Friday 28 January 2011

Andy Gray & Richard Keys Sky Sports Data Breach

First of all let me just stress I certainly do not approve of any of the sexist remarks made by Andy Gray and Richard Keys on Sky Sports last weekend (21st Jan 11). I have been watching live football nearly all my life and I have seen some really bad football officials in my time. I really don’t care about a football official’s gender, as long as they are the best officials for the job. Believe it or not, Premier League officials are ruthlessly vetted and monitored to ensure they are the best of the best. Indeed it is said women are better at multi-tasking than men, that may be considered a sexist remark in itself, but if this were true, then ladies are going to make better ‘lines-people’ than men, anyone who’s tried being a linesman will know it is about monitoring several things at the same time, I can tell you it’s not an easy job.

Anyway what business has the dismissal of Andy Gray and the resignation of Richard Keys from Sky Sports got to do with a ‘Security’ Blog. Well actually a lot, as something important has been missed by the media, probably because the media actually played a hand with this ‘something’ occurring in the first place. The mystical something at the centre of the whole story, is a breach of Sky’s information security. An insider of Sky has stolen Sky company information, namely a private recording of their football commentators, and then either passed or likely sold it to a newspaper for personal profit. I don’t know whether the recording was actually sold or not, but it’s fair to assume it was as no one is saying otherwise. If the stolen recording was sold for personal profit rather than being a whistle blowing exercise, then it really puts a whole new sinister slant on the whole affair. The ethics of which becomes even more murky when you consider the current fallout with the UK media involvement with phone hacking celebrities and politicians.

Thought Police
Personal privacy in the workplace also comes into play. Andy Gray and Richard Keys did not make their sexist remarks on air to the public, but in a seemingly private conversation. However, this conversation did occur ‘in the workplace’, and there are workplace discrimination laws against the use of such language. But it appears the Sky Sports commentators were unaware their conversation was being recorded. Look at it this way, I am sure the average office worker would deem it completely unacceptable to be recorded in their workplace, especially if those recordings were secretly analysed and then used against them. Their private comments were wrong, but I really doubt if everyone is perfect in this day and age, even an innocent phrase you really don’t fully understand can turn out to be offensive to someone. I remember many years ago being told off for using the phrase “brain-storming”, as it is a term which is offensive to people with mental disabilities. The choppy waters of political correctness, the right to freedom of speech and the ‘Thought Police’ are certainly full of pitfalls, and really brings into question how we define individuals privacy rights, it is starting to feel a little too Orwellian 1984 to me. I am sure Sky like most large UK based companies, provide all their staff with regular discrimination in the workplace training, so you could say the commentators should of known better, but to be balanced, I am sure Sky also have a whistle blowing and employee grievance process as well.

I think this whole affair is politically charged, as in the background we have Rupert Murdoch’s media empire’s intended takeover of Sky, so it is not surprising Richard Keys said “dark forces” were at work.
The Inside Threat Lesson
The lesson as a security professional, is hackers may well get all the limelight and write the media headlines, but in 2011 the greater security threat to a business comes from the inside. Whether a disgruntled employee, or an information thief employee out to make a quick buck, these are the everyday threats. Yet many companies continue to pay the price for these types of insider breaches, either by burying their heads in the sand and ignoring the problem, or not having the clarity to understand how to mitigate these type risk their own employees create. Just consider for minute, when you left you last job did you take any company confidential information with you? Most employees steal company confidential information, especially just before leaving the company, (http://www.pcworld.com/businesscenter/article/160041/nearly_twothirds_of_exemployees_steal_data_on_the_way_out.html). Yet many companies continue to ignore or tolerate this. This is bad business practice in the information age, as company information is a business asset, it has a real value to the business, therefore it needs to be protected, and it can actually be protected.

Tuesday 25 January 2011

Lush Credit Card Data Breach

Before I go into my thoughts on the recent Lush website credit card data breach, I have some important advice to all Lush online customers. If you have bought anything from the www.lush.co.uk website between October 2010 and January 2011, and even if you think your credit or debit card hasn’t been fraudulently used, you must consider your credit or debit card to be compromised, so cancel your card and have it replaced. Also note this breach does not affect anyone who used credit or debit cards over the counter at Lush shops, as it’s an entirely different payment system.
When Lush announced their website, www.lush.co.uk had been successfully hacked last week (21 Jan 11), leading to thousands of their customer’s credit card details being stolen, I was genuinely surprised. I wasn’t surprised that yet another UK online business had completely shirked their responsibilities, in not properly protecting their customer’s information by neglecting one of the most basic of web application security vulnerabilities, and their compliance to the Payment Card Industry Data Security Standard (PCI DSS). What surprised me was unlike the other 99 in 100 UK companies that get successfully breached with such attacks, Lush decided to tell the world about their negligence. Yes Lush in my view were most certainly negligent, as the SQL web application vulnerability which is very likely to have led to the theft of their customer card details, is a vulnerability which has been around for over a decade. Negligent as if Lush they were PCI DSS compliant as they are required to be in accepting payments online, or even made a decent effort to become PCI DSS compliant, then such a simple web application vulnerability flaw would of been almost certainly weeded out.

