Are we Secure yet? (Part 1)

One of the questions that an Information Security person dreads most is someone from the business asking "Are we secure?".
You can be torn between the urge to explain in detail why that question can't be easily answered, along with the controls in place and the residual risks (sending them to sleep in the process), and a flippant "yes" which may well come back to haunt you...
One of the reasons the answer can be so long is the obvious follow-up question "Secure from what?". A set of controls which may be reasonably tight when faced with a non-targeted threat such as malware may be totally inadequate against a motivated, knowledgeable insider.
So, perhaps one way to help is to break the "secure" question down into categories of threat.
For example:

  • Non-Targeted Threats
  • Internal Targeted Threats
  • External Targeted Threats

This way you can classify your controls by how well they address each threat category, giving a better picture of the level of risk your organisation is actually running.
Non-Targeted Threats
First off is probably the easiest one, "Non-Targeted Threats". This category includes a lot of the "traditional" threats to your security and is also probably the easiest one to mitigate, as the attacker isn't intelligently looking for a way to attack you in particular; they're just randomly interested in getting access to assets.
Examples of this category of threat are:

  • Malware - Most malware isn't targeted and is just looking to compromise a machine (any machine) for the purposes of using its resources or getting access to information held on it or entered into it (e.g., users' banking credentials).
  • Laptop Thefts - The majority of laptop thefts are not targeted; they're just carried out by someone who sees the laptop as a portable asset that can be easily resold.
  • Internet Attacks - Again, a large portion of "script kiddy" style attacks aren't targeted at a particular company; they're just looking to compromise servers on the Internet for (mis)use.

Looking at these sample threats, we can see that more automated controls are likely to be effective against them. We don't need to be absolutely flawless in our execution of security to defeat them, but we do need to be "good enough" that the attacker moves on to someone else.
So controls which are likely to be effective in this space could be:

  • A-V/Anti-Spyware - Whilst there's a diminishing return on these as attackers work harder to bypass them, signature-based A-V still adds a lot of value in cutting out the "noise" of malware attacks.
  • Patching - Again, we're not dealing with attackers who are likely to use a zero-day exploit here, so vendor patching will likely be an effective control to mitigate some of these threats.
  • Laptop encryption - Whilst it could be argued that this isn't a perfect control (given the cold boot attacks that have emerged, see http://www.freedom-to-tinker.com/?p=1257), it's likely to be an effective control against a random laptop theft.
  • Network (and Web Application) Firewalls - Until recently you could have argued that non-targeted attacks rarely use application-level techniques, but the recent mass SQL Injection attack (doubtless the first of many) shows that firewalling at both the network and application level is necessary to keep you safe('ish) on the Internet.

So far, so good. Next up we'll look at the trickier area of Internal Targeted Threats.

The dangers of jumping to conclusions

I've been reading quite a few posts about Microsoft's COFEE toolkit, which seems to be designed to help forensics investigators get evidence from (presumably Windows-based) PCs.
It's amazing to see how many sources on the Internet took the original article here from the Seattle Times and came to the conclusion that this was some magical box of tricks that would instantly bypass Windows security, as opposed to just being a useful collection of forensics tools. Examples of this response are here, here, here and here.
Luckily someone at the Seattle Times did some follow-up with Microsoft to confirm that it's actually just a collection of forensics tools and doesn't bypass Windows security (see here).

PCI 6.6 clarification - Am I missing something?

Recently there have been some clarifications around a couple of sections of the PCI-DSS, in particular one on Section 6.6.
This update has created some comment and articles, but none of the ones I've read has focused on the main point, as far as I can see...
Previously there were two options for satisfying Section 6.6:

  • A Code Review (either manual or tool assisted) of in-scope web applications, or
  • Placement of an appropriately configured Web Application Firewall to protect the application

Now (unless I'm reading this incorrectly) there's an additional one:
Completion of a manual or assisted web application vulnerability review...
The confusing part is that this third option isn't split out but is listed under the "application code review" section.
My feeling is that this'll affect a lot of merchants (and vendors) if they were planning on spending money on either WAFs or code reviews and will now use a standard web application review (which they may already be undertaking as part of other security work...)
Another interesting point which I don't know the answer to is whether a single review which covered both penetration testing techniques and web application assessment techniques could be used to satisfy 6.6 and 11.3...

Security Shorthand problems

I was thinking about a story I saw recently about the recent update to the British Banking Code.
There's a lot of discussion about Internet banking users potentially being liable for fraud if their PCs aren't "secure", as a result of this update.
The code says "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."
This leads to comments of "I use Mac|Linux, I don't use A-V, does that mean I'll be liable?"
So what we have here is, failure to communicate...
The BBA appear to be correlating having basic security software packages installed with being secure. What I expect happened is that they needed to give some kind of shorthand guidance and that was the best they could come up with.
The problem is that, without more detailed guidance, fraud teams in banks may use this as the definition of secure and treat anyone who falls outside it as being at fault, which would put a lot of the more Internet-security-savvy people in the "not secure" bucket.
Personally I run Linux at home and I don't use A-V as there's no credible threat that it would mitigate for me....

Some More UK Data Loss

http://news.bbc.co.uk/1/hi/business/7334249.stm
This time HSBC have lost 370,000 sets of personal details from insurance customers. One thing that puzzles me in the reporting of this story is the statement that:
although the data on the disc was protected by a password it had not been encrypted
How do you password protect something without encrypting it?! Any software I'm aware of that does password protection will at the very least use some form of rudimentary encryption (e.g., old versions of WinZip or Office) or in most cases (PGP, modern Office/WinZip versions) perfectly acceptable levels of encryption for most scenarios...

Database expert: Oracle behind Microsoft on patch management - Network World

http://www.networkworld.com/news/2008/031308-database-expert-oracle-behind-microsoft.html?fsrc=rss-security

Interesting to see someone have a shot at putting numbers on how far Oracle are behind Microsoft in the database security arena (well, secure features as opposed to security features anyway). The number that they come up with is 5 years...
Assuming that nothing turns up soon, it actually looks like SQL Server 2005 will go through its whole product lifecycle without a published vulnerability. Secunia are currently showing it affected by 0 vulnerabilities.

Infosec Scotland

There's a new portal over at www.infosec-scotland.com that's been started up to provide information about upcoming security events in Scotland (and the wider UK). There's a calendar of events available and some links to relevant sites.
If you've got any events you'd like to get added to the calendar, just send an email over to Events@Infosec-Scotland.com

February OWASP meeting

The February meeting of the Scottish OWASP chapter went pretty well on the 28th.
We had Steve Moyle doing a presentation on Database security (slides can be found here).
I picked up some interesting ideas from his presentation. Firstly, the idea that relational databases have a fundamental flaw when it comes to security, which is that the channel used to control them and the channel used to access the information they contain are the same. This allows someone who should only have access to information in the system to easily attack it as well.
The other thought which occurred to me when I was listening to the presentation was that any IDS/IPS style device which wants to block "malicious" traffic going to a system needs to parse the information it's seeing in the same way as the protected system, otherwise there's a risk that quirks of rendering will introduce false positives or negatives.
It's something I was talking to a WAF vendor about recently, as I was asking them whether their product rendered JavaScript when looking for malicious traffic, as there's a specific problem with the idea of self-modifying JavaScript looking innocuous in transit but then being malicious when executed.
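The parsing-mismatch point above, worked through as an added example (not from the post or the presentation): a hypothetical backend percent-decodes its query string exactly once, and three inspectors are compared against what that backend actually sees. The signature, the backend behaviour and the sample query strings are all constructed for illustration, not real WAF rules or real traffic.

```python
"""Added example: an inspection device must canonicalise input the same way as
the system it protects, or it produces false negatives and false positives.
All names, the signature and the sample inputs are constructed for this example."""
import re
from urllib.parse import unquote

# Constructed signature: a naive rule looking for a UNION-based query fragment.
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def backend_view(query_string: str) -> str:
    """Hypothetical protected application: percent-decodes exactly once."""
    return unquote(query_string)


def inspect_raw(query_string: str) -> bool:
    """Inspector matching the bytes on the wire without any decoding."""
    return bool(SIGNATURE.search(query_string))


def inspect_double_decoded(query_string: str) -> bool:
    """Inspector that decodes twice, so it 'sees' text the backend never will."""
    return bool(SIGNATURE.search(unquote(unquote(query_string))))


def inspect_aligned(query_string: str) -> bool:
    """Inspector that applies the backend's own canonicalisation before matching."""
    return bool(SIGNATURE.search(backend_view(query_string)))


def classify(query_string: str, inspector) -> str:
    """Compare an inspector's verdict with the ground truth at the backend."""
    truth = bool(SIGNATURE.search(backend_view(query_string)))
    verdict = inspector(query_string)
    if verdict == truth:
        return "correct"
    return "false positive" if verdict else "false negative"


# Constructed sample query strings.
ENCODED_ONCE = "id=1%20UNION%20SELECT%20x"   # backend sees the keyword pair
ENCODED_TWICE = "note=%2555NION%2520SELECT"  # backend sees literal "%55NION%20SELECT"
BENIGN = "q=union%20of%20sets"               # backend sees harmless prose

if __name__ == "__main__":
    for sample in (ENCODED_ONCE, ENCODED_TWICE, BENIGN):
        for inspector in (inspect_raw, inspect_double_decoded, inspect_aligned):
            print(f"{sample:32} {inspector.__name__:24} {classify(sample, inspector)}")
```

Only the inspector that decodes exactly as often as the backend agrees with it on every sample; the other two each disagree on one input.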

Upcoming Security Events in Scotland

There's a couple of good security events coming up in Scotland which should be a great chance to meet some of the security community up here and also hear some good speakers!
On the 28th of February, there's an OWASP Scotland meeting with Dr Steven Moyle of Secerno doing a talk on Database Security. There's more information and the address to RSVP to on the OWASP Scotland Mailing list.
Next up, on the 27th of March, is the latest Securetest Edinburgh RANT with Graeme Marsh from Deloittes doing a talk on "Plugging the Gap - Information Leakage in Organisations". For more information and to RSVP for this one, go to this page on SecureTest's site.

Interesting new site?

There's a post over at the Microsoft %41%43%45%20%54%65%61%6d blog about their new Hello secure world resource.
When I saw this I thought I'd go over to the site and take a look around, as Microsoft have released some great information about developer security in the past and it's an area of interest for me at the moment...
But then I ran into a complete roadblock getting to the site! To view it you have to have the latest version of Silverlight installed! Unfortunately I think that won't work for a lot of users, either due to corporate builds not having deployed Silverlight yet (and hopefully having decent security policies in place to stop users self-deploying software) or due to platform issues (admittedly a small proportion of Linux fans like myself). That said, it's likely to be an increasing problem for some content, as a lot of mobile devices run Opera, which isn't supported by Silverlight from what I can see...
I understand that Microsoft are keen to get people looking at some of their new technology, but it's a shame that this kind of resource is limited in such a way that a decent proportion of their target audience won't be able to use it... Perhaps a limited HTML version could be made available so people without access to Silverlight