Submissions are due by 31st July 2008.

The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means with their last couple of suggestions though.

Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:

• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general - hey, it all comes down to software doesn’t it? (inc false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies - rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds - lack of regulation, establishment of base level requirements for security and looking at root cause

I know some of the above is broad in scope and I’m sure that we could develop a large list but at the same time analysis vs practical and realistic solutions to issues needs to be considered. There are many trains of thought - some believe we must just adapt and accept that we’ll always be living and working in an insecure IT world. Others have more hope and that we can turn things around with great effort. Is there a middle ground in the IT world as mirrored in society in general? Can we segment the good from the bad and acknowledge the “grey” areas will always be there?

If your favourite blogger per chance is all of the sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may have already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS  6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

$$$$ vs industry objectives?! Oh yeah!

It’s all BS and I am happy for you to pull me up on it!

We’ve followed the WAF business since day 1! We’ve been there at the start of F5 products for example…BUT…..they’ve never wanted us to test them….we’ve tried and asked many times! (Wonder why?…..) So if anyone wants to promote them, ask the questions?!?! Maybe others did BUT we did not hear about it We just got the impression they were scared of letting us “test” the “system”.

Ooooh Yeah….we love pen testing against WAFs. Not one to this day has saved a site we have tested! While SG helps with product, we always acknowledge that product alone solves little.

Another DD rant you’re probably thinking. As usual, open to flames!

The Computerworld NZ story has a quote that doesn’t seem to make that much sense but in context of the history of this and what could have been, is now a bit more understandable; “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.

While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.

Mac and Linux users I suppose need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back as a general rule are also watching this.

Nobody expects an Australian inquisition….

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH; co-incidentally written by Julian of Chaser fame. One could put forward the argument that this has been setup for the Chaser team and other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone!

Police are apparently going to “use their discretion” to impose fines or gaol. Now that’s scary.

So what does this have to do with security? Well firstly, haxor dudes will need to check their black t-shirts before they go out to ensure no subtle anti-pope or anti-Christianity messages are printed on them. “If in doubt, don’t go out” should be the motto to all.

Aside from that, why stop there. Lets draw a really long bow here and give System Administrators the power to become Bastard Operators From Hell and manipulate users for fun and profit.  All companies obviously have lots of protections against that happening …obviously…

It would be fun and most importantly, profitable to move these regulations into IT. “System Administrators now have the power to dock 10% from the pay of any worker who calls the help desk with an annoying or invalid issue. They should use their discretion to apply this rule only when necessary.”

Let the IT Security dudes become real security dudes and allow for batons and wrestling holds on those that don’t comply with company policies. Send in the special PCI security team with “extra powers” that override any internal policing for organisations that refuse to comply with the PCI DSS. Oh….this is now getting ridiculous…..it’s been a long day.

Does the church allow for pre-sin confessions? Always wondered that. Anyway, packing away my heavy metal t-shirts and donning the hair cream, short back and sides and then 3 Hail Marys for me.

Surely the NSW Government knows that the Chaser dudes are in semi-retirement? Or do they know something we don’t?

http://www.networkworld.com/news/2008/070108-mcafee-spam-experiment.html?page=1
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/01/MNFH11HHOU.DTL

Probably covered best here by the boys at Zero Day at ZDNET US:
http://blogs.zdnet.com/security/?p=1390

I need to think up some out-there research project that we can undertake through Beast or Buddha. Any suggestions?

We had SAFECode announced last year and now comes ICASI, (Industry Consortium for Advancement of Security on the Internet). Release:
http://www.icasi.org/articles/art_001.htm

How they’re going to; “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium!

Recent update on SAFECode.

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

Eg; Insurgencies in countries such as Iraq where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), (like myself), you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Present day, what you need is a relatively inexpensive FPGA and the help of rainbow tables (http://www.hackaday.com/2007/08/11/cccamp-2007-gsm-a5-cracking). Now all you need to do is sit outside any business and listen to their conversations in real time, (or any business competitors).

This applies to any technology that has previously been unable to be examined by the public. We’re seeing the same scrutiny to a lot of wireless devices in the past couple of years as the price of the technology has dramatically dropped. I’m picking on wireless examples here because they’re easy. The point I’m making here isn’t that the GSM encryption is crap but rather to promote the fact, that by making technology more accessible, it has a lot of unintended consequences.

The Internet started out like that, under the assumption that only a few people could get online and get connected to each other. All technological advancements have started with functionality and features as drivers. Recent ones have been introduced well after security was considered a major issue (and we should have known better), and we knew that we were developing everything on the Internet - on a system and protocols that are inherently insecure.

We’re not changing. We are not learning from the lessons of the past. More short and long term pain to come - no doubt about that, regardless of what the major security vendors feed us. Name a few new technologies today that we have faith and trust in that are secure now, and we believe will continue to be. Any in the former category at all before the latter is even questioned?

So they [vendors] talk about “clouds”, hitting the bad guys “at the source”, and a plethora of other BS plans that have no substance to them whatsoever.

Any solutions to even basic security issues need a starting point and a significant change to current thinking and even then, it will takes years to see the impacts of this. (I don’t want to say paradigm shift :-)).

But, we’re not seeing anything changing right now. We’re hearing talk and that’s about all! We’re not seeing new thinking and radically new implementation of security into technologies being released! So how can we honestly expect anything is going down a path of effective and significant change? There is nothing in the near future but more pain, but most of us know that already.

</rambling>

Is all the publicity and debate around PCI DSS requirement 6.6 a bit of a storm in a teacup? I think so. I’ll put the case forward also that if your are compliant with the PCI DSS now, the new requirement 6.6 is superfluous:

From the PCI DSS:

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of
the following methods:
• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing applications.
(Note: This method is considered a best practice until June 30, 2008, after which it becomes a
requirement).

Okay, taken on face value, it does seem like a big addition to the PCI DSS - code review and/or WAF requirement. But, if you review the requirement against the “intent” so to speak (and that is key to understanding this), and marry that up to the information in “Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified” (Feb 2008), in my opinion, really not much has changed.

PCI DSS Requirement 6 already talks about secure coding practices, review and testing. Requirement 6.5 is reasonably clear on this. PCI DSS Requirement 11 covers web application penetration testing which you would expect would test for application vulnerabilities, as discussed in 6.6. (I don’t know too many web application penetration tests that don’t look for web application vulnerabilities). Given this has to be done yearly or when the environment changes significantly, and based upon intent and what is allowed under “Application Code Reviews” as defined in requirement 6.6, if you’re compliant now, you’re covering the intent of 6.6 already. So the first part of requirement 6.6 is superfluous.

Now given PCI DSS requirement 11.3 has not gone away, and as a compliant organisation, you are doing it, there is no reason for installation of a WAF from a compliance perspective! Sure, add one if you want to the rest of your security suite, but think about it clearly if your reasons are compliance only. I don’t see the need. So all this debate about WAFs in the context of the PCI DSS……waste of time?

Keen on your thoughts.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password”

We await more information on this. Amazed this has not made headline news in the IT media!

Related post.