Tuesday, January 1, 2008

Bobbear: Information on Money Laundering Fraud

I'm going to be digging into this site.  Hat tip to the F-Secure blog for this site.

Money Laundering Fraud

PCI PA-DSS draft does away with requirement for persisting credit card data

One of my biggest beefs with the security technology industry and even with auditors and legislators has been to mindlessly push encryption as the solution to data theft problems.

To quote Bruce Schneier again:

The ultimate solution.  Well, the payment application vendors, supposedly prodded by the likes of Visa and Mastercard, have been recording varying levels of details about payment transactions for 18 months.  Thus, the credit card companies have been part of the problem here and with this requirement change, they can become part of the solution for once.  They have a great racket...
I did a very detailed decision tree previously that I'll have to get out there for helping design systems with privacy in mind decide what they should store and if they do store it, how long to store it and how to protect it.  The flow starts with the question:  Do you really need to store this data?  If yes, the next question would be:  For how long?  If you start with encryption, you miss out on even asking these questions which could result in _more security by design_ and _lower risk_.

It all depends on your threat model whether encryption solves your problem or not.  If the data theft is due to an application or business logic flaw, then encryption is unlikely to do anything for you (e.g. an XSS attack can reveal encrypted data just fine...)

Group drafts rules to nix credit-card storage


I've wanted a good operational definition for when you should use URI or URL and so here's my attempt:


URI refers to a resource.  e.g. urn:isbn:0-395-36341-1 for a book by ISBN

A URL is a type of a URI that provides additional information that URIs don't necessarily provide (but they can):

  • URLs tell WHERE you can obtain a particular representation of a resource -- hence the "Locator" in the name.
    • e.g., you use HTTP or FTP to access this server at this address and this specific resource (GIF file, PHP page, etc.)

A resource with a given URI could have multiple different URLs.  The same ISBN URI above can be found at Amazon or many other online URLs, for example.

Ajaxian » URI vs. URL: What’s the difference?

Uniform Resource Identifier - Wikipedia, the free encyclopedia

Caja: Capability model for javascript

This could be one of the coolest things to come along in a while.  I heard it mentioned at OWASP and then just found an article on Financial Cryptography about it as well.

FYI, wikipedia article on Capability-based security

Links » Caja: Capability Javascript
...rather than modify Javascript, we restrict it to a large subset. This means that a Caja program will run without modification on a standard Javascript interpreter - though it won’t be secure, of course! When it is compiled then, like CaPerl, the result is standard Javascript that enforces capability security. What does this mean? It means that Web apps can embed untrusted third party code without concern that it might compromise either the application’s or the user’s security.

Computer failure causes closure of Seattle downtown transit tunnel

This one boggles the mind.  I had to send it for publication in Risks. 

The Risks Digest Volume 24: Issue 93
Computer Failure Causes Closure of Seattle Downtown Transit Tunnel
The tunnel was opened, and then closed again the next day due to continued problems:

Bus tunnel closure continues
from Sound Transit, Metro and General Electric Transportation, which
was contracted to install the electrical and computer systems, were
trying Wednesday evening to figure out what caused a connection between
the tunnel and the control center to fail Monday, work Tuesday, and
then fail again.

The tunnel's electrical systems, which control the lights and
ventilation, are working, Sound Transit spokesman Bruce Gray said. But
the disruption prevented Metro's control center from remotely running
the systems. For safety, Sound Transit and Metro decided to keep the
tunnel closed.
It is supposedly open again:

RPIN - View News Release
        Downtown Seattle Transit Tunnel open Thursday morning (Dec 27th)

Avoiding URI comparison security bugs in windows APIs

This post is directly related to some work I'm going to be doing so I was happy to stumble across it in my feed reader. 

Bottom line:  Use IUri::IsEqual. 

Future extra credit:  use Reflector to find out what .Net methods for URI comparison there are and if they marshal to the good or bad methods mentioned here...

