Thursday 25 March 2010

New Podcast: Removing Viruses, Worms & Spyware

This podcast is aimed at day to day people outside the IT security industry using Microsoft Windows. This podcast gives a quick over view on the types of malware (Virus, Worms & Spyware), describes how to prevent malware infection on your PC, and how to remove malware from your PC following infection.

IT Security Expert Podcast - Mar2010 : Removing Viruses, Worms & Spyware

Dave @ ITSecurityExpert.co.uk - IT Security Expert - IT Security Expert UK Podcast - IT Security Expert UK PodcastITSecurityExpert on iTunes

Free Malware Removal Tools Recommended in this Podcast
Microsoft Windows Malicious Software Removal Tool
Spybot - Search & Destroy
AVG Rescue CD

There are other free malware removal tools out there, including those which run online in the web browser. If anyone wants to recommend any they have used, please go ahead and make your recommendation in this post's comments - Thanks

Notes
1. "Malware" is a collective term which includes Viruses, Worms, Keyloggers, Trojans, Spyware, Adware, and apps referred to as Crimeware
2. I recommend running these tools frequently, even if your Anti Virus application is not reporting any malware infections. AV doesn't detect all malware!
3. Windows Defender is always worth installing and protects mainly against spyware and adware, and is free.
4. Beware some malware removal tools are actually malware themselves, and actually add further infections to your PC. Therefore I recommend sticking with removal tools listed on this post and provided by reputable security companies and organisations.
5. After running a malware removal tool, I recommend rebooting your PC and running the tool a second time, to ensure all malware has been permanently removed from your PC.

Monday 22 March 2010

UK Shops with Minimum Spend OR Charges for Accepting Card Payments

I really love those new Visa World Cup Football TV and the Barclaycard Contactless Card commercials (see below).





These ads depict using Visa and Barclaycard plastic to pay for small transaction amounts, such as using your credit card to pay for your lunch, and paying by card for a haircut. But these TV commercials representation does not quite match the reality on the ground in the UK, where many cardholders appear to be continually taken advantage of and are becoming frustrated by small merchants shops who either apply a surcharge, or insist on the minimum spend for payments by card. This reality is in direct conflict with Visa, MasterCard and Barclaycard's overall strategy, namely for card payments to replace all cash payments, hence the recent introduction of contactless payments in the UK. Contactless cards are not just designed for your convenience but to allow the card brands to soak up the small payment transaction space.

Can Merchants Apply a Minimum Spend or a Surcharge in the UK?
I have been speaking with Visa, MasterCard and Barclaycard about this, and to be honest the answer is not clear cut as I thought it would be, mainly thanks to complicated European Laws and UK Laws, and even local area laws comes into the equation.
What I do know is the likes of Visa and MasterCard do have strict regulations which they say apply to all merchants (retail shops) which accept their card payments. These regulations clearly state merchants are not allowed to apply any surcharge or require a minimum spend amount as detailed below.

VISA
5.1.C Prohibitions
A Merchant must not:
• Add any surcharges to Transactions, unless local law expressly requires that a Merchant be permitted to impose a surcharge.

MasterCard
A Merchant must not directly or indirectly require any Cardholder to pay a surcharge or any part of any Merchant discount or any contemporaneous finance charge in connection with a Transaction. A Merchant may provide a discount to its customers for cash payments. A Merchant is permitted to charge a fee (such as a bona fide commission, postage, expedited service or convenience fees, and the like) if the fee is imposed on all like transactions regardless of the form of payment used, or as the Corporation has expressly permitted in writing. For purposes of this Rule:
1. A surcharge is any fee charged in connection with a Transaction that is not charged if another payment method is used.
2. The Merchant discount fee is any fee a Merchant pays to an Acquirer so that the Acquirer will acquire the Transactions of the Merchant

However these regulations are trumped by law, EU, UK and even local laws. For example airlines, holiday companies and large concert ticket providers cite legalise to get around these regulations, applying surcharges to their card payments.  Sometimes they hide the surcharge as an administration fee, which is fine for a business which don’t offer a cash payment alternative. I thought this could be a key point, as small shops obviously are accepting cash payments along side card payments.


I have been reading up on the legal side of this issue, as I understand it, it appears merchants are not allowed to profit from surcharging. However going back to the strict card scheme regulations, lets take the scenario where we have a small shop which has been provided with the equipment to accept card payments, as provided by the likes of HSBC and Streamline. From my conversations it came across surcharging and applying a minimum spend in this type of scenario is highly frowned upon by the card schemes (Visa & MasterCard). In fact during my discussions with these card brands, they both offered a method to file a complaint about small merchants doing this.

MERCHANT COMPLAINT FILING
Visa: Notify your Visa card-issuing bank. Visa Member financial institutions have access to the appropriate Visa rules and regulations. Your card-issuing bank can best answer your questions about surcharges. They also have access to the Notification of Customer Complaint forms that should be used by the financial institution to document and file this type of complaint. You can contact them directly, using the address or telephone number on your Visa statement or on the back of your card.

MasterCard: File a merchant violation by Email consumer_advocate@mastercard.com . We do contact the merchant's bank when we see repeated violations and they are requested to maintain appropriate controls over the merchants.

Now my legal eagle brother likes to point out shops can always refuse your card payment transaction and kick you out of their premises without providing any reason, true. However I argue that most small merchants sign an agreement to abide by these regulations as part of the package in being provided with the means to accept the card payments. Therefore it seems pretty clear to me most smaller merchants are not permitted to surcharge or require a minimum spend at all. Banks which provide the payment devices have the power to disable the payment devices from any merchant which doesn't comply, so would act if a card scheme or customers highlighted a merchant wasn't complying with these regulations.

