I was recently engaged to help remediate some exposures found during the preparation for PCI DSS compliance reporting. They had run an external vulnerability scan with Nessus so that they could find exposures and fix them before the “official” scan was run.

Several vulnerabilities were found that would have caused the organization to fail their external vulnerability scan. Many of the vulnerabilities were due to an open port on the server. Several cross-site scripting vulnerabilities were found. Sample code from one of the installed applications was publicly accessible.

As we were working through these issues, a common theme came up.

How do we fix Issue X so that we pass the scan?

Now think about that a minute… Approaching the vulnerabilities with this attitude is kind of like fixing a flat tire with Fix-A-Flat. It may work, but you should still have the tire looked at by a professional.

Here’s a specific example from the vulnerability scan. Port 8080 was publicly available on the web server. Several vulnerabilities were found on 8080. It was suggested that we just block 8080 at the firewall. Sure that would work to keep the problems from being found in the external vulnerability scan. But is that the right fix? No.

The right fix was to harden the server by shutting down any unneeded services and to block an unneeded ports on the firewall and uninstall the sample code from the server and institute change control on servers and firewalls and ……

My final recommendation? Take steps to think beyond compliance requirements. Checkboxes and automated scans are helpful, but nothing replaces good analysis and testing. Meeting compliance requirements is a good starting point, but don’t omit really knowing the risks your organization faces.

- Dan

Some days are more interesting than others.

Monday, August 29, 2011

Interestingly, I found nothing of real interest on the Internet today! Let’s see if Tuesday is any better…

Tuesday, August 30, 2011

More research on global warming. I doubt Al Gore supports it. – Sun Causes Climate Change Shock

According to Al Gore, climate change skeptics are racist. That’s an interesting leap of logic. – Perry Vs. Gore

Wednesday, August 31, 2011

Leaders should be willing to communicate, even when it is not required. This looks like a lesson that Cook has learned from Jobs. – Like Steve Jobs, Apple CEO Tim Cook Also Responds to His Email

APOD – Roll Cloud Over Wisconsin – We had one of these pass through Manhattan a year ago. My youngest son took a picture of it. View it here.

Determining the root cause can be difficult. Read this – How to perform a root cause analysis?

Thursday, September 1, 2011

This looks like Keynesian economics to me – Non Sequitur for 9/1/11

The best quote from this article, “The way children are grouped, which now occurs by their “date of manufacture,” no longer makes sense.” – Schools need help in raising today’s children, says education advocate

Pretty cool pictures of lightning here

Small businesses have a problem. They often have no money to implement appropriate security controls. They should read this tweet from Russell Eubanks

Friday, September 2, 2011

I’ve always wondered about the Magic Eraser. Now I know… – How do magic erasers get rid of stains?

’tis the beginning of the new school year. My mind is on things like…

Doing more with less
Maximizing results while maintaining effort
Reasonable protection

So, here are the links of the week.

Monday, August 22, 2011

Since my youngest is starting college today, this is of interest – Back to School: 15 Essential iOS Apps for Students

Tuesday, August 23, 2011

I really hope this is true. Maybe it would help Verizon lower their prices! – Sprint To Sell the iPhone 5 [REPORT]

Trying to achieve privacy and security in an open wireless network. Looks like some promising research – Baking Security Into Open WiFi Networks

Wednesday, August 24, 2011

If you don’t have the time to do your own research (and very few of us do), there are many sources to help guide us in network security. Just one source is the NSA. Take a look at this guide that was referenced recently in a SANS NewsBites newsletter. – Best Practices for Keeping Your Home Network Secure

With winter coming, I’m hoping that someone I know will get one of these – Knit Vulcan Hat

This is not good for the reputation of being secure by default – Mac OS X Lion fails to check passwords when authenticating via LDAP

Have you read The Edge of Disaster by Stephen Flynn? Yesterday’s earthquake reminds me of examples from Flynn – Aging East Coast Infrastructure a Concern After Quake

Thursday, August 25, 2011

As they say in Star Trek Land, all good things… – Steve Jobs, Apple CEO, steps down

Universities seem to be a ripe environment for personal information to be lost. It’s interesting that an individual in the article blames Google for changing the way they find servers and documents. I think the real question should ask why are the universities not doing a better job of protecting the personal information of the students and staff, and why are they not aging information out of their systems. – Yale Social Security Numbers Exposed In Latest Case Of ‘Google Hacking’

If you use Facebook, you need to read this Guide to Facebook Security.

