April 2008 Archives

I've been reading quite a few posts about Microsoft's COFEE toolkit, which seems to be designed to help forensics investigators get evidence from (presumably Windows-based) PCs.

It's amazing to see how many sources on the Internet took the original article here from the Seattle Times and came to the conclusion that this was some magical box of tricks that would instantly bypass Windows security, as opposed to just being a useful collection of forensics tools. Examples of this response are here, here, here and here.

Luckily someone at the Seattle Times did some follow-up with Microsoft to confirm that it's actually just a collection of forensics tools and doesn't bypass Windows security here.

Recently there have been some clarifications around a couple of sections of the PCI-DSS, in particular one on section 6.6.

This update has created some comment and articles but none of the ones I've read has focused on the main point, as far as I can see...

Previously there were two options for satisfying Section 6.6:

  • A Code Review (either manual or tool assisted) of in-scope web applications, or
  • Placement of an appropriately configured Web Application Firewall to protect the application

Now (unless I'm reading this incorrectly) there's an additional one:

Completion of a manual or assisted web application vulnerability review...

The confusing part is that this third option isn't split out but is listed under the "application code review" section.

My feeling is that this'll affect a lot of merchants (and vendors) if they were planning on either spending money on WAFs or Code reviews and will now use a standard web application review (which they may already be undertaking as part of other security work....)

Another interesting point which I don't know the answer to is whether a single review which covered both penetration testing techniques and web application assessment techniques could be used to satisfy 6.6 and 11.3...

I was thinking about a story I saw recently about the recent update to the british banking code

There's a lot of discussion about Internet banking users potentially being liable for fraud if their PCs aren't "secure", as a result of this update.

The code says "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."

This leads to comments of "I use Mac|Linux I don't use A-V does that mean I'll be liable"

So what we have here is, failure to communicate...

The BBA appear to be correlating having basic software security packages installed with being secure. What I expect happened is that they needed to give some kind of shorthand guidance and that was the best they could come up with.

The problem is that without more detailed guidance fraud teams in banks may use this as the definition of secure and treat anyone who falls outside it as being at fault, which would put a lot of the more Internet security savvy people in the "not secure" bucket.

Personally I run Linux at home and I don't use A-V as there's no credible threat that it would mitigate for me....

Some More UK Data Loss


http://news.bbc.co.uk/1/hi/business/7334249.stm

This time HSBC have lost 370,000 sets of personal details from insurance customers. One thing that puzzles me in the reporting of this story is the statement that

although the data on the disc was protected by a password it had not been encrypted

How do you password protect something without encrypting it?! Any software I'm aware of that does password protection will at the very least use some form of rudimentary encryption (e.g., old versions of WinZip or Office) or, in most cases (PGP, modern Office/WinZip versions), perfectly acceptable levels of encryption for most scenarios...
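To make the distinction concrete, here is an added example (not from the original post, and not modelled on any HSBC system) of the two things a vendor could mean by "password protected": a container that merely stores a password check in front of the untouched data, and one that actually derives a key from the password and encrypts the payload. The sample customer record, the salt and the container layout are all constructed for the demonstration; the stream cipher (HMAC-SHA256 in counter mode under a PBKDF2-derived key) is a stdlib-only stand-in for a real cipher such as AES-GCM, chosen so the script runs without third-party packages.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample record, standing in for one row of insurance customer data.
SAMPLE = b"name=Jane Example;policy=DEMO-0001;dob=1970-01-01"

# Fixed salt so gate_only() is reproducible; a real file would use a random one.
GATE_SALT = b"constructed-salt"
ITERATIONS = 100_000


def gate_only(password: bytes, plaintext: bytes) -> bytes:
    """'Password protection' that is only an access check.

    The file stores a salted hash of the password so a viewer can refuse to
    open it, but the payload itself is written out untouched. Anyone who reads
    the raw bytes (or the disc image) sees the customer data directly."""
    tag = hashlib.pbkdf2_hmac("sha256", password, GATE_SALT, ITERATIONS)
    return b"GATE" + GATE_SALT + tag + plaintext


def _derive_keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the password."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (demonstration cipher, not for production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(password: bytes, plaintext: bytes) -> bytes:
    """Password-based encryption: PBKDF2 key derivation, keystream XOR, then a MAC."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return b"ENC " + salt + nonce + mac + ciphertext


def decrypt(password: bytes, blob: bytes) -> bytes:
    """Reverse encrypt(); a wrong password fails the MAC check instead of leaking garbage."""
    if blob[:4] != b"ENC ":
        raise ValueError("not an encrypted container")
    salt, nonce, mac, ciphertext = blob[4:20], blob[20:36], blob[36:68], blob[68:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad password or tampered data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def leaks_plaintext(blob: bytes, needle: bytes) -> bool:
    """The check a reviewer would run on a 'protected' disc: does the raw data
    still contain recognisable customer fields?"""
    return needle in blob


if __name__ == "__main__":
    pw = b"correct horse"
    gated = gate_only(pw, SAMPLE)
    sealed = encrypt(pw, SAMPLE)
    print("gate-only container leaks policy number:", leaks_plaintext(gated, b"policy=DEMO-0001"))
    print("encrypted container leaks policy number:", leaks_plaintext(sealed, b"policy=DEMO-0001"))
    print("round trip ok:", decrypt(pw, sealed) == SAMPLE)
```

The point of `leaks_plaintext` is that the question in the post can be settled empirically: if a "password protected" disc still yields customer fields when its raw bytes are searched, the password was an application-level gate and the data should be treated as lost in the clear.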


About this Archive

This page is an archive of entries from April 2008 listed from newest to oldest.
