Feed on
Posts
Comments

Today I found an interesting blog entry regarding the Nintendo Wii and their model of doing business offering interactions on a completely different level then others have before.

This got me thinking and I had to comment regarding the implications regarding their business model when looking from a security point of view. Just to make sure that you read the piece I just continue the discussion here. 😉

Of course I cannot say that this or that is right, merely observe something that could be the case. But of course there are several other cases where security is used as part of doing business using social networks, word of mouth and other “modern” ways of communicate a message. Advertising is one obvious area that is surrounded with several laws and regulations an still there are obvious breaches, more or less sanctioned by the company, of the laws when a company wants to promote a message. You have most possibly seen then as fun advertising for different consumer products or show the company in a social context that it is not allowed to legally use. (I try to keep away from lawyers so no company is mentioned.)

The interesting stuff is that even if the advertising is always followed by several statements and official reprimands for some this or that manager it is very seldom that someone actually looses his/hers job. The reprimands is often a way to circumvent the laws and the fines connected to it.

So by deliberately breaking the law and blame a low level manager the companies get media attention and the message is out. This is of course not the best way to use security but this is one point when security plays a big part in the business. By breaking the laws or make it possible for others to break the law you instantly create a new way of advertising.

So expect several newspapers to get hacked during the following weeks displaying only a link to my blog. 😉

I had a very interesting and partly agitated discussion with a firewall vendor just recently regarding the future for firewalls when looking at security. From his point of view firewalls was the ultimate in security tools with increasingly better protection every year. Even if I understand his argument my argument was more regarding the needs for interaction with the surrounding environment making the firewalls be more like a punch card then the protection they are meant to be.

From a Jericho perspective the firewall is only part of the sanitation in security. You still need it, if not for your security, then at least for keeping the script kiddies at bay. The determined attacker would not be stopped by the firewalls. Against him/her there is a need for other protection.

So I concluded the discussion that firewalls is a sanitation object as is virus protection and that the future for security lies in a Jericho implementation of security.

Today I had an interesting experience too many have had before me. When I opened my mailbox I had a rather rude mail stating that my web hotel had been hacked. It seemed that I was luckily enough to not have been affected but still as I am not aware of the disaster recovery routines of my web hotel all passwords has to be changed.

This shows one interesting fact when we look at security architecture that I have mentioned before: Trusted computing base. Often you define TCB as the services you trust and do not trust. What is seldom done is handling the explicit and implicit trust that exists. You could for example trust your accounting system to be secure as it is often patched, exists on a safe subnet and are only allowed to be accessed by trusted systems. Still you could miss the application doing the backups that has an auto update function that recently was found to be insecure. Boom! There you go, an open way for a hacker to enter your systems.

So when working with TCB, take all details in account no matter how small. Sometimes it could be like rolling a stone up a hill, but in the end of the day, the stone stays on top of the hill, not on top of you.

I was on vacation in Turkey just recently and just for fun brought all my credit cards with me just to see how the shops respond to cards. I could state that the tourist shops in Turkey are 100 % PCI DSS compliant because they do only accept cash. In every store I was pointed to several “Exchange shops” where I could use my card for fetching money.

And here the fun begins. Several shop owners offered themselves to take my card and fetch the money. I should only give them the pin code. One wanted even to have my CVC code. Same pattern showed itself at the “Exchange shop” where you could not reach the ATM yourself but had to give the clerk your card and pin code and then they went into another room and fetched the money from the ATM. They even had forms where you should fill in card number, pin code and CVC.

I spent a few hours during my vacation and as many as 10% of the customers gladly filled in the complete form and gave it to the clerk along with the card. I took my time and spoke to a police man who was patrolling the streets but on very bad English he explained that it was not an illegal practice and if the tourists wanted to use that kind of service it was there problem.

I took a 10 minute walk to an ATM that was unsupervised, checked for skimming equipment and got my Euros there instead.

