<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: seal]]></title>
    <link>http://securityratty.com/tag/seal</link>
    <description></description>
    <pubDate>Thu, 04 Oct 2007 20:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Links List 9.29.08]]></title>
      <link>http://securityratty.com/article/48fee769715c390d500bbc1e0ea43623</link>
      <guid>http://securityratty.com/article/48fee769715c390d500bbc1e0ea43623</guid>
      <description><![CDATA[Trade shows, trade shows and more trade shows. VMworld and Interop dominated the stage a couple of weeks ago and then there was the annual Oracle blowout in SF last week. Has anyone gotten any work...]]></description>
      <content:encoded><![CDATA[<p><img style="border-right: 0px; border-top: 0px; margin: 5px; border-left: 0px; border-bottom: 0px" src="http://blog.sciencelogic.com/wp-content/uploads/2008/09/oracle.jpg" border="0" alt="oracle" width="240" height="164" align="left" /> Trade shows, trade shows and more trade shows. VMworld and Interop dominated the stage a couple of weeks ago and then there was the annual Oracle blowout in SF last week. Has anyone gotten any work done lately?? <em>(</em><a href="http://flickr.com/photos/cdye/sets/72157607458101608/" target="_blank"><em>image from cdye1</em></a><em>)</em></p>
<p>Does <a href="http://sfcitizen.com/blog/2008/09/24/its-oracles-world-were-just-living-in-it/" target="_blank">Oracle run the world</a>? I would have to say no but Raj (Larry Ellison is his idol) and the 40,000 Oracle customers that descended upon SF last week might beg to differ. What do James Carville and Mary Matalin have to do with enterprise software? Pretty much nothing, except for the fact that they delivered the opening keynote for <a href="http://www.oracle.com/openworld/2008/index.html" target="_blank">Oracle OpenWorld</a>. (And that’s the only and last politically-oriented thing you’ll hear from me as we run up to the election). For a surprisingly funny and extensive photo gallery of the eye-popping event, check out <a href="http://flickr.com/photos/cdye/sets/72157607458101608/" target="_blank">cdye1’s photostream</a> on Flickr.</p>
<p>But UB40, Elvis Costello and Seal aside, Oracle OpenWorld did offer training, certifications, and always entertaining speeches by Ellison. Ben Worthen’s favorite – “<a href="http://blogs.wsj.com/biztech/2008/09/25/larry-ellisons-brilliant-anti-cloud-computing-rant/?mod=djemTECH" target="_blank">Larry Ellison’s Brilliant Anti-Cloud Computing Rant</a>” delivered to analysts on Thursday. From Ben’s slightly-edited excerpt:</p>
<p>“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?</p>
<p>“We’ll make cloud computing announcements. I’m not going to fight this thing. But I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. That’s my view.”</p>
<p>So did everyone catch that? Cloud computing is complete gibberish and idiocy, but apparently Oracle’s already been doing enough around it to advertise the fact. I will have my cake and eat it too!</p>
<p>We’ve been pumping out the posts from the shows we went to – let me tell you, live-blogging is hard when you’re trying to share apparently minuscule amounts of bandwidth with 14,000 other attendees – and we have even more to share as we step back, contemplate and describe how some of the announcements, info and especially roadmaps fit into our overall picture over here at ScienceLogic.</p>
<p>For example, we released the results of our annual industry IT survey last week. Twice a year – at FOSE (for Government IT) and at Interop NY (for enterprises) – we take advantage of the fact that we have a big beautiful booth at these shows and offer a fabulous ScienceLogic t-shirt in return for a couple of minutes’ time with attendees living the <a href="http://blog.sciencelogic.com/why-we-l-o-v-e-tradeshows/03/2008" target="_blank">problems we try to solve</a>. Instead of telling people what their problems and priorities are, we like to ask.<br />
<a href="http://blog.sciencelogic.com/interop-ny-survey-top-it-challenges-trends-and-what-it-is-spending-money-on/09/2008?" target="_blank">Interop NY Survey - Trends and Challenges</a><br />
<a href="http://www.sciencelogic.com/pressrelease_20080925.htm" target="_blank">Detailed Reports on Trends and Comparison to Government IT</a></p>
