Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Re: InfoSec's Waterloo and its implications (Paul D. Robertson)
2. Re: Ok, so now we have a firewall, we're safe, right? (Paul D. Robertson)
3. Re: Transitive Trust: 40 million credit cards hack'd (Vin McLellan)
4. Re: Strange Pix behavior. (Martin Mačok)
5. Re: Transitive Trust: 40 million credit cards hack'd (George Capehart)
6. RE: Transitive Trust: 40 million credit cards hack'd (Bill Royds)
7. RE: Transitive Trust: 40 million credit cards hack'd (Marcus J. Ranum)
--__--__--
Message: 1
Date: Sat, 18 Jun 2005 12:01:39 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Vin McLellan <vin@theworld.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Re: InfoSec's Waterloo and its implications
On Sat, 18 Jun 2005, Vin McLellan wrote:
> Whatever comes next is bound to be noisy and authoritative.
You forgot "and ineffective!"
We need a "Security is hard" Barbie doll on every executive's desk.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 2
Date: Sat, 18 Jun 2005 12:08:06 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: Fritz Ames <fritzames@earthlink.net>, Ben Nagy <ben@iagu.net>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
On Thu, 2 Jun 2005, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
> >I'm betting a beer that you're wrong.
>
> I'll see your beer and raise you 5.
>
I checked, and I have the non-wireless kind. The manual that came with it
told me if I was interested in security, I could find out more on their
Web site, and let me know I'd be getting their premium firewall. It did
ask me to go through the CD that was enclosed for more info- but I didn't
want to break the shrink-wrap (since I'm trying to avoid DSL from that
particular provider.)
I'm tempted to try to get copies of the manual and CD for the wireless
kit, but last time I mentioned DSL to them, they slammed my line (which is
how I ended up with the DSL kit.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 3
Date: Sat, 18 Jun 2005 13:02:07 -0400
To: firewall-wizards@honor.icsalabs.com
From: Vin McLellan <vin@theworld.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>, <hugh-list@thoughtballoon.com>
Subject: [fw-wiz] Re: Transitive Trust: 40 million credit cards hack'd
Marcus wrote:
>40M credit cards hacked
>Breach at third party payment processor affects 22 million Visa cards and
>14 million MasterCards.
>http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes
>
>This sounds like (yet another) classical example of "transitive trust gone
>wrong." Visa/MasterCard trusted a 3rd party to hold their data and - oops
>- the trust was misplaced.
><snip> <snip>
>I figure Paul and I and the other "security graybeards" can let this kind
>of thing keep happening for a few months more and then we can start
>turning on the big, blinking neon lights that say "We Told You
>So." Transitive trust is a *HARD* problem in security. Always has
>been, always will be. But today's businesses convinced themselves that
>they could basically ignore it - mostly because the obvious stuff like
>patching and vulnerability management was more obvious and accessible.
Maybe the security lessons to be drawn from the dissemination of valuable
data throughout the enterprise can be passed on to those who seek to do the
same thing in an even larger arena?
The Department of Justice, in its eternal push for more surveillance
options, has apparently just proposed regulations or legislation that would
require ISPs to concentrate and retain the data generated by their
customers in one place, so that it is convenient for the DoJ and other
lawmen to access a complete record of online behavior.
On Dave Farber's "IP" list, Hugh-list <hugh-list@thoughtballoon.com> just
posted a thought-provoking note that explored one of the unexpected
consequences likely if such legislation were enacted.
Hugh wrote:
>>So if I understand this, the DoJ would like to set up one-stop shopping
>>for identity thieves ( and terrorists ) who would be able to get an
>>internet user's credit card info, a record of what they buy from and from
>>who they buy it, any online airline ticket sales, a record of blogs,
>>email, dating services and whatever else an ISP's customer does online.
Sound familiar?
>>One of the ways the credit card companies detect fraud is by noticing new
>>and unusual behavior. Armed with the info they get from an ISP's retained
>>data, fraudsters can pick the identities of people with a history
>>consistent with the fraud they wish to perpetrate. Now in addition to old
>>fashioned credit card fraud a crook or terrorist could even more
>>successfully impersonate their victim.
>>
>>You want to buy 8 tons of ammonium nitrate or a thousand gallons of
>>diesel fuel and have it delivered to the corner of a field in a remote
>>location? What better way than to have the credit card info and address
>>of a farmer who makes these transactions on a regular basis?
>>
>>Want to get on an airplane to Washington DC but you are on one of those
>>pesky no fly lists? Just grep the convenient ISP retained records for
>>airline ticket sales to Washington DC, match those sales to members of
>>online dating services, find someone who has the "paperless ticket" for a
>>flight you want and looks like you, mug them on their way to the airport,
>>and there you are at the gate, with a ticket and a photo ID.
Does SANS, or the Computer Security Institute, or some other entity, ever
try to offer the voice of the front line InfoSec troops in response to this
sort of proposal?
Suerte,
_Vin
--__--__--
Message: 4
Date: Sat, 18 Jun 2005 19:16:20 +0200
From: Martin Mačok <martin.macok@underground.cz>
To: 'Firewall Wizards List' <firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] Strange Pix behavior.
On Thu, Jun 16, 2005 at 01:00:20AM -0700, Jim MacLeod wrote:
> It's invalid to ACK a RST, and would provoke yet another RST.
No, it's not invalid (in some scenarios). Yes, it would provoke yet
another RST.
ACKing RST is one of the countermeasures against recently debated TCP
weakness (sequence number approximation bug) where the attacker spoofs
RST packets and breaks (usually long-lived) established connections
(like BGP).
IIRC you can ACK the RST packet when it does not fit exactly into TCP
sequence but somewhere inside the (TCP) window. The provoked next RST
reply should fit exactly into sequence so this time you know the RST
was not spoofed.
(Just a side-note, sorry for the noise)
Martin Mačok
ICT Security Consultant
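The receive-side logic Martin describes, as an added example that is not code from the thread or from any vendor's TCP stack: the classic RFC 793 rule (any RST inside the receive window aborts the connection) next to the "challenge ACK" rule later standardised in RFC 5961, where an in-window but inexact RST is answered with an ACK and only a RST that then lands exactly on rcv_nxt is honoured. The connection numbers, the attacker's window-stride guesses and the legitimate peer's reply are constructed; sequence arithmetic is modulo 2**32, and the rate limiting RFC 5961 also applies to challenge ACKs is left out.

```python
"""
TCP RST handling on an ESTABLISHED connection: RFC 793 acceptance versus
the RFC 5961 "challenge ACK" rule. Constructed example; values are made up.
"""
from dataclasses import dataclass, field

SEQ_MOD = 2 ** 32


@dataclass
class Conn:
    rcv_nxt: int           # next sequence number we expect from the peer
    rcv_wnd: int           # our advertised receive window
    snd_nxt: int           # our own next sequence number (ACKs carry it)
    state: str = "ESTABLISHED"
    sent: list = field(default_factory=list)   # (kind, seq, ack) we emitted


def in_window(conn, seq):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - conn.rcv_nxt) % SEQ_MOD < conn.rcv_wnd


def handle_rst_classic(conn, seq):
    """RFC 793 behaviour: any RST inside the window tears the connection down."""
    if in_window(conn, seq):
        conn.state = "CLOSED"
        return "aborted"
    return "dropped"


def handle_rst_challenge(conn, seq):
    """RFC 5961 behaviour: an exact-sequence RST aborts; an in-window but
    inexact RST gets a challenge ACK (seq=snd_nxt, ack=rcv_nxt); the rest
    is dropped silently."""
    if seq % SEQ_MOD == conn.rcv_nxt % SEQ_MOD:
        conn.state = "CLOSED"
        return "aborted"
    if in_window(conn, seq):
        conn.sent.append(("ACK", conn.snd_nxt, conn.rcv_nxt))
        return "challenge-ack"
    return "dropped"


def blind_rst_attack(handler, conn, guesses):
    """Off-path attacker who knows the 4-tuple but not the sequence number
    sprays RSTs at window-stride guesses. Returns the number of segments it
    took to kill the connection, or None if the connection survived."""
    for n, seq in enumerate(guesses, 1):
        if handler(conn, seq) == "aborted":
            return n
    return None


def legit_reset_via_challenge(conn, peer_seq):
    """A genuine peer whose RST is in-window but ahead of rcv_nxt (it still
    had data in flight) receives our challenge ACK and answers with a RST
    whose seq is the ACK number we sent; that second RST fits exactly."""
    first = handle_rst_challenge(conn, peer_seq)
    if first != "challenge-ack":
        return [first]
    _, _, ack_num = conn.sent[-1]          # the peer copies our ACK number
    second = handle_rst_challenge(conn, ack_num)
    return [first, second]


if __name__ == "__main__":
    guesses = range(0, 2_000_000, 65_535)   # constructed: one guess per window
    c1 = Conn(rcv_nxt=1_000_000, rcv_wnd=65_535, snd_nxt=500)
    print("classic  :", blind_rst_attack(handle_rst_classic, c1, guesses), c1.state)
    c2 = Conn(rcv_nxt=1_000_000, rcv_wnd=65_535, snd_nxt=500)
    print("challenge:", blind_rst_attack(handle_rst_challenge, c2, guesses),
          c2.state, "challenge ACKs sent:", len(c2.sent))
    c3 = Conn(rcv_nxt=1_000_000, rcv_wnd=65_535, snd_nxt=500)
    print("legit    :", legit_reset_via_challenge(c3, 1_001_460), c3.state)
```

With a 64 KiB window the blind attacker needs only about 2**16 guesses to land one RST inside the window, which is why the classic rule kills the long-lived BGP session on the seventeenth constructed guess here; under the challenge rule that same guess only costs the receiver one ACK, and the spoofer, being off-path, never sees the ACK number it would need to answer with.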
--__--__--
Message: 5
Date: Sat, 18 Jun 2005 18:56:09 -0400
From: George Capehart <capegeo@opengroup.org>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Marcus J. Ranum wrote:
> 40M credit cards hacked
> Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
> http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes
>
> This sounds like (yet another) classical example of "transitive trust gone wrong."
> Visa/MasterCard trusted a 3rd party to hold their data and - oops - the trust
> was misplaced.
>
> I figure Paul and I and the other "security graybeards" can let this kind of
> thing keep happening for a few months more and then we can start turning
> on the big, blinking neon lights that say "We Told You So." Transitive
> trust is a *HARD* problem in security. Always has been, always will be.
> But today's businesses convinced themselves that they could basically
> ignore it - mostly because the obvious stuff like patching and vulnerability
> management was more obvious and accessible.
>
> The shift away from mainframe computing to departmental and distributed
> in the 80's resulted in a massive dissemination of data. Instead of data
> being held in one place in the enterprise, it's available for anyone with a
> password who can open an SQL session and make a local table to
> play with in Excel/Access. So private and sensitive data was scattered
> to - essentially everyone with a password. Now that the horse has left
> the barn, and trotted a few miles down the road, a great deal of attention
> is being paid to the latch on the barn door. To make matters worse, the
> "permissive 90's" and the "outsourcing of 2001" dramatically expanded
> both the vulnerability footprint of most enterprises at the same time as
> their trust boundaries ballooned toward the effectively infinite.
>
> Here's a position to ponder: it's probably too late to secure enterprise
> data, in all practical senses of the term "secure." What's "Plan B"?
> Is there a "Plan B"?
>
> "We told you so."
Heh. Just wait until Web services get widely deployed . . . No one is
even thinking multiple trust boundaries yet . . . much less how to make
systems operate across them. All the lessons we learned from the DCE,
CORBA, Kerberos, SESAME, et al. (about what happens when one crosses
trust boundaries (/*within* the organization*/) are about to be learned
all over again, but with a much larger population . . . It's going to be
a mess . . . And there will be no Plan B because no one has a clue what
they're getting into . . . I gave a talk at OWASP last year that
touched on this and, out of an audience of a couple of hundred people,
only a handful showed that they'd understood the magnitude of the problem.
Cheers,
/g
--__--__--
Message: 6
From: "Bill Royds" <broyds@rogers.com>
To: "'George Capehart'" <capegeo@opengroup.org>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Sat, 18 Jun 2005 19:46:07 -0400
The problem is that people have never truly analysed trust in a systematic
mathematical way.
Trust is assumed to be a transitive property when it obviously is not. If Alice
trusts Bob and Bob trusts Charles it is not true that Alice should or would
trust Charles. Trust is not even transitive. We seem to see it as a simple
relationship when it is not even well understood at all. There has recently been
some theoretical work on trust algebras (see
http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or
http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but
little of it has filtered into actual practice. Yet we are building whole
financial edifices on completely flawed understanding of how to use distributed
trust. We need to at least develop some systems that do it right so developers
have some way of learning how to create viable systems that can have distributed
security.
--__--__--
Message: 7
Date: Sat, 18 Jun 2005 21:07:45 -0400
To: "Bill Royds" <broyds@rogers.com>,
"'George Capehart'" <capegeo@opengroup.org>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Bill Royds wrote:
>The problem is that people have never truly analysed trust in a systematic
>mathematical way.
Actually, they have. There are a lot of folks who were thinking of
this stuff back when I was learning to walk. There are excellent
papers and research on the topic; Ken Thompson's Turing Award
Lecture ('on trusting trust') is a classic many of us are familiar
with (http://www.acm.org/classics/sep95/) that describes some of
the transitive trust problems in software. The Orange book guys
and the early designers of multi-level secure systems also
made interesting discoveries on trust (namely "classification creep")
There were several research projects (Truffles and Ficus) that
dealt with trust issues in shared collaborative networked filesystems,
etc. Peter Neumann has written some really interesting papers
(large!) on composable trusted architectures - trusted building
blocks. And so on...
The problem is not that people have failed to think about trust; the
problem is that (once again) computer "scientists" have utterly
failed to examine the good thinking that has gone before them,
preferring instead to pursue the science of producing 3d dancing
pigs and fancy desktop widgets instead of actually thinking about
what they're doing.
>Trust is assumed to be a transitive property when it obviously is not.
Here I get to channel for Peter (since he doesn't follow this list)
Do you mean Trust or Trustworthiness?
Trust is transitive. Trustworthiness is altogether a different proposition.
>If Alice
>Trusts Bob and Bob trusts Charles it is not true that Alice should or would
>trust Charles. Trust is not even transitive. We seem to see it as a simple
>relationship when it is not even well understood at all.
Yup.
> There has recently been
>some theoretical work on trust algebras (see
>http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or
>http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but
>little of it has filtered into actual practice.
Cool.. Reading now... Looks like their perspective is that Trust
and Trustworthiness are a matter of degree. I think that's a terminology
issue, but I'm kinda sticking with "Trust" as a platonic ideal - the
absolute, uber-Trust 100% Good Stuff. Everything else is "acceptable
risk"
Y'know it occurs to me that one metric by which we might be able
to tell that "computer science" and computer security have matured
somewhat as a field is the eventual acceptance of a body of classical
knowledge that a practitioner must be familiar with, in order to avoid
being laughed at. Other than Denning and Cheswick/Bellovin/Rubin
and maybe Schneier I'm coming up dry. Hmmm...
> Yet we are building whole
>financial edifices on completely flawed understanding of how to use distributed
>trust.
What do you mean "We" kemosabe? ;)
mjr.
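Bill's objection (Alice trusting Bob and Bob trusting Charles does not mean Alice would trust Charles) and Marcus's reply (trust propagates, trustworthiness does not) can be made concrete with a small model of the card-processor story. This is an added example, not code from the thread or from any cited paper; the parties, the handoff edges and the assurance scores are constructed. The effective exposure of the data owner's records is the transitive closure of "X hands the data to Y", the declared trust is only the parties the owner vetted directly, and the trustworthiness of the whole chain is bounded by its least trustworthy holder.

```python
"""
Effective data exposure under chained handoffs versus declared trust.
Constructed example: names, edges and scores are illustrative only.
"""
from collections import deque

# Who hands the owner's data to whom. The analytics contractor sends
# results back to the processor, so the graph contains a cycle.
HANDOFFS = {
    "issuer": ["merchant", "processor"],
    "merchant": ["processor"],
    "processor": ["backup_vendor", "analytics_contractor"],
    "analytics_contractor": ["processor"],
}

# Parties the issuer actually assessed before handing data over.
DIRECTLY_AUTHORISED = ["merchant", "processor"]

# Constructed assurance scores in [0, 1]; anyone not listed is unknown.
ASSURANCE = {"merchant": 0.9, "processor": 0.8, "backup_vendor": 0.3}


def effective_holders(handoffs, owner):
    """Everyone who can end up holding `owner`'s data: the transitive
    closure over handoff edges, computed by BFS so cycles terminate."""
    seen, queue = set(), deque([owner])
    while queue:
        node = queue.popleft()
        for nxt in handoffs.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(owner)
    return seen


def unvetted_holders(handoffs, owner, directly_authorised):
    """Holders the owner never assessed: the gap between the trust the
    owner declared and the trust it has in effect extended."""
    return effective_holders(handoffs, owner) - set(directly_authorised)


def chain_trustworthiness(holders, assurance):
    """Trustworthiness does not propagate along the chain; it is capped by
    the weakest holder. An unknown party contributes 0.0."""
    return min((assurance.get(h, 0.0) for h in holders), default=1.0)


def exposure_report(handoffs, owner, directly_authorised, assurance):
    """Summary a reviewer would want: who holds the data, who was never
    vetted, and how much assurance the chain really gives."""
    holders = effective_holders(handoffs, owner)
    return {
        "holders": sorted(holders),
        "unvetted": sorted(unvetted_holders(handoffs, owner, directly_authorised)),
        "declared_assurance": chain_trustworthiness(directly_authorised, assurance),
        "effective_assurance": chain_trustworthiness(holders, assurance),
    }


if __name__ == "__main__":
    for key, value in exposure_report(HANDOFFS, "issuer",
                                      DIRECTLY_AUTHORISED, ASSURANCE).items():
        print(f"{key:20} {value}")
```

The two assurance numbers in the report are the point: the issuer's policy says it trusts a 0.8 chain, but the data is in fact held by a backup vendor it scored at 0.3 and a contractor it never scored at all. Nothing in the policy stopped the processor from handing the data on, so trust did propagate; trustworthiness did not.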
--__--__--
End of firewall-wizards Digest