MasterCard announced new SDP Program changes to drive consistency and quality of merchant QSA training in the December 15, 2009 Global Security Bulletin. The main change is that from 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue to use internal auditors.
For more detailed information, please refer to http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
Friday, December 18, 2009
Sunday, December 13, 2009
Backtrack Applications for Your Ubuntu
This post is for those among us who use Ubuntu as their main operating system and would like to install their favourite forensic and/or information security tools.
The first step is to create a .list file for the Backtrack repository (note that "sudo echo ... > file" fails with "permission denied", because the redirection is performed by your unprivileged shell and not by sudo; pipe the line through sudo tee instead):
echo 'deb http://repo.offensive-security.com/dist/bt4 binary/' | sudo tee /etc/apt/sources.list.d/backtrack.list
Then, we need to download and import the GPG key:
wget http://repo.offensive-security.com/dist/bt4/binary/public-key && sudo apt-key add public-key
Finally, update the sources:
sudo apt-get update
Just keep in mind Backtrack is Backtrack and Ubuntu is Ubuntu. Don't try to make Backtrack out of Ubuntu.
Monday, December 7, 2009
SHODAN - Computer Search Engine
SHODAN is a search engine that allows you to find servers, routers, etc. It scans the Internet and indexes the headers that come back. What this means is that instead of finding an exploit that works on a target system, you can grab any exploit and then find a system vulnerable to it.
To demonstrate, let us find an FTP server in China with anonymous access. To do that, I typed FTP port:21 country:CN. In response, SHODAN gives a list of systems matching the criteria:
Running an FTP command with an IP address from the list confirms that the server exists:
Please remember that it is illegal (in most countries) to scan and/or fingerprint a system without proper authorisation from the owner. Considering SHODAN's capabilities, one should consider the ethical aspects of "cloud hacking".
URL: http://shodan.surtri.com/
Friday, December 4, 2009
PCI SSC "Ask the Council" Webinar
This session will offer a brief update on PCI SSC initiatives, followed by a live Q&A session with opportunities to address Bob Russo, PCI SSC General Manager, and other members of the PCI SSC team. The updates will cover:
- Community Meeting outcomes
- Next steps in the lifecycle process
- Recently published Council resources
To register for the Tuesday, December 8, 2009 session, please use the following link: http://register.webcastgroup.com/l3/?wid=0801208094997
To register for the Wednesday, December 9, 2009 session, please use the following link: http://register.webcastgroup.com/l3/?wid=0801209094998
The webinars will be recorded and available for download on the Participating Organization’s area of the Council’s Web site for those Participating Organizations who cannot attend any of the sessions.
For more information, please refer to https://www.pcisecuritystandards.org/pdfs/pr_091130_open_mic.pdf
Friday, November 20, 2009
OWASP Top 10 -2010 RC
The Open Web Application Security Project (OWASP), an open-source application security project, has published a release candidate of the OWASP Top 10 for comments and feedback. You can download it from http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf.
It was always perceived that the OWASP Top 10 is about the 10 most common weaknesses in web applications; this release makes it clear that the OWASP Top 10 Project is about the top 10 risks. As a result, OWASP reshuffled the order of the items on the list, since it is now based on the estimated risk instead of the frequency of the associated weakness. In addition, there are two new items:
Please review and contribute your thoughts and comments.
Tuesday, November 10, 2009
Ubuntu 9.10 Is Out!
Ubuntu 9.10 (nicknamed Karmic Koala) is out and it has a number of security improvements (over the previous version) that I would like to highlight:
A full list of Ubuntu security features can be found at https://wiki.ubuntu.com/Security/Features.
Tuesday, October 20, 2009
Information Disclosure at its Best!
Wanted to share this example of the OWASP Top 10 2007 "Information Leakage and Improper Error Handling" vulnerability. Considering the amount of resources available freely on the Internet (OWASP Top 10, SANS 25, etc.), I am quite surprised to see these appear as often as they do.
Tuesday, September 29, 2009
New Microsoft Security Essentials
Microsoft has announced the launch of the free anti-malware product Security Essentials. It uses the Dynamic Signature Service, a Microsoft technology that ensures users are protected by the most current virus definitions available without having to wait for the next scheduled download. In addition, it is designed to run quietly in the background and limits CPU and memory usage. Unfortunately, it is still in beta and available to customers in the United States, Israel, China and Brazil only.
Although I think that the age of "signature based" security is over and the future lies with concepts such as profiling (AppArmor), labeling (SELinux and Solaris Trusted Extensions) and Mandatory Access Control, it is still a welcome addition to the information security domain.
Thursday, September 17, 2009
Security Development Lifecycle Tools from Microsoft
Microsoft has released two additional tools to supplement its secure development life cycle (SDLC) tools portfolio, which includes the well known AntiXSS, FxCop and CAT.NET.
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to verify that required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. It creates multiple random variations of file content and feeds them to the application to exercise the code in an attempt to expose unexpected application behaviours.
Both tools (and others) are available to download for free from the Microsoft Security Development Lifecycle Tools Repository.
Tuesday, September 15, 2009
How we protect you... Yeah, how?
Seriously, I don't get it. It is 2009, network firewalls have been here for more than twenty years and people (information security professionals, no more no less!) still make the amateur assumption that they will solve all their security problems.
I've been reading HSBC's "Security guarantee" on their website (http://www.offshore.hsbc.com/1/2/international/internet-banking/how-we-protect-you), which states that they use the most advanced security systems and software to protect customer accounts, including:
Now that is secure, isn't it? Well, no… Since the application has access to the database, a skilled hacker would use encryption to bypass the network firewall (a firewall cannot inspect encrypted traffic), and the user name/password fields could be used to perform phishing, Cross Site Scripting (XSS) and SQL injection (diagram above).
In the year 2009, application security should be on the CISO's agenda and network firewalls should be left to network administrators. Web applications should be protected by Web Application Firewalls (WAF), by constantly reviewing the source code to detect vulnerabilities and by training software architects and developers.
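To make the point concrete, here is an added example (mine, not from the original post) of the login check the post describes, written in Python against an in-memory SQLite database with a constructed sample user: a username field that passes the network firewall as ordinary form data rewrites the query when it is concatenated into SQL, and is harmless once the query is parameterised.

```python
"""Why a network firewall does not stop SQL injection.

Added example, not from the original post.  The login form fields arrive
over ordinary HTTPS, so the firewall sees nothing unusual; what matters
is how the application turns them into a query.  Uses an in-memory
SQLite database with a constructed sample user; a real system would
store salted password hashes, not the bare SHA-256 used here for brevity.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL grammar."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data and cannot change the
    statement, whatever characters it contains."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # A username field carrying a quote and a comment marker: in the
    # concatenated query the password check is commented out entirely.
    field = "alice' --"
    print("vulnerable:", login_vulnerable(db, field, "wrong"))  # True
    print("safe:      ", login_safe(db, field, "wrong"))        # False
    print("real user: ", login_safe(db, "alice", "correct horse"))  # True
```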
Tuesday, September 8, 2009
Flash Cookies - Yammy!
For some reason, everybody talks about Flash cookies! But they are not much different from the traditional browser cookies we all know and love (to hate). The differences are that they are not controlled through the standard "privacy" settings of Internet browsers and they are less known (sadly, even to Information Security specialists).
So where do you find these nasties and what should you do about them?
To find these Flash cookies all you have to do is to look for the .sol extension in the following directories:
There are a number of alternatives to treat the problem:
And there is a legal twist to this story as well. Apparently, the usage of Flash cookies is illegal in the UK according to the Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003: "Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment: * is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and * is given the opportunity to refuse the storage of, or access to, that information."
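As an added example (mine, not from the original post), a small Python script that inventories the .sol files and reports which site set each one; the location of the #SharedObjects directory and the layout beneath it are assumptions, so the directory is passed in on the command line.

```python
"""Inventory Flash Player local shared objects (.sol files).

Added example, not from the original post.  Flash Player keeps its cookies
as .sol files under a "#SharedObjects" directory whose location differs per
OS (assumed here, so the root is passed in).  The layout beneath it is
assumed to be <random id>/<setting site's domain>/<path>/<name>.sol.
"""
import os
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlashCookie:
    domain: str
    path: str
    size: int


def find_flash_cookies(root: str) -> List[FlashCookie]:
    """Walk `root` (the #SharedObjects directory) and list every .sol file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, name)
            # Layout <random id>/<domain>/...; anything shallower is "(unknown)".
            parts = os.path.relpath(full, root).split(os.sep)
            domain = parts[1] if len(parts) >= 3 else "(unknown)"
            found.append(FlashCookie(domain, full, os.path.getsize(full)))
    return sorted(found, key=lambda c: (c.domain, c.path))


def summarise(cookies: List[FlashCookie]) -> Dict[str, int]:
    """Count .sol files per setting domain: the view a privacy review needs."""
    counts: Dict[str, int] = {}
    for c in cookies:
        counts[c.domain] = counts.get(c.domain, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed Linux location when no directory is given on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser(
        "~/.macromedia/Flash_Player/#SharedObjects")
    for dom, n in summarise(find_flash_cookies(root)).items():
        print(f"{n:4d}  {dom}")
```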
Thursday, September 3, 2009
AntiXSS v3.0
For years, (security-aware) software developers have been using OWASP ESAPI (Enterprise Security API) as a security framework to validate input/output to prevent Cross Site Scripting (XSS). Although it supports Java, Python, PHP and .NET among others, only the Java toolkit is mature enough to be used by enterprises in a production environment.
Now .NET users have the Microsoft Anti-Cross Site Scripting Library to help protect applications from XSS attacks. In addition, enterprises may find the Security Runtime Engine very useful, since it can protect legacy applications from XSS attacks without having to change much code.
Monday, August 17, 2009
Malicious Facebook application
Facebook had its share of the limelight (http://www.scmagazineuk.com/Warnings-made-over-malicious-Facebook-application/article/146596/) following the bad publicity that hit Twitter previously. The way I see it, Facebook developers can try to develop a more secure application that will make attacks such as these more difficult, but unless people change their attitude towards their own private information nothing will stop hackers from obtaining it and using it for their own benefit.
As an organisation that owns the data, you can deploy smart perimeter security devices (Web Application Firewalls, Intrusion Prevention Systems, Network Access Control, Content Inspection, etc.), anti-malware software on your servers, perform rigorous patching and even use behaviour inspection databases. But unless you address the core of the problem, which is the lack of security awareness, and educate users (be they internal employees, software developers or the actual consumers of your services), these will have only a limited impact on the level of security.
Now, the real question is: whose responsibility is it, anyway? As a Facebook user myself, I would expect Facebook to tell me right from wrong...
Saturday, August 15, 2009
Whose Responsibility is it Anyway?
Yesterday, SC Magazine published an article about PCI DSS compliance responsibility (http://www.scmagazineuk.com/Whose-responsibility-for-compliance-is-it-anyway/article/146476/) which I found very amusing. Why? Well, how come when you give away something that is dear to you, you don't consider whom you give it to?
From a user perspective, if you don't think twice before you give away your private information, you have no one to blame but yourself. As a merchant or a service provider, you need to make sure that information given to you by the end user stays secure throughout the data lifecycle and, if you share it, it has to be with someone who can provide at least the same level of security as you do.
PCI DSS requirement 12.8 is there to enforce that. Right now, a merchant and/or service provider is not required to use only PCI DSS certified service providers, but it is their responsibility to maintain a register of all third parties that have access to cardholder data, to have a proper contract in place (which includes an acknowledgement by the third party of their responsibility for securing cardholder data) and to review the associated risk regularly.
Wednesday, August 5, 2009
IBM has announced the acquisition of Ounce Labs
IBM has announced the acquisition of Ounce Labs, a provider of enterprise source code security testing (http://www.scmagazineuk.com/IBM-announces-acquisition-of-Ounce-Labs/article/140881/).
Earlier (I think last year), they acquired AppScan and now Ounce Labs; although both provide slightly different capabilities (source code security vs. web application vulnerability testing), it seems that IBM wants either to eliminate the competition or to have a single leading product in the application security space. It would be interesting to see how it plays out...