Follies</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.boingboing.net/2008/08/20/tsa-inspector-breaks.html">TSA inspector breaks airplanes by climbing on them using instruments as handholds</a></li>
</ul></fieldset>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-43988956510599998972008-08-21T10:00:00.001-05:002008-08-24T14:24:27.799-05:00To cert, or not to cert, that is the Question:<div xmlns="http://www.w3.org/1999/xhtml"><a href="http://abovesecuritytraining.com/resources/Certification.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="35" src="http://abovesecuritytraining.com/resources/Certification.gif" width="200" /></a>Mike Rothman wrote an interesting article titled "<a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1323863,00.html?track=NL-430&ad=654062&asrc=EM_NLT_4270974&uid=7868131">Security certifications: Are they worth the trouble?</a>" at <a href="http://searchsecurity.techtarget.com/home/0,289692,sid14,00.html">SearchSecurity.com</a>. His take was pretty close to the one I have and his experience is in line with what I have experienced in my years within the IT field. From the article:<br />
<blockquote>I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do.</blockquote>I don't have a <a class="zem_slink" href="http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional" rel="wikipedia" title="Certified Information Systems Security Professional">CISSP</a>, nor have I earned a <a class="zem_slink" href="http://en.wikipedia.org/wiki/Certified_Ethical_Hacker" rel="wikipedia" title="Certified Ethical Hacker">CEH</a>, <a class="zem_slink" href="http://en.wikipedia.org/wiki/Certified_Information_System_Auditor" rel="wikipedia" title="Certified Information System Auditor">CISA</a>, Security+, etc. Quite honestly I am too busy to study for any of them. I have found a few types of "certified" folks out there:<br />
<ul><li>Smart, dedicated professional looking to expand knowledge and become an expert in their chosen field spending hours studying texts, reading white papers, etc.<br />
</li>
<li>Smart, dedicated professional that went to training and took the exam at the end because... "why not?" <br />
</li>
<li>Poor soul sent to a boot camp training course to take on new technology / responsibility that they have no experience in, took the test on Friday afternoon after getting their free travel mug and polo shirt.<br />
</li>
<li>Sales engineers and their ilk that need certifications to "prove" expertise... I still remember the CISSP, CEH, LMNOP vendor dude that didn't understand basic routing issues and insisted that eBGP could NOT be run on an internal network.</li>
</ul>I am, of course, taking a light-hearted jab at my certified security brethren out there. Seriously though, I have not been impressed with some of the <a class="zem_slink" href="http://en.wikipedia.org/wiki/Cisco_Career_Certifications" rel="wikipedia" title="Cisco Career Certifications">CCIE</a> (I helped one write an ACL on a <a class="zem_slink" href="http://en.wikipedia.org/wiki/Cisco_PIX" rel="wikipedia" title="Cisco PIX">PIX firewall</a> once... no joke), CISSP, CEH, etc. that I have been meeting and interviewing lately.<br />
<br />
I think what is beginning to happen with security certifications is what has happened with <a class="zem_slink" href="http://en.wikipedia.org/wiki/Cisco_Career_Certifications" rel="wikipedia" title="Cisco Career Certifications">Cisco certifications</a> and college degrees... so many unqualified, uninterested, and incompetent people have been attaining the high level certs that they are becoming almost worthless as a selection criterion of value or knowledge.<br />
<br />
That being said, I would actually consider a <a class="zem_slink" href="http://en.wikipedia.org/wiki/Certification" rel="wikipedia" title="Certification">certification</a> that still meant something like the CISSP (but that is changing by the day) or a newer, lesser known <a class="zem_slink" href="http://en.wikipedia.org/wiki/SANS_Institute" rel="wikipedia" title="SANS Institute">SANS</a> certification (management or technical tracks... I still haven't decided which direction I want my career to go). Of course that would put me in the first type of certified professional I listed above ;)<br />
</div>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-48068356318132784062008-08-20T22:45:00.001-05:002008-08-24T13:40:24.165-05:00Squirtle: squirting browser-based NTLM site on your intranet<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_YM_k6IgTR7E/SKzpeJmu26I/AAAAAAAAD9A/SsoybPVwA0I/s1600-h/squirtle.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://1.bp.blogspot.com/_YM_k6IgTR7E/SKzpeJmu26I/AAAAAAAAD9A/aylXYQ3XJwg/s200-R/squirtle.gif" /></a></div>Just a quick note about something interesting I ran across out at <a class="zem_slink" href="http://code.google.com/" rel="homepage" title="Google Code">Google Code</a>. <a href="http://code.google.com/p/squirtle/">Squirtle</a> exploits <a class="zem_slink" href="http://en.wikipedia.org/wiki/Internet_Explorer" rel="wikipedia" title="Internet Explorer">Internet Explorer's</a> use of trusted zones and grabs <a class="zem_slink" href="http://en.wikipedia.org/wiki/NTLM" rel="wikipedia" title="NTLM">NTLM</a> hashes when a user browses to a site that is running squirtle. No muss, no fuss, just pure Windows credential hashes. After glancing through the code I honestly can't imagine why it took so long for this to come along. Personally, I think <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a> and <a href="http://en.wikipedia.org/wiki/Social_engineering_%28security%29">social engineering</a> are your most likely attack vectors and that deploying squirtle is dead simple... and NTLM is just dead (FD: I have never liked NTLM nor thought it was effective; it was an MS lock-in trick to make people feel better... but not make them more secure, like SMB signing). 