In San Francisco a guy has been arrested for manipulating and changing the WAN at his work. Apparently the newly employed security manager noticed that unauthorized changes were made and called in the police who after a few weeks found the guilty person. By the looks of it the city has to replace hardware for 150 000€ just because they cannot login to the systems.

What we have seen here is a very simple failure in operations security that very often happens. Surveillance of systems is seldom made and if logs are collected it is the same personnel who administers the servers that review the reports. Separation of duties, anyone?

When looking at automated datacenters, a few weeks of noticing an error would be disastrous. I have taken part in such projects as a security engineer and one of the most important rules is to have actions taken directly, automatically blocking such attempts and restoring the changes.

Hopefully, San Francisco will recover from this. You should not put all your trust in one person.

The world has changed. Gone are the days when a virus could be fun. Now it is terrorism, bank robbery, fraud and other not so nice incidents happening on the internet. It is business as usual for organized crime. What have started to disturb me just a tiny bit is the attacks on information infrastructure that actually could cost people’s lives. Latest was a article where some hackers had defaced a website for a Russian nuclear plant stating that evacuation was in effect. As far as I know nothing actually happened but what if people actually had started to panic?

I could understand the amusement of hacking a high profile company and deface them just to show that you can. That has been done for ages. What I do not understand is the fun in creating disinformation aimed at scaring the public. If the goal were to be to empty a part of a city and to commit large scale theft is one thing but just scaring the public is just plain stupid. You get more media attention with a fun statement then with a scaring message.

Still it is a valid threat to include in the risk analysis. What happens if the information on the website is wrong? Is there a liability? Are the costs for information the public? Good will costs? And of course, will there be liabilities if society is affected?
Information is power. One who owns the information owns the power. Do you own your information or are you 0wned?

When I am out in the world telling my customers about security I always point out that the threats have changed during the last years. It is not an adolescent trying to hack anymore, it is organized crime trying to steal your money. In a Swedish article today a bank had a break-in not in their online bank on the web but in their automatic phone banking. By brute forcing the pin codes the criminals was able to get access to and move a lot of money from the banks customers to other accounts and then out of the bank.

This is a very clean example of where the security architecture has not been created with all access ways in mind. When looking at the ways to access information you have to make sure that you have equal authentication on all access ways. It is sadly rather common that there are either backdoors or someone just not thinking enough.

In an article today in a Swedish newspaper there was an interesting story about a rather large site that was used to test CVV-codes. Someone was able to make test purchases for small amounts and test the CVV-code. As the CVV code is only three digits it is rather simple to brute force the CVV-code.

Currently this is not handled in PCI DSS but still it is regarded as very good practice to make sure that the card is blocked after three attempts to make a purchase. Allowing infiniate numbers poses a threat for all.

I was recently asked by Andy Mulholland, Capgeminis global CTO, to write a blog entry for the Capgemini CTO blog. Here is a link to it http://www.capgemini.com/ctoblog.

I had a really interesting conversation with a customer a few days ago regarding databases on a web server. Their security department said that no databases was allowed to reside on any web server are and had to be protected behind firewalls. Therefore they had consolidated all databases into a database farm and only allowed access to the web servers that needed databases to function.

Even if I at the first glance approve of such a setup it is always important to look at security from a CIA perspective. In this case availability is severely affected and threatens the whole website.

Introducing sanitation:
It is time to introduce sanitation within security architecture. Even if the wording has been used several times during the last years it is very seldom it has been used in conjunction with security architecture.

SA handles several parts of the architecture. One is handling the security demands that are put on any kind of process or application. This is more or less ordinary architecture work. But due to the large amount of vulnerabilities that exists just due to the fact that you have a server connected to a network it is important to include sanitation within your architecture as well. Another way of phrasing it is security baseline and hardening but that are the engineering terms not commonly used within architecture.

I will collect different frameworks and guides regarding this and try to connect the different engineering frameworks with security architecture all with applying Confidentiality, Integrity and Availability.

« Newer Posts - Older Posts »