I would be glad to take your contributions toward the purchase of the Nelson Bible Reference Bundle from Logos.

Friday, August 26, 2011

Khan Academy looks to provide a series of academic videos. It is heavy on math and science. Take a look and see if it could help your student. – Khan Academy

Along the educational lines, I came across this article talking about Skype’s initiatives to connect teachers. Examples are given. If you are an educator, you should evaluate this to see if there might be application for you. – Skype Launches a Dedicated Network for Teachers

You’ve got to read this – Keynesian Economics vs. Regular Economics. If you get blocked by the WSJ paywall, then google “Keynesian Economics vs. Regular Economics” and find the cached copy from Google. Either way, it really helps understand what is driving the Obama administration.

Here’s this week’s list o’ links that I found interesting…

Monday, August 8, 2011

This has some very serious implications – Black Hat hacker details lethal wireless attack on insulin pumps

This is on my to-do list of things to watch – Off Topic: Creating Metasploit Exploit Modules Step By Step (Tutorial!)

Every system and/or network administrator should become familiar with these tools – 15 Incredibly Useful (and Free) Microsoft Tools for IT Pros

Not long ago I wrote about choosing an Android or iOS tablet. Here is an article discussing low-cost options – What $300 or less buys in a tablet

Tuesday, August 9, 2011

I’ve found the Windows Secrets newsletter useful for several years. You probably will, too. They have a free edition and a paid edition.

Wow. This is sobering and awe-inspiring. You’ve got to take the time to work your way through each installment as it is published. – World War II in Photos

From Dave Hoelzer… You Might Be Compliant… But Are You Secure??. This isn’t a new post, but it is still relevant. I’ve been thinking about this very thing as I work through the PCI DSS.

Here are some things I’ve found interesting this past week…

Monday, August 1, 2011

10 things I learnt from Daily Shooting – http://shoottokyo.com/daily-shooting/

I thought I had a great idea, then I found that someone else is already aggregating government contract opportunities. This is but one place I found – State & Local Government and Contract Opportunities – http://www.govcb.com/

Some people do find them valuable. – Do Facebook Ads Bring Customers? – http://www.inc.com/howard-greenstein/do-facebook-ads-bring-customers.html

I bought an external drive that was listed at USB 3.0 and compatible with USB 2.0. The first thing I noticed was a difference in the cable. So I headed to Wikipedia – http://en.wikipedia.org/wiki/USB_3.0

Tuesday, August 2, 2011

Years ago, I had a friend who was always providing strange facts. Seems like that friend has been replaced by the Internet. – What lives Inside Your Navel? – http://news.discovery.com/human/belly-button-organisms-110801.html

From the Freakonomics folks… – What Does Your Web Browser Say About Your I.Q.? (Hint: I.E. Users Won’t Like the Answer) – http://www.freakonomics.com/2011/08/02/what-does-your-web-browser-say-about-your-i-q-hint-i-e-users-wont-like-the-answer/

This is pretty interesting – Getting Bin Laden – http://www.newyorker.com/reporting/2011/08/08/110808fa_fact_schmidle

I enjoy reading what David Pogue writes. – The Perils of Copy Protection – http://www.scientificamerican.com/article.cfm?id=the-perils-of-copy-protection

Wednesday, August 3, 2011

What if he had succeeded? – Swedish man caught trying to split atoms at home

Thursday, August 4, 2011

Some days I just feel old. Dilbert doesn’t help. – http://dilbert.com/strips/comic/2011-08-03/

I don’t agree with some of this, but it is worthy of thought – White-hats are on the side of law, but not order

I’ve been using BackTrack 4 and a separate install for Nessus. Nessus is installed in BackTrack 5. Here’s how to begin using it. – Enabling Nessus on BackTrack 5 – The Official Guide

This is almost enough to make me subscribe to GigaOM Pro just so I can read more information – A sneak peek into Google’s servers and energy efficiency

Friday, August 5, 2011

Some folks I know can relate to this – Are You a Programmer?

