<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: club]]></title>
    <link>http://securityratty.com/tag/club</link>
    <description></description>
    <pubDate>Mon, 23 Jun 2008 11:21:46 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Hype Alert: Internet Shopping Carts Are Secure]]></title>
      <link>http://securityratty.com/article/6f0706e64d78d354492017803497a079</link>
      <guid>http://securityratty.com/article/6f0706e64d78d354492017803497a079</guid>
      <description><![CDATA[My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure
OMG...really
To be fair, I realize the author is speaking from the...]]></description>
      <content:encoded><![CDATA[My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled <a href="http://hubpages.com/hub/Internet-Shopping-Carts-Are-Secure" target="_blank">Internet Shopping Carts are Secure</a>. <br />OMG...really?<br />To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:<br /><span style="font-style:italic;">"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."</span><br />This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" target="_blank">PCI</a> standards.<br />Allow me to elaborate.<br />We'll kick off our hype-eliminating effort with a simple Google dork: <a href="http://www.google.com/search?hl=en&q=inurl%3A%22cart.cfm%22&btnG=Search" target="_blank">inurl:"cart.cfm"</a> (picking on ColdFusion again, but man, they make it easy)<br /><a href="http://www.gmpartsdirect.com/cart.cfm" target="_blank">GM Parts Direct: Your Shopping Cart</a> jumped right out at me for a number of reasons.<br />First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound <a href="http://www.ringelkater.de/Sounds/2geraeusche_gegenst/geigerzaehler.wav" target="_blank">effect</a> for edification. 
:-)<br />Second, the page contained one of the growing number of aforementioned conversion-driving website <a href="http://sealserver.trustwave.com/cert.php?customerId=w6ordzctHpqOVGcB1cmBsViTpDGC2k&size=105x54&style=normal&language=en" target="_blank">security</a> seals. <br /><br /><a href="http://3.bp.blogspot.com/_kVOWaY1TAF0/SN1tYvapkkI/AAAAAAAAADg/6k1ncKqufL4/s1600-h/GMparts.png" target="_blank"><img style="cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_kVOWaY1TAF0/SN1tYvapkkI/AAAAAAAAADg/6k1ncKqufL4/s320/GMparts.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5250473012396397122" /></a><br /><br />Tick, tick, click...the Geiger counter is getting louder. <br />Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."<br />Methinks that <a href="https://www.trustwave.com/" target="_blank">Trustwave's</a> Trusted Commerce program is missing a few fundamental security checks. 
Remember, according to the <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" target="_blank">PCI DSS</a>, a PCI-regulated site that is vulnerable to XSS is not compliant (see section 6.5.4).<br />Uh-oh.<br /><a href="http://2.bp.blogspot.com/_kVOWaY1TAF0/SN1wVI4q8FI/AAAAAAAAADo/ZzFA7u8xNCA/s1600-h/GMparts_xss_trustwave.png" target="_blank"><img style="cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_kVOWaY1TAF0/SN1wVI4q8FI/AAAAAAAAADo/ZzFA7u8xNCA/s320/GMparts_xss_trustwave.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5250476249048608850" /></a><br />All it takes is a fake login page, as opposed to our friends at <a href="http://xssed.com/" target="_blank">XSSED.com</a>, and...well, you get the point.<br />Simply put, this is one of an endless number of shopping carts that are neither secure nor PCI compliant. For shame. You need only browse the <a href="http://holisticinfosec.org/content/category/6/23/45/" target="_blank">Holisticinfosec.org Advisories</a> page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the <a href="http://secunia.com/advisories/search/?search=shopping+cart" target="_blank">problem</a>.<br />ecommerce<>security<br />ecommerce<><a href="http://msdn.microsoft.com/en-us/library/ms995349.aspx" target="_blank">SDL</a><br />ecommerce<>PCI<br />website security seal<>security<br />Sigh.]]></content:encoded>
      <pubDate>Fri, 26 Sep 2008 11:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ecommerce">ecommerce</category>
      <category domain="http://securityratty.com/tag/multiple ecommerce platforms">multiple ecommerce platforms</category>
      <category domain="http://securityratty.com/tag/ecommerce sdl">ecommerce sdl</category>
      <category domain="http://securityratty.com/tag/ecommerce perspective">ecommerce perspective</category>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/pci dss">pci dss</category>
      <category domain="http://securityratty.com/tag/cart solutions">cart solutions</category>
      <category domain="http://securityratty.com/tag/cart">cart</category>
      <category domain="http://securityratty.com/tag/ecommerce security">ecommerce security</category>
      <source url="http://holisticinfosec.blogspot.com/2008/09/hype-alert-internet-shopping-carts-are.html">Hype Alert: Internet Shopping Carts Are Secure</source>
    </item>
    <item>
      <title><![CDATA[Supper Club Cancelled]]></title>
