Category Archives: Security

Visa Security Report: List of Common Vulnerabilities

Visa released to the public just a couple of weeks ago a report on common vulnerabilities found at U.S. small merchants. Not exactly a short list. They could have at least put it in the order of the PCI DSS requirements:

  • SQL injection
  • Misconfigured web applications
  • Lack of segmentation of the cardholder data environment
  • No firewall configuration
  • Insecure remote management access
  • Use of RDP/Terminal services on internal network
  • Packet sniffers
  • Keyloggers
  • Backdoors
  • Excessive permissions
  • Use of shared, default credentials or common passwords
  • Administrative accounts not protected
  • Databases not hardened
  • Unauthorized user ability to modify applications (troubleshoot, capture full track data, use risky protocols)
  • Reliance on third-party service providers for POS installation and management

The report also details the U.S. Contact/Contactless Acceleration Plan and the 2012 “PCI validation relief for merchants that adopt dual-interface terminals”.

China IE6 Usage Still Over 25%

The end of December 2011 marked a significant milestone for IE6 measurement. The U.S. has finally dropped below 1% usage.

Things are even looking good for bright red China, which still sits above 25% (4% of the world) but has dropped a whopping 10% in under a year.

It is possible that measurement methods may be skewed by proxies and bogus tokens but the more likely story is that China is on a browser support time-line that can’t seem to get past an OS introduction date.

This reminds me of a time years ago when I was called in by a huge software-as-a-service provider and asked how to get SSLv2 through a PCI DSS assessment. “Why would you want to do that?” I asked. “We have a lot of IE6 users” was their reply.

My response was twofold. First, I questioned whether the IE6 data and the SSLv2 data were trustworthy. Browsers can negotiate down to SSLv2, but that does not mean they were incapable of running SSLv3 or better. Perhaps if they dug into the data they would find a different picture and see far less IE6. Second, I recommended posting a warning banner telling any IE6 user to upgrade their browser within a set time-frame, or with a count-down clock. Even something like an orange warning banner would be nice.

Their counterpoint was that IE6 came out in 2001, which still was within Microsoft’s threshold of customer support. A little research revealed that Microsoft, despite being forced by government decree to un-bundle the browser, never changed their story on IE6 support as inseparable from the Operating System life-cycle. Since the OS was still supported, and the browser was bundled “as part of”…

Versions of Internet Explorer 6 that shipped as a part of the operating system or its associated service packs will continue to follow the support lifecycle of the operating system.

That certainly complicated the situation. Windows 2000 (Service Pack 4), for example, was still under extended support until 2010.

Support for Windows 2000 ended on July 13, 2010

Windows XP also shipped with IE6. Rather than get pulled into that complex and political issue of the Microsoft antitrust lawsuit, I scaled back and presented a more focused response.

SSL v2.0 was released in early 1995 but was so horribly flawed and subject to man-in-the-middle (MITM) attacks that v3.0 was released by 1996. So they were told to remove v2 not just because it is older than 1996, and not just because the PCI SSC DSS says so, but because it was a long-known risk to their users.

Fortunately, that three-part argument seemed to convince them, and it was then just a matter of creating a redirect and warning for anyone who tried to negotiate only SSLv2. It would have been far more interesting to tackle the problem of IE6, but that was seen as an issue between Microsoft and their users instead of something content providers could drive.
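To show the point about not trusting raw SSLv2 numbers, here is an added Python example (not code from the original post or from the provider described) that classifies captured ClientHello records: a v2-format hello whose CLIENT-VERSION field says 0x0300 or higher comes from a client that can do SSLv3/TLS, so only hellos advertising 0x0002 are the SSLv2-only clients that the redirect and warning should target. The sample hellos are constructed for the example; the record layouts and version numbers follow the SSLv2 and SSLv3/TLS specifications.

```python
import struct

# Highest version a client can state in its hello (SSLv2 CLIENT-VERSION or TLS client_version)
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1"}


def classify_client_hello(data: bytes) -> dict:
    """Return the record format, the highest version the client advertises and
    whether it could only speak SSLv2 (the case that warrants the warning/redirect)."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # SSLv3/TLS record header (5 bytes), handshake header (4 bytes), then client_version
        version = struct.unpack("!H", data[9:11])[0]
        fmt = "tls"
    elif len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte header with high bit set (15-bit length), MSG-CLIENT-HELLO,
        # then the 2-byte CLIENT-VERSION; a v3/TLS-capable client puts 0x0300 or higher here
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        if len(data) - 2 < length:
            raise ValueError("truncated SSLv2 CLIENT-HELLO")
        version = struct.unpack("!H", data[3:5])[0]
        fmt = "sslv2"
    else:
        raise ValueError("not a recognised ClientHello")
    return {"format": fmt, "max_version": VERSION_NAMES.get(version, hex(version)),
            "sslv2_only": version == 0x0002}


def summarise(hellos):
    """Count v2-format hellos against clients that genuinely advertise only SSLv2."""
    results = [classify_client_hello(h) for h in hellos]
    return (sum(r["format"] == "sslv2" for r in results), sum(r["sslv2_only"] for r in results))


def build_sslv2_hello(client_version: int, cipher_specs: bytes = b"\x01\x00\x80") -> bytes:
    """Constructed SSLv2 CLIENT-HELLO (not a real capture): 16-byte challenge, no session id."""
    challenge = bytes(16)
    body = b"\x01" + struct.pack("!HHHH", client_version, len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_hello(client_version: int) -> bytes:
    """Constructed minimal SSLv3/TLS ClientHello record (one cipher suite, null compression)."""
    hello = struct.pack("!H", client_version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", client_version, len(handshake)) + handshake


# Constructed sample: three v2-format hellos, but only one from an SSLv2-only client
SAMPLE_HELLOS = [build_sslv2_hello(0x0002), build_sslv2_hello(0x0301),
                 build_sslv2_hello(0x0300), build_tls_hello(0x0301)]
```

Running `summarise(SAMPLE_HELLOS)` on the constructed sample gives `(3, 1)`: counting v2-format hellos would report three "SSLv2 users" where only one client actually lacks SSLv3 or better.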

The map above with a steep drop the year after support officially ended seems to support that theory.

Lesson learned? Depends on how you look at it. While Microsoft says it is celebrating the decline of IE6, it is also exiting the antitrust agreement with the U.S. Government and going right back to bundling the browser into its OS.

The final remnants of that decree lapsed earlier this year, and now Microsoft is wasting little time in returning to its past strategy: A pre-release version of Windows 8 shows an OS that is deeply intertwined with Internet Explorer 10, with it impossible to uninstall the browser from the OS at this point in Microsoft’s development process.

Perhaps Microsoft is going to push hard to get the Chinese to migrate to Windows 8 so they will record IE 10 usage statistics well into 2022, by which time they can terminate support and campaign for help with a sudden and rapid decline…

7 Bad Habits of CISOs

Forbes has published an article called “The Seven Habits of Spectacularly Unsuccessful Executives”. These are great conversation starters and topics of investigation, especially when auditing/interviewing executives in charge of enterprise security and/or risk management.

  1. See themselves and their companies as dominating their environment
  2. Identify so completely with the company that there is no clear boundary between their personal interests and their corporation’s interests
  3. Think they have all the answers
  4. Eliminate anyone who isn’t completely behind them
  5. Consummate spokespersons, obsessed with the company image
  6. Underestimate obstacles
  7. Stubbornly rely on what worked for them in the past

Protecting VMs, in the user’s brain

Ross Anderson and Frank Stajano, in a paper called “It’s the Anthropology Stupid!”, suggest that the study of human culture is necessary to understand insecure behavior and protect virtualization from risk.

And what about mistakes? They matter much more than targeted attacks. […] Mistakes are often caused by getting the context wrong, so if we’re going to make them less likely, our designs should be better at synchronising the user’s mental model better with that of the machine. […] …secure virtualisation isn’t just about ensuring that the right VM in the laptop talks to the right VM in the cloud. It’s about ensuring that the right VM in the laptop (or the cloud) talks to the right VM in the user’s brain. It’s not primarily about the outside attacker, but the insider: and the critical question is which insider.

The point they’re making is that each group and subgroup is defined by its controls. Have you ever shown up to a party wearing the wrong costume?

Something you have, something you know, or something you are will matter when assessing whether you are in the right place at the right time. A gap (mistakes) can easily form between the implementation of segmentation in virtualization technology and its translation to a view or knowledge of the segmentation by a user.

I get asked all the time now “can you give us a reference architecture for segmentation”? This is like asking an anthropologist for a guide to what costume you should wear to the party. Does the outside observer really get to set the insider behavior? Automation without accounting for variables in behavior may only push these gaps wider.

The line of reasoning in this paper reminds me of a movie released in 1968 by Stanley Kubrick as echoed in my 2011 BSidesLV Presentation: A Cloud Odyssey.