Entries Tagged as ''

Windows password hint?

Windows allows users to set a password hint. A user can set this hint to be the same value as their password (on XP SP2, not tested on others). Wrong.

Then I came across this (Vista SP1+):

http://support.microsoft.com/kb/946042

In summary: Setting a hint is now mandatory, but wait, if you don’t want to use it just type in something meaningless.

Two wrongs do not make a right! That would be three lefts.

Tags: sillyness, software by Dave
No Comments »

IDA Pro on the iPhone.

This popped up in my inbox today:

http://hexblog.com/2008/07/ida_on_iphone.html

0×417765736f6d6521 Another reason to get one ;-)

Tags: reverse engineering by Dave
No Comments »

CIS Benchmark Tools Suck.

There, I said it.

Tell me:

  • Why some checks have to be answered manually? (where some = too many)
  • Why the “cis value” and the observed system state(s) are NOT displayed in the report? (you have to dig through an XML file for them, pah!)
  • Why is said data not presented in detail, i.e. showing partial failures as opposed to simple traffic lights? (I understand clarity and a violation is a failure, but detail could be supplied IN THE DETAILS SECTION!) 
  • Why referencing to external sources is rubbish? (it’s nice to cross check, even if the NSA did write it)
  • Why are they written in Java? (don’t get me wrong, I’m a Java fan boy as much as the next, but sometimes a JVM is not available and installing it is just not gonna fly!)
  • Why are they NOT maintained? (e.g. rule checks relating to pre-service-pack “original” state; OK, this might be forgiven as an update standard is probably required before tool updates can occur, but the staleness is merely moved up the chain to something more important: it’s origin!)
  • And WHY SOME RULES ARE ACTUALLY WRONG? (e.g. SafeDllSearchMode is default ON in Windows 2003, yet the tool reports this as failed as it can’t find the registry key *sigh*)
Unfortunately, the CIS tools detract from the overall high quality of the standards themselves. However, they’re better than nothing.
I would like to see more maintenance. I would also like to see the rule file made more manageable (e.g. provide a UI for value tweaking, rule editing). Clearly, somewhere right now a wheel is being reinvented.

Tags: security management, software by Dave
1 Comment »

A short note on entropy.

Something popped up today regarding estimation of entropy in relation to session IDs. Here’s the example:

  • Given a session ID of length 24 and with a character set of 26, what is its potential entropy?
I’m putting this here as a reminder, as I had forgotten and had to look it up. 
The standard formula for entropy is H = log_base2(a^b), where a = the alphabet in use and b = the length of the token. In this instance a = 26 and b = 24, and when we apply the result of these to log base 2 we get ~112.8106. So, we have approximately 113 bits of available entropy.
Of course, that’s just a calculation. Often the implementation is quite different.

Tags: cryptography by Dave
No Comments »

Why does everyone hate the PCI DSS?

Just before I took a break, Hannaford was reported to have been compromised, resulting in the exposure of sensitive user data. Doh. However, the interesting aspect of this story (let’s face it, there are many breaches of personal data) was the fact that Hannaford were confirmed as being PCI DSS certified. One can imagine the shockwave this sent through the media and industry a like … a PCI company being pw0n3d? Oh no!

OK. Perhaps there was no shockwave, but what I did observe was the usual “PCI is useless” rants from a number of industry experts, bloggers, and the happy drunks that frequent my local watering hole. It seems everyone and their dog took the opportunity to slate the PCI for continuing to promote a standard that offers no real security and that it’s actually having anegative impact.

I find it odd that a (large? Who knows, statistics are not strong in the security industry … we need a new disaffected_with_security_standard metric, surely …) number of security professionals position the PCI DSS as a waste of time and nothing more than a gimic to leech more money. If only it solved all of our problems, wouldn’t that be grand?

