Now that I have a bit of down time here in Thailand and am trying to give my liver a well-deserved day of rest, I wanted, although a bit late, to provide an update to a previous posting regarding the demise of KisMAC.
The primary developer, Michael Rossberg, had decided to halt the project due to restrictive changes in German law. Well, I'm happy to report that the project has been relocated to a site in Switzerland and, by the looks of things, is alive and well. The new site is here, and the old site has been replaced with some interesting political commentary. It will be interesting to see whether Mr. Rossberg continues to commit code to the project.
Thursday, August 30, 2007
PCI - Lost in Interpretation
Several people commented on my previous PCI postings and have recommended that, when implementing PCI DSS, it should be done in the spirit and intent of the spec and not necessarily in accordance with its exact wording.
The primary point of my posts was that the spec is vague in many areas and should be rewritten or clarified.
The argument of "use the spirit, not the letter" is only good until I squander thousands of dollars on a failed PCI audit because the auditor was not interpreting the requirements in the same "spirit" as I was. Things of this nature should be specifically spelled out and carefully worded. Leaving them open to interpretation can and will cause problems. This is especially concerning now that state governments (Texas and Minnesota) are adopting this spec as state law. I believe it's only a matter of time before some poor schmuck fails an expensive PCI audit and drags this into the court system. And with it now becoming a government-mandated requirement, it's inevitable that, without improvement, interpretation is ultimately going to fall into the hands of courts that lack the proper technical background.
Green Screen of Death?
(Standard Disclaimer: As always, views, opinions, and actions expressed in this post are solely mine and in no way reflect that of my employer. Additionally, in no way is this meant to reflect negatively on Thailand, its people, or its government.)
Thailand's Internet Filtering Gone Awry
While browsing my company's website, I noticed that a lot of pages were failing to render properly. After a bit of digging, I noticed some strange behavior: some of our CSS and JavaScript files are being blocked.
For instance, the following HTTP request:
GET http://www.revolutionhealth.com/stylesheets/65919/common.css HTTP/1.1
Host: www.revolutionhealth.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Paros/3.2.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.revolutionhealth.com/omag/?ipc=B00145
Cookie: (Cookies Removed!)
Cache-Control: max-age=0
Returns the following 302 HTTP Redirect:
HTTP/1.0 302 Moved Temporarily
Server: squid/2.5.STABLE11
Mime-Version: 1.0
Date: Wed, 29 Aug 2007 10:27:00 GMT
Content-Type: text/html
Content-Length: 0
Expires: Wed, 29 Aug 2007 10:27:00 GMT
Location: http://w3.mict.go.th/ci/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy
X-Cache: MISS from 192.168.0.1
Connection: keep-alive
This of course redirects us to what is apparently known locally as "The Green Screen of Death". It seems that the local ISP used by my hotel, PROEN Internet (which, ironically enough, is listed as one of Google's badware sites, although by mistake), is filtering all web traffic through a caching/filtering Squid proxy server.
So all requests which pass through this service appear as:
GET / HTTP/1.0
Host: (Removed)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)
X-Forwarded-For: 192.168.0.198, 202.151.184.194
Cache-Control: max-age=259200
Connection: keep-alive
And in my case they are coming from 202.151.191.38, as seen by:
Aug 30 04:03:22 10.54.54.254 Aug 30 2007 04:03:30: %PIX-5-304001: 202.151.191.38 Accessed URL (Removed):/
Squid is running on port 8080 of this machine, but its use is limited by source IP address.
However, when the proxy server sees something it does not like, it redirects to the http://w3.mict.go.th/ci/blocked.html site, an IIS 6 web server hosted by Thailand's Ministry of Information and Communication Technology (ICT).
So, the obvious questions become:
- How are the block lists generated and maintained?
- Is it controlled by a central authority, or is it supplied as part of a commercial product?
- What is the process to report and remove false positives?
- Is any dynamic and/or keyword filtering being utilized, or is it based solely on a list of URLs?
- Is participation mandatory for all ISPs or is it elective?
**I know there are several ways to bypass this including Tor (which is also blocked in Thailand), various anonymous proxies, tunneling web traffic over SSH to a remote machine, etc. This post is not about that, so please don't post circumvention methods. I am much more interested in sharing knowledge of the system's design and operations.
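To make the signs of an interception proxy visible from a capture rather than by eyeballing headers, here is an added example (my own code, not part of the original post) that parses raw HTTP request and response header blocks like the ones above and reports the proxy chain advertised in Via, the client addresses accumulated in X-Forwarded-For, and whether the response is a redirect to a known block page. The block-page hostname comes from the capture in the post; the Host value "example.invalid" and the trimmed sample messages are constructed for the example.

```python
"""Detect the fingerprints of a filtering/caching proxy in an HTTP exchange.

Added example, not code from the original post. It parses raw header
blocks and reports: the Via proxy chain, X-Forwarded-For hops, and whether
the response is a 3xx redirect to a known block page.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Block-page hostnames treated as a filter verdict. The MICT host is the one
# seen in the post's capture; extend the set with what your network observes.
BLOCK_PAGE_HOSTS = {"w3.mict.go.th"}


@dataclass
class HttpMessage:
    start_line: str
    headers: list = field(default_factory=list)  # (name, value) pairs, order kept

    def get_all(self, name):
        """All values for a header; names may repeat (two X-Cache lines above)."""
        return [v for n, v in self.headers if n.lower() == name.lower()]

    def get(self, name, default=None):
        vals = self.get_all(name)
        return vals[0] if vals else default


def parse_http_message(raw):
    """Split a raw header block into a start line and (name, value) pairs."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    msg = HttpMessage(lines[0].strip())
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon separates the name
        msg.headers.append((name.strip(), value.strip()))
    return msg


def proxy_chain(request):
    """Proxy hops advertised in Via, innermost (closest to the client) first."""
    hops = []
    for via in request.get_all("Via"):
        hops.extend(hop.strip() for hop in via.split(","))
    return hops


def forwarded_clients(request):
    """Client addresses accumulated in X-Forwarded-For, innermost first."""
    addrs = []
    for xff in request.get_all("X-Forwarded-For"):
        addrs.extend(a.strip() for a in xff.split(","))
    return addrs


def is_block_page_redirect(response):
    """True if the response is a 3xx whose Location points at a block page."""
    parts = response.start_line.split()
    if len(parts) < 2 or not parts[1].startswith("3"):
        return False
    host = urlsplit(response.get("Location", "")).hostname or ""
    return host in BLOCK_PAGE_HOSTS


def analyse(request_raw, response_raw):
    """Summarise one request/response pair for a detection report."""
    req = parse_http_message(request_raw)
    resp = parse_http_message(response_raw)
    return {
        "blocked": is_block_page_redirect(resp),
        "block_page": resp.get("Location"),
        "squid_error": resp.get("X-Squid-Error"),
        "proxy_hops": proxy_chain(req),
        "client_chain": forwarded_clients(req),
    }


# Constructed samples, trimmed from the captures in the post (Host replaced).
SAMPLE_REQUEST = """GET / HTTP/1.0
Host: example.invalid
Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)
X-Forwarded-For: 192.168.0.198, 202.151.184.194
"""

SAMPLE_RESPONSE = """HTTP/1.0 302 Moved Temporarily
Server: squid/2.5.STABLE11
Content-Length: 0
Location: http://w3.mict.go.th/ci/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy
X-Cache: MISS from 192.168.0.1
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run against a proxy log or a saved capture, the "proxy_hops" and "client_chain" fields answer the question of how many proxies sit in the path (two Squid instances in the post's case), and "blocked" flags responses that were substituted by the filter rather than served by the origin, which is exactly what made the CSS and JavaScript files disappear.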
Wednesday, August 22, 2007
Monkey-House goes to Thailand
In just a few short hours I will be making that ever-so-long flight back to Thailand. From August 23rd until Sept 6th, I will be pounding the pavement in Bangkok in search of gainful employment. If anybody out there is looking for a security guru or experienced network admin based in Bangkok, please feel free to contact me. Additionally, if there is anybody in the area who is interested in a BangSec - CitySec meeting, please let me know.
Wednesday, August 08, 2007
VMware Fusion
Looks like VMware has taken its Mac OS X virtualization platform out of beta and is now shipping a finished product.
Although I am fairly happy with Parallels, I like the idea of being able to run pre-built VM images, and I am sort of intrigued by some of the new Fusion features such as:
Create powerful multi-core virtual machines
Only VMware Fusion gives you the ability to leverage the power of the dual-core processors found in most Intel-based Macs with exclusive support for VMware Virtual SMP technology.
Although the price war I hoped for didn't happen, they are currently offering a $20 rebate.
More PCI Woes
Another major complaint of mine is that the defined scope of the PCI DSS 1.1 spec does not scale very well for today's modern architectures. The applicable scope is defined as:
These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
This is all well and good for most traditional networks; however, it fails to account for key components of modern networks. Take for instance the following examples:
- Virtualization - What happens when the machines that accept and process cardholder data are virtualized? Do PCI requirements extend to every virtual machine that these machines may share hardware with? If your virtualization software allows for real-time migration of machines across a virtualization cluster, is every machine in the cluster now subject to PCI? What if administrative authentication to the virtualization management console is controlled by your internal Active Directory structure? Is that now also within scope?
- Service-Oriented Architecture/Enterprise Service Bus - The big trend in modern web applications is to provide a type of service-oriented architecture. A key component of this is what's known as an enterprise service bus (ESB). The ESB is used to connect all the machines in your production architecture to facilitate the passing of data. So, if the web server that accepts the cardholder data utilizes the ESB to transfer that data to the processing server and/or a fulfillment application, does that mean that the ESB and every machine which touches it are now subject to the PCI requirements?
(Warning, rant below!)
So surely there must be some way I can do more than whining to help address these shortcomings in the PCI DSS spec. Of course there is! For the low, low fee of $2,000 USD, I too can pay the PCI Security Standards Council to *allow* me to help them. For some odd reason, this just seems a bit backwards to me.
PCI Shortcomings
Oftentimes I run across security recommendations from security individuals who plainly have no operational experience. While in theory they sound good, they don't really work from an operational standpoint. Much to my dismay, it appears that these same sorts of individuals played a large role in composing the PCI DSS 1.1 spec.
There are several items within the PCI DSS 1.1 spec that seem simple enough on the surface, but are extremely difficult once you dive into the implementation details. For example:
10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
I am finding this item difficult to truly get my hands around. I am fine with using a tool like Tripwire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended to. The premise of file integrity tools is to notify of changes to that file, regardless of whether it's an addition or a subtraction. Continual appending to an active log file means that the file is constantly changing. If file integrity monitoring is configured not to alert on new data being added, how can it alert on data being subtracted?
For instance, how does this protect against a rogue administrator going in and removing certain log entries from the active log to cover his tracks?
Short of spending extremely large sums of money on extravagant appliance solutions such as LogLogic, how are others addressing this requirement?
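One answer to the "alert on subtraction but not on addition" puzzle is to hash a prefix rather than the whole file: record the log's length and the digest of everything up to that length, and on each check re-hash only that prefix. Appends leave the prefix untouched; an edit inside it changes the digest, and a deletion either shrinks the file below the recorded length or, if padded back up, still changes the digest. The following is an added example written for this post (my own code, not Tripwire's, LogLogic's or any product's), using SHA-256 instead of md5sum; the log lines and the tampering steps in demo() are constructed.

```python
"""Prefix-hash integrity check for a log file that is still being written to.

Added example, not from the original post. State is a (size, digest) pair
covering the bytes seen at the last check. Appends after that point do not
alert; any change within, or truncation of, the covered prefix does.
"""
import hashlib
import os
import tempfile


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of the file (streamed in chunks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Snapshot of the log as it is now: its size and the digest of all bytes."""
    size = os.path.getsize(path)
    return {"size": size, "digest": hash_prefix(path, size)}


def check(path, state):
    """Compare the log against a previous baseline.

    Returns (verdict, new_state). Verdicts:
      "ok"        - nothing but appends since the baseline
      "truncated" - the file is now shorter than the covered prefix
      "modified"  - bytes inside the covered prefix changed
    On "ok" the state advances to cover the new appends; on an alert the old
    state is returned so the tampered content is not silently accepted.
    """
    size = os.path.getsize(path)
    if size < state["size"]:
        return "truncated", state
    if hash_prefix(path, state["size"]) != state["digest"]:
        return "modified", state
    return "ok", baseline(path)


def demo():
    """Constructed walk-through; returns the verdict for each step."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as f:  # constructed sample log lines
            f.write("Aug 30 04:03:22 host sshd: Accepted publickey for alice\n")
            f.write("Aug 30 04:05:10 host sudo: alice : COMMAND=/bin/ls\n")
        state = baseline(log)

        # 1. Normal operation: a line is appended -> "ok", baseline advances.
        with open(log, "a") as f:
            f.write("Aug 30 04:07:41 host sshd: Accepted publickey for bob\n")
        verdict, state = check(log, state)
        results.append(verdict)
        with open(log) as f:
            trusted = f.readlines()  # all three lines are now covered by `state`

        # 2. Same-length edit of an existing entry -> size unchanged, digest differs.
        with open(log, "w") as f:
            f.writelines(l.replace("alice : COMMAND", "carol : COMMAND") for l in trusted)
        results.append(check(log, state)[0])

        # 3. An entry deleted outright -> file shorter than the covered prefix.
        with open(log, "w") as f:
            f.writelines(l for l in trusted if "sudo" not in l)
        results.append(check(log, state)[0])

        # 4. Entry deleted, length made up with new data -> digest of the prefix differs.
        with open(log, "w") as f:
            f.writelines(l for l in trusted if "sudo" not in l)
            f.write("Aug 30 04:09:00 host cron: job finished, padding to hide deletion\n")
        results.append(check(log, state)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The scheme only sees what changed between two checks, so a deletion that is reverted before the next run goes unnoticed, and the state itself has to live somewhere the log's administrator cannot rewrite (a separate host, or signed). Log rotation needs a fresh baseline for the new file and a whole-file hash for the rotated one, which is the part the post already handles with Tripwire.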