geeks.com compromise

The folks at consumerist (excellent site, btw) just posted a copy of the disclosure letter geeks.com (aka computergeeks.com) sent to customers informing them that their credit card data may be compromised.

A few items that concerned me about the disclosure are…

Genica Corporation dba Geeks.com
1890 Ord Way Oceanside, CA 92056
January 4, 2008

[snip]

The purpose of this letter is to notify you that Genica dba Geeks.com (“Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number.

Two things immediately jump out at me in this first chunk of text. The first is the date of the letter compared to the stated date of discovery.

Being a PCI-DSS guy I know that most merchant gateway providers require disclosure within 1 day of “a suspected compromise”. Granted, that is disclosure to the merchant gateway and not to customers. However, Computer Geeks operates out of California, which is at the forefront of disclosure laws. In fact, the California Security Breach Information Act (SB-1386) states…

Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery

The other troubling part was “and card verification number”. This is the CVV2 that is NEVER to be stored per PCI directive 3.2.2.

3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions

I am troubled by the fact that vendors still remain clueless on the best practices and regulations that govern their actions. I am even more disturbed by the fact that, despite these regulations, implementing proper safeguards and demonstrating caution is in their customers' best interests, yet it is still not done.

SSH on a Non Standard Port

I recently posted a comment on FOSSwire.com in response to other comments condemning the author for suggesting that moving ssh to a port besides 22 was “security through obscurity” and a worthless security measure.

I have argued this topic many times with many different people and felt that comment bears repeating for my downgrade.org audience.

— snip —

Gah! I have heard that argument over and over again about changing ssh to a non-standard port.

“security through obscurity is no security at all” Says the broken record.

I believe heavily in security metrics because numbers are awfully hard to argue with.

In a university environment a machine with ssh on port 22 in my DMZ would receive an average of ~100 invalid login attempts per day (averaged over the course of 2 months).

This same machine in the same DMZ running SSH on port 51234 received an average of zero… no, not an average of zero… just zero.

This effectively eliminates all scripted attacks, worms, Trojans, bots and most uninitiated real attackers.

In fact if you run it on a very high port — say 51234 — most people won’t even find it with a port scanner.

One would have to statically define the port range as most port scanners quit far before 51234.

At that rate scanning ports 1-51234 would take an insane amount of time per host, and most attackers scan huge blocks of hosts.

At that point hopefully an IDS/IPS would pick up the port scan and make the whole thing moot.

Seriously. It's not a foolproof security measure and I certainly wouldn't use it as the only means of protecting SSH, but it's an effective layer. And those same people that are so quick to spew out the “security through obscurity” cliché are also the same that are quick to pull out the “layered security” one.

— snip —
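The comment above rests on a measurement: invalid login attempts per day before and after moving sshd off port 22 (the listening port is set with the `Port` directive in `sshd_config`). The following is an added example, not code from the original post or comment, showing how that metric can be pulled from the `Invalid user` lines OpenSSH writes to the system auth log (`/var/log/auth.log` or `/var/log/secure`, depending on the distribution). The two log samples are constructed for illustration.

```python
"""Count invalid SSH login attempts per day from sshd log lines.

Added example (not from the original post): reproduces the kind of
metric quoted in the comment, an average of invalid login attempts per
day, from the 'Invalid user' lines that OpenSSH writes to the system
auth log. The log lines below are constructed sample data.
"""
import re
from collections import Counter

# Typical syslog-style sshd line:
# "Jan  3 04:12:09 host sshd[1234]: Invalid user admin from 203.0.113.5 port 48112"
INVALID_USER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def invalid_logins_per_day(lines):
    """Return a Counter mapping 'Mon DD' -> number of invalid-user attempts."""
    counts = Counter()
    for line in lines:
        m = INVALID_USER.match(line)
        if m:
            counts[f"{m['mon']} {m['day']:>2}"] += 1
    return counts


def daily_average(lines, days_observed):
    """Average attempts per day over the observation window.

    days_observed is the length of the window in days (the comment's two
    months), not just the days that had activity, so quiet days count as zero.
    """
    if days_observed <= 0:
        raise ValueError("days_observed must be positive")
    return sum(invalid_logins_per_day(lines).values()) / days_observed


def top_sources(lines, n=3):
    """Most frequent source IPs among invalid-user attempts (useful for alerting)."""
    ips = Counter(m["ip"] for m in map(INVALID_USER.match, lines) if m)
    return ips.most_common(n)


# Constructed sample: a host listening on port 22, three days of scanner noise.
# The 'Failed password for invalid user' line is deliberately not counted, so a
# single failed attempt is not counted twice.
PORT22_SAMPLE = [
    "Jan  3 04:12:09 dmzhost sshd[1201]: Invalid user admin from 203.0.113.5 port 48112",
    "Jan  3 04:12:11 dmzhost sshd[1203]: Invalid user oracle from 203.0.113.5 port 48120",
    "Jan  3 09:40:02 dmzhost sshd[1340]: Accepted publickey for alice from 198.51.100.7 port 52211 ssh2",
    "Jan  4 01:05:44 dmzhost sshd[1502]: Invalid user test from 198.51.100.23 port 39001",
    "Jan  4 01:05:46 dmzhost sshd[1504]: Failed password for invalid user test from 198.51.100.23 port 39001 ssh2",
    "Jan  5 22:17:30 dmzhost sshd[1777]: Invalid user pi from 203.0.113.5 port 50987",
]

# Constructed sample: the same host after moving sshd to a high port; only
# legitimate key-based logins remain in the window.
HIGHPORT_SAMPLE = [
    "Jan  3 09:41:15 dmzhost sshd[1342]: Accepted publickey for alice from 198.51.100.7 port 52230 ssh2",
    "Jan  5 18:02:51 dmzhost sshd[1780]: Accepted publickey for alice from 198.51.100.7 port 52302 ssh2",
]

if __name__ == "__main__":
    for name, sample in (("port 22", PORT22_SAMPLE), ("high port", HIGHPORT_SAMPLE)):
        print(name, dict(invalid_logins_per_day(sample)),
              "avg/day over 3 days:", round(daily_average(sample, 3), 2))
    print("top sources:", top_sources(PORT22_SAMPLE))
```

On a real host, feed the functions the output of `grep sshd /var/log/auth.log` and pass the true length of the observation window in days, so that days with no attempts pull the average down rather than being silently dropped.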

This Week in Links: 12/31/07 – 1/6/08

Best of 2007

Tech

Security

Privacy

Apple

Busy as all get out

Sorry I haven't posted in a week. I have been working on some gigantic project funding requests at work. They are eating all of my home and work time. Once this is over with, things will normalize and I will post again.

And who uses the term “as all get out”?!  I hate that term.  I’m now a self-loather.

Acronyms will be the death of me.

You can use NSM (Netscreen Security Manager) to manage your Netscreen firewalls.

You can use OpenNMS (http://www.opennms.org/index.php/Main_Page) to monitor your servers.

You can use NSM (Network Security Monitoring) to monitor your network.

From now on you’re Bob, you’re Fred and you’re Julio… I hope you all can play nice together.

Electronic or Computer Log Categories

I have been working on various SIEM (Security Information and Event Management) and log retention policy related projects lately. Through these projects, and others that I did as a security consultant, I have developed a list of log categories (or log types).

Surprisingly, I have found little to no authoritative documentation that provides such a list.

I have read through various RFCs, the NIST SP 800-52 Guide to Computer Security Log Management, and a large number of other documents, and still have not found a comparable list.

Because of the lack of existing lists I wanted to post what I have come up with in hopes that it will help others seeking out the same information, or at least generate conversation and point out other resources or types that I may have missed.

  1. Audit Trails: logs that document application or OS changes made and/or specific actions taken by a user. Also includes “object access/change” logs. This would include output from change management systems and system integrity logs like those Tripwire produces
  2. Event Logs: internal system or application events that are not specific to a user or user generated
  3. Traffic/Access Logs: web server hit logs, containing the URL accessed, visitor IP, browser, etc.
  4. Filter device Logs: allows/denies from firewalls, IPS, ACL-enforcing routers, etc.
  5. Exception Logs: error logs
  6. Network Traces: packet captures, flow data, etc.
  7. Authentication Logs: login/logout/invalid logins and session tracking
  8. Physical Access Logs: visitor logs, biometric/badge/token door logs
  9. Transaction Logs: database generated
  10. Data Logger: statistical or numeric data. Data center environmental monitors, web hit counters, manufacturing equipment output data, etc.

Obviously some systems would lump data from multiple categories into one physical file. This is where a good parser or SIEM product would come into play.

These categories also only include log data that would generally be ‘computer generated’ and are to be considered top-level categories. Many different subcategories may exist under each.
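To illustrate the point that one physical file often lumps several of these categories together and a parser has to split them, here is an added example (not part of the original post) of a small rule-based classifier that tags each line of a mixed log with one of the ten top-level categories above. The regular expressions, the category rules and the sample log lines are constructed assumptions for illustration, not any vendor's or SIEM product's format; a real deployment would carry far more rules and per-source parsers.

```python
"""Classify mixed log lines into the top-level categories listed above.

Added example (not part of the original post): a rule-based classifier
of the kind a SIEM parser applies when one file contains several
categories. The patterns and sample lines are constructed for
illustration and are not taken from any product.
"""
import re
from collections import defaultdict

# Ordered rules: the first pattern that matches wins, so the more specific
# patterns (authentication, filter devices) are listed before generic ones.
CATEGORY_RULES = [
    ("Authentication Logs", re.compile(r"\b(Accepted|Failed) (password|publickey)\b|\blogin\b|\blogout\b", re.I)),
    ("Filter device Logs", re.compile(r"\b(DENY|ALLOW|DROP|ACCEPT)\b.*\b(SRC|src)=")),
    ("Physical Access Logs", re.compile(r"\bbadge\b|\bdoor\b", re.I)),
    ("Audit Trails", re.compile(r"\bchanged\b.*\bby user\b|integrity check|tripwire", re.I)),
    ("Exception Logs", re.compile(r"\b(ERROR|Traceback|exception)\b", re.I)),
    ("Transaction Logs", re.compile(r"\b(BEGIN|COMMIT|ROLLBACK)\b")),
    ("Traffic/Access Logs", re.compile(r'"(GET|POST|HEAD) \S+ HTTP/\d\.\d"')),
    ("Network Traces", re.compile(r"\bflow\b.*\bbytes=\d+", re.I)),
    ("Data Logger", re.compile(r"\b(temp|humidity)=[\d.]+", re.I)),
    ("Event Logs", re.compile(r"\b(started|stopped|reloaded)\b", re.I)),
]


def classify_line(line):
    """Return the first matching category, or 'Unclassified' so the line is
    kept for analyst review instead of being silently dropped."""
    for category, pattern in CATEGORY_RULES:
        if pattern.search(line):
            return category
    return "Unclassified"


def split_by_category(lines):
    """Group lines by category; each group can then get its own retention policy."""
    groups = defaultdict(list)
    for line in lines:
        groups[classify_line(line)].append(line)
    return dict(groups)


# Constructed sample of one "lumped" syslog file carrying many categories.
SAMPLE = [
    'Jan  6 10:01:02 web1 sshd[410]: Accepted password for bob from 198.51.100.9 port 40222 ssh2',
    'Jan  6 10:01:05 fw1 kernel: DENY IN=eth0 SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP DPT=23',
    'Jan  6 10:02:00 web1 httpd: 192.0.2.44 - - "GET /index.html HTTP/1.1" 200 512',
    'Jan  6 10:02:30 app1 myapp: ERROR unable to open config file',
    'Jan  6 10:03:00 db1 postgres: COMMIT txid 88213',
    'Jan  6 10:03:10 app1 myapp: service reloaded after config update',
    'Jan  6 10:04:00 dc1 envmon: temp=21.5 humidity=40',
    'Jan  6 10:04:30 door1 badge reader: badge 1187 granted at door 3',
    'Jan  6 10:05:00 cfg1 tripwire: integrity check failed for /etc/passwd',
    'Jan  6 10:05:30 nf1 nprobe: flow 192.0.2.44->192.0.2.10 bytes=1400',
    'Jan  6 10:06:00 app1 myapp: heartbeat ok',
]

if __name__ == "__main__":
    for category, lines in sorted(split_by_category(SAMPLE).items()):
        print(f"{category} ({len(lines)}):")
        for line in lines:
            print("   ", line)
```

The deliberate 'Unclassified' bucket is the important design choice: lines that match no rule are the ones most likely to reveal a missing category or an unexpected log source, so they should be surfaced, not discarded.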

Vista makes CNET’s “Top Ten Terrible Tech Products”

For those of you wondering why I haven't beaten up Vista yet… I have. I ran it from mid-beta to early release and had a very well written and thought out evaluation of its security and usability features. It was quite negative. I wrote the entire article in Notepad on my Vista machine.

One day I went to open the file to add finishing touches and proof it, and the file had disappeared. I know how silly and impossible this sounds. But it's true. I have never seen anything like it under any operating system.

That pretty much cinched it for me. I downgraded back to XP and impatiently awaited the arrival of my new mac.

That being said, I laughed aloud as I read the CNET article. It contained many lines that I couldn't help but agree with, such as…

Any operating system that provokes a campaign for its predecessor’s reintroduction deserves to be classed as terrible technology. Any operating system that quietly has a downgrade-to-previous-edition option introduced for PC makers deserves to be classed as terrible technology. Any operating system that takes six years of development but is instantly hated by hordes of PC professionals and enthusiasts deserves to be classed as terrible technology.

It’s suffering from painfully slow adoption by users and corporations alike, for good reason. I often hear the argument “All new operating systems have slow corporate adoption rates”; however, compared to 2000 and XP, as well as planned adoption surveys… it's dismal.

Conversely, adoption rates of Linux and OS X on the desktop are way up. Microsoft may finally be losing its foothold of absolute dominance, and as any industry can prove, real competition makes for better products all around.

A priest, a rabbi and a chicken

I had this posted a long time ago but removed it while interviewing with the DoD. I just didn't think that they would find the same humor in it that I did. 🙂

The LAPD, the FBI, and the CIA are all trying to prove that they are the best at apprehending criminals. The President decides to give them a test and releases a rabbit into a forest and each of them has to catch it.

The CIA goes in. They place animal informants throughout the forest. They question all plant and mineral witnesses. After three months of extensive investigation they conclude that rabbits do not exist.

The FBI goes in. After two weeks with no leads they burn the forest, killing everything in it, including the rabbit and they make no apologies. The rabbit had it coming.

The LAPD goes in. They come out two hours later with a badly beaten bear. The bear is yelling: “Okay, okay, I'm a rabbit! I'm a rabbit!”