Six ways you can bork PCI

Presented by

Declan Ingram

1. Misunderstanding.

Don't treat PCI DSS as a purely technical standard. A few minutes browsing through it and you'll know why -- there is a stack of technical requirements.

Usually, however, it's hard to meet the technical requirements without first taking care of policy issues. For example, it's a bit backwards to install a new firewall when you don't yet have configuration standards.

The trick for achieving compliance is to read the PCI DSS backwards. Start at requirement 12 and have your risk management framework in order, then your policies, then procedures, configuration standards, then implement it, and audit it.

Don't let a technical manager own your PCI compliance responsibilities. The path of least resistance is down, and generally the most difficult challenges for compliance are within the business and business process -- not technology. Make sure PCI lands on the desk of someone who has the authority to enforce it throughout the organisation.

That said, of course the staff responsible for PCI DSS compliance need to have a full and complete knowledge of the standard. Someone with "just enough" knowledge of the standard can be dangerous and wind up costing you more than you bargained for.

2. Misinterpretation.

The requirements and the priorities of the standard are well laid out by the PCI council, but it is important to fully understand the scope of compliance within your business. If you have card data used across many systems, you cannot be compliant as an organisation until ALL cardholder systems are compliant.

Many fall into the trap of investing too much time and resources into deciding on the minimum effort required in order to achieve compliance. It buys time from the banks, but it's not a long-term approach.

This distortion of the intent of the standard is not only damaging to compliance, but can distract from the security of your organisation as a whole. Apply PCI in accordance with the "spirit" of the rules.

3. Validation.

Validation is not compliance, and compliance is not validation. While organisations that come under PCI DSS must be fully compliant at all times, validation is periodic and its rigour depends on the size of the merchant.

If you are genuinely compliant, staying that way will not be hard, and passing a validation check won't be difficult. If you've cut corners to do the absolute minimum, ongoing validation is when your poor approach will bite you on the ass. Also remember you could be asked to validate your compliance at any time -- especially after a security incident.

4. Cause.

The specific requirements of the PCI DSS are nothing extraordinary, rather they are generally considered to be best practice. If you're not compliant, you really have to ask why.

For each and every point, find out what the root cause of non-compliance is. Is it poor risk management? Lack of resources? Legacy systems? While this can be an overwhelming task at first, if it's performed from a top-down approach (as suggested in the first point) it will pay dividends.

5. Framework.

An ad-hoc approach simply does not work. Tying it all together into a framework is the only way to achieve continued compliance. This must cover and have support from all aspects of the business that PCI touches. This can be everyone from HR, project managers, data entry staff, receptionists, etc. Have a plan and work to it.

6. Beware Snake Oil.

You may have noticed the discussion of specific products has been avoided. That's deliberate. There are endless combinations of products that can be used to achieve compliance, but there is no specific product that is required for compliance. If anyone suggests otherwise to you, vendor, QSA, consultant etc -- you are best to politely escort them from the building.

Declan Ingram works for Securus Global, a Sydney-based security consultancy. He has a pwnie-tail and likes to fly aeroplanes dangerously.

RaceToZero Reloads

Presented by

Bogan

The idea was simple. We'd install a bunch of anti-virus products and see who could modify existing viruses to sneak them past detection engines. There'd be beer and banter, a fun afternoon. It wasn't really a scientific contest -- most of the functionality of the scanners was actually turned off. We'd only test the CLI-based signature and heuristic components of the suites.

I'm one of those poor, poor souls who's been forced to repeatedly deploy appalling, sub-standard, anti-virus shit in enterprise environments over the last few years. Sick of trying to fight a virtual wildfire armed only with the IT equivalent of a warm leaf of lettuce, my friend Rich and I decided to stage RaceToZero as a form of protest.

We'd show the world just how awful antivirus software had become. The world would finally understand our pain.

When we announced the contest, some AV commentators and journalists virtually lost their minds. The first RaceToZero contest, held at DEFCON XVI in Las Vegas last year, was indeed a tad on the controversial side.

Some commentators seemingly expected the headless horseman of the Apocalypse to come riding through the casino when the contest began. Kaspersky antivirus founder and CEO Eugene Kaspersky actually compared the Race To Zero with bank robbery and the distribution of narcotics to children. In the minds of some, we were showing the bad guys how to do stuff they couldn't have learned on their own.

Others were a tad friendlier. They saw RaceToZero for what it was -- a bit of fun designed to demonstrate the ineffectiveness of signature-based antivirus technology as a sole method of defence against modern threats.

Either way, we didn't expect the publicity we got last year. In the words of George Carlin, the whole thing turned into a "huge, prick-waving dick fight". A circus, if you will.

So we're doing it again.