More info <a href="http://grutz.jingojango.net/exploits/pokehashball.html">here</a> and <a href="http://oss.coresecurity.com/projects/pshtoolkit.htm">here</a>.Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-6547009474326335572008-08-20T09:30:00.001-05:002008-08-24T13:57:06.118-05:00Continental expands paperless boarding pass effort<a href="http://upload.wikimedia.org/wikipedia/commons/thumb/6/67/Continental.airlines.b757-200.takeoff.arp.jpg/800px-Continental.airlines.b757-200.takeoff.arp.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="139" src="http://upload.wikimedia.org/wikipedia/commons/thumb/6/67/Continental.airlines.b757-200.takeoff.arp.jpg/800px-Continental.airlines.b757-200.takeoff.arp.jpg" width="200" /></a><br />
<div xmlns="http://www.w3.org/1999/xhtml">Continental has expanded their pilot program for paperless ticketing as <a href="http://www.kxan.com/Global/story.asp?S=8865017&nav=menu73_2">reported on KXAN</a> (Austin, TX NBC affiliate). The program allows passengers to pass through airport "security" and board planes with electronic <a class="zem_slink" href="http://en.wikipedia.org/wiki/Boarding_pass" rel="wikipedia" title="Boarding pass">boarding pass</a> barcodes that are sent to the passengers and can be downloaded and viewed on devices such as <a class="zem_slink" href="http://en.wikipedia.org/wiki/Mobile_phone" rel="wikipedia" title="Mobile phone">cell phones</a>. The <a class="zem_slink" href="http://www.tsa.gov/" rel="homepage" title="Transportation Security Administration">TSA</a> will have scanners at checkpoints that can scan the <a class="zem_slink" href="http://en.wikipedia.org/wiki/Barcode" rel="wikipedia" title="Barcode">barcode</a> on the device, eliminating the need for paper. I can't comment in too much detail since I have been involved in the architecture of this program for my employer. I will post about this again as more information becomes public regarding the security of the program. For now, I will list a few articles that give more details regarding the program. You can piece together a good amount of information regarding the program by reading them (Be warned... some of them are re-posts and article amplifications and don't offer much of anything new... sort of like this post :) ).<br />
<blockquote></blockquote></div><fieldset class="zemanta-related"><br />
<br />
<legend class="zemanta-related-title">Related articles </legend><br />
<ul class="zemanta-article-ul"><li class="zemanta-article-ul-li"><a href="http://www.cbsnews.com/stories/2007/12/04/travel/main3573858.shtml?source=RSS&attr=_3573858">TSA Greenlights Paperless Boarding Passes</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.msnbc.msn.com/id/22100817/">TSA, Continental initiate paperless boarding</a></li>
<li class="zemanta-article-ul-li"><a href="http://mobilecrunch.com/2008/06/04/continental-airlines-offers-mobile-boarding-passes/">Continental Airlines offers Mobile Boarding Passes</a></li>
<li class="zemanta-article-ul-li"><a href="http://www10.nytimes.com/2008/03/18/technology/18check.html?_r=5&ex=1363579200&en=706a3325091fa7f8&ei=5088&partner=rssnyt&emc=rss&oref=slogin&oref=slogin&oref=slogin&oref=slogin">Itineraries: Paper Is Out, Cellphones Are In</a></li>
<li class="zemanta-article-ul-li"><a href="http://gizmodo.com/gadgets/cellphones/paperless-boarding-passes-coming-to-cellphones-330178.php">Paperless Boarding Passes Coming To Cellphones [Cellphones]</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.news.com/8301-10784_3-9896859-7.html?part=rss&subj=news">Cell phone as boarding pass</a></li>
<li class="zemanta-article-ul-li"><a href="http://venturebeat.com/2008/07/14/sojern-gives-airlines-a-new-way-to-make-money-your-boarding-pass/">Sojern gives airlines a new way to make money - your boarding pass</a></li>
<li class="zemanta-article-ul-li"><a href="http://www.informationweek.com/news/mobility/showArticle.jhtml?articleID=204701111">Paperless Boarding Pass Program Kicks Off</a><br />
</li>
<li class="zemanta-article-ul-li"><a href="http://www.news.com/8301-10784_3-9931866-7.html?part=rss&subj=news">iPhone as electronic airplane boarding pass</a></li>
</ul></fieldset>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-7850004085561981042008-08-19T16:25:00.004-05:002008-08-24T14:25:04.576-05:00PCI DSS update (1.2) pre-released and boy howdy it's about time!<div xmlns="http://www.w3.org/1999/xhtml"><a href="http://2.bp.blogspot.com/_YM_k6IgTR7E/SKs_wwjZoqI/AAAAAAAAD8Y/_kmm2wltwuE/s1600-h/credit_card_alternative.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://2.bp.blogspot.com/_YM_k6IgTR7E/SKs_wwjZoqI/AAAAAAAAD8Y/PMI66mQwyY8/s200-R/credit_card_alternative.jpg" /></a>The <a href="http://www.pcisecuritystandards.org/">Payment Card Institute</a> (PCI) Security Standards Council has <a href="http://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf">pre-released</a> its highly anticipated <a href="http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">Data Security Standards</a> (DSS) version 1.2. The standard is due to be officially released in October of this year (2008) but the PCI wanted to give businesses a chance to examine the changes and begin re-architecting half the stuff they hurriedly put in place this year in order to meet the June 30 deadline for 1.1. Enough of my babbling, onto the good stuff:<br />
