<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: basics]]></title>
    <link>http://securityratty.com/tag/basics</link>
    <description></description>
    <pubDate>Mon, 26 May 2008 16:12:12 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[SQL Server stored procedures tutorial: Write, tune and get examples]]></title>
      <link>http://securityratty.com/article/c6275e1abef3de0c91ba238e4bad3e54</link>
      <guid>http://securityratty.com/article/c6275e1abef3de0c91ba238e4bad3e54</guid>
      <description><![CDATA[This SQL Server stored procedures tutorial covers three areas for simplifying database development. A stored procedure, sometimes called the work horse of the database, also provides an important...]]></description>
      <content:encoded><![CDATA[This SQL Server stored procedures tutorial covers three areas for simplifying database development. A stored procedure, sometimes called the work horse of the database, also provides an important layer of security between the user interface and database. But the process of grouping T-SQL statements to create stored procedures can be complex. In our tutorial, learn the basics for writing stored procedures followed by methods for tuning them, and, finally, browse our collection of stored procedure examples &ndash; for checking database and log file sizes and monitoring long-running jobs and much more.]]></content:encoded>
      <pubDate>Tue, 22 Jul 2008 09:09:46 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tutorial">tutorial</category>
      <category domain="http://securityratty.com/tag/procedures">procedures</category>
      <category domain="http://securityratty.com/tag/procedures tutorial covers">procedures tutorial covers</category>
      <category domain="http://securityratty.com/tag/database development">database development</category>
      <category domain="http://securityratty.com/tag/database">database</category>
      <category domain="http://securityratty.com/tag/sql server">sql server</category>
      <category domain="http://securityratty.com/tag/procedure examples">procedure examples</category>
      <category domain="http://securityratty.com/tag/procedure">procedure</category>
      <category domain="http://securityratty.com/tag/log file">log file</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/342737209/0,295582,sid87_gci1247499,00.html">SQL Server stored procedures tutorial: Write, tune and get examples</source>
    </item>
    <item>
      <title><![CDATA[Are Stolen Credit Card Details Getting Cheaper?]]></title>
      <link>http://securityratty.com/article/a67e13e215d163e122340bffab059502</link>
      <guid>http://securityratty.com/article/a67e13e215d163e122340bffab059502</guid>
      <description><![CDATA[What is shaping the prices of stolen credit card details? The investments the cybercriminals or real life scammers ( through credit card cloning or ATM skimming ) put into the process of obtaining the...]]></description>
      <content:encoded><![CDATA[<a href="http://bp3.blogger.com/_wICHhTiQmrA/SHzyYjwnXTI/AAAAAAAAB6c/9rHV8A0Ggz4/s1600-h/ccz.JPG" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp3.blogger.com/_wICHhTiQmrA/SHzyYjwnXTI/AAAAAAAAB6c/WQG5_Cal0xY/s200-R/ccz.JPG" style="border: 0pt none ;" /></a>What is shaping the prices of stolen credit card details? The investments the cybercriminals or real-life scammers (through <a href="http://ddanchev.blogspot.com/2007/02/credit-card-data-cloning-tactic.html">credit card cloning</a> or <a href="http://www.snopes.com/fraud/atm/atmcamera.asp">ATM skimming</a>) put into the process of obtaining the details, or can we even talk about investments being made where an experienced scammer has just purchased 1GB of raw credit card data from a novice botnet master who isn't really aware of the actual value of his "botnet output"?<br />
<br />
It depends on which economic theory you believe in, or whether or not you'll take the "bottom-up approach" or the "top-down" one. And since I'm not aware of the existence of "the invisible hand of the underground market" and centralized power to increase the supply or decrease it to boost prices for the stolen credit card details, also indicating the existence of underground cartels putting everyone in a "price taker" position.<br />
<br />
The basics of demand and supply for anything underground will always apply unless of course, the more they want, the cheaper it gets; the less they want, the higher the price on a per-credit-card basis gets, since the investment on behalf of the malicious party that originally stole them is virtually the same, and he can theoretically break even in every single case since the credit card details were obtained efficiently. It's up to the seller to follow or entirely ignore economic behavior, and do what they feel like doing with this good, which must on the other hand reach its market liquidity as soon as possible, else it becomes obsolete. The current market model can be further explained as a good example of competitive equilibrium:<br />
<br />
