This week’s Friday Summary is sponsored by Evilsquirrel Enterprises, your World Domination Specialists.
My absolute favorite holiday of the year is Halloween. More than Christmas (possibly because I’m a non-practicing Jew), more than my birthday, and even more than Talk Like a Pirate Day.
Halloween is the ultimate geek holiday. It’s the one time of year we have an excuse to pull out our table saws, microcontrollers, and pneumatics as we build wonderful devices to soil the underwear of all the neighborhood children. I knew I was finally getting it right the first year a group of kids carefully approached our home, then ran off screaming as the motion sensor tripped and the effects kicked in. Between the business and the baby I haven’t really had time to build anything new this year, but I did finally invest in some commercial-grade fog machines. Fog, light, and sound are absolutely essential for setting a good scene, and do far more than any actual decorations.
I’ve previously used the cheap foggers from Party City or the Halloween stores, but never managed to get them to last more than 2 years in a row. I’m hoping this commercial unit will be a bit more reliable… and the 20,000 cubic feet per minute of fog it kicks out can’t hurt.
This is the 13th year, 4th location, and 2nd state for our annual Evilsquirrel party. It’s a bit smaller than the “Squirrel Wars” year where we had 300 people show up and 4 live bands, but that’s what happens when everyone runs off and starts careers and families. Needless to say, my friends and I are all tremendously amused that the whole “squirrel” meme is so big these days. Now we don’t seem quite as weird.
On to the Friday Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich quoted in The Register on Microsoft’s new anti-exploitation tool.
- Adrian on The ABCs of DAM at Dark Reading.
- The Security and Privacy Conundrum. David Mortman spoke last week to the Ohio CIO Forum about security and privacy risks in the cloud.
- Rich and Martin on The Network Security Podcast, Episode 171.
Favorite Securosis Posts
- Rich: Mort’s post on IDM.
- Adrian, Meier and Mort: Most developers don’t know what anti-exploitation measures are, which in an odd way is why Rich’s post to Add Anti-Exploitation to Applications You Didn’t Write is important. We’ve got to start somewhere…
Other Securosis Posts
- Penetration Testing Market Grows and Matures, but Faces Challenges
- Penetration Testing Market Update, Part 2
- Amazon RDS Announced
- IDM: Identity?
Favorite Outside Posts
- Rich: This Wired article on the anti-vaccination movement. It’s an extremely important article, but here’s the money quote for us security folks: “Looking back over human history, rationality has been the anomaly. Being rational takes work, education, and a sober determination to avoid making hasty inferences, even when they appear to make perfect sense. Much like infectious diseases themselves – beaten back by decades of effort to vaccinate the populace – the irrational lingers just below the surface, waiting for us to let down our guard.”
- Adrian: Jeremiah’s post on Black Box vs. White Box. QA professionals have used this ‘threshold of stability’ approach for years to gate software releases, but it seems counter-intuitive to security professionals.
- Mortman: Detecting Malice Released. Only halfway through and it is completely awesome. Best tech book I’ve read in ages. (I second that -Rich). (Meier thirds it: “Anyone I bring it up to first complains about the $40 eBook, but it’s the best technical book I’ve bought in a while.”)
- Meier: Amazon Lets Shoppers Pay With a Phrase. This is just dumb. First, we have a phrase that’s verifiably known to be taken, and second, I bet if someone did research on any web authentication mechanisms that are identified as “PIN” you could map the majority of those users’ bank PINs to their other PINs. I don’t get it. Oh and, to change your PayPhrase you have to log in anyway. Way to go, Amazon.
- Rich (2): I can’t help myself, I had a tie this week. This article from Ivan Arce at Core Security is a month old, but well worth the read.
Special – Worst Link of the Week
- “Women In IT Security Project Management”. This paper is beyond terrible. Not only is it poorly written (which it is), but it doesn’t make a lick of sense. Case in point – check out this bit from the first page:
In this study, I have tried to determine if IT security project management is a viable career choice for women. If so, do they have what it takes to be a successful IT Security Project Manager? I would like to emphasize that IT profession cannot be generalized based on gender. No conclusion has been drawn to indicate if one sex is better than the other in any of the subsets within IT field.
Isn’t it great how the author, Gurdeep Kaur, simultaneously tells us that she’s going to investigate whether one gender has the ability to do a job, and then claims that you can’t generalize on the basis of gender? You really shouldn’t read the paper, but if you do, it goes downhill from there. The analysis is shallow and suffers largely from citing lots of studies that demonstrate the problem while providing little in the way of solutions. The few suggestions provided are insulting to say the least. I’d quote more but I can’t bring myself to do it. I am amazed that SANS actually posted this to their reading room and granted the author a “Gold Certification”.
Top News and Posts
- China expands cyberspying. Duh… I hope we are too.
- Is Your Data Really Secured? by Nati Shalom. Some overlap with our Cloud Data Security series, and worth a read.
- CISCO acquires ScanSafe.
- Threat Level’s story on the 2006 Walmart Hack. Hackers foiled by their own installation of L0phtcrack!
- Nice post on Threat Modeling from the Matasano team. Indeed, software would be great if it wasn’t for the users!
- Microsoft’s response: Engineers vs. Ninjas on the Microsoft SDL Blog.
- AV Researcher published AV Tracker tool.
- NSA to run Security Data Center.
- Twitter Phish Yet Again.
- Microsoft EMET.
- More problems with malware on Twitter.
Blog Comment of the Week
This week’s best comment comes from Marc in response to Tokenization Will Become the Dominant Payment Transaction Architecture:
I always thought Chuck E. Cheese was a rat…not a mouse. That being said, I think your example of a video arcade is a good one. I have used the casino chip analogy when explaining tokenization to people. You trade the high value data (cash in the analogy and a CC# in the use case) for some lower value data (a casino chip and a piece of “tokenized” data). The problem I have with tokens though is that they still have value in a certain context. You haven’t sufficiently devalued the original data by making it a “token.” The token can still be used to perform functions, albeit in a more limited context than the original data. And I question the methodologies currently used to generate these tokens. I have yet to see any academic research that establishes that the tokens are truly random or that they are any better than hashed values. What we’ve done is traded one type of attack for one that has yet to emerge (an underground market in valid card data for one that will surely emerge trading valid token data in poorly implemented solutions). Now, coupling a token with a time-based signature or some other authentication value makes these solutions much more palatable because then I can prove the token is being properly used. There are numerous implementation issues in the different token solutions provided in the market today…and not enough discussion of provable security and standardization of those implementations…
One Reply to “Friday Summary- October 30, 2009”
Compliments to Marc for his response to “Tokenization Will Become the Dominant Payment Transaction Architecture.” I would just like to clarify what tokenization is, and is NOT, a bit more precisely.
My company, Electronic Payment Exchange (EPX), is a full transaction cycle credit card processor that first “tokenized” credit card data in 2001 (we think we were the first…long before PCI existed)…and has a patent pending for our unique process of tokenization.
The casino chip analogy is close to accurate. However, unlike a casino chip, which has value in the casino if lost or stolen from the owner, a well-constructed credit cardholder data “token” has no street value at all if accidentally compromised or deliberately stolen from a merchant. The reason is that the actual card numbers are not stored at the merchant’s location (at least with our solution), but rather they are stored in our vault…which must meet the highest level of security standards. Since they are not encryptions, but “GUID” (Globally Unique ID) numbers, the tokens we call “BRICS” cannot be reverse engineered to reveal the card number.
Aside from the security value of tokens, since they totally eliminate the presence of the card data in any form (including encrypted) within a merchant’s system, they should render most of the merchant’s technology environment “out of scope” and thus make PCI Data Security Standard compliance remarkably less burdensome.
Tokenization does, however, have a limitation, which our company addressed with a new service this summer, a hybrid of encryption and tokenization. When the data is swiped in a retail transaction, it remains vulnerable until encrypted for transport by the terminal/virtual terminal to the reader. We close this gap by using a new breed of encrypting card data reader to immediately protect the number. That way, the data is kept encrypted until it is submitted for authorization by us, as the processor, to the card networks. Once the auth response is returned, we issue transaction reference codes (tokens) to our clients in lieu of card numbers.
Thank you for allowing me to participate in the discussion.
charles.crawford@epx.com
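As an added illustration of the distinction drawn in Marc’s comment and in the reply above (random vault-issued tokens versus hashed values, and a token coupled with a time-limited authentication value so its use can be proven), here is example code that is not part of the original post, Marc’s comment, or EPX’s product. It assumes a hypothetical in-process vault, a constructed test card number, and an HMAC-based use signature; the class and function names are assumptions of this example, not anything from the page.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample PAN: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Hypothetical processor-side vault (an assumed design, not EPX's).

    The PAN is stored only here. Tokens are random identifiers with no
    mathematical relationship to the PAN, so a token by itself cannot be
    turned back into the card number, unlike a deterministic hash, which
    anyone who knows the PAN can recompute.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a fresh random one if unseen."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(16)  # 128 random bits, no PAN-derived structure
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can map a token back; merchant systems never hold this path."""
        return self._token_to_pan.get(token)


def naive_hash_token(pan: str) -> str:
    """The weaker alternative the comment questions: an unsalted hash of the PAN.

    Any party that knows the PAN can recompute this value independently, so
    it is linkable across systems and carries the PAN's low entropy with it.
    """
    return hashlib.sha256(pan.encode()).hexdigest()


def sign_token_use(key: bytes, token: str, amount_cents: int,
                   now: Optional[int] = None) -> Tuple[int, str]:
    """Bind a token to one use: HMAC over token, amount and a timestamp."""
    ts = int(time.time()) if now is None else now
    msg = f"{token}|{amount_cents}|{ts}".encode()
    return ts, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_token_use(key: bytes, token: str, amount_cents: int, ts: int,
                     sig: str, now: Optional[int] = None,
                     max_age_s: int = 300) -> bool:
    """Accept a token only with a fresh, unmodified signature.

    A token captured from one transaction cannot be reused later or for a
    different amount: the signature fails or the freshness window expires.
    """
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= max_age_s:
        return False  # stale or future-dated use
    msg = f"{token}|{amount_cents}|{ts}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("vault can detokenize:", vault.detokenize(tok) == SAMPLE_PAN)
    print("same card, second vault, unlinkable token:",
          tok != TokenVault().tokenize(SAMPLE_PAN))
    print("hash tokens are linkable:",
          naive_hash_token(SAMPLE_PAN) == naive_hash_token(SAMPLE_PAN))
    key = secrets.token_bytes(32)
    ts, sig = sign_token_use(key, tok, 1999)
    print("fresh use accepted:", verify_token_use(key, tok, 1999, ts, sig))
    print("replay an hour later rejected:",
          not verify_token_use(key, tok, 1999, ts, sig, now=ts + 3600))
```

The vault returns the same token for a repeated card so a merchant has a stable reference for recurring billing, while two independent vaults issue unrelated tokens for the same card; the hash function shows the contrasting property. The signed-use functions are one concrete form of the “time-based signature or some other authentication value” the comment mentions: possession of the token alone is not enough to transact.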