<br />
<ul><li>Relaxed firewall configuration review from three months to six.</li>
<li>Language changes to include routers into the fold (not just firewalls).</li>
<li>Clarified the requirement applies to wireless environments “attached to cardholder environment or transmitting cardholder data.” </li>
<li>Got rid of WEP language... long live WEP! (just kidding of course)</li>
<li>Finally got rid of the silly SSID hiding requirement... I got in some very intense arguments here about the futility of hiding the SSID... so that's a big ITYS to my colleagues (except you Ryan).</li>
<li>Clarified that local user account databases need to be encrypted, but the DB in my secure data center sitting behind eight layers of security devices need not go through the hassle... not that they shouldn't be encrypted... maybe I won't share that new requirement with management ;)</li>
<li>Wireless networks must follow industry best standards (whatever that means... more ambiguity!) for encryption, AAA, and transmission.</li>
<li>New WEP projects must be implemented by the end of March 2009 (hear that PM's... better hurry) and all WEP must die by June 30, 2010</li>
<li>AV is now required for all operating systems and must be updated and protect against <span style="font-style: italic;">known</span> attacks</li>
<li>Thankfully loosened patching requirements to allow a risk-based prioritization of patches.</li>
<li>6.6 is mandatory! All Internet-facing websites have to either be behind a WAF, have vulnerability assessment tools pointed in their direction, or undergo a rubber-glove code review</li>
<li>You have to test and verify that passwords are unreadable both at rest and in motion.</li>
<li>They did something surrounding the 2FA requirement for access but I guess we'll have to wait to get the actual requirement (bummer)</li>
<li>Passphrases join passwords as acceptable forms of authentication (another ITYS)</li>
<li>Must visit all off-site storage facilities at least once a year. (Ugh!)<br />
</li>
<li>Added some flexibility surrounding cameras to allow other access control types.</li>
<li>Finally clarified what "secure media" meant. It applies to electronic AND paper media and how to destroy it.<br />
</li>
<li>External devices must send their logs to <span style="font-style: italic;">internal</span> logging servers (well DUH!)</li>
<li>Relaxed audit trail requirements to three months; older logs can be archived as long as they can be quickly restored.</li>
<li>More guidance surrounding wireless analyzers and WIDS/WIPS; ASVs must be used for quarterly external scans, and internal and external pen tests are still required, but you don't have to use a QSA or ASV for those!</li>
<li>This one I don't get: 'Expanded list of examples of critical employee-facing technologies to include “remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)”' (Big WTF?!?!?!)<br />
</li>
<li>Security policy must be reviewed by all employees annually.</li>
<li>Cleared up language regarding service provider account access and hygiene.</li>
<li>Generally cleaned up language for consistency and clarity (we'll see about that!)</li>
</ul>All-in-all I am glad to see some of the clarifications and new requirements but there is still enough ambiguity and confusing language in the "clarifications" to keep security professionals busy and QSA's well employed over the next few years.</div><blockquote></blockquote>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-55758919292168769552008-08-18T20:41:00.005-05:002008-08-24T13:37:59.332-05:00Hack the Vote<span style="display: block; float: right; margin-bottom: 1em; margin-left: 1em; margin-right: 1em; margin-top: 1em;"><a href="http://1.bp.blogspot.com/_YM_k6IgTR7E/SKoolHlAdoI/AAAAAAAAD8Q/R5AJsTmawlQ/s1600-h/2766529482_81992de053.jpg"><img border="0" src="http://1.bp.blogspot.com/_YM_k6IgTR7E/SKoolHlAdoI/AAAAAAAAD8Q/gU1PKVM8mhw/s200-R/2766529482_81992de053.jpg" /></a><span style="display: block; font-size: xx-small; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 1em;">Image by <a href="http://www.flickr.com/photos/theamarand/">Amarand Agasi</a> via <a href="http://www.flickr.com/">Flickr</a> </span></span><br />