"<i>Competitive market equilibrium is the traditional concept of economic equilibrium, appropriate for the analysis of commodity markets with flexible prices and many traders, and serving as the benchmark of efficiency in economic analysis. <b>It relies crucially on the assumption of a competitive environment where each trader decides upon a quantity that is so small compared to the total quantity traded in the market that their individual transactions have no influence on the prices.</b></i>"<br />
<br />
This can be easily explained in a single sentence - it's a mess and every participant is doing whatever they want to, so generalizing on the prices charged for stolen credit card numbers would be unrealistic, since it's the price of a single seller with no real impact on the "average" market price for the same good. As for the average market price itself, it would be hard to measure, depending on the quality of the sample you want to rely on, since this is a type of market where sellers don't have to report price changes in their goods for the purpose of statistical research.<br />
<br />
<a href="http://www.finjan.com/Content.aspx?id=827#SecurityTrendsReport">A recently released report by Finjan</a>, with whom I've been on the same page on several high-profile incidents so far, <a href="http://news.yahoo.com/s/nm/20080715/wr_nm/cybercrime_finjan_dc">touches this very same topic</a>:<br />
<br />
"<i>Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming "commoditized" - account details with PIN codes that once fetched $100 or more each might now go for $10 or $20. In its latest quarterly survey of Web trends, the California-based company said cybercrime had evolved into "a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world."</i>"<br />
<br />
Excluding the presence of <a href="http://ddanchev.blogspot.com/2008/06/price-discrimination-in-market-for.html">price discrimination</a> for a while, as well as open-topic offers along the lines of "how much for X amount of Y?" answered with "how much are you willing to pay?", it's all a matter of the seller in a particular situation.<br />
<br />
Furthermore, in a real-life market there's always the scarcity problem; however, in the underground market there's no shortage of resources despite the ever-growing wants of the buyers. Generalizing even more, take for instance the butterfly effect of a price change in petrol, the result of which is an inevitable increase of prices in every single aspect of your life; but in the underground market, mostly due to the malicious economies of scale achieved, a price increase in renting a botnet would have no effect on the prices charged for the stolen credit card details obtained through the infected hosts. How come? Basically, the price and resources for malware infection are prone to decrease, if we take a malware-infected host as a static foundation for the basis of any upcoming cybercrime activities using it.<br />
<br />
Perhaps the most disturbing part is that the market for stolen credit card details is so mature, and its entry barriers so low these days, that the confidential data that cannot be efficiently obtained through real-life means like credit card cloning or ATM skimming on a large scale, is now purchased online for the purpose of abusing it in real life by <a href="http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html">embedding the valid information into plastic cards</a>.]]></content:encoded>
      <pubDate>Tue, 15 Jul 2008 11:36:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/price">price</category>
      <category domain="http://securityratty.com/tag/average market price">average market price</category>
      <category domain="http://securityratty.com/tag/market price">market price</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <category domain="http://securityratty.com/tag/credit card details">credit card details</category>
      <category domain="http://securityratty.com/tag/details">details</category>
      <category domain="http://securityratty.com/tag/market">market</category>
      <category domain="http://securityratty.com/tag/competitive market equilibrium">competitive market equilibrium</category>
      <category domain="http://securityratty.com/tag/credit card basis">credit card basis</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/336435935/are-stolen-credit-card-details-getting.html">Are Stolen Credit Card Details Getting Cheaper?</source>
    </item>
    <item>
      <title><![CDATA[What makes a WAN different from a LAN and MAN?]]></title>
      <link>http://securityratty.com/article/077ec6fc54d1c788dcca44ee92bc144c</link>
      <guid>http://securityratty.com/article/077ec6fc54d1c788dcca44ee92bc144c</guid>
      <description><![CDATA[Learn the basics of networking in this expert explanation of the differences between WANs, LANs and MANs -- how they connect and which protocols they...]]></description>
      <content:encoded><![CDATA[Learn the basics of networking in this expert explanation of the differences between WANs, LANs and MANs -- how they connect and which protocols they use.]]></content:encoded>
      <pubDate>Wed, 09 Jul 2008 10:02:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/expert explanation">expert explanation</category>
      <category domain="http://securityratty.com/tag/basics">basics</category>
      <category domain="http://securityratty.com/tag/lans">lans</category>