      <link>http://securityratty.com/article/64e43dd60cf197d052a45c74261cfc21</link>
      <guid>http://securityratty.com/article/64e43dd60cf197d052a45c74261cfc21</guid>
      <description><![CDATA[General illness and people working from home expecting the tube strike to go ahead. We'll schedule another for after the holiday season (end of...]]></description>
      <content:encoded><![CDATA[General illness and people working from home expecting the tube strike to go ahead. We'll schedule another for after the holiday season (end of September).
       ]]></content:encoded>
      <pubDate>Thu, 21 Aug 2008 03:54:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tube strike">tube strike</category>
      <category domain="http://securityratty.com/tag/holiday season">holiday season</category>
      <category domain="http://securityratty.com/tag/schedule">schedule</category>
      <category domain="http://securityratty.com/tag/ahead">ahead</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/illness">illness</category>
      <category domain="http://securityratty.com/tag/home">home</category>
      <category domain="http://securityratty.com/tag/september">september</category>
      <source url="http://securitybuddha.com/2008/08/21/supper-club-cancelled/">Supper Club Cancelled</source>
    </item>
    <item>
      <title><![CDATA[London Security Supper Club Update - Its Next Thursday not Friday !]]></title>
      <link>http://securityratty.com/article/3467fb25acafad355b254e2b2e18c29b</link>
      <guid>http://securityratty.com/article/3467fb25acafad355b254e2b2e18c29b</guid>
      <description><![CDATA[Doh! I goofed. It's next Thursday the 21st at Belgo Centraal in Covent Garden. Belgian beer, steak frites and security chat. We have limited seats so if you only think you may be able to make it or it's...]]></description>
      <content:encoded><![CDATA[Doh! I goofed. 
It&#8217;s next Thursday the 21st at Belgo Centraal in Covent Garden. Belgian beer, &#8220;steak frites&#8221; and security chat. We have limited seats, so if you only think you may be able to make it, or it&#8217;s &#8220;possible&#8221; you will pull out at the last minute, you can just turn up for beers. Probably [...]]]></content:encoded>
      <pubDate>Fri, 15 Aug 2008 04:33:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/steak frites">steak frites</category>
      <category domain="http://securityratty.com/tag/security chat">security chat</category>
      <category domain="http://securityratty.com/tag/thursday">thursday</category>
      <category domain="http://securityratty.com/tag/belgo centraal">belgo centraal</category>
      <category domain="http://securityratty.com/tag/belgian beer">belgian beer</category>
      <category domain="http://securityratty.com/tag/21st">21st</category>
      <category domain="http://securityratty.com/tag/doh">doh</category>
      <category domain="http://securityratty.com/tag/covent">covent</category>
      <category domain="http://securityratty.com/tag/minute">minute</category>
      <source url="http://securitybuddha.com/2008/08/15/london-security-supper-club-update-its-next-thursday-not-friday/">London Security Supper Club Update - Its Next Thursday not Friday !</source>
    </item>
    <item>
      <title><![CDATA[Security Supper Club Next Friday 22nd]]></title>
      <link>http://securityratty.com/article/4ce81d0aa6566e8a88ce425fc25552c4</link>
      <guid>http://securityratty.com/article/4ce81d0aa6566e8a88ce425fc25552c4</guid>
      <description><![CDATA[We are holding a security supper club next Friday at Belgo Centraal, Covent Garden. Belgian Beer, Steak Frites and security chat. It doesn't get better. Leave your cars at home and get the train. I...]]></description>
      <content:encoded><![CDATA[We are holding a security supper club next Friday at Belgo Centraal, Covent Garden. Belgian Beer, Steak Frites and security chat. It doesn&#8217;t get better. Leave your cars at home and get the train. I have a table for 10 reserved and 3 definites (Bob, Yeomans and me).&#160; 
If you want to join us mail [...]]]></content:encoded>
      <pubDate>Tue, 12 Aug 2008 07:59:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security supper club">security supper club</category>
      <category domain="http://securityratty.com/tag/belgo centraal">belgo centraal</category>
      <category domain="http://securityratty.com/tag/belgian beer">belgian beer</category>
      <category domain="http://securityratty.com/tag/friday">friday</category>
      <category domain="http://securityratty.com/tag/steak frites">steak frites</category>
      <category domain="http://securityratty.com/tag/security chat">security chat</category>
      <category domain="http://securityratty.com/tag/yeomans">yeomans</category>
      <category domain="http://securityratty.com/tag/table">table</category>
      <category domain="http://securityratty.com/tag/cars">cars</category>
      <source url="http://securitybuddha.com/2008/08/12/security-supper-club-next-friday-22nd/">Security Supper Club Next Friday 22nd</source>
    </item>
    <item>
