Wednesday, 30 November 2011

Why PCI DSS is good for Information Security

There is a growing consensus within the Information Security community that the Payment Card Industry Data Security Standard (PCI DSS) is actually proving to be a detriment to general information security across the business. One point regularly made is that the PCI standard diverts precious funding and resource away from the overall business information security strategy, where the breach risks for the business as a whole can be much greater. That may well be the case in larger enterprises, which rightly regard best practice information security as a business priority, but consider medium to small businesses: this is the land where information security ignorance is bliss. Within such SMEs, PCI can be a real InfoSec wake-up call. Merely attempting to comply with the many PCI DSS requirements can provide benefits across the business, where before the business was completely unaware of the risks, or hadn't been treating risks with the proper regard. Forcing them into action to meet the specific PCI requirements often results in security improvements across the entire business: not just tightening the security of the credit card data in their possession, but of personal and confidential information as well.

Love it or hate it, PCI does business good

The truth of PCI DSS is that most of its 260-odd individual requirements, which set the minimum baseline for PCI compliance, are just best practice information security anyway, so businesses are supposed to be doing the lion's share of them already. What PCI DSS does in the small to medium business environment (when taken seriously) is force businesses to take note and ultimately implement these best practices, and in most cases apply security improvements holistically across the business. For instance, measures such as establishing a good patch management process, anti-virus deployment and information security policies are applied to, and benefit, the entire business, not just the cardholder environment, so the business ends up killing many data protection birds with one stone.

Today 90% of the card fraud in the UK occurs within level 4 merchants (the smallest of businesses), specifically due to web application vulnerabilities, vulnerabilities which have been around for over 10 years. Yet if these businesses were PCI DSS compliant, it would be fair to say the majority of these breaches just wouldn't occur. This statistic is actually testament to the success of PCI DSS in medium to small businesses, in that larger companies (level 1 to 3) have been chased and forced to address PCI DSS compliance by their acquiring banks, as opposed to the heavily breached small businesses, which have yet to be vigorously chased for compliance. Given the latest fraud stats, they can soon expect to be.

I am not saying PCI DSS is perfect, lord knows it isn't, and I do understand the arguments made by infosec leaders working within larger enterprises, which already focus on information security as a business service priority. But I find it very hard to argue that PCI DSS is not helping medium to small businesses, not only to protect cardholder data but to improve their general information security, even if they aren't strictly fully compliant with the standard. In trying to comply with, and meet most of, the PCI DSS requirements, they seriously reduce their breach risks, not just to cardholder data, but to the personal data they hold as well.

One final point I want to be crystal clear on: a business cannot be considered PCI DSS compliant if it is not meeting all of the PCI DSS requirements, not just on the date of the PCI assessment, but 365 days a year, 7 days a week, 24 hours a day. A QSA's successful Report on Compliance will not save a business from fines if a breach were to occur because the business was not meeting just a single compliance requirement. How many businesses are truly compliant in this way is up for debate.

Friday, 28 October 2011

Securely Wiping your Personal Data from the iPhone

It seems like every year Apple release a better 'must have' version of the amazing iPhone, sparking a rush to upgrade by the masses. Ensuring all your precious personal information is securely removed from your old iPhone is an essential step to take before trading it in or selling it on eBay. Like any smartphone, the iPhone hoards all types of sensitive information about you: not just your embarrassing ABBA playlist and dodgy drunken pictures from the weekend, but all your emails (including access to future mail), usernames and passwords for websites and social media, and often even sensitive financial information such as bank account and credit card details. So unless you are putting your iPhone through an industrial crusher, you really need to ensure you erase all the data from it before passing it on. This post explains how.

This data erasing advice and method also applies to the iPad and iPod Touch.

If your old iPhone is a 3GS or later model, then securely erasing your personal data is simple enough. The 3GS and later iPhone models come with built-in hardware encryption by default (you cannot switch it off): the iPhone uses AES-256 encryption, which encrypts all data stored on the iPhone to a strong, industry accepted standard. This is not to say your personal data is safe if your iPhone is lost or stolen, due to the way Apple have implemented this encryption, however that is the subject of another blog post. The important thing here is that all of the personal data stored on the iPhone is strongly encrypted, therefore merely deleting the encryption key securely from the iPhone (and everywhere else) will render all the personal data inaccessible.

Built into iOS is an option to erase all the data on the iPhone and restore it to factory condition. Apple states the encryption keys are removed (which doesn't take long) and then a series of ones is written to the entire data partition, which is why the process takes a couple of hours to complete.

"When you opt to "Erase All Content and Settings," the process can take up to several hours. The time this process takes will vary by device:

Devices that support hardware encryption: Erases user settings and information by removing the encryption key to the data. This process takes just a few minutes.
Devices that overwrite memory: Overwrites user settings and information, writing a series of ones to the data partition. This process can take several hours, depending on the storage capacity of your iPhone or iPod touch. During this time, the device displays the Apple logo and a progress bar."
- Apple

In my personal view, the overwrite of the entire data partition with ones after the encryption key has been removed makes the process secure enough to trust against the general third-party data recovery risk. However, military organisations, some industries (and the paranoid) may well require further overwrite passes of the data partition with 1s and 0s, for which commercial software such as iShredder is available. If anyone has managed to recover data from an iPhone following Apple's erasing process, I'm yet to hear about it.
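To show why removing the key is the step that matters, here is an added Go model of the crypto-erase process described above; it is an illustration written for this post, not Apple's code. The "device" holds a constructed in-memory partition encrypted under a random AES-256 key, and the erase zeroes the key before overwriting the partition with ones, so that even a copy of the partition taken before the wipe cannot be decrypted afterwards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device is a constructed model of what the post says a 3GS-or-later iPhone holds:
// an AES-256 key and a data partition that only ever exists in encrypted form.
type Device struct {
	key       []byte // 32-byte AES-256 key; nil once erased
	partition []byte // nonce || AES-256-GCM ciphertext of the user data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewDevice generates a fresh key and stores userData encrypted under it,
// as the hardware encryption does for everything written to flash.
func NewDevice(userData []byte) (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Device{key: key, partition: append(nonce, aead.Seal(nil, nonce, userData, nil)...)}, nil
}

// TryDecrypt is all that anyone holding a raw image of the partition can do;
// without the exact key, GCM's tag check fails and nothing is recovered.
func TryDecrypt(image, key []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(image) < ns {
		return nil, errors.New("image too short")
	}
	return aead.Open(nil, image[:ns], image[ns:], nil)
}

// ReadData is the owner's normal view: the partition decrypted with the device key.
func (d *Device) ReadData() ([]byte, error) {
	if d.key == nil {
		return nil, errors.New("no encryption key on device")
	}
	return TryDecrypt(d.partition, d.key)
}

// EraseAllContent models "Erase All Content and Settings": zero and drop the key
// first (the quick step that already makes the data unrecoverable), then overwrite
// the partition with ones, the slow step Apple describes.
func (d *Device) EraseAllContent() {
	for i := range d.key {
		d.key[i] = 0
	}
	d.key = nil
	for i := range d.partition {
		d.partition[i] = 0xFF
	}
}

// PartitionIsAllOnes reports whether the overwrite pass completed.
func (d *Device) PartitionIsAllOnes() bool {
	for _, b := range d.partition {
		if b != 0xFF {
			return false
		}
	}
	return len(d.partition) > 0
}

func main() {
	dev, err := NewDevice([]byte("contacts, mail tokens, saved card number")) // constructed sample
	if err != nil {
		panic(err)
	}
	before, _ := dev.ReadData()
	image := append([]byte(nil), dev.partition...) // a copy of the flash taken before the wipe
	dev.EraseAllContent()
	_, readErr := dev.ReadData()
	_, imageErr := TryDecrypt(image, make([]byte, 32)) // without the real key
	fmt.Printf("before: %q\nowner read after erase: %v\npre-wipe image without key: %v\npartition all ones: %v\n",
		before, readErr, imageErr, dev.PartitionIsAllOnes())
}
```

The model only holds if the key really is gone from everywhere, which is the point of the post's "(and everywhere else)".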

How to Erase your Personal Data from the iPhone
1. Back up your iPhone in iTunes; you may well want to restore your personal information to your new iPhone.
2. Make sure the iPhone has power. This process might take a couple of hours to complete, and you don't want the iPhone to run out of battery before finishing.
3. On the iPhone go into "Settings".
4. Then select "General".
5. At the bottom tap "Reset>".
6. Select "Erase All Content and Settings".
7. Tap "Erase iPhone".
8. Wait a couple of hours and you are done.

Finally, don't forget to remove the SIM card. The iPhone doesn't store any data on the SIM card, but it is a wise precaution just in case your mobile operator doesn't deactivate it properly, and it's not like the person you are selling the iPhone to needs it anyway.

Friday, 16 September 2011

Internet Troll Stomping

I was featured in The Sun newspaper today in relation to Internet trolls. Trolling, or a troll, is net slang for an individual who intentionally posts inflammatory, insulting or threatening remarks online. Pretty much anywhere people can leave comments on the Internet, such as forums, Facebook pages, Twitter, YouTube and newspaper comment sections, is subject to abusive comments. People can say the most extreme things when they think they are protected by the shroud of anonymity, words they'd never dream of saying to anyone face to face. However, there are increasingly individuals who post abusive comments which go well beyond the boundaries of decency and taste; these are the individuals really regarded as trolls under the definition.

Recently a troll was convicted for abusing tribute websites of deceased girls, bringing the whole trolling issue into the public arena - http://www.bbc.co.uk/news/uk-england-14907590

You're not as anonymous as you might think
Forget China, the UK is one of the most high-tech surveillance countries in the world; we are most certainly not as anonymous online as we might think. Many of the suggested workarounds for anonymity I hear about just don't work. For instance, Google stores every search you type in; these searches are linked to your physical computer(s), or if you have a Google account, directly to you as an individual. Google covertly provides all this information to the police and our government security agencies when requested. Apple monitor your movements and usage, while phone network providers, Internet Service Providers (ISPs) and social network websites all record every little detail about what you do and when you do it. We do live in an Orwellian 1984 society; just accept it. There is no going back, there is no escape and there is no hiding place online: they'll catch up with you eventually.

All this is not quite as exciting as portrayed by Hollywood blockbuster movies or CSI Miami, just thousands of lines of information being collected, recording what we are doing online. Real-life law enforcement is only now getting to grips with using this vast amount of information. Aside from the troll conviction, terrorism prevention and several murder cases, the many arrests and convictions for incitement of riots by individuals online is another example. If you ever did want to disappear and live anonymously, the first thing you should do is stop using the Internet!

Here are my comments in The Sun article today (Page 9, 15-Sept-11):
"Idiots are very easy to locate
These twisted individuals are idiots — they assume they are anonymous online.
But their internet service provider can track their IP address and hand over their details to the cops.
Everyone has an IP address for their internet account which is linked to their name, address and any other details they gave to set up the account.
If the police want to track someone posting abusive messages, they simply speak to the internet service providers who have a record of everything which is written online.
There are some things you can do to limit the chances of being attacked.
Only be Facebook friends with people you know and trust. Parents can also make themselves friends with their kids, to monitor anything going on.
There are no instant answers to eradicating this kind of cyber-bullying, but if kids get educated about the internet they can avoid it much more easily.
The internet has the very best of life, but also the very worst."

Trolling Advice
1. Prevention
Trolling can be simple to prevent in certain circumstances. If you have a webpage at risk which has the ability to enable comment pre-screening, namely you or other trusted individuals approving all comments before they are posted, do it, as it will almost certainly prevent trolling. Trolls won't even bother to make a remark if they know their comments are going to be checked before they are posted.

2. Dealing with Trolling Incidents
Trolling is most definitely illegal under the Communications Act 2003, Section 127. Therefore, if you are a victim of trolling, by which I mean abusive comments which go beyond the pale of decency, consider reporting them to your local police: http://www.police.uk/

http://www.legislation.gov.uk/ukpga/2003/21/section/127
127 Improper use of public electronic communications network
(1) A person is guilty of an offence if he—
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he—
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).

Thursday, 1 September 2011

Evolution of UK Home Banking Security - In progress?

I was featured in an article by MSN Money titled "Online Banking Security gets more Complex"

http://money.uk.msn.com/news/crime/articles.aspx?cp-documentid=159017310

Nothing groundbreaking, but it would appear UK banking consumers are starting to feel the pain of the trade-offs of increased online banking security, as UK banks try to save money by cutting previously acceptable losses from online account fraud.

"One person, one bank: three devices

But despite the evidence that new measures are more than just inconvenient, many banks are pressing ahead. Lloyds, Barclays, Cooperative Bank, RBS and Nationwide Building Society all require customers to use a card reader when amendments are made to standing orders, direct debits or when setting up payments.

"This is called two-factor authentication," said independent bank security expert Dave Whitelegg.

How two-factor authentication works
The idea is that no fraudster can access your account, however much they know about your life, your pets and your mother's maiden name, unless they also physically possess the device. "It's the same theory as for chip and pin," Whitelegg told MSN.

Chip and pin dramatically cut credit card fraud, and banks are hoping that two-factor identification will have the same effect on online bank fraud.

The biggest worry for banks is phishing attacks, by which fraudsters send emails hoping to get customers to log into cloned bank websites and enter their details, which are then captured and used to empty the real accounts.

"Phishing emails are sent out by the million, so even if 0.1% of recipients fall for them, they are a success," Whitelegg said.
Most such phishing attempts are easy to spot, failing to address the customer by name and littered with bad grammar and mis-spelling. But a new generation are more convincing. They may not only have your name, but much more convincing cloned websites.

Mobile banking: a worrying new frontier
The next frontier in banking fraud is coming with smartphones, which are increasingly enabled for transactions, but which experts say add a new vulnerability.

"They have never been targeted before, so they have never matured with fraud in the same way that PCs have," Whitelegg said.

Sending a text to confirm payment changes, which Santander among others allows, will become less secure if the entire transaction was originated from a stolen mobile.

So who are the people behind online fraud? There is a whole ecosystem out there, with software masterminds writing key logger and phishing programmes and devising convincing copies of bank websites. Then there are communities of hackers and fraudsters who meet online, and buy this software off the shelf, Whitelegg says.
"You have the people who steal cards, or personal data, who can be from anywhere, and then there are the Far Eastern networks of botnets, clusters of remotely controlled computers, which actually generate the phishing attacks," Whitelegg said.

The result is that just a few clever people have seeded a whole crime industry for thousands of criminals who would never have the brains to devise the whole process themselves.

How you can protect yourself
There are no absolutely foolproof ways to avoid data or identity theft but here are a few sensible precautions.

1) Treat your personal data like cash: Don't leave it lying around. Shred unwanted documents, don't disclose financial details or potential answers to security questions (eg your mother's maiden name) except on verifiable and encrypted sites.

2) Use reputable anti-virus software and keep it up to date.

3) Never download an attachment from an untrusted source as it may contain viruses.

4) Phishing attempts usually begin with alarming warnings about a breach of your security. Banks never alert their customers this way. Even if you are concerned by an email, either ring your bank, or type in the web address from a bank statement. Never follow a link on the email.

5) Change your email address so it's not identical to your real name as used in any financial accounts, so you can easily spot crude phishing attempts which address you by your email name.

6) If you must write down passwords or security details, disguise them. This is particularly important if they are kept on a computer. Use a long and secure password to 'lock' laptops.

7) When inputting details onto a bank website, don't input them in the same order as the questions appear, and use the mouse rather than tab buttons to move around the screen. This can help foil key loggers and other trojan devices.

8) Go ex-directory: keeping your phone details out of circulation stops most phone-based frauds as well as irritating sales calls.

9) If your bank phones you unexpectedly, protect your interests by asking THEM a security question. Ask what your balance was on the date of your last statement, or a recent transaction that you can check. Banks will not ask for online security codes by phone, so don't give them. If in doubt say you are going to ring them back on the usual customer service number."

Tuesday, 23 August 2011

How to comply with the EU Cookie Law in the UK

There is still much confusion and, to be completely frank, some plain old nonsense being spouted about the so-called EU Cookie Law. So I thought it high time to explain what it is all about, and specifically what UK businesses should be doing about complying with it. I am not a lawyer or an EU law expert, therefore you should regard this blog entry as guidance and personal opinion. Having said that, it has not escaped my attention that there are some in the legal profession who are jumping on the EU Cookie Directive bandwagon in order to make a quick buck, and even providing very questionable technical advice to UK businesses.

If you are already in the know on this issue, you may just want to skip to the section near the bottom, where I provide my advice: "How to comply with EU Cookie Law and avoid Fines."

What is the EU Cookie Directive and its requirements?
All member countries (states) of the European Union are obliged to adopt EU Directives. One such EU Directive, known as the "Privacy and Electronic Communications Directive" and also as the "E-Privacy Directive", was amended in 2009. The controversial addition involves requirements around the usage of website cookies, and applies to all websites serving European Union citizens.


The updated Directive came into force on 26 May 2011, which means all EU countries should by now have brought the new requirements on cookie usage into law. There is some leeway and discretion in how Directives are interpreted by each individual EU member country. However, most EU countries haven't done anything about meeting the new requirements at all; only Denmark and Estonia have attempted to comply by the deadline.

Meanwhile in the UK, the government has deferred the new Directive requirements for a year while it tries to work out a common sense way for UK businesses to comply with them; remember the government has some leeway in how it meets the Directive's requirements. The Department for Culture, Media and Sport (DCMS), the Information Commissioner's Office (ICO) and other commercial government departments are currently reviewing how the UK will comply. The ICO, who are responsible for enforcing data protection laws in the UK, has stated it expects UK businesses to be actively working towards compliance, even though no clear practical government requirements or advice have been set out (ICO news release: enforcement_cookies_rules_news_release).

What is a Cookie anyway & is my business affected?
Nearly all websites and web applications use cookies, which are stored locally on the website visitor's PC and are commonly required for functions such as tracking user logins, remembering user preferences, tracking visitors and advertising. Therefore the implied change of law will affect all UK businesses which have websites. A full explanation of 'cookies' can be found at http://www.allaboutcookies.org/


What are the new EU Directive Cookie Requirements?
In simple terms, the change means all UK websites must provide information on their cookie usage. This is not a major business issue, just additional text in the website privacy statement explaining how cookies are used on the website and what information they hold. I have to say this requirement actually does make good sense. However, there is another new requirement in the Directive which is causing all the controversy and confusion, namely that websites must obtain user consent before they use a cookie.

“Article 5(3) shall be replaced by the following:
‘3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’”

Cookie Usage Consent
Cookie usage consent on a website is a pretty crazy idea, as the Directive implies that every time you visit any website, a pop-up or an in-screen warning box appears, which forces you to tick a box before allowing you to access the website. As I said, the vast majority of websites on the internet need to use cookies, and they just can't work without them. I have previously ranted about this on this blog -

Why has the law changed?
The intent of the EU Cookie Directive is to protect every individual European citizen's privacy rights, as cookies can be used to track an individual's interests, which can be exploited by third-party advertisers. I guess the folks in Brussels think it is in our own best interest for them to create laws to protect us from this practice, no matter how high a price the inconvenience trade-off is: a trade-off which affects millions of daily European web users, and which would be totally unacceptable to the vast majority of them.

There is little doubt the vast majority of the UK public just don't care about this law or cookie usage. Privacy is the currency and the price we knowingly pay for using 'free' online services. Web services as provided by the likes of Google, Facebook, YouTube, news websites, the whole of e-commerce and free information sharing like this blog are the foundation of the Internet's success, and so are the essence of how the web revolution has changed and driven humankind in a way like no other human invention. The reason these amazing web services we take for granted are free to use is that they are paid for by advertisers, advertisers who feed off our privacy. For instance, as I compose a Gmail email, if I write about mountain climbing, sure enough unobtrusive advertisements offering to sell me outdoor equipment will appear on the right side of the page. Does this bother me? No, it is all targeted marketing, and is really no different from advertising a beer brand at a football match; it's the same type of targeted advertising, made against people's predicted "wants" based on their interests. This is just the capitalist world we all live in. Marketers would argue this type of advertising benefits consumers, as it presents them only with products they have an actual interest in.

There are more pressing privacy laws on which the EU should be focusing. The public care about companies breaching and losing their personal information a lot more than about cookie exploitation. Yet private businesses in the UK still have no legal obligation to publicly disclose breaches of EU citizens' personal data. I have previously blogged about this as well - http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html

Common Sense Solution for those who do Care about Cookies
For the very few individuals who do care about cookie usage, there is a simple solution they are probably using already. Anyone can set consent (prompt) for all cookie usage within their web browser configuration, so a pop-up appears every time a cookie is about to be created or changed. My sources tell me this will very likely be the UK government's response to the EU Directive, namely to introduce a law which mandates placing instructions on the website explaining to users how to set their web browser to screen cookie usage.

Although I still very much doubt anyone would put up with nagging cookie pop-ups for long. At a talk on this, someone raised the point that their business still operated an old browser in which cookie consent couldn't be set. He said their business used a web browser that was several years out of date, as they feared newer browsers would break their internal web applications. My response: "Running really old web browser versions, due to out-of-date business web applications, points to a security hole. Specifically, it shows there is a patch management problem to be addressed. It's security 101 to ensure applications, especially web applications, are patched and kept up to date, while out-of-date web browsers (which are also applications) are at a much higher risk of being taken advantage of by malware. Nearly all newer versions of web browsers, whether Internet Explorer, Chrome or Firefox, come with many security and anti-malware features." This response brought applause in the room, which suggests a general consensus.

How to comply with EU Cookie Law and avoid Fines
The ICO will currently be satisfied if your business is preparing for the change in law on website cookie usage, and if your business makes an effort to inform consumers about your website's cookie usage. Therefore, at this time I advise the following approach in order to avoid fines and to prepare for compliance.

1. Conduct an audit of ALL cookie usage
This business-wide audit must cover all Internet facing websites and web applications. Record all cookie usage, including similar technologies like Flash cookies; ensure you detail how each cookie is technically being used by the website/web application, and log the type of information stored within the cookie file (on the consumer's local PC). Make sure you note any cookie usage connected with third-party advertisements, as these will be of the highest concern to the law makers.

2. If it exists, take a copy of the current website privacy and/or cookie statement.

3. Create (or update) the website privacy/cookie statement to include details of cookie usage. For example, review The Guardian newspaper's website cookie statement, which makes a good example covering most types of cookie usage - http://www.guardian.co.uk/help/privacy-policy#cookies

4. Make sure your privacy/cookie statement explains in plain English what a cookie actually is. http://www.allaboutcookies.org/

5. Provide instructions on how to switch on web browser cookie screening, covering all the major web browsers.
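Step 1's audit is the only step above that needs any tooling. As an added example (written for this post, not from the ICO or any product), the Go program below builds the inventory from the Set-Cookie headers captured while one page loads, recording for each cookie whether it is persistent, third-party, Secure and HttpOnly. The page, hosts and cookies are constructed, and the Purpose column is deliberately left for the site owner, since no tool can tell which cookies are "strictly necessary".

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Response is one HTTP response captured while a page loads: the URL fetched
// (the page itself or an embedded resource) and the headers that came back.
type Response struct {
	URL    string
	Header http.Header
}

// CookieRecord is one row of the cookie inventory that step 1 asks for.
type CookieRecord struct {
	SetBy      string        // host of the response that set the cookie
	Name       string
	Domain     string        // effective domain: Domain attribute, else SetBy
	Persistent bool          // has Expires/Max-Age, so it outlives the browser session
	Lifetime   time.Duration // zero for session cookies
	ThirdParty bool          // domain lies outside the audited page's own domain
	Secure     bool
	HTTPOnly   bool
	Purpose    string        // what it is for; only the site owner can fill this in
}

// sameSite reports whether domain is the page host itself or a parent of it.
func sameSite(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// AuditPage builds an inventory row for every cookie set during one page load;
// now is the audit time, used to decide whether an Expires date is still live.
func AuditPage(pageURL string, responses []Response, now time.Time) ([]CookieRecord, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var rows []CookieRecord
	for _, r := range responses {
		ru, err := url.Parse(r.URL)
		if err != nil {
			return nil, err
		}
		// net/http parses the Set-Cookie headers, including Expires and Max-Age.
		for _, c := range (&http.Response{Header: r.Header}).Cookies() {
			domain := strings.TrimPrefix(strings.ToLower(c.Domain), ".")
			if domain == "" {
				domain = ru.Hostname()
			}
			row := CookieRecord{
				SetBy: ru.Hostname(), Name: c.Name, Domain: domain,
				ThirdParty: !sameSite(page.Hostname(), domain),
				Secure:     c.Secure, HTTPOnly: c.HttpOnly,
				Purpose:    "TODO: site owner to document",
			}
			switch {
			case c.MaxAge > 0: // Max-Age takes precedence over Expires
				row.Persistent, row.Lifetime = true, time.Duration(c.MaxAge)*time.Second
			case c.Expires.After(now):
				row.Persistent, row.Lifetime = true, c.Expires.Sub(now)
			}
			rows = append(rows, row)
		}
	}
	return rows, nil
}

// Constructed sample: a page on a fictitious UK site plus an embedded advert
// from a fictitious ad network. Not captured from any real site.
var (
	samplePage      = "https://www.example.co.uk/"
	sampleNow       = time.Date(2011, 8, 23, 0, 0, 0, 0, time.UTC)
	sampleResponses = []Response{
		{URL: samplePage, Header: http.Header{"Set-Cookie": {
			"sessionid=abc123; Path=/; Secure; HttpOnly",
			"prefs=lang%3Den; Domain=.example.co.uk; Max-Age=31536000",
		}}},
		{URL: "https://ads.adnetwork-example.net/banner.js", Header: http.Header{"Set-Cookie": {
			"uid=tracker42; Domain=.adnetwork-example.net; Expires=Sat, 23 Aug 2014 00:00:00 GMT",
		}}},
	}
)

func main() {
	rows, err := AuditPage(samplePage, sampleResponses, sampleNow)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-9s set by %-26s domain=%-22s persistent=%-5v lifetime=%-10v third-party=%-5v secure=%-5v httponly=%v\n",
			r.Name, r.SetBy, r.Domain, r.Persistent, r.Lifetime, r.ThirdParty, r.Secure, r.HTTPOnly)
	}
}
```

Feed it the responses captured by a browser's developer tools or a proxy log for each page of the site, and the persistent and third-party rows are the ones to scrutinise first.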

So get the audit done and update your website privacy statement accordingly. After all, it shouldn't take too long, and it has a very low cost to deliver. It is the right thing to provide this type of information to your customers, plus it will protect your business from criticism and fines.

Finally, the last step is to wait until there is a further announcement by the UK government. I suggest not wasting any of your time and money trying to develop a cookie acceptance box for your website. The ICO website has such an acceptance tick box (http://www.ico.gov.uk/), however it is an epic fail, as you don't need to tick the ICO acceptance box in order to use the website!

How will the UK deal with "Consent"?
This is speculation, but to my knowledge none of the UK government agencies and departments involved with addressing the EU Directive are even considering a solution which involves the website/web application code blocking a cookie prior to a user accepting it. They view consent as providing clear information to users on cookie usage within websites, together with making web browser suppliers change default cookie settings. The International Chamber of Commerce is currently working on these solutions with the ICO.

http://www.international-chamber.co.uk/press/19-icc-uks-response-to-the-new-eu-e-privacy-directive 

http://www.international-chamber.co.uk/blog/2011/07/22/compliance-with-eprivacy-directive/

http://www.culture.gov.uk/news/news_stories/8052.aspx

"the Government has said it will work with browser manufacturers to see if browser setting can be enhanced to meet the requirements of the directive"

Friday, 17 June 2011

Security Breach Epidemic: Are we becoming Complacent about Security?

At the moment hardly a day goes by without a security breach making the news; even as I write this I am hearing the CIA website has been taken down by a 'Distributed Denial of Service' (DDoS) attack by LulzSec. These are unprecedented times, as we are seeing large corporations, government enforcement agencies, banks and even reputable IT security companies being successfully attacked, which goes to validate phrases I regularly use, such as 'there is no such thing as 100% security' and 'nothing can ever be considered secure'. My face always etches up with contempt when reading words like "this is a secure website". So what is going on, why are these breaches occurring now? Are these cyber attacks becoming cleverer and more sophisticated? Are such attacks going to continue? I'll endeavour to explore and answer these questions in this post.

Cyber attacks appear to have reached an epidemic scale, why?
Firstly we must take into account the public breach disclosure laws which have been introduced in recent years stateside. The majority of US businesses now have a legal obligation to publicly announce data breaches, so we are becoming aware of more data breaches than ever. In the past many data breaches were kept secret and we, the public, just never found out about them. This breach secrecy still exists in the UK today, where only public sector organisations have an obligation to disclose data breaches to the Information Commissioner's Office. And so the vast majority of UK private sector data breaches are still not making it into the media headlines, which is bad, as public data breach disclosure is an important driver for wholesale information security improvement, a subject I have already discussed in an earlier post: http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html

Secondly some of the groups behind these attacks, like Anonymous and LulzSec, are in the business of celebrating their attacks, promoting their organisation and particularly their ideology; these two groups really do see themselves as being righteous. To be honest I can’t help but smile when I visit the LulzSec website http://lulzsecurity.com/. Groups like these are claiming responsibility, and are even telling us in advance who they are going to attack next; LulzSec even asks for suggestions on who they should attack next. So when we are told they are going to attack an organisation that they have taken exception to, and that organisation’s website goes down the next day, it really leaves the target organisation with no option but to come clean to the world, and so it makes the media headlines even when no data loss has occurred. Normally such breaches wouldn’t be disclosed at all, and would be put down to a technical issue.


In recent years most high profile hacks have been for financial gain. Normally such hackers tend not to announce their accomplishments, as doing so significantly increases their chances of being caught by the authorities. These days cyber theft is dealt with pretty harshly by the law enforcement authorities, hackers that steal know this, and the last thing they tend to do is to tell anyone about their crimes. In fact these types of hackers tend to really distrust each other, they are fully aware that the US Secret Service disguise themselves as fellow hackers within the global underground communities they frequent, and so tend not to talk about their accomplishments.  If anything the best ‘black hat’ hackers go to great lengths to cover their tracks, a notice of breach makes it harder for them to sell their informational booty and can even decrease its value on the black markets. The best outcome for them is to sell on their stolen info well before the company becomes even aware of the security breach.

Credit Card Data presents the fastest way to 'Cash Out' with a Breach

Are cyber attacks becoming more sophisticated?
This is a question being frequently asked by the media at the moment. I would have to say the current wave of cyber attacks are in general not any more sophisticated than those of the past few years. By nature most of these attacks do have a certain level of sophistication to them, in that targets are being specifically selected, reconnaissance and research is being done, and some of the attacks have several stages to them, but hacking has always been this way. If you look at both the technical and human vulnerabilities these attacks are exploiting, I have to say we aren’t really seeing anything new with most of the recent breaches.


Recent Breaches:
RSA Breach – The hacker(s) targeted specific RSA staff with malware. Specifically sending targeted individuals crafted Emails (known as Spear Phishing) with a malware infected attachment, namely an Excel Spreadsheet which held a Flash executable, which in turn installed a piece of malware called Poison Ivy.  This provided a “way in” to the RSA internal network, and exploited a non-public (zero day) vulnerability, and as such was undetected by RSA’s malware prevention, but this attack also relied on the RSA employees opening the infected file, which in turn installed the malware.  The second stage of this attack, namely stealing RSA SecurID seed data, is probably a failing of not having adequate internal data protection, protecting what is very clearly high valued information, something I’m sure that has been rectified now.

Sony PSN Breach – Unpatched systems and poor system architecture led to this breach; this is really basic Security 101. Indeed many hobbyist hackers had been more than aware of Sony’s PSN weaknesses for years.

Barracuda Networks – Was the subject of a successful SQL Injection attack, which is an easy to fix web application vulnerability which has been known about for over 10 years. Considering Barracuda are in the business of providing Web Application Security solutions, this is particularly embarrassing for them. However credit where credit is due, they did a great job in publicly announcing their data breach, providing specific details of the attack. RSA and Sony should take note, as this is the right way to handle a data breach, namely being open and honest, as this increases general awareness and allows everyone to learn from the mistakes. http://www.barracudalabs.com/wordpress/index.php/2011/04/26/anatomy-of-a-sql-injection-attack/

Sony Pictures – Again, SQL Injection, an old Web Application vulnerability.

Citigroup – Customer account data theft; again this hack is said to have taken advantage of a well known web application vulnerability.

IMF – Subject of a “Spear Phishing” email attack.

Google – Account theft of high profile users, another Spear Phishing email attack.

CodeMasters – Personal info stolen via the website, through a well known web application vulnerability.

Lockheed Martin – Use of compromised RSA SecurID tokens. I don’t know all the details yet; I’m guessing there was a social engineering element to it.

Visa, the Spanish Police, US Senate & CIA websites all taken down – All done by Distributed Denial of Service (DDoS) attacks. According to LulzSec, the CIA website was taken down by a “very simple DoS packet flood”, which says it all.
DDoS Overview

If such organisations can be hit so hard with what most experienced security professionals would regard as fairly unsophisticated methods, it goes to highlight the fact that we all might be becoming too complacent about security. Especially considering most of these organisations are already security focused, this is a concern: what then of the less security focused organisations?

Security Complacency: Mice that stand still, get caught!
Security has always been a game of cat and mouse, with the good guys trying to stay one step ahead, trying to outwit the bad guys who are continually seeking ways to beat the security barriers placed in their way. Maybe we have reached a stage where we are standing still again, with too much patting ourselves on the back for a job well done. Perhaps we are becoming over arrogant and believing too much in vendor out-of-the-box solution promises, and relying too much on just best practices and information security standards. If we buy product x and follow what y says, we’re secure, job done? No, this is never the case. Information Security cannot be bought out of the box, nor can it be done properly by following a tick box approach to a list of requirements. All organisations are unique, as is the information flow within them, so the best practice and vendor glove will not fit. To avoid being frostbitten by data breaches, you need to knit your own information security glove to fit the organisation correctly, and its ever changing informational needs.

However securing large organisations with complicated and ever changing information flows, all occurring within a myriad of IT systems, is an extremely difficult task, and it will always be impossible to completely secure them. Replicating the hackers’ methods, specifically at the reconnaissance stage, which is namely trawling for the weak spots on a continuous basis, tends to be overlooked within industry best practices and regulatory requirements. Consider the highly regarded industry credit card security standard, PCI DSS, which regards as an acceptable level of security network vulnerability scans on a quarterly basis and once a year penetration tests against key web applications, but does not require any social engineering tests at all. Yet these practices, which are a direct replication of what the hackers do, need to be performed more frequently. IT systems rarely remain static, while new vulnerabilities come to light on a daily basis. We can take it as read that absolutely everything an organisation places on the Internet will be frequently checked for weaknesses by the bad guys, so you need to ask yourself why organisations aren’t checking for these weaknesses just as frequently, and fixing them before the bad guys get the opportunity to find and exploit them.

Becoming the Hacker is the Answer
In my view the best way to reduce the risk that external hacking presents, is to not only think like a hacker, but to actually act like a hacker. Until organisations adopt this kind of mindset and approach, instead of following security standards and purchasing out-of-the box security solutions like sheep, I think we are going to see plenty more hacking incidents and data breaches for some time to come yet.

Wednesday, 27 April 2011

PlayStation Hack: PSN Gamers Security Help

On 20th April 2011, without announcement Sony took down their online gaming network, the PlayStation Network (PSN), which is used by millions of gamers worldwide. I immediately suspected it was hacked, and my fears were confirmed by Sony, who stated between April 17 and 19, they suffered an “illegal and unauthorised intrusion”.   Sony also explained user account personal profile information ‘may’ have been compromised, which presents a major breach of personal information,  a real gold mine of black market personal information for use by identity thieves and card fraudsters.
PSN Profile Information at Risk
Full Name
Full home address
Email Address
Date of Birth
PlayStation ID
PlayStation Password
PlayStation Security Questions  & Answers (password reset)
Purchase History
Billing address
Credit Card Details

When a company uses the word “may” in reference to a data breach, it is always wise to assume the information has been stolen and is in the hands of the bad guys.

PSN Gamers Security Advice
1. Once the PlayStation Network comes back online, the first thing you must do is not play CoD or FIFA, but change your PSN password straight away.
2. Pay extra attention to transaction activity on the credit card linked to your PSN account. With data breaches of this nature, credit card data is the quickest to cash in and so typically is the first piece of information fraudsters exploit. If you have received an Email from Sony saying your account has been compromised, I suggest you play it safe, cancel and obtain a new credit card. If you do find the bad guys have been using your credit card, report it to your credit card company immediately; they will cancel your credit card and reissue you a new one, and you should be fully refunded for any fraudulent transactions made.
3. Be on the lookout for scam (phishing) Emails. By using your profile information, the bad guys can craft and send you fraudulent Emails which are highly personalised and so appear to be more genuine than normal spam Emails; this technique in the security business is known as Spear Phishing. For example they could use your full name and birth date to offer you a free birthday gift, perhaps a free PlayStation 3 game voucher, enticing you to click on a link to a website engineered to steal further credit card details. Always remember phishing Emails have either a greed element (i.e. you have won something or get something for free) or a fear element (i.e. your account security has been compromised), so do not implicitly trust any such Emails, even if they look like they come from Sony.
4. Passwords. If your PSN password is the same password as with any of your other online accounts, especially your Email account or online bank accounts, assume that this password is compromised and change those passwords right now.
5. The potential compromise of your security questions, which are used to reset your password, is particularly concerning, especially if you can’t remember what security questions Sony has used. Many of your other online accounts will use the same security questions and answers, and typically your date of birth, to reset your account password. Most websites will Email that password reset confirmation to your registered Email address, so be vigilant for password reset Emails, and if you use an online Email system like Gmail or Hotmail, ensure the password you use is a strong one and unique. If the bad guys compromise that Email account, they can use password resets to compromise many of your other accounts.


Thursday, 24 March 2011

RSA SecurID - What's the Risk?

This week there has been plenty of concern following RSA’s announcement about their two-factor authentication solution, SecurID, which was subjected to a sophisticated cyber attack.  A lot of people are asking for my views on the risk in continuing to use RSA SecurID following this attack, so I am going to attempt to explain this risk in simple terms, but it won’t be easy.

Facts
What are the facts? Well we simply don’t know exactly what has been stolen from RSA at present, as RSA aren’t providing details beyond “the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products”. However in Information Security we always hope for the best but prepare for the worst, and the worst case scenario is that all of the RSA SecurID private key (seed) records along with their corresponding serial numbers were stolen. http://www.rsa.com/node.aspx?id=3872

Stolen Seeds?
Every RSA SecurID has a unique 128 bit key hard-coded into it; a 128 bit number is a very long number, so it’s very hard to brute-force or guess what it is. This key is often referred to as the seed. RSA keep a copy of the seed unless the customer specifically tells them to remove it, and RSA’s storage of SecurID seeds is what is suspected to have been compromised. Each SecurID issued to a customer is associated with a customer based RSA SecurID Server, which stores the seed number. The seed is in essence a private key which must be kept secret, even from the user. It is used to generate the challenge response number on the SecurID token, and the same seed is used to match that number up on the SecurID Server.

In simple terms, if an attacker were to know which SecurID token you had, based on the serial number on the back or from the customer site database; and assuming the attacker had the stolen RSA database of serial numbers and seed numbers, the attacker could generate the SecurID number without having possession of SecurID token, which defeats the purpose of two factor authentication.

Big IFs
However there are many factors and ‘ifs’ in play. Even assuming the attacker had the full RSA SecurID database in their possession, to be fully successful the attacker would also need to obtain the username, password, remote gateway details and SecurID serial number. Most of this information would need to be collected from the user or from within the customer site. So phishing attacks, social engineering and network attacks are the most likely ways to obtain such information, which is why RSA is providing warnings to be on guard against such attacks.

More IFs
Now throw into the mix other best practice security controls, including one of the most significant, namely account lockout after failed attempts to prevent brute-forcing. We are talking pretty long grass in terms of risk. However risk means different things to different people; in my personal view, even in the worst case scenario I don’t think the risk is significantly high enough to consider switching off RSA SecurID remote access at present. That is as long as you have adopted a good set of information security best practices, and inform staff to be extra vigilant to phishing, social engineering and network attacks specifically targeting the RSA SecurID remote access.
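A simplified model of the seed-based verification and the lockout control described in this section, added here as an example; it is not RSA’s code or algorithm. The token code is derived as an HMAC-SHA1 of the seed and the time step (an assumed stand-in for the proprietary algorithm, sharing only the property that the code is a pure function of seed and time), and the serial number, seed values and clock value are constructed for the example.

```python
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 60   # the displayed code rolls over once a minute
CODE_DIGITS = 6
LOCKOUT_THRESHOLD = 3    # failed attempts allowed before the account locks


def token_code(seed: bytes, now: int) -> str:
    """Code shown on the token: a function of the secret seed and the time step only.
    HMAC-SHA1 truncation is an assumed stand-in; the real SecurID algorithm is
    proprietary, but shares this seed-plus-time property."""
    step = struct.pack(">Q", now // TIME_STEP_SECONDS)
    mac = hmac.new(seed, step, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class SecurIDServer:
    """Customer-site authentication server: holds one seed per token serial number."""

    def __init__(self, seeds_by_serial: dict):
        self._seeds = dict(seeds_by_serial)
        self._failures = {}
        self.locked = set()

    def verify(self, serial: str, code: str, now: int) -> bool:
        """Accept the code only if it matches and the account is not locked."""
        if serial in self.locked:
            return False
        seed = self._seeds.get(serial)
        if seed is not None and hmac.compare_digest(token_code(seed, now), code):
            self._failures[serial] = 0
            return True
        self._failures[serial] = self._failures.get(serial, 0) + 1
        if self._failures[serial] >= LOCKOUT_THRESHOLD:
            self.locked.add(serial)   # brute-forcing of the code stops here
        return False

    def replace_seed(self, serial: str, new_seed: bytes) -> None:
        """Re-seeding (or recalling) a token makes any stolen copy of its seed worthless."""
        self._seeds[serial] = new_seed
        self._failures[serial] = 0
        self.locked.discard(serial)


# Constructed sample data for the example: a token serial, its seed and a fixed clock.
SAMPLE_SERIAL = "000123456789"
SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
NOW = 1_300_000_000


def stolen_seed_logs_in(now: int = NOW) -> bool:
    """Worst case from the post: whoever holds the vendor's seed record and knows
    the serial number can compute the current code with no token in hand."""
    server = SecurIDServer({SAMPLE_SERIAL: SAMPLE_SEED})
    code_from_stolen_seed = token_code(SAMPLE_SEED, now)
    return server.verify(SAMPLE_SERIAL, code_from_stolen_seed, now)


def guessing_gets_locked_out(now: int = NOW) -> tuple:
    """Without the seed, guessing codes: returns (wrong attempts before lock,
    account locked?, correct code still accepted after lock?)."""
    server = SecurIDServer({SAMPLE_SERIAL: SAMPLE_SEED})
    real = int(token_code(SAMPLE_SEED, now))
    attempts = 0
    while SAMPLE_SERIAL not in server.locked:
        attempts += 1
        # guesses constructed so that each one differs from the real code
        wrong = f"{(real + attempts) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
        server.verify(SAMPLE_SERIAL, wrong, now)
    still_accepted = server.verify(SAMPLE_SERIAL, token_code(SAMPLE_SEED, now), now)
    return attempts, SAMPLE_SERIAL in server.locked, still_accepted


def reseed_defeats_stolen_copy(now: int = NOW) -> tuple:
    """Mitigation: once the token is re-seeded, a code computed from the stolen
    seed fails while the genuine (new) token still works."""
    server = SecurIDServer({SAMPLE_SERIAL: SAMPLE_SEED})
    before = server.verify(SAMPLE_SERIAL, token_code(SAMPLE_SEED, now), now)
    new_seed = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    server.replace_seed(SAMPLE_SERIAL, new_seed)
    stolen_after = server.verify(SAMPLE_SERIAL, token_code(SAMPLE_SEED, now), now)
    genuine_after = server.verify(SAMPLE_SERIAL, token_code(new_seed, now), now)
    return before, stolen_after, genuine_after


if __name__ == "__main__":
    print("stolen seed logs in:", stolen_seed_logs_in())
    print("(attempts, locked, accepted after lock):", guessing_gets_locked_out())
    print("(before, stolen after re-seed, genuine after):", reseed_defeats_stolen_copy())
```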

What Next?
Hopefully RSA will provide further details and end the speculation, but I think it is highly likely their copy of the SecurID seeds was stolen, although I think these seeds probably won’t be directly associated with a customer, but just with a serial number. I think we could see a very clever patch or a complete product recall of RSA SecurIDs in the near future. The latter would be quite something, as RSA SecurID is the industry leading two-factor token, with tens of millions in circulation.

Wednesday, 23 March 2011

Play.com Breach – Don’t Trust your Third Parties

Over the last couple of days many Play.com customers, including me, have received an Email informing them their personal information has been breached. This Email states “We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.” So personal details were stolen thanks to a security breach at Play.com’s third party service provider, namely a US based Email marketing company called SilverPop. Play.com sent the warning Email in response to an increase in malicious Emails being targeted at Play.com customers, which was first noticed on 20th March 2011. It is worth noting SilverPop was actually breached in December last year; this was the point at which the Play.com customer information was actually stolen, although neither Play.com nor SilverPop realised at the time that the data had been breached.


The Risk to Play.com Customers
The facts of this breach are that only Play.com customer names and Email addresses were stolen, so the more important information such as credit/debit card information and Play.com usernames and passwords has not been compromised, as thankfully Play.com didn’t share such information with SilverPop. It seems pretty clear to me that the bad guys who stole this information sold it on for exploitation by spammers and phishers. Therefore the advice to Play.com customers is to be extra vigilant for phishing Emails. There have been several reports of spam Email originating from play@fakedomain.com addresses (obviously with different fake domain names). Always remember Play.com will never ask you for your username and password by Email or by phone, and I would also advise never to click any links within Emails which seemingly originate from Play.com; only log in directly on the website by typing in the URL. If you do receive any dodgy Emails, forward them on to privacy@play.com

The “Third Party lesson” to Business
I don’t want to give Play.com a hard time as when it comes to information security they aren’t too shabby, especially compared to other merchants which operate in the same marketplace. But in their statement it states “Please be assured this issue has occurred outside of Play.com”, well I am not assured at all. The “Data Controller”, which is Play.com, is the company that collected the information in the first place, and so is at fault. Play.com has a legal obligation to protect the personal information they have collected from us, which includes the sharing of such information with third parties.  In this case I guess Play.com didn’t place a high enough value on the information it was sharing with its third parties,  even though a list of Names with Email addresses all associated with a single merchant website carries a decent value on the black market. Again I’m speculating, but if this type of information didn’t have a high value placed on it by the business, unlike the credit card data in their care, then it is easy to expect the controls and management around sharing it with third parties to be lax.

Sharing personal or other sensitive information with third parties carries a risk for which the business is responsible, and as such it needs to be adequately controlled. Before sharing such information with any third parties, the business is supposed to fully assess its third party service providers, to ensure they are capable of protecting the information to the same level as the business itself, as well as to legal requirements. Interestingly the SilverPop third party is based in the United States, where the levels of personal data protection don’t match up to the stricter European standards. Information Security due diligence needs to be performed prior to accepting a third party’s services where information is intended to be shared. This assessment needs to be more than just sending the third party a security questionnaire to complete, but an actual on site assessment by a person with an appropriate level of expertise, even an independently appointed third party assessor if need be. People tend to provide the answers you want to hear in questionnaires; making the effort to go to the site and ask your information security questions face-to-face provides a much greater understanding of your third party’s approach to protecting the information you intend to share with them.

Third Party Assessing & Contracts
To ensure third parties continue to observe the level of information security desired, the business must hold them to account in a business contract, with stiff penalties for breaching the contract. This should include the right to audit the third party on site; these measures provide an incentive to the third party to keep information security ship-shape. Don’t forget to pass on any breach costs within the contract as well, as personal data breach legal fines in the UK can reach up to £500K, while industry regulatory fines can be even higher; without contractual coverage you can’t pass on those fines to a third party. While talking about contracts, it is good to add a clause which compels the third party to report any security incidents involving the business data, and furthermore to add the right to conduct an onsite forensics investigation at the third party site should a data breach occur. If you can’t get a third party to sign up to such clauses in a contract, it is a clear indication the third party’s information security isn’t up to scratch, as the third party business mustn’t have any confidence in their own information security.

Original Play.com Customer Breach Notification Email

Dear Customer,

Email Security Message

We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

We take privacy and security very seriously and ensure all sensitive customer data is protected.  Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.

Customer Advice

Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.

Thank you for continuing to shop at Play.com and we look forward to serving you in the future.

Play.com Customer Service Team


Follow Up Play.com Customer Breach Notification Email

Dear Customer,

As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.

We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.

Tuesday, 8 March 2011

EU Cookie Wars: The Nanny State Vs Common Sense

From May this year (2011), the EU are set to introduce a new law to safeguard our privacy, but this law could mean the majority of websites you visit must 'explicitly request' your permission to use a cookie, this could mean a lot of needless pop-up boxes.


EU Directive 2002/22/EC (See 66) st03674.en09.pdf 

What is a Cookie?
Most websites use a “cookie”, which is essentially a file holding a small amount of text within it; this file is stored locally on your PC. This simple text file (cookie) is actually really important for websites to operate efficiently; amongst other things the cookie is used to identify you as an individual on the website. For instance the cookie is used to keep you logged into the website and to provide access to specific information meant only for you. By their nature cookies tend to provide the ability to track what you have done on any given website, which again is important for the website to work effectively; however this tracking can also be used to capture your web surfing habits. Such user tracking information is sometimes automatically used to target specific types of advertising to you within certain websites. This is fundamentally what the EU has a problem with; I guess they want this process to be more transparent to the end user.
Flaky Law
Although the EU agreed their law last year, it’s all still a bit ‘flaky’. Aside from the EU law not being specific enough about how they want each member state to enforce their directive, the UK government, who were generally fighting against the directive, have not really decided how they want to interpret the directive for the UK market, even though the deadline for enforcement is only a few weeks away. Oddly the Department for Culture Media and Sport (DCMS) is supposed to be leading the implementation of this EU directive in the UK. But with just weeks to go there is no sign of any guidance, so I asked the DCMS today for an update. The DCMS promptly forwarded me to an Information Commissioner’s Office (ICO) statement which was released today about this subject. However the ICO statement provides no practical advice on how UK businesses should meet the EU Cookie directive requirements, and the statement goes on to say the ICO won’t be enforcing it until they do work out what to do.

ICO Statement
data_protection_officer_conference_news_release_08032011

What a Shambles
This law is supposed to come into force in May, yet the UK government, through the DCMS and ICO, just don’t have a clue, and are not providing any practical advice on what UK businesses should be planning for in order to comply; it’s a complete shambles. If they want the “Cookie pop-up accept box” to appear on pretty much all business websites, as the EU appears to be suggesting, don’t they realise it is going to take time for businesses to develop and implement it? I doubt this will happen in my view, as I cannot see that UK consumers will tolerate such an inconvenient trade-off for what is a lost privacy battle.

Back off Brussels
Don’t get me wrong, I think the “Data Protection” of our personal information is still essential to have, and I do understand where the EU is coming from with this, but I’m afraid to say they are out of touch with the reality on the ground. They are actually suggesting a web browser pop-up box before accessing each website aids privacy; seemingly this pop-up box would ask permission from the user to use a “cookie” before allowing access to the website. We’ve seen this all before with Microsoft’s failed approach to security in Windows: crying wolf by presenting pop-up security boxes too many times is actually detrimental to good security, as users just blindly click “Yes” and continue. So what’s the point? Users who care about privacy can just set an option in their favourite web browser to present an “accept cookie” pop-up box anyway, and furthermore this will work on all websites. Actually it would make more sense to mandate the law through default web browser settings rather than through individual websites, but hey, that’s just not the common sense solution a non-technical politician would think of.

I think the EU folk behind this directive need to wake up and accept the Internet privacy horse has long bolted when it comes down to EU citizen privacy online. The majority of people simply do not care about their own personal privacy online to the same extent as the EU fuddy-duddies would like to think; testament to this is the popularity of Facebook. Millions of people are posting personal images and messages knowingly; these days most people do actually understand and accept Facebook owns their posted information, especially the younger generation. Or is the EU suggesting people aren’t grown up enough or are just too thick to understand? Do we really need more nanny state laws? Back off Brussels!


If the EU were actually serious about the protection of their citizens’ personal information, they should look further beyond the website, and take a closer look at the actual business operations: not just how the personal information is harvested, but how the information is held, shared and exploited by some businesses. The biggest problem today is still that too many businesses are doing a poor job at actually protecting the personal information in their care. The biggest problem is not businesses advertising services based on their customer needs, which after all is just a normal business practice, isn’t it?

Thursday, 17 February 2011

The Spy Next Door: Stealing your life for £44

How easy can it be to steal your life?  For less than 44 quid is it possible to steal your bank account username, password and bank account security questions? For less than 44 quid is it possible to harvest your credit card details, including your credit card security code and Verified by Visa or MasterCard SecureCode password? Is it possible to read your private Emails and access your Email account?  Is it possible to monitor all your private web surfing habits and instant messenger conversations, and obtain your username and passwords for all your websites?
Well for £43.83 all this is possible by using the Spy Cobra USB drive. Once plugged into your Windows PC, it installs a hidden monitoring application in less than 20 seconds, after which the drive can be removed. From that point on every single key stroke is recorded, it records all websites visited and it even takes screenshots of what is displayed on the screen, storing these screenshots at regular intervals. The device even encrypts the information it stores locally on the drive, so you can’t tell what is being stolen.
All a perpetrator needs to do is to plug the Spy Cobra USB device into your PC, and return at a later date to collect your most important personal information which it has harvested from your PC, information which can be truly life stealing from an identity thief’s perspective. You might think twice about allowing that friend or neighbour to use your home PC, or even leaving folk unattended in the presence of your PC while it is still logged on.

In the past I created such devices, however I found most Anti-Virus protection eventually caught up and stopped it from working. This is a good reason to keep your anti-virus up-to-date, while disabling media auto-run within Windows can also help defend against similar spy USB devices installing automatically. However looking at the way the Spy Cobra installs its spyware payload, I think it is likely it will not be detected by most Anti-Virus at present; this is something I will be researching further and reporting back on.
Hardware Key Logger

There are also hardware-based keystroke recorders available for anyone to buy openly in the UK, which most anti-virus applications can never detect. For the same £44 price as the Spy Cobra you could purchase the LM Technologies USB Keyboard Logger (see picture above). This ‘hardware’ key logger fits snugly between the keyboard and the PC’s USB connection, and will record weeks of your keystrokes. Hardware key loggers like this don’t require the computer to be in use, or even switched on, to be installed, and often go undetected by the operating system and anti-virus. Furthermore these devices are very difficult to spot: when was the last time you checked the keyboard cable going into the back of your PC?

Only two days ago, at libraries just around the corner from the Information Commissioner's Office in Wilmslow, hardware keyloggers were found attached to publicly used computers; no doubt the bad guys were trying to steal credit card and bank account credentials. http://www.theregister.co.uk/2011/02/15/hardware_keyloggers_manchester_libraries/

Friday, 28 January 2011

Andy Gray & Richard Keys Sky Sports Data Breach

First of all let me just stress I certainly do not approve of any of the sexist remarks made by Andy Gray and Richard Keys on Sky Sports last weekend (21st Jan 11). I have been watching live football nearly all my life and I have seen some really bad football officials in my time. I really don’t care about a football official’s gender, as long as they are the best officials for the job. Believe it or not, Premier League officials are ruthlessly vetted and monitored to ensure they are the best of the best. Indeed it is said women are better at multi-tasking than men; that may be considered a sexist remark in itself, but if this were true, then ladies are going to make better ‘lines-people’ than men. Anyone who’s tried being a linesman will know it is about monitoring several things at the same time; I can tell you it’s not an easy job.

Anyway, what business has the dismissal of Andy Gray and the resignation of Richard Keys from Sky Sports got to do with a ‘Security’ Blog? Well actually a lot, as something important has been missed by the media, probably because the media actually played a hand in this ‘something’ occurring in the first place. The mystical something at the centre of the whole story is a breach of Sky’s information security. An insider at Sky has stolen Sky company information, namely a private recording of their football commentators, and then either passed or, more likely, sold it to a newspaper for personal profit. I don’t know whether the recording was actually sold or not, but it’s fair to assume it was, as no one is saying otherwise. If the stolen recording was sold for personal profit rather than being a whistle-blowing exercise, then it really puts a whole new sinister slant on the whole affair. The ethics of it become even murkier when you consider the current fallout from the UK media’s involvement in phone hacking celebrities and politicians.

Thought Police
Personal privacy in the workplace also comes into play. Andy Gray and Richard Keys did not make their sexist remarks on air to the public, but in a seemingly private conversation. However, this conversation did occur ‘in the workplace’, and there are workplace discrimination laws against the use of such language. But it appears the Sky Sports commentators were unaware their conversation was being recorded. Look at it this way: I am sure the average office worker would deem it completely unacceptable to be recorded in their workplace, especially if those recordings were secretly analysed and then used against them. Their private comments were wrong, but I really doubt everyone is perfect in this day and age; even an innocent phrase you really don’t fully understand can turn out to be offensive to someone. I remember many years ago being told off for using the phrase “brain-storming”, as it is a term which is offensive to people with mental disabilities. The choppy waters of political correctness, the right to freedom of speech and the ‘Thought Police’ are certainly full of pitfalls, and really bring into question how we define individuals’ privacy rights; it is starting to feel a little too Orwellian 1984 to me. I am sure Sky, like most large UK-based companies, provides all their staff with regular discrimination-in-the-workplace training, so you could say the commentators should have known better, but to be balanced, I am sure Sky also has a whistle-blowing and employee grievance process as well.

I think this whole affair is politically charged, as in the background we have Rupert Murdoch’s media empire’s intended takeover of Sky, so it is not surprising Richard Keys said “dark forces” were at work.
The Inside Threat Lesson
The lesson for a security professional is that hackers may well get all the limelight and write the media headlines, but in 2011 the greater security threat to a business comes from the inside. Whether a disgruntled employee, or an information-thief employee out to make a quick buck, these are the everyday threats. Yet many companies continue to pay the price for these types of insider breaches, either by burying their heads in the sand and ignoring the problem, or by not having the clarity to understand how to mitigate the risks their own employees create. Just consider for a minute: when you left your last job, did you take any company confidential information with you? Most employees steal company confidential information, especially just before leaving the company (http://www.pcworld.com/businesscenter/article/160041/nearly_twothirds_of_exemployees_steal_data_on_the_way_out.html). Yet many companies continue to ignore or tolerate this. This is bad business practice in the information age, as company information is a business asset; it has a real value to the business, therefore it needs to be protected, and it can actually be protected.

Tuesday, 25 January 2011

Lush Credit Card Data Breach

Before I go into my thoughts on the recent Lush website credit card data breach, I have some important advice to all Lush online customers. If you have bought anything from the www.lush.co.uk website between October 2010 and January 2011, and even if you think your credit or debit card hasn’t been fraudulently used, you must consider your credit or debit card to be compromised, so cancel your card and have it replaced. Also note this breach does not affect anyone who used credit or debit cards over the counter at Lush shops, as it’s an entirely different payment system.
When Lush announced their website, www.lush.co.uk, had been successfully hacked last week (21 Jan 11), leading to thousands of their customers’ credit card details being stolen, I was genuinely surprised. I wasn’t surprised that yet another UK online business had completely shirked their responsibilities by not properly protecting their customers’ information, neglecting one of the most basic web application security vulnerabilities and their compliance with the Payment Card Industry Data Security Standard (PCI DSS). What surprised me was that, unlike the other 99 in 100 UK companies that get successfully breached with such attacks, Lush decided to tell the world about their negligence. Yes, Lush in my view were most certainly negligent, as the SQL injection web application vulnerability which is very likely to have led to the theft of their customer card details is a vulnerability which has been around for over a decade. Negligent because, had Lush been PCI DSS compliant, as they are required to be when accepting payments online, or even made a decent effort to become PCI DSS compliant, then such a simple web application vulnerability would almost certainly have been weeded out.
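The decade-old flaw referred to above, SQL injection, shown as an added example that is not code from Lush’s site or from this blog: a shop’s order lookup that concatenates user input into the query, beside the parameterised version that PCI DSS-style secure coding expects. The orders table, its columns and the card numbers are constructed test data held in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data in the shape a shop site might keep. PCI DSS
# requires stored PANs to be protected and forbids storing the card
# security code after authorisation; this table exists only to show what
# an injection against a careless query can pull out.
SAMPLE_ORDERS = [
    ("A1001", "alice@example.com", "4111111111111111"),
    ("A1002", "bob@example.com", "5555555555554444"),
]

# A crafted order reference: the quote closes the string literal and the
# OR clause makes the WHERE condition true for every row.
INJECTED_REF = "x' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (ref TEXT, email TEXT, pan TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, order_ref):
    # The defect: user input becomes part of the SQL text, so quote
    # characters in the input change the meaning of the statement.
    sql = "SELECT ref, email, pan FROM orders WHERE ref = '" + order_ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, order_ref):
    # Parameterised query: the value travels separately from the statement
    # and is only ever compared as a literal string, never parsed as SQL.
    sql = "SELECT ref, email, pan FROM orders WHERE ref = ?"
    return conn.execute(sql, (order_ref,)).fetchall()


def mask_pan(pan):
    # PCI DSS requirement 3.3: display no more than the last four digits
    # (first six and last four at most) of a PAN.
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    db = make_db()
    leaked = lookup_vulnerable(db, INJECTED_REF)
    print("vulnerable returned", len(leaked), "rows:", [(r, e, mask_pan(p)) for r, e, p in leaked])
    print("safe returned", len(lookup_safe(db, INJECTED_REF)), "rows")
```

The same crafted input returns every customer’s card from the vulnerable lookup and nothing from the parameterised one, which is exactly the control a PCI DSS code review or web application scan is meant to confirm.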

Many within the payment card industry would consider Lush naive in announcing their breach publicly, as they really don't have to; even Visa and MasterCard dislike the bad publicity that public disclosure of payment card breaches brings to their brands. This is precisely why the vast majority of credit card breaches in the UK are not publicly known about; typically only the ones in the public sector make the news. Perhaps Lush had been misadvised, but I actually applaud such public announcements, as I strongly believe publicising such breaches is the best way to raise awareness and to ensure others can be educated by the mistakes, as these mistakes are being repeated over and over.
However, Lush’s breach announcement leaves me with a real bad bath bomb taste in my mouth, and not because their language is so cheery, which would personally really annoy me if they were responsible for compromising my credit card, causing needless stress and inconvenience, and possibly even financial loss. It wasn’t that; it was their direct message to the hacker responsible, which they posted on their website. This message was nothing less than a pat on the back to the criminal responsible for the data theft. It certainly doesn’t take a formidable hacker to take advantage of weak web application security; in fact any semi-IT-literate schoolboy is capable. For me the blame lies a lot more with Lush than with their hacker. For instance, if I left my car keys in my unlocked car on a public street and my car got stolen, my insurance company wouldn’t pay out a penny, while the police would almost certainly point the finger of blame at me. Same thing here: if you don’t securely code your web application (website) and do not follow the PCI DSS requirements (yes, PCI DSS is mandatory for any business accepting card payments), then just like the car with the keys left in the ignition, it is pretty clear where the fault and blame lies.

Perhaps Lush won’t be so cheery when they assess how much this breach will cost their business. Aside from the loss of customer trust, they will be facing fines which will include the cost of replacing their customers’ stolen credit cards, forensic investigations and an independent PCI DSS Level 1 assessment. In the meantime Lush will be outsourcing all of their online payments to PayPal, which will make credit card payments online with Lush safe, assuming you are willing to take your business to them.