Saturday, April 24, 2010

New version of PCI DSS

When I began to write this, I realized that I have not blogged about PCI and all its intricacies; I will visit this topic soon.


The PCI DSS will very soon be at version 3.0, so what changes can we expect? StorefrontBacktalk published an article on the coming changes; some of them are:

  • Searching For Cardholder Data. This will require merchants to search for cardholder data on all their networks and systems. The search does not have to be automated (which may cost a lot), but it must be a formal and repeatable manual process.
  • One-Way Hashing Of PANs. This will require merchants to use either truncation (deleting all but the first six and last four digits) or a secure one-way hash that cannot be reversed.
  • Tokenization and End-to-End Encryption. The PCI Council is expected to produce position papers that provide clarification and guidance on a range of emerging technologies such as tokenization and end-to-end encryption. If you want to know what tokenization and end-to-end encryption are before these come out, read on.

By employing tokenization, you essentially replace the actual card value with a randomly generated number. Obviously, one should not be able to derive the card data from the token value.

End-to-end encryption ensures that all data in transit, from the source where the card data originates to the destination where it is stored, is encrypted. This may mean all the way from the merchant's POS machine to the server at the processing authority, or only up to where the merchant's perimeter (or, for that matter, the merchant's liability) ends.
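
As an added illustration (not from the original post or the PCI Council), the following Python sketches the three controls named above: truncation to the first six and last four digits, a keyed one-way hash of the PAN, and a tokenization vault that hands out random, format-preserving tokens. The sample PAN, the HMAC key and the in-memory vault are constructed for the example; a real deployment keeps the vault and the key in a separately protected system.

```python
import hashlib
import hmac
import secrets

# Constructed input: the well-known Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Luhn check: validates input and keeps tokens distinguishable from PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Truncation as the post describes it: keep first six and last four digits."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256); the key must stay secret and never be stored with the hash, since an unkeyed hash of a 16-digit number is cheap to brute-force."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Minimal tokenization: a random, format-preserving token maps back to the
    PAN only through this vault; the token itself carries no card data."""
    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:  # same PAN always yields the same token
            return self._token_by_pan[pan]
        while True:
            token = str(secrets.randbelow(10 ** len(pan))).zfill(len(pan))
            if luhn_valid(token):  # break the check digit so it can never pass as a PAN
                token = token[:-1] + str((int(token[-1]) + 1) % 10)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```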

Friday, April 23, 2010

Symantec released their 2009 Internet Security Threat Report.


One interesting aspect for India is that the report found a significant growth of malicious activity in countries such as Brazil and India, a big jump for India from its 11th place in 2008. The top five most malicious countries, ranked in order, are the United States, China, Brazil, Germany and India, according to the report. The report also says that in 2009 India accounted for 15 percent of all malicious activity in the Asia-Pacific/Japan (APJ) region, an increase from 10 percent in 2008. For specific categories of measurement in the APJ region, India rose in rank for malicious code, spam zombies and phishing hosts compared with 2008. Its high ranking in spam zombies also contributed to India being the third-highest country of spam origin globally.


As we saw throughout 2009, the report states that web-based attacks associated with malicious PDF files skyrocketed during the year. According to Symantec, attacks targeting PDF viewers such as Adobe Reader accounted for 49 percent of the web-based attacks observed for the year, more than four times the 11 percent observed in 2008.

The report is available here.

Sunday, April 18, 2010

Web Application threat mapping

If you work in web application security, you are surely aware that there are multiple references you can use to highlight the various threats, but did you ever want to show a common reference point?

The folks at the Web Application Security Consortium have come up with just that: a mapping of the various classification references, namely the WASC Threat Classification's Attacks and Weaknesses with MITRE's Common Weakness Enumeration (CWE), MITRE's Common Attack Pattern Enumeration and Classification (CAPEC), OWASP Top Ten 2010 RC1 (original mapping with the OWASP Top Ten by Jeremiah Grossman and Bill Corry), SANS/CWE, and the OWASP Top Ten 2007 and 2004.


The mapping is available here.

Apache.Org attack

I wrote about the dangers of URL shortening services; here is a real-world attack on the Apache.org web site.


On April 5th, the attackers, via a compromised Slicehost server, opened a new issue, INFRA-2591. This issue contained the following text:
ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]
TinyURL is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross-site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.

The incident report issued by the Apache team is here.
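
As an added example that is not part of the original post or the Apache report, the following Python shows a defensive check an issue tracker or mail gateway could apply to submitted text: flag links to URL shorteners, and, once a flagged link has been resolved out of band (a HEAD request with redirects disabled, never a click), report whether the destination points back to our own application with markup-like content in its query string. The shortener list, the issues.example.org host and the resolved target are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed list of shortener hosts; extend it for your environment.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Characters and keywords that have no business in a plain navigational URL.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample input: the issue text quoted in the post, and an
# invented redirect target standing in for where the short link resolved.
ISSUE_TEXT = "ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]"
RESOLVED_TARGET = "https://issues.example.org/secure/Dashboard.jspa?view=%3Cscript%3E"

def find_shortened_urls(text: str) -> list:
    """Return every shortener link found in free text (an issue body, a comment)."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            found.append(url)
    return found

def assess_redirect_target(target: str, own_hosts: set) -> list:
    """Given the URL a short link resolves to, list the reasons it looks suspicious.
    An empty list means nothing was found; the caller decides how to alert."""
    parts = urlsplit(target)
    reasons = []
    if (parts.hostname or "").lower() in own_hosts:
        reasons.append("shortener redirects back to our own application")
    # Decode twice so %253C-style double encoding does not hide the markup.
    decoded = unquote(unquote(parts.query + "#" + parts.fragment))
    if MARKUP_RE.search(decoded):
        reasons.append("query or fragment contains markup or script-like content")
    return reasons

if __name__ == "__main__":
    for link in find_shortened_urls(ISSUE_TEXT):
        print("shortened link found:", link)
    for reason in assess_redirect_target(RESOLVED_TARGET, {"issues.example.org"}):
        print("suspicious:", reason)
```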

Friday, April 9, 2010

Updates

A few happenings around the information security space:

A newly released report, "Shadows in the Cloud", details the inner workings of a complex cyber-espionage network that was systematically stealing sensitive documents and correspondence from the Indian government, the United Nations and the Dalai Lama's offices. The complete report is here.


########################


Fyodor, the Nmap guy, is asking everyone to participate in a short survey to share their favorite security tools (open source or commercial). Winning tools will be posted to SecTools.Org; the prizes are as follows:


Ten respondents will receive their choice of a signed copy of Nmap Network Scanning, a four-DVD Nmap Movie Pack, or the top-secret mystery prize! Five of the winners will be chosen based on insightful survey comments, and the other five from a random drawing.


The link for the survey is here.

Friday, April 2, 2010

Restrict administrator rights to prevent exploits

The Principle of Least Privilege, and the use of a least-privilege account on a system, can prevent the majority of malware and other threats. As a key defense-in-depth strategy, one of the best-practice controls that must be implemented on corporate desktops is to restrict what a user can do on the system, specifically by restricting administrative privileges. I wrote about this while discussing the Clampi virus.


Not yet convinced? Do you need some stats to prove the point and convince IT management? Then read on:

Removing administrator rights will better protect companies against the exploitation of:

  • 90% of Critical Windows 7 vulnerabilities reported to date
  • 100% of Microsoft Office vulnerabilities reported in 2009
  • 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
  • 64% of all Microsoft vulnerabilities reported in 2009

These are some of the key findings from a report published by BeyondTrust. The full report is available here.