Wednesday, June 22, 2005

firewall-wizards digest, Vol 1 #1620 - 11 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: Transitive Trust: 40 million credit cards hack'd (Paul Melson)
2. RE: Transitive Trust: 40 million credit cards hack'd (Behm, Jeffrey L.)
3. RE: Transitive Trust: 40 million credit cards hack'd (Paul Melson)
4. RE: Transitive Trust: 40 million credit cards hack'd (Behm, Jeffrey L.)
5. RE: Transitive Trust: 40 million credit cards hack'd (Brian Loe)
6. RE: Broken Analogies (was: Transitive Trust) (Brian Loe)
7. RE: Transitive Trust: 40 million credit cards hack'd (Paul Melson)
8. RE: Transitive Trust: 40 million credit cards hack'd (Stetser Dan Contr Det 4/LAN)
9. Re: Transitive Trust: 40 million credit cards hack'd (Kevin)
10. Re: Equifax Canada (Mark Teicher)
11. Re: Equifax Canada (Mircea MITU)

--__--__--

Message: 1
From: "Paul Melson" <pmelson@gmail.com>
To: "'Behm, Jeffrey L.'" <BehmJL@bvsg.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
"'David Lang'" <david.lang@digitalinsight.com>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 09:19:33 -0400

The problem with that strategy being, you assume that there's only one bear.

PaulM

-----Original Message-----
True, Marcus, but not everyone _does_ use 2 factor auth. So, at this point,
it can be effective. You don't gotta outrun the bear, just the guy next to
you.

--__--__--

Message: 2
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 08:29:13 -0500
From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: "Paul Melson" <pmelson@gmail.com>,
"Marcus J. Ranum" <mjr@ranum.com>,
"David Lang" <david.lang@digitalinsight.com>
Cc: "Firewal Wizards" <firewall-wizards@honor.icsalabs.com>

And you (and others) assume there's only two runners.

I still think I'll make an attempt to out run the bear and
be as tough a target as I can afford, and hope the bear is
smart enough to pursue the easy targets.

The point is, don't make yourself the _easy_ target, when there are
things you can do that the other (easier targets) aren't doing.
When there are enough bears and few targets, everyone will get
attacked, but don't lightly toss aside the benefit of making
yourself as hard a target as you can afford. Right now, there
are still plenty of honey-soaked targets for the bears to enjoy.

I'm not necessarily saying this is a completely fail-safe way to
secure your environment, but from what I have seen of other
environments, at least the honey isn't dripping off you and
leaving a trail for the bear to easily follow. Let it drip off
the other guy(s).

Jeff

-----Original Message-----
From: Paul Melson

The problem with that strategy being, you assume that there's only one
bear.

PaulM

-----Original Message-----
True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
point,
it can be effective. You don't gotta outrun the bear, just the guy next
to
you.

--__--__--

Message: 3
From: "Paul Melson" <pmelson@gmail.com>
To: "'Behm, Jeffrey L.'" <BehmJL@bvsg.com>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
"'David Lang'" <david.lang@digitalinsight.com>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 10:16:22 -0400

It's a failed analogy all around, though. In the case of bear vs. runner,
one bear can only maul one runner at one time. I've got screens and screens
worth of alert data that show that a single e-bear can chase and maul
thousands of runners at the same time.

I agree that doing something is better than doing nothing. I also agree
that 2-factor AAA is viable and definitely worth the effort and expense for
some organizations (including mine). But if your goal for securing your
organization is to be better than you think your "neighbors" (whether
they're in physical, logical, or market proximity) are, then all you can
hope to achieve is to not suffer a compromise at the same time in the same
way as your neighbors.

As far as making my network a "hard target" in the military sense (Google
for "hard target interdiction" or HTI), no thank you. :)

PaulM

-----Original Message-----
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

And you (and others) assume there's only two runners.

I still think I'll make an attempt to out run the bear and be as tough a
target as I can afford, and hope the bear is smart enough to pursue the easy
targets.

The point is, don't make yourself the _easy_ target, when there are things
you can do that the other (easier targets) aren't doing.
When there are enough bears and few targets, everyone will get attacked, but
don't lightly toss aside the benefit of making yourself as hard a target as
you can afford. Right now, there are still plenty of honey-soaked targets
for the bears to enjoy.

I'm not necessarily saying this is a completely fail-safe way to secure your
environment, but from what I have seen of other environments, at least the
honey isn't dripping off you and leaving a trail for the bear to easily
follow. Let it drip off the other guy(s).

