Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Equifax Canada (Keith A. Glass)
2. Re: Transitive Trust: 40 million credit cards hack'd (Darren Reed)
3. Re: Transitive Trust: 40 million credit cards hack'd (Marcus J. Ranum)
4. RE: Transitive Trust: 40 million credit cards hack'd (Behm, Jeffrey L.)
5. RE: Transitive Trust: 40 million credit cards hack'd (Marcus J. Ranum)
6. Whitepaper release: Risks of Passive Network Discovery Systems (Ofir Arkin)
7. Re: Equifax Canada (R. DuFresne)
8. RE: Transitive Trust: 40 million credit cards hack'd (Richards, Jim)
9. Re: Transitive Trust: 40 million credit cards hack'd (Adam Shostack)
10. RE: Transitive Trust: 40 million credit cards hack'd (Paul D. Robertson)
11. Re: Equifax Canada (Paul D. Robertson)
12. RE: Transitive Trust: 40 million credit cards hack'd (Eugene Kuznetsov)
--__--__--
Message: 1
From: "Keith A. Glass" <salgak@speakeasy.net>
To: "Paul D. Robertson" <paul@compuwar.net>,
"Adrian Grigorof" <adi@grigorof.com>
Cc: firewall-wizards@honor.icsalabs.com
Date: Mon, 20 Jun 2005 14:04:28 +0000
Subject: Re: [fw-wiz] Equifax Canada
> -----Original Message-----
> From: Paul D. Robertson [mailto:paul@compuwar.net]
> Sent: Monday, June 20, 2005 12:53 PM
> To: 'Adrian Grigorof'
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Equifax Canada
> We have to stop treating security as a service industry in companies and
> start treating it as a fiduciary responsibility. The firewall *should* be
> a hurdle to business, and business should be happy to have that hurdle-
> make it over and you should have some level of assurance that you're doing
> better than average, plow through it and you should be penalized.
Back when I ran the firewalls (20+ of them, several different types) at SEC's EDGAR project, I remember the moaning and wailing from submitters (you could either individually make EDGAR filings as a corporation, OR there were a bunch of companies that specialized in EDGAR filings. . . ).
ALL complained when we upgraded firewalls. All IMMEDIATELY stopped whining when we pointed out that if you wanted that "insider" financial information released to self-selected portions of the public prior to official release, we could always leave things the way they were. . . .
Keith
nowadays, doing firewalls for the DoD
--__--__--
Message: 2
From: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Tue, 21 Jun 2005 00:41:13 +1000 (EST)
Cc: firewall-wizards@honor.icsalabs.com
Have a read of this:
http://physicsweb.org/articles/world/17/2/2/1
and think about what the implications might be for computer security,
given how research seems to work.
Darren
--__--__--
Message: 3
Date: Mon, 20 Jun 2005 10:55:54 -0400
To: Darren Reed <darrenr@reed.wattle.id.au>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: firewall-wizards@honor.icsalabs.com
Darren Reed wrote:
>http://physicsweb.org/articles/world/17/2/2/1
>and think about what the implications might be for computer security,
>given how research seems to work.
All I can say is "ArrrrrGGGHHHHH!!!"
Are these early indications of: "Memory full: close some applications and try again."??
mjr.
--__--__--
Message: 4
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Mon, 20 Jun 2005 11:25:53 -0500
From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: "Marcus J. Ranum" <mjr@ranum.com>,
"David Lang" <david.lang@digitalinsight.com>
Cc: "Firewal Wizards" <firewall-wizards@honor.icsalabs.com>
On Sunday, June 19, 2005 4:40 PM, Marcus J. Ranum spake:
>David Lang wrote:
>> 2. require authentication that isn't fully contained on the
>> remote system (i.e. a token or one-time password, a digital
>> certificate with a passphrase is NOT good enough)
>>
>That doesn't work, either. If you assume that the endpoint is insecure
>(and it is, so that's a safe assumption) the 2 factor authentication works
>only because it's harder to bypass than a password. If everyone was
>using 2 factor authentication, you can bet hacker toolkits would be
>full of nasty rootkits and malware that stole live sessions, or typed
>keystrokes into live sessions once they came up (transparently, of course)
>
>mjr.
True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
point, it can be effective. You don't gotta outrun the bear, just
the guy next to you.