<p>And I just had to share this one because it is so bizarre. Are VMware and Paul Maritz guilty of <a href="http://it20.info/blogs/main/archive/2008/09/21/143.aspx" target="_blank">plagiarism</a>? You have to check this out to get even part of the picture. Apparently this guy has posted his slides (we know they are from VMworld 2007 because it says so in the lower-right-hand corner…) which prove that the “virtual datacenter operating system” idea was his idea a year before it showed up on Maritz’s keynote this year. Hmmm. And then after posting all these slides and making all the connections between his presentation and Maritz’s, he says he’s just kidding about the plagiarism. Can anyone sort this out and let me know?</p>
<p>I’ll tell you who wasn’t kidding when I went by their booth at VMworld – a certain chargeback vendor and VMware “partner” who was quite shocked two months ago when they walked into a meeting with VMware about future roadmap. Apparently, the slides they saw (preview of VMware’s announcement re adding extended chargeback capability within vCenter management services) were mighty similar to slides they had given in a presentation to VMware about their own roadmap. Coincidence? I’ll let you decide. And I’ll also say, their strategy to combat this – support for Hyper-V coming early in 2009.</p>
]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 23:00:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/oracle openworld">oracle openworld</category>
      <category domain="http://securityratty.com/tag/oracle">oracle</category>
      <category domain="http://securityratty.com/tag/cloud">cloud</category>
      <category domain="http://securityratty.com/tag/annual oracle blowout">annual oracle blowout</category>
      <category domain="http://securityratty.com/tag/vmware">vmware</category>
      <category domain="http://securityratty.com/tag/vmware partner">vmware partner</category>
      <category domain="http://securityratty.com/tag/industry">industry</category>
      <category domain="http://securityratty.com/tag/annual industry">annual industry</category>
      <category domain="http://securityratty.com/tag/apparently oracles">apparently oracles</category>
      <source url="http://blog.sciencelogic.com/links-list-92908/09/2008">Links List 9.29.08</source>
    </item>
    <item>
      <title><![CDATA[Hype Alert: Internet Shopping Carts Are Secure]]></title>
      <link>http://securityratty.com/article/6f0706e64d78d354492017803497a079</link>
      <guid>http://securityratty.com/article/6f0706e64d78d354492017803497a079</guid>
      <description><![CDATA[My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure
OMG...really
To be fair, I realize the author is speaking from the...]]></description>
      <content:encoded><![CDATA[My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled <a href="http://hubpages.com/hub/Internet-Shopping-Carts-Are-Secure" target="_blank">Internet Shopping Carts are Secure</a>. <br />OMG...really?<br />To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:<br /><span style="font-style:italic;">"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."</span><br />This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" target="_blank">PCI</a> standards.<br />Allow me to elaborate.<br />We'll kick off our hype-eliminating effort with a simple Google dork: <a href="http://www.google.com/search?hl=en&q=inurl%3A%22cart.cfm%22&btnG=Search" target="_blank">inurl:"cart.cfm"</a> (picking on ColdFusion again, but man, they make it easy)<br /><a href="http://www.gmpartsdirect.com/cart.cfm" target="_blank">GM Parts Direct: Your Shopping Cart</a> jumped right out at me for a number of reasons.<br />First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound <a href="http://www.ringelkater.de/Sounds/2geraeusche_gegenst/geigerzaehler.wav" target="_blank">effect</a> for edification. 
:-)<br />Second, the page contained one of the growing number of aforementioned conversion-driving website <a href="http://sealserver.trustwave.com/cert.php?customerId=w6ordzctHpqOVGcB1cmBsViTpDGC2k&size=105x54&style=normal&language=en" target="_blank">security</a> seals. <br /><br /><a href="http://3.bp.blogspot.com/_kVOWaY1TAF0/SN1tYvapkkI/AAAAAAAAADg/6k1ncKqufL4/s1600-h/GMparts.png" target="_blank"><img style="cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_kVOWaY1TAF0/SN1tYvapkkI/AAAAAAAAADg/6k1ncKqufL4/s320/GMparts.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5250473012396397122" /></a><br /><br />Tick, tick, click...the Geiger counter is getting louder. <br />Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."<br />Methinks that <a href="https://www.trustwave.com/" target="_blank">Trustwave's</a> Trusted Commerce program is missing a few fundamental security checks. 
