Domain: csoonline.com
Stories and comments across the archive that link to csoonline.com.
Comments · 110
-
This was an eye-opener for me
Payment Card Industry Data Security Standards seem kind of weak to me. Here are just some of the issues:
- Independence: PCI DSS auditors are permitted to audit companies where the auditor sold, installed, configured, or has rights to the security software being used. Also, if the auditor disagrees with the client, the client is free to hire a more pliable auditor with no one the wiser.
- Scope: The standards permit the client to limit the scope of the audit to defined systems and their components using defined methods. If the client doesn't want to pay for penetration tests, the auditor doesn't do them.
- Completeness: A typical PCI DSS audit uses the client's system and security documentation as the starting point. The responsibility for gathering other evidence is limited. There is no requirement to do any network scanning (like with NMAP) or to go sniffing for undocumented wireless entry points, so there may be elements of the system not documented and not tested. This sounds like the case discussed here.
- Validation: PCI DSS auditors are not responsible for verifying that the client's controls worked as intended. There is no mandate for penetration testing, war driving, or independent virus scanning.
Even if the auditor had done his job (not really clear from the articles), that to me would not demonstrate that the customer data was safe.
Links:
Congress is not happy, either.
PCI DSS Validation Standards
PCI DSS audit procedures
So much for my lunch break. -
Re:A good start to the discussion
I'm not aware of any flaws in recent memory (except for the ARDAgent flaw mentioned above, which IS a fundamental flaw in all *nix based operating systems) that attacked the basic security infrastructure in the OS. The vast majority of the security fixes I've seen have been related to coding defects.
So let's look at the idea that security vulnerabilities are related to OS popularity... How about you compare the reported vulns in OSX with the reported vulns in Linux? Admittedly reported vulnerabilities are a relatively weak metric, but given that OSX and Linux share security models and a great deal of code, it's likely pretty close to an apples-to-apples model.
Let's go to Jeff Jones' blog (he works for MSFT but he's been reporting his research on vuln counts for a couple of years) and see what we find.
Here's a recent example. In Q1 2008, Red Hat had 13 "High" severity vulns that they patched (he only counts announced vuln fixes, silent patches aren't counted). Ubuntu had 17 "High" vulns that they patched, which is a comparable number.
OSX Leopard patched 28 "High" vulnerabilities in the same time period. OSX Tiger patched 25 "High" vulnerabilities in the first quarter of this year.
Given that OSX is more popular than Linux, it appears that there is a good correlation between the popularity of the OS and the number of fixed vulnerabilities in the OS.
On the other hand, what happens if you include Windows XP and Vista to the mix?
Hmm... Vista has had 9 "High" severity vulnerabilities patched in the first quarter. And Windows XP? 11.
This discrepancy means one of three things:
1) The premise that OS popularity is related to the number of reported vulnerabilities is false or
2) Windows is inherently more secure than OSX or Linux or
3) The premise is true and the low reported vuln count in Windows is because Windows popularity has forced Microsoft developers to learn how to secure their operating system against the hackers but the folks who write software for OSX and Linux haven't yet.
Personally I suspect it's #3.
-
Re:Julie Amero ?
Yep.
The forensic report is linked to on this page and is scathing about the IT staff.
They did the handover and didn't even notice that the antivirus wasn't working and that their SMS update system wasn't working.
It should be policy to hand over computers with a clean image and with updates. -
Re:Not really the point
The local university does a DOD wipe of all hard drives in systems before they sell them as surplus, ensuring no data leaks out in a $30 P3 system.
The local public school district (K-12) can not (by policy) allow a hard drive to get into the hands of anyone outside the school district. When we decommission/recycle a computer we DOD wipe the hard drives, remove them from the system, and then, if we don't need to use the drives as spare parts for other machines, they are sent out to be destroyed.
This is nothing unusual - as the previous poster indicated, this is a good IT practice and ensures that no data leaks out of the organization: http://www.csoonline.com/read/030103/briefing_data.html. -
Do even need hackers? the on-board entertainment..
Do we even need hackers? The on-board entertainment systems on some planes have very poor software on them and there have been stories on Slashdot about how easy it is to crash them.
http://blogs.csoonline.com/node/151
http://it.slashdot.org/article.pl?sid=07/02/20/2231228
http://www.gregladen.com/wordpress/?p=1134 -
Re:Trying to Think This Through...
Just an update--we checked with Grossman, and it turns out he doesn't use IE at all. He uses Firefox as his "promiscuous" browser and obscure old versions of Netscape and Safari as the secondary ones. Story here: http://www2.csoonline.com/blog_view.html?CID=33422.
-
IE security goes up to five .. :)
"they are called "zones"
.. there are 5 but only 4 visible) .."
Why don't you just make four more secure and make four be the top number and make that a little more secure .."
Quote ..
Nigel: ...the numbers all go to eleven. Look...right across the board.
Marty: Ahh...oh, I see....
..
Marty: Why don't you just make ten louder and make ten be the top... number... and make that a little louder?
Nigel: These go to eleven.
-
Re:Microsoft just announced plans for their fix
Yes, because open source has proven it is faster at getting fixes out the door. Oh wait, it hasn't.
http://blogs.csoonline.com/days_of_risk_in_2006 -
Re:Que?
Different it may be, but certainly for the better I'd say, and as my previously supplied link suggested - the "learning curve" has been vastly over-stated. Having upgraded a long time ago, I too found myself hunting for the odd feature here & there, but nothing the help system can't highlight in a matter of seconds and overall a far more intuitive interface. Either way, I'm not alone on this opinion.
And sorry, but personally the whole "M$ Windoze security suck0rz!" thing is frankly so out of date. There was a time when it was true, but not any more.
http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report
Yes I know it's only "reported" bugs, so I'm not about to say Windows is certainly more secure, but I think it's a strong argument for how it's at least equal to that of its OS sibling. -
another victim of China^W commodities prices?
I can't be bothered RTFA, but has anyone linked this to prices for metals? Of course it's probably only worth a few roubles, refined...
The closest correlate in recent news was the theft of a bronze sculpture from Henry Moore's estate in London (in reality, priceless; but worth about five million pounds on the art market, worth a few thousand on the metals market. It's been melted down by now, for a certainty).
Metal road signs, street fittings, even fire engine nozzles are being stolen in the UK and US for the same market. Unless something cools China's demand for raw material to build crap for Western markets, it can be guaranteed that manhole covers, electric wires, train rails, and all other metal objects will not remain unsecured in public places.
Another nail in the coffin of a civilised way of life. Thanks, free market capitalism! -
Re:Don't spread this!
Really. The AC is right; there can be no general solution. See also this article; search for Turing.
The approach you suggest, of "search for X, Y, and Z known bad things and don't allow them" is also a loser. For more on that, see Gödel, Escher, Bach, especially the part about "This record cannot be played on record player X."
-
Re:Microsoft found making PR-FUD-ing research
Read the report. This brief paper analyzes the vulnerability disclosures and fixes for the first 6 months of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with several other modern workstation operating systems including Red Hat, Ubuntu, Novell and Apple products.
The results of the analysis show that, as it did at the 90 day mark, Windows Vista has an improved security vulnerability profile over its predecessor and a significantly better profile relative to comparable modern competitive operating systems. -
This was fairly obvious at the time.
The Jeff Jones reports are complete crap. This was obvious at the time. He pretty much showed himself a fool by claiming that XP had fewer critical bugs than the current Ubuntu, SuSE and RHEL, and thus was more secure. He seems to think that he can compare security based on the number of public and critical bug reports between a company that does not release bug reports to the public and companies that do.
Any observer from a tech background would know that this would turn his results to shit, but he is:
- A Microsoft Employee
- A Blogger
-
Re:They manage it on slashdot as well...
This part has "PR shill" written all over it. No tech would write this.
Yes, nobody submitting to Slashdot would ever write a sarcastic comment implying that Apple users are sheep. Never. Because nobody on Slashdot has strong opinions about Apple.
Dude, you're barking up the wrong tree. The article in question was written by a guy that works at Microsoft, in which Vista came out on top. I'm not saying he's biased, but your theory that an Apple shill submitted the story is a little weak, all things considered. -
Be a Lunix/OSX security guy: always be busy!!
Well obviously, since Vista is far more secure than other operating systems, working MS security must be pretty boring. You basically just make sure the most secure OS on the planet... stays secure.
Bor-ing.
Now the REAL excitement comes from fixing the OS security on Lunix (free as in worthless) or OSX (OitSux!!!). They literally have more bugs than people to fix them: just look at the amount of "disclosed/unfixed" in the chart!!
It's always more fun and excitement fixing stuff that's totally broken. When you do security for Microsoft, you are basically just maintaining what is already the best. Very thankless: when you are #1, the only direction is down. But at least you can have the knowledge that everyone else is at least a decade behind an operating system your company put out in 1995. -
Re:Fine...
And you sir, are no different, just the other side of the coin - a product of some MS bashing Linux shill...
Shill? Almost nothing was said in the way of a Linux promotion. M$ bashing? The obvious facts of the matter were merely being stated; you can Google such things for yourself if you'd like.
As for the article, feel free to read the debunking here.
And you do know that Jeff Jones is an M$ employee right? Shill in deed... -
Re:Fine...
Fantastic sleuthing! Here I was reading the article like a chump:
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
-
Re:Fine...
Good work Inspector Clouseau! If you had bothered to read the article in the summary, you would have noticed this...
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
-
Re:Where is the 12 out of 27 number coming from?
Here is the original report http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report
and the secunia link for Vista : http://secunia.com/product/13223/?task=statistics -
Re:Actual quote?
Then read the actual report: http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf
It sounds bad because the person who posted it to Slashdot, and Slashdot's editors, want it to sound bad. Are you new here or something? -
Re:Copyright law is a farce..
When you go to jail for longer for copyright infringement than for robbery
You don't.
In the U.S. robbery and assault are almost always prosecuted under state [local] law. When the feds do have jurisdiction in such cases, the hammer comes down. Bureau of Prisons - Quick Facts
If your contributions to the P2P nets ends in prosecution it will be for one very simple reason:
You were an arrogant little prick who thought that geek-hood was a lifetime "get out of jail free" card. 50th Conviction Landed in Piracy Crackdown
-
Re:The scourge of broken web sites
Thanks, I got that one, that's the bit with the pictures. What I can't get is page two of http://csoonline.com/read/040107/fea_spam.html the actual article itself. I've even tried in an unmodified IE, no dice.
-
Only One of the Vista Bugs was "Critical"
Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)
In the case of the one bug that was rated critical, the rating was dependent on several mitigating factors, including the user running as full admin with UAC turned off. (Obviously not the default configuration.)
Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.
Considering Vista has been out since November of last year, its security record so far has been extremely impressive. -
Re:I don't see the problem
During the last EclipseCon, Hugh Thompson (of in-flight Tetris crashing fame) showed us a hack in Notepad discovered using fuzz testing. Open up a fresh Notepad and type in the words, "this app can break" (without the quotes). Then save the document to a file, close Notepad, and double-click the file you just saved to bring it back up in Notepad. Everything will appear as squares. Not a major exploit, and definitely not a DoS, but kind of interesting.
Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.
-
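The squares come from an encoding-detection ambiguity: the 18 ASCII bytes of that sentence also form nine valid UTF-16LE code units, all of them CJK ideographs, so a reader that guesses the encoding from content rather than from a byte-order mark can pick the wrong reading. The following is an added illustration written for this page (not the poster's code, and not Microsoft's actual Notepad or IsTextUnicode logic; the plausibility heuristic is a deliberately simplified stand-in). It decodes the bytes both ways, shows why a "does every code unit look like a real character?" test passes for this string but not for similar text of a different shape, and contrasts that with the safer policy of only switching encodings on an explicit BOM.

```python
import unicodedata

# The string quoted in the comment, as the bytes a plain ASCII save produces.
TEXT = "this app can break"
RAW = TEXT.encode("ascii")          # 18 bytes: even length, so UTF-16 is possible


def utf16le_code_units(data: bytes) -> list[int]:
    """Pair bytes little-endian, as a UTF-16LE reader would."""
    if len(data) % 2:
        raise ValueError("odd byte count cannot be UTF-16")
    return [data[i] | (data[i + 1] << 8) for i in range(0, len(data), 2)]


def plausible_utf16le(data: bytes) -> bool:
    """Simplified stand-in heuristic (an assumption for this example, not the
    real Notepad/IsTextUnicode logic): accept the bytes as UTF-16LE when every
    code unit is an assigned, non-control, non-surrogate, non-private character.
    Pairs of lowercase ASCII letters land in the CJK ideograph range, so ASCII
    prose whose words happen to line up on even boundaries passes."""
    if not data or len(data) % 2:
        return False
    for cu in utf16le_code_units(data):
        if unicodedata.category(chr(cu)) in ("Cn", "Cc", "Cs", "Co"):
            return False
    return True


def describe(data: bytes) -> dict:
    """Both readings of the same bytes plus what the heuristic concludes."""
    as_utf16 = data.decode("utf-16-le", errors="replace")
    return {
        "bytes": len(data),
        "ascii": data.decode("ascii", errors="replace"),
        "utf16le": as_utf16,
        "utf16le_chars": len(as_utf16),
        "all_cjk": all(0x4E00 <= ord(c) <= 0x9FFF for c in as_utf16),
        "heuristic_says_utf16": plausible_utf16le(data),
    }


def decode_declared(data: bytes, default: str = "ascii") -> str:
    """Safer policy: switch to UTF-16 only on an explicit byte-order mark,
    otherwise use the declared default instead of guessing from content."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode(default, errors="replace")


if __name__ == "__main__":
    # "this is a test" fails: the pair "s " becomes U+2073, which is unassigned.
    for sample in (RAW, b"this is a test", b"odd"):
        info = describe(sample)
        print(sample, repr(info["utf16le"]), info["heuristic_says_utf16"])
```

Running it shows the quoted sentence decoding to nine ideographs (the "squares" on a machine without CJK fonts) while `decode_declared` keeps it as ASCII, since there is no BOM to justify anything else. The same parser-ambiguity pattern, one byte sequence with two valid interpretations, is what content-sniffing bugs in browsers and mail clients are built on, which is why fuzzing file-open paths turns up findings like this one.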
Re:How about Vista?
-
Patches released too!
Only 11 patches released for 36 vulnerabilities on the same day. http://blogs.csoonline.com/red_hat_launches_rhel5_and_11_security_advisories -
Re:FUD
If his goal is to protect ebay users, why doesn't he work with ebay security, privately?
Given what has happened to other people who have found or disclosed vulnerabilities, that is probably more of a risk than attacking the site.
-
vulnerability disclosure: how much is too much?
Some interesting comments from Bruce Schneier and Marcus Ranum (and Microsoft too) on the debate. http://www2.csoonline.com/exclusives/column.html?CID=28088 -
Re:Proving a point is expensive....
In this case, he would have been better off just telling people it could be done IMO.
CSO Online told people about it in February 2006. Slate told people about it in February 2005. Senator Schumer told people about it in February 2005. Security expert Bruce Schneier told people about it in August 2003.
We're more than a little beyond "telling people" being productive.
Worse, apparently a proof of concept isn't enough. The TSA is busy trying to prosecute the messenger, but they still haven't fixed the core problem. I'm sadly forced to conclude that the TSA will not fix a real threat to airline security until terrorists successfully exploit that threat. While honest people are stuck measuring their shampoo out of fear of a deeply implausible liquid-bomb threat, anyone with access to a printer and a reasonably plausible state ID can get into the "sterile" area of the airport. (I find it darkly humorous that the boarding pass vulnerability makes the cost of getting 30 ounces of liquid explosives onto a plane just 10 fake boarding passes for almost no cost and 10 evil conspirators.)
-
Re:Airport Security is a joke
He crossed the line from researcher to (potentially) criminal when he published a tool on the web that had no other purpose than to make it possible for others to circumvent security.
The purpose was to shame the TSA into fixing a problem which was widely known and publicized: August 2003 by security expert Bruce Schneier, February 2005 in Slate, February 2005 press release by a US Senator, February 2006 article in CSO Online. The TSA has been ignoring the problem for over three years. Bad guys have known about the attack for at least three years, possibly longer. For all we know bad guys are using it right now; we have no way of knowing. Even without Soghoian's program, it was really, really trivial to exploit; all you need is a very basic understanding of HTML, enough to change one name to another, to execute the attack Schneier described in 2003. The media has been letting the TSA continue to ignore this. If Soghoian had simply published "I can make fake boarding passes and get into the 'sterile' area of an airport", he would have gotten an article or two and nothing would have changed. By providing a working exploit things just became that much harder for the TSA. News coverage exploded. Finally something will happen.
The TSA has proven itself grossly incompetent. There is little to no oversight and zero public accountability. Drastic measures were necessary, as rational measures have clearly failed. The really sad thing is even in the face of such a drastic failure, they're not fixing the core problem.
-
Article is Botnet FUD
The battle is not lost. Some online casinos fought and won the battle.
Read here here. -
alert
As users we shouldn't depend totally on software to avoid this phishing stuff. We can take careful steps to prevent phishing from happening to us. I'll share with you all the steps that will help you avoid becoming a victim of these scams:
1. Be suspicious of any e-mail with urgent requests for personal financial information.
2. Don't be fooled by e-mails with upsetting or exciting (but false) statements that try to get you to react immediately.
3. If you suspect the message might not be authentic, don't use the links within the e-mail to get to a webpage.
4. Don't fill out forms in e-mail messages that ask for personal financial information.
5. Communicate information such as credit card numbers only via a secure website or the telephone.
6. To make sure you're on a secure Web server, check the beginning of the URL in your browser address bar. It should be "https" rather than "http." The "s" stands for secure.
7. Consider installing a Web browser toolbar such as EarthLink's ScamBlocker to alert you before you visit known phishing fraud websites.
8. If an e-mail message is not personalized, assume it's not a valid message.
9. Log in to your online accounts regularly, and check bank, credit and debit card statements to ensure that all transactions are legitimate.
10. Ensure that your browser is up-to-date and security patches have been applied.
Credits: http://www.csoonline.com/read/090104/briefing_phish.html -
Re:What about windows?
Or someone can start giving USB drives to your employees, pose as a remote contractor over the phone and get a password, target a custom AIM virus/trojan, use a telescope through an open window, etc.
If you can't secure a wireless network to the point where there are much bigger security issues than someone attempting to wardrive it, you shouldn't be defining a company's construction plans. -
Re:UNIX and viruses
Of course. How silly of us to think that it could be possible for Unix to be vulnerable to a virus or worm, or other such malware. I mean, it isn't like there are any threats out there that could possibly infect a *nix based system.
Let's face it, the ONLY platform vulnerable to attacks of any kind, is MS. As seen in this article.
Hmmm.... oh yes, let's not forget that there aren't ANY kind of security notices concerning anything on linux.
Nope, definitely NOTHING about linux, or Mac OSX for that matter.
Nope, all those systems, in fact, anything but Windows is absolutely bulletproof. Yeap.
So, who's going to jump on the bandwagon with me and bash Microsoft because it's cool? Nevermind that these other products have flaws too, we'll just bash MS so much that no one will ever know we have problems over here with *nix systems and with MacOSX.
/sarcasm OFF -
Re:The first of many such comments...
It is so easy to blame someone else when people fail to keep their system updated and use a little common sense.
I thought Microsoft Windows was "easy to use", "secure" and that it "just works"? If these were true, then why are 87 percent of consumer PCs infected with spyware and more than half (55 percent) of enterprise computers? If corporations that spend millions on technology and have dedicated admins cannot keep spyware, adware, etc off their desktops, how are consumers expected to? I think the problem is that MS apologists constantly blame every one _but_ Microsoft for these issues. It is time MS is held responsible for their software issues.
IMO, the big problem with Microsoft's automatic updates is that often you will get a new EULA that you have to agree to in order to get the update. I just did a fresh WinXP install that already had SP2 on it. There were a ton of post-SP2 updates and during those updates, I had to agree to a new EULA if I wanted to be patched. It is pretty sad that MS uses their auto update to force users to new licensing agreements. -
Re:Mohammed eh?
My personal favorite was Jonathan Linden, better known as Johnny Rotten from the popular punk band, the "Sex Pistols." He was detained because "Linden" is phonetically similar to "Ladin."
Your favorite, huh? Too bad that it never happened. Several stories have noted that the airlines use software which uses an algorithm derived from an indexing system known as "Soundex", first used in the 1880 census, and that the last name of Johnny Lydon of Sex Pistols fame has the same value under this system as Laden, of terrorist fame. However, Johnny Lydon has never been detained because of this.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2003/06/08/MN253740.DTL
http://www.csoonline.com/read/010104/briefing_name.html -
Nonsense! TIA is operated against the law.
There is oversight. Congressional committees were informed years ago. However election season is upon us so there is a lot of fake outrage and posing for the cameras and microphones going on.
This is a scandal of the first order. The goal is unconstitutional, the attitude is un-American and the means are illegal. This is the kind of shit we fought the Cold War to avoid. I'm furious and you should be too.
As the American Taliban tightens its grip on your reading, conversations and whereabouts, the terrorists win. A few bandits flying into buildings, even the destruction of an entire American city is not an excuse to destroy the things this country stands for. A few more slips down the slope and you won't be able to tell the difference between the Axis of Evil and home.
-
Failure of security professionals?
"It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
Bollocks - this implies that there's more security professionals could do, but they choose not to, to drum up business.
The sad reality of the matter is the vast majority of the threats they mention - Spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & ddos attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc)
The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?
Furthermore, the list of data losses can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
Credit Card Breach Exposes 40 Million Accounts
Bank Of America Loses A Million Customer Records
Pentagon Hacker Compromises Personal Data
Online Attack Puts 1.4 Million Records At Risk
Hacker Faces Extradition Over 'Biggest Military Computer Hack Of All Time'
Laptop Theft Puts Data Of 98,000 At Risk
Medical Group: Data On 185,000 People Stolen
Hackers Grab LexisNexis Info on 32000 People
ChoicePoint Data Theft Widens To 145,000 People
PIN Scandal 'Worst Hack Ever'; Citibank Only The Start
ID Theft Hit 3.6 Million In U.S.
Georgia Technology Authority Hack Exposes Confidential Information of 570,000 Members
Scammers Access Data On 35,000 Californians
Payroll Firm Pulls Web Services Citing Data Leak
Hacker Steals Air Force Officers' Personal Information
Undisclosed Number of Verizon Employees at Risk of Identity Theft
The story makes some good points, but blames the wrong people. -
DDoS Extortionists
this is a really cool story about how a company handled a DDoS attack by organized crime.
-
Re:Non-computer Q about US Visit
Read this for how it is done:
http://www.csoonline.com/read/020106/caveat021706.html -
Related story
There's an excellent story about this sort of thing here (via another tech site with a digging-related name).
-
Cameras and police: the Camera Badge
Instead of optical bugs in homes, where a reasonable and constitutional expectation of privacy exists, we should take Keith Henson's suggestion and put cameras on those with _no_ expectation of privacy--the police and elected officials! Maybe that would slow down the corruption.
For details of this "little brother is watching" turnabout on 'domestic spying' see these links:
http://www.csoonline.com/read/090402/edge_badge.html
http://www.outlander.com/badgecamera/social_effects.htm
http://www.holysmoke.org/kh/kh620.htm
Tyranny, by whatever name it calls itself, must be fought by those in its grip. -
Re:Canton Law Dept page
Decidedly well said, and I agree with the sentiment, as long as resources exist to implement them. Web development has been my gig for nearly the last 10 years, so I do feel I've got a decent grasp on typical web setups.
In general, maybe 99% of web servers have no protection against a DDoS, and probably 90% of them have at best a software firewall running on the box itself. The enterprise systems (ecommerce) I work on have load balancing switches, multiple servers on the back end, redundancy on all levels (including Internet access, power supply, and all other back end systems). But even we don't have good DDoS protection. Our hardware and Internet connections are pretty high end, so it would take a *massive* DDoS to take us down, but I'm pretty confident that there are people out there with botnets who could manage it (never underestimate the power of 250,000 broadband-connected compromised computers).
There is really *little* you can do to protect yourself from a DDoS, unless you have the infrastructure to absorb the DDoS. There was an article about how a central-american gambling site beat out a DDoS attack (the DDoSers were holding the site for ransom for like $50,000 or something). They ended up needing to proxy their website through a really huge ISP, set up advanced firewall rules to differentiate legitimate traffic from the DDoS traffic, and in the end it cost them $1 million to protect against a $50k extortion effort. (Just found the link: http://www.csoonline.com/read/050105/extortion.html )
I had the unfortunate experience of having been on the receiving end of a DDoS (fortunately without any extortion attempt, though I wouldn't have been able to pay it anyhow) on my project site (lotgd.net). About 25,000 unique IP's were requesting random pages on my site, each every 4 minutes. I was pretty helpless to protect against it for the first couple of days, because it was a personal site on a server I rent, my ISP offered no DDoS protection at the time, and I hadn't been able to find any pattern other than that the requests came 4 minutes apart per IP address (plus or minus about 10 seconds). That's about a total of 100 requests per second [on top of my existing user traffic, which is generally about 25 requests per second], and my project is very database heavy.
I couldn't really keep a database of how often each IP address accessed the site on average, because I was already under a heavy enough load, and 25,000 deny entries in my firewall at a time would also lend a heavy load (software based firewall on the web server [iptables]). Further, the IP's kept changing (either someone was only dedicating a small portion of their overall botnet to me at a time, or they mostly had computers that had dynamic IP's). Over the course of the ~2 weeks that the attack took place, there were a total of 1.7 million unique IP's (only ever almost exactly 25,000 at a time, plus or minus a few percent). Obviously I needed an adaptive solution, because a reactive one (where I identified IP's manually or with a script and added them to the firewall) would probably typically have missed the window where I was actually being attacked by any given IP.
The *only* way I was able to beat it is by identifying a few IP's that were obviously attackers, and using a network sniffer to watch their traffic and noticing one thing that was wrong in their IP headers (which I could only do because I happen to know what IP headers should look like). It wasn't even technically wrong, it was just different from all the legit traffic. Then I was able to add a simple firewall rule that fixed the issue, but if the attackers had corrected this, I would have been screwed unless I invested in additional infrastructure. I paid a really hefty bandwidth bill that month (about 4x average usage overall), and I never found out who was attacking me (no one ever sent me an email, but because my site is a gaming site that has specific -
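The poster's observation that each attacking IP came back every 4 minutes plus or minus about 10 seconds is itself a usable signal: human browsing has irregular gaps, while a scripted bot fetching "random pages" on a timer has a tight inter-arrival distribution. As an added example (not the poster's code, which is not on the page), the following Python reads access-log lines, computes the median gap and median absolute deviation per source IP, and flags sources whose gaps cluster within the stated tolerance around a 4-minute period. The log lines, addresses, page names and thresholds are constructed for the example; in the poster's situation the output of such a pass would be what feeds a blocklist, rather than hand-picking IPs that have already rotated away.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in common log format (timestamps and addresses invented).
# 203.0.113.7 returns every ~4 minutes; 198.51.100.3 browses irregularly.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2005:10:00:00 +0000] "GET /list.php HTTP/1.1" 200 812
198.51.100.3 - - [05/May/2005:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.3 - - [05/May/2005:10:00:40 +0000] "GET /login.php HTTP/1.1" 200 2048
198.51.100.3 - - [05/May/2005:10:01:15 +0000] "GET /news.php HTTP/1.1" 200 1200
203.0.113.7 - - [05/May/2005:10:04:03 +0000] "GET /source.php HTTP/1.1" 200 640
203.0.113.7 - - [05/May/2005:10:07:58 +0000] "GET /news.php HTTP/1.1" 200 1200
203.0.113.7 - - [05/May/2005:10:12:05 +0000] "GET /forest.php HTTP/1.1" 200 900
198.51.100.3 - - [05/May/2005:10:13:50 +0000] "GET /shades.php HTTP/1.1" 200 700
203.0.113.7 - - [05/May/2005:10:15:57 +0000] "GET /village.php HTTP/1.1" 200 980
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Return {ip: sorted list of epoch seconds}; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp = m.groups()
        hits[ip].append(datetime.strptime(stamp, TIME_FMT).timestamp())
    return {ip: sorted(times) for ip, times in hits.items()}


def interval_profile(times):
    """Median gap between consecutive hits, the median absolute deviation of
    those gaps (a robust jitter measure), and the number of gaps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return med, mad, len(gaps)


def suspicious_ips(text, period=240.0, tolerance=10.0, min_gaps=3):
    """IPs whose gaps sit within `tolerance` seconds of `period` and whose
    jitter (MAD) is also within `tolerance`. Defaults mirror the 4-minute,
    +/-10 s cadence described in the comment; the values are assumptions."""
    flagged = {}
    for ip, times in parse_log(text).items():
        if len(times) < min_gaps + 1:
            continue  # too few samples to say anything about periodicity
        med, mad, n = interval_profile(times)
        if abs(med - period) <= tolerance and mad <= tolerance:
            flagged[ip] = {"median_gap": med, "mad": mad, "gaps": n}
    return flagged


if __name__ == "__main__":
    for ip, profile in suspicious_ips(SAMPLE_LOG).items():
        print(ip, profile)
```

Using the median and MAD rather than mean and standard deviation keeps one missed or duplicated request from hiding a bot, and the `min_gaps` floor avoids flagging a visitor seen only twice. The weakness is the one the poster already names: an attacker who randomises the timer defeats a cadence check, which is why this belongs alongside header-level anomalies and upstream capacity rather than in place of them.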
Re:CISCO
I thought the same thing at first.
No, that is apparently correct, though I had never seen that acronym before and had to look it up to be sure:
http://www.csoonline.com/glossary/term.cfm?ID=969
Chief Information Security Officer (CISO)
The position of CISO is relatively new in most organizations. The CISO should be providing tactical information security advice and examining the ramifications of new technologies. In most corporations the CISO reports to the CIO or CTO. The CISO role does not usually include responsibility for physical security, risk management and business continuity, which are more often delegated to the CSO. -
Re:I can see...
> You blame Microsoft (sorry it was an easy target)!
Incidentally, Schmidt was Chief Security Officer at Microsoft prior to his stint at the white house. Perhaps his belief that security is primarily a coder-level responsibility relates in some way to the security level of Microsoft's products while he worked there. -
Red Cross IT related relief
Here is a link to some good information on the IT related aspects of relief being provided by the Red Cross to the New Orleans area.
-
Re:Never pay
Oops, wrong thread.
Yeah, also, TFA discusses that in depth.
http://www.csoonline.com/read/050105/pay_3583.html -
Re:Extorting a gambling site?
yeah, also tfa discusses that in depth
http://www.csoonline.com/read/050105/pay_3583.html -
Re:Where is the EFF!!111!!!!!1118
If it truly was a collection agency that contacted her, it's a simple matter for her to send a letter right back to them demanding verification of the debt.
That's a very good point and worth repeating. It'd be a total circus watching the debt agency trying to prove the debt, and next to impossible. Especially if the lady can prove a reasonable doubt, and that shouldn't be too hard to do.