PCI DSS Requirement 10.7 Changelog

Four years ago I wrote about changes between versions of the PCI DSS with an example of subtlety from Requirement 10.7. This came up again today, so here’s an updated table:

Requirement 10.7:

DSS 1.0: An audit history usually covers a period of at least one year, with a minimum of 3 months available online.

DSS 1.1: Retain audit trail history for at least one year, with a minimum of three months online availability.

DSS 1.2: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).

DSS 2.0: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).

The subtlety: 1.0 only describes what an audit history “usually” covers, 1.1 turns it into a requirement, and 1.2 (unchanged in 2.0) drops the word “online” in favor of “immediately available for analysis”, which a restorable backup satisfies.

Risks of High SPF Sunscreen

Sometimes I hear people explain firewall effectiveness in terms of SPF ratings on sunscreen. I like the concept but it also tempts me to pull out the annual Environmental Working Group (EWG) sunscreen hall-of-shame. The EWG offers nuggets of wisdom such as this:

Sky-high SPF products may protect from sunburn, caused primarily by UVB rays, but they leave children vulnerable to skin-damaging UVA rays. Without the warning signal of sunburn, children stay in the sun too long, and UVA damage builds up. Parents who see a high-SPF label on the bottle may think it’s safe to allow their kids hours of sunburn-free beach time, but risks associated with sun exposure begin in childhood and accumulate over a lifetime.

So the next time you tell me the firewall is like 70 SPF, I might ask which of the two you mean: are you just blocking the noise, or also the attack? Here’s another good example:

Consumers who shell out the bucks for pricey SPF-labeled moisturizers rarely get the sun protection they expect. There are plenty of sun care products that sell for less than $3 per ounce and offer better sun protection than those that cost up to 90 times more.

This quote is probably my favorite:

The front of a Lavera sunscreen box claims the product is “effective immediately” and there is “no need to wait.” But the side panel warns, “apply… 15 minutes before sun exposure.” Which is it?

Buyer beware. Don’t judge a firewall by its cover.

This day in history: 1862 Robert Smalls Pilots the Planter to Freedom

On this day in 1862, 150 years ago, Robert Smalls commandeered an armed Confederate ship in Charleston in order to emancipate himself and several others from slavery.

Smalls was hired in 1861 as a deckhand on Planter, the transport steamer serving Brigadier General Roswell Ripley, commander of the Second Military District of South Carolina. Smalls later became its pilot. In the early morning hours of May 13, 1862, while the white crew was ashore, Smalls, then 23, commandeered Planter, loaded with armaments for the rebel forts. With his wife, children and 12 other slaves aboard he gave the correct whistle signal as he passed each rebel fort. He then sailed toward Onward, the nearest Union blockading ship. As Onward prepared to fire on the approaching rebel ship, it raised the white flag of surrender. As Planter came alongside the Union ship, Smalls, elegantly dressed in a white shirt and dress jacket, raised his hat high in the air and shouted, “Good morning, sir! I have brought you some of the old United States’ guns, sir!”

Smalls then served the Union Navy, including duty as the first black captain of a U.S. vessel, and convinced the Union Army to accept black soldiers in August of 1862.

He later became a respected Republican politician in South Carolina where he created the first state law in the United States for free and mandatory public education.

Last Call at the Oasis

A new movie on the issue of water quality is set to appear in theaters tomorrow:

Illuminating the vital role water plays in our lives, exposing the defects in the current system and depicting communities already struggling with its ill-effects, the film features activist Erin Brockovich and such distinguished experts as Peter Gleick, Alex Prud’homme, Jay Famiglietti and Robert Glennon.

This comes just in time to highlight the latest research on nuclear fallout from Japan, which now is being detected on the West Coast of North America as reported in Environmental Science and Technology: Canopy-Forming Kelps as California’s Coastal Dosimeter: 131I from Damaged Japanese Reactor Measured in Macrocystis pyrifera.

Projected paths of the radioactive atmospheric plume emanating from the Fukushima reactors, best described as airborne particles or aerosols for 131I, 137Cs, and 35S, and subsequent atmospheric monitoring showed it coming in contact with the North American continent at California, with greatest exposure in central and southern California. Government monitoring sites in Anaheim (southern California) recorded peak airborne concentrations of 131I at 1.9 pCi m−3

“Greatest exposure” translates to rates 500% higher near Los Angeles than the rest of the coast. For many years now I have been researching methods of using dehumidifiers to source water. The military has been developing some amazing technology that can pull water out of the air in the desert, or reclaim water from exhaust pipes in vehicles. Imagine having a drinking fountain in your dashboard. In San Francisco each building, or even each dwelling, would simply produce its own water by absorbing moisture out of the fog, powered by the sun or the wind, as I mentioned in my presentation at last year’s BSidesLV.

It makes a lot of sense to pull moisture from the air when it is such high humidity and there is no shortage of wind power. This move from ground-based systems avoids numerous pollution issues found in piping water from remote reservoirs and it creates higher resilience to attack or disruption. However, it does not help in cases where nuclear fallout or other risks are drifting through the air.

AC72 wing design

We are only a couple months away from the giant America’s Cup catamaran wings being launched. A team led by American Paul Cayard already has theirs on sea trials. Blue Planet Times explains there was a lot of effort put into design regulation.

The box rule governing the AC72 is one big sandbox, so the engineers get to play. Oracle Racing Team Coordinator Ian Burns explains: “I was involved in writing the rule for the AC72s, and when we addressed the wing, we started with a complicated rule, to limit what a designer could do. We added more and more pieces as we thought of more and more outcomes, and we came to a point where it was so complicated—and it was still going to be hard to control, because the more rules you write the more loopholes you create – that we reverted to a simple principle. Limit the area very accurately, and make it a game of efficiency.”

Here’s the basic box rule for the AC72:

Hull Length: 22 m (72.18 feet)
Maximum Beam: 14 m (45.93 feet)
Wing Height: 40 m (131.23 feet)
Maximum Draft: 4.4 m (14.44 feet)
Displacement: 5900 kg (13007 pounds)
Wing Area: 260 sqm (2798 square feet)
Jib Area: 100 sqm (1076 square feet)
Gennaker Area: 400 sqm (4305 square feet)
Crew: 11 @ 92 kg each (203 pounds)

Cayard’s description of the latest engineering challenges to make those numbers work is not your usual scuttlebutt.

“We have 38 hydraulic cylinders. We want to avoid running hydraulic piping to each of them, because that would be heavy, so we have electrovalves embedded in the wing to actuate the hydraulics. But if you had two wires, positive and negative, running to each electrovalve, your wing would look like a PG&E substation, and that’s heavy too, so we use a CAN-bus [controller area network] with far fewer wires. Still, it’s incredibly complex.

“We wind up with lot of hydraulics,” Cayard says, “and the America’s Cup rules don’t allow stored power, so two of our eleven guys—we think, two—will be grinding a primary winch all the race long. Not to trim, but to maintain pressure in the hydraulic tank so that any time someone wants to open a hydraulic valve to trim the wing, there will be pressure to make that happen.”

OK, so there are thousands of hours of design in these wings, but there’s something deeply ironic about a 72 foot catamaran with a 130 foot wing that can sail faster than the wind but can’t generate enough power to manage its hydraulics without two crew constantly grinding a winch. It seems like a legacy mindset. A big part of the old America’s Cup boats was to be staffed with powerful yet heavy crew who could muscle the boat around. These boats surely call for lighter, more nimble crew. What if someone even figured out a way to efficiently use the wind to generate power…?

Perhaps Luca Devoti said it best. These boats are pure racing machines that have power to burn. They should have no shortage of energy at their disposal, or they may even have a reason for absorbing excess.

You have to change completely your way of thinking: the boat is sailing from the moment the wing comes out of the shed because the wing can fly away at any moment.

The trick, as explained in the following video, is to make the wing secure yet light; to keep it as uncomplicated as possible to reduce risk and reduce response time. Most of all, it sounds like the designers want to hurry up and make up for 20 years of lost time by borrowing technology and efficiency-study lessons from the A-Class and C-Class catamaran fleets:

$200M Sea Shadow Sent to the Chopping Block

The LA Times has posted an amusing story on the current GSA auction for a giant invisible catamaran.

Sea Shadow

…the U.S. Navy, which — after five years of trying and failing to donate the stealthy Sea Shadow to a museum — is now selling the ship for scrap metal in an online auction. All bids must be in at 3 p.m. Pacific time Friday. But there’s a catch. To win the auction, the successful bidder must agree to dismantle and scrap the Sea Shadow within six months…

What if you are a museum? Suddenly it is not good enough to be a museum?

Obviously the ship’s stealth is limited, otherwise the government would not be able to know what you did with it after winning the auction, right?

This is my favorite part of the story.

“On a typical night of testing, the Navy sub-hunter planes made 57 passes at us and detected the ship only twice,” he wrote. “A typical warship was a very high reflector of radar — a radar profile equal to about fifty barns. Our frigate would show up a hell of a lot smaller than a dinghy.”

That’s good news. The test success suggests that stealth technology in use today has come a long way from $200 million invested in 1985. Perhaps stealthy floating sea barns would now appear to be oar-sized? What’s a unit smaller than a dinghy? Life preserver?

More to the point, who in the world uses barns as a measure of size, especially when looking for something floating on the water? (A barn is a real unit of cross-sectional area from nuclear physics, 10^-28 square meters, which is exactly why it sounds absurd for a ship.) Perhaps it comes from people who think differently than the average person; people who use very precise and technical language to present their view of the world. People like this:

“I am amazed that it’s up for auction and a museum didn’t take it,” said Sherm Mullin, retired head of Lockheed’s Skunk Works. “But when I stop to think about it for about 10 microseconds, it becomes apparent to me that ships are difficult to take care of — a lot more difficult than airplanes.”

10 what? I would not even qualify 10 microseconds as a stop. That’s more like a yield in my mind. A speed bump at best.

Personally I would consider making bids for it but sadly it only comes with one microwave oven. I’d want at least a camp stove if I’m going to spend over $100K on a yacht. Although, I bet that microwave can cook food faster than anything on the market. Tuna in 10 microseconds anyone?

VMware Workstation 8.0.3 and the troubles with Ubuntu 12.04

DO NOT UPGRADE to Ubuntu 12.04 (yet).

I’ve had nothing but trouble with this distribution for a week now. I was going to write a giant long post about all the time I’ve spent getting it to be stable but here’s the bottom line: it’s not (yet) ready for public consumption. I have been regularly building Linux systems since 1994 and this release has been the most frustrating ever. I would not have an issue if this were 12.04 alpha or even beta and I went into it knowing that my systems would hard lock, but this is supposed to be the release candidate. Yuck.

It started with attaching an external monitor. Something that might seem so simple and common made the system freeze completely (I now hate compiz, unity, etc.). Turns out this has been a known problem for a few years, lurking in the compiz bugs. Then, after a few unexpected hard stops from my external display crashing the system, my encrypted home directory suddenly locked me out and my key no longer worked. So I was locked out of my files with an unstable display.

Scream Auction
Sotheby’s sells an 1895 prediction of the Ubuntu 12.04 user experience

I enjoy hacking into an encrypted directory as much as anyone (the silver lining to this story is that ecryptfs-recover-private makes it a no-brainer) but this was not a week where I had the time to spare working just to get access to my files. I thought I was going to have a stable (i.e. secure) upgrade when I clicked “yes” to the update manager prompt…alas, upgrading/patching to the latest vendor “stable” release is not always a good idea.

Perhaps when I cool down I’ll give more details on how I’ve removed all the unity gunk and returned myself to classic Gnome on Ubuntu 12.04 (and probably am now en route to switching to Mint), but in the meantime here are the trivial steps I took, thanks to Weltall, to get the VMware Workstation 8.0.3 network interfaces to work with Ubuntu 12.04:

Since the Ubuntu wiki is so far out-of-date, note the warning from ArchLinux:

VMware Workstation 8 and Player 4 only support kernels up to 3.0. Any later requires patching of the VMware modules.

Download vmware802fixlinux340.tar.gz from Weltall’s blog

Then untar the file
$ tar -xvf vmware802fixlinux340.tar.gz

Edit the version check in patch-modules_3.4.0.sh, changing the line “vmreqver=8.0.2” to “vmreqver=8.0.3” so the script accepts the Workstation version you actually have installed

Then run the patch
$ sudo ./patch-modules_3.4.0.sh


Updated to add: This has also been tested with Workstation 8.0.4; follow the same steps but use vmreqver=8.0.4. As noted in the comments below you may get the error “/usr/lib/vmware/modules/source/.patched found. You have already patched your sources.” Delete the .patched file and then run the script again.

$ sudo rm /usr/lib/vmware/modules/source/.patched
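The steps above, wrapped in one script as an added example (this is not from the original post and it is not Weltall’s own script): it takes the version for vmreqver from the installed Workstation, rewrites the check, clears the .patched marker so a re-run after moving from 8.0.3 to 8.0.4 does not abort, and then runs the patch. The tarball and script names are the ones given above; the parsing of `vmware -v` output and the wrapper’s own name are assumptions.

```shell
#!/bin/sh
# patch-wrapper.sh (name is an assumption). Added example, not part of the
# original post or of Weltall's vmware802fixlinux340 package.

PATCHED_MARKER="/usr/lib/vmware/modules/source/.patched"

# Extract "8.0.3" from a line such as "VMware Workstation 8.0.3 build-703057".
# The output format of `vmware -v` is an assumption; adjust the pattern if yours differs.
detect_workstation_version() {
    printf '%s\n' "$1" | sed -n 's/.*Workstation \([0-9][0-9.]*\).*/\1/p'
}

# Rewrite the vmreqver= line so the script's version check matches the installed
# Workstation. Refuses to touch a file that has no such line (wrong file, wrong tarball).
set_vmreqver() {
    script="$1"; version="$2"
    grep -q '^vmreqver=' "$script" || { echo "no vmreqver line in $script" >&2; return 1; }
    sed "s/^vmreqver=.*/vmreqver=$version/" "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Remove the marker that makes the script abort with "You have already patched
# your sources." when it is re-run. Uses sudo only where the directory needs it.
clear_patched_marker() {
    marker="$1"
    [ -e "$marker" ] || return 0
    if [ -w "$(dirname "$marker")" ]; then rm -f "$marker"; else sudo rm -f "$marker"; fi
}

# The whole procedure from the post: untar, fix the version check, clear the
# marker, run the patch script as root.
patch_vmware_modules() {
    tarball="$1"
    version=$(detect_workstation_version "$(vmware -v 2>/dev/null)")
    [ -n "$version" ] || { echo "cannot detect VMware Workstation version" >&2; return 1; }
    tar -xvf "$tarball" || return 1
    set_vmreqver patch-modules_3.4.0.sh "$version" || return 1
    clear_patched_marker "$PATCHED_MARKER"
    sudo ./patch-modules_3.4.0.sh
}

# Stand-alone use:  sh patch-wrapper.sh vmware802fixlinux340.tar.gz
if [ "$#" -ge 1 ]; then
    patch_vmware_modules "$1"
fi
```

The script only edits the version check; the kernel-module patches themselves are still the ones in the tarball, so re-check Weltall’s page for a newer archive before pointing this at a kernel later than the one it was written for.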


Also updated to add:

A reliable fix for the dual-screen crash is to change the version of the evdev input driver (xserver-xorg-input-evdev), the X driver that uses the kernel’s event interface and handles multiple keyboards and mice as separate input devices.

The flawed version that ships with Ubuntu 12.04 is 1:2.7.0-0ubuntu1; downgrading to 1:2.6.99.901-1ubuntu3 from January 2012 gives a stable system. The changelog lists only minor differences in the new version:

* Fix horizontal scroll direction (LP: #932439)
– Add 0005-fix-horiz-scrolling.patch from upstream
* Bump lintian standards version to 3.9.3

But clearly a fix in 1:2.6.99.901-1ubuntu3 went missing.
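Downgrading alone is not enough: the next apt-get upgrade will pull 1:2.7.0-0ubuntu1 straight back in. The following added example (not from the original post) writes an apt pin for the working build, installs it and holds it. The package name and the two version strings are the ones given above and the preferences.d path is standard apt; the `--apply` flag belongs to this script only.

```shell
#!/bin/sh
# Added example, not part of the original post. Pins xserver-xorg-input-evdev to
# the January 2012 build so apt does not silently reinstall the crashing version.

PKG="xserver-xorg-input-evdev"
GOOD="1:2.6.99.901-1ubuntu3"
BAD="1:2.7.0-0ubuntu1"

# Emit an apt preferences stanza. A priority above 1000 is what allows apt to
# *downgrade* to the pinned version; 990 and below only keep it once installed.
pin_stanza() {
    pkg="$1"; ver="$2"
    printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n' "$pkg" "$ver"
}

# Read the Pin-Priority out of a stanza and report whether it permits a downgrade.
pin_allows_downgrade() {
    prio=$(printf '%s\n' "$1" | sed -n 's/^Pin-Priority: *\([0-9]*\).*/\1/p')
    [ -n "$prio" ] && [ "$prio" -gt 1000 ]
}

# Given the output of `dpkg-query -W -f '${Version}' PKG`, say whether the
# installed build is the one known to crash.
installed_is_bad() {
    [ "$1" = "$BAD" ]
}

# Write the pin, install the known-good build, and hold it so apt-get upgrade
# leaves it alone. The hold is set with dpkg selections, which exist on every
# Debian-derived release.
downgrade_and_hold() {
    pin_stanza "$PKG" "$GOOD" | sudo tee "/etc/apt/preferences.d/$PKG" > /dev/null
    sudo apt-get install -y "$PKG=$GOOD"
    printf '%s hold\n' "$PKG" | sudo dpkg --set-selections
}

# Stand-alone use:  sh evdev-pin.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if installed_is_bad "$(dpkg-query -W -f '${Version}' "$PKG" 2>/dev/null)"; then
        downgrade_and_hold
    else
        echo "$PKG is not at $BAD; nothing to do"
    fi
fi
```

The pin also blocks every later update to that package, security fixes included, so remove /etc/apt/preferences.d/xserver-xorg-input-evdev and the hold once a corrected evdev build ships.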

The Power of Cracking Passwords

Ivan Golubev’s blog points out that power supply and heat dissipation can impact the speed of brute forcing passwords with graphics cards.

Apparently lowering the GPU core frequency resulted in “closer to estimations” performance. My first guess was that there is internal throttling in the 6990 and so overheating was causing the performance drop. I’ve even posted in the official forum about this but some more experiments reveal that I wasn’t totally right. The answer was pretty simple:

[…]

Yep, by default there isn’t enough power provided to the 6990 to make it work at 100% performance

[…]

…make sure you have proper cooling and PSU, as it looks like the official 375W TDP can easily become 450W, and this means A LOT of heat you need to deal with somehow.

Radeon HD 6990 graphics cards have dropped to under $400, which is very tempting, but only for the air-cooled version. So the cost of reaching the peak brute-force rate of 10 billion passwords per second with ighashgpu really must be measured in terms of liquid cooling and a clean power supply (around $4,000 for a complete system). It’s a nice example of how security is tied to energy and efficiency. Golubev actually provides a spreadsheet of performance per dollar, but it doesn’t account for the environmental factors that peak performance depends on.

To put this all in perspective, a strong 8-character password mixing upper and lower case, digits and symbols on a Microsoft OS could take around 20 days to crack for less than $5,000. (The full 95-character printable keyspace is 95^8, about 6.6 × 10^15 candidates, which a sustained 10 billion per second exhausts in roughly 7.7 days; 20 days leaves room for rates well below peak.) Since password change cycles are usually 90 days…

Police Solve Stolen Lamborghini and Related Cases

The SF Chronicle has reported an interesting case of a teenager arrested by police for a string of bank robberies and an attempted homicide. Although the 17-year-old suspect went to great lengths to jam electronic signals while in a stolen luxury car, he apparently did not take much precaution against simple video surveillance. It might be fair to say an obsession with avoiding capture did not mix well with what sounds like vanity and jealousy.

The detectives started only with reports from witnesses that a black-clad motorcyclist had been seen waiting at a nearby gas station before five shots were fired into a pickup truck parked on Evergreen Avenue in Mill Valley. Landon Wahlstrom and his 17-year-old girlfriend were sitting inside and ducked, according to the report.

BiLT Helmet

Surveillance video at two gas stations where witnesses said they had seen the motorcyclist showed the apparent suspect. The helmet had “Bilt” written on it. That led investigators to a Cycle Gear retail store in San Francisco, which sells that model helmet. Surveillance video and transaction records showed the suspect buying not only the helmet but a dark visor, a black cloth face and neck protector, a black leather vest and black gloves.

The female victim was shown the video and identified Wade, from whom she had admitted buying fake identification cards and counterfeit driver’s licenses.

Americans are so used to labels being displayed on the outside of everything that the suspect probably did not even notice the BiLT sticker or realize it’s a unique form of identification. Cracking the case is related to the luxury car, which was stolen from a dealership last year. Ironically it had been stored with the dealer by its owner, a celebrity chef who was concerned it might end up in a chop-shop in San Francisco. OK, pun intended. Once police identified the suspect on the motorcycle and realized the connection with the car, they engineered the suspect into revealing the location of a 2008 bright yellow Lamborghini Gallardo. They simply used the girl’s identity to ask for a date in the car. He fell for it and invited police to a storage locker in Richmond where they found everything they could want stored together.

The cache in the steel locker was a potpourri of gadgetry, disguises and guns. Investigators found a dismantled AK-47 assault weapon, an assault-type shotgun, electronics that can interfere with cell phone frequencies and a list of scanner codes for a variety of California law enforcement agencies. Inside the Lamborghini were three UHF signal jammers for cell phones and two radio signal jammers.

Most troubling of all, though, was the discovery of a full San Francisco Police Department uniform, including a badge and duty belt and some bags, containers and a mask.

“The mask resembled one which was reportedly worn by a suspect or suspects in a series of recent, unsolved bank robberies in Northern California,” stated the report, which was prepared by Marin Sheriff’s Detective Greg Garrett.

The uniform is definitely troubling and likely will bring charges of impersonation. The mask, however, is an odd detail. I leave it to you to figure out why he would store a used mask instead of destroy it, let alone put it with the evidence from other unrelated crimes to make it easy to link them all together.

VMware Security Update: Accelerated Release of Patches

VMware Security has posted an announcement that patches are being made available immediately.

VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

For example, ESXi 5.0 Patch 3 (P3) is listed as “Security Patch Needed”:

Apply security patch available at http://www.vmware.com/patchmgr/download.portal under Bulletin ESXi500-201205401-SG.

The bulletin describes the flaws it addresses:

Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.

[…]

Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

[…]

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Note the qualifier on the NFS flaw: it is reachable only from a network position that can deliver NFS traffic to the host, so an ESXi host with no NFS datastores, or with NFS confined to an isolated storage segment, has a correspondingly smaller window until the patch is applied. Their announcement also has a FAQ with reference to recent events:

In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.