      <category domain="http://securityratty.com/tag/mans">mans</category>
      <category domain="http://securityratty.com/tag/differences">differences</category>
      <category domain="http://securityratty.com/tag/wans">wans</category>
      <category domain="http://securityratty.com/tag/protocols">protocols</category>
      <category domain="http://securityratty.com/tag/connect">connect</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/330990091/0,289625,sid7_gci1320569,00.html">What makes a WAN different from a LAN and MAN?</source>
    </item>
    <item>
      <title><![CDATA[PCI DSS compliance: The basics]]></title>
      <link>http://securityratty.com/article/cd506af672e0144648c6be711a3827f2</link>
      <guid>http://securityratty.com/article/cd506af672e0144648c6be711a3827f2</guid>
      <description><![CDATA[PCI DSS requires merchants to employ basic application security techniques in order to be in compliance. Here is an overview of PCI DSS and requirement...]]></description>
      <content:encoded><![CDATA[PCI DSS requires merchants to employ basic application security techniques in order to be in compliance. Here is an overview of PCI DSS and requirement 6.6.]]></content:encoded>
      <pubDate>Thu, 03 Jul 2008 07:08:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pci dss">pci dss</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/overview">overview</category>
      <category domain="http://securityratty.com/tag/requirement">requirement</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/325870351/0,295582,sid92_gci1319924,00.html">PCI DSS compliance: The basics</source>
    </item>
    <item>
      <title><![CDATA[Security risk analysis basics for solution providers]]></title>
      <link>http://securityratty.com/article/318fdde7f8878dc2ae333d1f69787e91</link>
      <guid>http://securityratty.com/article/318fdde7f8878dc2ae333d1f69787e91</guid>
      <description><![CDATA[It can be a challenge for most businesses to objectively assess their own security posture. Solution providers who can perform a security risk analysis provide a valuable service to these clients by...]]></description>
      <content:encoded><![CDATA[It can be a challenge for most businesses to objectively assess their own security posture. Solution providers who can perform a security risk analysis provide a valuable service to these clients by recommending how to improve upon current security strategy based on threat and risk. This first installment of our Hot Spot Tutorial on security risk analysis services introduces solution providers to the concepts of a security risk analysis.]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 07:16:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security risk analysis">security risk analysis</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/solution providers">solution providers</category>
      <category domain="http://securityratty.com/tag/hot spot tutorial">hot spot tutorial</category>
      <category domain="http://securityratty.com/tag/objectively assess">objectively assess</category>
      <category domain="http://securityratty.com/tag/security posture">security posture</category>
      <category domain="http://securityratty.com/tag/valuable service">valuable service</category>
      <category domain="http://securityratty.com/tag/threat">threat</category>
      <category domain="http://securityratty.com/tag/improve">improve</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/320615202/0,295582,sid97_gci1317668,00.html">Security risk analysis basics for solution providers</source>
    </item>
    <item>
      <title><![CDATA[Security Briefing: June 5th]]></title>
      <link>http://securityratty.com/article/19e2a1dfaf8f3a7c30c534d4d97e732f</link>
      <guid>http://securityratty.com/article/19e2a1dfaf8f3a7c30c534d4d97e732f</guid>
      <description><![CDATA[Damn these infernal mornings
Click here to subscribe to Liquidmatrix Security Digest
And now, the news
1st Source Bank replacing debit cards after security breach | Network World
Microsoft Warns Of...]]></description>
      <content:encoded><![CDATA[<p><center><img src='http://www.liquidmatrix.org/blog/wp-content/uploads/2007/09/newspapera.jpg' alt='newspapera.jpg' /></center></p>
<p>Damn these infernal mornings. </p>
<p>Click here to <a href="http://feeds.feedburner.com/Liquidmatrix">subscribe to Liquidmatrix Security Digest!</a></p>
<p>And now, the news&#8230;</p>
<ol>
<li><a href="http://www.chicagotribune.com/news/chi-ap-in-cardsreplaced,0,5696053.story">1st Source Bank replacing debit cards after security breach</a> | Network World</li>
<li><a href="http://www.crn.com/security/208402156">Microsoft Warns Of Bug In Apple&#8217;s Safari</a> | CRN</li>
<li><a href="http://www.toptechnews.com/story.xhtml?story_id=011000ZAX6Z8">Going Back to Basics To Fight Botnets</a> | Top Tech News</li>
<li><a href="http://www.channelregister.co.uk/2008/06/04/printing_security_risks/">EU security agency warns over insecure printing</a> | The Register</li>
<li><a href="http://timesunion.com/AspStories/story.asp?storyID=693621&#038;category=BUSINESS&amp;newsdate=6/5/2008">Information at thieves&#8217; fingertips</a> | Times Union</li>
