Thursday 19 June 2008

MoD Data Breaches & the Human Security Element

In the last few days we have seen a glut of data breaches by the Ministry of Defence and the UK Government, all involving employees leaving highly sensitive and top secret documents on trains. These documents included details about terrorists, wars and organised crime. When analysing these separate cases it is clear the documents in each breach should not have been removed from their secure environments by the employees in the first place, let alone left in a public environment.

These breaches are classic examples of the internal human data breach, and show that even the most security conscious bodies, such as the Ministry of Defence, are always struggling to deal with and contain the human security factor. Sooner or later in the process, security tends to be reliant on a human being. Securing the human interaction is extremely difficult and expensive, and can also introduce highly inconvenient trade-offs, especially when it comes to preventing the removal of physical documents from a site. Even drilling security awareness into staff offers little guarantee, as there are always individuals who either don't grasp the importance of the message or don't share the organisation's appetite for risk. If you think about it, there are just some people in our society who are naturally big risk takers. I'm talking about those people who strap elastic bands to their feet and jump off cliffs, or that boy racer driving a Vauxhall Nova 1.0 who insists on barely overtaking you on a busy single carriageway in the face of oncoming traffic, and pretty much anyone who rides a 500cc+ motorcycle.

Part of the security defence against the human element is having a deterrent. In each of these recent cases we know the employee in question has been suspended (likely pending firing). I'm sure the deterrent in these organisations is well known; if you work for the MoD and are responsible for a serious data breach, I know your MoD career is pretty much over. But this only goes to prove deterrent is not enough, as a deterrent can't physically prevent someone from making the decision and walking off site with the secret docs.

There are always security measures that can be introduced to prevent these particular actions, such as restricting sensitive documents to a need-to-know basis. But we must accept that taking risks and bad judgement are just part of the human condition, and will always be an insoluble security problem facing any organisation, because you simply cannot take the human element out of the equation, and there is always a point when applying security measures where the cost and trade-offs become too great.

Wednesday 11 June 2008

Cotton Traders: Where’s the PCI DSS Compliance?

A couple of days ago a Manchester online clothing business, Cotton Traders, announced a data breach, which was brought about by a web application level "hack" on their website. The breach resulted in the compromise of customer personal details and credit card details. The Cotton Traders data breach underlines two significant issues in the UK: one is the lack of UK breach disclosure laws, and the other is that companies are still avoiding or ignoring PCI DSS Compliance.

Lack of Disclosure
Although the breach was announced yesterday, it actually occurred way back in January 2008 and was supposed to be fixed in a matter of hours, so there was no reason to keep it from the public right after the breach occurred. That's 6 months after the breach that it was announced to the public; don't we have a right to know? What's more, there has been a lot of smoke and mirrors about this data breach: in one statement it's 38,000 credit card details that were stolen, in another statement it was just one credit card, then in another it was only customer names and addresses. This is pretty bad considering they had six months to figure out what went on and how. Why can't they provide the clear facts of the matter? The upshot is the public can't be certain what data (especially if it is their own) was compromised.

Furthermore there are no actual details of the cause of the breach; although it does appear to be an attack at the web application layer, I'd wager it was an SQL Injection attack. Whatever the type of the successful web application attack was, the real cause of the breach is not just the hacker, but Cotton Traders' bad web application (web site) code and/or poor web site hosting. Think about it: if you left the windows of your house open before going on a two week holiday and then returned to find it burgled, you'd rightly blame yourself for not taking the security of your home seriously enough. The same applies to companies writing web application code and hosting web applications.

Another example of the smoke and mirrors is Cotton Traders stating “all of its customers' credit card information was encrypted on the website”, which is misleading, as this web application breach is not about the web site using session encryption (https), but whether the card details are encrypted on the backend database, and the specific type of encryption employed on the card storage and the process around it (key management). Far too often companies think they can use “it was encrypted” as a kind of get out of jail card, without telling the public the actual details of the encryption used. Encryption is not the magic security bullet! For example, using an https (encrypted) web session offers very little protection against a web application level attack, which is against the web site code and the backend database.
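An added example, not part of the original post and not Cotton Traders' code: it shows why an https session does nothing for a flaw in the site's own query code, and why what is held in the backend database decides what leaks. The table, function names and rows are hypothetical, the card numbers are standard test numbers, and storing only the last four digits stands in here for protecting stored card data (it is truncation, not encryption).

```python
import sqlite3

# Constructed sample rows; the card numbers are standard test PANs, not real cards.
ROWS = [("A100", "Alice Example", "4111111111111111"),
        ("A101", "Bob Example", "5500005555555559")]

def truncate_pan(pan):
    """Keep only the last four digits, so the full number is never stored."""
    return "*" * (len(pan) - 4) + pan[-4:]

def make_db(store_full_pan):
    """Build a hypothetical orders table, with or without full card numbers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_ref TEXT, name TEXT, card TEXT)")
    for ref, name, pan in ROWS:
        card = pan if store_full_pan else truncate_pan(pan)
        db.execute("INSERT INTO orders VALUES (?, ?, ?)", (ref, name, card))
    return db

def lookup_concatenated(db, order_ref):
    # Weak: the visitor's input becomes part of the SQL text itself.
    sql = "SELECT name, card FROM orders WHERE order_ref = '" + order_ref + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, order_ref):
    # Corrected: the input is bound as a value and never parsed as SQL.
    sql = "SELECT name, card FROM orders WHERE order_ref = ?"
    return db.execute(sql, (order_ref,)).fetchall()

# Constructed input of the kind a code review or penetration test looks for.
# It reaches the server intact whether or not the session used https.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    clear, truncated = make_db(True), make_db(False)
    print(lookup_concatenated(clear, CRAFTED))      # every row, full card numbers
    print(lookup_concatenated(truncated, CRAFTED))  # every row, last four digits only
    print(lookup_parameterized(clear, CRAFTED))     # no rows
    print(lookup_parameterized(clear, "A100"))      # the one matching order
```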

PCI DSS Compliance
Cotton Traders have said nothing about whether they were/are Payment Card Industry Data Security Standard (PCI DSS) Compliant. Any company which takes card payments online in the way Cotton Traders do must be PCI DSS Compliant, a requirement which came into force from June 2007. I have to assume Cotton Traders were not compliant at the time of the attack. Why? Well, if they were, I'm sure they would have stated that fact, and in such circumstances they would rightly have hidden behind PCI DSS and blamed the PCI standard. Also, if Cotton Traders were PCI DSS compliant, the chance of a web application attack being successful would be very small. Why? Well, PCI DSS compliance requires an annual web application penetration test and a web application code review/webapp firewall, which, if used and acted upon, significantly reduce the risk of hacking vulnerabilities at the web application layer.

I don't know the facts about this breach because they haven't been disclosed, but if Cotton Traders were not PCI DSS Compliant, then many PCI experts would say they were being negligent.

Hacking Trends
The major ecommerce operators are fully wise to web application security, operate in a secure professional manner, and are PCI DSS compliant. Because of this the hackers are targeting the lower hanging fruit, which are the smaller ecommerce companies like Cotton Traders. Some of these don't understand the importance of public facing web site security and the significance of PCI DSS, and will be subject to these types of attacks and breaches.

Monday 2 June 2008

Why UK Privacy is Dead

I can’t recall who originally coined the expression “Privacy is Dead”, but whoever it was, I have to say that I agree. A couple of months back I was speaking about companies and the UK government protecting personal data on BBC News 24, when in typical BBC newsreader style I was put on the spot and asked “…but isn’t this information you say needs protecting available in the phone book anyway?” Which is true. Even if you made the effort to go ex-directory and de-list from the public phone book, your name and address (given a rough geographic location) can still be easily found online, because Privacy in the UK is Dead. Let’s be honest, it was never really alive in the first place.

Part of the problem is very simple: when it comes to personal privacy, the default stance and setting is generally to have it “disabled”. Why? Well, the online world and the information age are all about sharing information, and these days many companies are making money out of this information sharing. So in today’s information world it is very much up to the individual to ensure their personal privacy is being protected, yet this in itself can be a real trauma. Even banks don’t play ball. Don’t believe me? Then close your bank account and try ensuring the bank removes all of your personal details from their systems. Here's a tip: use the Freedom of Information Act to check what they are still holding about you post closure. And have you ever tried permanently removing your profile from social networking sites like Facebook?

Going back to the BBC Newsreader question, let’s take “going ex-directory” with British Telecom, which basically means BT will remove your name, address and phone number from the publicly printed and distributed phone book, as well as from their online phone book, called “The Phone Book”. Is there any information within BT’s “The Phone Book” web site, or even within the BT web site’s privacy statement, about how a member of the public can de-list their private details? No! Even if you search the main BT website for the terms “ex-directory” or “x-directory”, no results are returned. To go ex-directory you have to phone BT through their general enquiry number, and then specifically ask to go ex-directory. Could it be that it is not in BT’s interest to encourage private citizens to ensure their private details aren’t placed in the public domain, because BT make so much money out of the advertising on their phone book web site and within the publicly printed edition, which is circulated nationwide? Yet it is generally accepted that unless you ask to opt out, your name, address and phone number will be in there. Make no mistake, the BT Phone Book is one of a number of “free” online tools which UK and overseas identity thieves make use of today.

It’s not just private companies that are at fault either. Take the UK government, who are responsible for managing the country’s electoral roll: again the individual has to tick the box to ensure their full personal details aren’t placed online. These details include not only your name and full home address, but your children’s names as well. All are placed into a publicly accessible and unmonitored database, which is fully searchable online from anywhere on the planet, and is even printed and stored at your local library. Ever wondered where those marketing mail shots and Indian cold calls in the middle of the night are obtaining your details from? The online electoral roll, yet another popular “free” tool used by identity thieves. Just in case you forgot or missed that tick box, I’ll provide full details on how to opt out at the bottom of this post. But even if you do tick that “privacy” box, guess what, your personal details can still be easily found online for just a small fee.

Then there are the social networking web sites. Most of them have privacy switched off by default when you sign up; well, that's how they make their money, by exploiting personal information to direct marketing advertisements. Still too many users don't realise the information they are sharing with the world and with marketing groups. Shouldn't they be protected from themselves by setting privacy on by default? Hell, even Xbox Live has privacy settings now, again switched off by default.

The lack of privacy of personal information makes life so much easier for identity thieves and fraudsters. Let's say you dropped your bank debit card in the street, which often holds your bank account number and sort code as well as your name. A bad guy finds your card in a street in “X Town”; he can search the “X Town” electoral roll using your name as a guide, from which he can gain your full address and phone number. Then, just a few more clicks away, the bad guy can build up a frightening profile on you, all based on information which is relatively easy to find. We are talking about information like your mother’s maiden name, your date of birth, the place of your birth and even the schools you attended as a child. Why is this sort of information important? Well, think about the typical security questions you are asked when accessing sensitive accounts or resetting passwords… ”Can you confirm the first line of your address?”… ”What’s your post code?”… ”What’s the first school you attended?”… ”What’s your place of birth?”… ”What’s your mother’s maiden name?”… ”What’s your date of birth?”… and it’s amazing how many people use their children’s names as a verbal password! Another, even more sinister, side of the coin is that this information is enough to steal your identity, and to go on to obtain all sorts of credit and products in your name.

What’s worse, you don’t need to be a hacker or some kind of fraud expert. It only takes a few minutes, as all this information can be effortlessly gained from the Internet. Furthermore, once you have a profile, it’s very easy to obtain fake yet genuine looking documentation to back up the identity theft, from gas bills to fake driver's licences complete with a picture; even passports and national insurance numbers can all be purchased online. (Before anyone asks, I’m not going to post how or any links.) So small wonder Identity Theft is the UK’s fastest growing crime.

So that’s the problem. The answer is to secure all private information, but it’s too late, the horse has well and truly bolted, so privacy is indeed very dead. But surely more can be done, so how about trying to turn the tide? It’s down to the Information Commission and UK Government to tighten up in this area, and perhaps pass a few laws and actually crack down. Never mind them complaining about the private sector, UK government departments should focus on getting their own house in order first, starting with properly protecting the electoral roll information. Another such issue I haven't mentioned yet is that it is fairly easy to "con" a full list of an area's electoral roll through the proper channels; probably best not to elaborate too much about that one.

What can we do now, apart from whinge at the powers that be? Well, there are some good services out there which can help reduce your "privacy footprint". These include the Mail Preference Service (MPS) to stop junk mail (mail shots) and the TPS (Telephone Preference Service). I have several friends who use both these services; give them a month or two to kick in and they will reduce the amount of junk mail and cold calls. However, in recent months I've noticed an increasing trend in the number of international (usually of Indian origin) cold calls despite the TPS service.

To remove your records from all Direct Marketing databases and prevent companies sending unwanted mail or making unwanted telephone calls to you, you can register with the MPS (Mail Preference Service) and TPS (Telephone Preference Service) databases, which are maintained by the DMA.

Once registered it is an offence for a company to contact you unsolicited (with a fine of £5,000).

Mailing Preference Service (MPS)

Mailing Preference Service (MPS)
DMA House
70 Margaret Street

MPS Registration line: 0845 703 4599 Tel: 020 7291 3310 Fax: 020 7323 4226
Licence Department: 020 7291 3327
Complaints Department: 020 7291 3321

Telephone Preference Service (TPS)

Telephone Preference Service (TPS)
DMA House
70 Margaret Street
London W1W 8SS

TPS Registration line : 0845 070 0707 Tel: 020 7291 3320 Fax: 020 7323 4226
Licence Department: 020 7291 3326
Complaints Department: 020 7291 3323

Removal from (Online electoral roll)
download a CO1 form or write to by post and request removal of your details:

The CO1 Requests Administrator
I-CD Publishing (UK) Limited
8-10 Quayside Lodge

By fax: 0906 34 34 192 (calls cost £1.50/ min)