nCircle.com >> 360 Security >> The Lens


March 2007 Archives

March 1, 2007

scape-goat, n.; Julie Amero

Most of you have probably read about Julie Amero at this point. This is the case of the teacher convicted of 'impairing the morals of a child' for allowing her students to view pornographic pop-ups on the computer. There are a lot of obvious things wrong about this trial, but in the sources and blogs that I've read, there's something missing. Why isn't there a lawsuit against the school, school district, or whoever is responsible for administration of that computer?

Measured against the basic information security requirements that regulators impose on other industries, running an extremely outdated computer in a public place with no protection against spyware/malware would fail every time. The fact is, while Julie Amero may not have behaved perfectly given the situation, she never should have been put in that situation. Was she appropriately trained on what to do when pornographic pop-ups appear on the computer? I doubt it. If this occurred in a corporate environment, would you blame the user?

March 15, 2007

It's the New Black

You may have noticed that a remote exploit has been found in the venerated OpenBSD. Since this is only the second remote code execution condition found in 10 years, it warrants some attention, certainly. It had to hurt a little to increment that counter from "one" to "two" on the openbsd.org page.

What's interesting about this vulnerability, however, is that it's specific to IPv6. The Department of Defense has put some significant momentum behind IPv6 adoption, and this OpenBSD vulnerability got me thinking about how many untested implementations of IPv6 are out there. I imagine that as IPv6 gets rolled out, security researchers will find it an interesting avenue for exploit. Depending on how adoption occurs, we're likely to see a rash of IPv6 based exploits.

Don't get me wrong, it's not that there aren't IPv6 vulnerabilities out there, but ultimately, the attackers go where the target space is richest, and that isn't IPv6 today.

March 19, 2007

The Network *is* the Vulnerability

Do you remember this ad campaign from Sun Microsystems? "The network is the computer." It was supposed to herald a fundamental shift in the architecture of the personal computer. In many ways, it's come true, though perhaps not quite the way Sun intended. The individual computing machine functions in many ways as an access terminal to the Internet or corporate network. For many people, working without a connection simply isn't possible. Even more so, personal use of computers is inextricably tied to an Internet connection. This ubiquity of connectivity has exponentially expanded the target surface for attacks, which also drives the discovery of vulnerabilities, which further drives the security industry. Ok, so nothing new there.

Enter Web 2.0. As tired as we might be of this eMarketing iTerminology, it's useful in this context. The 'web' is that first paragraph. 'Web 2.0' is the user-contributed, public-built web. It's Wikipedia, YouTube, MySpace, the Blogosphere, Google Desktop, and a whole bunch of other sites and tools that allow users to interact with and store content outside of their control. This could be called, generically, Software as a Service. The term SaaS isn't usually taken to include some of the consumer applications like MySpace, but I think it should. They are SaaS just as much as Salesforce.com might be, though with very different business models. The introduction, and adoption, of Google's suite of business tools falls squarely into this category as well.

For users, this SaaS revolution means greater collaboration, features, etc. For security, this means a whole new world of platforms for exploit. At this point, the security industry understands the computer fairly well. We can all get our hands on the existing platforms (mostly) and play with them. With SaaS, it's a different ball game, where there are lots of balls and they're difficult to see.

Let's move to something a little more concrete. So far, we've seen exploits of the Web 2.0 platform that leverage it as an attack vector to get at the traditional computing device. The very simple example of a bad link in the German Wikipedia that pointed to a malicious website is a good first start. The attacker just used a highly visited site to propagate a link. This escalates nicely to the recent MySpace worm. The worm came in the form of a QuickTime video that loaded spyware onto the user's computer, but also compromised other MySpace accounts via a fake navigational link and fake login page. The evolution here is that the attacker used the platform of MySpace for propagation. The end result of installing spyware was still present, so we're still talking fundamentally about exploit of the traditional computing device.

These platforms aren't alone in having vulnerabilities. Google Desktop has some. WordPress apparently had a backdoor. Interestingly, I learned early on that the only way to ensure a clean system after compromise is a clean re-install. How exactly do you perform a clean re-install of a hosted WordPress system? There's even virtual terrorism in Second Life to contend with.

The next evolutionary step in this process is the exploit of the Web 2.0 platform as an end in itself. Financial access can be a big motivator here. The profit motive is what drives exploit more and more, and profit has to be tied back to concrete financial transactions. There's a very understandable business motivation to facilitate those transactions in more places and via more means, but as those transactions are facilitated in more contexts, the target surface grows not only in size, but in attractiveness as well. Think about eBay and PayPal. Now think about MySpace and PayPal, or MySpace and your bank.

Ultimately, the risk is that we in the security industry fail to follow the mindset of the attacker. If we continue to focus on the existing target surface of the individual computer, we'll miss a shift in tactics and incur a sizable loss. There are some dark spots in these terms, and some bright spots as well. Anton Chuvakin points out that some of the disclosure issues we've settled (more or less) in the traditional information security space are not at all the same for the Web 2.0 platform. This is complicated by the fact that one can't grab a pirated copy of Flickr or Facebook, install it in one's garage, hack on it, and report vulnerabilities anonymously. It's harder, though certainly not impossible, to force the disclosure issue in this context. On the other hand, there's the counter-point of the "Month of MySpace Bugs," which takes the very clear and positive step of treating MySpace as a real platform for exploit.

The conclusion, of course, only comes in time, but now is when we as an industry should start defining the rules with which we will inter-operate with these platforms.

March 21, 2007

Is Brand Damage a Myth?