<li><a href="http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=208402153">McAfee Names The Most Dangerous Domains</a> | Information Week</li>
<li><a href="http://searchstorage.bitpipe.com/detail/RES/1212083059_969.html">IBM Complimentary Security Health Scan</a> | Bitpipe</li>
<li><a href="http://www.thestar.com/News/GTA/article/437153">&#8216;Hacker&#8217; left child porn images on computer, lawyer insists</a> | The Toronto Star</li>
</ol>
<p> Tags: <a href="http://technorati.com/tag/News" rel="tag">News</a>, <a href="http://technorati.com/tag/Daily+Links" rel="tag"> Daily Links</a>, <a href="http://technorati.com/tag/Security+Blog" rel="tag"> Security Blog</a>, <a href="http://technorati.com/tag/Information+Security" rel="tag"> Information Security</a>, <a href="http://technorati.com/tag/Security+News" rel="tag"> Security News</a></p>

]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 06:48:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/top tech news">top tech news</category>
      <category domain="http://securityratty.com/tag/news">news</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/security news">security news</category>
      <category domain="http://securityratty.com/tag/information week">information week</category>
      <category domain="http://securityratty.com/tag/child porn images">child porn images</category>
      <category domain="http://securityratty.com/tag/1st source bank">1st source bank</category>
      <category domain="http://securityratty.com/tag/security agency warns">security agency warns</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/305237611/">Security Briefing: June 5th</source>
    </item>
    <item>
      <title><![CDATA[Wireless LANs -- 'CCNA Official Exam Certification Library, Third Edition,' Chapter 11]]></title>
      <link>http://securityratty.com/article/fe7eabc85ad91c9bf60538ae3bb8c05f</link>
      <guid>http://securityratty.com/article/fe7eabc85ad91c9bf60538ae3bb8c05f</guid>
      <description><![CDATA[This chapter examines the basics of WLANs to help you prepare for the CCNA exam. In particular, the first section introduces the concepts, protocols, and standards used by many of the most common WLAN...]]></description>
      <content:encoded><![CDATA[This chapter examines the basics of WLANs to help you prepare for the CCNA exam. In particular, the first section introduces the concepts, protocols, and standards used by many of the most common WLAN installations today. The chapter then examines some basic installation steps. The last major section looks at WLAN security, which is particularly important because the WLAN signals are much more susceptible to being intercepted by an attacker than Ethernet LANs. The chapter also includes a helpful "do I know this already" quiz, to determine whether you need to read the full chapter or can move ahead to the exam preparation section.]]></content:encoded>
      <pubDate>Thu, 29 May 2008 14:06:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chapter">chapter</category>
      <category domain="http://securityratty.com/tag/chapter examines">chapter examines</category>
      <category domain="http://securityratty.com/tag/examines">examines</category>
      <category domain="http://securityratty.com/tag/basic installation steps">basic installation steps</category>
      <category domain="http://securityratty.com/tag/exam preparation section">exam preparation section</category>
      <category domain="http://securityratty.com/tag/common wlan installations">common wlan installations</category>
      <category domain="http://securityratty.com/tag/move ahead">move ahead</category>
      <category domain="http://securityratty.com/tag/major section">major section</category>
      <category domain="http://securityratty.com/tag/section introduces">section introduces</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/300828793/0,295582,sid7_gci1315522,00.html">Wireless LANs -- 'CCNA Official Exam Certification Library, Third Edition,' Chapter 11</source>
    </item>
    <item>
      <title><![CDATA[SDL Training]]></title>
      <link>http://securityratty.com/article/36095f95c3adf54cf7cabefc378acfcb</link>
      <guid>http://securityratty.com/article/36095f95c3adf54cf7cabefc378acfcb</guid>
      <description><![CDATA[Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales...]]></description>
      <content:encoded><![CDATA[<p>Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsoft’s SDL process reflects that reality. The process is structured so that you really do have to look at each piece before you can sign off. But sometimes when others want to emulate the success of the SDL, they want to skip steps. They try to boil the SDL down into its component parts, like training, or tooling, or security response. Maybe the most common form of that mistake is training, but you see that same thinking applied to code scanning, security response, and just about every phase of the SDL. “<i>Let’s just train everyone, and all our security problems will go away</i>.” If only it were so easy. I’d like to take a few minutes to try to explain why it’s not really that easy from my own experience.</p>