      <title><![CDATA[Black Hat wrap up - secure@microsoft, booth babes and bloggers]]></title>
      <link>http://securityratty.com/article/bd7d7b3698d05a16a10cc4d0a21e2bfd</link>
      <guid>http://securityratty.com/article/bd7d7b3698d05a16a10cc4d0a21e2bfd</guid>
      <description><![CDATA[You can read plenty of other blogs about some of the great presentations at Black Hat. So I thought I would take another angle and talk about some of the other stuff that may be important to you
1....]]></description>
      <content:encoded><![CDATA[<p>You can read plenty of other blogs about some of the great presentations at Black Hat.  So I thought I would take another angle and talk about some of the other stuff that may be important to you.</p>  <p>1.  <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/Picture%20049.jpg"><img title="Picture 049" style="border-right: 0px; border-top: 0px; margin: 5px 10px 5px 0px; border-left: 0px; border-bottom: 0px" height="184" alt="Picture 049" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/Picture%20049_thumb.jpg" width="244" align="left" border="0"></img></a><a href="mailto:secure@microsoft.com"><font face="Courier New">secure@microsoft.com</font></a> – This year's hottest party was again the Microsoft party.  This year it was at the LAX club in the Luxor.  As usual there were quite a number of people at the door who thought they could talk their way in or, worse yet, were told they “were on the list”.  I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red eye flight home, so went right to the airport from the party.  As I wrote earlier, Microsoft is trying really hard on security.  But I couldn’t help but notice the irony of this grainy, lousy picture of the DJ booth at the party.  If you can, notice the computers that the <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> DJs are using. That’s right, they are Macs!</p>  <p>2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant?  Hey, I recognize it is Vegas and all, but EdgeOS went way over the line this year.  A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement.  I personally don’t like exploiting women to make that statement, but I understand.  
However, these guys had women who were dressed so raunchy and classless that I could not bring myself to post a picture of them.  Come on guys!  If you want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class.  These girls looked like street walkers and do you and your company no favors.  Is that really the image you want to promote?  Grow up!</p>  <p>3.  The Security Bloggers Network – We are back!  With the end of the Black Hat show, the SBN is going back to being the<a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/securitybloggers.gif"><img title="securitybloggers" style="margin: 5px 5px 5px 10px" height="147" alt="securitybloggers" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/securitybloggers_thumb.gif" width="112" align="right" border="0"></img></a> SBN.  The old logo is back and our promotion with Black Hat is at an end.  However, I want to personally thank so many of you SBN members who blogged about Black Hat.  The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community.  Our network delivered big time with them and they are already thinking about ways we can work together next year.  I will keep you all posted on that.</p>  <p>We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons.  Next time we will work with the network members more closely in doing these affiliations.  Also, for any show like this we need to have an official bloggers get-together.  Not because we don’t want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us.  Security bloggers are big time. We have a great community of people who get together. 
Let's make it better.</p>  <p>I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.</p>  <p>Anyway, another year of Black Hat is in the books. It was a good one and I can’t wait until next year!</p>
]]></content:encoded>
      <pubDate>Fri, 08 Aug 2008 10:46:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/booth">booth</category>
      <category domain="http://securityratty.com/tag/black hat">black hat</category>
      <category domain="http://securityratty.com/tag/booth babes">booth babes</category>
      <category domain="http://securityratty.com/tag/booth babe rant">booth babe rant</category>
      <category domain="http://securityratty.com/tag/black hat crowd">black hat crowd</category>
      <category domain="http://securityratty.com/tag/security bloggers network">security bloggers network</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/security bloggers">security bloggers</category>
      <category domain="http://securityratty.com/tag/booth babe">booth babe</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/359668026/black-hat-wrap.html">Black Hat wrap up - secure@microsoft, booth babes and bloggers</source>
    </item>
    <item>
      <title><![CDATA[When the shoe is on the other foot]]></title>
      <link>http://securityratty.com/article/70ffaafe90e77eabd152a83a018b3487</link>
