exboyfriendjewelry.com SQL error

A news story prompted me to look at the strange site “exboyfriendjewelry.com” where you can click on categories such as “gifts that should have been jewelry”. I guess the point is that purchasing something from a spurned or angry person might mean you get a bigger discount?

Anyway, when I clicked on a link, this is all I saw:

DB function failed with error number 145
Table './joomlaboyfriend/jos_session' is marked as crashed and should be repaired SQL=SELECT session_id FROM jos_session WHERE session_id = 'b781cf5fddf30a084148d85edbc68d79'
SQL =

SELECT session_id
FROM jos_session
WHERE session_id = 'b781cf5fddf30a084148d85edbc68d79'

Oops. And then the site went down completely. It is always annoying to see detailed errors posted directly to the interface. Bad security practice. Maybe I need a doghouse category?
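The fix for that kind of leak is cheap, so here is an added example (my code, not anything from the site or from Joomla) of the pattern: catch the database failure, write the full error, SQL and parameters to a server-side log under a reference id, and hand the visitor only the reference id. It uses sqlite3 so it runs offline; the missing table stands in for the crashed MyISAM table, and the session id is simply the one from the error above.

```python
"""Added example (not from the original post): keep database error details
out of the user-facing response and put them in a server-side log instead.

Uses sqlite3 rather than Joomla's MySQL layer so it runs offline; the table
name and session id are constructed to mirror the error shown on the page.
"""
import logging
import sqlite3
import uuid
from io import StringIO

# In-memory log sink so the example can show what the server records.
_log_buffer = StringIO()
logger = logging.getLogger("db_errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(_log_buffer))
logger.propagate = False

GENERIC_MESSAGE = "Sorry, something went wrong. Reference: {ref}"
SESSION_ID = "b781cf5fddf30a084148d85edbc68d79"


def lookup_session(conn, session_id):
    """Run the session lookup and return (status, user_facing_text).

    On a database failure the exception text, the SQL that failed and its
    parameters are logged with a reference id; only the reference id goes
    to the user, never the table name or the query.
    """
    sql = "SELECT session_id FROM jos_session WHERE session_id = ?"
    try:
        row = conn.execute(sql, (session_id,)).fetchone()
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        # Server-side record: everything an operator needs to repair the table.
        logger.error("ref=%s db_error=%r sql=%s params=%r",
                     ref, exc, sql, (session_id,))
        return "error", GENERIC_MESSAGE.format(ref=ref)
    return ("found", row[0]) if row else ("missing", None)


def leaks_internals(text):
    """True if a response exposes schema or query fragments to the client."""
    markers = ("jos_session", "SELECT", "marked as crashed", "DB function failed")
    return any(m in text for m in markers)


def server_log():
    """What the operator sees: the detailed record the user never gets."""
    return _log_buffer.getvalue()


def demo(create_table=False):
    """Constructed scenario: with create_table=False the jos_session table
    does not exist, so the lookup fails much like the crashed table above."""
    conn = sqlite3.connect(":memory:")
    if create_table:
        conn.execute("CREATE TABLE jos_session (session_id TEXT PRIMARY KEY)")
        conn.execute("INSERT INTO jos_session VALUES (?)", (SESSION_ID,))
    return lookup_session(conn, SESSION_ID)


if __name__ == "__main__":
    print(demo())          # ('error', 'Sorry, something went wrong. Reference: ...')
    print(server_log())    # ref=... db_error=OperationalError('no such table: jos_session') ...
```

The same split applies to the PHP layer the site runs on: display_errors off in production, log_errors on, and the framework's debug mode left disabled, so the visitor sees the generic page and the table-repair message lands where the administrator reads it.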

Maybe an ex-boyfriend wasn’t so happy to see his stuff up for sale…

Japanese computer (almost) survives pornography

The BBC tells a story today of a computer that survived a huge number of porn sites before being infected:

A council investigation found that he viewed more than 750,000 pornographic websites in nine months.

His habit reached its peak last July when he surfed for porn more than 177,000 times during office hours.

That works out at almost 10,000 pages a day, or more than 20 each minute he was at his desk.

A council official, trying to explain why no-one had noticed, said that each employee’s desk was set apart from the others.

The man was discovered only when his computer became infected with a virus, prompting officials to look at his web-browser history.

Unauthorized use aside, that seems like a pretty good run. I would have expected the system to be infected with a virus within the first hundred pages, let alone tens of thousands.

On the other hand, maybe it was infected but it took the company that many months to detect it. That would be more likely, but let’s assume his computer was actually “hardened”. Ha, couldn’t resist.

Another part of the story worth noting is the “why didn’t someone see his screen”:

A council official, trying to explain why no-one had noticed, said that each employee’s desk was set apart from the others.

It might seem implausible in many parts of the world, but when I was in Japan pornography did not seem like highly restricted material. So maybe people noticed but did not think it alarming? This reminds me of the old debate in some American states where any kind of violence and many kinds of hate imagery were considered tame but a picture of a naked woman would set off alarm bells. Detection is only as good as your filters.

Edited to add (May 6, 2008): I just attended an exhibit of paintings from 1690-1850 at the Asian Art Museum called “Drama and Desire” that explained erotic and sexual art was a significant although regulated form of expression.

Compliance Humor

Or, at least an attempt…

A lawyer runs a stop sign and gets pulled over by a sheriff’s deputy. The lawyer thinks that he is smarter than the deputy because he is from New York and certain that he has a better education than any cop from Houston. He decides to prove this to himself and have some fun at the deputy’s expense.

Deputy “License and registration, please.”
Lawyer “What for?”
Deputy “You didn’t come to a complete stop at the stop sign.”
Lawyer “I slowed down, and no one was coming.”
Deputy “You still didn’t come to a complete stop. License and registration, please.”
Lawyer “What’s the difference?”
Deputy “The difference is, you have to come to complete stop, that’s the law. License and registration, please!”
Lawyer “If you can show me the difference between slow down and stop, I’ll give you my license and registration; and you give me the ticket. If not, you let me go and don’t give me the ticket.”
Deputy “Sounds fair. Exit your vehicle, sir.”
The deputy takes out his nightstick and starts beating the ever-loving crap out of the lawyer and asks, “Stop or just slow down?”

Not sure who the joke makes more fun of, annoying lawyers or brutal police.

Time to encrypt internal traffic?

The article in the WSJ seems to accuse the PCI of lacking sufficient security.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable — a company’s private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible — such as in coffee shops — be encrypted, but it doesn’t require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies’ private networks to steal credit-card information being transmitted to processors for approval.

Previously thought impenetrable? By whom? Everyone I know who is familiar with PCI, or even general security audits for that matter, has been talking about the perimeter fallacy for more than a decade.

More to the point, why does the PCI specify public networks only? It is hard to guess motive without speaking to the authors, but the reality is that you have to start somewhere. The authors made many omissions and mistakes, but the standard is a starting point and it has unquestionably had a positive impact in many areas of security.

Don’t try to boil the ocean.

In addition to the slow pace of security progress in the world of credit card commerce, compliance success should not be an end but rather a starting point. Every time I drive my car I wonder who on earth gave the other drivers their license. Similarly, each time we shop at a store we place ourselves (e.g. our financial identity) in the hands of a management team that we usually cannot see or judge ourselves. A company might have achieved various compliance awards (e.g. technical ability, process maturity, cleanliness, credit-card security) but we should not forget that “compliant” and “well-managed” are not intrinsically the same.

The good news is that the bar is rising.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

This means the “above and beyond” internal traffic encryption might be a worry, but if 33% of the largest merchants still are not PCI compliant then there are still a whole lot of companies not even reaching baseline measures in multiple areas.

Did you notice that the detail in the Hannaford and Okemo cases suggests the internal computers were compromised via malicious software?

At Hannaford and Okemo, hackers managed to install malicious software into the companies’ private networks to steal credit-card information being transmitted to processors for approval.

So here are alternative solutions, perhaps more practical for most retailers: segment sensitive data from systems that have public/Internet access, monitor for malicious/unauthorized software being installed, and block command-and-control communication to non-authorized systems (e.g. proxy the traffic and inspect packets).

Don’t get me wrong, I have long advocated for internal encryption of sensitive data when it is in transit. In fact, I led the design and deployment of exactly such a system for a retailer several years ago. That work led me to the OASIS EKMI project where I work with others on a global standard so the encryption of internal traffic will be made even easier/cheaper.

However, I also understand that there are areas where this is impractical today (e.g. no standards) or where another control is better suited to solve the same problem.

After reading the WSJ version of events, I find it sad that host-based monitoring was not mentioned at all.

Eventually people may realize that there is no silver bullet to achieving compliance in information security.

Is there a silver bullet for keeping a kitchen clean or being a good driver?

False hope is everywhere, even in the “big name” analysts:

“This kind of attack would not have been possible if the credit-card data had been encrypted,” says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Sorry Gartner, that’s not a fair assessment. Why? Because even with encryption, the keys have to be managed properly. And without baselines for good management infrastructure or standards, the probability of a company going “above and beyond” to protect their keys is very low. So this kind of attack would have only had one or two additional steps to execute the same vector successfully.

The real problem, IMHO, is that a system was compromised within the company and no one noticed in time to stop it from reaching sensitive data. Event monitoring and correlation, as well as the host and network-based controls mentioned above, need to be in the picture.
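To make the three controls listed above and this last point about correlation concrete, here is an added example (my own code, not from the article or from either retailer) that runs over constructed host and egress log lines. It assumes a card-data segment on 10.20.0.0/24, an allowlist of processor endpoints that hosts in that segment may reach, and a 30-minute window; every hostname, address, path and timestamp is made up. The network check flags card-segment hosts talking to anything outside the allowlist, the host check flags service installs in that segment, and the correlation raises a high-severity alert when both happen on the same host in sequence.

```python
"""Added example, not from the original post: a small correlation pass over
constructed host and egress logs implementing segmentation, unauthorized
software detection and restricted command-and-control egress, then raising
one alert when a card-segment host installs something and shortly afterwards
talks to an unapproved destination. All names, addresses and lines are made up.
"""
from datetime import datetime, timedelta
import ipaddress

# Policy (assumed): the segment holding POS/card-data hosts and the only
# destinations those hosts may reach (the payment processor endpoints).
CARD_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
AUTHORIZED_EGRESS = {"processor.example.net:443", "backup-processor.example.net:443"}
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample logs. Format: "<iso-time> <key>=<value> ...".
HOST_LOG = """\
2008-04-01T09:12:00 host=pos-07 src=10.20.0.17 event=service_installed name=updsvc path=C:\\Temp\\updsvc.exe
2008-04-01T09:30:00 host=office-pc-3 src=10.50.1.8 event=service_installed name=printspool path=C:\\Windows\\System32\\spoolsv.exe
"""
EGRESS_LOG = """\
2008-04-01T09:13:30 src=10.20.0.17 dst=processor.example.net:443 action=allow
2008-04-01T09:15:02 src=10.20.0.17 dst=203.0.113.45:8443 action=allow
2008-04-01T09:40:00 src=10.50.1.8 dst=www.example.org:80 action=allow
2008-04-01T11:05:00 src=10.20.0.22 dst=198.51.100.9:443 action=allow
"""


def parse(line):
    """Turn one 'time k=v k=v' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def in_card_segment(ip):
    """Segmentation: is this source inside the card-data network?"""
    return ipaddress.ip_address(ip) in CARD_SEGMENT


def unauthorized_egress(egress_log):
    """Network control: card-segment hosts may only reach authorized endpoints.
    Anything else is a candidate command-and-control or exfiltration channel."""
    return [rec for rec in map(parse, egress_log.splitlines())
            if in_card_segment(rec["src"]) and rec["dst"] not in AUTHORIZED_EGRESS]


def install_events(host_log):
    """Host control: software/service installs on card-segment hosts."""
    return [rec for rec in map(parse, host_log.splitlines())
            if rec.get("event") == "service_installed" and in_card_segment(rec["src"])]


def correlate(host_log, egress_log):
    """One high-severity alert per (install, egress) pair on the same host
    where the egress follows the install within CORRELATION_WINDOW."""
    alerts = []
    installs = install_events(host_log)
    for eg in unauthorized_egress(egress_log):
        for inst in installs:
            if (inst["src"] == eg["src"]
                    and inst["ts"] <= eg["ts"] <= inst["ts"] + CORRELATION_WINDOW):
                alerts.append({"host": inst["host"], "src": eg["src"],
                               "installed": inst["path"], "dst": eg["dst"],
                               "severity": "high"})
    return alerts


if __name__ == "__main__":
    for hit in unauthorized_egress(EGRESS_LOG):
        print("policy hit:", hit["src"], "->", hit["dst"])
    for alert in correlate(HOST_LOG, EGRESS_LOG):
        print("ALERT:", alert)
```

The uncorrelated hit from 10.20.0.22 is still worth a block at the proxy, but the pos-07 sequence (new service, then an unlisted destination two minutes later) is the one that should page someone, which is the point about noticing a compromised system before it reaches the card data.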