<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: transparently]]></title>
    <link>http://securityratty.com/tag/transparently</link>
    <description></description>
    <pubDate>Wed, 04 Jun 2008 06:55:17 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[The McAfee Secure Standard: Sort Of]]></title>
      <link>http://securityratty.com/article/93a923291bb66872facd096a29cc894d</link>
      <guid>http://securityratty.com/article/93a923291bb66872facd096a29cc894d</guid>
      <description><![CDATA[I need your help
I am in receipt of the McAfee Secure Standard, drafted to transparently describe the McAfee Secure service, as promised during my meeting with Joe Pierini and Kirk Lawrence of McAfee...]]></description>
      <content:encoded><![CDATA[I need your help.<br />I am in receipt of the McAfee Secure Standard, drafted to transparently describe the McAfee Secure service, as promised during my <a href="http://holisticinfosec.blogspot.com/2008/08/mcirony-unexpected-response-from-mcafee.html" target="_blank">meeting</a> with Joe Pierini and Kirk Lawrence of McAfee some weeks ago. I admit my attitude has soured since last I discussed it here, as the Standard is not yet ready for public release (I last said 2-3 weeks and that was five weeks ago), but bear with me. I can't publish exact quotes from the Standard, as I've promised not to, but let me give you insight on the upside, then the downside.<br /><br />The upside includes all the transparency we'd hoped for. You'll read the McAfee Secure Standard and know exactly where they stand with regard as to what can be expected of the McAfee Secure Service. My discussions with Joe Pierini have been productive and respectful, he means well, and I believe he will try to drive the greater McAfee leadership to officially incorporate suggestions made in this blog. <br />I have even had the pleasure of reading a Researcher/Finder Policy that very succinctly describes what researchers can expect when they submit vulnerabilities found in McAfee Secure sites. That's all good stuff and to be applauded.<br /><br />Now for the downside.<br /><br />The McAfee Secure Standard will draw a clear distinction between "enterprise" customers and all the Ma & Pa websites who have so loved McAfee Secure / ScanAlert Hacker Safe for conversions.<br />The most glaring and painful distinction for me is this. While enterprise customers will have a clearly defined time line in which to remediate script injection vulnerabilities like XSS and open redirects, before losing their McAfee Secure badge, <span style="font-weight:bold;">the Ma & Pa sites will have absolutely no requirement to fix their XSS issues</span>. 
XSS vulnerabilities and the McAfee Secure badge will remain consistent on all those sites that care more about "convincing" their customers that they're secure with a McAfee Secure badge; a badge that, by its own pending standard, will contradict what we know to be truly secure.<br /><br />My views are clear. I have made every effort to convince McAfee that this stance is counterintuitive to good web application security standards. I believe that, in their own way, they are listening. So here's your chance.<br />1) Is transparency enough?<br />2) Is holding only enterprise customers accountable acceptable?<br />3) Should ALL McAfee Secure customers be expected to fix their vulnerabilities, even if on different timelines?<br />4) What else do you want McAfee to hear, in the form of constructive feedback only?<br />I will publish all well written, thoughtful comments here. Let's keep it positive and see if we can help convince McAfee that script injection vulnerabilities and McAfee Secure can't exist in the same physical space. Like matter and anti-matter. ;-)<br />The floor is yours...]]></content:encoded>
      <pubDate>Tue, 07 Oct 2008 19:47:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mcafee">mcafee</category>
      <category domain="http://securityratty.com/tag/mcafee secure customers">mcafee secure customers</category>
      <category domain="http://securityratty.com/tag/sites">sites</category>
      <category domain="http://securityratty.com/tag/mcafee secure sites">mcafee secure sites</category>
      <category domain="http://securityratty.com/tag/mcafee secure standard">mcafee secure standard</category>
      <category domain="http://securityratty.com/tag/mcafee secure service">mcafee secure service</category>
      <category domain="http://securityratty.com/tag/mcafee secure">mcafee secure</category>
      <category domain="http://securityratty.com/tag/loved mcafee secure">loved mcafee secure</category>
      <category domain="http://securityratty.com/tag/convince mcafee">convince mcafee</category>
      <source url="http://holisticinfosec.blogspot.com/2008/10/mcafee-secure-standard-sort-of.html">The McAfee Secure Standard: Sort Of</source>
    </item>
    <item>
      <title><![CDATA[Oracle Database 11g Release 1: Transparent Solutions for Security and Compliance]]></title>
      <link>http://securityratty.com/article/71f5fe6c84a15fb36b79d261127f86f8</link>
      <guid>http://securityratty.com/article/71f5fe6c84a15fb36b79d261127f86f8</guid>
<description><![CDATA[(Source: Oracle) The continued emergence of new regulations worldwide combined with the increasingly sophisticated nature of information theft requires strong data security. Oracle Database 11g Release...]]></description>
      <content:encoded><![CDATA[<b>(Source: Oracle)</b> The continued emergence of new regulations worldwide combined with the increasingly sophisticated nature of information theft requires strong data security. Oracle Database 11g Release 1 provides the industry's most advanced data security capabilities with security solutions that work transparently with existing applications while addressing mandatory requirements found in regulations.
