Saturday, 15 March 2008

Frugality: Make no expense but to do good to others or yourself; i.e., waste nothing

Frugality: Make no expense but to do good to others or yourself; i.e., waste nothing.

Off overseas and I have to be Frugal. The wife will make up for this in the shops. I do not expect to go well in this target either.

As for last week:

"Resolution: Resolve to perform what you ought; perform without fail what you resolve."

I completed the SANS courseware reading and the book chapters (though one of them was 80 pages). I am up with the writing tasks for my own book.

I am behind with the prac exams. I achieved about 50% on this one.

I racked up 37 breaches of things I set myself.

I had a resolution to start writing last Saturday by 10am. I started at 12.30pm. The joint resolution was over 6 hours writing and a completed chapter. Two completed chapters by Sunday night. I made this with less sleep than I planned and missed the sleep resolution of 6 hours min.

I resolved to drink less coffee. At 6 cups per day average - a big fail here. (Though better than the 15 I used to do). I resolved on fewer calories. I had a few breaches but was ok as I also made the Gym each day as planned.

Friday, 14 March 2008

Off for the week

My wife and I are flying off to the Americas - so for the next week, expect things to be quiet...

Problems with resets

When a user forgets their password on most e-commerce sites, there generally exists a reset function allowing them to reset or create a new passphrase. The question here is, if you require users to have eight characters or more in their password, why would you allow such a common reset function?

The answer is simplicity. We don't want to make things difficult for the customer. This is a valid concern; however, how many customers do we expect to retain if their credentials are compromised?

Some of the more common secret questions include:

  • What type of vehicle was your first car?
  • What is your favourite colour?
  • What is the name of your pet?
  • What is your mother's maiden name?
The issue with these is quite simple: they provide very small key spaces. If we look at them one by one we can see just how small they actually are. First, the type of vehicle of your first car can be guessed from a key space of approximately 30 major manufacturers. If we know something more about the user this can be narrowed down further, but even at worst, most of the accounts will yield to the equivalent of a one-character password.

Next, how many colours are there? This is a confusing question in a way, as we are not looking at how many colours actually exist but at how many common names for colours exist. The fact that your computer displays 16 million or more colours is irrelevant; ask yourself how many of those you can actually name. In fact, there are seven main colours that people are likely to choose out of a possible choice (dependent on their vocabulary) of between 20 and 100. By selecting a "key space" of 20 we would account for at least 95% of the population. After all, we do not need every account on a system, just the majority of them.

The name of your pet is another common question with a simple answer. The majority of people use the same names for their pets, and on top of this the names are generally easy to discover, as they may be blogged, stored on social networking sites or otherwise easily available. Our key space would be expected to be in the order of 20 to 30 names to cover about 90% of the population.

The last secret is a little more difficult, except of course if your mother had Smith, Jones or Wright as a last name, for instance. In this case the secret name space is larger; however, it is still simple to compromise. It is generally not that difficult to find out someone's mother's maiden name. The increasing use of genealogy networks, blogging and other means makes targeted attacks extremely simple.

When setting secret questions, it is essential that multiple questions are selected. Have the client create three or four secret question and answer combinations, and randomly assign two of these at the time of reset. Compared with a simple recovery from a single short question, this at least adds an element of randomness and makes the reset more difficult to compromise.

Even taking into account a random selection from 4 questions, our key space is still only in the order of 200k combinations (most of which are dictionary words). We're still only looking at something simple, but at least it is a marked improvement on the single question and its 1-in-20 guessing exercise.
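To put numbers on the key-space argument above, here is an added model (not code from the original post) that gives each answer pool a constructed Zipf-shaped popularity curve, then measures how many guesses open a given share of accounts for a single question, for two questions combined, and for the post's random-pair-of-four mitigation. The pool sizes (20 colours, 30 pet names, 30 car makes, 200 maiden names) are assumptions following the post's estimates, not survey data.

```python
from itertools import product
from math import log2


def zipf_distribution(answers):
    """Constructed popularity model (not survey data): the i-th most common
    answer carries weight 1/i, so a few popular answers dominate."""
    weights = [1.0 / (i + 1) for i in range(len(answers))]
    total = sum(weights)
    return {a: w / total for a, w in zip(answers, weights)}


def combine(*dists):
    """Joint distribution over several questions answered independently."""
    joint = {}
    for combo in product(*(d.items() for d in dists)):
        p = 1.0
        for _, q in combo:
            p *= q
        joint[tuple(a for a, _ in combo)] = p
    return joint


def guesses_to_cover(dist, fraction):
    """Guesses (most popular answer first) before `fraction` of accounts fall."""
    covered, n = 0.0, 0
    for p in sorted(dist.values(), reverse=True):
        covered += p
        n += 1
        if covered >= fraction:
            break
    return n


def fraction_covered(dist, budget):
    """Share of accounts an attacker limited to `budget` guesses can open."""
    return sum(sorted(dist.values(), reverse=True)[:budget])


def entropy_bits(dist):
    """Shannon entropy; a random 8-character printable-ASCII password is ~52 bits."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def random_pair_coverage(dists, budget):
    """The post's mitigation: enrol several questions and ask two chosen at
    random at reset time; average the attacker's coverage over all pairs."""
    pairs = [(a, b) for i, a in enumerate(dists) for b in dists[i + 1:]]
    return sum(fraction_covered(combine(a, b), budget) for a, b in pairs) / len(pairs)


# Answer pools sized as the post estimates: ~20 colours, ~30 pet names,
# ~30 car makes and a larger pool for mother's maiden name (all constructed).
COLOURS = zipf_distribution([f"colour{i}" for i in range(20)])
PETS = zipf_distribution([f"pet{i}" for i in range(30)])
CARS = zipf_distribution([f"make{i}" for i in range(30)])
MAIDEN = zipf_distribution([f"surname{i}" for i in range(200)])

if __name__ == "__main__":
    print("colour alone, guesses to open half the accounts:", guesses_to_cover(COLOURS, 0.5))
    print("colour + pet, guesses to open half the accounts:",
          guesses_to_cover(combine(COLOURS, PETS), 0.5))
    print("10 guesses against colour alone cover", round(fraction_covered(COLOURS, 10), 2))
    print("10 guesses against a random pair of four cover",
          round(random_pair_coverage([COLOURS, PETS, CARS, MAIDEN], 10), 2))
```

Under this model three guesses at the colour question open half the accounts, and ten guesses open over 80%; asking a random pair of questions drops the same ten-guess budget to well under a third of accounts.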

Thursday, 13 March 2008

PCI and HackerSafe

It is stated that the online "PCI Wizard" is "making PCI compliance more affordable and more reliable for merchants of all sizes. This service is only available through McAfee and includes expert step-by-step guidance allowing you to quickly meet all PCI requirements".

How do they configure a sites policies?
"The PCI standard requires you to maintain an Information Security Policy. Our example policy and implementation guidelines greatly simplify the overall compliance process."

Why bother with the truth? Section 12 requires NOT ONLY that the policy is created, but that it is also put into effect. To quote from a policy made using this service: "12.9.5. Company X does not use IDS, but if it does receive any such alerts it will act on them". Please explain to me how this is compliant with PCI-DSS?

How do they test wireless? How do they set encryption on a database?
Self assessment. The issue is that I am YET to see one that was completed correctly using such a service.

It's a kind of magic.

HackerSafe is an external vulnerability testing service. If it were stated as such and they admitted the limitations, my issues with the service would be moot. However, the reality is different.

The issue is twofold:

  1. “HackerSafe” implies to the average user of the service that it is Safe from Hackers.
  2. There is no requirement or need for other services. This service states that you will be compliant with PCI-DSS if you have no vulnerabilities. This is false and misleading.

The Australian Trade Practices Act (1974 - SECT 75AZC) mirrors many others in other jurisdictions and is similar to other provisions in the UK, EU and US.

It states:

False or misleading representations
(1) A corporation must not, in trade or commerce, in connection with the supply or possible supply of goods or services, or in connection with the promotion by any means of the supply or use of goods or services, do any of the following:

  1. falsely represent that goods are of a particular standard, quality, value, grade, composition, style or model, or have had a particular history or particular previous use;
  2. falsely represent that services are of a particular standard, quality, value or grade;
  3. falsely represent that goods are new;
  4. falsely represent that a particular person has agreed to acquire goods or services;
  5. represent that goods or services have sponsorship, approval, performance characteristics, accessories, uses or benefits they do not have;
  6. represent that the corporation has a sponsorship, approval or affiliation it does not have;
  7. make a false or misleading representation about the price of goods or services;
  8. make a false or misleading representation about the availability of facilities for the repair of goods or of spare parts for goods;
  9. make a false or misleading representation about the place of origin of goods;
  10. make a false or misleading representation about the need for any goods or services;
  11. make a false or misleading representation about the existence, exclusion or effect of any condition, warranty, guarantee, right or remedy.

So let's look at the issues.

  1. "HackerSafe" constitutes a service under the provisions of the act.
  2. "HackerSafe" represents that it is a service that offers 99.9% effective protection. In fact the quote is "HACKER SAFE - HACKER SAFE certified sites prevent over 99.9% of hacker crime." This is a representation that the "service is of a particular standard, quality, value or grade". This is false. This is a breach of the act. This is an illegal claim.
  3. "HackerSafe" represents that their service has certain performance characteristics and benefits (see 5 above). The claim is "HACKER SAFE sites are tested and certified daily to pass the Payment Card Industry (PCI) Data Security Standard requirements". This is a claim to benefits that they do not have. This is a false claim and illegal.
  4. I can go on - but this is enough for this post.

Claim - HACKER SAFE - HACKER SAFE certified sites prevent over 99.9% of hacker crime.

This is a blatantly false claim. Scan Alert came into existence in a period where computer crime existed. This claim asserts that they have single-handedly stopped 999 in 1000 computer crimes. This would have to mean that -

  • The external scan is stopping internal attacks,
  • Fraud using computers has been curbed and significantly,
  • computer crime is on the decrease.

The US DOJ has statistics on crime. This is available here.

The statistics do not match the claim. There is no statistical correlation between the claim and the facts. This claim has to be rejected at ANY level of statistical accuracy. Basically this is puffery at best and an outright misrepresentation. This is illegal under the Australian Trade Practices Act.

Claim - HACKER SAFE sites are tested and certified daily to pass the Payment Card Industry (PCI) Data Security Standard requirements

As I stated in my last post, the PCI-DSS requires that several internal controls are in place. "HackerSafe" does not test internal controls. Thus there is a logical disjoint in their statement. This is at best a misrepresentation and a lie.

So, at the end of this they are spreading false belief in a secure system. They create delusion. They are doing the industry a disservice. Marketing lies are lies. There is no distinction. We may be used to puffery, but this does not excuse it.

Wednesday, 12 March 2008

A call to use “Hacker Safe” scanning services.

McAfee’s “Hacker Safe” states that they will “certify our merchants to the PCI standard”. This is an amazing claim for a remote scan service. It is amazing in that the PCI standard is not just about vulnerability scanning but is rather about security. I find it interesting how a remote vulnerability service can claim that they will ensure you have compliant security policies, that the database they never check is encrypted, that the firewall has been validated internally and externally, and that user awareness training has been conducted. On top of this, the idea of claiming that a site is secured to PCI-DSS requirements on wireless when you don’t verify wireless in your test is astounding at best.

To quote Queen, “it’s a kind of magic”. This is the only way I can see that it could work. Maybe they waved their fingers, said some magic words and hey presto… security magic.

For this reason I would call on all vendors that are not PCI compliant to use Scan Alert.

After all, they claim you will be compliant if you pass the scan. Why bother actually doing all the costly work to become compliant when you can pay a small fee and set up filters?

Why do I state my disbelief? Well, real world experience helps. As I have demonstrated in research, external vulnerability scans find very few if any vulnerabilities when compared with a proper, competent audit. The service only goes to prove my claim in the field.

Why would you want to go with a service that probably won’t find much, if anything, leaving you non-compliant? Because they claim to find and stop nearly all attacks. They promise that you will be compliant. The consequence is that when Visa comes knocking you’ll have another party to join into the lawsuit. Why worry about actually making the site secure when you can join a party and add a cross-claim?

So what is actually the problem?
Well, the reality is that nearly all the sites I have seen that run the “Hacker Safe” logo are not secure. On top of that they are not compliant with PCI in any sense of the word. The problem is that an external scan just does not show this. None of the sites that I have seen running the “Hacker Safe” logo use an IDS, monitor their logs, maintain their logs adequately or even patch effectively.

A number of sites I’ve seen actually filter the addresses that they are being scanned from. Yet they still bear the logo. This does not mean that they actively filter everything from HackerSafe, just that they are selective. In particular, I know of one site that has gone to a fair bit of effort creating access control lists, web filters and a variety of controls designed to bypass the checks made by HackerSafe. In fact, the effort that they have gone to in ensuring that HackerSafe does not remove their certification exceeds the level of effort that would be required to fix the problem in the first place.

It is quoted that “since Hacker Safe checks the server daily, if it finds a vulnerability that is not corrected within 72 hours your seal is removed until the problem is fixed”. I find this amazing as well. I have seen a site running this logo with a regular patch process. The process is regular in that it occurs every three months. Once every three months the patches that are considered at the site to be “acceptable” are installed. This site is running on IIS. I would ask how often patches come out from Microsoft (for IIS on Windows 2000)? I seem to remember it is more than quarterly.

So again, use Scan Alert. I want to see a class action from people when their non-compliance with PCI comes to fruition. I want to see the actions from consumers.

Tuesday, 11 March 2008


Sploggers are one of the most common sources of plagiarism on the Internet. A small number of resolute and capable Sploggers can steal content from thousands of different sites, scraping RSS feeds from them and stealing the content. The change is that many “black hats” have taken up the art. The profit motivation of Sploggers is obvious; how they make a profit is less obvious.

Splogs were certainly not intended for humans to view. Human-visited Splogs are high risk with little prospective gain. Rather, Splogs consist of links to other sites which are more often than not long junk domains burdened with keywords and metatags. The idea is to have search engines pick up their site. A Splogger’s site will typically consist of nothing but keywords and metatags loaded into the HTTP header with a small amount of random text (usually copied from another site) and numerous diverse groups of text ads arranged to look alternately like search results or regular links. By the time the site is ready to be used, over 90% of the site consists of ads from Adsense or a comparable service.

With sufficient spam links to the site, it is anticipated that the Splogger will rank highly in the search rankings and be besieged by visitors to those sites who they expect will click on the links (Note: According to most SEO experts and my own research, this does NOT work. You can only expedite getting listed, not drastically improve your ranking, thus hundreds of junk posts are a waste). It is hoped that the targeted visitors will subsequently click on the ads, either out of curiosity or due to the mistaken belief that they are regular links. Splogging is a classic example of black hat search engine optimisation (SEO) that merely involves extensive plagiarism to make it work.

The expression “splog” was popularized in August 2005 when it was used publicly by Mark Cuban. The name was used sporadically prior to this in describing spam blogs, going back to at least 2003. The “art” developed from many linkblogs that were attempting to manipulate search indexes and others attempting to Google-bomb every word in the dictionary.

It has been estimated that about one in five blogs are spam blogs. These fake blogs waste disk space and bandwidth as well as polluting search engine results, ruining blog search engines and damaging a blogger’s community networking. Google's search engine uses PageRank, which is susceptible to link flooding, especially from highly weighted bloggers.

RSS abuse
Full content RSS feeds make the splog problem worse, as an RSS feed simplifies the copying of content from genuine blogs. Splog RSS feeds pollute RSS search engines, and are reproduced and propagated throughout the Internet.

A number of splog reporting services have arisen, allowing Internet users to report splogs with plans to offer these splog URLs to search engines so that they can be excluded from search results. These services started with Splog Reporter. Some of the main services include:

  • SplogSpot, which maintains a large database of Splogs and makes it available to the public via APIs.
  • A2B blocks web server IP addresses that splog URLs resolve to.
  • A Feed Copyrighter plugin (for WordPress) allows for the automatic addition of copyright messages to a feed, so Splogs can be easily spotted and reported by visitors or through Google search.
  • TrustRank attempts to automatically find Splogs.
  • Blogger has implemented a system that can detect Splogs and then force them to take a Captcha 'spell this word' test.

Monday, 10 March 2008

Unnecessary Services

It is essential to always ensure that servers are hardened (i.e. patched and unused services removed) prior to having a system “go live”. The auditor’s role is to verify that any new system is configured against the baseline standard. A default install of nearly any Operating System leaves a vast number of services running which, at best, are likely never to be used, or at worst, leave ports open to external break-ins. The first stage in removing unneeded services is to work out which services are running on a host and to decide which are essential services needed for the operation of the system. UNIX is no different. In fact, the primary difference with UNIX is that although it starts with many enabled services, it can be quite simple to turn these off and configure the host as a bastion running only a single service.

In many cases it is also possible to further restrict the individual services on the host. Many services are configurable with access control conditions or lists to further restrict the services needed on a host. A good example of this would be restricting access via SSH to an administrative LAN using the SSH server configuration directives. Client systems and desktops as well as servers and network devices come installed with excessive services enabled by default. It is important to remember that removing them not only makes the system more secure but increases the system's efficiency and thus:

  1. Makes the systems better value for money (increases ROI),
  2. Makes administration and diagnostics on the host easier.
In this pursuit, netstat is one of the most effective tools available to the auditor. This tool lists all active connections in addition to the ports where programs are listening for connections. Simply use the command “netstat -p -a --inet” for a listing of this information. Note however that many versions of UNIX do not support the “netstat -p” option. Consequently, on those systems it may be necessary to use other tools in order to find process information.

Turning Off Services in UNIX
This process will vary dependent on the version of UNIX or Linux being run. Most settings are contained within configuration files, though some UNIX variants (such as HP-UX) have a registry system. Always ensure that you have thoroughly investigated the system that you are going to audit before you start the audit.

Controlling Services at Boot Time
Before we get into how services are started, we will briefly look at how their underlying stack may be configured. The reason for this is that individual services will be impacted through the underlying configurations. The file “/etc/sysctl.conf” is common to the majority of UNIX systems. The contents, configuration and manner of processing will vary across systems. The sysctl (System Control) configuration will in the majority of cases control the system configurations that are of prime importance to the auditor. All of the options listed below may not be found in this file, but they may be included in one format or another.
  • ip_forward: This option lets the IP stack act as a router and forward packets. Multiple interfaces are not required for this functionality.
  • accept_source_route: This setting configures the operating system to accept source routed packets.
  • tcp_max_syn_backlog: This setting allows the configurations of the maximum number of SYNs in the wait state.
  • rp_filter: This setting provides basic IP spoofing protection for incoming packets.
  • accept_redirects: This setting configures the network stack to accept redirect messages and allow them to alter routing tables.
  • tcp_syncookies: This setting provides syn-cookie based protection against syn flood DOS attacks.
  • send_redirects: This setting controls whether or not the system can generate redirect messages.
  • accept_redirects: This setting is a secondary control used to configure redirect acceptance behavior.
The auditor should create a script to test these settings. The benefits are twofold:
  1. The settings may be initially tested against an agreed baseline standard, and
  2. The settings may be tested over time, such that a system may be compared to its baseline standard and a change log can be kept.
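An added example of the kind of script the last paragraph calls for (not code from the original post): it parses `sysctl -a` style “key = value” output, compares the settings listed above against an agreed baseline, and diffs two snapshots for the change log. The Linux key names and the baseline values are assumptions; other UNIX systems use different names and the baseline would need editing.

```python
import subprocess

# Agreed baseline (assumed values): "eq" must match exactly, "ge" is a floor,
# since a larger SYN backlog is not a weakening of the setting.
BASELINE = {
    "net.ipv4.ip_forward": ("eq", 0),
    "net.ipv4.conf.all.accept_source_route": ("eq", 0),
    "net.ipv4.conf.all.rp_filter": ("eq", 1),
    "net.ipv4.conf.all.accept_redirects": ("eq", 0),
    "net.ipv4.conf.all.send_redirects": ("eq", 0),
    "net.ipv4.tcp_syncookies": ("eq", 1),
    "net.ipv4.tcp_max_syn_backlog": ("ge", 1024),
}


def parse_sysctl(text):
    """Parse 'key = value' lines (as printed by `sysctl -a`) into a dict."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # comments, blank lines, permission-denied noise
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Return (key, expected, actual) for every drift; actual is None if absent."""
    drifts = []
    for key, (mode, expected) in baseline.items():
        raw = settings.get(key)
        if raw is None:
            drifts.append((key, expected, None))
            continue
        try:
            actual = int(raw.split()[0])  # first field of multi-value keys
        except ValueError:
            drifts.append((key, expected, raw))
            continue
        ok = actual == expected if mode == "eq" else actual >= expected
        if not ok:
            drifts.append((key, expected, actual))
    return drifts


def snapshot_live():
    """Capture the running host's settings (Linux `sysctl -a`) for the change log."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=False)
    return parse_sysctl(out.stdout)


def diff_snapshots(old, new):
    """Change log between two snapshots: key -> (old value, new value)."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}


# Constructed sample dump (not from a real host): two settings drift from the
# baseline and the SYN backlog key is missing altogether.
SAMPLE_DUMP = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_syncookies = 1
"""

if __name__ == "__main__":
    for key, expected, actual in check_baseline(parse_sysctl(SAMPLE_DUMP)):
        print(f"DRIFT {key}: expected {expected}, actual {'MISSING' if actual is None else actual}")
```

Store each day's `snapshot_live()` output and run `diff_snapshots` against the previous one to keep the change log the second benefit describes.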

Sunday, 9 March 2008

Sunday and something is a little fowl...

Boo Hiss, I know the pun is bad. These are a few of my chickens. And here is one of my giant mutant carrots. Ignore me. I am the dopey looking guy in the photo holding the carrot. This weekend has become a write-off. I lost a few hours of time I do not have due to a flat tyre. This should not be an issue - barring the fact I had no tools in the car. I should have tools in the car - hence why I was also a little "pissed" today. A couple of weeks ago I had the tyres replaced on the car. I did not think to check that they would not take my tools from under the spare...

Well, live and learn. You would think that stealing a few second hand tools would be beyond people, but I guess not. Well, I am home. Thanks to "Tyre Weld" (TM). I keep a couple of cans of this in the car at all times. This at least had me make a servo where I was able to have a loan of a few tools and change the tyre.

New tyre needed after setting a record 2 weeks tyre life. I did this as I could not change it and had to drive with a semi-flat tyre and now the side wall is damaged.