This is pretty cool – Steelers coach sells Mercedes to team cafeteria worker for $20

We, too, have seen an increase in the cost of detection and recovery following an incident – The cost of cyber attacks is up 56%, study reveals

Many people claim creativity. How many of these characteristics do you possess? – 9 Attitudes of Highly Creative People

Things I found interesting this past week…

Monday, July 25, 2011

Now, if only Washington could resolve the debt ceiling and budget cuts issues… – Agreement in place; players will vote once document is done – http://www.nfl.com/news/story/09000d5d820f4c7f/article/with-agreement-in-place-players-will-vote-once-document-is-completed

This is one reason why I choose to use a Mac – McDonalds Wi-Fi Guide

Once again, those British newspapers tell us what we already know. I would have almost expected this in The Onion – Monday mornings so depressing you won’t crack a smile until 11.16am – http://www.telegraph.co.uk/news/newstopics/howaboutthat/8658968/Monday-mornings-so-depressing-you-wont-crack-a-smile-until-11.16am.html

Here’s another list of mistakes we make in information security – The 5 biggest IT security mistakes – http://www.networkworld.com/news/2011/072511-security-mistakes.html

Tuesday, July 26, 2011

By correlating information from disparate sources, you can infer much. This article shows that it is not just Google, Twitter and FaceBook that have private information about us, but the credit card companies do also. Seems like the privacy horse left the barn sometime in the 1980s… – Amex knows what you do not – http://www.stephencolman.com.au/blog/2011/07/14/amex-knows-what-you-do-not/

We’re hurting, but someone else is hurting worse. That always makes it better, right? – Apple COO Says iPads Are Hurting Mac SalesBut, he adds, they’re hurting Windows even more – http://technology.inc.com/2011/07/26/apple-coo-says-ipads-are-hurting-mac-sales/

Wednesday, July 27, 2011

Years ago, an old friend give me advice similar to #10 – 10 Public Speaking Tips For Introverts – http://www.psychologytoday.com/blog/quiet-the-power-introverts/201107/10-public-speaking-tips-introverts

Another interesting perspective for my job-seeking friends – A Simple Strategy for Acing a Job Interview – http://blogs.cio.com/careers/16404/simple-strategy-acing-job-interview

Thursday, July 28, 2011

And now for some good news from Arlan at Farm Futures – Unemployment claims drop

This would seem – Restaurant Breach Leads to Fraud – http://www.bankinfosecurity.com/articles.php?art_id=3899

Google+ is forcing Facebook to advance in many ways. This is new – Facebook for Business – https://www.facebook.com/business

I enjoy the photography tips and ideas from Kent Weakley. This one is especially important for the non-professional photographer who primarily uses the lens that came with the camera body – 5 Ways to Max Out Your Kit Lens – http://kentweakley.com/blog/5-ways-max-out-kit-lens/

BibleReader on iOS is one of the most used applications I have on my iPad2. I learned some things from these videos – BibleReader 5 Video Tutorials & Reviews – http://olivetree.com/learningcenter/br5/

Friday, July 28, 2011

Brian Krebs has some good advice here – Is Your Voicemail Wide Open? – http://krebsonsecurity.com/2011/07/is-your-voicemail-wide-open/

It feels good to reminisce a little about the Good Old Days – MS-DOS Turns 30: PCMag’s Original Interview With Bill Gates – http://www.pcmag.com/article2/0,2817,2389282,00.asp

No surprise here – Most organizations do not follow security best practices, survey finds – http://www.infosecurity-us.com/view/19737/most-organizations-do-not-follow-security-best-practices-survey-finds/

It’s July and folks are starting to think about Christmas?? That must be the case, because I’ve had two people in the last week ask me what tablet they should buy their spouse for Christmas. My standard answer is …

It depends

Let me make it clear that I try to remain relatively agnostic when answering that question. You see, I currently run an Android cell phone, use an iPad2, have a 2006 model MacBook, and am writing this post on a Windows 7 desktop computer. I have used Windows Mobile cell phones and an iPhone 3. I have virtual machines running a variety of Linux distributions.

