Showing posts with label pen testing. Show all posts

Monday, February 26, 2007

Impacted Molars: Misguided Ninja Dudes and PCI Awareness



MESIAL
Dark Reading continues its obsession with physical security:
Network dude wrestles potential bad guy, followed by a stern warning on what a scary world it is out there, because physical attacks hurt.
Forgive me if I'm out of line, but why would I hire a network security guy to dress up as a maintenance dude to steal a laptop out from under an executive? Especially since there are skilled investigators who could get a signed confession and all his passwords from just talking to the accused. I'm not going to hire an investigator to secure my network, and I shouldn't ask a network security guy to conduct fraud investigations. I'm not going to hire the network guy to run my HR department either.

LINGUAL
The Bank Lawyer celebrates PCI Awareness Month early, with his take on the TJX Incident. Nice rundown of all the parties involved. His characterization of the consumer is incomplete:

The consumers' concern for nuance extends only to the following extent: "I see a sturdy live oak right over yonder. Let's get us a rope and hang him."
The consumer is likely to be distracted by a shiny object on the way to the noose dealership, since he or she has no loss. Credit card numbers are becoming more a disposable commodity, unlike SSNs, HDL levels or Sudafed consumption. Coming this summer: Retailers v. Credit Cards v. Banks Smackdown at the Legislative Arenadome.

Photo from Henrier.

Tuesday, January 23, 2007

Buzzword Compliance or Compensating Controls


The most recent SANS e-mail newsletter picked up this article from Computerworld on a pretty minor (all things considered) security incident at a federal retirement fund agency.

The voice of SANS (Pescatore in this case) remarked thusly:

This and the Nordea incident, as well as the huge TJ Maxx compromise, continue to point out how commonplace financially motivated, targeted attacks now are. Attacks change faster than regulations - tunnel vision on being compliant with regulations, whether Sarbanes Oxley, Basel, or PCI, means you will not be looking at processes and architectures that can deal with changing threats.
Pescatore, duuude. Hate the game, not the playa.

First, I don't think any of those regulations really apply to the TSP, except perhaps as amusing pastimes in the off season.
Secondly, what the hunh??? I really don't get what some users getting their accounts hijacked through the client side has to do with a focus on regulations. About a dozen accounts, $35,000 all told. In retirement fund terms, not a whole lot. And since they did find out about the incident, it is possible that some account monitoring controls were in place. So maybe the system worked. And cruising around the TSP site, it looks like they are trying to educate their users.

Unfortunately, whatever cred the TSP folks gained is blown in the following quote:

"External penetration testing has demonstrated that our system has not been breached"

Umm... ? I'd like to see the pen-test firm that signed off on that. Maybe next time you should have some forensic analysts over for a post-incident discussion. They may give you better results.

Just because you don't have a heavy-duty NAC/HIDS/NIDS two-factor network with the buzzwords du jour and a burled walnut interior doesn't mean that you are so distracted by your BASEL II crossword puzzle that your accounting department doesn't notice some oddball transfers. It's all about the compensating controls.

Thursday, January 18, 2007

Cooler than an iPhone


Immunity's Silica.

From Immunity's page:

Example Use Cases:

  • Tell SILICA to scan every machine on every wireless network for file shares and download anything of interest to the SILICA device. Then just put it in your suit pocket and walk through your target's office space.
  • Tell SILICA to actively penetrate any machines it can target (with any of Immunity CANVAS's exploits) and have all successfully penetrated machines connect via HTTP/DNS to an external listening port running Immunity CANVAS Professional.
  • Mail SILICA to your target's CEO, then let it turn on and hack anything it can as it sits on their desk.
  • Have SILICA conduct MITM attacks against people on a wireless network.
  • Use SILICA as you would CANVAS on your desktop - just smaller.

Very cool.