No comment necessary for this one. (Crowne Plaza, Houston, TX)
Tuesday, August 28, 2007
Tuesday, August 21, 2007
PCI DSS
Compliance standards like the Payment Card Industry Data Security Standard (PCI DSS) define a minimum set of controls that must be in place to protect some form of information; in the case of PCI, that is cardholder data. I have been subjected to working with PCI a lot lately. What I have noticed is that companies are not using PCI (and other standards) to augment their security program, but are building their security program to these minimums.
The approach one should take with compliance programs is to apply them as constraint requirements against their security program. Implement a real security program and along the way make sure you hit the checkmarks for the standard you will be audited against. I believe one actually ends up with a stronger security posture by taking this hybrid approach.
This all may seem like common sense, but you would be surprised at the companies that get this 100% backward.
Tip: Want to know what compliance level your organization has to meet? Compliance levels are owned and decided upon by the card companies themselves. For instance, if you accept Visa and do less than 20,000 transactions per year, you are level 4.
For more information on PCI DSS:
https://www.pcisecuritystandards.org/
Monday, August 20, 2007
Sanitized input vs sanitized output
In a recent visit to a website I found XSS and SQL injection vulnerabilities in which the search capability of the site didn't properly sanitize user input. I reported this to the website owner and they promised to fix it, and did the very next day. The problem with the fix: their coders sanitized the output of the keywords, not the input, so every other place on that same page where they used those keywords was another injection point, reachable with a slightly modified input string.
So if the developer had listened to the original suggestion of input validation they wouldn't have had this secondary issue. I still think that sanitizing output is probably a good idea to avoid any race conditions between time of check and time of use (TOCTOU), in case the value can be manipulated in some other way that might avoid your magical input validation / sanitization.
Example:
http://www.________.com/search/?search=&query=%22%3E%3Cscript%3Ealert%28%22ESRL%22%29%3B%3C%2Fscript%3E%3C
Resources:
Reviewing code for XSS issues at OWASP
GNUCitizen XSS DB
XSS Cheat Sheet (rsnake)
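To make the "fixed one sink, missed the others" failure concrete, here is an added example (mine, not the site's code) in Python. It models a search page that echoes the keyword into three places, escapes only the heading the way the partial fix did, and then shows the hardened version with both allow-list input validation and context-appropriate encoding at every sink. The payload is the decoded form of the one in the example URL; the allow-list regex is a hypothetical choice for a search term.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input: decoded form of the payload shape in the example URL
# (%22%3E%3Cscript%3E... -> "><script>...).
PAYLOAD = '"><script>alert("ESRL");</script><'


def render_partial_fix(query):
    """The 'fix' described above: the keyword is escaped in one place (the
    results heading) but still echoed raw into the other sinks on the page."""
    heading = html.escape(query)  # the one sink the developers fixed
    return "\n".join([
        f"<h2>Results for {heading}</h2>",
        f'<input type="text" name="query" value="{query}">',  # raw: attribute sink
        f'<a href="/search/?query={query}">Next page</a>',    # raw: URL sink
    ])


def render_hardened(query):
    """Output encoding at every sink, with the encoder chosen for each context:
    HTML body, HTML attribute (quote=True escapes the double quote), URL component."""
    return "\n".join([
        f"<h2>Results for {html.escape(query)}</h2>",
        f'<input type="text" name="query" value="{html.escape(query, quote=True)}">',
        f'<a href="/search/?query={quote(query, safe="")}">Next page</a>',
    ])


# Hypothetical allow-list for a search term: word characters, spaces, a few punctuation marks.
ALLOWED = re.compile(r"^[\w\s.'-]{1,100}$")


def validate_query(query):
    """Input validation (the original suggestion): reject anything outside the
    allow-list before it reaches any sink, independent of how the page renders it."""
    return bool(ALLOWED.match(query))


def injects_script(page):
    """Detection helper for a code review or test suite: is a live <script>
    tag present in the rendered page?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("partial fix still vulnerable:", injects_script(render_partial_fix(PAYLOAD)))
    print("hardened vulnerable:", injects_script(render_hardened(PAYLOAD)))
    print("payload passes input validation:", validate_query(PAYLOAD))
```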
Team Tapeworm
Even though we got a lowly 5th place in the LosT@Con mysterybox challenge, our team (tapeworm) got listed on the front page of defcon.org.
Other stats of interest from the posting
"Total teams to complete the challenge: 13
Percentage of teams to complete the challenge: 52%
Total Boxen weight (combined): 821.128 lbs ;)"
Friday, August 10, 2007
Reading the signs
I have been away from home for 2 weeks and in a foul mood because of it. This actually made me laugh when I got to my gate in Houston (IAH).

This made me think. What was the root cause of this crap on the gate board? Was it bad hardware, a software bug, a l337 h@x0r or just a stupid user at the terminal? How does one efficiently differentiate a security incident from something else? There is no situation I can presently think of where a piece of code, hardware or a user not performing as expected does not impact the security of an organization. What order of operations should an admin follow when troubleshooting? Should they consider whatever problem they encounter to be a security incident and work backwards from there, or should they consider it just a problem and, until it is proven to be a vulnerability or threat against the company, proceed as if it were not security related?
Any thoughts?
Sunday, August 5, 2007
Mystery Challenge Complete
Our team finished the LosT@Con mystery challenge at Defcon 15 in 5th place. We completed it in 25 hours and 6 minutes.
The challenge required completing many different tasks.
1. Riddle solving
2. Crypto
3. Lockpicking
4. Social engineering. From what we understand we were the only team that got the hotel's maintenance staff to assist with our quest. We were unable to pick the bottom lock soooo we used a drill press. I heard some teams were able to pick it, but I cannot confirm that.
5. Constructing a circuit to read a message sent via an LED... mmm, soldering.
6. MORE riddle solving.
..oh and dialing a phone with 1337 skills.
We were told the team has a guaranteed place in next year's mystery challenge so we can bypass any pre-qualification round that might be set up, or at least I hope we can.
Saturday, August 4, 2007
Defcon Mystery Box - Phase 1 Complete
At 1:30 AM (not sure what day this is...no really I don't know) it was only Tim, myself and one stranger that decided to wander in and help. This was 12.5 hours after we received the first box. A small purple box containing clues.
1. A pad of paper with 1x21 written in it
2. An alphabet missing the letter e. The letters were printed on little books and were circular cut-outs.
3. A clue sheet with 185 (or 184, I don't remember) characters of ciphertext.
Lessons learned. Trust your instinct. The reason it took us so long was that we were using the wrong program (algorithm) to decode the text. If we had used the proper one it would have saved ohhhh about 6-8 hours of number crunching madness!
We can't get our hardware box or phase 2 box until morning because LosT has gone to bed.... will post screenshots, etc after the contest is done so I don't leak any info, but then again who the fuck reads this thing anyway?
Monday, July 30, 2007
Viva Las Vegas
Today is a good day. I'm home for once on a Monday.
Today my BASIC stamp from Parallax arrives. Software is so boring anymore that I'm starting to dive back into hardware. I never did know enough about analog electronics so mixing up the stamp with some other assorted parts should be fun.
I would love to someday put together a hardware WEP cracking device. All of those ap scanners out there that tell you when you have signal should also have a button that cracks the wep key for those wep protected ap's.
Tomorrow I head to Vegas for BlackHat / Defcon. From what I can gather from the speakers and topics this year should be pretty mindblowing. I'm especially interested in take 2 of Intranet hacking via the web browser. Naughty javascript, spank(). I'm interested to see if they bring up the HTML 5 spec and the global storage and sql support...
Tuesday, July 24, 2007
Defcon 15 - Mystery Challenge
I have never participated in a contest at Defcon. This year at Defcon 15 I will join four other individuals on a team to participate in the LosT@Con Mystery Challenge. It should be an interesting time considering all the forum banter and pictures I have seen from last year's. I will post after the contest is over to tell how we did.