To put it mildly, I have some personal preferences, but mostly care about using a product that works.

When talking to most people, I avoid any discussion of the technical and marketing merits of one product over another. Sure, we could discuss the encryption found on iOS. Or, we could discuss the malicious apps that have found their way into the Android Market. Or, we could talk about more developers writing for Android (or, iOS depending on which industry pundit you read). Or we could discuss the merits (or problems) of the protections used by Apple before they let an app be included in the App Store. Or, we could get into a deep philosophical discussion of whether iOS is closed or open and whether Android is any different.

Most people simply care about 2 things – cost and usability.

Cost is really a non-issue when considering the choice for a tablet. If someone really wants a low-end tablet, they can get a Nook and flash cyanogenmod onto it. That makes a remarkably usable tablet for around $250. The difficulty I see with recommending this option is that most consumers simply lack the technical know-how to successfully do this. Another low-cost option is one of the Android tablets with a resistive screen. These are generally under-powered, and the entire user-experience is painful. They just do not meet expectations.

To achieve the expectations that almost everyone has, you need to be prepared to spend $500+ for a useful tablet. The low-end WiFi-only tablets for both Android and iOS/iPad2 start there. A recent circular from Best Buy shows the Toshiba Thrive for $479. That is only $20 less than the comparably equipped 16GB iPad2. The way I see it, cost is a non-issue when making a decision.

So, if cost is not a significant differentiator, then how about the user experience? Here’s what I tell inquirers…

• They are both similar with how applications are started. You press the application icon and the application starts in the foreground.
• Both are multi-tasking. To see running applications on iOS, you double-press the only button on the front of the unit. To see running apps on Android, you long-press the Home button. With both you can quickly go to another running application. Note that there are some folks who will argue that one or the other is better with multi-tasking. I don’t know a single non-technical consumer who really cares!
• Both have a way to download more apps onto the device. Both processes work well. There are similar apps for both platforms.
• Both devices can be used quite effectively.

But, there are some differences…

• If Flash websites are important to them, then they should look to the Android platform. iOS does not support Flash. In my experience this is becoming less and less of an issue for most people.
• iOS devices (iPad and iPhone) currently require a connection to iTunes running either Mac OS X or Windows in order to set up the device. This will no longer be an issue once iOS 5 is released later this year. But for now Android is the only one that is truly stand-alone.
• It seems to me that the iOS interface is simpler and more understandable for the non-technical user. Android makes use of pop-up menus throughout, and iOS generally does not.
• Deleting an application from iOS is simpler than deleting from Android. On iOS you simply long-press an app and it starts jiggling with a red X. Press the red X and the application is gone. On Android, you have to press the Menu button on the home screen, then choose Settings. After that, select Applications and then Manage Applications. Select the application you want to delete and then choose Uninstall. It’s a pretty cumbersome and non-user friendly process.
• iOS versions are released regularly to all iPad/iPhone/iTouch devices as a result of the hardware coming from the same manufacturer. New Android units can be found with Android v2.2. Others have v2.3. Most tablets are now selling with v3. But, it is up to the device manufacturer to ensure that the lasted Android software is available for specific hardware.
• All iOS devices look and feel the same. Many Android hardware manufacturers are customizing the Android experience rather than using stock Android. It becomes confusing for the consumer to have to understand the various versions.

I find it interesting that almost everyone I know that is a hard-core Microsofty is also a hard-core Android fan.

So in the end I tell people that unless Flash support is a Killer App for them, they probably would be satisfied with either one.

And, then they always ask me my preference. I tell them that I bought my wife an iPad and she has not been disappointed.

Have fun!

- Dan

Here are the stories I found interesting this past week.

