Tuesday 23 November 2010

iPhone Security Guide

Last week a reporter asked for my opinion on iPhone Security, I said I thought it was a good idea.

But seriously, Apple are actually taking steps to better secure the iPhone. This is driven by Apple's desire to make more of an impact on the business smartphone market and to better compete with the likes of BlackBerry, the dominant force in business smartphone usage. BlackBerry has been widely adopted by larger enterprises not only because its devices are easy to centrally manage, but because it comes with a whole raft of essential business security features, such as device-level encryption and remote wipe functionality.
When you think about it, you realise your iPhone is absolutely crammed with your personal information: think about the details in your contacts list, email accounts and Facebook account, and even the personal photographs and videos stored on the device. So if you care about your privacy and safety online, you may well want to concern yourself with the security of your iPhone. The good news is Apple are making improvements to better secure the iPhone, and its cousin the iPod Touch, which matters just as much from a security point of view, since the same personal information is generally kept on it as well.

There are security settings and ways of using the device that you need to consider as a security-conscious iPhone user, so here are my top iPhone security tips; they don't require the purchase of any apps either.

1. Always update your iPhone operating system software, known as iOS, to the latest version. iOS updates are free and are downloaded and applied to your iPhone via iTunes, so sync your iPhone with iTunes at least monthly and check for new iOS updates when you do. I do find some people very rarely sync their iPhones with iTunes, while others choose not to download and install iOS updates.

There are a number of security vulnerabilities in past versions of iOS which have since been resolved, such as bypassing the iPhone's Passcode Lock from the lock screen's Emergency Call option: in iOS 4.1 by dialling ### (fixed in iOS 4.2), and in the earlier iPhone OS 2.0.2 by double-pressing the Home button from that screen to reach the Phone app's favourites and contacts. Also, there are additional security functions that are only available with the latest version of iOS.

2. Avoid connecting to free WiFi hotspots when you are out and about. You'll probably have a 3G data package anyway, so stick to this and to using your own home WiFi. I find rogue WiFi access points often pose as legitimate-looking wireless connections. I have found rogue WiFi access points using real hotel names, restaurant names and default WiFi router names like Netgear and BTRouter, all in a bid to have you connect to them, or even worse have your device automatically connect. Bear in mind the iPhone will automatically rejoin any open network whose name matches one it has joined before, so use "Forget this Network" (tap "Settings", "Wi-Fi", then the arrow next to the network) for public networks you no longer need. Connecting to a rogue WiFi access point may well give you the internet access you crave, but in turn it gives criminals (yes, WiFi theft is a crime under UK law) access to everything you send unencrypted while connected, which is anything not carried over HTTPS, allowing the bad guys to steal your information and log in to the same websites as you, including fully accessing your Facebook, Twitter and email accounts. There is a solution to this issue, by using a VPN service to connect your iPhone securely to the Internet; I'll blog about this separately.

3. In case you lose your precious iPhone or have it stolen, you will want to ensure all the personal information stored on it, like emails and pictures, as well as your phone's call credit and even your iTunes account, are well protected should the device fall into evil hands. So it is imperative you review the following settings on your iPhone.

a. Tap "Settings", then tap "General".

b. Ensure "Passcode Lock" is "On"; if not, I strongly recommend you enable this feature. Next tap "Passcode Lock".

c. Now enter your passcode.

d. At this point the most important setting to check is right at the bottom, called "Erase Data". When enabled, it means that if a bad guy enters your iPhone passcode incorrectly 10 times, all the information on your iPhone is wiped. This is not only a good feature but is essential for iPhone security.
Don't assume this setting is on: check it, because if it is turned off a bad guy can keep trying passcodes until he or she gets it right. There are only 10,000 possible combinations with a 4-digit code, which is feasible work for a serious phone hacker (iOS does slow repeated wrong guesses with increasing delays, but that only buys time). However, they will always try the most common codes first, and are often successful with them, such as 1234, 4321, 0000, 1111 and the years 1950 to 2010.

e. If you are using one of the common 4-digit codes above, change it to something more unique and less guessable.

f. If you want more security with your iPhone passcode and don't mind the extra inconvenience that comes with it, you can change your passcode from a 4-digit number to a "text" passcode.

To do this, tap "Simple Passcode" to turn it off and follow the instructions.

You don't need a complex password if you have the "Erase Data" option enabled; 5 characters or more should be sufficient, unless it's something easily guessable like your name. Bear in mind that "Erase Data" only counts guesses typed at the lock screen, so the length and unpredictability of the passcode is the one protection that doesn't depend on it.

If you are a security nut, go with a password of at least 8 characters in length, made up of upper and lower case letters, numbers and special characters.

g. Don't tell anyone your iPhone passcode or write it down (obvious really).

h. Set the "Require Passcode" feature to a sensible timeframe. This feature automatically locks the iPhone after a set period of inactivity, requiring the correct passcode to unlock and use it. My suggestion is to set this to 15 minutes; however, if you don't mind the inconvenience for higher security, you can set it to "Immediately" or to 1 or 5 minutes. I wouldn't recommend setting it to 4 hours or ever turning it off, as that kills the protection the passcode provides.
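To make step d concrete, here is an added example (mine, not from the original post) that models the lock screen's attempt counter and runs a guess list ordered the way the post describes: the four common codes first, then the years 1950 to 2010, then everything else. The LockScreen class, the wipe threshold of 10 and the guess order are assumptions based on the text, not Apple's implementation. It shows how many guesses different codes survive with and without "Erase Data", and why a text passcode falls outside the 4-digit space entirely.

```python
"""Lock-screen guess budget: how far a 4-digit passcode guesser gets before
"Erase Data" wipes the phone. Added example, not from the original post;
the guess order, the LockScreen model and the wipe threshold of 10 are
assumptions taken from the text, not Apple's implementation."""
from itertools import chain

WIPE_AFTER = 10                                   # "Erase Data" threshold from the post
COMMON_PINS = ["1234", "4321", "0000", "1111"]    # the codes the post lists
YEAR_PINS = [str(y) for y in range(1950, 2011)]   # 1950..2010, also from the post


def attacker_guess_order():
    """Yield every 4-digit PIN exactly once: likely codes first, then 0000..9999."""
    seen = set()
    for pin in chain(COMMON_PINS, YEAR_PINS, (f"{n:04d}" for n in range(10000))):
        if pin not in seen:
            seen.add(pin)
            yield pin


class LockScreen:
    """Toy model of the passcode lock: counts failures and wipes after
    `wipe_after` of them when erase_data is on. (Real iOS also inserts growing
    delays after repeated failures; that is deliberately not modelled here.)"""

    def __init__(self, passcode, erase_data=True, wipe_after=WIPE_AFTER):
        self.passcode = passcode
        self.erase_data = erase_data
        self.wipe_after = wipe_after
        self.failed = 0
        self.unlocked = False
        self.wiped = False

    def try_passcode(self, guess):
        if self.wiped or self.unlocked:
            return
        if guess == self.passcode:
            self.unlocked = True
            return
        self.failed += 1
        if self.erase_data and self.failed >= self.wipe_after:
            self.wiped = True   # all data gone; further guesses are pointless


def attack(passcode, erase_data=True):
    """Run the guess list against a lock screen. Returns (outcome, guesses used)."""
    device = LockScreen(passcode, erase_data)
    guesses = 0
    for guess in attacker_guess_order():
        guesses += 1
        device.try_passcode(guess)
        if device.unlocked:
            return "unlocked", guesses
        if device.wiped:
            return "wiped", guesses
    # Only reached for passcodes outside the 4-digit space, e.g. a text passcode
    return "not found", guesses


if __name__ == "__main__":
    for pin, erase in [("1234", True), ("1985", True), ("1985", False),
                       ("8392", False), ("correct horse", False)]:
        mode = "erase data on" if erase else "erase data off"
        print(f"{pin!r:16} {mode:15} -> {attack(pin, erase)}")
```

Run it and you will see that 1234 falls on the first guess regardless of settings, a birth-year code is wiped on guess 10 with "Erase Data" on but unlocked on guess 40 with it off, an unremarkable code like 8392 needs thousands of guesses, and a text passcode is never found by a digit-only guesser.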

4. Be careful about the apps you download and install onto your iPhone, and specifically be vigilant about the information you type into your iPhone's apps. There are hundreds of thousands of apps available, and while Apple do their best to vet them all, some dodgy apps do get through the App Store vetting net. Past dodgy apps have stolen personal information, passwords and credit card details, so be wary when an app requests sensitive information. Also check each app's options for security and privacy settings; you may not want to allow apps like Facebook to geotag your location.

5. In your Safari web browser settings (tap "Settings", then "Safari"), ensure "Block Pop-ups" is on, to cut down on scam pages and nuisance messages. A web browser cookie is a piece of information which records details about you and your access to a specific website; sometimes a cookie will automatically log you in to a website, so it could be dangerous in the wrong hands. In Safari's settings you have the option to disable cookies if you are highly security conscious; however, my suggestion is to occasionally delete your cookies by tapping "Clear Cookies" in the same "Settings", "Safari" screen, especially after visiting sensitive websites. While in Safari's settings, double-check that "Fraud Warning" is enabled, which it should be by default.

6. Finally, avoid storing sensitive information on your iPhone, such as your bank account details, website passwords, credit card details and PIN codes.

Sunday 10 October 2010

Love it or Hate it, PCI DSS helps cut UK Card Fraud

UK card fraud is significantly decreasing: according to UK Cards Association statistics, UK card fraud is down 20% to £187m for the first half of 2010.


There are several reasons, in my opinion, why card fraud in the UK has been dropping:

1. Chip & Pin
Chip and PIN, known as EMV in the payments industry, has been highly successful in cutting "cardholder present" fraud, namely face-to-face debit and credit card transactions, since its adoption in the UK in 2005. Chip and PIN has forced fraudsters to commit fraud against stolen UK cards in different ways, typically by using them for online payments or by creating counterfeit magnetic-stripe copies of UK cards to use in countries where Chip and PIN hasn't been mandated. However, since 2005 more and more countries have observed the huge success of Chip and PIN in the UK and adopted the same approach, which in turn is also helping to reduce UK card fraud, simply because the number of places where the chip can be bypassed is shrinking.

It has always been my strong view that the US market should also take stock of the clear benefits and mandate Chip and PIN across North America. Aside from the clear security benefit of two-factor authentication (the card you have plus the PIN you know), it could finally lead to the removal of the biggest security weakness of all with our plastic, namely the black magnetic stripe on the back. The magnetic stripe has been around for 40 years and is not only really outdated technology, but it seriously compromises the security of all debit and credit cards. The stripe holds the card details (the full card number, expiry date and service code, plus issuer data) in plain text, which makes it very easy for the bad guys to steal them in seconds by simply swiping a card through a £3 magnetic stripe reader; for instance, the stripe is what allows card skimming at cash points or within compromised retail card readers. That black stripe also makes it easy to create counterfeit cards, especially in comparison to the chip, which is very difficult to counterfeit. Unlike the magnetic stripe, the chip on our plastic is a constantly evolving technology, meaning it should keep a step ahead of the card fraudsters; academic attacks on the EMV protocol have been published, but cloning the chip itself has not been shown to be practical, and why would fraudsters even bother at the moment when they can take advantage of the stripe's weakness.
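To show what "card details in plain text" on the stripe means in practice, here is an added example (mine, not from the original post) that parses a Track 2 record, the part of the stripe a £3 reader hands over, checks the card number's Luhn digit and decodes the service code, which among other things tells a terminal whether the card carries a chip. The sample record is constructed: 4111111111111111 is a well-known test card number and the expiry, service code and discretionary data are made up. PCI DSS forbids storing full track data after authorisation, so the only place a merchant should ever see this is inside the card reader.

```python
"""Decode a magnetic-stripe Track 2 record to show what a cheap reader yields.
Added example, not from the original post. The sample track is constructed:
the PAN is a well-known test number; expiry, service code and discretionary
data are made up."""
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

SVC_INTERCHANGE = {            # first digit: interchange rules / chip presence
    "1": "international interchange",
    "2": "international interchange, use chip (IC) where feasible",
    "5": "national interchange only",
    "6": "national interchange only, use chip (IC) where feasible",
    "7": "private, no interchange",
    "9": "test card",
}
SVC_AUTH = {                   # second digit: authorisation processing
    "0": "normal authorisation",
    "2": "contact issuer online",
    "4": "contact issuer online except under bilateral agreement",
}
SVC_USE = {                    # third digit: allowed services and PIN requirements
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, prompt for PIN if PIN pad present",
    "7": "goods and services only, prompt for PIN if PIN pad present",
}


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit carried by every payment card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # "MM/YY"
    service_code: str
    discretionary: str   # issuer-defined data, typically including the CVV1/CVC1
    luhn_ok: bool

    @property
    def chip_expected(self) -> bool:
        """Codes 2xx/6xx tell the terminal a chip is present, so a stripe-only
        transaction on such a card is a 'fallback' worth flagging."""
        return self.service_code[0] in ("2", "6")

    @property
    def masked_pan(self) -> str:
        """PCI DSS-style display: at most the first six and last four digits."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    def describe_service_code(self) -> str:
        a, b, c = self.service_code
        return "; ".join([SVC_INTERCHANGE.get(a, "unknown"),
                          SVC_AUTH.get(b, "unknown"),
                          SVC_USE.get(c, "unknown")])


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    return Track2(pan=m["pan"], expiry=f"{m['mm']}/{m['yy']}",
                  service_code=m["svc"], discretionary=m["disc"],
                  luhn_ok=luhn_valid(m["pan"]))


if __name__ == "__main__":
    # Constructed sample: a chip card (service code 201) read through a stripe reader
    t = parse_track2(";4111111111111111=1312201000012345678?")
    print(t.masked_pan, t.expiry, t.service_code, "luhn ok" if t.luhn_ok else "bad PAN")
    print(t.describe_service_code())
    print("chip expected:", t.chip_expected)
```

Everything an attacker needs for a counterfeit stripe card is right there in the record; the only thing the stripe does not carry is the PIN, which is why PIN-bypass destinations abroad are attractive to fraudsters.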

2. Anti-Fraud Systems
The increased anti-fraud schemes introduced by the card brands like Visa and MasterCard, and within the banks, are also having an effect in cutting card fraud. Schemes such as Verified by Visa and MasterCard SecureCode, known as 3-D Secure in the payments industry, together with improved fraud detection systems operating behind the scenes in the banks, are playing a part in cutting "cardholder not present" fraud. These are typically e-commerce and over-the-phone transactions, where the merchant can't be certain whether the person paying has the card in their possession or simply has the card's details, which may of course not be their own.

3. Public Awareness
Public fraud and security awareness is improving; the UK public are being more security savvy when using their plastic, especially online, and so are becoming less likely to be victims of fraud techniques like phishing scams. I think the public are becoming more informed because they are learning the hard way after being hit with fraud, as opposed to through any general security awareness that is going on.

4. Law Enforcement
Law enforcement is improving: more card fraudsters and hackers are actually being caught by the authorities. Despite UK cyber enforcement still being very weak in my view, it is clear international card fraud law enforcement, led by the US, is improving, with many high-profile card fraudsters arrested during the last 12 months. Many of the top card fraudsters based outside the UK have worldwide operations and often branch out into the UK market.

Finally, and this is my main point, I think the adoption of PCI DSS is also playing a positive part. Many large-scale credit card data breaches in the UK have occurred due to security neglect by UK merchants. The vast majority of UK credit card breaches are not disclosed to the general public, because it is not in the interest of MasterCard or Visa, or the breached merchant, to do so, and there is no UK law which makes companies publicly disclose such data breaches.
However, PCI DSS is helping medium and large UK merchants to become secure against card breaches. Even where UK merchants are not yet fully compliant with PCI DSS, there is still a vast improvement in their overall IT security; pre-PCI DSS most merchants did little to secure the cardholder data in their care. As I say on many occasions, there has been no known PCI DSS compliant merchant or payment processor that has ever been breached. Some folk believe Heartland were compliant at the time of their breach, which is untrue. One of the world's most prolific card fraudsters, Albert Gonzalez, who incidentally is now behind bars, admitted to compromising and stealing card data from Heartland during their PCI assessment by exploiting a SQL injection vulnerability. The bottom line is you simply can't have a SQL injection vulnerability in your cardholder data environment and be PCI DSS compliant; requirement 6.5 lists injection flaws among the coding flaws that must be addressed.
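To illustrate the SQL injection point, here is an added example (mine, not from the original post, and not a reconstruction of what happened at Heartland) with a stored-card lookup written two ways: the vulnerable version pastes user input into the SQL text, the fixed version passes it as a bound parameter. The table, rows and "token" lookup are constructed; it uses Python's built-in sqlite3 so it runs offline.

```python
"""SQL injection in a card-data lookup, vulnerable and fixed side by side.
Added example, not from the original post and not the Heartland incident:
the table, rows and token lookup are constructed for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for a merchant's stored-card records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE card_tokens (token TEXT, merchant TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO card_tokens VALUES (?, ?, ?)",
        [("tok-1", "shop-a", "4242"), ("tok-2", "shop-a", "1881"),
         ("tok-3", "shop-b", "0005"), ("tok-4", "shop-b", "1111")],
    )
    return conn


def lookup_vulnerable(conn, merchant: str, token: str) -> list:
    """User input spliced into the SQL text: the classic mistake."""
    sql = (f"SELECT last4 FROM card_tokens "
           f"WHERE merchant = '{merchant}' AND token = '{token}'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, merchant: str, token: str) -> list:
    """Same query, parameterised: the driver sends the values separately from
    the SQL, so quotes in the input can never change the query's structure."""
    sql = "SELECT last4 FROM card_tokens WHERE merchant = ? AND token = ?"
    return sorted(row[0] for row in conn.execute(sql, (merchant, token)))


# Turns the WHERE clause into:  merchant = 'shop-a' AND token = 'x' OR '1'='1'
# AND binds tighter than OR, so the OR '1'='1' makes every row match.
INJECTED_TOKEN = "x' OR '1'='1"


def demo() -> dict:
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "shop-a", "tok-1"),
        "legit_safe": lookup_safe(conn, "shop-a", "tok-1"),
        "injected_vulnerable": lookup_vulnerable(conn, "shop-a", INJECTED_TOKEN),
        "injected_safe": lookup_safe(conn, "shop-a", INJECTED_TOKEN),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} {rows}")
```

With a legitimate token both versions return the one matching row; with the injected input the vulnerable query leaks every merchant's records while the parameterised one returns nothing, which is the whole difference an assessor is looking for.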

To conclude, PCI DSS and the many other security measures appear to be making a serious impact on UK credit card fraud; however, it is dangerous to rest on our laurels, as security is a continuing game of cat and mouse. I know the bad guys are already becoming even more sophisticated in how they attack and steal credit card details. In addition, fewer card compromises will probably lead to an increase in the value of credit card data on the black market, which in turn will fuel the demand and desire to steal card details all over again; where there is a will, there is always a way.

Today's low-hanging fruit for UK card fraudsters is generally the smaller merchants, who perhaps take card details in their hundreds or low thousands, typically businesses such as hotels and small online businesses, which often neglect basic security practices and are either not aware of or don't fully understand their PCI DSS obligations, turning them into easy pickings for card fraudsters frustrated in trying to compromise the bigger merchants. Having said that, not all large-scale merchants in the UK are PCI DSS compliant, or as secure as you, or indeed they, may think.

Thursday 16 September 2010

An Evening with Samy, creator of the Samy MySpace Worm

Last night I was out talking security, drinking beer and eating curry with Samy Kamkar, following his presentation at an OWASP Chapter event in Leeds. Samy was responsible for writing and releasing the infamous Samy MySpace worm in October 2005, which was one of the fastest-spreading malware infections to date.

Image: Samy Kamkar
Samy delivered an excellent and fresh presentation at the OWASP Leeds Chapter meeting, highlighting several areas of new research and, frankly, new concern for us all. But I'll save that for another blog posting once I've investigated it further; however, you can read a little about one issue he discussed, which was highlighted in a recent BBC News report, "The Web attack knows where you live" - http://www.bbc.co.uk/news/technology-10850875

What I found particularly interesting about his presentation, aside from the vulnerabilities and clever exploits, was that you got to see how his mind ticks: his thought processes in finding and exploiting vulnerabilities. We aren't talking about a single vulnerability being taken advantage of here, but a whole jigsaw of different vulnerabilities, with many obstacles to be conquered before the final end game of successful exploitation. For those who wish to understand why certain people are so driven to hack, it is often for the thrill of the challenge. Some people like the challenge of Sudoku puzzles, crossword puzzles or video games, but there are some who just like breaking programming code and IT systems. Individuals like Samy don't do it for personal gain or with thoughts of malice; he just does it for the sheer fun of it, in his own words "this is just a hobby to me".

As far as I can tell, when he created the Samy worm he didn't set out to hurt anyone or profit from it; he certainly didn't have any grievances against MySpace at the time, nor did he even attempt to do anything anonymously. It was just a kid playing around with the new social media of the day and web code, and asking himself the question "what if?".

I asked Samy about the MySpace worm, specifically at what point he thought the situation with the worm spreading had gone out of control. He told me that after he launched the code he saw few signs of it being successful, and he went to bed only expecting a few hundred infections the next day at best, but by the end of the next day a million people's MySpace accounts were infected with his code (the worm). The worm displayed the text "but most of all, Samy is my hero" at the end of a victim's profile, and when another MySpace user viewed an infected profile their own profile was infected, due to a cross-site scripting (XSS) vulnerability in MySpace's web code which the worm exploited: the script stored in the infected profile ran in the viewer's browser and used the viewer's own logged-in session to copy itself into the viewer's profile. The worm code would also automatically send a friend request to Samy, leaving Samy with a million MySpace friends. There is a full account of what happened in Samy's own words at the time still available on the Internet - http://namb.la/popular/

Image caption: A MySpace profile infected by the Samy worm. Aside from the Samy text you can see, there is script code you can't see which executes.
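To show the mechanics of the self-propagation described above, here is an added example (mine, not the Samy worm's actual code or anything from the original post) modelling a stored-XSS worm in a toy profile store: a payload stored in one profile "runs" whenever another user views that page and copies itself into the viewer's profile, and HTML-encoding user content on output stops it cold. The profile store, the fake browser and the browsing pattern are all constructed. It is worth remembering that MySpace did have a filter for script tags, which the real worm evaded; encoding everything on output is the robust fix, not a blacklist.

```python
"""Toy model of a self-propagating stored-XSS worm and its fix. Added example,
not the Samy worm's code and not from the original post: the profile store,
the fake browser that 'executes' a <script> tag by copying the payload, and
the random browsing pattern are all constructed."""
import html
import random
import re

# Constructed marker payload: a script tag plus the visible text the real worm appended.
PAYLOAD = "<script>copyMeToViewer()</script> but most of all, samy is my hero"
SCRIPT_TAG = re.compile(r"<script>.*?</script>", re.S)


def render_profile(stored_text: str, encode_output: bool) -> str:
    """Build the profile page. Vulnerable: user content goes straight into the
    HTML. Fixed: HTML-encode it, so '<script>' reaches the browser as text."""
    return html.escape(stored_text) if encode_output else stored_text


def view_profile(profiles: dict, viewer, owner, encode_output: bool) -> bool:
    """Simulate `viewer` loading `owner`'s page. A live <script> in the page
    runs with the viewer's session and appends its own source to the viewer's
    profile; that self-copy is the whole worm. Returns True on a new infection."""
    page = render_profile(profiles[owner], encode_output)
    if SCRIPT_TAG.search(page) and PAYLOAD not in profiles[viewer]:
        profiles[viewer] += PAYLOAD
        return True
    return False


def run_worm(num_users=30, rounds=20, encode_output=False, seed=1) -> int:
    """Seed one infected profile, let users browse each other at random, and
    return how many profiles carry the payload at the end."""
    rng = random.Random(seed)
    profiles = {u: f"profile of user {u}" for u in range(num_users)}
    profiles[0] += PAYLOAD                # the author seeds his own page first
    for _ in range(rounds):
        for viewer in range(num_users):
            owner = rng.randrange(num_users)
            if owner != viewer:
                view_profile(profiles, viewer, owner, encode_output)
    return sum(PAYLOAD in text for text in profiles.values())


if __name__ == "__main__":
    print("unencoded output:", run_worm(encode_output=False), "infected profiles")
    print("encoded output:  ", run_worm(encode_output=True), "infected profiles")
```

With output encoding off the infection count climbs towards the whole population; with it on, the payload stays as inert text in the one seeded profile, which is exactly the property a stored-XSS fix has to give you.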

Samy went on to say it was a good six months before he was arrested and charged. In a scene reminiscent of the film Hackers, he talked about how he and his friends were arrested at gunpoint, and how he was banned from using a computer for two years, but fortunately avoided an actual prison sentence.

Samy is still only 24, and even though he only does security as a hobby, you are left with the distinct impression you will hear a lot more about Samy in future years. The same type of relentless problem-solving thought process, attention to detail, and utter determination it takes to discover and successfully see through the exploitation of complex vulnerabilities actually maps well onto the successful business person's mind.

Thursday 9 September 2010

No Data Protection in Outer Space!

I just found out my name is on board the IKAROS spacecraft, which is currently solar sailing its way from Earth to Venus. Apparently this is a benefit of my membership of the Planetary Society; yes, I do have other interests outside information security.


I don't recall agreeing to my name being sent into space, but I'm sure glad they did it, especially as this spacecraft may change the course of interplanetary and interstellar exploration forever; plus the spacecraft could end up drifting in space for eternity, but I'll save further discussion on that for a differently themed blog. So, getting back to security, to be perfectly clear: a name on its own, with nothing else that identifies which living individual it refers to, is generally not personal data requiring protection under legislation such as the UK Data Protection Act. This is a common misconception; it is only when you combine an individual's name with other pieces of their personal information, such as a date of birth, that it comes into scope for protection. Although I have to say not many small UK businesses are up to speed with their legal data protection obligations.

I personally believe the Data Protection Act is outdated and in need of a major review and overhaul. The Act was written in the nineties, before Internet usage really took shape, and in this day and age of social networking and the instant availability of UK citizens' personal information, such as on online electoral roll websites, there could be an argument that there is actually little point in trying to make businesses protect certain aspects of our personal information anyway, because the horse has already bolted.

But even if my full personal details were alongside my name on the IKAROS spacecraft, I would argue adequate data protection was in place. Thanks to millions of miles of vacuum, my personal information isn't exactly publicly accessible. I consider my details to be certainly more secure in space than within the care of certain government departments and companies I could mention. I mean, it's not like I'm at risk of identity theft by extraterrestrials, or am I?

Wednesday 25 August 2010

Zurich UK Data Breach: Are large fines good for Information Security?

Yesterday (24th Aug 10), one of the largest fines for a data breach in the UK was issued, with the Financial Services Authority (FSA) announcing a £2,275,000 fine for the UK arm of Zurich Insurance (Zurich UK). Some 46,000 Zurich policyholders had their unprotected personal data, which included bank account and credit card information, "go missing" during a routine data transfer to a South African data centre in August 2008, with Zurich only noticing the breach a year later. By the way, the fine was actually £3.25m, but Zurich were given a 30% discount for settling early; see the FSA press release for more details - http://www.fsa.gov.uk/pages/Library/Communication/PR/2010/134.shtml

But do large fines actually work? Do they help businesses, and indeed whole industries, to become more information security savvy, and push businesses to operate with better information security practices? Well, I think the answer is a clear and resounding YES, and even more so when data breaches and their associated fines are placed in the public arena and not covered up. I say this because many credit card data breaches and fines involving UK merchants are regularly not made public, leaving UK citizens scratching their heads trying to work out how that "Online Poker" fraudulent transaction was made on their credit card by a fraudster.

Of course fines and public scrutiny will not ensure data breaches never occur, nothing will, but I'm sure the pain Zurich has gone through in paying the fine, dealing with the hassle and high cost of quickly addressing their security failings, and then the PR damage, will be a major incentive across their entire multinational business, and will help to prevent future data breaches. I am fairly certain other insurance businesses will be taking stock of this particular fine, given it is a 7-figure amount. I imagine Chief Executives in boardrooms asking their business directors "Could this happen to us?", which in turn should lead to security reviews of their own business processes. It's worth mentioning that according to the Verizon 2010 Data Breach Investigations Report, 96% of breaches were avoidable through simple or intermediate controls. So if businesses did take information security more seriously and applied industry-standard security best practices, they would significantly reduce their risk of data breaches, and would certainly not incur such large fines in the event of a breach, as how negligent a business was in its information security controls and practices is a major factor in determining the scale of a data breach fine.

Under UK law businesses do not have to publicly disclose personal data breaches, so the UK general public are not being informed and made aware when UK businesses lose, or even worse have stolen, their personal information. Zurich was only found out because they are regulated by the FSA, and the FSA forced this breach to be publicly disclosed. Isn't it about time all UK businesses were regulated for information security best practices and data breaches? The Information Commissioner's Office (ICO) has been given extra powers recently, but this government-run office is still a toothless tiger, because private companies do not have to disclose their data breaches to it under law. The ICO certainly doesn't operate with the same big stick as the FSA does, and as a direct consequence the ICO is generally not respected or feared by UK businesses.

Another angle which proves large fines can make businesses comply is to look at the history of business health and safety obligations. It is fair to say health and safety in the workplace has vastly changed since the 1970s. The way businesses were made to apply proper health and safety controls was by solid laws and strong industry regulation, together with large fines and public scrutiny, and this is still the case today. As with data breaches, fining can never fully prevent incidents, but it appears large fines can help bring about a culture change in the business world, and large fines do cut down the number of incidents.

The key point here is that health and safety is backed up by strong regulations and law; at present in the UK both the industry regulations and the legal requirements for businesses to protect personal data are plain old out of date and weak. Sure, we have the Data Protection Act, but this was written before the Internet really took off, and without the big stick of heavy fines and clearer details of the security controls required in the modern age, many businesses simply do not take proper stock of their obligation to adequately protect UK citizens' personal information in their care, and so are not committing the financial resources to apply the necessary security controls. I predict (and hope), just as with the progress of health and safety, that this will eventually change, but I fear it may take several more years yet, and no doubt a few more large and high-profile data breaches will occur before we see any significant changes in our law, as the UK government in today's information age is still in the dark ages when it comes to information security.

Thursday 22 July 2010

How to choose the right PCI DSS QSA

A few weeks ago (1st July 2010), I was a speaker and an expert panellist at PCI London. One particular subject I spoke about generated a lot of interest from the mainly merchant delegates and the QSA representatives: my views on PCI Qualified Security Assessors (QSAs), specifically how merchants should go about selecting a quality QSA to help them achieve and maintain PCI DSS compliance. In my experience of working within the payment security field and with PCI compliance for many years, I find there are still far too many dodgy individual QSAs and QSA companies out there, misadvising their clients and providing merchants with what I personally call placebo PCI DSS compliance assurance.

Low Budget means PCI Fail
A QSA company should never be selected solely on cost, as you tend to get what you pay for in the QSA world. A low budget tends to underpin a half-hearted approach to PCI compliance; usually such an approach is just an attempt to tick the old compliance box, and this is a sure way to PCI DSS failure. Typically in the QSA industry, I find the less you pay the worse the quality of QSA you are likely to receive, although there is sometimes the odd exception, so I would recommend avoiding scraping the bottom of the barrel if you are serious about PCI DSS compliance.

QSA status means little
An individual holding QSA status is not some sort of PCI god; the truth is, it is not too difficult to become QSA qualified, and until recently the QSA exam was an "open book" exam. I find that individual QSAs are certainly not all cut from the same cloth, and there is plenty of variation in their ability and depth of knowledge of the PCI standard, so do not blindly trust that an individual knows all of PCI DSS because he or she is QSA qualified.
The best QSA-qualified individuals tend to be employed by the best QSA companies, typically companies which specialise in providing information security consultancy services, where QSA work is a core function of the business, as opposed to companies and security vendors which have "bolted on" a QSA function just to get in on the PCI gravy train.

Selecting a QSA Partnership
Your relationship with your QSA should be a partnership, as opposed to a client-auditor relationship. Certainly during the actual PCI DSS assessment the QSA will be in auditor mode; however, before and after your assessment your QSA needs to act as your PCI consultant, and not just for a month or two leading up to the assessment either, but 365 days a year: you should be able to call on your QSA at any time and obtain clear PCI advice on demand.

QSA Company Vetting Questions
The key question to ask a QSA company is not how many individual QSAs they have on their roster, but how many PCI DSS assessments, aka Reports on Compliance (ROCs), they have completed and submitted during the last 12 months. If the answer is over 20 then you know you are dealing with an organisation which specialises in performing top-level PCI DSS assessments; anything less than 10 and, to be brutally honest, you are likely to be dealing with an amateur QSA organisation, which may not be suitable if you are responsible for PCI compliance in a large and complex environment, for instance.

There are many QSA companies out there which only ever submit a handful of ROCs each year. Interestingly, alongside the expected small-time QSA companies, there are several big-name security vendors which fall into the category of performing fewer than 5 ROCs a year. So it is always well worth asking your QSA organisation the question "how many ROCs have you submitted in the last 12 months?", so you are clear on the organisation's true QSA validity and general level of PCI expertise and experience.

Failing QSAs / QSAs in Remediation
The next part in vetting a QSA organisation before signing up is to check whether they are in remediation, using the QSA listing on the PCI Security Standards Council's website, where QSA companies in remediation are marked on their listing.


This is the list of QSA companies which have at least one individual QSA that has failed to perform an adequate PCI DSS assessment in the view of the PCI Security Standards Council (PCI SSC). The PCI SSC oversees the standard's requirements and all QSAs, and performs quality control on QSAs, specifically by checking QSA reports to ensure QSAs have done their job properly.

Where the PCI SSC finds an individual QSA has done a poor job in assessing a company, the PCI SSC puts that individual's entire QSA company into remediation, as it is part of the responsibility of the QSA organisation to ensure its QSAs are doing their job correctly. Remediation is not the end of the world for a QSA organisation; it just means they have to resolve the problems with the individual QSA. However, if they don't, the QSA company can be delisted as a QSA provider. The idea here is quality control of PCI DSS QSA assessments; this process is all about weeding out the bad QSAs and poor QSA companies.

Vetting the Individual QSA
After selecting a QSA company, do not sign up to anything before assessing your assigned individual QSA. Ensure you meet that individual before signing any agreements, and carry out your own assessment of the QSA, either directly or covertly by asking questions. I recommend the following areas to assess your QSA against.

How many past assessments have they done?
The best QSAs tend to have many years of industry and on the job experience in payment card security, and so should be able to reel off a list of previous clients they have assisted.

How complicated were their past assessment environments?
If you have a complicated multi-site environment to validate against PCI DSS, it is no good having a QSA who has never assessed anything larger than a corner shop.

How long have they been with their QSA organisation?
The relationship with the individual QSA can be vital, as this is the person you will have to explain your environment and payment processing operation to. Your environment and road to PCI DSS compliance is nearly always going to be unique to your business; if an individual QSA has a history of moving around between QSA organisations, which many do, then it is likely you will be assigned a new QSA and will have to start all over again in explaining your environment, payment operations and your approach to meeting PCI DSS compliance. Be aware that individual QSAs may have different views on the way you should meet your PCI compliance in specific areas, such as virtualisation, and so a new QSA may well disagree with the approach agreed with your previous QSA, even if they work for the same QSA company. There is nothing worse than having a QSA leave their parent company a couple of days before your on-site assessment; weeks of your preparation work can go down the pan, so it's certainly worth asking this question and being aware of the risk it poses.

Most merchants tend to be in a position where the QSA will always know more about PCI DSS than they do. However, you can still research the latest hot and contentious topics in the PCI DSS industry; trust me, there are always areas within the PCI standard which are in contention and under debate. Then ask your QSA for his or her view. If the QSA cannot provide a consistent response and explain the issues to you clearly, that is a tell-tale sign of a lack of individual knowledge and confidence around the standard. QSAs who aren't confident about every aspect of the PCI standard tend not to have the experienced background which, in turn, builds their knowledge of the standard.

If a QSA changes his or her views or provides inconsistent advice, this is a definite red flag, and tends to mean the QSA is not knowledgeable and experienced. I have heard of situations where companies have spent £100,000s on IT systems following the advice of an individual QSA, only for that QSA to change their advice (and their mind) down the line, resulting in their PCI budget being completely misdirected.

A Good Information Security Professional does not equate to a good Payment Card Security Professional

QSAs from a general information or IT security background do not always make good QSAs. Sure, much of the PCI standard is industry information security best practice, but it is equally important that your QSA understands how your card payment systems work and how cardholder data flows through your organisation's IT systems: from your cash offices, to PDQs, to call centres, to your payment processor or acquiring bank. A regular information security professional knows very little about such areas unless they have been specifically involved in them.

Is your QSA helpful or acting like a typical auditor all the time?
There are QSAs out there who come from strong auditor backgrounds, and as such are often poor at providing clear advice and guidance on how to address the issues they uncover or highlight to you. For instance, they tend to say "No, you can't do that, find another way", whereas a quality QSA will say "No, you can't do that, but here's how you can do it", and then provide you with the right solution for your environment in a high degree of detail.

If your QSA is worth his or her salt, they will go out of their way to obtain a thorough understanding of your environment from day one, so they are in a strong position to provide you with the correct advice you need.

If a QSA is ever not completely honest with you, you must drop them like a stone. For instance, I have heard of several QSAs who deliberately avoided telling their clients that their QSA organisation had gone into remediation; as I said, remediation is not the end of the world for a QSA. A decent QSA would tell you they have gone into remediation, why it happened and what they are doing to correct their issues, as opposed to deliberately not informing you.

I once came across one individual QSA, who within minutes of first meeting him told me about specific PCI compliance issues with his existing and past clients, and then went on to give me details about a cardholder compromise that another client had suffered, which to date has never been publicly disclosed. Is this the sort of guy you want to trust as your QSA?

There needs to be a high level of trust between you and your appointed QSA, as after all you will be providing a high degree of sensitive information about your company's IT systems and security. You certainly need to ensure your QSA company has its own security in order, to protect any information you share. Ensure you have a non-disclosure and data retention contract in place, and make sure your QSA is fully aware that you do not want your organisation's information shared with any other third parties.

Another side of ethics I have encountered is folk calling themselves a QSA when they aren't employed by a QSA organisation. You cannot be a QSA unless you work for a QSA organisation; there is no such thing as an independent QSA, and anyone pretending to be a QSA should be shown the door. You can check an individual's QSA status on the PCI SSC website. Always make sure the QSA is currently qualified and in good standing; see the PCI SSC link below.


Finally, remember your QSA should be a 365-day-a-year "partner", not a once-a-year auditor. PCI DSS compliance itself is not a once-a-year event but a continuous, 365-day-a-year state.

Wednesday 26 May 2010

Facebook's Privacy U-Turn

Facebook, one of the world's most successful online businesses, has been pushing our personal privacy boundaries continually since its launch in February 2004. Today, thanks mainly to public pressure, Facebook's owners finally held their hands up to the privacy issues it faces, and have backtracked on their relentless push against their users' privacy by launching simpler and more powerful privacy settings for all 400 million Facebook users.

The heart of the Facebook business model, like all social networking models, is the encouragement of its users to sign up and connect with as many individuals as possible, aka "friends". Facebook users are rewarded for adding "friends", and Facebook's third-party applications in particular profit from the practice: for them, individuals with larger audiences of friends mean larger advertising revenue. This causes the privacy problem, in that many Facebook users add friends who aren't actually their real friends, and sometimes individuals who are outright strangers, and so unwittingly go on to share their personal information with them. Facebook's privacy settings haven't helped their users: they have been over-complicated, out-of-the-way controls, defaulted to a privacy "switched off" state. http://blog.itsecurityexpert.co.uk/2009/12/facebook-privacy-settings-change.html

Facebook is a world where a setting called "Friends of Friends" means that even though you might be ultra careful about the friends you choose to add and share your personal details with, your privacy can still be unknowingly compromised by one of your friends who isn't as careful about the friends they have added. Perhaps Facebook should have introduced a new category called "strangers", so we could have a list of real-life friends as "friends" and a separate list of strangers, whom you might still like playing games with, but perhaps not share holiday snaps of your children with. A list called "strangers" would certainly make people think twice about their own privacy and what they share.

The Facebook privacy threat is very real, and people from many different walks of life have approached me asking for advice after falling foul of Facebook. Facebook is a favourite tool of identity thieves, private investigators, stalkers and unscrupulous reporters, a tool often used by employers to screen future employees and by bosses to spy on existing employees, not to mention the whole cyber bullying and child protection issue. http://blog.itsecurityexpert.co.uk/2009/11/child-facebook-safety.html

But know that I am not anti-Facebook; in fact, I'm a Facebook user myself. But understand this: if you use Facebook, it is not free. You pay for it by giving up your own privacy, and how much privacy you give up is up to you to control. If you understand this and simply do not care what you share with the world, well, I'm certainly not going to judge you. My own opinion of Facebook has been tarnished by the privacy victims I have met and helped; most of them did not realise what they were giving up at the time, so I'm certainly pleased to see Facebook waking up to the whole privacy issue and starting to step in the right direction.

Using Facebook is like drinking alcohol: used responsibly and in moderation, it can be great fun; used irresponsibly, it can burn you down the line, perhaps even many years down the line.

Monday 26 April 2010

New Podcast: Home PC Malware (Virus) Protection

I have released my "monthly" Podcast; yes, it's officially a monthly Podcast now. Although I cheated and used a recent radio interview for the content.

The Podcast is about basic home PC malware (virus, worm, Trojan, keylogger) protection, and where to obtain decent Windows anti-virus protection for free. This podcast is aimed at day-to-day people outside the security industry.
Podcast: Home PC Malware (Virus) Protection

Dave @ ITSecurityExpert.co.uk - IT Security Expert UK Podcast - ITSecurityExpert on iTunes

To go with this Podcast I have the following links and recommendations.
Microsoft Windows Security Essentials
Anti-Virus & Anti-Spyware
Requires a licensed copy of Windows
Requires Windows XP, Vista or Windows 7
On Windows XP: a PC with a CPU clock speed of 500 MHz or higher, and 256 MB RAM or higher.

Spybot Search & Destroy
Anti-Spyware/Anti Adware Protection & Spyware/Adware Removal

For more information read my blog posts Anti-Virus: Completely Free as it should be and Does Apple Mac need Anti-Virus

Monday 19 April 2010

Does the Apple Mac need Anti-Virus Protection?

If you are running the latest Mac OS X at home and you allow Apple to automatically update Mac OS X, then my advice is no, you don't need anti-virus protection on your Mac at home, well, not at the moment anyway. Apple themselves go out of their way to state that Mac OS X is not affected by viruses and protects itself from other malicious applications: "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box" - Apple.

A word of caution with my view, which will be highly controversial to some: the Mac malware situation could change in the future should the bad guys decide to target the Mac OS in anger. Theoretically this may happen if the bad guys find they aren't getting any joy out of attacking Microsoft Windows PCs; however, this is currently not the case, and there is no significant shift in the malware OS attack vector occurring. In my view, the bad guys will actually move on to targeting the smart phone market in the future, which of course is a market well occupied by Apple.

In the meantime Mac users should guard against complacency, especially considering that all software has its faults and therefore will have vulnerabilities to be exploited. An operating system is hundreds of thousands of lines of code, ultimately written by human beings, so it can never be perfect, and operating systems are by their nature highly complicated pieces of software. So it is safe to conclude that no operating system can ever be regarded as being 'secure' and therefore can never be guaranteed to be vulnerability free; there is just no such thing as 100% security. The answer to this problem is to continually fix (patch) the operating system as vulnerabilities become known, hence the importance of ensuring your Mac OS is automatically updated.

Going back to the lead question: today, if I were a 'home' or mobile Mac user running OS X, I personally wouldn't bother deploying anti-virus protection, as the risk is currently extremely low, while Mac OS X itself has good malware protection built in. I certainly wouldn't criticise anyone who wants to deploy anti-virus on their home Mac as a matter of precaution; of course, the trade-off in doing so is an impact on system performance and the cost of purchasing an anti-virus product.

Why aren't Macs at the same risk as Windows?
The fact is the vast majority of malware (including viruses) is written specifically to exploit the world's most popular operating systems, namely the Microsoft Windows range. There are well over a million documented* "viruses" which specifically target the Windows operating system, while there is only a handful of known viruses which target the Apple Mac operating system range, and of these some are actually concept malware produced by good guys; to my knowledge none currently works against the latest version of Mac OS X. The folk behind writing and deploying malware target the largest market share and the lowest hanging fruit, namely the OS they know is the easiest to exploit. Microsoft Windows operating systems are by far the most used operating systems on this planet and have arguably been among the weakest for security in comparison to other operating systems like Mac OS.

A third point often raised in this debate is that Windows users are less technologically savvy than Mac users (in other words, more stupid!) and are therefore easier to "con" into clicking links which execute and install malware. I think this might have been true in the past, but today I note that many non-techies are using Macs; many people are simply choosing a Mac over a PC as a status or even fashion symbol, so I no longer buy the argument that PC users are on average more stupid than Mac users.

Anti Virus Protection is no Guarantee
Anti-virus does not guarantee complete protection against all known viruses and malware. AV protection is only as good as the AV's latest update, and even then it may not be able to stop all of the latest malware. So you could well have anti-virus installed on your Mac which is bang up to date, but if a new type of virus suddenly appears on the scene, the anti-virus may not detect it anyway. The truth of how ineffective some anti-virus products on Windows PCs are is actually quite alarming, but I'll save that one for another post.

Do business Macs need Anti-Virus Protection?
The short answer, in my opinion, is yes. Medium to large businesses which have Apple Macs deployed in a mixed Microsoft Windows environment may well want to consider deploying and running anti-virus protection on their Mac estate.

Why? Macs have been known to harbour Windows-based malware, malware which could make its way from the Mac via file sharing onto Windows PCs. Just because Windows malware does not run on the Mac does not mean it cannot be stored on a Mac drive, and if that Mac has no anti-virus protection, then the files on the Mac drive are never checked for Windows malware, which in turn means the malware files are never removed, leaving any Windows malware present and dormant on the Mac drive. Should that malware file make its way off the Mac drive, perhaps via a network share, USB memory device or server storage, and then onto Windows PCs, there can be real issues in store for the PC estate.

Also, there are information security regulations and standards, PCI DSS among them, which insist on the deployment of anti-virus protection on in-scope systems regardless of the operating system and your perceived risk.

Where can I get Mac Anti-Virus Protection
If you feel you need anti-virus protection on your Mac at home or within your business environment, most of the usual big commercial anti-virus vendors provide a Mac OS anti-virus client. Personally I'm independent of security vendors, which is important as I try to keep my advice independent and objective, so I'm not going to suggest any vendors here. But there is a free home Mac anti-virus client called ClamXav - http://www.clamxav.com/. As I said in my blog post last week, I believe anti-virus protection should be free for all home users and provided out of the box by the OS vendor - http://blog.itsecurityexpert.co.uk/2010/04/home-anti-virus-is-completely-free-as.html

The Biggest Threat to Mac Users
Finally, home Mac users should still be wary of attacks made through their web browser and their email client. For instance, a phishing attack is just as likely to succeed against a Mac user as against a Windows user. Always remember that many online fraudsters are targeting your personal information, your credit card details and your online bank account login details, which are often obtained through attacks via web sites (the web browser) or via the email client, either way by conning the person into sending the details. Some third-party applications on the Mac, such as file sharing apps, can also provide a way in for malware, so be wary about what you agree to install.

This is an interesting topic, and it has been hotly contested in the security industry for years, especially between AV vendors with Mac anti-virus products to peddle and Apple enthusiasts (BTW I'm neither!). So if anyone has any different views, whether in agreement or not, or indeed recommendations, please post in the comments - Thanks.

* April 2008: BBC News reported Symantec's claim that its anti-virus programs now detect 1,122,311 malware threats - http://news.bbc.co.uk/2/hi/technology/7340315.stm

Tuesday 13 April 2010

Home Anti-Virus is Completely Free, as it should be

It's a real travesty that many home users are paying for anti-virus protection on subscription, not realising they can obtain solid anti-virus protection for free. Commercial anti-virus vendors have been snaring home users for years by bundling their commercial AV applications with new PCs, often pre-installing the anti-virus application on the PC as a free trial. Once the free trial has finished, home users end up signing up to the AV on subscription through fear, not believing they have any free alternatives for anti-virus protection. However, home anti-virus protection should be completely free, and it is completely free.

For many years it has long been my personal belief that home anti-virus protection should be provided completely free of charge, and in the case of the Windows Operating System (OS), the OS most plagued by viruses, worms, spyware and other malicious software (malware), it should be built into the operating system itself.
Malware: A term which is short for Malicious Software, the collective term for describing Viruses, Worms, Trojans, Keyloggers, Spyware, and Adware.

I believe free and built-in anti-virus is a necessity, to protect the individual PCs of non-security-savvy home users and to protect everyone else on the Internet as well, as hundreds of thousands of malware-infected PCs affect and impact everyone online. Malware-infected PCs are used for everything bad, from sending spam email en masse, to the mass propagation of malware, to highly intricate network-based attacks. It has been a long-standing personal criticism of mine that Microsoft didn't provide built-in anti-malware (anti-virus) protection right out of the box, well, until now.

Yes, the good news is that at last Microsoft has finally got around to providing free anti-virus and anti-spyware with their Windows operating systems for home and small business users; the only proviso is that you actually own a licensed copy. Over the last six months I have been trying the Microsoft anti-virus protection on multiple Windows operating systems and different hardware, and I have to say I have found it to be up to the job. Indeed, I would say it's on a par with most home commercial anti-virus applications; in fact, in one test I found it scans much faster than some of the commercial AV products. Now, commercial anti-virus vendors will claim their specific product is better than everybody else's, that their product provides extra security protection, has won awards, etc. However, the truth of the matter is that no anti-virus application can ever guarantee 100% protection, and it is a dangerous game to assume one anti-virus application protects better than another, given the fluid nature of malware threats, which change by the hour.

It is true that many anti-virus products come packaged with additional security protection for your money, some more useful than others. Many of these additional services, such as web filtering and anti-spam, can be obtained for free elsewhere. For instance, home users should be aware that Microsoft Windows 7 provides web filtering out of the box, while email providers such as Google's Gmail have pretty good anti-spam built in these days. And as for operating system firewall protection, well, that's already built into the Windows operating system. Some of these extras can actually slow your PC down unnecessarily for very little security benefit, especially on older PCs.

Free Anti Virus: Microsoft Security Essentials

Aside from the Microsoft offering, there are several other good free Windows anti-virus applications available which have been around for a number of years, such as AVG and AVAST. However, for home users I would recommend installing and trying out the Microsoft anti-virus application first, which is known as Security Essentials. But that's my personal opinion; the important thing is that you install and use an anti-virus application on your Windows PC, regardless of who provides it, as it's a vital component of home PC security.

My recommended Free Anti-Virus\Anti-malware Products are:

Microsoft Windows Security Essentials
Anti-Virus & Anti-Spyware
Requires a licensed copy of Windows
Requires Windows XP, Vista or Windows 7
On Windows XP: a PC with a CPU clock speed of 500 MHz or higher, and 256 MB RAM or higher.

Spybot Search & Destroy
Anti-Spyware/Anti-Adware Protection & Spyware/Adware Removal

Microsoft Malicious Software Removal Tool

Finally, I would like to stress the importance of ensuring your anti-virus application receives updates automatically; without automatic updating enabled in your anti-virus application, your PC won't be protected against the latest threats. Equally important is to check that Microsoft security updates (patches) are automatically downloaded and installed upon their release; these updates tend to be released on at least a monthly basis.

Thursday 25 March 2010

New Podcast: Removing Viruses, Worms & Spyware

This podcast is aimed at day-to-day people outside the IT security industry using Microsoft Windows. It gives a quick overview of the types of malware (viruses, worms and spyware), describes how to prevent malware infection on your PC, and how to remove malware from your PC following infection.

IT Security Expert Podcast - Mar2010 : Removing Viruses, Worms & Spyware

Dave @ ITSecurityExpert.co.uk - IT Security Expert UK Podcast - ITSecurityExpert on iTunes

Free Malware Removal Tools Recommended in this Podcast
Microsoft Windows Malicious Software Removal Tool
Spybot - Search & Destroy
AVG Rescue CD

There are other free malware removal tools out there, including those which run online in the web browser. If anyone wants to recommend any they have used, please go ahead and make your recommendation in this post's comments - Thanks.

1. "Malware" is a collective term which includes viruses, worms, keyloggers, Trojans, spyware, adware, and apps referred to as crimeware.
2. I recommend running these tools frequently, even if your anti-virus application is not reporting any malware infections. AV doesn't detect all malware!
3. Windows Defender is always worth installing; it protects mainly against spyware and adware, and is free.
4. Beware: some "malware removal tools" are actually malware themselves, and add further infections to your PC. Therefore I recommend sticking with the removal tools listed in this post, which are provided by reputable security companies and organisations.
5. After running a malware removal tool, I recommend rebooting your PC and running the tool a second time, to ensure all malware has been permanently removed from your PC.

Monday 22 March 2010

UK Shops with Minimum Spend OR Charges for Accepting Card Payments

I really love those new Visa World Cup Football TV commercials and the Barclaycard Contactless Card commercials.

These ads depict using Visa and Barclaycard plastic to pay for small transaction amounts, such as using your credit card to pay for your lunch or paying by card for a haircut. But the picture these TV commercials paint does not quite match the reality on the ground in the UK, where many cardholders appear to be continually taken advantage of and are becoming frustrated by small merchants who either apply a surcharge or insist on a minimum spend for payments by card. This reality is in direct conflict with Visa, MasterCard and Barclaycard's overall strategy, namely for card payments to replace all cash payments, hence the recent introduction of contactless payments in the UK. Contactless cards are not just designed for your convenience but to allow the card brands to soak up the small payment transaction space.

Can Merchants Apply a Minimum Spend or a Surcharge in the UK?
I have been speaking with Visa, MasterCard and Barclaycard about this, and to be honest the answer is not as clear cut as I thought it would be, mainly thanks to complicated European laws and UK laws, and even local area laws come into the equation.
What I do know is that the likes of Visa and MasterCard have strict regulations which they say apply to all merchants (retail shops) which accept their card payments. These regulations clearly state that merchants are not allowed to apply any surcharge or require a minimum spend amount, as detailed below.

5.1.C Prohibitions
A Merchant must not:
• Add any surcharges to Transactions, unless local law expressly requires that a Merchant be permitted to impose a surcharge.

A Merchant must not directly or indirectly require any Cardholder to pay a surcharge or any part of any Merchant discount or any contemporaneous finance charge in connection with a Transaction. A Merchant may provide a discount to its customers for cash payments. A Merchant is permitted to charge a fee (such as a bona fide commission, postage, expedited service or convenience fees, and the like) if the fee is imposed on all like transactions regardless of the form of payment used, or as the Corporation has expressly permitted in writing. For purposes of this Rule:
1. A surcharge is any fee charged in connection with a Transaction that is not charged if another payment method is used.
2. The Merchant discount fee is any fee a Merchant pays to an Acquirer so that the Acquirer will acquire the Transactions of the Merchant

However, these regulations are trumped by law: EU, UK and even local laws. For example, airlines, holiday companies and large concert ticket providers cite the law to get around these regulations, applying surcharges to their card payments. Sometimes they hide the surcharge as an administration fee, which is fine for a business which doesn't offer a cash payment alternative. I thought this could be a key point, as small shops obviously accept cash payments alongside card payments.

I have been reading up on the legal side of this issue, and as I understand it, it appears merchants are not allowed to profit from surcharging. Going back to the strict card scheme regulations, let's take the scenario where we have a small shop which has been provided with the equipment to accept card payments, as provided by the likes of HSBC and Streamline. From my conversations, it came across that surcharging and applying a minimum spend in this type of scenario is highly frowned upon by the card schemes (Visa & MasterCard). In fact, during my discussions with these card brands, they both offered a method to file a complaint about small merchants doing this.

Visa: Notify your Visa card-issuing bank. Visa Member financial institutions have access to the appropriate Visa rules and regulations. Your card-issuing bank can best answer your questions about surcharges. They also have access to the Notification of Customer Complaint forms that should be used by the financial institution to document and file this type of complaint. You can contact them directly, using the address or telephone number on your Visa statement or on the back of your card.

MasterCard: File a merchant violation by Email consumer_advocate@mastercard.com . We do contact the merchant's bank when we see repeated violations and they are requested to maintain appropriate controls over the merchants.

Now, my legal eagle brother likes to point out that shops can always refuse your card payment and kick you out of their premises without giving any reason; true. However, I argue that most small merchants sign an agreement to abide by these regulations as part of the package of being provided with the means to accept card payments. Therefore it seems pretty clear to me that most smaller merchants are not permitted to surcharge or require a minimum spend at all. The banks which provide the payment devices have the power to disable them for any merchant which doesn't comply, and so would act if a card scheme or customers highlighted a merchant that wasn't complying with these regulations.

UK local legislation allows surcharging on credit cards which takes precedence over Visa rules and regulations - Visa Europe

So after doing further digging on the legal side, it appears merchants are indeed allowed to make charges under law; remember, the card schemes state that law trumps their regulations. However, I found another angle on the legal side, in that merchants need to clearly advertise their surcharges.

 Since the 28th February 1991, in accordance with the Credit Cards (Price Discrimination) Order 1990, retailers have been allowed to apply these charges to the cardholder.

It may help you to know that customers are protected under the Consumer Protection Act 1987, which states that is a criminal offence to mislead the customer regarding the cost/charges of a purchase. Retailers are therefore required to clearly advertise and advise their intentions to the customer before applying this charge.
My conclusion on minimum spends and surcharges: because of the legal situation, unfortunately I cannot state that UK merchants are not allowed to add surcharges or require customers to make a minimum spend for payment card transactions. But if you feel strongly about this, you can raise a complaint against any merchant indulging in these practices with the card schemes and the acquiring banks, namely the providers of the payment equipment, e.g. Streamline, HSBC. I will continue to research this situation, and I am very interested if anyone else has any further information or views on this one.
Now, I do feel the merchant's pain in that the cost (the transaction charge imposed on them) of taking small transactions really hits their profit margins, but hey, this is the price of having the ability to accept card payments at your business; no one forces any business to accept card payments.

Here's the thing that really bugs me about this. There are too many merchants in the UK which are running amok with these charges; some are ignorant of these requirements, and some are actually sticking two fingers up at the regulations they signed up to. I know, because shop owners get very nervous when I question their surcharging. So what do you think merchants are doing about the payment card security regulations, specifically the Payment Card Industry Data Security Standard (PCI DSS)? The next time you have fraudulent transactions on your credit card and don't understand how your card details were stolen, know that it is more likely than not that your details were stolen from a merchant which held your card details, because the merchant was not following card security regulations and was not adequately protecting your card details while in their care. By the way, merchants certainly cannot hide behind the law when it comes to their compliance with card payment security regulations, and specifically PCI DSS compliance.

It is worth noting that we do not have any breach disclosure laws in the UK, and it is never in the interest of merchants, banks and card brands to publicly disclose payment card breaches. But I can tell you that breaches of UK cards in significant numbers are occurring due to UK merchant security negligence; it's happening behind closed doors, and it's happening far too often.