Security

PCI Scope and Virtualization

Leave a comment

A strange statement popped out at me in an article called Top 10 PCI Compliance Mistakes.

“PCI DSS 2.0 mandates that even if one VM deals with cardholder data, your entire virtual infrastructure must comply with the standard. The challenge is — the wording in PCI DSS on virtualization is vague and it all depends on the interpretation of the auditors,”

First, your entire virtual infrastructure does not have to comply with the standard if just one VM deals with cardholder data. That must be a misquote. I think what was meant was that a VM with cardholder data brings into scope the infrastructure that supports it (e.g. connected to or hosted on, per the Virtualization Guidelines quoted below). An entire virtual infrastructure can obviously include areas that are unrelated and unconnected to the VM in question. Segmentation is possible.

Second, the PCI assessors (not the same as auditor, but the two terms seem to be interchanged now) always interpret regulations. I say PCI DSS is one of the most prescriptive and therefore least vague. Moreover, it does not all depend on interpretation of the assessors. That is like saying food safety all depends on the health inspector. The Security Standards Council (SSC) for example can clarify or otherwise overrule an assessor’s interpretation.

With that in mind, here are a couple relevant sections.

PCI DSS 2.0:

2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.

PCI DSS 2.0 Information Supplement: PCI DSS Virtualization Guidelines

If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope.

I wrote last year a white paper on PCI compliance mistakes specific to virtual environments that you may find useful: 5 Mistakes Auditing Virtual Environments (You Don’t Want to Make)

I also wrote an earlier post on PCI scope errors.

Security

Podcast for RSAC 2012: Message in a Bottle

Leave a comment

My RSA Conference 2012 Podcast has been posted

Session DAS-302: Message in a Bottle – Finding Hope in a Sea of Security Breach Data

Breach data is now available from a wide variety of sources and perspectives. This session will explore issues like why some industries receive more attention yet see fewer breaches and how to re-frame the insider/outsider threat model given the rise of mules and hybrid attacks.

Security

Stop SOPA

Leave a comment

    Please take a minute to tell your Members of Congress
    you OPPOSE PIPA (Senate 968) & SOPA (HR 3261)

  • Craigslist

    • Try to imagine jack-booted thugs throttling free speech, poisoning the Internet (greatest of American inventions, the very pillar of modern democracy), and devastating one of the our most successful industries. Totalitarian, anti-American, massively-job-killing nonsense.

  • Google

    • Millions of Americans oppose SOPA and PIPA because these bills would censor the Internet and slow economic growth in the U.S.

  • Wired

    • Beyond damaging free speech and the internet, bills like SOPA and PIPA damage industry by reinforcing an untenable faith in the status quo, and an equally untenable fear of innovation. It reveals a mindset that continues to hold back media companies as they vie to compete on the new platforms that have already transformed their businesses, ready or not.

    If that was the only harm in this legislation, we might write it off as another big media business blunder. But this time, it’s more than that. Hollywood’s right to make bad business decisions stops at the point where it threatens our freedom of speech.

  • Wikipedia

    • House Minority Leader Nancy Pelosi (D-CA) expressed opposition to the bill, as well as Representatives Darrell Issa (R-CA) and presidential candidate Ron Paul (R-TX), who joined nine Democrats to sign a letter to other House members warning that the bill would cause “an explosion of innovation-killing lawsuits and litigation.” “Issa said the legislation is beyond repair and must be rewritten from scratch,” reported The Hill.

  • Reddit

    • The vague and technology-ignorant language in this pending legislation opens a huge number of doors for different interpretations. When you take this broad language and use it to grant powers to both the Attorney General and plaintiffs like the MPAA and RIAA, you create a system that is begging to be abused. Given the history of abuse of laws like the DMCA, it has become obvious that institutions like the RIAA can and will stretch laws to the breaking point, often while suffering no repercussions.

  • TechDirt

    • SOPA & PIPA don’t attack the real problem, do nothing to build up the services that do solve the problem, and won’t work from a technological standpoint. And that’s just if we look at the what these bills are supposed to do. The real fear is the massive collateral damage these bills will have to jobs, the economy and innovation.

  • Whitehouse

    • Any effort to combat online piracy must guard against the risk of online censorship of lawful activity and must not inhibit innovation by our dynamic businesses large and small.

  • EFF

    • All censorship schemes impact speech beyond the category they were intended to restrict, but these bills are particularly egregious in that regard because they cause entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under these proposals. In fact, it seems that this has already begun to happen under the nascent DHS/ICE seizures program.

    Censorship of Internet infrastructure will inevitably cause network errors and security problems. This is true in China, Iran and other countries that censor the network today; it will be just as true of American censorship.

  • Text of H.R.3261 — Stop Online Piracy Act (SOPA)
Security

When Google Attacks

Leave a comment

The CEO of Mocality, an online database in Kenya, has written a detailed report on why he believes his company has caught Google engaging in predatory and fraudulent practices.

It starts with a simple sting operation.

We made some changes to the site:

For visitors from the 41.203.221.138 address, we changed the code to serve slightly different content 10% of the time.

Instead of the real business phone number, we served a number that fed through to our call centre team, where the incoming calls would also be recorded. Our team were briefed to act like the business owners for the calls.

We switched the new code on December 21st.

When we listened to the calls, we were beyond astonished.

Basically when their servers saw access to their database coming from Google in Mountain View they swapped in special phone number that went to the Mocality call center. A call then would come from someone trying to sell a Getting Kenyan Businesses Online (GKBO) website. GKBO was just launched by Google last September.

Mocality says they thought this would be a rogue employee case when they started the investigation but their fear has become far more serious.

I did not expect to find a human-powered, systematic, months-long, fraudulent (falsely claiming to be collaborating with us, and worse) attempt to undermine our business, being perpetrated from call centres on 2 continents.

Mocality sting graph

Google’s response, on Google+, has been vague

We were mortified to learn that a team of people working on a Google project improperly used Mocality’s data and misrepresented our relationship with Mocality to encourage customers to create new websites. We’ve already unreservedly apologised to Mocality. We’re still investigating exactly how this happened, and as soon as we have all the facts, we’ll be taking the appropriate action with the people involved.

Mocality’s CEO has updated his complaint to acknowledge the apology. But he is still asking questions. This might be the toughest one for the giant company to investigate

Apparently, the calls were made by a 3rd party vendor. I can see how this was the case for the activity we saw in Kenya, but the Indian activity seemed to come from Google’s own network. I know (from friends who are Googlers) how preciously that network is guarded. How was a 3rd party given access to it?

It begs the old question of Google complaints against attacks said to originate in China. Although the breaches were blamed on software flaws and human failure, it also was hinted in private that Aurora attacks first were related to weak VPN access controls in remote offices passing through a flat network. Mocality may have pulled a thread that will unravel more serious issues with the Google perimeter…