Basefarm at 2013 European PCI Community Meeting – PCI DSS 3.0

The annual European PCI Community Meeting was held in Nice, France from October 29th to 31st. As a Participating Organization, Basefarm sent two representatives to the meeting. The big news here was of course the new 3.0 standard, available in draft version at the time. There is currently much focus on the entities that have a low level of PCI awareness, typically small merchants in brick-and-mortar shops. The catchphrase for PCI DSS 3.0 is “Business As Usual”, used so much that it got its own TLA: “BAU”. Expect to see the term BAU used whenever PCI DSS compliance is discussed. Compliance has to be built into the daily procedures, which the “Maintaining Compliance” Special Interest Group has also emphasized. In this blog post I will attempt to highlight the most significant changes from the perspective of Basefarm as a hosting provider and how they may affect our customers.

E-commerce requirements

To begin with, the big change discussed at the Community Meeting is how the new e-commerce requirements will actually be implemented. Basically, a lot of web shops managed to avoid the issue of PCI DSS compliance by simply redirecting their customers to the Payment Service Provider at the time of checkout. In 3.0, the definition of PCI DSS Scope (page 6 of the Draft) now defines web redirection servers as systems that may impact the security of the CDE. They are also included in requirement 10.6.1 as part of the system components you have to include in your daily log review. The document “Summary of Changes from PCI DSS Version 2.0 to 3.0 – Draft” does not explicitly mention these changes. Rumour has it that large e-commerce sites must expect to run ASV scans and be prepared to have the payment brands review these. We’ll see what happens; I expect the first reaction of the e-commerce software vendors will be to describe how they have somehow implemented their redirects in a way that leaves them out of scope.

The challenge for PCI DSS hosting providers

For a PCI DSS hosting provider, third parties have been a major focus during the last year. The “Third Party” Special Interest Group has looked at all kinds of third parties involved and created guidelines. Some of the issues discussed during the creation of the guidelines have instead been included in the PCI DSS 3.0 standard under 12.8.x. One item that will complicate matters for service providers is the new requirement 8.5.1, which says “8.5.1 Service providers with access to customer environments must use a unique authentication credential (such as a password/phrase) for each customer environment.” The guidance further emphasizes that you cannot use “similar” authentication credentials, such as simply prefixing your password with the customer name. Service providers will have to come up with a solution before the extended deadline of June 30th, 2015.

The service provider requirements are clarified with regard to two-factor authentication (8.3) and remote administration (8.1.5): vendors must authenticate with 2FA and their accounts must be disabled when not in use. The Third Party SIG has also emphasized that the entity required to comply with PCI DSS retains this responsibility, but all service providers must now be made aware that they are supporting a PCI DSS environment and ensure that they also comply with their relevant requirements (12.8.x). Hopefully, this will ensure that service providers are professional and knowledgeable in PCI DSS.

In general, the document contains a lot of clarifications and some entirely new items. Here are a few other quick highlights from 3.0:

  • The PCI Council apparently agrees with the rest of the world that passwords are dead. There are still specific requirements with regard to password policies and quality, but more importantly they now use the more general term “credentials” instead of actual passwords.
  • For the larger merchants, there is a new requirement (9.9) to keep an inventory of POS terminals and inspect them for skimming. This of course has to be documented so it can be presented during an audit. A necessary update to the standard, but still a time-consuming job. It is one of the requirements that are only best practice until they take effect on July 1st, 2015.
  • There is a new requirement, 2.4, stating that an inventory of system components must be maintained. If you have cared about other standards such as ITIL, COBIT, anything ISO or even the SANS Top 20, this is usually high on the list, but it has been absent from the PCI requirements. This means it should already be in place for most companies that care about PCI DSS, but it is good to finally see it included in the standard. The PCI justification for the requirement centers on scoping, as asset management has perhaps not been considered an important part of security before. However, you can’t patch what you don’t know you have. Orphaned assets are a known problem in many organisations, where they are only discovered once they are infected with malware and causing network issues.
  • There are some more details on what exactly constitutes a pentest according to the PCI Council, but the main requirement is that you must base the methodology on industry-accepted standards (NIST SP800-115 is mentioned as an example). It is sufficient to demonstrate organizational independence of the tester; there are no approval programs for pentesters (yet). Given the focus on pentesting I have seen in previous SIG proposals, I expect this to mature further in future versions of the standard.
  • In chapter 12, otherwise known as the paperwork requirements, the items that must be included in the security policy have been relocated from the single 12.1 requirement into each separate requirement. Risk assessments now have to be done not only annually, but also after “significant changes to the environment”. And 12.4.1 makes one specific type of separation of duties clearer: security must be handled by an independent role.

All in all, a very useful update to a standard that is maturing and being kept up to date. And of course, going to the community meetings creates opportunities to meet and chat informally with vendors, colleagues and competitors in a friendly manner, with the usual exchange of war stories about hackers and crazy audit findings.

VMworld 2013 in Barcelona

Basefarm participated as an exhibitor at VMworld 2013 in Barcelona for the second time. In addition to having a booth at the VMware service provider pavilion, we also had the pleasure of taking part in a panel debate about VMware products together with one of our customers. Our business developer in Sweden, Stefan Månsby, represented Basefarm in the panel together with the former CIO of the Norwegian State Educational Loan Fund. VMware increased its focus on service providers like Basefarm at VMworld this year, and even included the Basefarm logo in one of the keynote presentations 🙂

So far no other Nordic-based companies have been reported as participating as an exhibitor or VMware partner at VMworld. We are happy with the exposure and the interesting people we have met at the booth this year. Additionally, there were also participants from Basefarm at VMworld solely to focus on the latest developments in VMware technology.

Thanks to all of you who came by our booth! We had many interesting discussions and hope to meet you again in the future!

Welcome to Basefarm’s bank and finance seminar in Stockholm!

Welcome to Basefarm’s free breakfast seminar in Stockholm for those of you in the bank & finance industry! On May 29 we will go through everything you need to know about business-critical bank and finance systems, such as secure payments and DDoS. We will discuss practical projects and give you knowledge, inspiration and tools that are important in a digital bank and finance world. Attend by sending an e-mail to me, elin.mattsson@basefarm.se

Read more about the event (in Swedish)

Hope to see you on May 29! 🙂

This is how many services we host…

Last week, a colleague and I attended LARV (a career day for students at Luleå University in Sweden) and met a lot of curious students. It was a day with many rewarding conversations with the students. Who knows, we might meet again in the future?

During the day we arranged a competition at our booth where the students had to answer the question: “How many sites does Basefarm host?” That means how many services we host throughout Basefarm, including Norway and the Netherlands. Those of you who entered the competition are certainly curious to know who won? Many students participated, but the one who guessed closest was Maxime Koitsalu, who guessed 40 000. The exact number of services is currently 34 689! Since we have customers in 23 countries and every customer often has more than one service, it adds up to a lot in total.

Congratulations Maxime and hope you will like your subscription on Filmnet! 🙂

Sweden’s best sites from a hosting perspective

Tonight, the winners of the Swedish web competition Topp100, arranged by the magazine Internetworld, will be announced, and here is the list of all nominated sites in all categories. Eight of our customers have been nominated in the competition, and we at Basefarm are the engine behind everything, making sure that our customers’ services work. In this kind of context the traditional web perspective is usually in focus, and with this blog post we want to tell you what makes the sites (regardless of platform) good from a hosting perspective.

Close cooperation and understanding is key

What our nominated customers have in common is that they have grown rapidly. They have begun to see hosting in a new way and have started to specify how it should work, not just that it should work. The customers are good at creating, testing new things and setting requirements, while we take those requirements, make them real and implement them. The customers rely on correct information being conveyed about how things should work. With our expertise, knowledge and experience, we understand our customers’ needs and can provide the best possible conditions for them. Today you have to concentrate on doing one thing well and trust that others will do the other things well. It is this confidence that allows us, together, to agree on where our customers want to go and how to get there.

Checklist – 6 factors for a good site:

Below we have listed the things we think should be included on the checklist for a good site from a hosting perspective:

    • The 3 basic principles – a fast, always available and secure site
    • Flexibility and adaptability – it should be possible to add new features and update quickly, so that the site stays vibrant and functional
    • A hosting provider with unique competence in hosting mission-critical business applications – extensive experience and competence within design and architecture create understanding on the provider’s side and confidence on the customer’s
    • Operational processes and structures – these create security and should be in place for following up, catching issues and solving problems
    • Frequent dialogue – the hosting provider should act as an advisor and must dare to speak up and say what it thinks, including when it believes something will not work
    • Close cooperation – proximity to the customer is everything when working toward the same goal: our goal is to ensure that our customers succeed!

We wish all our customers who have been nominated good luck tonight at the Top 100 Awards! Thanks for your cooperation!

Building Dreamhack, part three

DHCP design for IPv4 on Dreamhack

I will describe the DHCP protocol in general and, specifically, the DHCP design that we use at Dreamhack for IPv4.

DHCP for IPv4
DHCP is a layer 3 protocol used for dynamic assignment of IP addresses and options to clients. The client device sends a layer 3 broadcast to 255.255.255.255 on the local network, with destination UDP port 67. This message is called a DHCP discover, and it is a request for a free IP address along with options. The server answers the broadcast on UDP port 68 with a DHCP offer. This offer contains the offered IP address, subnet mask, lease time, options and the IP address of the DHCP server. The client then sends a DHCP request to the DHCP server accepting the offered lease. When the server receives the DHCP request, it sends back a DHCP acknowledgement with the lease duration and options.
When half of the lease time has passed, the client tries to renew its lease by sending a DHCP request message to the DHCP server. If the client does not get a response from the server, it will continue to send DHCP request messages to that specific DHCP server at regular intervals. When the lease time ends, the client begins the process from the start by sending a DHCP discover.
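
The discover/offer/request/ack exchange described above, as an added example in Ruby that is not part of the original post: messages are built and parsed in the RFC 2131 wire format, the four-message exchange is run in memory, and the renewal point is derived from the lease. Addresses, the MAC and the transaction id are constructed sample values.

```ruby
# Added example (not from the post): DHCPv4 messages in the RFC 2131 wire format
# and the discover/offer/request/ack exchange. Addresses, MAC and transaction id
# are constructed sample values.
require 'ipaddr'

MAGIC_COOKIE = [99, 130, 83, 99].pack('C4')   # separates the fixed header from options
MSG_TYPES = { 1 => :discover, 2 => :offer, 3 => :request, 5 => :ack }.freeze
OPT_SUBNET = 1
OPT_REQ_IP = 50
OPT_LEASE = 51
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255

def ip_bytes(ip)
  IPAddr.new(ip).hton
end

# Build a message: op 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server).
# The fixed 236-byte header is followed by the magic cookie and TLV options.
def dhcp_build(op:, xid:, chaddr:, yiaddr: '0.0.0.0', options: {})
  mac = chaddr.split(':').map { |b| b.to_i(16) }.pack('C6')
  msg = [op, 1, 6, 0, xid, 0, 0x8000].pack('CCCCNnn')       # htype 1, hlen 6, broadcast flag
  msg << ip_bytes('0.0.0.0') << ip_bytes(yiaddr)            # ciaddr, yiaddr
  msg << ip_bytes('0.0.0.0') << ip_bytes('0.0.0.0')         # siaddr, giaddr
  msg << mac.ljust(16, "\0") << ("\0" * 64) << ("\0" * 128) # chaddr, sname, file
  tlv = options.map { |code, value| [code, value.bytesize].pack('CC') + value.b }.join
  msg + MAGIC_COOKIE + tlv + [OPT_END].pack('C')
end

# Decode a message, rejecting truncated headers and options that overrun the packet:
# a server or monitor must not trust client-supplied option lengths.
def dhcp_parse(bytes)
  bytes = bytes.b
  raise 'truncated DHCP header' if bytes.bytesize < 240
  op, _htype, hlen, _hops, xid = bytes.byteslice(0, 8).unpack('CCCCN')
  yiaddr = IPAddr.new_ntoh(bytes.byteslice(16, 4)).to_s
  chaddr = bytes.byteslice(28, [hlen, 16].min).unpack('C*').map { |b| format('%02x', b) }.join(':')
  raise 'bad magic cookie' unless bytes.byteslice(236, 4) == MAGIC_COOKIE
  options = {}
  pos = 240
  while pos < bytes.bytesize
    code = bytes.getbyte(pos)
    break if code == OPT_END
    if code.zero?   # pad option: single byte, no length
      pos += 1
      next
    end
    len = bytes.getbyte(pos + 1)
    raise 'option overruns packet' if len.nil? || pos + 2 + len > bytes.bytesize
    options[code] = bytes.byteslice(pos + 2, len)
    pos += 2 + len
  end
  { op: op, xid: xid, yiaddr: yiaddr, chaddr: chaddr, options: options,
    type: MSG_TYPES[options[OPT_MSG_TYPE]&.getbyte(0)] }
end

# Run the four-message exchange in memory and return what the client ends up with.
def dora_exchange(client_mac:, server_ip:, offered_ip:, lease_secs:, xid: 0x3903f326)
  server_opts = { OPT_SERVER_ID => ip_bytes(server_ip), OPT_LEASE => [lease_secs].pack('N'),
                  OPT_SUBNET => ip_bytes('255.255.255.0') }
  discover = dhcp_parse(dhcp_build(op: 1, xid: xid, chaddr: client_mac,
                                   options: { OPT_MSG_TYPE => "\x01" }))
  offer = dhcp_parse(dhcp_build(op: 2, xid: discover[:xid], chaddr: discover[:chaddr], yiaddr: offered_ip,
                                options: { OPT_MSG_TYPE => "\x02" }.merge(server_opts)))
  request = dhcp_parse(dhcp_build(op: 1, xid: xid, chaddr: client_mac,
                                  options: { OPT_MSG_TYPE => "\x03", OPT_REQ_IP => ip_bytes(offer[:yiaddr]),
                                             OPT_SERVER_ID => offer[:options][OPT_SERVER_ID] }))
  ack = dhcp_parse(dhcp_build(op: 2, xid: request[:xid], chaddr: request[:chaddr],
                              yiaddr: IPAddr.new_ntoh(request[:options][OPT_REQ_IP]).to_s,
                              options: { OPT_MSG_TYPE => "\x05" }.merge(server_opts)))
  lease = ack[:options][OPT_LEASE].unpack1('N')
  { sequence: [discover, offer, request, ack].map { |m| m[:type] },
    ip: ack[:yiaddr], server: IPAddr.new_ntoh(ack[:options][OPT_SERVER_ID]).to_s,
    lease: lease, renew_at: lease / 2 }   # T1: the client starts renewing at half the lease
end
```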

DHCP design at Dreamhack
At Dreamhack all the clients use DHCP for configuring their IPv4 address, subnet mask, default gateway, and SMTP, TFTP, DNS and NTP servers.

For hardware redundancy we have three DHCP servers. For operating system redundancy we run Debian and FreeBSD. We have one active/primary server that syncs its lease file to the two passive/secondary DHCP servers. If the primary goes down or a severe OS-related issue occurs, we can start using one of the secondaries.

DHCP monitoring and statistics
We have our own DHCP scope monitoring and statistics system, written in Ruby by me 🙂 The system has two daemons and a web application.

Daemon one tails and parses the DHCP lease file and parses the scope information, then sends the parsed output to MySQL and MongoDB datastores. Daemon two analyzes the data in the datastores and creates statistics and graphs. This information is then made available through a web application developed with the Sinatra framework.
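
As an added example in Ruby (not the Dreamhack system itself): the lease-parsing and scope-utilization core of what daemon one and daemon two do. It assumes ISC dhcpd's dhcpd.leases syntax, which the post does not name, and the lease records and scope ranges are constructed sample data.

```ruby
# Added example (not the Dreamhack system): the lease-parsing and scope-utilization core
# of what daemon one and daemon two do. Assumes ISC dhcpd's dhcpd.leases syntax, which
# the post does not name; the lease records and scope ranges are constructed.
require 'ipaddr'

# dhcpd.leases is append-only: a later record for the same address supersedes the earlier
# one, so 10.10.1.20 below ends up free even though its first record says active.
SAMPLE_LEASES = <<~LEASES
  lease 10.10.1.20 {
    ends 3 2012/11/21 12:00:00;
    binding state active;
    hardware ethernet 00:11:22:33:44:55;
  }
  lease 10.10.1.21 {
    ends 3 2012/11/21 12:05:00;
    binding state active;
    hardware ethernet 00:11:22:33:44:66;
  }
  lease 10.10.1.20 {
    ends 3 2012/11/21 10:45:00;
    binding state free;
    hardware ethernet 00:11:22:33:44:55;
  }
  lease 10.10.2.5 {
    ends 3 2012/11/21 13:00:00;
    binding state active;
    hardware ethernet 00:11:22:33:44:77;
  }
LEASES

# Constructed scope definitions, as the scope parser would yield them: name => dynamic range.
SAMPLE_SCOPES = {
  'hall-a' => ['10.10.1.10', '10.10.1.29'],   # 20 addresses
  'hall-b' => ['10.10.2.1', '10.10.2.100']    # 100 addresses
}.freeze

# Parse lease records into { ip => { ends:, state:, mac: } }; the last record per IP wins.
# dhcpd.leases timestamps are UTC and carry the weekday number before the date.
def parse_leases(text)
  leases = {}
  text.scan(/^\s*lease\s+(\S+)\s*\{(.*?)^\s*\}/m) do |ip, body|
    ends = body[/^\s*ends\s+\d\s+([\d\/]+\s+[\d:]+);/, 1]
    state = body[/^\s*binding state\s+(\w+);/, 1]
    mac = body[/^\s*hardware ethernet\s+([0-9a-f:]+);/i, 1]
    ends_at = ends && Time.utc(*ends.scan(/\d+/).map(&:to_i))
    leases[ip] = { ends: ends_at, state: state, mac: mac }
  end
  leases
end

# Count active, unexpired leases inside each scope's range and flag scopes near exhaustion,
# which is both a capacity problem and the symptom a DHCP starvation attack produces.
def scope_stats(leases, scopes, now:, alert_at: 0.9)
  scopes.map do |name, (first, last)|
    lo = IPAddr.new(first).to_i
    hi = IPAddr.new(last).to_i
    active = leases.count do |ip, lease|
      lease[:state] == 'active' && lease[:ends] && lease[:ends] > now &&
        (lo..hi).cover?(IPAddr.new(ip).to_i)
    end
    size = hi - lo + 1
    util = active.fdiv(size)
    [name, { size: size, active: active, utilization: util, alert: util >= alert_at }]
  end.to_h
end
```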

Who won the raspberry?

Last week we attended the Swedish career day Armada 2012 in Stockholm. Thanks to everyone who came by our booth! Hope we meet in the future! 🙂

At our booth we arranged the competition “win a raspberry with Basefarm”, where you could win a Raspberry Pi Model B V2 with 512 MB RAM by guessing closest to how many of our servers are virtualized. The correct answer is that we currently have 841 virtualized servers, and the winners who guessed closest are Alve Aalto and Joakim Jalap! They both guessed 850. Congratulations to Alve and Joakim! We have sent a raspberry to you both, so keep an eye out in the mail! 🙂

We have a winner from D-dagen!

In a previous blog post, we talked about a competition we arranged at the Swedish career day D-dagen at KTH. Christoffer Dahlgren and Daniel Swensson had guessed closest (with the same answer) in our competition. Today they visited us at our office in Stockholm to get a tour and compete for first place.

As a tiebreaker they had to guess how many customers we have at Basefarm in Sweden. What would you have guessed, by the way? In the end Christoffer guessed closest and won awesome headphones from Beats by Dr. Dre! Daniel didn’t leave us empty-handed either; he got a gift card from the Swedish technology company Webhallen as a consolation prize 🙂 We hope they enjoyed the tour of our office and wish them all the best in the future!

The competition from D-dagen at KTH

A while ago, we visited D-dagen, a yearly career day at the technical university KTH in Stockholm. We had many rewarding conversations with the students and hope to meet you again in the future! Many students took part in a competition we arranged at D-dagen, where you could win headphones. I guess you are curious about who won the competition?

In the competition the students had to answer the question: “How many servers does Basefarm have overall in the datacenters in Stockholm?” We received 51 responses, and the correct answer is that we currently have 1348 servers overall in the datacenters in Stockholm! Christoffer Dahlgren and Daniel Swensson guessed closest with 1342 servers, which was really close! Since both Christoffer and Daniel gave the same answer, we have invited them to the office in Stockholm to answer a tiebreaker and compete for first place 🙂 This will happen shortly, and we will then present who won. Keep an eye on the blog!

D-dagen at KTH

Defcon 20

Wednesday

Flight over Greenland

This year, my colleague Jens and I were given the opportunity to visit Defcon 20 (https://www.defcon.org/html/defcon-20/dc-20-index.html) in Las Vegas. It was my first time visiting the US, so I was obviously very excited about it!

We started off around noon on Wednesday, and after a transfer at Heathrow, London, we arrived in Las Vegas at 7 PM on the same Wednesday (Las Vegas being 9 hours behind Sweden).

Inside the terminal, the AC made it seem almost chilly at times, but once you went out to the taxi queue you were greeted by a 45-degree heat wave. The first thing that came to mind on the way to the hotel was how extremely big everything was, even compared to cities such as Shanghai. Once checked in at the hotel, I quickly drifted off to sleep, as I had forced myself to stay awake on the plane in order to avoid as much jet lag as possible.

Las Vegas

Thursday

Defcon Queue

Thursday morning, around 40 degrees outside at 8 AM when we made our way to the convention. I felt quite lucky in the cab when I saw people actually walking the trek towards the convention in the blistering heat. When we arrived, we noticed that the queue started outside, not so good. The queue moved forward though, so we assumed we’d be able to pay the entrance fee once we got a roof over our heads. Bad assumption. Once inside, the queue went on for about 2.5 hours more, and that was with us arriving 30 minutes prior to the desks opening. Lesson learned for next time.

Defcon Badge

Once we had paid the entrance fee, we were given the badges for the 20th Defcon, and they were mighty impressive. Rather than a normal badge (which is never the case for Defcon, but still), you were given a badge containing a multi-core processor, IR transmitter, LEDs, a mini-USB port, PS2/VGA ports that could be soldered on and open source software that contained a good variety of competitions for those who wanted to play around with crypto. Certain badges could also “infect” other badges, making the LEDs blink differently if you came in contact with them.

The amount of text you could write about these badges is probably enough to fill a book, but I suggest you check out the following resources for more information about them:
http://www.wired.com/threatlevel/2012/07/defcon20-badge/
http://forums.parallax.com/showthread.php?141494-Article-Parallax-Propeller-on-DEF-CON-20-Badge-Start-Here

Next in line was getting some food, and there was a nice “chill out zone” where you could buy hot and cold food, drinks, breakfast and other vital things for everyday life.

Having refuelled, we decided to get some swag to bring home. This turned out to be another 2-hour queue to the only shop they had for official merchandise. Eventually I ended up getting two t-shirts as a memento.

Defcon Merchandise

Later on we got into the first conference, which was the starting ceremony where everyone was welcomed to the 20th Defcon!

Since it was the registration day, we managed to get out earlier than usual, and used the time for a trip to the Grand Canyon, which has been one of the places I have most wanted to see for quite a while. Due to the tight time constraints we had to take a helicopter ride, which in itself was quite an adventure!

At Grand Canyon

Helicopter over Hoover Dam

Once back, we decided to do some sightseeing in the area next to the hotel.

Jens in front of the Bellagio Fountains

Walking on the strip

Friday

One of the talks

First “real” day of the conference! I started off with some talks about the badge and the history of Defcon to get a better idea of how things had progressed. I found them very interesting, with a lot of “unofficial information” about how things had been, even though I have wanted to go to Defcon for a long time and have read a lot about it over the years. There was also the talk by General Keith B. Alexander (US Cybercom director and NSA Director), which proved very interesting to hear, as he talked about how important it is to secure the country as a whole from outside attacks. The talk after that was called “Owning One to Rule Them All”, where the speaker went through Microsoft SCCM and how it was possible to compromise it and make it send a payload of your choosing to all clients connected to it (which means that by adding your trojan or whatever, you’d be able to infect an entire network of computers very quickly).

Also, as you walked around, you noticed more and more competitions around the place. On the floor there were multiple puzzles and crypto challenges, and others could be found on posters etc.

One of the puzzles

During the evening we went out to have another look at the surrounding area, and ended up eating at a place, called Johnny Rockets, that had amazing burgers. We also went to check out the opening ceremony of the Olympics!

Outside the Hotel

On the strip!

Olympic Games Opening Ceremony

On the strip!

Saturday

Defcon talks

Today was a mix of talks concerning the future of the net and what limitations should or should not be in place, how government agencies operate, and how attacks on our infrastructure are being carried out. The more “practical” talks were about botnets and how they are operated through web pages or IRC servers, and the various ways DDoS attacks are carried out against companies and how they can be mitigated.

Today I also walked around a bit in the other parts of the convention! For example, I visited the CTF area, where teams compete against each other to secure their own servers and prevent other teams from compromising their running services, while also trying to take over other teams’ servers in order to gain points. There was also the Wall of Sheep area, where traffic that had been sniffed on the network (non-SSL traffic) was posted on a big screen for shame and for others to see.

Competition room

Competition room

The vendor area, on the other hand, was a place of business where people gathered to buy and sell various merchandise, ranging from t-shirts to satellite transmitters. There was also a book-signing area with people such as Bruce Schneier, and an area where you could view things such as actual Enigma machines.

Bruce Schneier signing books

Enigma Machine

There was also the hardware hacking area, an area where you could learn how to create robots, learn how to solder, learn how to make your badge do things it couldn’t when you got it, and a lot of other things.

Hardware Hacking Area

Afterwards we went out for some sightseeing and visited the Venetian as well as Treasure Island!

The Venetian

The strip

Sunday

Metasploit talks

Sunday was the last day of the conference, and it contained a variety of talks ranging from new-generation port scanners and Metasploit examples to how easily certain Huawei routers can be hacked, and Kevin Poulsen talking about his previous experience as well as his book. There was also the closing ceremony, with all the contestants getting their prizes and some receiving the all-mighty black badge that gives you free entrance to Defcon for life.

As we hadn’t had time to eat much other than sandwiches or a quick burrito, we decided to hit the buffet at the Bellagio for our last conference evening. The queue took quite a while to get through, but it was well worth it, with a lot of really great food. We also took a quick stroll down the south end of the strip.

Closing Ceremony

Bellagio Buffet!

Hotel entrance

In front of Paris Paris!

Monday

Mandalay Bay

Monday was the last day in Las Vegas, as we were supposed to leave for Stockholm again at 8.45 PM. For once, we decided to take a long morning rather than getting up at 7.30 AM, so we met up at 11.00 to check out and have something to eat. Once that had been sorted, we decided to take a stroll through all the casinos south of Bally’s to see what each of them offered. We ended up visiting each one, and also went into the aquarium at Mandalay Bay to see some sharks. Once at the airport, we found out that the plane was 3 hours delayed. That in turn meant we missed our connecting flight at Heathrow, which meant we got home after 00:00 and made the next work day feel “so so”, considering the time difference etc. All in all I’d definitely rate this convention the best one I’ve been to! Some of the talks were not very interesting at all, while some were very, very good. The two I liked the most were “Black Ops” and “How to Hack All the Transport Networks of a Country”.

You can find the full schedule here: https://www.defcon.org/html/defcon-20/dc-20-schedule.html

The main thing I feel I gained, though, was “getting back to basics” rather than being so immersed in the commercial aspect of the IT industry. The experience gave me a lot of reminders about why I started loving computers in the first place!

At the Luxor Entrance

Hotel New York New York