]]></content:encoded>
      <pubDate>Thu, 14 Aug 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/regulations worldwide">regulations worldwide</category>
      <category domain="http://securityratty.com/tag/regulations">regulations</category>
      <category domain="http://securityratty.com/tag/data security capabilities">data security capabilities</category>
      <category domain="http://securityratty.com/tag/oracle">oracle</category>
      <category domain="http://securityratty.com/tag/security solutions">security solutions</category>
      <category domain="http://securityratty.com/tag/mandatory requirements">mandatory requirements</category>
      <category domain="http://securityratty.com/tag/emergence">emergence</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/applications">applications</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/365031130/whitepapers.do">Oracle Database 11g Release 1: Transparent Solutions for Security and Compliance</source>
    </item>
    <item>
      <title><![CDATA[Meet ratproxy, our passive web security assessment tool]]></title>
      <link>http://securityratty.com/article/bc78dd4116c64ea5b3a05fa82e188ff7</link>
      <guid>http://securityratty.com/article/bc78dd4116c64ea5b3a05fa82e188ff7</guid>
      <description><![CDATA[Posted by Michal Zalewski

We're happy to announce that we've just open-sourced ratproxy , a passive web application security assessment tool that we've been using internally at Google. This utility,...]]></description>
      <content:encoded><![CDATA[<span class="byline-author">Posted by Michal Zalewski</span><br /><br />We're happy to announce that we've just open-sourced <a href="http://code.google.com/p/ratproxy">ratproxy</a>, a passive web application security assessment tool that we've been using internally at Google. This utility, developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.  <br /><br />The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more. (A more-detailed discussion of these features and information on securing vulnerable applications is provided <a href="http://code.google.com/p/ratproxy/wiki/RatproxyDoc">here</a>.) Compared with more-traditional active crawlers, or with fully manual request inspection and modification frameworks, this approach offers several significant advantages in terms of minimized overhead; marginalized risk of site disruptions; high coverage of complex, client-driven application states in web 2.0 solutions; and insight into dynamic cross-domain trust models.<br /><br />We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies. 