<div xmlns="http://www.w3.org/1999/xhtml">Christopher Beam wrote a short article for Salon last week with an attention-getting title: <a href="http://www.slate.com/id/2197502/">Hack the Vote - Five ways hackers could tamper with the 2008 elections</a> over at <a href="http://www.slate.com/id/2197502/" target="_blank">Slate</a>. After wasting five minutes of my time reading the article I thought I would waste another five minutes of my time writing a short summary of how "hackers" can "tamper" with the elections this fall. Please note that Mr. Beam has the word "hackers" in his title but consistently refers to them as "tricksters." Mr. Beam's short list of ways hacker-tricksters (hicksters?) can sabotage the vote are:<br />
<ol><li><span style="font-weight: bold;">Fake e-mails.</span> Seems that some hicksters (I'm starting to like it... I'm slapping a trademark on it) are actually politically-savvy phishers. He suggests defending against phishers with "rapid response," getting the word out about the scam to the people most likely to get duped. I do love this little bit of genius from the article: "...Obama's <a href="https://donate.barackobama.com/page/contribute/2millionD?source=20080813_2M_ND_R" target="_blank">donation page</a> has a security seal at the bottom designating it an "authentic site." Notice, also, that you can easily copy the seal and post it on your own site." I actually did LOL when I read the last sentence.</li>
<li><span style="font-weight: bold;">Dummy Web sites.</span> I'm not sure how this one made it in but Mr. Beam spends a good amount of screen real estate rambling about: <a href="http://www.wired.com/politics/onlinerights/news/2007/11/spoof_forums">fake content</a>, <a href="http://www.misspelledtraffic.com/index.htm">misspelled domain names</a>, the <a href="http://blogs.zdnet.com/security/?p=1042">Obama-Clinton XSS incident</a>, the <a href="http://www.securityfocus.com/news/11526">recent DNS flaw</a>, and finally <a href="http://en.wikipedia.org/wiki/SQL_injection">SQLi</a>. His solution? Well, not much since every security professional I know is struggling with the exact same issues day-in day-out... but I'll give Mr. Beam credit for bringing some of these vulnerabilities to the general public's attention.</li>
<li><span style="font-weight: bold;">Social networking.</span> I see this potentially being an issue for Obamanics but for McCainites? Not so much. Unless you count the golf course or barbershop.</li>
<li><span style="font-weight: bold;">Robo-calling.</span> Um. Yeah, weren't they cold calling my parents to sling some serious mud back when it was Nixon vs. McGovern? <br />
</li>
<li><b>Search-engine deoptimization.</b> Potentially could be a problem if the hicksters are very very motivated and very very organized but his scenarios are too localized to be effective (buying ads to mislead people where to vote?). <a href="http://www.google.com/" target="_blank">Google</a> (and the other search engines) have gotten much better about rooting out "<a href="http://en.wikipedia.org/wiki/Google_bomb">google bombing</a>" and other <a href="http://en.wikipedia.org/wiki/Search_engine_optimization">SEO</a> tricks and hacks (hicks?). <br />
</li>
</ol>Ultimately the article closes out with the statements that it should have started with: <br />
<blockquote>That's not to say these Internet tricks will upset the election—or even dent it. There are <a href="http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html" target="_blank">plenty of bright mischief-makers</a> out there, but how many of them want to screw up elections? (Elect John McCain for the <a href="http://en.wikipedia.org/wiki/LOL" target="_blank">lulz</a>!) And it may turn out that traditional methods of voter manipulation—such as, say, <a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/11/07/AR2006110700740.html" target="_blank">paying busloads of homeless people to pass out inaccurate sample ballots</a>—will prove more effective. Plus, one <a href="http://my.barackobama.com/page/content/fightthesmearshome" target="_blank">smear campaign</a> probably equals a thousand polling-place misinformation campaigns.</blockquote><blockquote></blockquote></div>Dan Glasshttp://www.blogger.com/profile/05184514838073792623noreply@blogger.comtag:blogger.com,1999:blog-5358057235902486284.post-79421037343118840492008-08-09T10:17:00.012-05:002008-08-24T14:32:11.829-05:00Using credit cards at airport kiosks is as safe using them anywhere else... which isn't saying much.<span style="display: block; float: right; margin-bottom: 1em; margin-left: 1em; margin-right: 1em; margin-top: 1em;"><a href="http://commons.wikipedia.org/wiki/Image:International_airport_toronto_pearson.jpg"><img alt="The Terminal 3 Grand Hall" src="http://upload.wikimedia.org/wikipedia/commons/thumb/7/77/International_airport_toronto_pearson.jpg/202px-International_airport_toronto_pearson.jpg" style="border: medium none; display: block;" /></a><span style="display: block; margin-bottom: 0pt; margin-left: 0pt; margin-right: 0pt; margin-top: 1em;">Image via <a href="http://commons.wikipedia.org/wiki/Image:International_airport_toronto_pearson.jpg">Wikipedia</a></span></span><br />