IEBlog : URI Comparison Functions
Investigating URI parsing related issues in various products, I’ve run across many instances of code erroneously attempting to compare two URIs for equality. In some cases the author writes their own comparison and seems to be unaware of URI semantics and in other cases the author delegates to a Windows provided function that doesn’t quite work for the author’s scenario. In this blog post I’ll describe some of the unmanaged URI comparison functions available to Win32 developers, and a few common mistakes to avoid.

Beware of 5-star software ratings

There are so many sites that allow downloading and rating software; you have to find the few that you can trust and use those.  And use multiple sources of information to validate the ratings. 

Beware of Five-Star Vaporware - Security Fix
U.K. computer programmer Andy Brice was proud of the awards and accolades his software had won from his peers online. That is, until he noticed that pretty much everyone else's software received the same "5-star" rating and high praise from various software directories and download sites.

Curious about just how thorough the sites are at reviewing software, Brice submitted a fake program that did absolutely nothing.

On the horrible new wiretapping law

Susan Landau - A Gateway for Hackers - washingtonpost.com
Current administration policy is replete with examples of quickly enacted efforts whose consequences led to the opposite effect. (Beware of what you wish for . . . .) With Congress caving last week, the National Security Agency no longer needs a Foreign Intelligence Surveillance Act (FISA) warrant to wiretap if one party is believed to be outside the United States. This change looks reasonable at first, but it could create huge long-term security risks for the United States.

California limits use of E-voting systems, but does not go far enough

It was unclear from my cursory read of the materials whether machines will require voter verifiable paper audit trails.  At least the Sequoia and Diebold machines must have their ballots hand-counted so it does sound like all-electronic voting is dead for those machines at least.

The full details are available here:  http://www.sos.ca.gov/elections/elections_vsr.htm

Read Rebecca Mercuri's comments in Risks on this announcment:  California Voting System Hacking Report

My favorite gem:

...let's just throw more money atadditional security mechanisms and training while we all pretend that we'reconducting legitimate elections. Good job, guys, thanks for letting the CASoS off the hook.

Here's a novel thought: why not just throw this crap in the junk heap whereit belongs, vote on paper, and let the citizens do the counting? Maybe foranother $1.8M some State can get a team of PhDs to validate that conclusion.

California Puts Limits on Use of E-voting Systems
California Secretary of State Debra Bowen has mandated tough new
security standards for the state’s e-voting systems and curtailed their
planned use after an independent review of the technology.

“Citizens do not have confidence that elections have been
fairly decided, because they don’t have faith in the integrity of the
tools,” Bowen said during a teleconference on Aug. 3.

The state will allow e-voting machines made by Diebold
Election Systems Inc. and Sequoia Voting Systems Inc. to be used only
under strict conditions. Polling stations won’t be able to have more
than one of those systems in place, and county registrars will have to
take steps such as reinstalling the software and firmware for the
devices and resetting their encryption keys.

Bowen mandated similar security measures for Hart InterCivic
Inc.’s e-voting systems, but without the single-machine limitation. She
decertified products from Election Systems & Software Inc. after it
was late in providing researchers with access to them. The ES&S
systems are being evaluated now and could be approved for use in next
year’s presidential primary, she said.

E-voting systems were used by one quarter to one-third of California voters in last November’s election, Bowen said.

But during a state-sponsored review of the machines and their
source code, a team of penetration testers found 15 security problems,
including the ability to exploit flaws in Windows.

The team reported that it was also able to overwrite
firmware, bypass system locks, forge voter cards and install a wireless
device on the back of a Diebold server.

Dspam cvs binaries and patches available for debian/ubuntu

I finally have my patches and binaries for the latest version of dspam cvs available at my oz.net page for download. There have been upwards of 30 patches applied to dspam 3.8.0 in the cvs version that fix all kinds of bugs so it is nice to be able to run the latest and greatest. It is likely to be more stable than the 3.8.0 binaries out there even for bleeding edge... Lots of memory leaks fixed as well in this version.

You can follow similar instructions from my previous post:

Postfix + DSPAM 3.8.0 + Ubuntu if you want to build this from scratch.