To live up to our critics we had planned a HERF gun making contest (hai2EugeneK) but decided on slipping viruses past AV products again instead. The friendly team from OffensiveComputing.net provided the samples we used last year and this year will be taking over the running of the competition.

RaceToZero is still my baby, but I'm happy to send it off to temporary but loving foster care.

OffensiveComputing.net's extensive knowledge of malware, reverse engineering and all things anti* will definitely lift the contest to another level. It won't be as half-assed as last year, (it's more likely to be fully-assed) and may actually produce some results that can be seen as useful benchmarking for endpoint security products.

The Anti-Malware Testing Standards Organization (AMTSO) has published guidelines for dynamic testing and RaceToZero will stick to them.

That means getting all fancy and scientific. As much fun as the last contest was, we didn't really prove much. This time we're trying to create a methodology that might actually tell the people responsible for buying endpoint security something useful, like which products did better.

That's right, vendors, you really should be scared now. We're going to empirically show the world how useless you are, instead of just heavily implying it.

While this balanced, unbiased testing of behavioural AV engines is happening, there will be a live scoreboard so that contestants and spectators alike can see how well the teams are doing and how effective each engine is at detecting the threats.

Another upgrade to the contest is automated unpacking and analysis of samples submitted by contestants, which will be validated against the contest guidelines.

Over the coming weeks more information will become available on the RaceToZero Website and the DEFCON Forums. We look forward to seeing all past and future contestants in Vegas again this year!

bogan \m/

Bogan is a security engineer and researcher from .nz. He is also instrumental in the organisation of Kiwicon, New Zealand's real-deal security conference. In his spare time bogan likes cooking, wearing black and admiring a good burnout.

Welcome to Risky.biz!

Presented by

Patrick Gray

CEO and Publisher

Thanks to a stellar effort by Gold (his real name, no kidding) at Evolved Development, we've been able to put together what we hope will be Australia's premier information security news site.

Along with the regular Risky Business podcast, Risky.biz will host:

  • The Risky.biz blog:
    • We hope to have several dozen contributors from various sectors of the infosec community on board within the first few months. Get the inside scoop straight from the horse's mouth. Giddy up! Nyeeeeeeah!
  • News articles:
    • We also plan to publish news articles written by professional journalists in the blog feed. They will be labelled NEWS:
  • Risky Business 2, or RB2
    • Risky Business 2 is our new, second podcast. In Risky Business 2 you'll hear talks as recorded at various conferences, as well as single-shot interviews recorded by Risky.biz staff and freelance contributors. The RSS feed will include sponsored content, but it'll be clearly labelled.
  • Forums
    • Once you sign up for an account you can join the conversation!
  • Video
    • This section will take a little while to get rolling, but we plan on bringing you video features from interviews to HOWTOs.
  • Webinars
    • Within a couple of months we'll be rolling out a new site section called "The Pitch", a monthly Webinar hosted by security vendors who want to make sweet, sweet love to Risky.biz readers, listeners and viewers.

The Risky Business podcast first launched in February 2007 and has published 100 editions, along with special content recorded at conferences like AusCERT, GovCERT, Kiwicon and Ruxcon.

We hope we can make a red-hot go of this site in 2009, despite business conditions being, err, sub-optimal. Speaking personally, I look forward to getting to know you all through our forums. So what are you waiting for? Sign up and let's get started!

Patrick Gray
Managing editor
Risky.biz

Risky Business #99 -- H D Moore rang... 4500 times

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Risky Business is brought to you this week by Check Point Software and hosted, as always, by Vigabyte virtual hosting.

This week's feature is all about wardialling. H D Moore pops in to discuss his latest project, WarVOX.

WarVOX is a wardialler with a difference -- instead of trying to connect to any modem that may be found when you're dialling, WarVOX just records a snippet of audio when the line answers, then analyses it to see what it is. Think of it as nmap for the PSTN.

Juniper Networks Senior Security Research Manager Steve Manzuik is this week's news guest, and Steve MacDonald checks in for this week's sponsor interview.

If you'd like to comment on anything you've heard on Risky Business, or suggest something you'd like to hear on the show, you can call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).

We'll be sure to include your comments in next week's show!

The music heard at the end of this week's show is by Peregrine. Buy their stuff! See their shows!


Risky Business #98 -- Are Oracle administrators agents of Satan?

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This edition of Risky Business is sponsored by Sophos.

On this week's show we take a look at a recent survey [pdf] released by Oracle in conjunction with the Independent Oracle User Group.

It found 11 percent of Oracle administrators had never applied a critical patch. In fact, 70 percent of Oracle DBAs surveyed were at least three months behind the patch release times.

How did we get here? Securus Global's Declan Ingram pops in to discuss the possible root cause of such startling data. Race To Zero organiser and master chef Simon Howard also shares his thoughts on database host security.