Remember, according to the <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" target="_blank">PCI DSS</a>, a PCI-regulated site that is vulnerable to XSS is not compliant (see section 6.5.4).<br />Uh-oh.<br /><a href="http://2.bp.blogspot.com/_kVOWaY1TAF0/SN1wVI4q8FI/AAAAAAAAADo/ZzFA7u8xNCA/s1600-h/GMparts_xss_trustwave.png" target="_blank"><img style="cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_kVOWaY1TAF0/SN1wVI4q8FI/AAAAAAAAADo/ZzFA7u8xNCA/s320/GMparts_xss_trustwave.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5250476249048608850" /></a><br />All it takes is a fake login page, as opposed to our friends at <a href="http://xssed.com/" target="_blank">XSSED.com</a>, and...well, you get the point.<br />Simply put, this is one of an endless number of shopping carts that are neither secure nor PCI compliant. For shame. You need only browse the <a href="http://holisticinfosec.org/content/category/6/23/45/" target="_blank">Holisticinfosec.org Advisories</a> page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the <a href="http://secunia.com/advisories/search/?search=shopping+cart" target="_blank">problem</a>.<br />ecommerce<>security<br />ecommerce<><a href="http://msdn.microsoft.com/en-us/library/ms995349.aspx" target="_blank">SDL</a><br />ecommerce<>PCI<br />website security seal<>security<br />Sigh.]]></content:encoded>
      <pubDate>Fri, 26 Sep 2008 11:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ecommerce">ecommerce</category>
      <category domain="http://securityratty.com/tag/multiple ecommerce platforms">multiple ecommerce platforms</category>
      <category domain="http://securityratty.com/tag/ecommerce sdl">ecommerce sdl</category>
      <category domain="http://securityratty.com/tag/ecommerce perspective">ecommerce perspective</category>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/pci dss">pci dss</category>
      <category domain="http://securityratty.com/tag/cart solutions">cart solutions</category>
      <category domain="http://securityratty.com/tag/cart">cart</category>
      <category domain="http://securityratty.com/tag/ecommerce security">ecommerce security</category>
      <source url="http://holisticinfosec.blogspot.com/2008/09/hype-alert-internet-shopping-carts-are.html">Hype Alert: Internet Shopping Carts Are Secure</source>
    </item>
    <item>
      <title><![CDATA[Privacy Policies: Perception vs. Reality]]></title>
      <link>http://securityratty.com/article/c6ab13c8f9798b25208b85a3756682eb</link>
      <guid>http://securityratty.com/article/c6ab13c8f9798b25208b85a3756682eb</guid>
      <description><![CDATA[New paper: &quot;What Californians Understand About Privacy Online,&quot; by Chris Jay Hoofnagle and Jennifer King. From the abstract : A gulf exists between California consumers' understanding of online rules...]]></description>
      <content:encoded><![CDATA[<p>New paper: "What Californians Understand About Privacy Online," by Chris Jay Hoofnagle and Jennifer King. From the <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1262130">abstract</a>:</p>

<blockquote>A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data.

<p>These findings show that California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards. Website operators have little incentive to correct this misperception, thus limiting the ability of the market to produce outcomes consistent with consumers' expectations. Drawing upon earlier work, we conclude that because the term "privacy policy" has taken on a specific meaning in the minds of consumers, its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations.</p></blockquote>]]></content:encoded>
      <pubDate>Thu, 04 Sep 2008 09:15:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/california consumers overvalue">california consumers overvalue</category>
      <category domain="http://securityratty.com/tag/consumers">consumers</category>
      <category domain="http://securityratty.com/tag/california consumers">california consumers</category>
      <category domain="http://securityratty.com/tag/privacy policy">privacy policy</category>
      <category domain="http://securityratty.com/tag/consumers interpret">consumers interpret</category>
      <category domain="http://securityratty.com/tag/website">website</category>
      <category domain="http://securityratty.com/tag/privacy policies">privacy policies</category>
      <category domain="http://securityratty.com/tag/website operators">website operators</category>
      <category domain="http://securityratty.com/tag/delete personal information">delete personal information</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/privacy_policie.html">Privacy Policies: Perception vs. Reality</source>
    </item>
    <item>
      <title><![CDATA[Interview with Paul Cannon, Mozy Software Engineer]]></title>
      <link>http://securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</link>
      <guid>http://securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</guid>
      <description><![CDATA[Mozy Awesome Process
Sometimes people come up to me and say, Paul, how is it that Mozy has created such an unrelenting output of Awesome
Today I have been authorized to share with you some of the...]]></description>
