We’re just a few weeks away from sending the latest edition of the Unix and Linux System Administration Handbook to press, and as of today you can get a preview online at the Safari site.

This 20th anniversary edition brings the best of Unix System Administration Handbook and Linux System Administration Handbook together, and adds coverage of  IBM AIX to updated coverage of Oracle America Solaris (formerly Sun Solaris), HP HP-UX, Ubuntu Linux, SUSE Linux, and RedHat Linux.  In addition, it includes significant all-new coverage of system administration scripting languages such as Python and Perl, as well as virtualization, green IT, and modern standards and compliance management challenges. This is the ultimate system administration bible.

We’re very proud to have 4 Applied Trust staff members on the author team for this book (me, ned, ben, terry).  Look for the printed version in your favorite bookstore this June (or, pre-order at Amazon now), but enjoy the Safari online preview in the meantime!

Boulder is one of many communities vying to be the lucky recipient of this experimental network. As a city known for its smart people, progressive policies, and high tech companies, we are a great fit for a project like this. To capitalize on this, the City has stepped up efforts to get as many people as possible to vote, both by setting up a fan page on Facebook and by declaring this weekend “Boulder Fiber Weekend.”  Although nominations are being accepted until March 26, the City is hoping to have everyone vote before midnight on March 21.

This is an awesome opportunity for us to bring in more jobs, boost our local economy, and enhance communications across all sectors of our community. And, of course, having lightning-fast Internet speeds would be pretty sweet, too. So, what are you waiting for? Vote now!!



Ignite Boulder is one of those events that seems to fit right into the unique culture of this town. What is Ignite Boulder, you might ask? Well, let me sum it up in one word: entertaining. Ignite events are held all over the country, and the format is pretty simple. Presenters are chosen by the organizers and the attendees weeks before the event via online voting, and anyone can sign up to present. Each Ignite has a theme, such as Heart and Soul, and the presentations are supposed to have some connection to that theme. This is where it gets interesting. Each presentation is only allowed to be 5 minutes and 20 slides long, and slides auto-advance every 15 seconds. This leads so some very quick, but generally enlightening, and almost always funny presentations.

What I enjoy most about going to the Ignite events is the creativity of each of the presentations. Recent topics have ranged from Food Photography to Brazilian Portuguese to Decision Making. Every presentation has made me laugh, and almost all have a deeper underlying message.

The most recent Ignite I attended was Ignite 8 (or IgnEight as it quickly became known as). The Ignite Boulder events are held at the Boulder Theater, which is a great venue that holds about 850 people.  On this particular night, every seat was filled. The Ignite Boulder events attract a wide variety of folks, both as presenters as well as in the audience. As has become a sort of tradition with the Boulder Ignite events, Ignite 8 was kicked off by Ef Rodriguez. Ef has been the “ice-breaker” at every Ignite I’ve been to, and his presentations are always entertaining. For this Ignite, Ef broke the ice with a musical presentation on stepping up your game in the dating scene. Nothing says Ignite like being coaxed to “lay down the velvet” on your next date. I also managed to learn few words in Brazilian Portuguese (Fala Serio!), was seriously inspired by a 17 year old’s presentation on the time she spends in Mexico with orphans, including smuggling eyeglasses over the border! Like I said, these presentations run the gamut from silly and funny to inspiring.

As usual, I thoroughly enjoyed the presentations, and was impressed by the unique nature of the halftime band that played Zimbabwean music on an array of xylophones. I’ve heard that Boulder’s Ignite events are unique, even among all the other nationwide Ignites, and I’m not surprised. Boulder is full of exciting, unique events like this, and I look forward to exploring more.

