Wednesday, March 17, 2010

PCI-SSC slaps ASVs wrists over marketing claims about 11.2 & 6.6

The PCI Security Standards Council's (PCI-SSC) recently published March Assessor Newsletter, which contains rather "interesting" language for certain Approved Scanning Vendors (ASV). It is unclear what the penalty will be for firms who continue their misleading practices. For those curious, WhiteHat Security was once an ASV, but has not been for over a year -- largely because we already understood the following requirements. We actually do focus on 6.6 to the spirit in which its supposed to be applied, while the others pay lip service and take customers for a ride.

ASV: I'm a lawyer so let me be your heart surgeon

Several ASVs have received notices recently surrounding the marketing of services they sell related to being qualified by the Council. While the PCI SSC does qualify each and every ASV to conduct external vulnerability scans to meet the external scan validation requirement for PCI DSS 11.2, it does not give any ASV license to sell their services for other security practices as an agent of the PCI Council.

Here are two examples that are unacceptable and violate the ASVs contract:

1. "As an ASV, our company has been certified by the PCI Council for you to achieve both Requirement 11.2 for vulnerability scanning and Requirement 6.6

There are two issues with the above statement. First, and this is a common mistake, ASVs do not help merchants fully achieve DSS Requirement 11.2. The requirement requires both internal vulnerability scanning and external vulnerability scanning. The Council only qualifies ASVs to perform the second half of that statement. Although an ASV can separately offer internal vulnerability scanning services, internal vulnerability scanning is a) not required to be done by an ASV and b) is not part of the ASV qualification process by the Council. We clarified this with a note in the 1.2 release of the PCI DSS and possibly further clarity to come October 2010. The second and more egregious is related to using a conjunction (YouTube "School House Rock" if you need a refresher on the function of a conjunction) to include another service completely unrelated to anything that has been validated by the PCI Council. In this case, there is no program to validate those who review adherence with Requirement 6.6 and the ASV lab testing is not an exhaustive process to endorse any solution as an exhaustive annual evaluation of the web application security.
for application scanning."

Friday, March 12, 2010

Best of Application Security (Friday, Mar. 12)

Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.

Password Managers, is this the best option user’s have?

Before reading the following, ask yourself if you’d recommend to the average user that they store their passwords in a local password manager.

Today there are four primary ways users lose control over their web-based passwords. Phishing Scams (email or SEO), Malware (installing malware or drive-by-downloads), website break-ins (SQLi, RFI, misconfiguration, etc.), and website brute-force attacks. For a user to protect themselves I’ve outlined the client-side technologies they can deploy (reason MFA is left out) and possible changes in their online behavior.

Phishing Scams (user hands over their passwords)
Client-side technology solution(s): Web browser security add-ons and anti-email-spam tools.
Behavior: Tell the difference between real/fake and safe/dangerous websites & emails using available visual indicators.
Outcome: The technology is not consistently effective and users are unable to reliably make accurate real/fake or safe/dangerous decisions.

Malware (passwords stolen off the PC)
Client-side technology solution(s): Update Web browser, Web browser security add-ons, desktop anti-malware, and scheduled patch management.
Behavior: Don’t install “bad” software off the internet. Don’t use a local password managers.
Outcome: The technology is not consistently effective. Users WANT to install software and by extension WILL install “bad” stuff. Users are unable to remember multiple hard-to-guess passwords so they’ll either write them down, have the same password across multiple websites, or use a password manager anyway.

Website Break-ins
Client-side technology solution(s): nothing
Behavior: Use different hard-to-guess passwords across websites.
Outcome: Users are unable to remember multiple hard-to-guess words so they’ll either write them down, use a password manager, or have the same password across multiple websites anyway.

Website Brute-Force Attacks
Client-side technology solution(s): nothing
Behavior: Use different hard-to-guess passwords across websites.
Outcome: Users are unable to remember multiple hard-to-guess words so they’ll either write them down, use a password manager, or use the same password across multiple websites anyway.

Now, consider the options users have for personal password handling:
  1. Mentally remember different passwords
  2. Write password down
  3. Use a password manager
  4. Use the same password across multiple websites.
Which should the experts recommend to the average user?

By enlarge users are unable to remember multiple hard-to-guess words so let's cross #1 off the list. From a security perspective the prevalence of malware has made written passwords easier for a user to keep safe than storing them on a PC. But, from a user perspective, this approach is terribly inconvenient and makes password managers or using the same password across websites more attractive.

If we consider the threat landscape, massive numbers of websites compromises who don’t encrypt their password, a password manager is preferable to having the same password across many websites. If a users account is compromised via website hack, ideally it should not impact the security of the rest of their online accounts.

On the other hand a PC getting infected with malware is a very common problem and could lead to every record in the password manage being lost. However when this happens the user has worse problems than a compromised password manager, i.e. Man-in-the-Browser attacks makes a password-only theft highly unlikely.

When you boil everything down, if a user can mentally remember multiple hard-to-guess passwords across various websites, this is their best option. If they can’t and don’t mind the inconvenience, write the passwords down and keep in a safe place. If they do mind (the inconvenience) and feel their PC is reasonably safe, password managers are the next most secure option. Perhaps the browser vendors should provide a native hard-to-guess password generator in the browser to auto-populate login/registration fields. Better still if they store them in the password manager by default (opt-out rather than opt-in). Then again, unless truly fixed this would encourage using XSS to steal from password managers.

What we do know is left to their own devices, users will continue to the use the same (weak) passwords across multiple websites -- and we know where that leads.