      <guid>http://securityratty.com/article/70ffaafe90e77eabd152a83a018b3487</guid>
      <description><![CDATA[About to head over to morning sessions of Black Hat (OK, it started at 8am, but that is just an uncivil time for Las Vegas). Before I do, let me give you a quick recap of my first night on Black Hat....]]></description>
      <content:encoded><![CDATA[<p>About to head over to the morning sessions of Black Hat (OK, it started at 8am, but that is just an uncivil time for Las Vegas).  Before I do, let me give you a quick recap of my first night at Black Hat. I didn’t get in until 10pm and got to my hotel about 11.  Looked up a few security twits and saw that Mitchell Ashley, Martin McKeay, JJ and Ryan Russell were at the Cleopatra Barge at Caesars.  I headed over there and met up.  The night was on!</p>  <p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/pussycat-dolls-lounge.jpg"><img title="pussycat-dolls-lounge" style="border-right: 0px; border-top: 0px; margin: 5px 5px 5px 10px; border-left: 0px; border-bottom: 0px" height="192" alt="pussycat-dolls-lounge" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/pussycat-dolls-lounge_thumb.jpg" width="240" align="right" border="0"></img></a> We had a quick drink and then headed over to the club Pure, where Fortify was having a party.  Somehow or another JJ, Ryan and I got to the VIP entrance and were headed in.  Martin had to go upstairs and change out of his shorts.  Mitchell, that Colorado country bumpkin, was not allowed in because he was wearing sandals.  What to do?  Leave Mitchell outside, or all of us not go in? I went back to my old club hopping days for the answer. I went in with JJ.  Went to the bar, took off my shoes and gave them to JJ.  While I stood there in socks, she brought the shoes out to Mitchell, who put them on and got in the club.  Watching JJ sneak out the shoes and Mitchell walk in holding his sandals was pretty funny.   But it worked.  We got away from the Fortify party as it was way too crowded.  We found ourselves in my favorite part of Pure, the Pussycat Doll Lounge.  Five minutes later out came the Pussycats.  They put on a very hot show that had us all dancing and shouting.  
</p>  <p>After that we went to my usual late night spot at Black Hat, the Augustus cafe, for breakfast.  We met up with the Mogul and Hoff, who joined us.  By now it was like 2:30am Vegas time (5:30 east coast time) and it was time for bed.  I am staying at Paris, so had a nice walk, but they did give me a LeMans suite which is very nice.  I still get a little confused by rooms with bidets, but it is fun.</p>  <p>Well, off to Black Hat for some learning!</p>
]]></content:encoded>
      <pubDate>Wed, 06 Aug 2008 06:16:46 +0000</pubDate>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/uncivil time">uncivil time</category>
      <category domain="http://securityratty.com/tag/black hat">black hat</category>
      <category domain="http://securityratty.com/tag/mitchell">mitchell</category>
      <category domain="http://securityratty.com/tag/east coast time">east coast time</category>
      <category domain="http://securityratty.com/tag/mitchell walk">mitchell walk</category>
      <category domain="http://securityratty.com/tag/mitchell ashley">mitchell ashley</category>
      <category domain="http://securityratty.com/tag/pure">pure</category>
      <category domain="http://securityratty.com/tag/club pure">club pure</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/357490562/when-the-shoe-i.html">When the shoe is on the other foot</source>
    </item>
    <item>
      <title><![CDATA[Another fantasy fulfilled]]></title>
      <link>http://securityratty.com/article/26b1ea4c02200e4db5840372e4b9598b</link>
      <guid>http://securityratty.com/article/26b1ea4c02200e4db5840372e4b9598b</guid>
      <description><![CDATA[My Grandmother always told me that a lucky person can count the really good friends they have on one hand, but a small amount of good friends far outweigh having many acquaintances. That was proven to...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/landon%20and%20brad.jpg"><img title="landon and brad" height="164" alt="landon and brad" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/landon%20and%20brad_thumb.jpg" width="244" align="right" border="0" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN: 0px 0px 5px 10px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" /></a> My Grandmother always told me that a lucky person can count the really good friends they have on one hand, but a small amount of good friends far outweigh having many acquaintances. That was proven to me once again this weekend.&nbsp; Ever since before I had my 2 sons, I had dreams of taking my children to both a Pittsburgh Steeler game and a NY Yankee game. Last year <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2007/09/my-own-pilgrima.html">I had a chance to take Landon and Bradley to Pittsburgh and see a Steeler game</a>.&nbsp; With this being the last year for the old Yankee Stadium, I wanted to take the boys to see the Yankees at home and in the old stadium.&nbsp; </p>

