Thursday, December 24, 2009

PCI: An Existential Threat To Security As We Know It ?

I will be joining some very smart folks for a panel on PCI at Shmoocon next year.  Yes, PCI at a hacker con.  No, not a Pointy-Haired-Boss type presentation, but a panel discussion of PCI and its impact on our industry.  This is part of a larger effort to bring compliance issues to a broader audience, focused on PCI but with insights into the larger compliance realm- look for more presentations and some podcasts in the new year.  In this panel I will be joining Michael Dahn, Dr. Anton Chuvakin, and Joshua Corman to discuss everything from the origins of PCI through its unintended consequences and speculation about the future of PCI.

The abstract for this session:

Whether you love it, hate it, or are merely "friends with perks"- compliance is significantly changing what we call security.  PCI has been accused of being the Spawn of Satan by some, and yet it has also been credited with advancing security by others.  This panel of PCI experts, analysts, and victims will discuss and argue the realities of PCI: its origins, goals, and consequences (intentional and otherwise).  PCI is having an impact on priorities, budgets, and personnel, which is being felt throughout the security industry.  Unfortunately, there have been few informed discussions of PCI and compliance issues in the technical ranks of the security community.  This panel will bring PCI subject matter experts with real-world experience to the technical security professional and hacker audience to discuss, engage, enrage, and argue about what may well be an existential threat to information security as we know it.  The diverse viewpoints and experiences of panel members will guarantee a lively and often heated discussion, and will provide a broad base for fielding audience comments, questions, and criticisms.  Bring plenty of Shmooballs to this session, you will need all you can get.

As far as Shmoocon in general- Yes, there will be a Shmoobus.  Maybe more than one.  There will be great talks, great people, much hilarity, etc.  I hope to see you there.



Tuesday, December 1, 2009

CERT spreads marketing BS and misinformation

The US-CERT issued a bunch of new notices today.  And one is BS.  Not complete BS, there is a real problem with the way SOME web-based SSL VPNs break cross-domain security.

I have three primary problems with this, starting with the title, "Clientless SSL VPN products break web browser domain-based security models".  Of course, there is no such thing as a clientless VPN, there are just systems which install the VPN client in your browser (sometimes without user interaction), and a few just use the browser itself as the client.  Most of what I see called "clientless" are actually installing a ActiveX, Java, or other client in the browser.  "Clientless VPN" is a nonsensical marketing term which has no place in a technical discussion.

Next problem, the list of "affected systems" includes systems which are clearly not affected- and while their status is listed as "unknown", the implication is that they may be vulnerable.  For the amount of vetting that went into the list, they could have included Microsoft Word and listed it as "unknown" status.  For example, OpenVPN is listed, but it is an installed application, not web-based- and unless they have completely butchered the description there is no way OpenVPN is vulnerable to this.  Also entertaining is the listing of several Linux distributions, most tagged as "unknown" status, with the notable exception of Red Hat, which is listed as "Not Vulnerable".  Odd they would commit, or even list OSes given the multitude of VPNs which can be configured on a Linux.  Wait, not odd, useless and misleading.

Finally, and most critically, by the time we've peeled back the obvious mistakes and fluff, the full nature and extent of the vulnerability is not clear.  After a bit of de-obfuscation and digging, you can probably figure it out.  Silly me, I thought that was what CERT was supposed to do for us when they issued these notices.

There are two posts on the topic over at Securosis that are worth a read, the first post isn't great, but the comments are.  The second one is a good clarification of the first.