<div xmlns="http://www.w3.org/1999/xhtml">Bob Sullivan wrote a post titled "<a href="http://redtape.msnbc.com/2008/07/airline-travele.html">Are airline kiosks safe?</a>" for <a href="http://redtape.msnbc.com/">The Red Tape Chronicles</a> at <a href="http://www.msnbc.msn.com/">msnbc.com</a> last week that made me frown when I first read it. (Note: I'll give Bob Sullivan credit... at least he tried to be balanced, read on). On July 24th <a href="http://www.thestar.com/News/Canada/article/467012">The Toronto Star</a> broke a story titled "<a href="http://www.thestar.com/News/Canada/article/467012">Airports a natural target for credit card fraud: Expert</a>." Ok, airports are a target... so are <a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/02/21/AR2007022100940_pf.html">discount retail chains</a> and <a href="http://www.nytimes.com/2008/03/23/us/23credit.html">grocery stores</a>... what's with the title? It turns out that <a class="zem_slink" href="http://www.visa.com/" rel="homepage" title="Visa Inc.">Visa</a> was investigating "isolated fraud incidents" that were occurring when people used the cards to check in to their flights and get their boarding passes. What drives me nuts is that the article spends almost 500 words scaring the bejeebus out of people when right in the middle of the article there is this gem of a quote:<br />
<blockquote>"<a class="zem_slink" href="http://www.westjet.com/" rel="homepage" title="WestJet">WestJet</a> has cautioned against pinning the blame solely on the kiosks until the investigation is complete."</blockquote>Eh? They didn't really know where the fraud was originating from, the banks (which do not usually have detailed information regarding POS (<a class="zem_slink" href="http://en.wikipedia.org/wiki/Point_of_sale" rel="wikipedia" title="Point of sale">Point of Sale</a>) location or IT infrastructure of organizations) were guessing that the kiosks was a logical place to start looking. Makes sense to me. But then the <a href="http://www.upi.com/">UPI</a> picked up on the story with the albeit better title "<a href="http://www.upi.com/Top_News/2008/07/24/Toronto_airport_credit_card_scam_probed/UPI-94451216909711/" title="">Toronto airport credit card scam probed</a>." Unfortunately, this article also takes the tact that it's better to scare people about swiping your card than emphasize that the banks were investigating whether there was something to investigate.<br />
<br />
Well, not long after the UPI story came out the security and travel blogosphere grabbed the ball and ran. With titles like these who wouldn't be scared about checking in at a kiosk?<br />
<blockquote><ul><li><a href="http://www.usatoday.com/travel/flights/item.aspx?type=blog&ak=53166670.blog">Does using your credit card to check-in expose you to fraud?</a></li>
<li><a href="http://www.networkworld.com/community/node/30360">Airport kiosks may be stealing your credit card info</a></li>
<li><a href="http://www.tripso.com/today/beware-of-credit-card-fraud-at-torontos-airport-ticket-kiosks/"> Beware of credit card fraud at Toronto’s airport ticket kiosks</a></li>
<li><a href="http://www.doubledeckerbuses.org/nuttinbut/index.php/2008/07/26/credit_card_fraud_at_the_airport">Credit Card Fraud At The Airport</a> (with authority FTW!)</li>
</ul></blockquote>Ok, ok, I know what you're thinking, it's better to spread the word about possible fraud than to keep it quiet and let people continue to be at risk. Fine. I agree... although I think by upping the hyperbole you spread FUD (<a class="zem_slink" href="http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt" rel="wikipedia" title="Fear, uncertainty and doubt">Fear, Uncertainty, Doubt</a>) and damage the airports, the kiosk owners, and the airlines. Let's stick to the facts and leave the outrageous headlines out (except for the last one I listed above... if a reader of "Nuttin' But Pimp" takes anything on that site seriously... well then send me an email because do I have some offers for you!)<br />
<br />
Why am I picking on this particular news item? Well, just a few days after the initial story broke (five (5) days to be exact) <a href="http://www.cbc.ca/">CBC News</a> reported that "<a href="http://www.cbc.ca/consumer/story/2008/07/29/airport-kiosks.html">No fraud linked to Toronto Pearson airport kiosks</a>." Yes, that's right... they did an audit and found that there are "no confirmed cases of fraud currently at [Pearson] airport kiosks."<br />
<br />