<p>Have you ever sat in a corporate training? Some are good, some are bad, but did you ever say, “man, I can’t <i>wait</i> for training today”? What about mandatory training? What about mandatory training in a subject that you really don’t think is your area? What if you had to do it every year, and got harassed if you didn’t do it? What if you were, say, an audio engineer and were dragged into a security class?</p>
<p>I ran the SDL training program at Microsoft for a long time, and developed and taught a big chunk of the training. I spent hundreds of hours in front of thousands of developers, testers, and program managers. I got some really good reviews (and a few bad ones) on the classes I offered. And I tried to do a lot of things to try to make the trainings interesting. I handed out dozens of fresh peaches in an early class on fuzz testing, for example. The room smelled really nice after that, and there are probably still a few people around Microsoft who think of fuzz testing when they see a peach.</p>
<p>But even on my best day, I was under no illusion that the majority of the audience was excited to be there, and I was certain that they weren’t going to go back to their offices and spend weeks applying the lessons from the class, setting aside <i>other</i> things that are causing present and immediate problems in favor of something that is far off into the future.</p>
<p>You have to work at getting people’s attention – especially as it relates to security and privacy. From time to time, I would see people reading their mail in class, and I would point to them and ask them a question. That did not endear me to the audience as much as the peaches, but embarrassment is always fresh and in season. :)</p>
<p>One student wrote of one of my classes, “<i>the basics for secure design - could be replaced by non-anonymous site-wide exam with open material.</i>” He was not alone, I assure you.</p>
<p>Is that an indication that our training, or any training, is pointless? Hardly, but training alone is not a change agent.</p>
<p>Richard Derwent Cooke <a href="http://www.changingminds.org/articles/articles08/you_get_the_results_you_reward.htm">wrote</a>, <i>“It is a first principle of Change Management that people will act in what they perceive as being their best interests.”</i></p>
<p>At best, training can provide people with insight into what they need to do to solve a security problem <i>if they believe that solving that security problem is in their best interests.</i></p>
<p>To be effective, training needs to happen in an environment:</p>
<ul>
<li>Where expectations are clearly set (the SDL sets specific minimum requirements).</li>
<li>People have appropriate incentives and consequences (security is a great career path at Microsoft, and nobody wants to be the one holding up a ship schedule for failure to meet a security requirement).</li>
<li>Where tools and resources to accomplish the goals are available (we build a whole variety of tools that map to the SDL requirements).</li>
<li>Where management models the behavior (recall the original BillG TWC memo).</li>
<li>Where the environment reflects and supports the values presented in the training (apparent in everything Microsoft does).</li>
</ul>
<p>Don’t make the mistake of thinking that a bunch of training, even really high quality training done periodically, will result in actual behavior change. It won’t. You have to build an environment where people perceive solving security problems as being in their best interests. You have to make security <i>their</i> problem – not in the sense of passing the buck, but in the sense of changing their behavior so they will bring security problems to you.</p>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>To illustrate further, I’ll cite two examples. First, fuzz testing. Fuzz testing has been a success story here at Microsoft. Tools arise spontaneously to solve new fuzzing challenges, written by people who believe the challenges are their challenges. There are people who feel ownership for our fuzzing strategy and on-going research and science, there are specific goals and requirements, we have training (remember the peaches?), and internally developed fuzzers have won prestigious awards within the company, handed out by members of the executive staff, and all of this gets revisited periodically as part of the SDL. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT size=3><FONT face=Calibri><SPAN style="mso-spacerun: yes">&nbsp;</SPAN>By contrast, I’ll choose a less successful area – defect estimation. On my own volition, I created (based mostly on some excellent material from Microsoft Research) and taught a class called “Defect Estimation and Management” and added it to the SDL curriculum. Microsoft is a great place to work in that regard. It was pretty close to the best-reviewed class I taught. But, we have not yet been able to establish a set of tools to estimate security defect density effectively, and establish a fair set of expectations, incentives, and consequences, or even<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>decide what we should do if we had the data. We discovered some things, though. For example, based on what I observed (which should not be construed as rigorous research), it does not appear as if the density of general defects correlates closely with the density of security defects. <SPAN