<p>Getting tickets to a game at Yankee Stadium is not cheap.&nbsp; In looking around StubHub, for a hundred bucks a ticket (which is all I was willing to pay), the best I was going to do was out in the bleachers somewhere. But I figured it was better than nothing and was going to go for it.&nbsp; That was when I called my best buddy from college Tyler to see if he wanted to go with us.&nbsp; Tyler still lives in NY, actually he has an apt in Trump Palace and works in advertising for a large company, handling one of the very biggest accounts.&nbsp; When I told him what I was looking at buying he said to hold on and let him see what he could do.</p>

<p>Well Tyler came through big time.&nbsp; Not sure which vendor he got them from, but we had 6th row box seats behind third base, tickets to the Stadium Club, free parking (didn’t use it as we took the subway) and to top it off, Tyler was staying at his friend's place and insisted we stay in his place at Trump.&nbsp; </p>

<p>The boys and I had a blast hanging out in the city, going to Dylan’s candy store, the Empire State Building and then heading up to the Stadium.&nbsp; I am sure it will be a time both they and I will never forget.&nbsp; Like the commercial says:</p>

<p>1. 3 round trip airline tickets from Florida to NY – $750.00</p>

<p>2. 1 night in a hotel in NYC - $400.00</p>

<p>3. 3 field box seats to a Yankee game - $1000.00</p>

<p>4. A friend like Tyler to make it all happen for free (I used miles for the airfare) and give the kids this kind of memory – PRICELESS!</p>

