Yvette Du Toit (E&Y - UK/ZA) featured on the latest ITSecurity Pubcast and spoke about her role in CREST. SensePost were invited along, and i showed that while i have a face for radio, i do not have the voice for it.. Ahh.. some day ill find my niche..
The United States committee on Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology recently held a hearing to determine if "the Payment Card Industry Data Standards Reduce Cybercrime?"
Risky Business played snippets of the hearing under the apt title: "Washington spanks PCI DSS" - Like most episodes of RB, its well worth the listen..
One of the "merchants" giving testimony made his point quite succinctly. The credit card companies require us to keep card details, and shift the burden of fraudulent transactions to the merchant. There are much better ways to handle transactions, but the current method is a cheap way for the CC vendors to shift the burden and the risk to the merchants who historically had no alternative.
Online theft of credit card details reached ridiculous proportions, and so the payment card industry had to react, but they reacted by shifting the burden (and the risk) to the merchants. Now im all for people securing their apps and networks, but when you listen to merchants complaining it becomes pretty clear that the credit card industry is threatening punishment for behavior with one hand that it is actually incentivising with its other.
Now merchants (who are no saints) were willing to grudgingly go along with this cost, but when cases like heartland pop up (guys who PCI certified ok while they were busy bleeding card info to evil hax0rs) - the merchants start baying for blood.
The InfoSec Companies: Many infosec companies saw PCI as a chance to sell more services. They rallied to the PCI flag because anything that sells more services is a good thing. This would kinda be ok (mildly excusable) if they were using PCI to sell existing services (that were created to make customers secure) but the problem got worse when PCI compliance became the goal in and of itself. Now you have a bunch of people eager to sell something to a semi captive market. The situation is built for check boxes that obey the law but miss its essence..
But this isnt new? Its not.. But listening to the merchants testifying you get the sense that they have had enough. The payment card industry has tried to fix the problem the (relatively) cheap way, by shifting the pain to the merchants but its quite clear that this approach is not going to work... it becomes clear that to fix the stolen CC problem, we are going to have to (finally) change the transaction model..
The infosec market isnt going away, but i suspect that the credit-card model we currently use, will. Now this should not scare the infosec companies who have been pointing out that compliance does not equal security, or those companies that have built a reputation working on companies and applications that care about security. For those who have built a business model on checking boxes and handing out compliance stamps, my prediction is that the writing is on the wall..
Its like building a company on the Y2k hype.. Sure you might make a whack load of money for a while, and sure there actually are problems that need solving, but sooner or later the dates going to tick over from 1999 and if all you had was the hype, then im hoping for your sake that you took the lease (not buy) option on your company assets..
*caveat-1 - SensePost holds both PCI QSA and PCI ASV certifications (because we need to make sure we understand the space). *caveat-2 - Predictions in general should be left to prophets, this posting should be taken less as prognostication, and more as prose to warn against building a business model on shaky foundations..
The sentiment pops up periodically (in different forms) and it seems like CansecWest this year has seen a resurgence of it.. From Charlie Millers comments on the Safari bug:
"Did you consider reporting the vulnerability to Apple?
I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs."
to the art captured by Garett Gee:
(Alex Sotirov && Dino Dai Zovi)
As usual this sparks loud debate on both sides. Ross Thomas from SophosLabs came out loudly against Miller for being "so breathtakingly cavalier about the safety of my data and the privacy of my personal information" (sic)
Personally i must confess that i find Rosses reasoning pretty dodgy, but i recall having a similar discussion at 04h00 in the morning with singe in a Las Vegas food court..
PS. oh.. almost forgot, it doesnt matter which side of the argument-line you fall on, you have to give props to Internet Security's latest rockstar - the hax0r known as Nils for his elite browser trifacta [Safari|IE8|Firefox]
PPS. Oh.. can we please stop people talking about how the machines were hacked in X seconds. It makes a good headline, but its annoying..
(aka - Whoot! we are almost famous!!)
Of course we would be lying completely if we said it wasn't cool to make it into the top 10 (and doubly cool to make it twice in the top 10!)..
Im sure there will be lots of people complaining about the judging / wishing their favourite attack made the list.. but for now.. its still pretty cool :>
I watched Marcus Ranums "Cyberwar is Bullshit" talk. A talk that was truly wince-worthy! While the talk will make you scream at the screen a few times, it is worth watching just to see the Q&A section after the talk.. It's quite clear that Ranum gets owned more thoroughly than his online gallery did.
Roberto Preatoni of WabiSabiLabi fame confronts Ranums simplistic views of cyber warfare with some pretty straight forward questions, to which Ranum is forced to concede "You got me there".
Another question from the audience included more lashings - with an added underhanded "USA lost in Vietnam without nuclear weapons" comment thrown in for good measure.
Overall, i think Ranum enjoys being contrarian.. I think over the last few years he has become famous for it.. But i think to completely bull@#$@# cyberwar, while setting such narrow definitions for what constitutes a war skates dangerously close to the thing that Ranum often complains about - Sensationalist topics shrouded in geek mystique that get eaten up by the popular press.. The talk was disappointing.. Ranum is indeed much better than this..