We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research.<br /><br />To download the proxy, please visit this <a href="http://ratproxy.googlecode.com/files/ratproxy-1.50.tar.gz">page</a>. Also, please keep in mind that the proxy is designed solely to highlight interesting patterns in web applications, and a further analysis by a security professional is often required to interpret the results and their significance for the tested platform.]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 12:49:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information leakage scenarios">information leakage scenarios</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/contemporary web technologies">contemporary web technologies</category>
      <category domain="http://securityratty.com/tag/information security community">information security community</category>
      <category domain="http://securityratty.com/tag/web property">web property</category>
      <category domain="http://securityratty.com/tag/community">community</category>
      <category domain="http://securityratty.com/tag/web applications">web applications</category>
      <source url="http://feeds.feedburner.com/~r/GoogleOnlineSecurityBlog/~3/324447250/meet-ratproxy-our-passive-web-security.html">Meet ratproxy, our passive web security assessment tool</source>
    </item>
    <item>
      <title><![CDATA[UltimateBet cheating goes undetected for almost 21 months]]></title>
      <link>http://securityratty.com/article/ab86750c9ca2ca89b4459be51f0a8dee</link>
      <guid>http://securityratty.com/article/ab86750c9ca2ca89b4459be51f0a8dee</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/29/08

Organization
Tokwiro Enterprises ENRG

"Tokwiro Enterprises Enrg" is a recognized Mohawk owned and controlled, gaming sole proprietorship,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/ultimatebet.jpg" align="right" height="102" width="120"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/29/08 <br><br><span style="font-weight: bold;">Organization: </span><br>Tokwiro Enterprises ENRG*<br><br><font size="1">*"Tokwiro Enterprises Enrg" is a recognized Mohawk owned and controlled, gaming sole proprietorship, presently undergoing a licencing process with the "Kahnawake Gaming Commission" ("KGC"), which was itself established on the 10th day of June, 1996. (Source: <a href="http://www.ultimatebet.com/about-us">www.ultimatebet.com/about-us</a>)</font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.ultimatebet.com/">UltimateBet</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"hole card information during live play" resulting in financial loss<br><br><span style="font-weight: bold;">Breach Description:</span><br>"MONTREAL, CANADA (MAY 29, 2008) --- Tokwiro Enterprises ENRG ("Tokwiro"), proprietors of UltimateBet.com ("UltimateBet"), one of the world's largest online card rooms, today announced the results of its lengthy investigation into allegations of unfair play, which was triggered by concerns about an account named 'NioNio'."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.ultimatebet.com/poker-news/2008/may/NioNio-Findings">UltimateBet Statement</a> (full statement text below)<br><a href="http://www.cjad.com/news/565/729153">CJAD NewsTalk Radio</a> <br><a href="http://www.cardplayer.com/poker-news/article/4279/owner-of-ultimatebet-confirms-security-breach">Card Player</a> <br><a href="http://www.pokerlistings.com/ultimatebet-wraps-investigation-of-unfair-play-27499">PokerListings</a> <br><br><span 
style="font-weight: bold;">Report Credit:</span><br>Tokwiro Enterprises ENRG and Bob Pajich at Card Player<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Tokwiro Enterprises, the company that owns both Absolute Poker and UltimateBet, today released a statement confirming that cheating had gone on at UltimateBet by people who, according to the release, "worked for the previous ownership of UltimateBet prior to the sale of the business to Tokwiro in October 2006."<br><span style="font-style: italic;">[Evan] Shouldn't an information security and risk assessment be conducted as part of the acquisition and integration?&nbsp; If so, then wouldn't a code review of the proprietary software that came with the acquisition be included?&nbsp; This is the proprietary software that really drives the purpose of the site.</span><br><br>The player or players behind the 18 screen names that were identified as being corrupted have not been named.<br><br>Tokwiro will refund players their losses once the investigation is complete.<br><span style="font-style: italic;">[Evan] I wonder how expensive this will be.</span><br><br>The usernames that were used to cheat are: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, and WhoWhereWhen.<br><br>The cheating was able to take place because the perpetrators had access to what Tokwiro is calling an "unauthorized software code" that allowed the cheaters to see their opponents’ holecards.<br><span style="font-style: italic;">[Evan] This "unauthorized software code" use went undetected for almost 21 months!</span><br><br>The cheating took place from March 7, 2006 to Dec. 