My opinion is slightly different. Yes, I agree that the PCI DSS is not a perfect standard. Yes, I do find some of the requirements (or absence of others) odd. And seeing repetitive and sometimes strangely conflictive (depending on interpretation) goals is a little confusing, nay frustrating. However, I do look upon it as a set of security requirements (12 in all) that companies must address in order to meet contractual (legal) obligations set by the Brotherhood of the PCI. The goal? To improve security, yes! But this is perhaps more likely a consequence than the primary goal - in reality the PCI have attempted to shed some of their liability. Of course, prior to PCI VISA and Mastercard had their own programmes. Amalgamating the two made sense for their customers. Prior to these standards becoming the PCI DSS, I can’t remember there being any significant hullabaloo.

So, the PCI get to offload some liability and the world must surely get secure systems? No. Do we deserve such security? Perhaps, but maybe the companies and the QSAs should take some responsibility, too? QSA capabilities are occasionally brought into question and the approach of the PCI group’s approach to vetting, approving, and revoking QSA status has been criticised. But the companies on the front end, those poor little lambs, seem to have been forgotten or forgiven. If the PCI DSS did not exist, who would be held responsible for security? I find blaming the PCI DSS on the security failings of an organisation laughable. Perhaps the QSA could be at fault (partly), but the complexities of meeting strategic and operational goals, and the whims of certain company members, can often lead to reprioritisation, refocusing, and reaping the related rewards. As certification is only measured on a periodic basis (and quite often focuses on controls, rather than the practical aspects), surely the PCI DSS is not the source of all evil in the universe?

Should the PCI DSS be improved to meet the various expert opinions? Maybe. But I don’t think the PCI can be accused of ignoring the industry (i.e. they are strong supporters of theOWASP, which is a good thing!). Should the quality of the QSAs be further tested or made more stringent? Maybe. I don’t have any data relating to any overall perception of quality relating to the QSAs - other than they are certified through a reasonable process and that once they are certified it must mean they are in some way competent, at least sufficiently to deliver the QSA service. Should companies operating under the PCI DSS manage their security above and beyond the requierments of the standard? Yes. This I can state with confidence: these companies have many legal responsibilities and waving around a standard and shouting “Compliant!” is not the end of the journey (although journey seems to be so last year … I think now finally supposed to be baked in. Good thing Bruce sold his company already!).

In summary, I think the PCI DSS is fine for what it is: a set of security standards that companies, which deliver card processing services, must adhere to. Let’s not be too harsh on them. It’s very easy to point the finger and say “I told you so”, but another thing is defining a standard to suit a large and diverse grouping of companies (their client base) and to ensure that the up-take of such an initiative is practical. Who knows, maybe by PCI DSS version 5 everyone may have moved on to criticising Google for making the Web 4.0 (Beta) insecure. Perhaps Microshhoo!buntu will be able to offer them some emotional support.

In other PCI related news, clarifications for some of the key points within the standard have been released:

  • Information Supplement: Requirement 11.3 Penetration Testing
  • Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

The first provides a useful clarification for pentesting outfits and companies relating to “who” is authorised to perform a penetration test (under 11.3). The good news is that most peoples interpretation was correct: anyone! There are some guidelines that go with this.The second provides, again useful, clarification on how one might meet the objectives stated in 6.6. However, it should also increase the sale of WAFs ;-)

Ah, WAFs … something else I could probably sit on the fence about :p But I wont indulge, yet. Besides, plenty of people have already commented on the good, bad, and ugly of such devices.

Tags: security management by Dave
No Comments »

Setting your (virtual) stall out.

Some light hearted repition that claiming to be “secure” (especially 100% secure) can lead to a negative return on one’s marketing efforts.

For example, make bold statement:

Reap negative rewards:

Whilst security through obscurity is not recommended, making oneself a target should also be avoided. Perhaps this was not the reason, but it does lend itself to nicely joined dots.

Tags: pw0n3d by Dave
No Comments »

The origin of the species.

According to Ferbrache [1], virus development began on an Apple II. Little did these researches know that Apple would be able to turn this early blemish into a powerful marketing tool for future generations of Mac products … I guess every cloud does have its brushed steel lining.

[1] http://portal.acm.org/citation.cfm?id=573893

Tags: malware, security history by Dave
No Comments »

Akhilleus, meet Mr. Tortoise.

Welcome to the site. Things will be a bit slow to start, but we’ll get there eventually … or maybe not. I guess that’s the paradox.

Tags: Uncategorized by Dave
No Comments »