style="mso-spacerun: yes">&nbsp;</SPAN>And Microsoft Research found higher code coverage in testing correlates with <I style="mso-bidi-font-style: normal">higher </I>bug rates in the field. </FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT size=3><FONT face=Calibri>And so even though people like the idea of defect estimation, and we’ve got some interesting and surprising data, we’ve not yet been successful in changing people’s behavior. <SPAN style="mso-spacerun: yes">&nbsp;</SPAN>Generally speaking, an individual test manager does not feel that establishing a high quality estimate of their defect density is in his or her best interests, as compared to, say, improving the time in which an established series of tests can be performed . <SPAN style="mso-spacerun: yes">&nbsp;</SPAN><SPAN class=msoIns><INS cite=mailto:Kristen%20Kish dateTime=2008-05-28T10:53><o:p></o:p></INS></SPAN></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>We need to build an environment that has the tools, training, rewards and incentives, and expectations and consequences to change people’s behavior. Not that we’re not trying. But training won’t solve it alone, nor would tools, trophies, rants, testing, code review, or some edict from on high. The SDL is as much about changing the culture and influencing the behavior of individual engineers as it is anything else. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>I’m convinced that Microsoft’s SDL process works because it addresses the end-to-end problem - from training through servicing, and provides a complete environment where people feel ownership of their part of the security problem and have the resources to solve it. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT size=3><FONT face=Calibri>So the next time you find yourself sitting in some mandatory training, remember the lessons of the SDL (and most of the research on human performance management): training alone won’t cut it. If you want real behavior change, there have to be things outside the lecture room to influence people to change their behavior.</FONT></FONT></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8558916" width="1" height="1">]]></content:encoded>
      <pubDate>Thu, 29 May 2008 11:22:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/real behavior change">real behavior change</category>
      <category domain="http://securityratty.com/tag/behavior">behavior</category>
      <category domain="http://securityratty.com/tag/sdl">sdl</category>
      <category domain="http://securityratty.com/tag/change peoples behavior">change peoples behavior</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security guy">security guy</category>
      <category domain="http://securityratty.com/tag/security defects">security defects</category>
      <category domain="http://securityratty.com/tag/defects">defects</category>
      <category domain="http://securityratty.com/tag/security class">security class</category>
      <source url="http://blogs.msdn.com/sdl/archive/2008/05/29/sdl-training.aspx">SDL Training</source>
    </item>
    <item>
      <title><![CDATA[Storage area network basics every SQL Server DBA must know]]></title>
      <link>http://securityratty.com/article/6746bef922397f7fd90f42593714dbde</link>
      <guid>http://securityratty.com/article/6746bef922397f7fd90f42593714dbde</guid>
      <description><![CDATA[Storage area networks mean better management and improved performance for your SQL Server environment but only if people in charge understand them. In this tip, SQL Server expert Denny Cherry explains...]]></description>
      <content:encoded><![CDATA[Storage area networks mean better management and improved performance for your SQL Server environment &ndash; but only if people in charge understand them. In this tip, SQL Server expert Denny Cherry explains concepts such as the importance of selecting your RAID level and storage tiers and he also disproves the myth that SANs are 'magical devices.']]></content:encoded>
      <pubDate>Thu, 29 May 2008 07:38:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/storage">storage</category>
      <category domain="http://securityratty.com/tag/sql server environment">sql server environment</category>
      <category domain="http://securityratty.com/tag/storage tiers">storage tiers</category>
      <category domain="http://securityratty.com/tag/magical devices">magical devices</category>
      <category domain="http://securityratty.com/tag/raid level">raid level</category>
      <category domain="http://securityratty.com/tag/myth">myth</category>
      <category domain="http://securityratty.com/tag/importance">importance</category>
      <category domain="http://securityratty.com/tag/sans">sans</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <source url="http://feeds.feedburner.com/~r/WhatisEnterpriseItTipsAndExpertAdvice/~3/300632640/0,289483,sid87_gci1315434,00.html">Storage area network basics every SQL Server DBA must know</source>
    </item>
    <item>
      <title><![CDATA[Physicians and medics]]></title>
      <link>http://securityratty.com/article/7adb13787fc49d900aec6992f29eedc8</link>
      <guid>http://securityratty.com/article/7adb13787fc49d900aec6992f29eedc8</guid>