The simplest way to understand this vulnerability is with an example. Assume there is a stock trading website, S-trade, that anyone who signs up for an account can access. This site has functionality available for every account – including things like logging in, logging out, transferring money, purchasing stock, etc. Our hero in the scenario is Bob. Bob trusts S-trade to make his trades and keeps a portion of his portfolio there. Malice is our villain. Malice is not interested in trading stocks or other portfolio tasks, only wreaking havoc. Bob and Malice both have accounts on S-trade with basic functionality. S-trade uses all of the standard security measures meant to authenticate and protect users. There is session management in place, data sent to and from the site is encrypted, and strong password policies are enforced. These do not bother Malice one bit. All Malice must do is get Bob to click on a specially crafted link while Bob is logged in to F-trade (i.e. Bob’s cookies and session IDs have not expired). The specially crafted link can take advantage of any functionality that already exists in the application, but to keep things simple we’ll use the logout functionality as an example. When logged in, both Bob and Malice’s sessions use the same logout code. If you right-click on the link to logout, you might get something like this for URL location:

https://www.s-trade.com/session.php?action=logout

This section of code will undoubtedly check to see if the user is logged in or if the session has timed out. Once it determines if the session is valid, it will do whatever the rest of the code accomplishes. If Malice could get Bob to click the link above, it would log Bob out of his session, just like if Bob had clicked “Logout” himself. There are many ways for Malice to mask this link to Bob.

Malice can embed it in her own HTML page on her domain with an iframe that runs when the HTML is loaded:

<iframe src=” https://www.s-trade.com/session.php?action=logout “>

As long as Bob is logged in, this code will run.

Malice could also use traditional email phishing techniques to hook Bob on the line.

Now, logging Bob out might only be a minor inconvenience, but you can see the power behind this vulnerability. If there were similar functionality that made a stock purchase or withdrew money, Bob’s account could really be put in jeopardy. If the site has other OWASP vulnerabilities in place in addition to this, Bob is really screwed. CSRF hooks right in to a lot of the most common and dangerous attacks.

The problem here is that no other checks are done to prove that the user requesting this action is Bob. All it checks for is if Bob recently logged in on this machine. Web sites need to start going to further lengths to prove requests are generated by the authenticated user. There are five major steps needed to prevent CSRF attacks:

1. Require authentication in GET and POST parameters, not just cookies.
2. Check the HTTP “Referer” header and make sure it comes from S-trade (the Referer header can always be forged, but this small step will do some amount of good).
3. Further limit the lifetime of authentication cookies.
4. Require queries which cause transactions to include a one-time token.
5. Eliminate all XSS vulnerabilities.

With large, existing applications, CSRF can be hard to mitigate completely, but organizations that are planning to build new web applications should wire protection against this right into the code from the get go. This sort of attack is only going to get more and more common and proactive prevention is crucial.

Some of the most common problems we see from organizations who go through social engineering assessments are the following:

1) Physical access to sensitive information in an office. Many people leave sensitive information lying around. They write their password on a sticky note and stick it to their monitor, or they print out sensitive information and leave it lying on their desk. Most companies do not adhere to strict visitor restrictions and our engineers can easily walk through the office space peeking into cubes and offices, looking for tidbits of information that might be useful to someone with ill intentions.

2) Physical access to servers. Another common problem is the unlocked machine room. Intruders who make it past the front desk can locate the organization’s machine room and wreak all kinds of havoc from the console of the organization’s accounting server.

3) Passwords divulged or reset over the phone. Generally speaking, people are helpful when you call them. This covers both help desk personnel and regular employees. We often test for the ability to get someone to either reset a password or divulge their own password over the phone, and find it shockingly easy to do both.

4) Phishing scams. The fourth attack that we frequently test for in social engineering exercises is the phishing scam. As with the prior example, we find it too easy to create a mock web site and then convince a user to click on a link that we’ve emailed them. This can be a very fast way to install a Trojan horse or some other type of malware on a system within an organization’s security perimeter for later use.

So what do we do about all these vulnerabilities? The first thing is to test for them. We need to understand the strengths and weaknesses of the particular organization. Some organizations actually protect their physical premises very well, but call the help desk and they will reset a password without verifying the caller’s identity. Some organizations are the exact opposite. Once the organization’s profile is understood, then it’s time to educate the staff and users. Users frequently don’t even think about information security in their day-to-day jobs. But educate them, and they will become a strong line of defense against intruders.

