[SecurityRatty] tag: pa-dss

Palo Alto's performance holds steady as security measures increase

Sun, 05 Oct 2008 20:00:00 +0000

In August, we tested Palo Alto Networks' PA-4020, the first fully application-aware firewall to be commercially marketed. When we attempted to test performance on the PA-4020 we ran into a hitch: Palo Alto's application identification logic discovered that we were using Spirent test tools.

McIrony: An unexpected response from McAfee

Sat, 30 Aug 2008 09:04:00 +0000

Irony: incongruity between what might be expected and what actually occurs.

Right before Black Hat, I put together what I believed was a pretty strong arguement against McAfee Secure - Hacker Safe, at a level heretofore unexplored. I believe it was more damaging than anything I've said to date, and as such, presented potential risk for me. So I ran it by some friends before publishing it. Then a most extraordinary thing happened. I had a long chat with Nate McFeters, who described an awakening he'd recently experienced. He shared with me the belief that a better approach to potentially negative security research might be to try to create a positive outcome, and worry less about press cycles or exposure, the 15 minutes of fame if you will. He pointed to people like Mark Dowd as an example of people who conduct crushingly good research, and steer clear of the petty, ego driven bulls**t.
There I sat, repose like the thinking man, frozen for minutes. "Nate", I said, "I think you're right."
What do I aspire to as an information security professional; more readership or street cred than the next guy, or the respect of my peers for contributing to the greater good? Attention, press cycles, 15 minutes...it all has its allure, trust me on this.
But at the end of the day, I really do want to contribute to the greater good.
So I did something different. I sent my findings to McAfee and offered them an opportunity to respond, rather than publish first, ask questions later.
Here's the real kicker.
They responded.
I had a three hour lunch this past Thursday with two gentlemen from McAfee, who flew up from the Bay Area to Seattle to have a face to face with me. This, all by itself, speaks volumes to me. In addition to meeting with Kirk Lawrence, the new Director of Product Management for McAfee Secure, there I sat with, of all people, Joe Pierini, the very guy who has suffered more than his share of abuse, up to and including the Pwnie. As I have been a direct contributor and participant in heckling Joe, you can imagine our meeting could have been uncomfortable. It was not.
I have had expectations of McAfee and Scan Alert that to date have not been met, or my (your) perception has been that they have not been met.
This meeting was designed as an opportunity to voice some of these expectations, and see if McAfee, in turn, believed there was any merit to them.
Surprisingly, at least as spoken, we weren't all that far apart.
While, as a naive idealist, I believe that security should come before conversions, I am also grounded enough of a realize that the most attainable goal can be a marriage of both. This premise frames my expectations of McAfee.
Can they not be more of a "thought leader" for all the Ma & Pa websites who rely on McAfee Secure, first for a higher conversion rate, then security?
Can they not hold merchants to a higher standard, without alienating them and losing business?
Can they not embrace the security research community in a fashion that McAfee, the security community, the merchants, and consumers can all benefit from?
Can they not be more transparent in their approach, providing more details and feedback about their methods, their findings, and their vision?
I know McAfee Secure - Hacker Safe scans can find vulnerabilities.
I know they report the vulnerabilities to merchants.
What happens thereafter is where things begin to break down.
Can the scan engine be improved to find more vulns? Sure. That's really not that big a deal; technology can always be improved.
But, regarding holding merchants to a higher standard; therein is the whole point of this debate.
Anyone can throw a badge on a site.
But what happens when the site proves vulnerable is the key. I'll be candid here: I don't give a damn about the merchant at that point; it's the consumer who is at risk and needs something better from McAfee and their peers.
So, here begins a different approach. I know that making changes at a company the size of McAfee can be likened to the three miles it takes to turn around an aircraft carrier. I'm willing to work with them, and allow for a positive outcome.
I have been told that, in two or three weeks, we can expect a published standard, that clearly defines exactly what the McAfee Secure product offering adheres to, inclusive of their expectations for merchant remediation timelines, potential badge downgrades for unresolved vulnerabilities, and hopefully even a more clear stance on XSS.
I have been told that I will have the opportunity to discuss this standard, and invite feedback. Any standard is better than no standard.
I have also been told that this is just the beginning of changes that will lead to more of what I have hoped for in my expectations, over the next 6 months or so.
I am hopeful that we can take McAfee at their word, and even if slowly, see a positive outcome.

del.icio.us | digg

An "Aw3s0me" Offer?