      <description><![CDATA[My thanks to Mike Rothman who last week gave me credit for fighting the good fight. I'd like to think he's right; it has been a bit of a struggle over the years, I'd like to think I'm winning (or at...]]></description>
      <content:encoded><![CDATA[<p>My thanks to Mike Rothman who last week gave me credit for “<a href="http://securityincite.com/blog/mike-rothman/the-daily-incite-may-20-2008">fighting the good fight</a>”.  I’d like to think he’s right — it has been a bit of a struggle over the years, I’d like to think I’m winning (or at least managing a draw) as I continue the struggle, and I’d like to think it’s worthwhile.  Mike does seem to continue to question the pragmatism of my approach though, which is what this post is about.</p>
<p>Don’t get me wrong.  I greatly admire the work Mike does and wish he and his book had been around when I started out as a CISO.  It would have saved me significant pain and suffering.  On the other hand, if I’d had Mike’s P-CSO I might have become complacent and ended up believing that’s all there was to being a CISO.  Not that I think Mike is advocating complacency — he’s not.  I also don’t think he discounts risk analysis concepts.  He’s simply focused on helping that component of our profession who’s just getting started or who faces other practical constraints in dealing with our very complex problem space.  His is a necessary and highly valuable contribution, and he provides it in an entertaining way that’s too rare.</p>
<p>Let me set this discussion in a medical analogy context.  If I was in the middle of nowhere or didn’t have the resources for a physician, then a medic who’s skilled in lifesaving basics would do just fine.  However, if the situation called for a deeper understanding of the complex, sometimes subtle health considerations, then I’d prefer a physician.  Someone who <strong>didn’t</strong> say: “<em>Boy, this anatomy and physiology stuff is complicated.  I’m just going to stick with</em> ‘<em><a href="http://kids.niehs.nih.gov/lyrics/bones.htm">The hip bone is connected to the back bone…</a></em>’”   My physician may, of course, choose to follow a pragmatic, commonly-used course of treatment, but they’d be able to do so with a deeper understanding of the problem space, greater (but not perfect) certainty that the course of treatment would work, and a better ability to explain to me, the patient, why I had to swallow this bitter pill, undergo the knife, or have this long tube snaked into one of my orifices.</p>
<p>Yes, I realize that physicians sometimes get it wrong, sometimes get wrapped up in fancy and even unnecessary procedures, and can drive up costs.  That’s just as true as what can happen at the other end of the spectrum — the shaman who operates entirely by superstition, faith, FUD, and intuition.  The point is, there’s absolutely a need for both medics and physicians (and levels in between).  We, as professionals, can choose where we want to be within that continuum.  With this in mind, a few things to consider are:</p>
<ul>
<li>In the heat of battle, when resources are limited, or when it just makes sense, physicians always have the option of behaving as medics and sticking with the bare essentials (the reverse isn’t true).  In fact, the best physicians I’ve encountered are pragmatic in their approach but have the deeper knowledge to leverage when need arises</li>
<li>Medics might effectively deal with 80+% of our problems, but that remaining ~20% can be critical </li>
<li>A person can start out as a medic and then become a physician later, as need and resources dictate  </li>
<li>Physicians tend to be paid more</li>
</ul>
<p>Bottom line — knowledge and understanding are never a bad thing, but it requires extra effort to acquire them.  And, as Mike points out, the simple approach is often good enough and may be all we can hope for given our individual circumstances.  For myself though, I prefer a deeper understanding of our complex problem space.  I want to be able to answer the hard questions about why and how.  But that’s just me.</p>
<p>BTW - I was amused at Mike’s characterization of risk analysis as Black Magic, as this phrase would also have been used in the past to describe medical and scientific concepts/practices we take for granted today.</p>
]]></content:encoded>
      <pubDate>Mon, 26 May 2008 16:12:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/physicians">physicians</category>
      <category domain="http://securityratty.com/tag/medics">medics</category>
      <category domain="http://securityratty.com/tag/mike">mike</category>
      <category domain="http://securityratty.com/tag/mike rothman">mike rothman</category>
      <category domain="http://securityratty.com/tag/deeper knowledge">deeper knowledge</category>
      <category domain="http://securityratty.com/tag/deeper">deeper</category>
      <category domain="http://securityratty.com/tag/simple approach">simple approach</category>
      <category domain="http://securityratty.com/tag/approach">approach</category>
      <category domain="http://securityratty.com/tag/physician">physician</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=360">Physicians and medics</source>
    </item>
  </channel>
</rss>