      <content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-weight: bold;">Mozy Awesome Process</span></span><br />
Sometimes people come up to me and say, &#8220;Paul, how is it that Mozy has created such an unrelenting output of Awesome?&#8221;</p>
<p>Today I have been authorized to share with you some of the unique facets of the Mozy Awesome Process that until now have been tightly controlled trade secrets of Mozy, Inc. It all starts with giant robots (virtually perpetual sources of raw Awesome). We attach them to special Awesome Siphons of our own design and pipe the yield directly into our engineers&#8217; development workstations. Further, peripheral Awesome needs are farmed from old He-Man reruns, a roomful of ninjas wailing on electric guitars, and our captive Happy Fun Ball.</p>
<p>The crude Awesome is skillfully transformed by Mozy engineers into powerful software and hardware configurations, then carefully inspected and regulated according to a host of eldritch acronyms: SWAGs, PMQs, PRDs, and the ever-inspiring CFRRCs. Once a successful creation is stamped with the Seal of Acronymic Approval for Mozy (SAAM), it is subjected to final endorsement by the mystical, revered Mozy Leprecorn*. Finally, a highly trained team of Box Monks put the new Awesomery into place in the Mozy systems, where it becomes available to you, the user.</p>
<p>Our rigorous Awesome Enforcement Policies and Magical Oversight have brought us to what we believe is the most Awesome-efficient development process in the world of backup software.</p>
<p>Be safe,<br />
Paul Cannon<br />
Mozy Software Engineer</p>
<p>*Leprecorn (noun): a rare but phenomenal creature; half Unicorn, half Leprechaun, and all magical.</p>
<p><a title="Mozy" href="http://www.mozy.com/?ref=3f9a896b&amp;kbid=38419&amp;m=4&amp;i=77" target="_blank">Visit Mozy now for a great reliable online backup service, I use it myself.</a></p>
<p><span style="font-size: small;"><span style="font-weight: bold;">Vote for Mozy</span></span><br />
Lifehacker is currently holding an online backup showdown. Show your love for Mozy. <a title="Vote for Mozy on Lifehacker.com" href="http://click.news.mozy.com/?ju=fe3415747265057c761075&amp;ls=fdf011757767027476137173&amp;m=fef012747c6103&amp;l=fe881576736c01787d&amp;s=fe601679776d007d7014&amp;jb=ffcf14&amp;t=">Vote now</a>.</p>
]]></content:encoded>
      <pubDate>Wed, 16 Jul 2008 11:00:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mozy">mozy</category>
      <category domain="http://securityratty.com/tag/mozy systems">mozy systems</category>
      <category domain="http://securityratty.com/tag/visit mozy">visit mozy</category>
      <category domain="http://securityratty.com/tag/mozy awesome process">mozy awesome process</category>
      <category domain="http://securityratty.com/tag/mozy software engineer">mozy software engineer</category>
      <category domain="http://securityratty.com/tag/awesome">awesome</category>
      <category domain="http://securityratty.com/tag/special awesome siphons">special awesome siphons</category>
      <category domain="http://securityratty.com/tag/mozy leprecorn">mozy leprecorn</category>
      <category domain="http://securityratty.com/tag/raw awesome">raw awesome</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=504">Interview with Paul Cannon, Mozy Software Engineer</source>
    </item>
    <item>
      <title><![CDATA[PC Universe is shrinking thanks to McAfee Secure's cluelessness]]></title>
      <link>http://securityratty.com/article/9d21b4916ac492044bfde2858ae4d650</link>
      <guid>http://securityratty.com/article/9d21b4916ac492044bfde2858ae4d650</guid>
      <description><![CDATA[My web app sec friends know exactly how to push my red buttons. &quot;Heh-heh, send it to Russ, he'll go off.&quot; Yep. ;-) Thanks, Rafal . Now I'm all spun up. I was sent two moronic gems this morning; one on...]]></description>
      <content:encoded><![CDATA[My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, <a href="http://preachsecurity.blogspot.com/">Rafal</a>. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the <a href="http://www.internetretailer.com/dailyNews.asp?id=24742">109%</a> sales increase it resulted in for <a href="http://pcuniverse.com/">PC Universe</a>, the other an interview with the Internet's single biggest dillweed, <a href="http://www.websharedesign.com/on-the-spot-with-webshare-hackersafe-sr-director-of-business-development-cresta-pillsbury.html">Cresta Pillsbury</a>. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers. <br />
An example:<br />
<span style="font-style:italic;">"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."</span><br />
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the <a href="http://holisticinfosec.blogspot.com/2008/05/saas-snake-oil-top-ten-with-video.html">snake oil salesmen</a> hoped they would and are now complicit in their failures. <br />
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds, but this one deserves direct abuse.<br />
<span style="font-style:italic;">"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at PCUniverse.com, is No. 360 in the Internet Retailer Top 500 Guide."</span><br />
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable <span style="font-weight:bold;">security</span> benefit. <br />
How about absolutely nothing.<br />