When real-world conditions present challenges to compliance with the PCI standard as written, we work with our clients to identify, document, and evaluate appropriate alternatives. These compensating controls are not a get out of jail free card – there are specific rules as to when and how they may be applied. Specifically:

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

Compensating controls must satisfy the following criteria:

• Meet the intent and rigor of the original PCI DSS requirement.
• Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
• Be “above and beyond” other PCI DSS requirements.

Once its determined that a compensating control is necessary, the QSA is required to document the constraint, objective, identified risk, definition of the compensating control, validation of the compensating control, and the maintenance of the compensating control.

When building a PCI compliant environment, closely following, meeting, and exceeding the requirements will make the assessment process simpler. The requirements are minimums and there is no penalty for doing more – but compensating controls are not a ticket to doing less.

Image credit to ViaMoi via Flickr (Creative Commons).

In a recent study conducted by The Gallup-Healthways Well-Being Index, Boulder received top honors as the overall happiest, healthiest, and most optimistic city in the United States. The study surveyed more than 350,000 Americans across the country and assessed their lives based on a variety of pre-defined categories. While Boulder did not sweep every category looked at by the researchers, it did get the highest rank in the “Work Experience” arena. At Applied Trust we have always known this was true, but it is nice to get some nationwide visibility for it.

We care about having a good work and life balance for everyone that works here. That’s why the ATE Employee Canon is so important to us. Having this realization and making conscious, proactive maneuvers to maintain it is a key component to fostering a positive “work experience” like the one discussed in the survey. The section measured job satisfaction, ability to use one’s strengths at work, trust and openness in the workplace, and whether one’s supervisor treats him or her more like a boss or partner. These metrics align very closely to how we view work and how we want to spend our time there.

• Job Satisfaction – Applied Trust is always thinking of new ways to improve satisfaction in the work place. It is important to note that job satisfaction does not only take into account actual work-related tasks, but also other, less tangible, aspects. One of the more recent improvements we have made to increase job satisfaction is the MyATE program. Previous posts have talked about some of these improvements, but essentially every employee (either on their own or as part of a team) comes up with something they think would improve happiness at work. At the end of the year, a winner would be decided based on a vote. In 2009, these projects ranged from One Boulder Fitness gym memberships, to getting rid of all drinks in our fridges that contained high fructose corn syrup, to self-approved vacation (the eventual winner). This program is coming back for 2010, so expect to see some posts detailing ideas and improvements!
• Strengths at Work – Applied Trust has always been extremely open about letting employees choose their career paths. There are ample opportunities to get into existing disciplines in our space, and even encouragement to blaze new ones. Using your strengths at work is the simplest way to feel like you have an impact, and feeling needed and appreciated makes up a large percentage of a positive overall work experience.
• Trust and Openness – This seems to be an almost effortless component of life here, and I think that mostly has to do with our hiring process. Because we are a small company, we are able to have a majority of our engineers meet potential employees in both interview and social settings. Because of the multitude of perspectives via which we get to look at a candidate, it is unlikely that we will hire someone who isn’t trustworthy, open, and enthusiastic about working here.
• Boss or Partner? – We are a company of peers. This is not to say there is no strategic management in place, of course there has to be to run a successful business. But what is great about Applied Trust is that we are all have the same goal and we all work on projects together. There are no Bill Lumberghs here. We all work on big-picture infrastructure planning and we all reset passwords. There is very little red tape and very few politics. I think I take that aspect for granted sometimes, but am reminded of how rare it is when I hear office stories from friends.

So, if you feel like moving to the best city in America (I’m not biased, scientific research proved it!) and have an interest in working for a great local company, apply for a job today!

The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment.  Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

Below is an attempt to assemble those requirements into a single schedule.  Where the standard didn’t specify a frequency, I used reasonable “best practices” values.  I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan!  There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

See anything that I missed?  Did I get something wrong?  Let me know in the comments and we’ll work toward an accurate sample schedule together!!

Sample PCI DSS assessment schedule

We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

• Comply with the HIPAA security and privacy rules
• Provide medical information breach notifications
• Work with the Department of Health and Human Services to perform compliance audits as requested
• Train employees on HIPAA and its requirements for business associates

BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

First, re-evaluate whether the business truly qualifies as an associate, for one. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.