Saturday, October 9, 2010

PCI DSS & PA DSS version 2.0

Slowly but surely, PCI (Payment Card Industry) standards are getting more mature. As it stands today, the PCI SSC (Security Standards Council) maintains three security standards:
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Payment Application Data Security Standard (PA DSS)
  • PIN Transaction Security (PTS)

Those who expected the council to release a minor update of PCI DSS and PA DSS (i.e. version 1.2.1 to version 1.3) and are now dreading the “oh mighty” version 2.0 can rest at ease, as the majority of the changes are no more than clarification and restructuring of the standards.

The biggest change is to the Approved Scanning Vendor (ASV) program, where vendors who previously could offer simple vulnerability scanning services are now required to adopt a more comprehensive approach. Scanning vendors will be required to educate their employees through the PCI SSC training and certification process, work closely with merchants and service providers through remediation and rescanning, and provide their customers with standardized reports and an Attestation of Scanning Compliance (AoSC). Not only that, the vendors are expected to include environment discovery and verification of the scanning scope with the customer. From a security standpoint, those are welcome changes...

Friday, October 8, 2010

Future of the Information Security Expert

From the beginning of time, there were individuals and groups who had something which others desired. The object of desire changed throughout the centuries, reflecting the state and norms of human society at the time, but there was always a need to safeguard it.
The association between information and power has existed since Biblical times, and so has the need for information security. One means of protecting information is encryption, which the Oxford dictionary defines as the action of “convert[ing] (information or data) into a cipher or code, especially to prevent unauthorized access”. According to Fred Cohen (1995), “cryptography probably began in or around 2000 B.C. in Egypt, where hieroglyphics were used to decorate the tombs of deceased rulers and kings”. Based on that, we can safely assume that the need to protect information, such as intellectual property, financial data and medical records, will remain in the near future. Therefore the position of information security expert will exist as well, to make sure information remains confidential, accurate and available.
The skill set of the information security expert will have to evolve with the information itself and with the methods used to store and access it. For example, where previously information was captured on printed material and storage required physical security, today information security experts deal mainly with electronic data. In addition, the methods used to access the information, both legitimate ones and those used by malicious users, will have an impact on the role of the information security expert. For example, the number of attacks conducted through web applications has increased significantly since 2000. This is further confirmed by the Cenzic (2008) report stating that “the percentage of Web application vulnerabilities went up to a staggering 80 percent”. The same could be said about the training required: it will have to evolve to provide information security experts with the required skill set.
Automation of information security will have a major influence on the role of the information security expert. Where previously network-based scans and attacks were conducted manually, today numerous tools such as Nessus, nmap, nCircle and SAINT automate the task. The same trend is happening with web application security: security tools are catching up with the industry to provide automated identification (and exploitation) of web application vulnerabilities. Naturally, automated tools have their limitations, and that is where the information security expert will have to fill the gap. As of today, assessments such as analysis of an application's logical flow cannot be done by a computer, since they require an understanding of the application, at least until the computer can pass a Turing test.

Bibliography

Monday, April 12, 2010

Microsoft Security Development Lifecycle (SDL) - Version 5.0

Microsoft has released the fifth version of its Security Development Lifecycle document. It provides guidance and illustrates the way Microsoft applies the SDL to its products and technologies. In addition, it includes security and privacy requirements and recommendations for secure software development at Microsoft. It covers SDL guidance for Waterfall and Spiral development, Agile development, web applications and Line of Business applications.

It can be downloaded from http://go.microsoft.com/?linkid=9724944.

Thursday, April 8, 2010

Screen for more productivity

Today the majority of people use Windows, but what I'm going to talk about is Screen.

Screen is a GNU utility that allows you to use multiple windows (virtual VT100 terminals) in Unix/Linux. Although, if you have console access, you could simply spawn multiple terminals, there are two features I would like to highlight.

First, a screen session stays active even when the SSH session that started it is terminated. All processes started inside it keep running and can be re-attached once the SSH connection is re-established. Furthermore, since additional windows are created inside one session rather than as separate login sessions, it is also more resource efficient.

In addition, a screen session can be shared between multiple users and/or protected with a password. For example, you create a screen session and run a command. Another person logged in as the same user can list the existing sessions (screen -ls) and attach one to their terminal (screen -r). By default that is as far as it goes: the session socket lives in a directory owned by and readable only by the creating user (/var/run/screen/S-<user>, as the listing below shows). To share a session with a different user, the owner has to enable multi-user mode (multiuser on) and grant that user access (acladd <user>) inside the session, and the screen binary must be installed setuid root; the other user then attaches with screen -x <owner>/<session>. In either case, the password command makes screen ask for a password whenever someone resumes the session.
jmarkh@ubuntu-01:~$ screen -S nmap
[detached]
jmarkh@ubuntu-01:~$ screen -S nessus
[detached]
jmarkh@ubuntu-01:~$ screen -ls
There are screens on:
15833.nessus (10-04-08 10:52:20 AM) (Detached)
15813.nmap (10-04-08 10:52:10 AM) (Detached)
15620.pts-0.ubuntu-01 (10-04-08 10:29:38 AM) (Detached)
3 Sockets in /var/run/screen/S-jmarkh.
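The following script is an added example, not code from the original post. It shows the two things discussed above in practice: a long scan started in a detached session that survives an SSH disconnect (with its output captured to a log file), and a .screenrc that shares the session read-only with a second user behind a password prompt. The session name, the user names and the password hash are placeholders; cross-user attach only works when the screen binary is installed setuid root.

```shell
#!/bin/sh
# Added example (not from the original post). Session/user names and the
# password hash below are placeholders.
set -eu

# Print a .screenrc that: turns on multi-user mode, grants $1 access to the
# session, removes write permission on all windows ("#") so $1 can only
# watch, and asks for a password on re-attach. $2 is a crypt(3) hash, e.g.
#   perl -e 'print crypt("secret", "xy")'
shared_screenrc() {
    guest=$1
    pwhash=$2
    cat <<EOF
multiuser on
acladd $guest
aclchg $guest -w "#"
password $pwhash
EOF
}

# Start command $3 in a detached session named $1 using screenrc file $2,
# with stdout/stderr captured to $1.log so results survive a disconnect.
start_detached() {
    name=$1
    rcfile=$2
    cmd=$3
    screen -dmS "$name" -c "$rcfile" sh -c "$cmd > $name.log 2>&1"
}

# Type a line (terminated by a carriage return) into window 0 of session $1,
# e.g. to answer a prompt without attaching to the session.
send_line() {
    screen -S "$1" -p 0 -X stuff "$(printf '%s\r' "$2")"
}

if [ "${1:-}" = "--start" ]; then
    # placeholder hash: replace with a real crypt(3) string before use
    shared_screenrc bob 'xyPLACEHOLDERhash' > "$HOME/.screenrc-shared"
    # 192.0.2.0/24 is the documentation (TEST-NET-1) range
    start_detached nmap "$HOME/.screenrc-shared" 'nmap -sS 192.0.2.0/24'
    screen -ls
fi
```

The owner runs the script with --start, disconnects, and later reattaches with screen -r nmap; the user bob attaches with screen -x jmarkh/nmap, is asked for the password, and can watch the scan but not type into it because the -w bit was removed on every window. The aclchg line is what turns "anyone I add can run commands as me" into read-only observation, which is the setting you want when sharing a session with a client or a junior analyst.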
Here are some commands/shortcuts that can be used with Screen (note that every screen command begins with Ctrl-a):
Ctrl-a c        Create a new window (shell)
Ctrl-a k        Kill the current window
Ctrl-a Ctrl-x   Lock this terminal
Ctrl-a w        List all windows (the current window is marked with "*")
Ctrl-a 0-9      Go to the window numbered 0-9
Ctrl-a n        Go to the next window
Ctrl-a Ctrl-a   Toggle between the current and previous window
Ctrl-a [        Start copy mode
Ctrl-a ]        Paste copied text
Ctrl-a ?        Help (display a list of commands)
Ctrl-a Ctrl-\   Quit screen (kills all windows)
Ctrl-a D        Power detach (detach and log out)
Ctrl-a d        Detach but keep the session and its windows running

The man pages for screen are quite readable and make a good tutorial.
man screen

Wednesday, January 6, 2010

The WASC Threat Classification v2.0 is Out

The WASC Threat Classification v2.0 was released two days ago. It is an effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users.
For more information, see http://projects.webappsec.org/Threat-Classification.

Friday, December 18, 2009

MasterCard SDP Program Changes

MasterCard announced new SDP Program changes to drive consistency and quality of merchant QSA training in the December 15, 2009 Global Security Bulletin. The main change is that from 30 June 2011, Level 1 merchants that choose to conduct their annual onsite assessment using an internal auditor must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue using internal auditors.
For more detailed information, please refer to http://www.mastercard.com/us/sdp/merchants/merchant_levels.html

Sunday, December 13, 2009

Backtrack Applications for Your Ubuntu

This post is for those among us who use Ubuntu as their main operating system and would like to install their favourite forensic and/or information security tools.
First step is to create a .list file for the Backtrack repository. Note that `sudo echo ... > file` does not work: the redirection is performed by your own (unprivileged) shell, not by sudo, so the file has to be written through tee instead:
echo "deb http://repo.offensive-security.com/dist/bt4 binary/" | sudo tee /etc/apt/sources.list.d/backtrack.list
Then, we need to download and import the GPG key. The key is served over plain HTTP and apt-key trusts it for every repository, so check its fingerprint before importing it:
wget http://repo.offensive-security.com/dist/bt4/binary/public-key && sudo apt-key add public-key
Finally, update the sources:
sudo apt-get update
Just keep in mind Backtrack is Backtrack and Ubuntu is Ubuntu. Don't try to make Backtrack out of Ubuntu.
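The script below is an added example, not the original post's commands. It performs the three steps above in one go and adds the two things a practitioner would want: the operator sees the key's fingerprint and has to confirm it before apt trusts it, and an APT pin keeps the Backtrack repository from replacing packages Ubuntu already ships (which is exactly how one ends up "making Backtrack out of Ubuntu"). The repository and key URLs are the ones quoted in the post; the pin priority of 100 and the file names under /etc/apt are my choices, and gpg --show-keys assumes GnuPG 2.2 or newer (the fallback handles older versions).

```shell
#!/bin/sh
# Added example (not from the original post). URLs are those quoted in the
# post; pin priority and file names are this example's own choices.
set -eu

REPO_LINE="deb http://repo.offensive-security.com/dist/bt4 binary/"
KEY_URL="http://repo.offensive-security.com/dist/bt4/binary/public-key"

# The sources.list.d entry, as text, so it can be reviewed before writing.
sources_entry() {
    printf '%s\n' "$REPO_LINE"
}

# An APT pin for everything from this origin. Priority 100 means: a package
# from the Backtrack repo is installed only when Ubuntu has no package of
# that name, and it never upgrades something Ubuntu already provides.
pin_entry() {
    cat <<'EOF'
Package: *
Pin: origin repo.offensive-security.com
Pin-Priority: 100
EOF
}

install_repo() {
    # `sudo echo ... > file` would fail: the redirection runs as the
    # invoking user, so pipe the text through sudo tee instead.
    sources_entry | sudo tee /etc/apt/sources.list.d/backtrack.list >/dev/null
    pin_entry | sudo tee /etc/apt/preferences.d/backtrack >/dev/null

    tmp=$(mktemp)
    wget -qO "$tmp" "$KEY_URL"
    # The key came over plain HTTP: show its fingerprint and make the
    # operator confirm it out of band before apt-key trusts it globally.
    gpg --show-keys --with-fingerprint "$tmp" 2>/dev/null \
        || gpg --with-fingerprint "$tmp"
    printf 'Import this key for APT? [y/N] '
    read -r ans
    case "$ans" in
        y|Y) sudo apt-key add "$tmp" ;;
        *)   echo "aborted: key not imported"; rm -f "$tmp"; return 1 ;;
    esac
    rm -f "$tmp"
    sudo apt-get update
}

if [ "${1:-}" = "--install" ]; then
    install_repo
fi
```

Run it with --install. Afterwards, apt-cache policy <package> shows two candidates for anything both repositories carry, with Ubuntu's at priority 500 winning; tools that only exist in Backtrack still install normally with apt-get install.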

Monday, December 7, 2009

SHODAN - Computer Search Engine

SHODAN is a search engine that lets you find servers, routers and other Internet-facing devices. It scans the Internet and indexes the service banners (headers) that come back. What this means is that instead of finding an exploit that works on a given target system, you can take any exploit and then find a system vulnerable to it.

To demonstrate, let us find an FTP server in China with anonymous access. To do that, I typed FTP port:21 country:CN. In response, SHODAN gives a list of systems matching the criteria:



Running an FTP command against an IP address from the list confirms that the server exists:



Please remember that in most countries it is illegal to scan and/or fingerprint a system without proper authorisation from its owner. Considering SHODAN's capabilities, one should also consider the ethical aspects of this kind of "cloud hacking".

URL: http://shodan.surtri.com/

Friday, December 4, 2009

PCI SSC "Ask the Council" Webinar

This session will offer a brief update on PCI SSC initiatives, followed by a live Q&A session with opportunities to address Bob Russo, PCI SSC General Manager, and other members of the PCI SSC team. The updates will cover:
  • Community Meeting outcomes
  • Next steps in the lifecycle process
  • Recently published Council resources
Questions may also be submitted in advance through the online registration tool.

To register for the Tuesday, December 8, 2009 session, please use the following link:
http://register.webcastgroup.com/l3/?wid=0801208094997
To register for the Wednesday, December 9, 2009 session, please use the following link: http://register.webcastgroup.com/l3/?wid=0801209094998

The webinars will be recorded and available for download on the Participating Organization’s area of the Council’s Web site for those Participating Organizations who cannot attend any of the sessions.

For more information, please refer to https://www.pcisecuritystandards.org/pdfs/pr_091130_open_mic.pdf

Friday, November 20, 2009

OWASP Top 10 -2010 RC



The Open Web Application Security Project (OWASP), an open-source application security project, has published a release candidate of the OWASP Top 10 for comments and feedback. You can download it from http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf.
The OWASP Top 10 was always perceived as a list of the 10 most common weaknesses in web applications; this release makes it clear that the OWASP Top 10 Project is about the top 10 risks. As a result, OWASP reshuffled the order of the items on the list, since it is now based on estimated risk instead of the frequency of the associated weakness.
In addition, two items were added and two were removed:
  • ADDED: A6 – Security Misconfiguration
  • ADDED: A8 – Unvalidated Redirects and Forwards
  • REMOVED: A3 – Malicious File Execution
  • REMOVED: A6 – Information Leakage and Improper Error Handling
Please review and contribute your thoughts and comments.