<p>Thanks Tyler!</p></div>
]]></content:encoded>
      <pubDate>Sat, 02 Aug 2008 19:25:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/game">game</category>
      <category domain="http://securityratty.com/tag/yankee game">yankee game</category>
      <category domain="http://securityratty.com/tag/pittsburgh">pittsburgh</category>
      <category domain="http://securityratty.com/tag/pittsburgh steeler game">pittsburgh steeler game</category>
      <category domain="http://securityratty.com/tag/stadium">stadium</category>
      <category domain="http://securityratty.com/tag/yankee stadium">yankee stadium</category>
      <category domain="http://securityratty.com/tag/tyler">tyler</category>
      <category domain="http://securityratty.com/tag/college tyler">college tyler</category>
      <category domain="http://securityratty.com/tag/steeler game">steeler game</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/08/another-fantasy.html">Another fantasy fulfilled</source>
    </item>
    <item>
      <title><![CDATA[Another fantasy fulfilled]]></title>
      <link>http://securityratty.com/article/793f0277fc5b82d43ebcd638f1bd83c2</link>
      <guid>http://securityratty.com/article/793f0277fc5b82d43ebcd638f1bd83c2</guid>
      <description><![CDATA[My Grandmother always told me that a lucky person can count the really good friends they have on one hand, but a small amount of good friends far outweigh having many acquaintances. That was proven to...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/landon%20and%20brad.jpg"><img title="landon and brad" height="164" alt="landon and brad" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/landon%20and%20brad_thumb.jpg" width="244" align="right" border="0" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; MARGIN: 0px 0px 5px 10px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" /></a> My Grandmother always told me that a lucky person can count the really good friends they have on one hand, but a small amount of good friends far outweigh having many acquaintances. That was proven to me once again this weekend.&nbsp; Ever since before I had my 2 sons, I had dreams of taking my children to both a Pittsburgh Steeler game and a NY Yankee game. Last year <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2007/09/my-own-pilgrima.html">I had a chance to take Landon and Bradley to Pittsburgh and see a Steeler game</a>.&nbsp; With this being the last year for the old Yankee Stadium, I wanted to take the boys to see the Yankees at home and in the old stadium.&nbsp; </p>

<p>Getting tickets to a game at Yankee Stadium is not cheap.&nbsp; In looking around StubHub, for a hundred bucks a ticket (which is all I was willing to pay), the best I was going to do was out in the bleachers somewhere. But I figured it was better than nothing and was going to go for it.&nbsp; That was when I called my best buddy from college Tyler to see if he wanted to go with us.&nbsp; Tyler still lives in NY, actually he has an apt in Trump Palace and works in advertising for a large company, handling one of the very biggest accounts.&nbsp; When I told him what I was looking at buying he said to hold on and let him see what he could do.</p>

<p>Well Tyler came through big time.&nbsp; Not sure which vendor he got them from, but we had 6th row box seats behind third base, tickets to the Stadium Club, free parking (didn’t use it as we took the subway) and to top it off, Tyler was staying at his friend's place and insisted we stay in his place at Trump.&nbsp; </p>

<p>The boys and I had a blast hanging out in the city, going to Dylan’s candy store, the Empire State Building and then heading up to the Stadium.&nbsp; I am sure it will be a time both they and I will never forget.&nbsp; Like the commercial says:</p>

<p>1. 3 round trip airline tickets from Florida to NY – $750.00</p>

<p>2. 1 night in a hotel in NYC - $400.00</p>

<p>3. 3 field box seats to a Yankee game - $1000.00</p>

<p>4. A friend like Tyler to make it all happen for free (I used miles for the airfare) and give the kids this kind of memory – PRICELESS!</p>

<p>Thanks Tyler!</p></div>

]]></content:encoded>
      <pubDate>Sat, 02 Aug 2008 18:44:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/steeler game">steeler game</category>
      <category domain="http://securityratty.com/tag/game">game</category>
      <category domain="http://securityratty.com/tag/yankee game">yankee game</category>
      <category domain="http://securityratty.com/tag/yankee stadium">yankee stadium</category>
      <category domain="http://securityratty.com/tag/stadium">stadium</category>
      <category domain="http://securityratty.com/tag/pittsburgh steeler game">pittsburgh steeler game</category>
      <category domain="http://securityratty.com/tag/tyler">tyler</category>
      <category domain="http://securityratty.com/tag/college tyler">college tyler</category>
      <category domain="http://securityratty.com/tag/pittsburgh">pittsburgh</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/354073492/another-fantasy.html">Another fantasy fulfilled</source>
    </item>
    <item>
      <title><![CDATA[Simple oversight at TNS Infratest exposes participant information]]></title>
      <link>http://securityratty.com/article/ca9bbb88145ecdbedb20b4a7aa81936a</link>
      <guid>http://securityratty.com/article/ca9bbb88145ecdbedb20b4a7aa81936a</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/4/08

Organization
Taylor Nelson Sofres plc (TNS)