I scoured the blogosphere for follow-up articles giving the "all clear" to let people use credit cards in addition to their passports or PNR numbers to check into their flight. I could only find a few stories in the Canadian press about it. At least there will be one article out there spreading the good news. Swiping your <a class="zem_slink" href="http://en.wikipedia.org/wiki/Credit_card" rel="wikipedia" title="Credit card">credit card</a> (CC) at an airport kiosk is just as dangerous as storing your CC information online, swiping it at the <a class="zem_slink" href="http://en.wikipedia.org/wiki/Grocery_store" rel="wikipedia" title="Grocery store">grocery store</a>, handing it to a waiter at a restaurant, etc. In other words, not really all that safe at all but convenient.<br />
<br />
Shout out to Howard for sending me the msnbc post.</div><br />
Related Articles<br />
<ul><li><a href="http://www.thestar.com/article/466406">Airport's self-serve kiosks tied to fraud</a></li>
<li><a href="http://www.nationalpost.com/nationalpost/story.html?id=675085">WestJet to pull credit card readers at check-in kiosks</a></li>
<li><a href="http://www.canada.com/topics/news/national/story.html?id=a6818ae8-bad6-4ac2-914b-87bf5efef244">WestJet shutters credit card kiosks</a></li>
<li><a href="http://www.canada.com/calgaryherald/news/story.html?id=a6818ae8-bad6-4ac2-914b-87bf5efef244">Stop that card</a></li>
<li><a href="http://www.canada.com/topics/news/national/story.html?id=2d4dc8ef-4ea1-4b5c-b0bc-8a9e4e091b0d">No fraud at Pearson kiosks: Ottawa</a></li>
<li><a href="http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20080727/airport_kiosks_080727/20080727?hub=QPeriod">Ottawa preparing report on Pearson airport kiosks</a></li>
<li><a href="http://www.thestar.com/article/468256">Ottawa to probe possible airport kiosk fraud</a></li>
<li><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110642&source=rss_topic82">Credit card firms investigate fraud at Canadian airport kiosks</a></li>
<li><a href="http://www.thestar.com/article/466225">WestJet suspends credit-card check-in amid fraud fears</a></li>
<li><a href="http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20080724/pearson_probe_080724/20080724?hub=Canada">Expert warns travellers in wake of Pearson probe</a></li>
<li><a href="http://www.cbc.ca/consumer/story/2008/07/29/airport-kiosks.html?ref=rss">No fraud linked to Toronto Pearson airport kiosks</a></li>
</ul><span style="font-size: x-small;">Edit: Fixed some spelling and cleaned up the language a bit. </span><br />
Dan Glass<br />
<br />
Airlines warn customers of infected ticket invoices (2008-07-29)<br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><a href="http://farm2.static.flickr.com/1194/542145956_efae4854b1.jpg?v=0" imageanchor="1" style="background-color: transparent; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img height="133" src="http://farm2.static.flickr.com/1194/542145956_efae4854b1.jpg?v=0" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px;" width="200" /></a></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">I haven't blogged in a while because work has been unbelievably busy lately, but I wanted to pass on an <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110883&source=NLT_VVR&nlid=37">article</a> on <a href="http://www.computerworld.com/">Computerworld</a> that falls right into my wheelhouse: information security and airlines. <a href="http://www.delta.com/">Delta</a> and <a href="http://www.nwa.com/">Northwest</a> have put out warnings regarding malicious ticket invoices that are being emailed to unsuspecting people. The malicious email contains a trojan-packed zip file and instructs the reader to open the zip in order to see the invoice for a $400 ticket. From the article:</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><span style="font-size: xx-small;">Photo by Flickr user: caribb</span> </div><blockquote>However, the .zip file format attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia, according to McAfee threat researcher Craig Schmugar. McAfee has pegged the malware as "Spy-Agent.bw," but other security firms have given it different names. For example, Symantec Corp. has labeled the same Trojan horse as "Infostealer.Monstres."</blockquote>It doesn't appear that the message has been directed at <a href="http://www.aa.com/">American Airlines</a> yet, but I wouldn't bet against seeing them within a day or two if the spam campaign is successful. I'll update this blog if more details become available.<br />
Dan Glass<br />
<br />
Preaching to the choir (2008-07-14)<br />
<a href="http://www.computerweekly.com/blogs/stuart_king/">Stuart King</a> wrote an <a href="http://www.computerweekly.com/blogs/stuart_king/2008/07/reducing-security-costs.html">excellent post</a> at <a href="http://www.computerweekly.com/">computerweekly.com</a> regarding how to reduce the cost of information security. His points are spot on and very similar to things I have been bringing up at work over the past few months. 