--__--__--

Message: 4
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 10:03:30 -0500
From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: "Paul Melson" <pmelson@gmail.com>,
"Marcus J. Ranum" <mjr@ranum.com>,
"David Lang" <david.lang@digitalinsight.com>
Cc: "Firewal Wizards" <firewall-wizards@honor.icsalabs.com>

I disagree that it's a failed analogy _all around_, because
the e-version can still attack only one target at a time,
it's just much more efficient than a bear.

I won't touch the _hard target_ comment. :)

-----Original Message-----
From: Paul Melson

It's a failed analogy all around, though. In the case of bear vs.
runner,
one bear can only maul one runner at one time. I've got screens and
screens
worth of alert data that show that a single e-bear can chase and maul
thousands of runners at the same time.

<snip>

As far as making my network a "hard target" in the military sense
(Google
for "hard target interdiction" or HTI), no thank you. :)

--__--__--

Message: 5
From: "Brian Loe" <knobdy@stjoelive.com>
To: "'Kevin'" <kkadow@gmail.com>,
"'Paul D. Robertson'" <paul@compuwar.net>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 11:44:19 -0500

I had no idea anyone was doing this, what an excellent example for future
employers!

> Take for example the SecurID tokens issued by E*Trade and AOL.
>
> Does anybody really believe that E*Trade is giving their
> customers "free" tokens to help protect the user from
> hackers, rather than to protect E*Trade from users who say "I
> didn't make that losing trade, my account must have been
> hacked, refund my losses!"?

--__--__--

Message: 6
From: "Brian Loe" <knobdy@stjoelive.com>
To: "'Ben Nagy'" <ben@iagu.net>,
"'Eugene Kuznetsov'" <eugene@datapower.com>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Broken Analogies (was: Transitive Trust)
Date: Tue, 21 Jun 2005 11:51:22 -0500

I have to question how much time some of you are spending with the end user.
In the last three years I have yet to meet one (an end user) at any level
(to include phone reps, managers, and two CEOs) that complained about
aggressive protection. This might be because the companies I have worked for
went from 0 protection to 80% in a matter of months, and they remembered why
we were implementing it in the first place. Just the same, given options I
tend to believe that humans will accept protection with minor (and they
really are pretty minor) inconveniences.

One only needs to look at national politics to see this is true, virtually
everyone has given up a great deal of personal liberty in return for a false
sense of security. Our sell is real security, ought to be easier.

> People's mentality will never change while this is the case,
> because all of the cures are worse than the diseases. Take
> any aggressive quarantine style system and apply it
> enterprise-wide and people will start to bitch. They will
> bitch even worse when there is a false positive because the
> perceived usability cost is too high for them. When we start
> getting more malware that trashes the host then I think all
> of these discussions might become more useful.
>
> I'm going to leave aside things like acquired immunity,
> re-infection, and avoidance (people don't tend to kiss those
> suffering from cold sores).
>
> Current worms may _spread_ like diseases, but that's pretty
> much where the useful similarities end, in my opinion.
>
> Oh, and targeted incidents are not like diseases at all -
> they probably are, actually, more like bears. Or maybe
> weasels. I actually think you might be better looking at it
> from an economic modelling approach with supply and demand of
> exploits and risk / reward of targets. There's probably some
> game theory in there too.
>
> Anyway, enough ramble.
>
> ben

--__--__--

Message: 7
From: "Paul Melson" <pmelson@gmail.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 12:54:37 -0400

And here we go...

http://www.thedenverchannel.com/money/4633901/detail.html

-----Original Message-----
Subject: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14
million MasterCards.
http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes

This sounds like (yet another) classical example of "transitive trust gone
wrong."
Visa/MasterCard trusted a 3rd party to hold their data and - oops - the
trust was misplaced.

--__--__--

Message: 8
From: Stetser Dan Contr Det 4/LAN <daniel.stetser.ctr@kaenapt.af.mil>
To: Firewal Wizards <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Tue, 21 Jun 2005 07:58:12 -1000

The Constitution guarantees the right to arm bears, doesn't it?

<g>

-----Original Message-----
From: Adam Shostack [mailto:adam@homeport.org]
Sent: Monday, June 20, 2005 10:57 AM
To: Marcus J. Ranum
Cc: Behm, Jeffrey L.; David Lang; Firewal Wizards
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

On Mon, Jun 20, 2005 at 01:06:01PM -0400, Marcus J. Ranum wrote:
| Behm, Jeffrey L. wrote:
| >You don't gotta outrun the bear, just
| >the guy next to you.
|
| That's the strategy that's gotten us where we are today.
|
| It works great assuming the bear count remains a constant and the
| bears don't suddenly all come equipped with overdrive. It also assumes
| that bears exercise reason in selecting their targets. Next-gen
| malware breaks all of those assumptions.

