Wired has a good article covering the fact that 2007 was the worst year on record for the number of credit card and Social Security numbers disclosed to third parties.
Seriously, people, wake up. PCI might be nice, and it might set a baseline and all that nice stuff. It is still way too slow and eats way too much budget to be effective. Sure, we all need to be more secure, but the people who know how to make a company more secure actually work there, not someplace else.
This is my list of the Top 10 security stories of 2007. Since I am a Web Application Security guy, this list is slanted in that direction for sure. If you think something should be in my list that I missed, post a comment!
10. Penetration Testing Goes Prime Time – No, this is not a Tiger Team fan site! I liked the show and am looking forward to more episodes, and hopefully a few that go more into the computer side.
9. iPhone Hacking Reveals Security Press Whores – I knew this was going to happen, and it is really kinda silly. A new device comes out and it is going to have problems. Yes, they are cool hacks, but you could still smell the press whoring dripping off some of these.
8. Cross Site Request Forgery Goes Mainstream – Creating an article that Diggs itself was just the start. PDP discovered a way to backdoor Gmail accounts via XSRF in April. XSRF has been around for a while under a few different names. Expect big scary things from it in the future.
7. PCI tiptoes into Web Application Security – PCI has flirted with Web Application Security in its standard for a while. That flirtation continued with the nebulous yet specific section 6.6, which says review your code or get a web application firewall. This is a best practice that will be made a must-do in 2008. I hope they make it clear by then.
6. McAfee buys another network scanner to kill – In October McAfee announced the acquisition of ScanAlert. I covered my thoughts here. McAfee still has money and needs to diversify from its core AV business. I suspect more news in 2008.
5. Web Application Space Consolidates – First IBM acquired Watchfire, then, in a fit of jealous rage, HP acquired SPI. Neither of these seems to be a spectacular valuation, but I am sure the founders made out OK. This leaves Cenzic as the only pure-play desktop scanner out there. They are clearly going insane, with their lame attempt to cash in on the virtualization craze. (I still laugh when I read that release.) It remains rather unclear where HP and IBM are going, although it seems likely that SPI will end up part of Mercury and Watchfire will end up part of Rational. Whether the products remain standalone offerings is also unclear.
4. Full Disclosure Dies – 2007 will go down as the year full disclosure died. Crappy treatment from vendors and now web site owners has driven the good guys out and the only people left are the bad guys that are in it for the money. Which leads to…
3. Russian Business Network gets more light shone on it – Scott Berinato wrote a great series of articles covering the shadowy world of the Russian Business Network and the groups it supports. Amazing stuff, and it blows my “kids from Russia” quip out of the water. These guys are good and for real, and are raking in the big bucks.
2. Web Application Security continues to rise – I have been in this space for 10 years now and it seems to have gained more exposure this year than the previous 9 combined. A full track at BlackHat, tons of coverage in the security media, and a general understanding from the CIO crowd makes 2008 look like a breakout year.
1. TJ Maxx leaks most credit cards in history – Really, could there be any other #1? This article gives a good overview of how bad it really was inside TJ Maxx. Sadly, TJ Maxx still had issues well into the year. They finally paid up to make it all go away.
Well there is my list of the top security stories of 2007. If you have any to add post them in the comments.
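Item #8 above names the attack class but not the mechanism. The following is an added example, not code from the original post or from PDP's Gmail work: a toy in-memory "bank" with a hypothetical transfer handler written twice. The vulnerable version authorizes on the session cookie alone, which is exactly what a self-Digging article or an auto-submitting form on an attacker's page exploits, since the browser attaches the victim's cookie to the cross-site request. The hardened version requires POST plus a per-session synchronizer token that only the site's own pages can embed. All names (SESSIONS, Request, transfer_vulnerable, transfer_hardened, demo) and the sample requests are assumptions constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory "server": session id -> session state. Not a real framework.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session and issue a per-session CSRF token (assumption: one token per session)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 200}
    return sid


def csrf_token_for(sid: str) -> str:
    """The site's own page embeds this in its form; a page on another origin cannot read it."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)


def transfer_vulnerable(req: Request):
    """Authorizes on the session cookie alone. Any page the logged-in victim visits can
    submit this form (or fire it via <img src=...>) and the browser sends the cookie."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    amount = int(req.form.get("amount", 0))
    sess["balance"] -= amount
    return 200, f"sent {amount} to {req.form.get('to')}"


def transfer_hardened(req: Request):
    """Same action, but requires POST and a synchronizer token matching the session's."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        # A GET triggered by an image tag or link must never change state.
        return 405, "state-changing requests must be POST"
    supplied = req.form.get("csrf", "")
    # Constant-time comparison; a missing or guessed token fails here.
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form.get("amount", 0))
    sess["balance"] -= amount
    return 200, f"sent {amount} to {req.form.get('to')}"


def demo() -> dict:
    """Victim logs in, then visits an attacker page that fires forged requests.
    Returns the status code each handler gives each request, plus the final balance."""
    sid = login("victim")
    cookies = {"sid": sid}  # the browser sends this on the cross-site request too

    # Forged POST from a hidden auto-submitting form on the attacker's page:
    # the cookie rides along, the token does not (constructed sample).
    forged = Request("POST", cookies, {"to": "attacker", "amount": "50"})
    # The "article that Diggs itself" trick: a GET fired by an image tag.
    img_get = Request("GET", cookies, {"to": "attacker", "amount": "50"})
    # Legitimate POST from the site's own form, which embedded the token.
    legit = Request("POST", cookies, {"to": "friend", "amount": "10", "csrf": csrf_token_for(sid)})

    results = {
        "vulnerable_forged": transfer_vulnerable(forged)[0],   # 200: money gone
        "vulnerable_img_get": transfer_vulnerable(img_get)[0], # 200: money gone again
        "hardened_forged": transfer_hardened(forged)[0],       # 403: no token
        "hardened_img_get": transfer_hardened(img_get)[0],     # 405: wrong method
        "hardened_legit": transfer_hardened(legit)[0],         # 200: token matches
    }
    results["balance"] = SESSIONS[sid]["balance"]
    return results


if __name__ == "__main__":
    print(demo())
```

Requiring POST on its own is not a defense (the attacker's hidden form can POST just fine); the token is what stops the forged request, and it works only because the same-origin policy keeps the attacker's page from reading the token out of the victim's form.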
That was not what I expected, but that is mostly due to my definition of penetration test being way too narrow. Tiger Team ends up being an “It Takes a Thief” knockoff with a tech twist. In my book that makes for some good TV. I really enjoy “It Takes a Thief”, which is basically two reformed thieves breaking into people's houses. I always thought it would be cool to do that with businesses, since really most homes have pretty weak defenses. Clearly it was a great idea, since that is what Tiger Team does.
If you are looking for the latest cutting-edge computer hacking techniques, you are not going to get them in this show. The computer angle is only mentioned in passing and in very general terms. This makes sense, because most people watching are not going to understand or even care. They do use some good tech hacks though. They plant a remote-control trojan in Episode 1, and in Episode 2 they use a wireless cam and get into the customer's servers by posing as PC repair people.
Otherwise it is a thoroughly entertaining lesson in the frailties of physical security. They break into some insanely security-conscious places (a super high-end jewelry store and a rare auto dealership) and make off with the goods. This is a real wake-up call for everyone, and it pretty much mirrors what I said in my pen test vs. assessment post. Not many organizations can withstand a direct, focused attack, either physical or electronic, on their resources.
I hope to see some more of these, they are a blast to watch.
This is part of my occasional series on security consultants and how best to employ them.
Security consulting operations come in the standard small, medium and large sizes. Small shops are less than 30 consultants, medium 31-200, large 201+.
Small shops: Sometimes known as boutique firms or lifestyle firms (since the people that run them take jobs when they want and only when they want), these can be excellent resources within their specialties. Typically these are 1-5 person shops that are fairly niche focused; maybe they specialize in Web Application Security, secure development, or PCI audits.
Advantages: If you are using them in an engagement that is their specialty, you are going to get a lot of bang for your buck. Prices are generally in line with normal hourly rates, but try to get them to make a fixed-cost bid. Most of the smaller shops are terrible at estimating, and you have a lot of leeway once you get them in to push a little scope creep on them, all within reason of course. Don’t forget these people have to eat, and they might not have another gig lined up after yours.
Disadvantages: Scheduling and resources. Small shops can easily get stretched. They can generally only handle 1 or 2 engagements at the same time. If they are a lifestyle shop they like to take long vacations. If you need a time sensitive service, like incident response or forensics, it might be better to go with a larger shop or at least have a backup plan if your small shop is not available.
Medium Shops: In my opinion the medium shops are the best balance between flexibility, resources and malleability. They typically employ at least 3-4 people for any given service they are offering, so you get some decent coverage. Quality stays fairly high top to bottom. They will employ junior people, but they are not likely to send them out solo.
Advantages: Good flexibility, reasonable prices and good access to people resources.
Disadvantages: They are increasingly becoming part of traditional VAR shops, so they might be prone to push product on you. They can still run into resource issues if something big comes up. They are also prone to the bait-and-switch, where they pitch the rockstar and the new kid shows up to do the actual work.
Large Shops: Have hundreds if not thousands of consultants and a bill rate to match. Incredible appetite for large and lengthy engagements. I did time at EDS and let me tell you they are pretty evil, at least when I worked there. We would get a long term contract, then hire the cheapest talent we could find. They would then proceed to screw things up and cause other problems and we would then point out that fixing those problems was outside the scope of the contract! Cha-ching!
Advantages: No one gets fired for going with IBM, EDS or PWC. You will have a lot of people show up day 1.
Disadvantages: Masters of the bait-and-switch; the business model they run practically makes it a requirement. Not usually the home of subject matter experts. All those people that show up day 1 need a place to sit.
Who are your favorite security consultants and why?
This should be fun to watch, kinda like watching a train wreck. “Tiger Team” is a new “reality” series where they follow a security team as it tries to break into a corporation's network/property and make off with the goods.
I am going to go out on a limb and say they always get in. I don’t know any of the principals, but unless they are total idiots I would suspect they could get into any corporation. Why? Companies are generally not well equipped for a focused, no-holds-barred, non-time-limited attack. See my rather obtuse rant on penetration tests vs. assessments.
I got pinged about talking to a producer about something last year, I wonder if this was it. I will admit it would be a blast to really do this for a living but I am not sure it will make good TV.
I will be recording the first episode though. I don’t think CourtTV has high hopes as they are showing it Christmas Day at 11 PM not exactly a prime time spot.
Not underground like the Russian Business Network but not as well known as some people think. These sites and conferences will be well known to some but I am amazed that everyone does not know about them. You are uber cool if you know about them all!
2600 – An oldie but a goodie. 2600 is not professional by any stretch but the technical content is generally top notch. They often go far off the beaten path as well with articles about hacking POS systems and HVAC systems.
Sla.ckers.org Full Disclosure Forum – The Slackers Full Disclosure forum has quickly become the place for disclosing vulnerabilities in web sites. The biggest thread is the Cross Site Scripting disclosure thread titled simply “So it begins”. If your company has a site on the web you should monitor this forum to try to get a little bit of a head start should a vulnerability be disclosed on a web site you are in charge of.
XSSed.com – Similar to the Slackers full disclosure list but focused on XSS (Cross Site Scripting). One nice feature is that you can sign up for alerts, so if someone posts an XSS vulnerability on a domain you own, you will get an email. Perhaps someone at Yahoo should sign up.
Full Disclosure List – Pretty much the bleeding edge of vulnerability disclosure. Traffic is decreasing as more and more 0 days go private. Still a good list to watch for when the few remaining good guys disclose.
BlackHat Security Conference – This conference has been around for a long time but still maintains a high speaker quality. You are guaranteed at least one major disclosure or media frenzy per show.
CanSec West – From our good brothers to the north. Great, technically focused content. Has lately become as good, perhaps slightly better than BlackHat in content, still lacks in the vendor sponsored party category though.
OWASP – Since I helped found it I have to plug it. I left a long time ago and those that have come since me have built a great resource for those interested in Web Application Security.
Security Catalyst – I just joined this forum a couple of months ago. This site stands out on this list because it is not technically focused but deals more with the challenges of being a security manager/engineer. Great resource for asking those nagging compliance questions.
Google Hacking Database – Google “hacking” has been around for a while but it still works quite well. Again if you have a web presence you need to be doing these searches on your domains before someone else does.
CGI Security – The mother ship of Web Application Security news and resources. Home of the XSS FAQ. I know it is in my blogroll but really who looks at that?
and a bonus site!
Security Bloggers Network – A collection of some of the finest security blogs on the planet! OK yes I am part of this network but if you only subscribe to one feed this is the one. Nothing really makes it past this group of security bloggers. Subscribe to the RSS Feed
Some students at Santa Clara High hacked into the school’s computers. The kicker: they were found because they wrote down the passwords and left them in the library, pretty much just like in WarGames. They then used their access to look at test questions and their fellow students' homework.
WarGames was a seminal moment in my life (1983!! I am grumpy AND old!). After viewing it I knew I wanted to be involved with computers, and with computer security in particular. There is a scene at the beginning of the movie where the main character (played by Matthew Broderick) gets sent to the office on purpose so he can steal the passwords to the school's computer that are written under the secretary's desk drawer.
If you have not seen WarGames you owe it to yourself to stick it in your NetFlix queue.
I was somewhat surprised to read this post from RSnake about how good PCI is for business. I have to disagree with him. While I agree that PCI sometimes sets a floor for a minimum, it also sets a ceiling for the vast majority of organizations.
PCI compliance has become the must-have for any organization that deals in credit card data. I do think it is admirable that they are trying to shape things up, but the process is doomed to fail because of the glacial pace at which it moves. I met with some of the early PCI people in 2000 and told them they needed to include Web Application Security in the standard. They stared at me like deer in the headlights. They had no idea what I was talking about. Now, 7 years later, they have some very half-hearted and non-specific language in the standard about protecting and assessing your web application. Look at the requirements for network scanning: quarterly!?!? Are you kidding me! It is OK to have a huge gaping hole for 3 months?
So here is the rub. Organizations are spending most if not all of their security budget to become PCI compliant, and that leaves practically nothing left over to secure the things that are not covered. Large organizations will have the budget to go above and beyond the standard, but the SME market will struggle just to meet a standard that forces them to implement practices that may or may not make them more secure, often at significant cost, leaving them exposed in other areas not covered by the standard.