Tue, 05 Aug 2008 12:52:53 +0000

Yes, it's time for our regular "sites to avoid" update with regards URLs related to this ring of sites asking for MSN login details. Yesterday evening, I received this via MSN:

Interestingly, this is the first site I've seen promoted on MSN related to this where the site being pushed isn't asking for your login details. Instead, it cycles through a bunch of adverts & promotions instead. Rather worryingly, the domain has been flagged for Phishing.

Click to Enlarge

In what might be a departure for these websites, there appears to be "real" Whois data listed for the URL, as opposed the "privacy protected" details I seem to remember being used for all the others.

Registrant Contact:
   TST Management, Inc
   Jeff Fisher

   Edificio Magna Corp. 5th Floor, Office 511
   Ave. Manuel Maria Icaza y Calle 51
   Panama City, Panama 0000
   PA

I'm sure there'll be another chapter in this ongoing saga soon.

Cost/Benefit Analysis of Airline Security

Mon, 21 Jul 2008 01:53:15 +0000

This report, "Assessing the risks, costs and benefits of United States aviation security measures" by Mark Stewart and John Mueller, is excellent reading:

The United States Office of Management and Budget has recommended the use of cost-benefit assessment for all proposed federal regulations. Since 9/11 government agencies in Australia, United States, Canada, Europe and elsewhere have devoted much effort and expenditure to attempt to ensure that a 9/11 type attack involving hijacked aircraft is not repeated. This effort has come at considerable cost, running in excess of US$6 billion per year for the United States Transportation Security Administration (TSA) alone. In particular, significant expenditure has been dedicated to two aviation security measures aimed at preventing terrorists from hijacking and crashing an aircraft into buildings and other infrastructure: (i) Hardened cockpit doors and (ii) Federal Air Marshal Service. These two security measures cost the United States government and the airlines nearly $1 billion per year. This paper seeks to discover whether aviation security measures are cost-effective by considering their effectiveness, their cost and expected lives saved as a result of such expenditure. An assessment of the Federal Air Marshal Service suggests that the annual cost is $180 million per life saved. This is greatly in excess of the regulatory safety goal of $1-$10 million per life saved. As such, the air marshal program would seem to fail a cost-benefit analysis. In addition, the opportunity cost of these expenditures is considerable, and it is highly likely that far more lives would have been saved if the money had been invested instead in a wide range of more cost-effective risk mitigation programs. On the other hand, hardening of cockpit doors has an annual cost of only $800,000 per life saved, showing that this is a cost-effective security measure.

From the body:

Hardening cockpit doors has the highest risk reduction (16.67%) at lowest additional cost of $40 million. On the other hand, the Federal Air Marshal Service costs $900 million pa but reduces risk by only 1.67%. The Federal Air Marshal Service may be more cost-effective if it is able to show extra benefit over the cheaper measure of hardening cockpit doors. However, the Federal Air Marshal Service seems to have significantly less benefit which means that hardening cockpit doors is the more cost-effective measure.

Cost-benefit analysis is definitely the way to look at these security measures. It's hard for people to do, because it requires putting a dollar value on a human life -- something we can't possibly do with our own. But as a society, it is something we do again and again: when we raise or lower speed limits, when we ban a certain pesticide, when we enact building codes. Insurance companies do it all the time. We do it implicitly, because we can't talk about it explicitly. I think there is considerable value in talking about it. (Note the table on page 5 of the report, which lists the cost per lives saved for a variety of safety and security measures.) The final paper will eventually be published in the Journal of Transportation Security. I never even knew there was such a thing.

Teen Hacks PA School Computer, Gets Tax Info

Tue, 03 Jun 2008 06:23:32 +0000

A 15 year old student managed to hack into a school computer in Pennsylvania. He got his hands on 2005 tax return information for 41,000 which sent a town meeting for a loop.

From DailyLocal dot com:

Borough police arrested a 15-year-old Downingtown West High School freshman on May 21 and charged him with theft by unlawful taking or disposition, computer theft, unlawful duplication and computer trespass.

District administrators learned about the intrusion on May 9, when a student told Downingtown West’s principal that another student might have personal information, Griffin said. But 71 school employees did not learn their 2005 W-2 forms were copied until May 16, and Griffin said this was because district officials had to first perform “due diligence.”

According to police, the data files contained more than 41,000 adult taxpayers’ names and personal information, including Social Security numbers, and more than 15,000 students’ names and personal information. The school district sent out letters to 16,595 residences about the incident.

Eldredge said he received the school district’s letter but believes it’s a dead issue.