Here's PC Universe's very current, verified McAfee Hacker Safe <a href="https://www.mcafeesecure.com/RatingVerify?ref=www.pcuniverse.com">cert</a>.<br />
Now, here are a few ridiculous examples of reality from <span style="font-style:italic;">this</span> universe as opposed to the McAfee-twisted alternate universe. Please note the "accountid" variable, and the fact that the marquee is rendered no less than eight times.<br />
1) <a href="http://pcuniverse.resultspage.com/search.php?w=test&accountid=%22%3E%3Cmarquee%3E%3Ch%31%3EThis_site_is_NOT_McAfee_Secure%3C%2Fh%31%3E%3C%2Fmarquee%3E&p=Q&ts=custom&available=available%3Ainstock&image1.x=0&image1.y=0&image1=Submit+search">Marquee</a>  <br />
2) <a href="http://pcuniverse.resultspage.com/search.php?w=test&accountid=%22%3E%3Cscript%20src%3Dhttp%3A//holisticinfosec.org/js/pleasefixme.js%3E%3C/script%3E&p=Q&ts=custom&available=available%3Ainstock&image1.x=0&image1.y=0&image1=Submit+search">XSS Deface</a> <br />
3) <a href="http://pcuniverse.resultspage.com/search.php?w=test&accountid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E&p=Q&ts=custom&available=available%3Ainstock&image1.x=0&image1.y=0&image1=Submit+search">Cookie</a><br />
If you'd rather just see a video of these vulns, it's <a href="http://holisticinfosec.org/video/pcuniverse/pcuniverse.html">here</a>.<br />
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.<br />
McAfee Secure, once more, you are simply fraudulent to the core.<br />
]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 06:11:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/internet retailer piece">internet retailer piece</category>
      <category domain="http://securityratty.com/tag/internet retailer">internet retailer</category>
      <category domain="http://securityratty.com/tag/secure">secure</category>
      <category domain="http://securityratty.com/tag/mcafee secure">mcafee secure</category>
      <category domain="http://securityratty.com/tag/universe">universe</category>
      <category domain="http://securityratty.com/tag/internet retailer top">internet retailer top</category>
      <category domain="http://securityratty.com/tag/hacker safe seal">hacker safe seal</category>
      <category domain="http://securityratty.com/tag/hacker safe">hacker safe</category>
      <category domain="http://securityratty.com/tag/hacker safe shoppers">hacker safe shoppers</category>
      <source url="http://holisticinfosec.blogspot.com/2008/06/pc-universe-is-shrinking-thanks-to.html">PC Universe is shrinking thanks to McAfee Secure's cluelessness</source>
    </item>
    <item>
      <title><![CDATA[Online intruder makes off with SwimwearBoutique.com customer data]]></title>
      <link>http://securityratty.com/article/ce68ee3873573126adbe70597b391085</link>
      <guid>http://securityratty.com/article/ce68ee3873573126adbe70597b391085</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/16/08

Organization
Swimwear Boutique (&quot;SWB

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
Unknown

Types of Data
Name,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/swimwear.jpg" align="right" height="69" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/16/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.swimwearboutique.com/">Swimwear Boutique ("SWB")</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Name, address, email address, SWB account password, and credit card information<br><br><span style="font-weight: bold;">Breach Description:</span><br>SwimwearBoutique.com "recently discovered that a person may have illegally gained unauthorized access to your personal information stored in your SWB account.&nbsp; We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.&nbsp; The information accessed varied, but could have included your name, address, email address, SWB account password, and credit card account number"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/swimwear.pdf">New Hampshire State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>I am writing to you on behalf of my client SwimwearBoutique.com ("SWB") because it determined on March 28, 2008 that it was the victim of an illegal intrusion into its systems.<br><br>Criminals unlawfully obtained access to certain databases containing various information, which could have included names, addresses, and credit card information of approximately 37 residents of New Hampshire, who were SWB 
customers.<br><span style="font-style: italic;">[Evan] 37 residents in New Hampshire alone.&nbsp; I assume that the number nation/worldwide would be much higher.</span><br><br>We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.<br><br>These criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.<br><span style="font-style: italic;">[Evan] Could this be the purpose behind the SWB note on their Sign In page?</span><br><br><img src="http://images.quickblogcast.com/95781-88451/swimwear2.jpg" border="0" width="497"><br><br>We reported this crime to the Dallas office of the United States Secret Service, and are assisting with the investigation.<br><br>We hope that the criminals responsible will be apprehended and prosecuted to the fullest extent of the law.<br><span style="font-style: italic;">[Evan] Geez.