Thursday 24 March 2011

RSA SecurID - What's the Risk?

This week there has been plenty of concern following RSA’s announcement about their two-factor authentication solution, SecurID, which was subjected to a sophisticated cyber attack.  A lot of people are asking for my views on the risk in continuing to use RSA SecurID following this attack, so I am going to attempt to explain this risk in simple terms, but it won’t be easy.

Facts
What are the facts? Well we simply don’t know exactly what has been stolen from RSA at present, as RSA aren’t providing details beyond “the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products”. However in Information Security we always hope for the best but prepare for the worst, the worst case scenario is all of the RSA SecurID private keys (seeds) records along with corresponding serial numbers were stolen. http://www.rsa.com/node.aspx?id=3872

Stolen Seeds?
Every RSA SecurID has a unique 128 bit key hardware coded into it, a 128 bit number is very long number, so it’s very hard to brute-force/guess what it is. This key is often referred to as the seed. RSA keep a copy of the seed unless the customer specifically tells them to remove it, RSA’s storage of SecurID seeds is what is suspected to have been compromised. Each SecurID issued to a customer is associated with a customer based RSA SecurID Server, which stores the seed number.  The seed is in essence a private key which must be kept secret, even from the user, and is used to generate the challenge response number on the SecurID token, and is used to match it up on SecurID Server.

In simple terms, if an attacker were to know which SecurID token you had, based on the serial number on the back or from the customer site database; and assuming the attacker had the stolen RSA database of serial numbers and seed numbers, the attacker could generate the SecurID number without having possession of SecurID token, which defeats the purpose of two factor authentication.

Big IFs
However they are many factors and ‘ifs’ in play, assuming the attacker had the full RSA SecurID database in their possession, to be fully successful the attacker would need to obtain the username, password, remote gateway details and SecurID serial number. Most of this information would need to be collected from the user or from within the customer site. So phishing attacks, social engineering and network attacks are most likely ways to obtain such information, which is why RSA is providing warnings to be on the guard with such attacks.

More IFs
Now throw into the mix other best practice security controls, including one of the most significant, namely account lockout after fail attempts to prevent brute-forcing.  We are talking pretty long grass in terms of risk.  However risk means different things to different people, in my personal view, in the worst case scenario I don’t think the risk is significantly high enough to consider switching off RSA SecurID remote access at present. That is as long as you have adopted a good set of information security best practices, and inform staff to be extra vigilant to phishing, social engineering and network attacks specifically targeting the RSA SecurID remote access.
What Next?
Hopefully RSA will provide further details and end the speculation, but I think it is highly likely their copy of SecurID seeds were stolen, although I think these seeds probably won’t be directly associated with a customer, but just by serial number.  I think we could see a very clever patch or a complete product recall on RSA SecurIDs in the near future. The latter would be something as RSA SecurID is the industry leading two-factor token, with tens of millions in circulation.

Wednesday 23 March 2011

Play.com Breach – Don’t Trust your Third Parties

Over the last couple of days many Play.com customers have received an Email, informing them their personal information has been breached, including me. This Email states “We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.” So personal details were stolen thanks to a security breach at Play.com’s third party service provider, namely a US based marketing company called SilverPop.  Play.com sent the warning Email in response to an increase in malicious Emails being targeted at Play.com customers, this was first noticed on 20th March 2011.  It is worth noting SilverPop, actually a US based Email marketing company, was breached in December last year; this was the point which the Play.com customer information was actually stolen, although Play.com nor SilverPop failed to realised the data was breached at the time.


The Risk to Play.com Customers
The facts of this breach is only Play.com customer names and Email addresses were stolen, so the more important information such as credit/debit card information and Play.com usernames and passwords have not been compromised, as thankfully Play.com didn’t share such information with SilverPop.  It seems pretty clear to me that the bad guys who stole this information sold it on for exploitation by Spammers and Phishers. Therefore the advice to Play.com customers is to be extra vigilant for phishing Emails. There have been several reports of Spam Email originating from play@fakedomain.com addresses (obviously with different fake domain names).  Always remember Play.com will never ask you for your username and password by Email or by phone, and I would also advise never to click any links within Emails which seemingly originate from Play.com, only login directly on the website by typing in the URL. If you do receive any dodgy Emails forward them on to privacy@play.com

The “Third Party lesson” to Business
I don’t want to give Play.com a hard time as when it comes to information security they aren’t too shabby, especially compared to other merchants which operate in the same marketplace. But in their statement it states “Please be assured this issue has occurred outside of Play.com”, well I am not assured at all. The “Data Controller”, which is Play.com, is the company that collected the information in the first place, and so is at fault. Play.com has a legal obligation to protect the personal information they have collected from us, which includes the sharing of such information with third parties.  In this case I guess Play.com didn’t place a high enough value on the information it was sharing with its third parties,  even though a list of Names with Email addresses all associated with a single merchant website carries a decent value on the black market. Again I’m speculating, but if this type of information didn’t have a high value placed on it by the business, unlike the credit card data in their care, then it is easy to expect the controls and management around sharing it with third parties to be lax.

Sharing personal or other sensitive information with third parties carries a risk to which the business is responsible, and as such needs to be adequately controlled. Before sharing such information with any third parties, the business is suppose to fully assess their third parties service providers, to ensure they are capable of protecting the information to the same level as their own business as well as to legal requirements. Interestingly the SilverPop third party is based in the United States, where the same levels of personal data protection don’t match up to stricter European standards.  Information Security due diligence needs to be performed prior to accepting a third party services to which information is intended to be shared. This assessment needs to be more than just sending the third party a security questionnaire to complete, but an actual on site assessment by a person with an appropriate level of expertise, even an independent appointed third party assessor if need be. People tend to provide the answers you want to hear in questionnaires, making the effort and going to the site and asking your information security questions face-to-face provides a much greater understanding of your third parties approach to protecting the information you intend to share with them.

