Saturday, 27 February 2010

New Podcast: Safe Social Networking (Feb2010) Released

I thought it was about time I resurrected the IT Security Expert Podcast, so I dusted off my podcast mic and put together a podcast on using Social Networking safely. This podcast is aimed at day to day people outside the security industry.[]=6

Dave @ - IT Security Expert - IT Security Expert UK Podcast - IT Security Expert UK PodcastITSecurityExpert on iTunes

To go with this Podcast I have a “Parent Child Facebook Safety Guide” which I put together following my appearance on BBC Radio 5 earlier in the year.

And I have a couple of relevant blog entries to this Podcast

I’m considering a couple things with this Podcast, initially doing a new release once a month, and I am also considering Podcast Security topics aimed at UK industries and professions, coving subjects such as PCI DSS (retailer credit card payments compliance) and Government Code of Connection.

Saturday, 20 February 2010

Chip & Pin Weakness Smoke Screen for Real UK Card Fraud

The Chip & Pin man-in-the-middle weakness highlighted by the Cambridge academics last week is important to raise and to have addressed, but I’m afraid to say this weakness in Chip & Pin is nothing new, this vulnerability has been known about for years, the Cambridge boffins are right in that Chip & Pin isn't as secure as it should be. However no system ever gives 100% security, the aim of the game is about reducing risk. Chip & Pin reduces card fraud risk significantly when compared to other non-cash payment methods, such as payments by just signing and payments bycheques, even with this vulnerability. The fact is Chip & Pin drastically cut cardholder present fraud in the UK when it was introduced in 2005.
The real important thing to understand here, is for the Cambridge Chip & Pin fraud to work, the fraudster needs to have possession of the original debit/credit card (which has yet to be cancelled), and seemingly a laptop.

Now I have researched card fraudsters for years, and I can tell you they always tend to go with simplest methods of committing card fraud with poses the least risk of being caught, and as any security professional knows, bad guys always tend to go for the lowest hanging fruit.

So here's my main point, why would a card fraudster who is in possession of stolen card bother with the sophisticated technique as highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on card, forcing a magnetic swipe and signature payment, perhaps if needed requiring a bit social engineering against the cashier. Still it would be far easier and less risky to the card fraudster to use the stolen card with online transactions or even get away with small contactless payments which also don’t require any PIN knowledge.

Secondly I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness of their card details being compromised. When the physical card is stolen, it tends to be reported by cardholder, so it quickly is cancelled preventing transactions from working on it, remember the Cambridge attack is all about the physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.

Just to prove how easy it is to get around Chip and Pin without having a PHD, I performed a demonstration yesterday at a “birthday card” retailer in a UK City. I used one of my own credit cards as opposed to a stolen credit card, the credit card I used just happened to have a damaged chip.

To be crystal clear, I did nothing illegal and unethical, and I certainly didn’t perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by cashier, the card reader displayed invalid, and the cashier said this happens now and again and took my credit card out, swiped through a magnetic reader, then asked me to sign, I followed the cashier's instructions, so completing a transacton without using a PIN number.

Here's the receipt, note "Date" and transaction type "Swiped" and "Signature Verifed"

My final point is the majority of payment card fraud committed in the UK, is card not present transactions, such as payments made over the Internet or by phone. This type of fraud does not require that the fraudster has physical possession of the plastic card. Often payment card details not the physical plastic card are stolen, often on mass from poorly secured retailer. These stolen card details are then brokered up and sold online to individual fraudsters, who go on to commit the actual fraudulent transactions againt them. Typically fraudulent transactions with UK cards are made against websites which don't have the 3D secure (online password required), typical websites at the moment tend to be online gambling websites, which are an easy way for an international card fraudster to cash out against a stolen UK card.

I personally reckon at least £1 Billion is stolen on British payment cards every year, and to my knowledge on how UK card fraudsters operate, I would say the Cambridge Chip & Pin attack could be responsible for just few percent of that fraud spend presently. I have not come across any fraudsters nor have I heard of any fraudulent incidents using this technique, however you can never rule out that the bad guys aren’t taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don’t see that changing in the future, as there are still far easier methods to commit fraud against UK payment cards.

If the payment card industry was serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this blog posting.

Tuesday, 2 February 2010

A Cyberwarfare Warning: Greater Manchester Police & Conficker

In the information age our Police forces increasingly relies on their IT systems to help them perform their duties, these IT systems hold citizen’s most personal sensitive information. Given the nature of “Police Business” you would think Her Majesty’s finest would be pretty good at IT Security, but apparently not. One of the largest Police forces in the UK, Greater Manchester Police (GMP), were forced to disconnect their IT systems from the national Police systems, after their IT systems had been discovered to be riddled with the Conficker WORM. This nasty piece of malware has been around since 2008, however all the anti-virus systems I know of, has been protecting IT systems against it since just after Conficker’s release.

From School Children and to Silver Surfers, most people realise and understand the importance of having Anti-Virus software installed on their PCs, and the importance of keeping their Anti-Virus up to date. Installing Anti-Virus protection onto all Windows based operating systems and keeping it up to date is a very basic of best practices. Clearly this was not being achieved by the GMP, it was reported that much of their IT systems were infected with Conficker on Friday 29 January 2010, to such an extent they had to disconnected all their systems from the national police systems for several days, rendering GMP less effective. For instance GMP officers had to request checks on names and vehicles from neighbouring policy forces.

What I find particularly concerning about this successful attack, aside from the possible breach of highly sensitive information, which is a real risk of Conficker; is just how simple it is to take out key IT Systems leading to a direct impact on a pillar stone of our society’s infrastructure.
Previously Conficker also hit IT Systems at the Houses of Parliament, Hospitals in Sheffield and cost Manchester City Council £1.5 Million, although some might say preventing Manchester City Council from issuing hundreds of motoring penalty notices in time due to Conficker knocking out it's IT systems was a bit of a blessing.

In this day and age we tend to take for granted our increasing reliance on IT systems, in terms of cyber attacks against our national infrastructure, this is a very real and increasing risk, and there has already been several examples of international cyber attacks. This latest Conficker outbreak at the GMP should serve as a real warning to the UK Government. Whether it’s our national power grid, banking infrastructure, telecoms, air traffic control, or even key online servers and websites, cyber attacks can really hurt us and our economy.

It is more than feasible that cyber terrorists could make the next "Conficker" type WORM, to specifically target key infrastructure IT systems. The damage could be done before Anti-Virus and OS vendors can respond with a solution. At the end of the day Anti-Virus is reactionary and a "stick on a plaster" approach to security, meanwhile tens of thousands of new vulnerabilities are found in Operating Systems and Applications on a yearly basis. This increasingly vulnerability trend which will continue to rise despite the usual vendor hype of "this is our most secure platform ever". We saw this just two weeks ago with the actively exploited vulnerability in the latest version of Internet Explorer, indeed this took several days to be patched, or is that plastered.
The UK Government are responsible for protecting the country's key infrastructure, however I’m afraid to say the UK Government is doing very little to address this threat at present, unlike across the pond where Barak Obama recently appointed Howard Schmidt as their Cyber Tsar, to help tackle these types of risks. Just a few months ago I was speaking with Howard about this very subject; he didn’t disagree with me when I stated that I believe it’s just a matter of time before we see a Cyber 911.