Monday, July 18, 2011

If you are still trying to figure out what to do with your iPad, read this – Top 5 Business Uses for the iPad – http://www.openforum.com/articles/top-5-business-uses-for-the-ipad

Tuesday, July 19, 2011

I can honestly say that I’ve never, ever thought about this – How to avoid being eaten by lions – http://bbcearth.posterous.com/how-to-avoid-being-eaten-by-lions#

Let’s see if there is any relationship between this and being eaten by lions – The Contagious Smell of Fear In Information Security – http://blog.zeltser.com/post/7787134857/smell-of-fear-in-infosec

This obviously takes a great amount of work and attention to detail. I love the statement “Effective remediation means, identifying the “right” programs to patch, Stefan Frei, research analyst director of Secunia, told SCMagazineUS.com on Thursday.” – Report says firms must rethink patching strategy – http://www.scmagazineus.com/report-says-firms-must-rethink-patching-strategy/article/207478/

Wednesday, July 20, 2011

I’m trying Real Hard not to make a cynical comment about this – Bill Gates To Reinvent The Toilet – http://mashable.com/2011/07/19/bill-gates-reinvent-toilet/

Another example of small actions having a much larger impact – Scientist: Tae Bo workout sent skyscraper shaking – http://news.blogs.cnn.com/2011/07/19/scientist-tae-bo-workout-sent-skyscraper-shaking/

But they don’t really say Why? – Apple iOS still rules, but Windows 7 Phone edges Android in user satisfaction – http://www.networkworld.com/news/2011/071811-smartphone-preferences.html

Thursday, July 21, 2011

It is important to be aware and observant – How to Avoid Being a Victim of ATM Skimming – http://www.walletpop.com/2011/07/18/how-to-avoid-being-a-victim-of-atm-skimming/

I enjoy reading David Pogue. Here’s his take on OS X Lion – Upgrading to Lion Means Embracing the iPad – http://www.nytimes.com/2011/07/21/technology/personaltech/the-usual-apple-upgrade-big-steps-forward-a-stumble-backward-state-of-the-art.html

Have you always wondered why there are so many standards in electronics, etc? – How Standards Proliferate – http://xkcd.com/927/

Friday, July 22, 2011

The space shuttle program starts and ends with Star Trek – Shuttle Era Ends – Atlantis Welcomed Home To Star Trek Voyager Theme – http://trekmovie.com/2011/07/21/shuttle-era-ends-atlantis-welcomed-home-with-star-trek-voyager-theme/

Do you suppose this dude has Little Man Syndrome? – Man Etches Name in Sand, Visible from Space – http://news.discovery.com/space/big-pic-hamad-abu-dhabi-space-graffiti-110721.html

For the job seekers – Hacker hunters: Join the cyber security job boom – http://tech.fortune.cnn.com/2011/07/22/hacker-hunters-join-the-cyber-security-job-boom/

… and those job seekers need to understand this – The business-security disconnect that won’t die – http://www.csoonline.com/article/686591/the-business-security-disconnect-that-won-t-die

Last week I came across the PCI Calculator from StillSecure. I’ve since downloaded it and spent a bit of time with it.

What are my impressions?

I was expecting some sort of tool to help me with tracking and maintaining PCI compliance. I obviously read the StillSecure description and created a fictional meaning in my own mind!

What I did get from StillSecure is a tool that is useful in helping to create budgets for the PCI compliance testing. It allows for using Gartner benchmarks for estimating costs for level 1-4 merchants by contracting the StillSecure PCI Complete service.

While I am not currently looking for a service to do PCI work, it is interesting to see the estimated savings. This is an option that I need to remember for the future.

As far as I know, I don’t know anyone at StillSecure, nor do I have any vested interest in the company. But should the time come when I need help with PCI compliance, the numbers in the PCI Calculator would make me want to include them in the RFP list. I guess that’s what a sales tool is supposed to do.

Keep yourself safe!
-Dan

(I had some computer problems, so this is getting put up a couple of days late.)

