Category Archives: Security

Company tries to fire IT admin for 2 cent loss

Yahoo! News says a firm can’t fire a man charged with a 1.8 cent theft

A German company that fired a man for the theft of 1.8 euro cents (two U.S. cents) worth of electricity had no grounds for sacking him, a court ruled, dismissing the firm’s appeal against his reinstatement.

Network administrator Oliver Beel lost his job after charging his Segway, a two-wheeled electric vehicle, at work in May 2009. After he connected the vehicle to the firm’s power source for 1-1/2 hours, his boss asked him to remove it.

Twelve days later Beel found himself without a job.

They might have had a better chance if they had a policy specifically against charging vehicles. Then some kind of violation could have been claimed. Instead the court highlighted that employees charged cell phones and other devices without penalty.

Free Laundry! Stored Value Card Password Fail

ihack ? iam has posted a highly amusing and detailed analysis of Web Laundry (In)Security:

Ok, now we just need to guess the write 7 password. The password is 24 bits… That gives us 16,777,216 attempts to brute force it. At 4 attempts per card that will take 4,194,304 cards or 2,097,152 cards on average… There must be an easier way… My next idea was to sniff the traffic between the reader and card to get an idea of what kind of data is being passed back and forth, then after wading through the paper above, implement the algorithm to crack the cipher itself. Then I found this little ditty in the datasheet

[…]

Surely you would think the engineer(s) implementing this weren’t negligent enough to leave the default password… you would be wrong.

This is very much along the same lines as my presentation at The Next HOPE on Keypad Entry Systems. Start with the most basic tests and you will be surprised how quickly things fail, even things sold as “Unmatched Security and Cutting Edge Technology”.

CSA gives CoC (certificate of competency)

Pay them just $195 and the Cloud Security Alliance (CSA) says they are willing to certify you as competent.

The CSA is perhaps most infamous for a remap of other standards to its own. Not satisfied with existing maps of NIST, ISO, HIPAA, FISMA, PCI, etc. they happily added a new column to the mix and called it…the CSA cloud control matrix. This immediately begged the question why be ISO or PCI certified when you can be CSA instead? Why adhere to Requirement 10 of PCI DSS when you can now adhere to CSA 15? Who needs ISO 6 when you have CSA 5?

They said it was to make things easier but now it sounds more difficult. I mean they might be implying that it is so hard that without a test you could be considered incompetent. Oh, wait, never mind. I just read that the test, administered by Cosaint, is to demonstrate a “rudimentary understanding of cloud security”.

Marketing questions should be expected:

In which three ways can we distinguish cloud computing from traditional outsourcing?

The universal customer perspective is also on the test:

What is the key aspect of a cloud provider’s SAS 70 Type II audit statement a customer should review to determine if it meets customer requirements?

However, my favorite section of the test is on cloud grammar:

Why do communications between multiple virtual machines often evade tradition security monitoring systems?

If you do not know English well enough to find this obvious flaw…no CoC for you!

Who can resist this bargain? The test sounds like a no brainer! Act now because pricing goes up to $295 in 2011.

Just to clarify, the CSA seems to refer to it as the Certificate of Cloud Security Knowledge (CCSK) test but also the CSSK, while elsewhere I found it called a CoC test.

The latter of the three just rolls off the tongue, so to speak. If they are lucky, everyone might want their CoC. A CCSK, on the other hand, has the unfortunate overlap with clear cell sarcoma of the kidney, the second most common kidney tumor in children. I do not think anyone really wants CCSK.

Water Filter In a Tea Bag

A researcher from Stellenbosch University in South Africa claims to have developed a water filter the size of a tea bag. It thus can be fitted under the cap of a bottle. This significantly reduces the cost and inconvenience of purifying water, as reported by BBC News:

“We cover the tea bag material with nano-structured fibres, and instead of tea inside the tea bag, we incorporate activated carbon.

“The function of the activated carbon is to remove most of the dangerous chemicals that you would find in water.”

He says that the function of the fibres is to create a filter where harmful bacteria are physically filtered out and killed.

The BBC does not mention what quantity and speed of water can be filtered by a single bag. Those are the usual metrics but each bag is meant to be used only for a single serving just like tea.

The inventor, “past executive vice-president of global network of water professionals the International Water Association and a member of Coca-Cola’s global panel of water experts”, emphasizes the importance of decentralized solutions to help those most in need of water security.

A water security risk index of 165 nations, released by UK-based risk consultancy firm Maplecroft in June found that African and Asian nations had the most vulnerable water supplies, judged by factors such as availability of drinking water, demand per capita and dependence on rivers that flow through other countries. [Professor Eugene] Cloete adds that more than 90% of all cholera cases are reported in Africa, and 300-million people on the continent do not have access to safe drinking water.

“The ‘tea bag’ filter can show the way forward, as it represents decentralised, point-of-use technology.

“It can assist in meeting the needs of people who live or travel in remote areas, or people whose regular water supply is not treated to potable standards.

“As it is impossible to build purification infrastructure at every polluted stream, we have to take the solution to the people,” he notes.