Jeff
--__--__--
Message: 5
Date: Mon, 20 Jun 2005 13:06:01 -0400
To: "Behm, Jeffrey L." <BehmJL@bvsg.com>,
"David Lang" <david.lang@digitalinsight.com>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: "Firewal Wizards" <firewall-wizards@honor.icsalabs.com>
Behm, Jeffrey L. wrote:
>You don't gotta outrun the bear, just
>the guy next to you.
That's the strategy that's gotten us where we are today.
It works great assuming the bear count remains a constant and the
bears don't suddenly all come equipped with overdrive. It also
assumes that bears exercise reason in selecting their targets.
Next-gen malware breaks all of those assumptions.
mjr.
--__--__--
Message: 6
To: firewall-wizards@honor.icsalabs.com
From: Ofir Arkin <ofir@sys-security.com>
Date: Mon, 20 Jun 2005 22:57:08 +0300
Subject: [fw-wiz] Whitepaper release: Risks of Passive Network Discovery Systems
I am pleased to announce the release of a new white paper titled:
"Risks of Passive Network Discovery Systems"
From the abstract:
This paper sheds light on the weaknesses of passive network discovery
and monitoring systems. It starts by defining passive network
discovery, and goes over the advantages and disadvantages of the
technology. It then demonstrates why passive network discovery cannot
live up to its expectation, and is unable to deliver the promise of
complete, accurate and granular network discovery and monitoring.
The white paper can be downloaded from:
http://www.insightix.com/technology-whitepapers.asp
Yours,
--
Ofir Arkin
CTO
Insightix Ltd.
http://www.insightix.com
--__--__--
Message: 7
Date: Mon, 20 Jun 2005 16:45:01 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Adrian Grigorof <adi@grigorof.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Equifax Canada
Organization: sysinfo.com
On Mon, 20 Jun 2005, Adrian Grigorof wrote:
> Apparently this was caused by "improper use of a customer's access codes and
> security password". Can Equifax force its customers (basically all the
> credit institutions and many others) to use a method of authentication
> stronger than a user id/password combination? To quote a recent post from
> Marcus J. Ranum:
>
>> How many of you could tell your customers *that*?! People scream
>> and whine over the idea of putting firewalls in (still) - now, attempting
>> to enforce a local policy against a business partner - that's patently
>> ridiculous. Right? Well, technically it's NOT ridiculous, but everyone
>> has basically blown it off.
>
> It is surely cheaper to call 600 customers once a year (ok, make that twice
> a year) than enforcing an expensive authentication infrastructure. Is it not
> a basic principle in IT security that the cost of securing same data should
> be less than what that data is worth?
But is the worth of the data here merely relational to the cost of
contacting those clients whose information was compromised? Maybe to the
company, but, I'm willing to bet the clients consider this data much more
valuable than that, I would, and their costs, the clients', are not yet
ended, especially if they're victims of identity theft...
> It is true, they lose some credibility
Which is another sense of the value and loss incurred in this case, an
additional loss.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
--__--__--
Message: 8
From: "Richards, Jim" <jim.richards@dot.state.wi.us>
To: "'Behm, Jeffrey L.'" <BehmJL@bvsg.com>,
"Marcus J. Ranum" <mjr@ranum.com>,
David Lang <david.lang@digitalinsight.com>
Cc: Firewal Wizards <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Mon, 20 Jun 2005 15:51:39 -0500
The problem with that analogy is that the bear will be much more motivated
and persistent when the runner is coated in honey (or credit card
information).
Jim Richards
Computer Security Officer
Wisconsin Department of Transportation
-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL@bvsg.com]
Sent: Monday, June 20, 2005 11:26 AM
To: Marcus J. Ranum; David Lang
Cc: Firewal Wizards
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
On Sunday, June 19, 2005 4:40 PM, Marcus J. Ranum spake:
>David Lang wrote:
>> 2. require authentication that isn't fully contained on the
>> remote system (i.e. a token or one-time password, a digital
>> certificate with a passphrase is NOT good enough)
>>
>That doesn't work, either. If you assume that the endpoint is insecure
>(and it is, so that's a safe assumption) the 2 factor authentication works
>only because it's harder to bypass than a password. If everyone was
>using 2 factor authentication, you can bet hacker toolkits would be
>full of nasty rootkits and malware that stole live sessions, or typed
>keystrokes into live sessions once they came up (transparently, of course)
>
>mjr.