Paul Ducklin pops by for this week's sponsor interview. We ask Paul how endpoint security providers like Sophos can be expected to battle 0day threats such as the recent PDF and Excel flaws.

If you'd like to comment on anything you've heard on Risky Business, or suggest something you'd like to hear on the show, you can call Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free).

We'll be sure to include your comments in next week's show!

UPDATE: Due to a production glitch in the original podcast recording, certain audio snippets (music, bumpers) were incorrectly rendered. The file has been fixed and replaced!


Risky Business #97 -- Antisocial networking

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Yeah yeah, we've all heard about the threat from social networks -- employees post juicy information that attackers can hoover up during reconnaissance. But what if a determined attacker actually infiltrated the social network that exists between your employees? What if they then used that trust to phish for VPN passwords?

That's what the guys from the Snosoft research team claim to have done in a recent customer engagement, with spectacularly successful results. You can read their post here.

Melbourne-based CSO Adam Pointon joins us to discuss the idea.

This week's show is sponsored by Microsoft. Mike Reavy of the MSRC pops in this week to explain Microsoft's exploitability index, and Adam Boileau joins us for the week's news.


Risky Business #96 -- When iPhones Attack

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by the fine folks at Check Point Software. They've been making firewalls since 1645!

On this week's show we take a look at the issue of mobile security. You'll hear an excerpt from Fionnbharr Davies' talk at Ruxcon in which he outlines the horror that is an iPhone turned against its master.

After that we check in with Rick Howard, the director of iDefense Labs in the USA. Despite every vendor under the sun predicting the birth of the mobile hacking age since the year 2000, Rick says 2009 is shaping up as the real deal.

Steve MacDonald from Check Point also swings by for this week's sponsor interview -- the topic? Firewall optimisation software. It's hot right now. So hot. Hot like Hansel.

Risky Business will be late next week -- expect it to be up on Friday. If you'd like to leave feedback for our audio mailbag, you can ring:

Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)


Risky Business #95 -- Burning Down the House

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's podcast is sponsored by Tenable Network Security and hosted by Vigabyte virtual hosting.

On this week's show we chat to the head of iDefense Labs, Rick Howard. He joins us to discuss the threat posed to organisations from disgruntled ex-staff. Layoffs have been ramping up, and we've already seen two high-profile incidents involving cranky admins burning down the house, or at least trying to.

Rick also chimes in with his predictions for 2009.

In this week's sponsor interview we chat to Tenable Network Security's CEO Ron Gula, who'll fill you all in on the new, whiz-bang bundle containing Immunity Inc's CANVAS exploitation tool and Tenable's own Nessus software.

This week's news is huge. Munir Kotadia joins us from a small resort island off the coast of Malaysia to discuss the headlines. No joke. Bastard.

You can find the link to the phpbb.com hack here.

Donations to the bushfire relief fund can be made to the Red Cross here.

And don't forget to leave feedback at our voicemail boxes:

Sydney 02 8569 1835 or USA +1 877 688 8417 (Toll free)


Risky Business #94 -- We're Baaaaaack

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is brought to you by Sophos and hosted, as always, by Vigabyte virtual hosting.

On this week's show we ease back into the year by chatting with Neohapsis founder and CTO Greg Shipley about the ineffectiveness of security technologies and the rise of DLP.

Munir Kotadia stops by with this week's news, and Paul Ducklin from Sophos talks Conficker.

If you're interested in the CERT advisory on Autorun mentioned in the news, you can find it here.

And while it's not mentioned in the show, there's an interesting PDF the team at GOVCERT.NL put together on the md5 SSL thing. Grab it here.

If you'd like to leave some feedback for the Risky Business audio mailbag, call the following numbers and speak your mind! You might just hear yourself on next week's show...

Australia: 02 8569 1835
USA (Toll free): +1 (877) 688-8417


Risky Business #93 -- 2008: The Year That Was

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is a bit different -- we take a look back over the big stories of 2008 and highlight the best work we saw over the last 12 months.

You'll laugh, you'll cry... you'll hurl.

This is the final Risky Business for the year, with normal programming returning in February. The final edition of Risky Business for the year is brought to you by Tenable Network Security, makers of fine information security software.

So in addition to this week's 20-minute year-in-review special, this week's podcast also includes an interview with Tenable's CSO, Marcus Ranum, in the final sponsor segment for the year.

This week Marcus and Patrick discuss the woeful state of Internet browser security.

NOTE: There is talk in that segment of a Firefox 0day that could have amounted to nothing. Well, it did -- turns out it was a null pointer dereference bug, which means it's probably not exploitable... unless you're Mark Dowd.

A big merry Christmas and thank you to all listeners who helped make Risky Business a success in 2008!