Third Party Assessing & Contracts
To ensure third parties continue to obverse the level of information security desired, the business must hold them to account in a business contract, with stiff penalties for breaching the contract. This should include the right to onsite audit the third party; these measures provide incentive to the third party to keep information security ship-shape. Don’t forget to pass on any breach costs within the contract as well, as personal data breach legal fines in the UK can reach up to £500K, while industry regulatory fines can even be higher, without contractual coverage you can’t pass on those fines to a third party.  While talking about contracts, it is good to add a clause which compels the third party to report any security incidents involving the business data, furthermore add the right to conduct an onsite forensics investigation at the third party site should a data breach occur. If you can’t get a third party to sign up to such clauses in a contract, it is a clear indication the third party’s information security isn’t up to scratch, as the third party business mustn’t have any confidence in their own information security.

Original Play.com Customer Breach Notification Email

Dear Customer,

Email Security Message

We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

We take privacy and security very seriously and ensure all sensitive customer data is protected.  Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.

Customer Advice

Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.

Thank you for continuing to shop at Play.com and we look forward to serving you in the future.

Play.com Customer Service Team


Follow Up Play.com Customer Breach Notification Email

Dear Customer,

As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps.

We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue .

Tuesday 8 March 2011

EU Cookie Wars: The Nanny State Vs Common Sense

From May this year (2011), the EU are set to introduce a new law to safeguard our privacy, but this law could mean the majority of websites you visit must 'explicitly request' your permission to use a cookie, this could mean a lot of needless pop-up boxes.


EU Directive 2002/22/EC (See 66) st03674.en09.pdf 

What is a Cookie?
Most websites use a “cookie”, which is essentially a file holding a small amount of text within it, this file is locally stored on your PC. This simple text file (cookie) is actually really important for websites to operate efficiently, amongst things the cookie is used to identify you as an individual on the website. For instance the cookie is used to keep you logged into the website and to provide access to specific information meant only for you. By their nature cookies tend to provide the ability to track what you have done on any given website, which again is important for the website to work effectively, however this tracking can also be used to capture your web surfing habits. Such user tracking information is sometimes automatically used to target specific types of advertising to you within certain websites, this is fundamentally what the EU has a problem with, I guess they want this process to be more transparent to the end user.
Flaky Law
Although the EU agreed their law last year, it’s all still a bit ‘flaky’, aside from the EU law not being specific enough about how they want each member state to enforce their directive, the UK government, who were generally fighting against the directive, have not really decided how they what to interpret the directive for the UK market, even though the deadline for enforcement is only few weeks away. Oddly the Department for Culture Media and Sport (DCMS) is supposed to be leading the implementation of this EU directive in the UK. But with just weeks to go there is no sign of any guidance, so I asked the DCMS today for an update.  The DCMS promptly forwarded me to an Information Commissioners Office (ICO) statement which was released today about this subject. However the ICO statement provides no practical advice on how UK businesses should meet the EU Cookie directive requirements, and the statement goes on to say the ICO won’t be enforcing it until they do work out what to do.

ICO Statement
data_protection_officer_conference_news_release_08032011

What a Shambles
This law is suppose to come into force in May, yet the UK government through the DCMS and ICO, just don’t have a clue, and are not providing any practical advice to what UK businesses should be planning for in order to comply, it’s a complete shambles.  If they want the “Cookie pop-up accept  box” to appear on pretty much all business websites as the EU appears to be suggesting, don’t they realise it is going to take time for businesses to develop and implement. I doubt if this will happen in my view, as I cannot see that UK consumers will tolerate such an inconvenient trade off for what is a lost privacy battle.

Back off Brussels
Don’t get me wrong, I think the “Data Protection” of our personal information is still essential to have, and I do understand where the EU is coming from with this, but I’m afraid to say they are out of touch with the reality on the ground. They are actually suggesting a web browser pop-up box before accessing each website aids privacy; seemingly this pop-up box would ask permission from the user to use a “cookie” before allowing access to the website.  We’ve seen this all before with Microsoft’s failed approach to Security in Windows, crying wolf in presenting pop-up security boxes too many times is actually detriment to good security, as users just blindly click “Yes” and continue.  So what’s the point, users who care about privacy can just set an option in their favourite web browser to present a “accept” cookie pop-up box anyway, further this will work on all websites. Actually it would make more sense to mandate the law through default web browser settings rather than through individual websites, but hey that’s just not the common sense solution a non-technical politician would think of.

I think the EU folk behind this directive need to wake up and accept the Internet privacy horse has long bolted when comes down to EU citizen privacy online.  The majority of people simply do not care about their own personal privacy online to the same extend as the EU fuddy-duddies would like to think, testament to this is the popularity of Facebook. Millions of people are posting personal images and messages knowingly, these days most do people do actually understand and accept Facebook owns their posted information, especially the younger generation, or is the EU suggesting people aren’t grown up enough or are just too thick to understand, do we really need more nanny state laws, back off Brussels!


If the EU were actually serious about the protection of their citizen’s personal information, they should look further beyond the website, and take a closer look at the actual business operations, not just how the personal information is harvested, but how the information is held, shared and exploited by some businesses, but the biggest problem today is still too many businesses are doing a poor job at actually protecting the personal information in their care. The biggest problem is not businesses advertising services based on their customer needs, which after all is just a normal business practice, isn’t it?