I like to say that that works only until bears get machine guns.

Adam
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 9
Date: Tue, 21 Jun 2005 14:00:24 -0500
From: Kevin <kkadow@gmail.com>
Reply-To: Kevin <kkadow@gmail.com>
To: Brian Loe <knobdy@stjoelive.com>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: "Paul D. Robertson" <paul@compuwar.net>,
Firewal Wizards <firewall-wizards@honor.icsalabs.com>

On 6/21/05, Brian Loe <knobdy@stjoelive.com> wrote:
> I had no idea anyone was doing this, what an excellent example
> for future employers!

I'm not sure if this is a sarcastic dig at me, at E*Trade/AOL, or if it
is meant as a serious comment?

I am not privy to the details, but a close look at the history of SecurID
token deployment inside AOL could be an educational example of an
employer's deployment of hardware tokens to address social engineering
attacks against support staff accounts...

> > Take for example the SecurID tokens issued by E*Trade and AOL.
> >
> > Does anybody really believe that E*Trade is giving their
> > customers "free" tokens to help protect the user from
> > hackers, rather than to protect E*Trade from users who say "I
> > didn't make that losing trade, my account must have been
> > hacked, refund my losses!"?

The "I didn't make that losing trade" scenario is a big deal for online
trading firms, second only to complaints about how long it took to
execute the customer's odd lot :)

Kevin Kadow

Disclaimer: While I have in the past worked for a trading firm which
was later acquired by E*Trade, I have never been an E*Trade employee
or contractor, and I bear them no ill will. I am a moderator of the unofficial
SecurID users group, http://groups.yahoo.com/group/securid-users/

--__--__--

Message: 10
Date: Tue, 21 Jun 2005 22:03:23 -0400
To: "Paul D. Robertson" <paul@compuwar.net>
From: Mark Teicher <mht3@earthlink.net>
Subject: Re: [fw-wiz] Equifax Canada
Cc: firewall-wizards@honor.icsalabs.com

If we return to the gold standard, or "cash 'n' carry", some of these
issues would alleviate themselves. How many people do you know go around
with less than $10.00 in their wallet and just carry plastic? As a society
we have become dependent on plastic items with mag stripes on the back. How
many people go to gas stations that only accept cash? How many 7-11's
are starting to question it if you open up your wallet and pay for your items
in cash? But yet, they still have the markings on the door to get a possible
or potential assailant's height.

Pretty soon, one could be punished for cutting up their credit cards just
as the mattress people warn us not to remove the tag.

At 07:07 PM 6/20/2005, Paul D. Robertson wrote:
>On Mon, 20 Jun 2005, R. DuFresne wrote:
>
> > But are the worth of the data here merely relational to the cost of
> > contacting those clients whose information was compromised? Maybe to the
>
>The value of the data to the custodian of the data is a lot less than it
>is to the attacker or person whose data it is.
>
> > company, but, I'm willing to bet the clients consider this data much more
> > valuable than that, and their costs, the clients', is not yet
> > ended, especially if they're victims of identity theft...
>
>Nope, their clients aren't really the folks they're keeping the data on...
>
> > > It is true, they lose some credibility
> >
> > Which is another sense of the value and loss incurred in this case, an
> > additional loss.
>
>But it doesn't really matter to their clients.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>paul@compuwar.net which may have no basis whatsoever in fact."
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 11
Subject: Re: [fw-wiz] Equifax Canada
From: Mircea MITU <mmitu@bitdefender.com>
Reply-To: mmitu@bitdefender.com
To: "Paul D. Robertson" <paul@compuwar.net>
Cc: firewall-wizards@honor.icsalabs.com
Organization: SOFTWIN
Date: Wed, 22 Jun 2005 10:10:10 +0300

On Sun, 2005-06-19 at 21:33 -0400, Paul D. Robertson wrote:
> "For the second time in about a year, the credit reporting company Equifax
> Canada Inc. has suffered a security breach that has given criminals access
> to personal financial information of hundreds of Canadians.
> The latest case came to Equifax Canada's attention several months ago, but
> was made public only yesterday.
> Criminals that breached the firewall gained access to 605 consumer files,
> which contain personal information ranging from names and addresses to
> type of bank loans and credit cards, payment obligations and social
> insurance numbers."
>
> 605 Canadians, that's like 300 Americans, right? ;)
>
> Sounds like someone needs remedial INFOSEC training- sheesh 2nd time in a
> year?
>

You don't get it. It's a feature, not a bug.
They just "got to market six months faster, and saw 14 percent in cost
savings". Now compare these numbers with any INFOSEC benefits.
http://www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=15528

Mircea MITU
Certified Beer & Barbecue Specialist

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest