Audio: http://isdpodcast.com/podcasts/InfoSec Daily Podcast Episode 247.mp3
ISDPodcast Episode 247 for November 1, 2010. Tonight’s podcast is hosted by Rick Hayes and Keith Pachulski. Tonight’s topics are Silverlight, PCI DSS 2.0, WATOBO, .VN & Geocities Torrent
When: Saturday November 6, 2010
Where: Wilmington University, New Castle Campus
320 N. DuPont Highway, New Castle, DE 19720
Cost: Free – RSVP is REQUIRED for entry!
Schedule – CFP is open
Center for Applied Cybersecurity Research
Malicious USB Talk
November 18, 2010, Noon
Location: Law 335 at IU in Bloomington Indiana
Lunch is provided!
MyHardDriveDied.com Data Recovery Class:
Washington, DC – December 6th – 10th
Use the Discount Code: isdpodcast for a $300 discount.
SANS Cyber Defense Initiative 2010
Marriott Wardman Park
Dec 10-17, 2010
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
Stories of Interest:
Despite its past efforts to shape Silverlight into the leading cross-platform runtime for the web and the desktop, Microsoft now says that its strategy and plans for Silverlight “has shifted.”
ZDNet’s Mary-Jo Foley spoke with Bob Muglia, the president of Microsoft’s server and tools business, about the lack of focus on Silverlight at the company’s Professional Developers Conference this week.
Muglia’s response was pretty telling. Although he reaffirmed Microsoft’s commitment to making Silverlight the development platform for Windows Phone, he noted that the cross-platform solution Microsoft sees going forward is HTML.
Speaking with Foley, Muglia said, “HTML is the only true cross platform solution for everything, including (Apple’s) iOS platform.”
This is a big admission from the company that has spent years trying to push Silverlight as a cross-platform technology forward. As a video technology — indeed even as an application technology — Silverlight and WPF are actually pretty nice. I attended a two-day XAML workshop held at Microsoft’s Atlanta offices in 2009 and was very impressed with the capabilities and the toolsets that were possible within Silverlight.
However, despite the prevalence of the .NET platform on Windows and in the enterprise, Silverlight has had a problem gaining traction across the web. With the exception of the Olympics and a few other live broadcasts, you almost never see Silverlight used on the web.
Likewise, the number of desktop applications built using Silverlight is nascent in comparison to the growing number of Adobe Air applications. Aside from Seesmic Desktop, it’s hard to think of any cross-platform apps that are built using Silverlight.
All the while, Microsoft is increasingly embracing HTML5. The company’s recent launch of Internet Explorer 9 beta was promoted using a number of different HTML5-specific web pages and promotions. Silverlight may not have been mentioned much during PDC, but HTML5 certainly was.
It’s clear that Microsoft — like Adobe, Apple and Google — sees that HTML5 is the technology that will work across the broadest stretch of devices — and more importantly, will work on future devices.
The PCI Security Standards Council (PCI SSC), the industry standards body that oversees the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), this week released version 2.0 of the PCI DSS and PA-DSS.
This latest version is designed to provide greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants. Version 2.0 becomes effective on January 1, 2011, but validation against the previous version of the standard (1.2.1) will be allowed until December 31, 2011, giving organizations more time to understand and implement the updated standards and provide feedback throughout the process. After January 1, 2012, all assessments must be under version 2.0 of the standards.
Version 2.0 doesn’t introduce any new major requirements. The majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants. Key revisions serve to reinforce the need for a thorough scoping exercise prior to assessment in order to understand where cardholder data resides; promote more effective log management in securing cardholder data; allow organizations to adopt a risk-based approach when assessing and prioritizing vulnerabilities that is based on their specific business circumstances; and accommodate the unique environments of small merchants to simplify their compliance efforts.
“The nature of the changes is a testament to the strength and growing global maturity of the standards as a framework for securing cardholder data,” said Bob Russo, general manager of the Council. “I want to thank each and every individual and organization who contributed to the development of these standards. It’s their input that’s critical in making the PCI Security Standards an excellent baseline for protecting payment card data.”
In addition to the standards documents, the Council has also launched a new website with updated materials and navigational tools aimed at providing its diverse stakeholders with the targeted information they need to understand the standards and how to apply them in their organizations. As part of a broader initiative to help small merchants develop their PCI security programs, it also includes a dedicated site for this key group with resources to address their unique environments.
The release of version 2.0 begins the new three year lifecycle for standards development, which streamlines the development process by aligning DSS, PA-DSS and PTS on a similar three year schedule. The lifecycle also allows for minor revisions or errata to be issued throughout the cycle as necessary.
The standards, detailed summary of changes and supporting documentation can be found at https://www.pcisecuritystandards.org/security_standards/documents.php
WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. Its authors are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities. WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only.
WATOBO works like a local proxy, similar to WebScarab, Paros or Burp Suite.
Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions: they collect useful information, e.g. email or IP addresses, from traffic that passes through the proxy during normal browsing. No additional requests are sent to the web application.
Active checks, by contrast, produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.
- Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
- Can perform vulnerability checks out of the box.
- Supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
- Smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
- Written in (FX)Ruby and enables you to define your own checks
- Free software ( licensed under the GNU General Public License Version 2)
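To make the passive/active distinction and the “logout signature” idea concrete, here is an added example in plain Ruby. It is not WATOBO’s own code and does not use WATOBO’s check API (which is not shown on this page); the sample HTTP responses, the regexes and the function names are all constructed for illustration. A passive check of this kind only reads responses that already went through the proxy and never sends a request of its own; the logout-signature check is what would tell a proxy that the session has died and the login script must run again.

```ruby
# Added example, not WATOBO's code: a passive check over already-captured
# responses (no network I/O) plus a logout-signature detector.
require 'set'

# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSE = <<~RESP
  HTTP/1.1 200 OK
  Content-Type: text/html
  X-Backend-Server: app01.internal.example

  <html><body>
  <p>Contact: webmaster@example.com or admin@example.com</p>
  <!-- TODO: move off 10.0.12.34 before go-live -->
  <a href="/logout">Log out</a>
  </body></html>
RESP

LOGGED_OUT_RESPONSE = <<~RESP
  HTTP/1.1 302 Found
  Location: /login?reason=expired

  You have been logged out.
RESP

# Patterns for the information a passive check typically harvests.
EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/
IPV4_RE  = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/

# Passive check: inspect one captured response and return findings.
# It never issues a request, which is what makes it "passive".
def passive_check(response)
  headers, _sep, body = response.partition(/\r?\n\r?\n/)
  {
    emails: Set.new(body.scan(EMAIL_RE)),
    ipv4: Set.new(response.scan(IPV4_RE)),
    # Header names that leak internal infrastructure (hypothetical header).
    server_headers: headers.lines.grep(/^X-Backend-Server:/i).map(&:strip),
  }
end

# Logout signatures: if any matches, the session is gone and a login
# script would have to be replayed before continuing the audit.
LOGOUT_SIGNATURES = [
  /^Location: \/login\b/i,
  /You have been logged out/i,
].freeze

def logged_out?(response)
  LOGOUT_SIGNATURES.any? { |sig| response.match?(sig) }
end

if __FILE__ == $PROGRAM_NAME
  p passive_check(SAMPLE_RESPONSE)
  p logged_out?(SAMPLE_RESPONSE)      # false: a logout *link* is not a logout
  p logged_out?(LOGGED_OUT_RESPONSE)  # true
end
```

The point of the second half is that the logout signature must match the application’s actual “you are logged out” response, not merely the presence of a logout link on a page; otherwise the proxy would re-run the login script on every request.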
There is an ‘unofficial’ manual here:
And some video tutorials to get you started here.
You can download WATOBO 0.9.5 here: watobo_0.9.5rev226.zip
The world’s most heavily trafficked Web domain — .com — is also now the riskiest, according to McAfee’s fourth annual “Mapping the Mal Web report,” released yesterday.
In an analysis of more than 27 million websites designed to identify the most dangerous, McAfee found that 56 percent of the riskiest sites came from the top-level domain of .com. The riskiest country domain is Vietnam (.VN).
The report also found that 6.2 percent of the 27 million websites analyzed pose a security risk — up from 5.8 percent last year.
“This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught,” said Paula Greve, director of research for McAfee Labs. “Last year, Vietnam’s .VN was a relatively safe domain, and this year it jumped to the third most dangerous. Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught. A domain that’s safe one year can be dangerous the next.”
In early 2009, Yahoo announced that it was going to put Geocities out of its misery and finally shut down the site entirely, even as it was still getting 11 million unique visitors per month. Soon after the announcement, we had heard about some projects to try to archive the entire site (with some claims that it couldn’t be done in time). The actual shut down occurred almost exactly a year ago, and yet a group calling itself The Archive Team is apparently releasing its entire Geocities archive, blinking flashing “under construction signs” and all, as a nearly 1 TB torrent. They don’t think they got everything, but do believe they archived “a significant percentage” of the site.
It’s worth reading the blog post by the folks who did this explaining why they did it, noting how little people realized that this was basically erasing digital history and culture:
What we were facing, you see, was the wholesale destruction of the still-rare combination of words digital heritage, the erasing and silencing of hundreds of thousands of voices, voices representing the dawn of what one might call “regular people” joining the World Wide Web. A unique moment in human history, preserved for many years and spontaneously combusting due to a few marks in a ledger, the decision of who-knows for who-knows-what.