&nbsp; I think we all hope for this, but the reality is that online intruders are rarely caught and prosecuted.</span><br><br>SWB also worked with its existing Internet security provider, McAfee, to determine how these criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.<br><br>We are monitoring the site for further attempts to break into the site and we continue to work with McAfee to maintain the security of the site.<br><span style="font-style: italic;">[Evan] Although I don't see the "Hacker Safe" seal anywhere on the site today, this is the McAfee service that SwimwearBoutique.com uses.&nbsp; In January, 2008 we reported the Geeks.com (also a Hacker Safe customer) </span><a style="font-style: italic;" href="http://breachblog.com/2008/01/07/geeks.aspx">breach</a><span style="font-style: italic;">.</span><br><br>We already have notified our merchant bank and are cooperating with it to provide a list of the affected individuals to it.<br><br>Notification letters will be sent out on April 23, 
2008.<br><br>Affected customers also can contact us for more information at 1-866-SWIMWEAR.<br><br>In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network.<br><span style="font-style: italic;">[Evan] This statement is included in the letter to the New Hampshire State Attorney General.&nbsp; I did NOT see any reference to this in the letter that went to affected customers.&nbsp; Huh.</span><br><br>We are committed to helping our customers affected by these criminal acts.<br><br>We deeply regret that a valued customer like you may have been affected by the criminals.<br><br><span style="font-weight: bold;">Commentary:</span><br>People like simple solutions and quick fixes which often seem to lead to shortcuts and a false sense of security.&nbsp; Does a "Hacker Safe" seal or PCI compliance mean that your credit card information will be safe?&nbsp; No, it certainly doesn't.&nbsp; Understand these for what they are, a baseline level of security that only meets a certain number of requirements.&nbsp; There is a heckuva lot more to information security.&nbsp; Don't get me wrong, I think that requirements and baselines are important, but they are not more than a cog in a complex machine.<br><br>A tip for online consumers:<br>Check out <a href="http://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/account/VDCFrequentlyAskedQuestions-outside">PayPal's Virtual Debit Card</a>.&nbsp; "PayPal Virtual Debit Card generates a virtual card number each time you make a transaction online so you don't have to use your personal debit or credit card number."&nbsp; A one time credit card number.&nbsp; If your card number is compromised, it only affects the one transaction.&nbsp; Fraudsters are unable to rack up additional charges. Cool.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>None</font><br><br>
]]></content:encoded>
      <pubDate>Sat, 26 Apr 2008 20:22:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/credit card account">credit card account</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <category domain="http://securityratty.com/tag/time credit card">time credit card</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/credit card information">credit card information</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/swb customers">swb customers</category>
      <source url="http://breachblog.com/2008/04/27/swimwear.aspx">Online intruder makes off with SwimwearBoutique.com customer data</source>
    </item>
    <item>
      <title><![CDATA[Personal information of 103,000 doctors from 11 states posted to web site]]></title>
      <link>http://securityratty.com/article/c39a492ceda48e204ec0a4cb7f58700e</link>
      <guid>http://securityratty.com/article/c39a492ceda48e204ec0a4cb7f58700e</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/27/08

Organization
Health Net, Inc

Contractor/Consultant/Branch
Health Net Federal Services

Victims
Doctors in eleven states

The states involved...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/hn.jpg" align="right" height="56" width="198">
<font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/27/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="https://www.healthnet.com/portal/member/home.do">Health Net, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="https://www.hnfs.net/common/home/">Health Net Federal Services</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Doctors in eleven states*<br><br><font size="1">*The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.</font><br><br><span style="font-weight: bold;">Number Affected:</span><br>103,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, Social Security numbers, work addresses, and national insurance identification numbers.<br><br><span style="font-weight: bold;">Breach Description:</span><br>Health Net Federal Services inadvertently posted sensitive personal information to a publicly accessible web server.&nbsp; The breach affects as many as 103,000 doctors from eleven states.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.weau.com/news/headlines/16061387.html">WEAU Channel 13 News</a> <br><a href="http://www.wdtn.com/Global/story.asp?S=7944162">WDTN Channel 2 News</a> <br><a href="http://www.radioiowa.com/gestalt/go.cfm?objectid=66210F30-C6BB-1F10-839844AFE4B66F7B">Radio Iowa news story</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>WEAU Channel 13 News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Health Net Federal Services representatives told us Wednesday night the company notified 103-thousand doctors in eleven states that their personal information was openly posted on a company website.<br><span style="font-style: italic;">[Evan] I assume that this was a publicly accessible web site, but this isn't 
