Jeremiah Grossman: Which mountain would you rather climb?


Jeremiah Grossman discusses web application vulnerability scanning strategy.

Some Web application vulnerability scanners, dynamic and static analysis alike, are designed for comprehensiveness over accuracy. For others, the exact opposite is true. The tradeoff is that as the number of “checks” a scanner attempts increases, the number of findings, false positives, scan times, site impact, and required man-hour investment all grow exponentially. To allow users to choose their preferred spot between those two points, comprehensiveness and accuracy, most scanners offer a configuration dial typically referred to as a “policy.” Policies essentially ask, “What do you want to check for?” Whichever direction the comprehensiveness dial is turned will have a profound effect on the workload required to analyze the results. Only this subject isn’t discussed much.

In other words, you can dial down the vulnerability scanner to achieve regulatory compliance or dial it up and put them in the hands of a skilled web application security analyst to mitigate the risks of web application exploits.

Nart Villeneuve — RX-promotion: A Pharma Shop


More than 65% of spam consists of “pharmaceutical spam” sent through a variety of well-known spam botnets such as Rustock and Cutwail. These spam messages use multiple shop brands and sell a variety of drugs, especially Viagra. These pills, sometimes fake pills, are shipped to buyers from pharma manufacturers, often in India or China.

Nart discusses in detail the pharmaceutical spam affiliate network process which is about as sophisticated as Amazon’s.

Financial Cryptography: Ernst & Young called to account — should Audit firms be investigated for their role in the crisis?


How is it possible that not a single audit firm rang the alarm on any of the financial services clients they were auditing leading up to the financial meltdown of 2008?

Andrew Cuomo, Attorney General for the State of New York, has sued Ernst & Young for its role as Lehman Bros’ auditor.

For me, the big question remains: if we can’t expect an audit firm to pick up any signs of trouble, what can we expect of them? Perhaps we could save our money and do our due diligence another way?

The Only Trust Models You’ll Ever Need « The New School of Information Security


What is this “trust” meme all about? Easy – it’s the other side of the risk coin. “Yet another hypothetical construct.”

IF YOU USE QUALITATIVE RISK STATEMENTS

Trust = Opposite of Risk

So “Low Risk” becomes “High Trust”.

IF YOU USE RISK SCORING WITHOUT MEASUREMENT SCALES

Trust = 1/Risk

So the larger the risk score, the smaller the trust score.


Stuxnet’s Finnish-Chinese Connection – The Firewall – the world of security – Forbes


While we may never know for sure the originator of Stuxnet, Jeffrey Carr presents a credible, if circumstantial, alternative originator to the common assumption of Israel or the United States – the People’s Republic of China (PRC) – for the following reasons:

  • Vacon’s frequency converters are manufactured in Suzhou China.
  • In March, 2009, Chinese Customs arrested two Vacon employees.
  • The genuine digital certificates used by Stuxnet were stolen from RealTek Semiconductor, a Taiwanese company with a subsidiary in Suzhou, China.
  • China has direct access to Windows source code.

The article also discusses what China’s motives might be. You definitely want to read the whole article as well as Carr’s whitepaper.

Network Security Blog » Customer information stolen


Three database/email server compromises were revealed over the weekend.  A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner.  None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.

So what is the value to the hackers? Martin sums it up nicely:

The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the potential for phishing and other scams. The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites. From there, they can move on to lower impact, less obvious attacks, but that’s how I’d start. The potential of a user trusting an email warning them of danger is quite a bit higher than the other emails.

PS: Walgreen’s customer email list was compromised. Again, no big deal, just email addresses. But as Martin said above, a valid list of email addresses is a great starting point for phishing scams.

Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes.


Last week, the FTC issued a report recommending Congress implement Do-Not-Track legislation to help protect consumer privacy. This week, Microsoft detailed “Do-Not-Track” options in the upcoming Internet Explorer 9. Coincidence? Doubtful.

No way Microsoft slammed out the code from scratch in a few short days because the FTC made some recommendation. The IE team clearly saw ad blocking as a good idea despite what they told us before and had ad blocking, errr I mean Tracking Protection, ready to go. Only they might not have had the juice to include it because of the aforementioned road blocks.

Will Mozilla make AdBlock Plus a standard feature of Firefox? AdBlock Plus is the top download in the Privacy & Security category with over 100 million downloads. It has over 8 million daily active users and a 5 star rating with over 2,000 reviews.

Will Mozilla try to match or exceed Microsoft? How will Google react?

Are we going to see a major shift in Internet advertising so it’s more akin to email marketing?

I think we’re witnessing the beginning of a whole new chapter in the ongoing browser war. Now we must ask, when and if Mozilla is going to add the functionality of their #1 extension natively into their browser? How can they now not do so? Can Firefox’s market-share position afford Internet Explorer to be more advanced in privacy protection features? We’ll have to wait and see what they say or do. I’m hopeful they’ll come around as Microsoft did. Even more interesting will be how Google reacts. AdBlock is their most popular add-on as well. The bottom line is these are very good signs for everyone on the Web.

Network Security Blog » Connected systems: The NTP server is connected to the SQL DB


Scoping is one of the most subjective parts of doing a PCI assessment.  What I consider to be a ‘connected system’ and what someone else considers to be the same can sometimes be substantially different.

Martin McKeay points out that not only is PCI scope subjective, but it’s also changing. Martin expects major changes from the Scoping Special Interest Group early next year.

From the Concrete To The Hypervisor: Compliance and IaaS/PaaS Cloud – A Shared Responsibility | Rational Survivability


Security, and therefore Compliance, in the cloud is a shared responsibility. In other words, no IaaS or PaaS cloud vendor can provide complete compliance since the cloud providers’ responsibilities end at the hypervisor. You, the application provider, are responsible for securing the VM and the applications/data therein.

In the case of an IaaS cloud provider who may achieve compliance from the “concrete to the hypervisor,” (let’s use PCI again,) the customer in turn must have the contents of the virtual machine (OS, Applications, operations, controls, etc.) independently assessed and meet PCI compliance in order that the entire stack of in-scope elements can be described as compliant.

Thus security — and more specifically compliance — in IaaS (and PaaS) is a shared responsibility.

Kevin Beaver’s Security Blog: Unbelievable #s in the new Billion Dollar Lost Laptop Study


The Intel-commissioned Ponemon Institute report says that one in ten laptops is lost or stolen during the typical three-year life cycle. The billion dollar number comes from the estimated $49,000 cost associated with each lost laptop incident. While you may disagree with that number, it’s surely higher than simply the cost of the laptop itself.

According to the study only 30% of laptops are encrypted!!

From the InfoWorld article, Corporate America’s lost laptop epidemic:

One way Intel works to ameliorate the problem internally is by letting its workers put their personal information on the computers. People are less cavalier about the security of their laptops when they have their own data on them, said Malcolm Harkins, Intel’s chief information security officer.