Many within the payment card industry would consider Lush has been naive in announcing their breach publically, as they really don't have to, even Visa and MasterCard dislike the bad publicity public disclosure of payment card breaches brings to their brands. This is precisely why the vast majority of credit card breaches in the UK are not publically known about, typically only the ones in the public sector makes news, perhaps Lush had been misadvised I actually applaud such public announcements, as I strongly believe publicizing such breaches is the best way to raise awareness and to ensure others can be educated from the mistakes, as these mistakes are being repeated over and over.
However Lush’s breach announcement leaves me with a real bad bath bomb taste in my mouth, not because their language is so cheery, which would personally really annoy me if they were responsible for compromising my credit card, causing needles stress and inconvenience, and possibly even financial loss. It wasn’t that, but it was their direct message to the hacker responsible which they posted on their website, this message was nothing less than a pat on the back to the criminal responsible for the data theft. It certainly doesn’t take a formidable hacker to take advantage of weak web application security, in fact any semi-IT iterate school boy is capable. For me the blame lies a lot more with Lush than their hacker. For instance if I left my car keys in my unlocked car on a public street and my car got stolen, my insurance company wouldn’t pay out a penny, while the police would almost certainly point the finger of blame on myself. Same thing here, if you don’t securely code your web application (website) and do not follow the PCI DSS requirements, yes PCI DSS is mandatory for any business accepting card payments, then just like the car with the car keys left in the ignition, it is pretty clear where the fault and blame lies.

Perhaps Lush won’t be so cheery when they assess how much this breach will cost their business. Aside from the loss of customer trust, they will be facing fines which will include the cost of replacing their customer’s stolen credit cards, forensic investigations and an independent level PCI DSS level 1 assessment. In the meantime Lush will be outsourcing all of their online payments to PayPal, which will make credit card payments online with Lush safe, assuming you are willing to take your business to them.

Thursday 20 January 2011

Is Club Penguin Safe for my Child?

Disney’s Club Penguin is an online multiplayer game with social networking elements. Played by 6 to 14 year olds, Club Penguin is accessed and played through any web browser. Each player logs into the game with their own account, and plays in the Club Penguin ‘game world’ as their own specific Penguin character. Players use their Penguin avatar to play a series of games within the Club Penguin world, which in turn earns them in-game money which they can use to buy accessories for their Penguin character. While playing players can see other players’s Penguins in the game world and can interact with them.

Club Penguin: Online Multiplayer

Beware of the in game Chat Capability
The player interaction, specially the ability to chat with other players is the prime area to be concerned about as a parent, as typically a child’s usage of Club Penguin goes unmonitored. I find most parents aren’t always by the side of their child when they play the game, and I even had one parent tell me she thought Club Penguin was just a regular single game, she didn’t realise other players played it as the same time. When a child signs up to join Club Penguin, an Email is sent to the parent asking for permission for their child to play the game, assuming the child didn’t provide their own email address instead of their parent’s email address. During this confirmation process, the parent is provided with a choice of ‘Ultimate Safe Chat’ and ‘Standard Safe Chat’, with the latter being selected on by default. Ultimate Safe Chat means your child cannot send or receive any typed messages from other players, they can only select from a predefined set menu of greetings to interact with other players in the game world. With Standard Safe Chat, typed message can be sent and received with other in-game players, although these messages are filtered by Disney.

Confirmation & Safe Chat Selection

Standard Safe Chat
Credit where credit is due, Disney do a lot behind the scenes to ensure Club Penguin is safe and savoury for very young children, as after all it is in their interest not have their brand name and game's reputation tarnished, this games does require parents to pay for a subscription. With Standard Safe Chat Disney use specialist filtering of all typed in messages, which not only prevents swearing, but prevents the revelation of a player’s personal information, so information like real names, phone numbers, email addresses are blocked. Disney also use moderators to patrol their game worlds and have a panic button (top right of the screen) to report players to a moderator, which is good to see. More information can be found on this Club Penguin webpage - http://www.clubpenguin.com/parents/player_safety.htm

What should I select Ultimate or Standard Safe Chat?
Well this all depends on your own view on risk, in my view, if you are concerned and do have a pre-teen child that plays Club Penguin unmonitored I would recommend selecting Ultimate Safe Chat. However if you do trust Disney’s chat filtering and monitoring, and keep a regular eye on what your child is doing within the game and like the idea of child chatting, then select Standard Safe Chat. If you do choose Standard Safe Chat, be vigilant in what child is doing in the game, see if they are spending time playing the games or chatting, look out for excessive typing on the keyboard. In my study I found younger children who play Club Penguin like to find and chat with their real world friends who also play the game, rather than players they do not know. The game does allow players to keep a ‘friends list’ of up 100 players, if you child has more than 10 friends on their friend’s list, you should take a closer look at what they are doing socially in the game. My last but by far my most important advise on Standard Safe Chat, is to ensure you sit down and educate your child, tell them what is acceptable to say and what is not acceptable to say in chat, don't rely on the Disney filtering, as this education will serve them well in future years, as inevitability they will move onto the major social networking sites like Facebook.

Account Name and Password
It is important to ensure your child does not share their Club Penguin password with anyone, even their friends. No one, not even Club Penguin support will ever ask for a Club Penguin account password. This is a really good opportunity to teach young children about using online accounts and passwords safely. I also wouldn’t recommend letting your child play Club Penguin anywhere outside the home, a shared computer with Club Penguin is a no-no and increases the risk of the account being compromised. As part of the authorisation process, parents can also create own Club Penguin parent account, which allows the parent to monitor some of your child’s activity in the game.  There is also a nice option of restricting the amount of time in hours your child can play Club Penguin.

The benefits in letting your child play Club Penguin far outweighs the risks in my view. Anything that encourages children to use the Internet and read at any age, while learning about online account/password safety and social networking safety can only be good, just make sure you sit down with your child and understand fully what they are doing online and educate them appropriately.