3, 2007, and it’s not known how much money the cheater(s) illicitly won.<br><br>The company refused to disclose the amount of fraudulent winnings, but poker observers have said it runs into the millions.<br><br>As soon as the cheating was suspected, Tokwiro said it contacted the Kahnawake Gaming Commission (KGC), the most used online poker regulatory commission, to start the investigation.<br><br>Tokwiro is mandated to contact KGC if any suspicious activity might be taking place.<br><br>This is the second cheating incident to hit the company since it purchased Absolute Poker and UltimateBet.<br><br>The first occurred when it was discovered that several players at Absolute Poker also had access to software that allowed them to see opponents’ holecards.<br><span style="font-style: italic;">[Evan] A link is included below</span><br><br><center>ULTIMATEBET ISSUES STATEMENT REGARDING UNFAIR PLAY</center><br><br><span style="font-weight: bold;">MONTREAL, CANADA (MAY 29, 2008)</span> --- Tokwiro Enterprises ENRG ("Tokwiro"), proprietors of UltimateBet.com ("UltimateBet"), one of the world's largest online card rooms, today announced the results of its lengthy investigation into allegations of unfair play, which was triggered by concerns about an account named 'NioNio'. Tokwiro has worked diligently in cooperation with its regulatory body, the Kahnawake Gaming Commission ("KGC"), and with independent third-party experts to conduct a thorough investigation that included a comprehensive review of hand histories and game data, thorough analyses of software and network security, and audits of its security practices and procedures.<br>&nbsp;<br>The investigation has concluded that certain player accounts did in fact have an unfair advantage, and that these accounts targeted the highest limit games on the site. The individuals responsible were found to have worked for the previous ownership of UltimateBet prior to the sale of the business to Tokwiro in October 2006. 
Tokwiro is taking full responsibility for this situation and will immediately begin refunding UltimateBet customers for any losses that were incurred as a result of unfair play. <br><br>The fraudulent activity was enabled by unauthorized software code that allowed the perpetrators to obtain hole card information during live play. The existence of this vulnerability was unknown to Tokwiro until February 2008 and existed prior to UltimateBet's acquisition by Tokwiro in October 2006. Our investigation has confirmed that the code was part of a legacy auditing system that was manipulated by the perpetrators. Gaming Associates, independent auditors hired by the KGC, have confirmed that the software code that provided the unfair advantage has been permanently removed.<br>&nbsp;<br>Throughout the investigation of this incident, Tokwiro's consistent priorities have been: <br></font><ol><li><font size="2">To permanently remove the ability to engage in unfair play;</font></li><li>To complete its investigation and come to a full understanding of what occurred;</li><li>To refund the affected customers; and</li><li>To implement measures that prevent future incidents. <br></li></ol><font size="2">The Company said, "We would like to thank our customers for their patience, loyalty and support, as well as for their understanding that we are doing everything we can to correct this situation. The staff and management of UltimateBet are fully committed to providing a safe and secure environment for our players, and we want to assure customers of our unwavering resolve to monitor site security with every resource at our disposal." <br><br><span style="font-weight: bold;">Investigation Timeline </span><br>These are the key events in the course of the incident. <br></font><ul><li><font size="2">January 2008: UltimateBet is alerted to suspicions of unfair play on the part of the account "NioNio". 
Within 24 hours, UltimateBet contacts the KGC to provide formal notice that UltimateBet has initiated an investigation of the incident. UltimateBet subsequently forwarded a copy of all related data to the KGC.</font></li><li>January 2008: The "NioNio" account and related accounts are suspended pending further investigation.</li><li>February 2008: Preliminary findings indicate abnormally high winning statistics for the suspect accounts. After discussions with the KGC, UltimateBet engages third-party gaming experts to assist with the analysis.</li><li>February 2008: Investigators confirm that the suspect accounts are associated with individuals who had worked for UltimateBet under the previous ownership.</li><li>February 2008: UltimateBet discovers the unauthorized code that allowed the perpetrators to obtain hole card information during live play. The code was part of a legacy auditing system that was manipulated by the perpetrators of the fraud.</li><li>February 2008: UltimateBet immediately removes the unauthorized code and works with the KGC and with third-party auditors to verify that the security hole has been eliminated.</li><li>March 2008: Six player accounts are confirmed to have participated in this scheme. No accounts were deleted at any point, although some account names were changed multiple times. 