Yesterday I saw a presentation from a sales rep of PointSec at a local ISSA meeting. Aside from the fact that it was, I suspect, largely a straight copy of their standard sales deck, there were a few interesting points, and the most interesting of them weren't really made in the presentation so much as by it. He talked a lot about data loss, data value, and the cost of data recovery. The interesting thing is that these very distinct terms were used haphazardly. Data loss, specifically the loss of data via equipment loss, was highlighted to emphasize frequency; "These things occur all the time!" Data value was highlighted to emphasize severity; "And they are very serious!" Finally, the cost of data recovery was presented as the usual 'infinite brand damage' metric; "And one loss could drive your company out of business!" It's a favorite of mine, incidentally.

There are several problems here. First, he never quite manages to connect the data loss to data compromise, i.e. the fraudulent use of stolen data. I'm not saying the connection doesn't exist, but that the focus on loss over compromise is misleading. Data compromise is a serious problem that seems underreported, probably because it's hard to measure. That doesn't mean it isn't important to measure. Secondly, data value isn't the same as cost of recovery, or at least it's not reported as such. Look at this recent incident in Alaska. They lost a $38 billion file, but the cost of recovery was closer to $200,000.

And last, but not least, there's the 'infinite brand damage' metric. Let's look at a few examples via a three-point analysis. For these purposes, the 'date of incident' is the date it became public. Stock prices are at the close of the market around the same date in the appropriate month. I picked four relatively high profile incidents, but there are more.

TJX (1/17/2007)
Stock Price 3 months before incident (October 2006): 28.97
Stock Price today (March 2007): 26.46
Stock Price 6 months after incident: N/A

Ameriprise AMP (1/29/2006)
Stock Price 3 months before incident (October 2005): 37.10
Stock Price 3 months after incident (April 2006): 49.04
Stock Price 6 months after incident (July 2006): 44.54

Choicepoint CPS (2/15/2005)
Stock Price 3 months before incident (November 2004): 44.01
Stock Price 3 months after incident (May 2005): 37.16
Stock Price 6 months after incident (August 2005): 43.22

ADP (7/6/2006)
Stock Price 3 months before incident (April 2006): 46.78
Stock Price 3 months after incident (October 2006): 47.47
Stock Price 6 months after incident (January 2007): 48.76

Using stock price as an indicator, one can conclude that either the brand damage isn't very significant or these four companies worked very hard at recovery. Clearly, I can't measure the direct increase in money spent on brand recovery by each of these organizations, but also clear is that none of them were irreparably damaged by their respective incidents.

The thing is, brand damage is driven by public perception. The more data loss disclosures that occur, the more the public perceives them as normal and, in turn, the less likely becomes the risk of brand damage. This is why (appropriate) punitive damages are an important part of the regulatory environment. The public can only react in a significant way to outliers in the incident arena, and if data loss is normal, then the fear of public reaction is not a valid incentive.

*UPDATE*
With perfect, yet unplanned, timing: "Data from TJX Security Breach Fuels Fraud Scheme"

March 23, 2007

PCI Confusion: What is Compliant?

As you may have noted, nCircle recently introduced our Certified PCI Scan Service, which means that we achieved certification as an Approved Scanning Vendor from the PCI Security Standards Council.

One of the requirements of PCI is that we score vulnerabilities according to their standards. You can read about them in detail here, but the gist is this table from the Technical and Operational Requirements for ASVs:

[Image: old_PCI_vuln_scores.jpg, the vulnerability scoring table from the Technical and Operational Requirements for ASVs]

Anything scoring a 3 or greater constitutes a non-compliant system and therefore a non-compliant customer. As of June 30, 2007, PCI is changing the scoring criteria to use CVSS instead of their ranking system, as noted in the same Technical and Operational Requirements for ASVs. The use of an external standard is an improvement, but I'm confused about one particular note in the requirements (pg 4-11):

[Image: new_pci_score.jpg, the note on CVSS-based scoring from the Technical and Operational Requirements for ASVs, pg 4-11]

Does anyone else read that last bullet point as saying that Denial of Service conditions will no longer constitute a non-compliant system? In the current ranking system, DoS falls clearly into category 3, which is non-compliant. Is PCI following OpenBSD or vice versa?

March 26, 2007

Bad Habits or Good Marketing

Flixster wants you to give them access to your email accounts so that they can invite everyone from your address book to join Flixster. They do this by asking you to provide them with the password for those accounts. Read here and here for details. This is bad. Very bad.

The argument in favor of this tactic is that it's simply good marketing and good usability.

Joe Greenstein, founder, said in an interview, "We make it easy to invite your friends. Other sites don't provide good ways for people to spread the word. And, we tried to build a really compelling site."[source]

I have several problems with this approach. First of all, I don't want any company that begins their terms of service with a picture of a monkey and "I can't believe you really clicked on this. What are you trying to find out?" storing any password of mine. Of course, they also "reserve the right, at our sole discretion, to change, modify, add, or delete portions of these Terms of Service at any time without further notice." Does this little guy really inspire confidence?

I think that's the obvious issue. The less obvious problem is that Flixster is teaching users bad habits. Handing out your password(s) is not a good thing to do. The security industry and organizations have been trying to educate users on this point as much as possible. Users should be wary of third-party sites asking for login information. Flixster shouldn't make that activity normal. Somewhere out there, someone is looking to fund a startup called Bankster that will happily help you manage all your bank accounts.

About March 2007

This page contains all entries posted to The Lens in March 2007. They are listed from oldest to newest.