My organization is being hit particularly hard by current economic conditions, so it is imperative that I show value for every dollar I spend, perform thorough risk analysis on new projects, and evaluate existing security projects, services, and infrastructure for cost savings. Of course, I have to do all this while maintaining (or improving) the current security posture of the enterprise. <br />
<br />
Good times.<br />
Dan Glass<br />
<br />
NIST releases three new security guidelines (2008-07-11)<br />
<div xmlns="http://www.w3.org/1999/xhtml"><a href="http://upload.wikimedia.org/wikipedia/commons/thumb/e/ee/NIST_logo.svg/180px-NIST_logo.svg.png" imageanchor="1" style="background-color: transparent; border: 0pt none; clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/e/ee/NIST_logo.svg/180px-NIST_logo.svg.png" style="border: 0pt none;" /></a><a href="http://www.gcn.com/">Government Computer News</a> (GCN) <a href="http://www.gcn.com/online/vol1_no1/46628-1.html">reported</a> that the <a href="http://www.nist.gov/">National Institute of Standards and Technology</a> (NIST) recently released three draft guides for public comment before their official publication. From the article:</div><blockquote><a href="http://csrc.nist.gov/publications/drafts/Draft-SP-800-107/draft-SP800-107-July2008.pdf" target="_blank">SP 800-107</a>, titled “Recommendation for Applications Using Approved Hash Algorithms,” is in its second draft release. It provides guidelines for achieving the appropriate level of security when using approved hash functions. </blockquote><blockquote><a href="http://csrc.nist.gov/publications/drafts/800-121/Draft-SP800-121.pdf" target="_blank">Draft SP 800-121</a>, titled “Guide to Bluetooth Security,” describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively. </blockquote><blockquote><a href="http://csrc.nist.gov/publications/drafts/800-41-Rev1/Draft-SP800-41rev1.pdf" target="_blank">Draft SP 800-41 Revision 1</a>, titled “Guidelines on Firewalls and Firewall Policy,” updates the original publication released in 2002. 
It provides recommendations on developing firewall policies and selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based and personal firewalls.</blockquote>I have begun reading and intend to comment on the Firewall draft. From my first peek inside, it seems very thorough and covers not only firewall policies and requirements but also architecture, rule selection, and life-cycle management.<br />
Dan Glass<br />
<br />
Are Security Devices Making Us Lazy? : Part 1 : Introduction (2008-07-10)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://bp3.blogger.com/_YM_k6IgTR7E/SHVys5bxgVI/AAAAAAAADxM/3N8kCtH5-jM/s1600-h/100_6486.JPG" imageanchor="1" style="background-color: transparent; border: 0pt none; clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img src="http://bp3.blogger.com/_YM_k6IgTR7E/SHVys5bxgVI/AAAAAAAADxM/5nO9JE_WMQ4/s320-R/100_6486.JPG" style="border: 0pt none;" /></a></div><div xmlns="http://www.w3.org/1999/xhtml">Let me clarify before I begin... by "us" I mean IT as a community, not information security specifically. Now that I have that out of the way, let's discuss how our reliance on network firewalls, application firewalls, VPNs, encryption, etc. has made system administrators, architects, programmers, and yes, even us security-type-folk lazy. Let me explain a bit.</div><br />
Let's pretend for a moment that we didn't have AV, network firewalls, SSL, IDS, or any other security-specific solutions available to us. How would we design our information systems? How would we protect resources? How could we possibly defend our networks against attack? These are the questions I like to ask myself when I have to design a new security architecture, review a proposed design, or audit an existing system.<br />
<br />
I am not saying we should design all of our systems with these questions in mind. I understand the fact that we have these wonderful network and system security tools at our disposal. Thus, we can adapt our architectures, designs, and programs to include these solutions. The problem I see is an over-reliance on these tools. As an industry we have moved away from pushing most of the security work to the system administrators and programmers. We have told them (implicitly) "Don't worry about it... we've got it covered."<br />
<br />
So how do we fix it? How do IT professionals stop relying on “things” and start building security from the ground up? How do we do this while increasing functionality, ease of use, and speed? In future installments of this series I will attempt to look at where IT professionals can focus their energies to begin “spreading the gospel” to the developers and administrators and have them buy into the idea of secure systems from the start.<br />
Dan Glass<br />
<br />
Should the Airlines be Forced to Fingerprint Passengers? (2008-07-08)<br />
