Tuesday 29 January 2013

Segregating the CDE

I am working on a new PCI DSS implementers course and looking at examples of segregating the Cardholder Data Environment (CDE) from the corporate network to reduce the scope to which the PCI DSS applies.

The PCI SSC say: "Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment." Segmentation is not mandatory, but it does offer many organisations a means of simplifying compliance with the PCI DSS.

However, the standard says the following on scoping and segregation:
  • If there is a system on a network that does not store, process, or transmit card data, but that system is able to reach machines that do store, process, or transmit cardholder data, then the system is in scope.
  • If the server is unable to see or connect such that no user on the system could traverse to any systems that store, process, or transmit card data, then the system is out of scope.
This leads to the question of what is in scope and what is out of scope, especially on a corporate network where domain controllers and time servers supply services to all corporate devices, including those within the CDE.
 
As an example I will look at the use of time servers, since requirement 10.4 states that all critical system clocks and times should be synchronised.
 
We could implement this by putting a time server within the CDE that, for example, receives the MSF signal from the Anthorn radio station run by the National Physical Laboratory (NPL) in the UK. However, other critical systems in an organisation should also be synchronised. A time server can instead be placed in the untrusted corporate network outside the CDE, but it will then need to provide its service to the CDE while maintaining compliance with the PCI DSS, and by providing a service to the CDE it would appear to be in scope and part of the CDE.
 
This can send you around in circles. However, requirement 1.2 states "Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment." This allows us to configure the firewall protecting the CDE to pass the time service from the corporate time server into the CDE, provided the firewall and the traffic itself are suitably protected and filtered so that only the time service, and only from that time server, is allowed through.
 
 

We also need to meet the intent of the PCI DSS wording "no user on the system could traverse to any systems that store, process, or transmit card data". This means that any server providing a service to the CDE should be hardened to standards such as those from the following organisations:
  • SysAdmin, Audit, Network, Security (SANS)
  • National Institute of Standards and Technology (NIST)
  • Center for Internet Security (CIS)
We also have requirement 1.4, which prohibits direct public access and has two sub-requirements:
  • Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.
  • Restrict outbound traffic from payment card applications to IP addresses within the DMZ.
Therefore, in our example, if we are using the Network Time Protocol to update time servers, the time server in the CDE cannot connect directly to a public time server; it will have to use an interim time server in the DMZ, which in turn accesses a public time server on the Internet. This demonstrates some of the techniques that can be used in designing and building a securely segregated network for the PCI DSS.
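As an added illustration (not from the original post), here is a small Python model of the firewall policy described above: a deny-all rule base that admits only the time service (UDP/123) from the corporate time server into the CDE and lets the CDE time server reach the Internet only via the interim DMZ server. The addresses and host roles are constructed assumptions, and return traffic is assumed to be handled by stateful connection tracking.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing for the zones in the post (hypothetical ranges chosen
# for illustration; the post itself gives no addresses).
CDE = "10.2.0.0/24"        # cardholder data environment
CORP_NTP = "10.0.0.5/32"   # corporate time server in the untrusted network
DMZ_NTP = "10.1.0.5/32"    # interim time server in the DMZ
CDE_NTP = "10.2.0.5/32"    # time server inside the CDE
ANY = "0.0.0.0/0"
# action is "allow"/"deny"; src/dst are CIDRs; proto is "udp", "tcp" or "any";
# dport is a destination port or None for any port.
Rule = namedtuple("Rule", "action src dst proto dport")

# First match wins and anything unmatched is denied (req 1.2 deny-all).
# Replies are assumed to be passed by stateful connection tracking.
CDE_POLICY = [
    # Req 1.2: only the time service, and only from the corporate time server.
    Rule("allow", CORP_NTP, CDE, "udp", 123),
    # Req 1.4: the CDE time server may only poll the interim DMZ server ...
    Rule("allow", CDE_NTP, DMZ_NTP, "udp", 123),
    # ... and that DMZ server is the only host allowed to talk NTP to the Internet.
    Rule("allow", DMZ_NTP, ANY, "udp", 123),
]

def matches(rule, src, dst, proto, dport):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(policy, src, dst, proto, dport):
    """Return the action taken for one flow; default deny when nothing matches."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"

def check_time_service_flows():
    """The flows the post walks through, each mapped to True if handled as intended."""
    cases = {  # (src, dst, proto, dport): expected action
        ("10.0.0.5", "10.2.0.20", "udp", 123): "allow",     # corporate NTP into the CDE
        ("10.0.0.5", "10.2.0.20", "tcp", 445): "deny",      # same host, any other protocol
        ("10.0.0.77", "10.2.0.20", "udp", 123): "deny",     # any other corporate host
        ("10.2.0.5", "203.0.113.10", "udp", 123): "deny",   # CDE straight to the Internet
        ("10.2.0.5", "10.1.0.5", "udp", 123): "allow",      # CDE to the DMZ relay
        ("10.1.0.5", "203.0.113.10", "udp", 123): "allow",  # DMZ relay to the Internet
        ("203.0.113.10", "10.2.0.5", "udp", 123): "deny",   # unsolicited inbound
    }
    return {flow: evaluate(CDE_POLICY, *flow) == expected for flow, expected in cases.items()}
```

The same evaluator can be pointed at an exported rule set to check that no non-time protocol or non-time-server source reaches the CDE before an assessor does.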



Monday 28 January 2013

Tools Update (28 Jan 13)

My slightly irregular update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting, although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on Twitter and other websites to find updates or new releases, and I also search for pen testing and security projects on SourceForge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/ and http://tools.hackerjournals.com

DNSChef 0.2.1
http://packetstormsecurity.com/files/download/119681/dnschef-0.2.1.tar.gz
DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka "Fake DNS") is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for "badguy.com" to point to a local machine for termination or interception instead of a real host somewhere on the Internet.


SQLSentinel
https://github.com/karonte691/sqlsentinel
SQLSentinel is an open source tool that automates the process of finding SQL injection on a website. SQLSentinel includes a web spider and an SQL error finder. You give it a site as input and SQLSentinel crawls it and tries to exploit parameter validation errors for you. When the job is finished, it can generate a PDF report containing the vulnerable URLs found and the URLs crawled. SQLSentinel is not an exploitation tool; it can only find URL vulnerabilities.

News

Backtrack to be Reborn as Kali Linux
http://cyberarms.wordpress.com/2013/01/26/backtrack-to-be-reborn-as-kali-linux-the-best-pentest-distro-ever/
Interesting news from the Backtrack development team: Backtrack is in the process of a major overhaul and will be reborn as a new distribution named Kali!

Tuesday 22 January 2013

Tools update (Jan 22nd)

My slightly irregular update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting, although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on Twitter and other websites to find updates or new releases, and I also search for pen testing and security projects on SourceForge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/, http://tools.hackerjournals.com/

CORE Impact Pro 2013
http://www.coresecurity.com/content/core-impact-overview
CORE Security released CORE Impact Pro 2013, the latest version of its vulnerability assessment and penetration testing software, which allows organizations to proactively test IT infrastructure and identify exactly where and how an organization’s critical data can be breached.

Friday 18 January 2013

Law & Ethics

Came across an interesting article today, "How computer hacking laws make you a criminal", which discusses the actions of Bill Gates and Steve Jobs and compares them to Aaron Swartz. Not wanting to get into discussions over Aaron, as I don't know the background sufficiently, the article piqued my interest in Law and Ethics, on which I have previously blogged.

It was interesting to see that people who are considered to be heroes of the computer industry started by misusing computers, doing things that would be considered criminal in today's world. The reported actions of Bill Gates and Steve Jobs in the article did not fall under the hacker ethics outlined by Steven Levy or within the views of Richard Stallman on free and open access. I know selling phreaking boxes can be construed as providing free access, but it was circumventing payment for a service for self-enrichment.

The actions of Aaron did, to me, seem to fit within the hacker ethics of Steven Levy:


  • Sharing
  • Openness
  • Decentralization
  • Free access to computers
  • World Improvement

The method used to get the information from JSTOR may have been dubious in causing performance problems for the servers, but his intention was about openness and free access to information.

I agree with the article that computer misuse laws are not framed fairly and do not consider the background and intent behind the offence. Cyber criminals can steal millions in monetary value and get less punishment than a criminal in the real world committing a similar offence, and there are cases of cyber criminals getting higher tariffs compared to real-life criminals for a similar offence.

There is a need, in my opinion, for law makers to consider the cyber world and make laws with sensible tariffs that fit today's world. Cases where cyber criminals can face life in prison for just accessing computers do not fit with murderers getting shorter periods. Protection of our personal information needs to be taken seriously and suitable tariffs are required.

Monday 14 January 2013

2012 ADSL Summary (part 1)

There were a total of 4966 incidents recorded in the log files of my ADSL router during 2012; these came from 666 different IP addresses in 24 different countries. The table shows countries ranked by number of IP address origins, with the number of attacks listed as identified from the log files. The countries are not necessarily the source of the attack, but the IP address used was registered within that country.

Country          IP Origins  Attack Origins
Turkey                  474             480
China                   130            4162
United States            18             156
South Africa              8               8
United Kingdom            6              47
Azerbaijan                4               4
France                    4              25
Germany                   3              25
Japan                     3              11
Ukraine                   2               2
Malaysia                  1               1
India                     1               1
Pakistan                  1               1
Hong Kong                 1               1
Russia                    1               1
Canada                    1               6
Switzerland               1               1
Egypt                     1               1
Thailand                  1               1
Greece                    1               1
Cyprus                    1               1
Netherlands               1              16
Saudi Arabia              1              12
Sweden                    1               2
Totals                  666            4966

Tools Update (14 Jan 2013)

My slightly irregular update, at the moment, on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting, although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on Twitter and other websites to find updates or new releases, and I also search for pen testing and security projects on SourceForge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/, http://tools.hackerjournals.com/


Burp Suite Professional v1.5.04
http://portswigger.net/burp/downloadfree.html
This release adds an in-tool repository for the new extensibility APIs. The Extender / APIs tab lists all of the interfaces available in the current build of Burp, and lets you browse these and save the interface and Javadoc files locally.

Android Pen Test tools
http://seclist.us/2013/01/droid-pentest-tools-released-a-list-of-android-apps-for-penetration-testing.html
A list of Android apps for penetration testing.

12 Interesting Penetration Testing Linux Distros
http://www.slashgeek.net/2013/01/10/12-pentest-linux-distro/
An article on Slashgeek about PenTest Linux distros.

Friday 4 January 2013

Legal process behind cyber crime conviction

Came across an excellent article from Sophos "How a regular IT guy helped catch a botnet cybercriminal" about the legal process and investigation that goes on when prosecuting a cyber criminal.

The first paragraph struck me by making it very obvious that evidence that a crime has taken place is required, to such a level that in a court of law it is "beyond all reasonable doubt":

 "It's not enough for the authorities to discover who is behind a malware attack. To secure a successful conviction, it's also necessary for victims to report that a crime has taken place."

The whole article is a good description of the process law enforcement go through in order to gain a conviction, and it shows the problems when cyber crime occurs so easily across national borders while police investigations are limited by national jurisdiction. It also shows how long the process can take to complete: the initial malware was identified in Nov 2006 and the conviction took place in March 2008, and this was with the criminal making it easy by using his real name to register a domain name and to set up a billing contract.