clear.</span><br><br>The company is a government contractor that deals with health insurance for military families and veterans.<br><br>The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.<br><br>Director of Communications, Molly Tuttle, says the information was accidentally posted to the website for about two months, and involved doctors who had filed a claim with the company between September of 2005 and September of 2006.<br><span style="font-style: italic;">[Evan] I wonder how it was detected.&nbsp; Two months is plenty of time for search bots to index the site if it was publicly accessible.</span><br style="font-style: italic;"><br>The mistake was attributed to human error and software problems.<br><span style="font-style: italic;">[Evan] Both?</span><br><br>Health Net Federal Services is now paying for a year's worth of credit monitoring for the doctors involved, and is not aware of any circumstances where the personal information of any doctor has been obtained or used illegally.<br><span style="font-style: italic;">[Evan] Monitoring for one year, Social Security number for life.</span><br><br>"Protecting the privacy of our providers’ personal information is a critical priority at Health Net Federal Services. 
Unfortunately, in late December 2007, we were notified of potential vulnerability for us that provider data was accessible through our Web site that included social security numbers of a limited group of network and non-network providers.<br><br>Since that time, Health Net has sealed this data gap, notified the providers whose data was potentially accessible, and reported the incident to our customer.<br><span style="font-style: italic;">[Evan] What "data gap"?&nbsp; They didn't "seal" the employee that made the mistake, did they?</span><br><br>In an abundance of caution, Health Net hired outside IT security experts to test our security measures and found them sound.<br><br>We regret any alarm this may have caused.<br><br>Some doctors have complained in emails obtained by NewsCenter 13 that credit monitoring for a year isn't enough.<br><br><span style="font-weight: bold;">Commentary:</span><br>In the WEAU article, the Medical Director for the Western Division of Marshfield Clinic, Dr. Greg Burnett, mentions how the clinic is pushing for the use of national insurance numbers (NPIs) instead of Social Security numbers and other personal information.&nbsp; This is a great idea!&nbsp; Today, doctors are required to give their personal information to insurance companies.<br><br>Also, Burnett now says that in light of the recent online mistake, Marshfield Clinic is trying to decide if ending the business relationship with Health Net Federal Services would better protect its doctors in the future.<br><br>According to the report there were two causes of this breach, "human error and software problems".&nbsp; It's hard to believe that it was both at the same time.&nbsp; Humans will always be humans, and we will always make mistakes.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>January, 2008 - <a href="http://breachblog.com/2008/01/05/hn.aspx">5,000 Health Net employees affected by stolen laptop</a></font><br>
]]></content:encoded>
      <pubDate>Mon, 03 Mar 2008 06:19:48 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/providers personal information">providers personal information</category>
      <category domain="http://securityratty.com/tag/doctors">doctors</category>
      <category domain="http://securityratty.com/tag/health net">health net</category>
      <category domain="http://securityratty.com/tag/health net employees">health net employees</category>
      <category domain="http://securityratty.com/tag/103-thousand doctors">103-thousand doctors</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <source url="http://breachblog.com/2008/03/03/hn.aspx">Personal information of 103,000 doctors from 11 states posted to web site</source>
    </item>
    <item>
      <title><![CDATA[Using EV Certificates OverStock.com Sees Less Shopping Cart Abandonment]]></title>
      <link>http://securityratty.com/article/88edf740c950a18ec4fb68d5b0442e88</link>
      <guid>http://securityratty.com/article/88edf740c950a18ec4fb68d5b0442e88</guid>
      <description><![CDATA[Source: Verisign) Overstock.com deployed the VeriSign Secured Seal and VeriSign Extended Validation SSL Certificates to further enhance customers' confidence when transacting on its Web site. As a...]]></description>
      <content:encoded><![CDATA[<b>(Source: Verisign)</b>  Overstock.com deployed the VeriSign Secured Seal and VeriSign&reg; Extended Validation SSL Certificates to further enhance customers' confidence when transacting on its Web site. As a result of the enhancement, site visitors with browsers that support the new certificate now abandon their shopping cart 8.6% less than other site visitors.