Contractor/Consultant/Branch
TNS Infratest

Victims
Survey participants

Number Affected
41,000
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/tns.jpg" width="98" align="right" height="98"><font size="2"><b>Date Reported: </b><br>7/4/08<br><br><b>Organization: </b><br><a href="http://www.tnsglobal.com/">Taylor Nelson Sofres plc (TNS)</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.tns-infratest.com/">TNS Infratest</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Survey participants<br><br><span style="font-weight: bold;">Number Affected:</span><br>41,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"Name and address, date of birth, email address and phone numbers", "Some of the data included monthly income, education, bank account information, health insurance data, and which credit cards are used"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"The scientific journal of the Chaos Computer Club (CCC), Die Datenschleuder, reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.ccc.de/updates/2008/umfragetief?language=en">Chaos Computer Club e.V.</a> <br><a href="http://www.theinquirer.net/gb/inquirer/news/2008/07/07/hackers-claim-survey-outfit">The Inquirer</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Chaos Computer Club e.V.<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>TOP MARKET RESEARCH firm TNS Infratest/Emnid has 'lost' 41,000 private data records of its survey participants, the Chaos Computer Club (CCC) has revealed in its official organ Die Datenschleuder.<br><br>As the magazine reports [1], it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures.<br><br>Access to the comprehensive survey results could be gained by simply changing 
the customer ID number in the browser's address bar.<br><span style="font-style: italic;">[Evan] This type of development mistake is too common.&nbsp; The vulnerability is very easy to find by good pen testers and the bad guys.&nbsp; Actually, I am surprised that we don't hear about more of these types of breaches.</span><br><br>Besides name and address, the data records included date of birth, email address and phone number.<br><br>Many records also included very sensitive information: monthly income, education, bank account information, health insurance data, if and which credit cards are used, which electronic devices are used in the household, children's ages and yet more private data.<br><span style="font-style: italic;">[Evan] Clearly this is some very sensitive information, all provided by people completing surveys.</span><br><br>"TNS Infratest made a beginner's mistake in their software development. This is unprofessional, grossly negligent and above all deeply worrying," commented CCC spokesman Dirk Engling regarding the incident.<br><span style="font-style: italic;">[Evan] Mr. Engling is dead on.&nbsp; I couldn't have said it better myself.</span><br><br>"As this information is very sensitive, where abuse such as identity theft or its use in connection with burglary cannot be excluded, TNS Infratest needs to inform the victims immediately," he continued.<br><br>This case continues a disastrous, never-ending series of information leaks of data held by public and private sector organisations.<br><br>The need for more strict control of sensitive data collections is evidenced by the recent snooping affairs by German Telecom as well as the data leaks from the "Meldeämtern" (registration of address offices). 
<br><br>It is obvious here that data security only plays a minor role in companies.<br><span style="font-style: italic;">[Evan] Very sad, but very true.&nbsp; Too many organizations still take the wrong view of information security as a "cost center" instead of a business driver.&nbsp; Well-designed and managed information security programs, the ones that are aligned with the business and not IT, can actually provide value to the business.</span><br><br>"Especially for companies surveying the most confidential data, the highest security standards have to apply," said Engling.<br><br>The press team of the Chaos Computer Club is available for questions at the following addresses: <br></font><ul><li><font size="2">presse@ccc.de (preferred)</font></li><li>0700-CHAOSFON (0700 - 24267366)<br></li></ul><font size="2"><br><span style="font-weight: bold;">Commentary:</span><br>TNS is a large company, a large company with resources to hire good management, programmers, and information security personnel.&nbsp; What is the excuse for making such a significant, yet simple oversight?&nbsp; There are a number of controls that could have reduced the risk of this occurring.<br><br>On a secondary note, but no less important in my opinion: it seems that people (in general) provide too much information willingly, without understanding what the risks could be.&nbsp; Personally, I rarely complete surveys that ask me for personally identifiable information (name, address, etc.).&nbsp; I suggest that you give some serious thought to providing any of your personal information.&nbsp; Ask yourself if you trust the organization collecting your information.&nbsp; If so, question what your trust is based on.&nbsp; Do NOT hesitate to ask questions and err on the side of caution. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br></font>]]></content:encoded>