“For me, I’m comfortable that nothing was done with the information,” Eldredge said.

But, not everyone felt the same.

“I have a tremendous objection to anyone but the county having this information,” West Bradford resident Susan Singer said. And if there are instances of identity theft, “I will be more than outraged,” she said.

ID theft can scare the best of us at the worst of times.

Article Link

Comcast.net not Hacked, DNS Records Hijacked

Fri, 30 May 2008 03:58:46 +0000

Two days ago in a show off move, the Kryogenics team managed to change the DNS records of Comcast.net, and consequently, redirect traffic to third-party servers, which in this incident only served a defaced-looking like page, and denied email services to Comcast's millions of email users for a period of three hours.

The message they appear to have left at the first place, is actually hosted on third-party servers and reads :

"KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven"

Comcast's changed whois records looked like this, and were restored to their original state approximately three hours later :

Administrative Contact:
Domain Registrations,
Comcast kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk 69 dick
tard lane dildo room
PHILADELPHIA, PA 19103
US 4206661870 fax: 6664200187

The hacked page was loading from the following locations :
freewebs.com/buttpussy69
freewebs.com/kryogeniks911
defiants.net/hacked.html

Comcast's comments :

"Last night users attempting to access Comcast.net were temporarily redirected to another site by an unauthorized person," he says. "While that issue has been resolved and customers have continued to have access to the Internet and email through services like Outlook, some customers are currently not able to access Comcast.net or Webmail." Douglas says that network engineers continue to work on the issue. "We believe that our registration information at the vendor that registers the Comcast.net domain address was altered, which redirected the site, and is the root cause of today's continued issues as well," he says. "We have alerted law enforcement authorities and are working in conjunction with them."

Network Solutions comments :

"Somebody was able to log into the account using the username and password. It was an unauthorized access," said spokeswoman Susan Wade. "It wasn't like somebody hacked into it. The Network Solutions account was not hacked. "They ping us and say this is my domain and say, 'I'd like to reset my password,'" Wade said. "It could have been compromised through e-mail. They could have gotten it if they acted as the customer. We're not clear."

"Pinging a domain registrar" has been around since the early days of the Internet, and it's obviously still possible to socially engineer one in 2008. A recently released ICANN advisory on the topic of registrar impersonation phishing attacks provides a decent overview of the threat, and in Comcast's case, I think someone impersonated Comcast in front of Network Solutions compared to the other way around, namely someone phished the person possessing the accounting data at Comcast, by making them think it's Network Solutions contacting them.

With Comcast.net now back to normal, the possibilities for abusing the redirected traffic given that the content was loading from web sites they controlled are pretty evident. And despite that there are speculations the hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem to have been to prove that it's possible.

15-year-old "hacks" Downingtown Area School District

Sun, 18 May 2008 17:54:02 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Downingtown Area School District

Contractor/Consultant/Branch:
None

Victims:
Staff members and county taxpayers

Number Affected:
"71 teachers" and "several thousand tax payers"

Types of Data:
W-2 forms, Social Security numbers, and home addresses

Breach Description:
"DOWNINGTOWN, Pa. (CBS 3) ? Authorities are investigating the theft of personal information from a computer in a Chester County school district. Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9."

Reference URL:
CBS Channel 3 News
The Philadelphia Inquirer

Report Credit:
CBS Channel 3 News

Response:
From the online sources cited above:

DOWNINGTOWN, Pa. (CBS 3) ? Authorities are investigating the theft of personal information from a computer in a Chester County school district.

Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9.
[Evan] I hope school district officials are embarrassed. Do you think that this kid used exceptional skill? I would guess that the school information was a pretty easy target.

Numerous files containing the personal information of 70 staff members and several thousand tax payers were apparently copied and distributed to other students.
[Evan] The information was "distributed to other students"? Ouch. Why does the school possess personal information belonging to several thousand tax payers?

The files apparently contained salary information and social security numbers.

Police said the students involved in the incident have been identified and the data was safely recovered.
[Evan] Were all copies of the data safely recovered? How would you be certain? Once information has been compromised, how do you un-compromise it? I don't think you can.

The district is working to determine how far the breach reached and secure their network from future abuse.
[Evan] People like to put information security into a nice little package. You can't. It's more than that, and the solutions to the school district's information security problems are more than determining the extent of this breach and securing their network.

Officials believe the student was just attempting to see if he could infiltrate the network, not identity theft.
[Evan] This may or may not be true, but what about the other students that received copies?