<b>...and should they have to pay for it? </b><br />
<br />
<div class="separator" style="text-align: center; clear: both;"><a href="http://bp1.blogger.com/_YM_k6IgTR7E/SHO0PjKOJbI/AAAAAAAADw8/hbe9OW0bMH8/s1600-h/US-VISIT_L.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: right; margin-bottom: 1em; float: right; margin-left: 1em;"><img src="http://bp1.blogger.com/_YM_k6IgTR7E/SHO0PjKOJbI/AAAAAAAADw8/qrV7R-c7XDk/s320-R/US-VISIT_L.jpg" style="border: 0pt none ;" /></a></div>
The <a href="http://en.wikipedia.org/wiki/Presidency_of_George_W._Bush">Bush Administration</a> and the <a href="http://www.dhs.gov/index.shtm">Department of Homeland Security</a> <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/06/21/AR2008062101466.html?hpid=moreheadlines">have told the airline carriers</a> that they will <a href="http://www.abcnews.go.com/Travel/Weather/story?id=5292826&amp;page=1">collect biometric information</a> such as <a href="http://www.fcw.com/online/news/152315-1.html">fingerprints from foreign travelers </a>on their exit from the United States. I will refrain from discussing the political and social aspects of this request and instead will focus on the financial and technological aspects of such an idea.<br />
<br />
The US-based airline carriers are facing <a href="http://news.google.com/news/url?sa=t&amp;ct=:ePkh8BM9E8K0A2x8BsQ2VqAdBkxCslrSSo65qUWZyYl5Co6ZRTmZeUDtCrrOqXklqUVCYloimXlp-UW5iSWZ-XkKxanJpUWZJZUwd2kwGgk4v_1-a6-jKc_Cq6fkL6nlFv5iYy5KTQYA7Fkj6Q/4-0&amp;fp=487320a733886e09&amp;ei=e55zSIyqLYqWyASmhbXhCQ&amp;url=http%3A//online.wsj.com/article/SB121547453054734059.html%3Fmod%3Dgooglenews_wsj&amp;cid=1226414171&amp;sig2=wyslKK_ThDwH_3H8k1dwGw&amp;usg=AFQjCNGOYZSjynqEzVDtIvWBVKAaR6wF2w">record fuel prices</a>, <a href="http://www.brookings.edu/testimony/2008/0424_airlines_winston.aspx">increased competition</a>, <a href="http://www.dallasnews.com/sharedcontent/dws/fea/travel/thisweek/stories/DN-airlines_22bus.ART0.State.Edition1.4d42bb7.html">price-elastic demand</a>, and a <a href="http://www.huffingtonpost.com/2008/05/20/airline-customer-satisfac_n_102586.html">volatile customer base</a>. If the administration forces the airlines to also fingerprint passengers, the additional infrastructure, storage, networking, and security costs would <a href="http://www.fcw.com/online/news/152835-1.html">kill IT budgets.</a> It could also cause the airlines that are close to the edge financially to either further pull back operations or perhaps file for bankruptcy.<br />
<br />
Besides the financial burden this would place on the airlines, another question that must be asked is: why? Why should the airlines collect and maintain biometric records of their passengers? The federal government already stops travelers at all ports of entry to check citizenship/visa status and to perform customs inspection. Why can't we just turn some of those booths around the other way? <br />
<br />
The DHS is already collecting fingerprints and taking pictures of people that visit the country. Why should the airlines duplicate the entire infrastructure costs that are associated with this program? The costs would include the purchase of fingerprint scanners, computer systems, programs, databases, and storage as well as an interface into the federal government system. The cost for putting these systems into each international airport will be huge, and will have to be duplicated by each airline.<br />
<br />
This is the ultimate "pass the buck" program. The Bush administration and the DHS shouldn't place this undue burden on the airlines who will, in turn, pass the costs onto the consumer... that is, if the airline stays in business and continues to fly internationally.<br />
<br />
<b>Reference Links:</b><br />
<a href="http://www.fcw.com/online/news/152938-1.html">http://www.fcw.com/online/news/152938-1.html</a><br />
<a href="http://www.dhs.gov/xtrvlsec/programs/editorial_0525.shtm">http://www.dhs.gov/xtrvlsec/programs/editorial_0525.shtm</a><br />
<a href="http://en.wikipedia.org/wiki/US-VISIT_%28United_States_Visitor_and_Immigrant_Status_Indicator_Technology%29">http://en.wikipedia.org/wiki/US-VISIT_(United_States_Visitor_and_Immigrant_Status_Indicator_Technology)</a><br />
<a href="http://www.smartbrief.com/news/gtg/storyDetails.jsp?issueid=A917B6BE-4A3A-4AA2-8BA1-CC8DD722D6AB&amp;copyid=3082D538-D0AE-403E-973B-C434F4C20BA3">http://www.smartbrief.com/news/gtg/storyDetails.jsp?issueid=A917B6BE-4A3A-4AA2-8BA1-CC8DD722D6AB&amp;copyid=3082D538-D0AE-403E-973B-C434F4C20BA3</a><br />
<a href="http://federaltimes.com/index.php?S=3597239">http://federaltimes.com/index.php?S=3597239</a><br />
<a href="http://www.isn.ethz.ch/news/sw/details.cfm?ID=19140">http://www.isn.ethz.ch/news/sw/details.cfm?ID=19140</a><br />
<a href="http://biometrics.gov/">http://biometrics.gov/</a><br />
Dan Glass