      <pubDate>Wed, 09 Jul 2008 19:37:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/records">records</category>
      <category domain="http://securityratty.com/tag/master data records">master data records</category>
      <category domain="http://securityratty.com/tag/sensitive information">sensitive information</category>
      <category domain="http://securityratty.com/tag/sensitive">sensitive</category>
      <category domain="http://securityratty.com/tag/information leaks">information leaks</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/bank account information">bank account information</category>
      <source url="http://breachblog.com/2008/07/09/tns.aspx">Simple oversight at TNS Infratest exposes participant information</source>
    </item>
    <item>
      <title><![CDATA[Googles Culture of Yes]]></title>
      <link>http://securityratty.com/article/e615947c2baeb07b85af246f8d822bd5</link>
      <guid>http://securityratty.com/article/e615947c2baeb07b85af246f8d822bd5</guid>
      <description><![CDATA[Recently, Eric Schmidt gave quite an inspirational speech at the Economic Club of Washington . It was so interesting; I wanted to share this with you in case you missed it. The entire speech is rather...]]></description>
<content:encoded><![CDATA[<p>Recently, Eric Schmidt gave quite an inspirational speech at the <a href="http://www.economicclub.org/" target="_blank">Economic Club of Washington</a>.  It was so interesting; I wanted to share this with you in case you missed it. The entire speech is rather long but here’s the <a href="http://fora.tv/2008/06/09/Eric_Schmidt_Explains_Google_s_Culture_of_Yes" target="_blank">section on Google’s Culture of Yes</a>.</p>
<p>After hearing his speech, I thought about how Eric and Google are impacting the digital revolution after so many others have tried unsuccessfully over the last 25 years. He has led the company through a period of explosive growth from $1 Billion to over $16 Billion in the past year, while keeping the young, fun, irreverent culture intact. Consider the meteoric rise of Google’s popularity in a reasonably short period of time, to the point that the company name is now actually a verb!</p>
<p>The point that I found enlightening was his summary, which you can scroll to at the 26 - 30 minutes timeframe in the presentation, where he shared an interesting glimpse into the culture of Google. “Creating more luck, giving yourself more at bats, being out there… to think big and inspire a culture of YES.” The culture of Yes inspires people to aim higher and be ambitious in their reach and goals.</p>
<p>That is a very interesting point in which I really believe. If there is one thing that all companies, and especially small companies, struggle with because of natural resource constraints, it is building a strong culture of Yes. We have tried to do this from the very inception of ScienceLogic, but it continues to get harder and harder the larger the business grows. To consistently inspire a principle of Yes, without agreeing to every idea that flows across my desk, is amongst the most challenging parts of our daily jobs. However, if I could create the perfect scenario, we would intuitively strive for a principle of Yes and inspire our associates and our ecosystem of partners and customers to use this simple concept to confidently go forward.</p>
<p>Eric says, “It is possible to build a culture around innovation. It is possible to build a culture around leadership, and it is possible to build a culture around optimism.” Google is a great example, but by no means the only example. I agree with Eric’s summary and hope to lead ScienceLogic according to these very basic but essential principles. “Let’s be revolutionaries. Let’s take this opportunity, this huge change that is before us with technology and let’s change our businesses, our communication and the way we interact on some new principles that reflect the very best in America.”</p>
]]></content:encoded>
      <pubDate>Mon, 23 Jun 2008 11:21:46 +0000</pubDate>
      <category domain="http://securityratty.com/tag/culture">culture</category>
      <category domain="http://securityratty.com/tag/googles culture">googles culture</category>
      <category domain="http://securityratty.com/tag/strong culture">strong culture</category>
      <category domain="http://securityratty.com/tag/irreverent culture intact">irreverent culture intact</category>
      <category domain="http://securityratty.com/tag/inspirational speech">inspirational speech</category>
      <category domain="http://securityratty.com/tag/speech">speech</category>
      <category domain="http://securityratty.com/tag/inspire">inspire</category>
      <category domain="http://securityratty.com/tag/consistently inspire">consistently inspire</category>
      <category domain="http://securityratty.com/tag/eric">eric</category>
      <source url="http://blog.sciencelogic.com/googles-culture-of-yes/06/2008">Googles Culture of Yes</source>
    </item>
  </channel>
</rss>