As a precaution, all staff members were notified of the incident and told to check their personal data.

"We are still early in the investigation and cannot provide further details," Lt. Steven J. Plaugher of the Downingtown Police Department said in a statement last night. "No arrests have been made at this time."

"We just determined a week ago what happened," said Patricia McGlone, spokeswoman for the district. "The school board will go forward with a disciplinary hearing, which will be separate from the police investigation."

It is unclear if the student will face charges.

The incident marks the second time private information has been obtained by a student at the school. Officials said a student was charged after hacking the system in December 2007.
[Evan] This should be a sign, eh? Two incidents in six months. Do you suppose the district determined "how far the breach reached and secure their network from future abuse" in that case too?

Commentary:
This breach reminds of the "Students breach Williamsville Central School District security" posting we made on April 15th. I think these two cases are very similar. School districts across the country seem to collect and poorly protect unnecessary personal information.

Past Breaches:
Unknown

A Small Rant About Conference/Journal Papers and Timestamps

Mon, 12 May 2008 16:18:00 +0000

Why is it that most/all papers published in Journals and/or as part of conferences never have a date/timetamp attached?

Its rather a bit frustrating to read a paper you've been sent, or had a link for, only to have no idea when/where it was published...

Just Friday I was pointed at an article by Dan Geer - http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=436

Awesome article, but you won't see any real date information on it. January/February Edition on the ACM Queue. Which year? Hmm, can't tell can you, at least not from that page. Hell, the date at the top is the date you loaded the page, not the date of the article. More than a little frustrating.

Ok, rant mode off. The next post will probably be about the article above.

Stolen General Internal Medicine laptop exposes nearly 12,000

Mon, 05 May 2008 08:17:36 +0000

Technorati Tag: Security Breach

Date Reported:
4/25/08

Organization:
General Internal Medicine of Lancaster (PA)

Contractor/Consultant/Branch:
None

Victims:
Patients*

*"who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007"

Number Affected:
"nearly 12,000"

Types of Data:
Names, addresses, telephone and Social Security numbers

Breach Description:
"EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County."

Reference URL:
WGAL Channel 8 News
Lancaster Intelligencer Journal
General Internal Medicine of Lancaster

Report Credit:
General Internal Medicine of Lancaster (PA)

Response:
From the online sources cited above:

EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County.
[Evan] Why do we store personal (and other confidential) information on poorly secured laptops? Why, why, why?

A medical practice in East Hempfield Township is contacting nearly 12,000 of its patients to notify them that a computer was stolen from the office April 17

"We're just sick about this," said practice manager Lois Summers. "We know that the computer didn't contain the information of all (12,000) patients, but we notified everyone we saw during that three-year period just to be safe."
[Evan] The organization is not providing (as far as I can tell) fraud alert or credit monitoring, but the costs are probably still significant. 12,000 mailings has a hard cost and is pretty easy to quantify. The price involved with lost confidence and visits is harder to nail down.

office workers on April 17 were taking paper records bearing basic patient information and scanning them into a laptop computer so the records could then be transferred to a disk.
[Evan] Even in a small scale project it is important to evaluate risks EARLY on in the process, before work starts.

After that process was completed, the office planned to burn the paper records.

no medical information about patients was compromised.

The computer contained the names, addresses, telephone numbers and Social Security number s of many of the patients who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007.

East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week.

An employee left the area where the scanning was being done for a brief period the morning of April 17. When that employee returned, Summers said, the laptop was gone.
[Evan] It only takes a second or two for a thief to nab a mobile device. People think that it won't happen to them until it does. Then it's like "@^ @%*#"! Understand that these things will happen. We don't know when. We don't know how. We don't know where. Many times the hardware costs are a write-off, but what is the cost of personal information for which you are not the owner? We can take steps to significantly reduce the risk of data exposure.

Police said they suspect whoever stole the laptop wanted the computer more than the information on it.
[Evan] Sure.

Investigators also said the personal information is not easy to access.
[Evan] "Not easy" is subjective. If the information was only protected by an operating system password, then the information is likely very easy to access.

"Obviously, this was not a secure system we had and it will never be done again in this office," Summers said. "We need a secure (computer) drive that cannot be removed from the office."
[Evan] Excellent quote, "Obviously, this was not a secure system". Lois Summers then goes on to address physical security of the drive itself. Physical security is very important, but it should be noted that logical security (biometrics, encryption, etc.) are equally as important.

General Internal Medicine of Lancaster located in the office building sent a letter to patients to alert them of what happened.