Here are some interesting links from the past couple of weeks…

Tuesday, July 5, 2011
This is a welcome change in attitude – Apple to allow license-free virtualization with OS X Lion – http://www.engadget.com/2011/07/04/apple-to-allow-license-free-virtualization-with-os-x-lion-devel/

This is an interesting project – A month of sunrises over Chicago – http://vimeo.com/25999231

Wednesday, July 6, 2011
I found this analysis interesting – This Is The Connected States of America – http://www.good.is/post/this-is-the-connected-states-of-america/

I’m not really surprised to see this – Atlanta cheating scandal renews school reform debate – http://www.cbsnews.com/stories/2011/07/05/eveningnews/main20077025.shtml?tag=cbsnewsLeadStoriesAreaMain;cbsnewsLeadStoriesHeadlines

Although I’m not a fanboy of Facebook, this seems like a natural progression – Call Your Friends Right From Facebook – http://blog.facebook.com/blog.php?post=10150223135777131

Thursday, July 7, 2011
It takes work to make your web application security – Protecting your web apps from the tyrrany of evil with OWASP – http://www.troyhunt.com/2011/07/protecting-your-web-apps-from-tyranny.html

Inc. has some good basic information on communication – How to Communicate in a Crisis – http://www.inc.com/guides/how-to-communicate-in-a-crisis.html

We’re told to do patches. But what if we can’t? – “There’s a Patch for that” (or maybe not) – http://isc.sans.org/diary.html?storyid=11170

Sometimes you have to pay for customers – Microsoft gives $250K to University of Nebraska to Use Office 365 – http://venturebeat.com/2011/07/05/microsoft-gives-250k-to-university-of-nebraska-to-use-office-365/

Friday, July 8, 2011
The Droid 3 from Motorola looks like a sweet phone – http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5676&deviceCategoryId=1

I’ll be downloading this – PCI Calculator from StillSecure – http://www.stillsecure.com/pcicomplete/calculator.php

First the Pope, and now the President – Obama tweets for first time – http://holykaw.alltop.com/obama-tweets-for-first-time

This reminds me of Death By PowerPoint – Three Powerpoint slides to avoid – http://scotteblin.typepad.com/blog/2011/07/three-signs-that-your-slide-deck-stinks.html

Printer produces personalized 3D chocolate – http://www.bbc.co.uk/news/technology-14030720

Tuesday, July 12, 2011
For all my job seeking friends – 99 interview tips that will actually work – http://passivepanda.com/interview-tips

How many can you count in this picture? – The Perseus cluster of galaxies – http://apod.nasa.gov/apod/ap110712.html

I wonder how many industries have significant issues with employee theft, and what other solutions have been found – Pizza Hut saves dough with biometrics – http://planetbiometrics.com/article-details/i/708/

I’ve got mixed feelings about this – Light bulb ban draws fire – http://money.cnn.com/2011/07/11/news/economy/light_bulb_ban/index.htm?iid=HP_LN

Get ready for ‘Manhattanhenge’ on July 13 – http://news.discovery.com/space/get-ready-for-manhattanhenge-july-13-110712.html

One Neptunian Year! – Hubble’s Neptune Anniversary Pictures – http://www.nasa.gov/mission_pages/hubble/science/neptune-circuit.html

Wednesday, July 13, 2011
U.S., Russia Make Cyber Security Pact – http://www.itbusinessedge.com/cm/community/news/gt/blog/us-russia-make-cyber-security-pact/?cs=47806

Thursday, July 14, 2011
Pentagon Discloses Largest-Ever Cyber Theft – http://www.foxnews.com/politics/2011/07/14/pentagon-discloses-largest-ever-cyber-theft/

Friday, July 15, 2011
Metasploit is the Hot Thing right now – Metasploit Payloads Explained – https://infosecisland.com/blogview/14893-Metasploit-Payloads-Explained-Part-1.html and https://www.infosecisland.com/blogview/14894-Metasploit-Payloads-Explained-Part-1-Continued.html

Another information security framework that I need to take a look at – OWASP Mantra – http://www.getmantra.com/

You should actively protect your identity. One way is to monitor your credit reports. The government passed a law in 2004 that requires the big three to provide an annual free report. – Free Annual Credit Report Law – http://idtheftcenter.blogspot.com/2011/03/federal-annual-free-credit-report-law.html

Another example of 3D printing – 3D Printer – http://www.youtube.com/watch?v=ZboxMsSz5Aw