UK local legislation allows surcharging on credit cards which takes precedence over Visa rules and regulations - Visa Europe

So after doing further digging on the legal side, it appears merchants are indeed allowed to make charges under law, remember the card schemes state law trumps their regulations, however I found another angle on legal side, in that merchants need to clearly advertise their surcharges.

 Since the 28th February 1991, in accordance with the Credit Cards (Price Discrimination) Order 1990, retailers have been allowed to apply these charges to the cardholder.

It may help you to know that customers are protected under the Consumer Protection Act 1987, which states that is a criminal offence to mislead the customer regarding the cost/charges of a purchase. Retailers are therefore required to clearly advertise and advise their intentions to the customer before applying this charge.
My conclusion on minimum spending and surcharges; because of the legal situation, unfortunately I cannot state UK merchants are not allowed to add surcharges or require customers make a minimum spend for payment card transactions. But if you feel strongly about this you can raise a complaint against any merchant indulging with these practices with the card schemes and acquiring banks, namely the providers of payment equipment e.g. Streamline, HSBC. I will continue to research this situation, I am very interested if anyone else has any further information or views on this one.
Now I do feel the merchant’s pain in that the cost (transaction charge imposed on them) in taking small transactions really hits their profit margins, but hey this is the price of having the ability to accept card payments at your business, no one is forces any business to offer the acceptance of card payments.

Here’s the thing that really bugs me about this. There are too many merchants in the UK which are running a muck with these charges, some are ignorant of these requirements, and some are actually sticking two fingers up at the regulations they sign up to, I know because shop owners get very nervous when I ask question their surcharging. So what do you think merchants are doing about the Payment Card Security regulations, specifically Payment Card Industry Data Security Standard (PCI DSS)? The next time you have fraudulent transactions on your credit card and don’t understand how your card details were stolen. Know it is more than likely than not, that your details were stolen from a merchant which held your card details, because the merchant was not following card security regulations and adequately protecting your card details while in their care. By the way merchants certainly cannot hide behind law when comes to their compliance with card payment security regulations, and specifically PCI DSS compliance.

It is worth noting that we do not have any breach disclosure laws in the UK, it is never in the interest of merchants, banks and card brands to publicly disclosure payment card breaches. But I can tell you card payment breaches of UK cards in significant numbers are occurring due to UK merchant security negligence, it's happening behind closed doors, and it's happening far too often.

Tuesday 16 March 2010

The Vulnerability Management Game

I have been asked to speak about IT Security Vulnerability Management at a Security Conference, and it got me thinking. Vulnerability Management is the good practice of finding security weaknesses, which bad guys may exploit (hack) and then fixing them. It’s an endless cycle of finding and fixing, Why? Because software code is extremely complicated and tends to be highly rushed by developers these days. Some code can even be millions of lines long, code is never perfect and so never can be bullet proof secure, it’s just a question of discovering the vulnerabilities which are present. This is the reason why Microsoft release security patches on at least a monthly basis and why Microsoft will continue to release security patches as long as they have software to support.

An interesting vulnerability management game is played by security vulnerability management vendors and security researchers, as it these vendors and security researchers which tend to find the vast majority of the most threatening vulnerabilities. Finding high risk vulnerabilities is good, however they usually announce their findings to the world; what exactly the vulnerability is, and how it could be exploited, so telling the bad guys along with the good guys. There is clear evidence the bad guys wait for these announcements and act on them before the good guys have chance to apply fixes. I'm not sure if anything can be done about this part of game, while it is plain old bad security to assume bad guys do not known about vulnerabilities which the security vendors have to yet to discover. However with mass vulnerability exploitation, more often than not, I am seeing an “IT Security Industry” vulnerability announcement and media coverage which has started the ball rolling.

Worst yet are “zero day” vulnerabilities, which is the term to describe the announcement of a vulnerability which has yet to have a fix available. Remember it can take time to code and test vulnerability fixes. The worst case scenario is to have a vulnerability activity exploited by bad guys without the software provider having a fix ready.  A recent example of a “Zero Day” vulnerability was with Microsoft Internet Explorer - http://news.bbc.co.uk/1/hi/technology/7784908.stm  Announcement of "zero day" vulnerabilities which aren't being actively exploited on mass is particularly shaky ground, why not wait until a patch is ready for release? I know there has been issues in companies not listening to security vulnerability researchers, even threatening to sue them, but I can't see how it can be right to publish a vulnerability which doesn't have a fix.

So let us switch this around another way, last week I took a couple of flights, and despite all security checking at the airports, I thought of several ways I could of successfully bypassed the airport security to get “banned” items onto the plane. So these are airport security vulnerabilities, just like IT vulnerabilities, remember no system can ever be 100% secure. As a society we are all very sensitive about airport security, mainly thanks to media led risk assessment of terrorism- I’ll save that one for another blog post.


My main point is this, I am not going to announce to the world how to bypass airport security, because:

(A) I don’t think it is ethical

(B) I don’t think it would reduce risk and make flying safer, even should someone from the airport security industry be actually willing to listen, I think they would accept the risk (the vulnerabilities)

(C) Just saying them could get me arrested thanks to the UK’s strict anti-terrorism laws

(D) This is the most important reason. I really don’t want to tell bad guys how to bypass airport security.

Again I do not assume terrorists don't already know about weaknesses in airport security, I'm sure airport security authorities know their security weaknesses as well. But even though some terrorist may know about vulnerabilities in the systems, it serves no purpose in telling them all about all possible weakness in our airport's security, it by nature can never be 100% secure, is a question of risk management, so why is the security industry chomping at the bit to tell world about all weaknesses in our IT systems?