The following account names are known to have been used in the fraudulent activity: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, and WhoWhereWhen.</li><li>May 2008: The investigation confirms that the fraudulent activity took place from March 7, 2006 to December 3, 2007.</li><li>May 2008: Gaming Associates certifies that the software code that enabled unfair play was removed from UltimateBet servers in February of 2008.</li><li>May 2008: Customers affected by this incident are identified, and plans for corrective action are reviewed with the KGC. <br></li></ul><font size="2"><span style="font-weight: bold;">Corrective Actions Taken </span><br>The following actions have been taken or are currently underway as a direct result of this investigation. <br></font><ul><li><font size="2">The security hole identified in UltimateBet's investigation has been permanently eliminated.</font></li><li>UltimateBet is establishing a state-of-the-art software Security Center that consolidates and greatly enhances existing security capabilities. The first release of the new Security Center focuses solely on the immediate detection of abnormal winnings. Gaming mathematicians, poker professionals, and security software developers have all contributed to the specifications for the new Security Center.</li><li>UltimateBet customers are no longer permitted to change account names unless they have suffered abuse in chat rooms. Requests for changes must be supported by proof of abuse and must be approved by the Chief Compliance Officer.</li><li>In addition to its existing security department, UltimateBet has established a new specialized Poker Security team of professionals dedicated to fraud prevention.</li><li>The refund process will begin immediately. 
The accounts associated with fraudulent activity did not use an unfair advantage in all play sessions. Regardless, UltimateBet is refunding all losses to these accounts.</li><li>Accounts related to the fraudulent activity have been disabled, and the individuals associated with those accounts permanently banned from the site.</li><li>UltimateBet has worked closely and transparently with its governing body, the KGC and its designated expert auditors, to determine exactly what happened, how it happened, and who was involved, and has taken action to prevent any possibility of this situation recurring.</li><li>Tokwiro is pursuing its legal options in regard to this incident. <br></li></ul><font size="2">For further inquiries please contact press@ultimatebet.com <br><br><span style="font-weight: bold;">Commentary:</span><br>This is potentially a multi-million dollar loss for Tokwiro Enterprises ENRG and it's very troubling that this breach went undetected for so long. The software used by the site is proprietary and should really be subject to a significant amount of information security scrutiny.<br><br>If I were a player, I think I would be beyond angry.&nbsp; Not just angry about the loss of money, but angry about the loss of confidence and being cheated in general.&nbsp; I personally know people that refuse to play online poker because of the risk posed by poorly secured sites.<br><br>Information security of online gaming sites must be a #1 priority for the companies that run them.&nbsp; Seems obvious, but many statements in the information security business seem obvious.&nbsp; Personally, I like the response from Tokwiro.&nbsp; If they follow through (which I assume they would), Tokwiro's actions should go a long way towards reducing risk and restoring customer confidence.<br><br>Check out the comments at <a href="http://www.cardplayer.com/poker-news/article/4279/owner-of-ultimatebet-confirms-security-breach">Card Player</a> to get some insight into what some 
players are thinking. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Tokwiro Enterprises ENRG/Absolute Poker:<br>October, 2007 - <a href="http://www.msnbc.msn.com/id/21381022/">Online poker cheating blamed on employee</a></font>]]></content:encoded>
      <pubDate>Wed, 04 Jun 2008 06:55:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ultimatebet">ultimatebet</category>
      <category domain="http://securityratty.com/tag/tokwiro enterprises enrg">tokwiro enterprises enrg</category>
      <category domain="http://securityratty.com/tag/tokwiro enterprises">tokwiro enterprises</category>
      <category domain="http://securityratty.com/tag/ultimatebet issues statement">ultimatebet issues statement</category>
      <category domain="http://securityratty.com/tag/ultimatebet prior">ultimatebet prior</category>
      <category domain="http://securityratty.com/tag/ultimatebet subsequently">ultimatebet subsequently</category>
      <category domain="http://securityratty.com/tag/ultimatebet immediately removes">ultimatebet immediately removes</category>
      <category domain="http://securityratty.com/tag/ultimatebet servers">ultimatebet servers</category>
      <category domain="http://securityratty.com/tag/ultimatebet statement">ultimatebet statement</category>
      <source url="http://breachblog.com/2008/06/04/ultimatebet.aspx">UltimateBet cheating goes undetected for almost 21 months</source>
    </item>
  </channel>
</rss>