True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
point, it can be effective. You don't gotta outrun the bear, just
the guy next to you.
Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--__--__--
Message: 9
Date: Mon, 20 Jun 2005 16:56:50 -0400
From: Adam Shostack <adam@homeport.org>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: "Behm, Jeffrey L." <BehmJL@bvsg.com>,
David Lang <david.lang@digitalinsight.com>,
Firewal Wizards <firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
On Mon, Jun 20, 2005 at 01:06:01PM -0400, Marcus J. Ranum wrote:
| Behm, Jeffrey L. wrote:
| >You don't gotta outrun the bear, just
| >the guy next to you.
|
| That's the strategy that's gotten us where we are today.
|
| It works great assuming the bear count remains a constant and the
| bears don't suddenly all come equipped with overdrive. It also
| assumes that bears exercise reason in selecting their targets.
| Next-gen malware breaks all of those assumptions.
I like to say that that works only until bears get machine guns.
Adam
--__--__--
Message: 10
Date: Mon, 20 Jun 2005 18:59:51 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: "Behm, Jeffrey L." <BehmJL@bvsg.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>,
David Lang <david.lang@digitalinsight.com>,
Firewal Wizards <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
On Mon, 20 Jun 2005, Behm, Jeffrey L. wrote:
> True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
> point, it can be effective. You don't gotta outrun the bear, just
> the guy next to you.
That assumes (1) a single bear OR (2) that you can outrun the bear in the
time it takes it to disable the other target.
Autonomous malcode changes that equation, as does semi-random targeting.
Now, personally, I'm all for making most of the current crop of attacker
tools outdated, not because I think it'll make us safe, but because it'll
force attackers to keep up, and I'd rather they not be provided the
option of being lazy if we all have to work too. But more importantly,
two factor authentication starts to provide a really good base for
accountability- and THAT is what we *need*. The only problem is that the
m0r0ns will all want "soft tokens" to lower the attacker's bar again.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 11
Date: Mon, 20 Jun 2005 19:07:32 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: Adrian Grigorof <adi@grigorof.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Equifax Canada
On Mon, 20 Jun 2005, R. DuFresne wrote:
> But is the worth of the data here merely relational to the cost of
> contacting those clients whose information was compromised? Maybe to the
The value of the data to the custodian of the data is a lot less than it
is to the attacker or person whose data it is.
> company, but, I'm willing to bet the clients consider this data much more
> valuable than that, I would, and their costs, the clients', are not yet
> ended, especially if they're victims of identity theft...
Nope, their clients aren't really the folks they're keeping the data on...
> > It is true, they lose some credibility
>
> Which is another sense of the value and loss incurred in this case, an
> additional loss.
But it doesn't really matter to their clients.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 12
From: "Eugene Kuznetsov" <eugene@datapower.com>
To: "'Richards, Jim'" <jim.richards@dot.state.wi.us>,
"'Behm, Jeffrey L.'" <BehmJL@bvsg.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
"'David Lang'" <david.lang@digitalinsight.com>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Mon, 20 Jun 2005 19:24:59 -0400
> >(and it is, so that's a safe assumption) the 2 factor authentication
> works
> >only because it's harder to bypass than a password. If everyone was
...
> The problem with that analogy is that the bear will be much
> more motivated
> and persistent when the runner is coated in honey (or credit card
> information).
There's an interesting thought here, one that really takes us into the realm
of epidemiology or toxicology. Bears aside, what is the expected, normal
rate of such incidents? Is it getting worse? Better? Risk factors?
Correlation?
Anyone know of any papers that try to think of computer security incidents
like "[awful-disease] clusters"?
P.S. As for outrunning bears, I don't think I like that analogy much,
especially in a complex regulatory environment, automated attack tools and
increasing emphasis on using compromised machines or data as merely a link
in a chain of malicious activity, rather than an end in itself.
P.P.S. Credit card theft is actually one of the least terrifying or damaging
things that can happen.
\\ Eugene Kuznetsov, Chairman & CTO : eugene@datapower.com
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks
--__--__--
End of firewall-wizards Digest