Anyone with questions is urged to call General Internal Medicine at 397-2738.

Commentary:
The General Internal Medicine of Lancaster web site prominently displayed a "Fraud Alert" graphic in the middle of the home page.

I appreciate organizations that do not hide the fact that personal information (entrusted to them) has been compromised. Losing the information causes enough stress for victims. General Internal Medicine does a good job of openly admitting the breach and providing information. Their "Fraud Alert" page even provides a link to a copy of the East Hempfield Township police report. I get a real sense that the organization feels terrible about the breach and has taken steps to mend the relationship with patients. I don't get this sense from many breaches.

Unfortunately the information security practices at General Internal Medicine that led to this breach are commonplace in many organizations of all sizes, in many industries.

Past Breaches:
Unknown

$160 Billion Robotic Army Network Passes First Big Test. Kinda.

Wed, 30 Apr 2008 00:00:00 +0000

A van full of insurgents speeds through the desert. They do not notice a series of networked ground sensors that have begun tracking their every move.

Hovering somewhere overhead, a tiny robot points its camera at the van and takes note of its color scheme and markings. An even bigger drone, thousands of feet above its hovering kin, maintains a God’s-eye vigil on the whole hunt.

Everything these robots see is radioed to monitors thousands of miles away -- and into the targeting systems of a B-52 bomber winging, silent and nearly invisible, several miles overhead.

This scenario, played out at a remote Nevada facility last week, was the first major test of the Army’s $160-billion, 20-year plan to build a high-tech family of networked robots and hybrid-electric armored vehicles. The “Future Combat Systems” program, co-managed by Boeing and consultants SAIC, aims to equip roughly a third of the Army with 14 new vehicle types that are connected constantly to a vast communications net.

The theory behind the FCS is that dispersed, intelligent robotic systems plugged into a universal communications network can help small numbers of U.S. troops riding in new vehicles to control huge swaths of terrain. Any ship, airplane or tank fitted with the FCS network devices will be able to see everything the others see.

The SkyNet-like network and dynamic coordination “is the most important thing,” Brigadier General James Terry says.

This is “a big deal for joint fires,” Army spokesman Paul Mehney told Wired.com.

“Joint fires” is mil-speak for getting all the military services to share info and coordinate their attacks. That kind of teamwork is a big factor in the U.S. military’s combat prowess. And if FCS works out as planned, the five U.S. military branches will team up better than ever.

Did the test work? Kinda.

The robots spotted the van; their targeting data bounced to a nearby unit of specially-equipped Humvees, then across the network to an Air Force intelligence cell in Langley, Virginia, then back to the B-52 -- all in just seconds. The bomber simulated dropping a guided bomb to “destroy” the van.

The Nevada test proved it was possible, according to Mehney.

But one critic says the test essentially was rigged -- that the conditions were too easy.

“There is ‘works’ and then there is ‘works,’” John Pike, an analyst with Globalsecurity,org, told Wired.com.

“A considerable fraction of the FCS network hardware does not currently exist,” Pike said. And the integration of that hardware that does exist has been touch-and-go.

In February, when testers “flipped the switch” for the first time on the network radios, there was a collective sigh of relief that the radios even worked -- this according to one FCS insider who spoke on background.

Last week’s desert test comes at a critical time for Future Combat Systems. Mounting criticism from the GAO plus the growing cost of fixing and upgrading the Army’s current war-weary vehicle fleet -- $120 billion over 10 years, according to the GAO -– has put the squeeze on the futuristic program. “It is not yet clear if or when the Army and [its contractors] can develop, build, and demonstrate the … network,” the Government Accountability Office reported in March.

One powerful congressman, nominally a supporter of FCS, has proposed injecting extra money into the program in order to rescue some of its technologies before canceling the rest.

Rep. John Murtha (D-PA), chair of the defense appropriations subcommittee, promised an extra $20 billion this year for FCS, provided the Army could use the money to wrap up the program quickly. “We need to accelerate FCS if we ever want to see anything accomplished,” Matt Mazonkey, a Murtha staffer, told Wired.com.

The Army is still preparing its response to Murtha’s query, Mehney said. Regardless, the service’s position on FCS has never wavered. The Army says that FCS is on-budget, on-schedule, and with continued funding will deliver on its promises to connect the ground service to itself and to all the other military branches.

And to ensure smooth progress despite a combined $900 million budget cut last year, the Army this month asked Congress to “re-appropriate” $250 million of other Army funds into FCS coffers.