]]></content:encoded>
      <pubDate>Thu, 14 Feb 2008 11:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/site visitors">site visitors</category>
      <category domain="http://securityratty.com/tag/verisign">verisign</category>
      <category domain="http://securityratty.com/tag/overstock">overstock</category>
      <category domain="http://securityratty.com/tag/web site">web site</category>
      <category domain="http://securityratty.com/tag/enhance customers">enhance customers</category>
      <category domain="http://securityratty.com/tag/validation ssl">validation ssl</category>
      <category domain="http://securityratty.com/tag/cart">cart</category>
      <category domain="http://securityratty.com/tag/support">support</category>
      <category domain="http://securityratty.com/tag/seal">seal</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/227441000/whitepapers.do">Using EV Certificates OverStock.com Sees Less Shopping Cart Abandonment</source>
    </item>
    <item>
      <title><![CDATA['Hacker Safe' seal: Web site shield, or target?]]></title>
      <link>http://securityratty.com/article/306d0f47ef1d47d2150011e4b2d6cbf9</link>
      <guid>http://securityratty.com/article/306d0f47ef1d47d2150011e4b2d6cbf9</guid>
      <description><![CDATA[More than 80,000 Web sites worldwide display a small green logo that proclaims them to be &quot;Hacker Safe.&quot; The logo is provided to them by ScanAlert, a vendor that scans the sites of its clients daily...]]></description>
      <content:encoded><![CDATA[More than 80,000 Web sites worldwide display a small green logo that proclaims them to be "Hacker Safe." The logo is provided to them by ScanAlert, a vendor that scans the sites of its clients daily in search of security vulnerabilities.]]></content:encoded>
      <pubDate>Mon, 21 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hacker safe">hacker safe</category>
      <category domain="http://securityratty.com/tag/logo">logo</category>
      <category domain="http://securityratty.com/tag/security vulnerabilities">security vulnerabilities</category>
      <category domain="http://securityratty.com/tag/clients daily">clients daily</category>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/scanalert">scanalert</category>
      <category domain="http://securityratty.com/tag/scans">scans</category>
      <category domain="http://securityratty.com/tag/proclaims">proclaims</category>
      <category domain="http://securityratty.com/tag/vendor">vendor</category>
      <source url="http://www.networkworld.com/news/2008/012208-hacker-safe-seal-web-site.html?fsrc=rss-security">'Hacker Safe' seal: Web site shield, or target?</source>
    </item>
    <item>
      <title><![CDATA[PCI certification on Websites]]></title>
      <link>http://securityratty.com/article/8dc644b095af374b45616dec3bf68230</link>
      <guid>http://securityratty.com/article/8dc644b095af374b45616dec3bf68230</guid>
      <description><![CDATA[A reader recently asked me about obtaining a seal of compliance for websites that have passed a PCI audit. This is an interesting topic, because many merchants have expressed interest in this....]]></description>
      <content:encoded><![CDATA[A reader recently asked me about obtaining a seal of compliance for websites that have passed a PCI audit. This is an interesting topic, because many merchants have expressed interest in this. Currently, there is no official seal or website logo for merchants that are PCI DSS compliant. However, there are a number of popular seals that web merchants may use to represent good security practices. These include:...]]></content:encoded>
      <pubDate>Thu, 04 Oct 2007 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web merchants">web merchants</category>
      <category domain="http://securityratty.com/tag/merchants">merchants</category>
      <category domain="http://securityratty.com/tag/seal">seal</category>
      <category domain="http://securityratty.com/tag/official seal">official seal</category>
      <category domain="http://securityratty.com/tag/pci dss compliant">pci dss compliant</category>
      <category domain="http://securityratty.com/tag/popular seals">popular seals</category>
      <category domain="http://securityratty.com/tag/website logo">website logo</category>
      <category domain="http://securityratty.com/tag/pci audit">pci audit</category>
      <category domain="http://securityratty.com/tag/websites">websites</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1231">PCI certification on Websites</source>
    </item>
  </channel>
</rss>
