Tuesday 4 December 2012

UK InfoSec Review for November 2012

Vital Microsoft (4 critical) and Adobe (7 critical flash) Security patches released this month.
  • Adobe have joined Microsoft in with releasing patches on Microsoft’s Patch Tuesdays, such is the regularity of new vulnerabilities that are found in their applications.
Fraudulent Westminster Council parking charge emails sent
  • At least 800 fraudulent emails have been sent telling people they owe Westminster Council money for parking.
  • Westminster's contractor, PayByPhone, said it had been the victim of a phishing scam. 
  • The council said it had received complaints from 800 people saying they had received fraudulent emails. However, it could not provide an estimate for the number of emails that had been sent out. 
  • Spam Emails are becoming more sophisticated and believable to end consumers, with attacks become more targeted against organisations, and personalised using stolen information. It is worth noting consumers and media can place blame at organisations for such attacks, as in this case.
Police arrest man over Home Office Distributed Denial of Service Attacks
  • Police have arrested a 41-year-old man in connection with distributed denial-of-service attacks against the websites of the Home Office and home secretary Theresa May.
  •  The Anonymous hacktivist group claimed to have launched a series of distributed denial-of-service (DDoS) attacks against the Home Office and Theresa May in April this year.
Sophos multiple critical flaws flagged by researcher
  • Google researcher said that security professionals should "exclude Sophos products from consideration for high value networks and assets" and "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
  • UK police have arrested three men suspected of being involved in thousands of phishing attacks on banking customers.
  • One Nigerian and two Romanian men were arrested at a central London hotel on conspiracy to defraud and money laundering charges.
  • The three men were allegedly involved in an operation that placed over 2,000 phishing pages on the internet
For Sale: Cheap access to corporate computers
  • Cyber-criminals are openly selling illegal access to the computer networks of many of the world's biggest companies.
  • One website called Dedicatexpress offers 17,000 server, with about 300,000 servers listed since the site started in 2010
  • List includes UK company servers for sale
  • Burglars seem to be exploiting a bug in widely used electronic key card door locks to steal from hotels.
  • Insurance firms said they expected to be "hit hard" as knowledge of the hack spread among professional thieves. 
  • UK swipe card systems are said to be also threaten by this and other similar vulnerabilities
Gartner warning on cloud security: Outages are bigger risk than breaches
  • Gartner analyst says the biggest concern should not be that data could be compromised in the cloud, but rather that there may be a cloud outage that could lead to data loss. 
  • Amazon Web Services, the market-leading cloud provider, has experienced three major outages in the past two years. After an April 2011 Elastic Compute Cloud (EC2) outage, some level of data was irrecoverable.
Lockheed Martin admits to growth in number of attacks on its networks
  • Defence contractor Lockheed Martin has reported a ‘dramatic growth' in the number and sophistication of cyber attacks on its networks. 
  • The attacks are ‘international' and attackers were clearly targeting Lockheed suppliers to gain access to information since the company had fortified its own networks. 
  • RSA said 20 per cent of the threats were considered to be advanced persistent threats (APT) and had increased dramatically over the last few years. 
  • Sophisticated cyber attacks are on the rise and present an increasing and persistent risk across UK plc. UK businesses must not be complacent about cyber attacks, as it is often said all FTSE 100 companies are primary targets by nation states and are actively being attacked, whether the companies realise these attacks are occurring, is another issue (monitoring).
  • A zero-day flaw that can be used as a vector to bypass sandboxing in Adobe Reader X and XI has been circulating on cyber crime forums, according to Russian forensics company Group-IB. 
  • Adobe introduced 'Adobe Protected Mode' sandboxing in October as part of an effort to improve Adobe Reader security. 
  • The flaw is advertised for sale for between $30,000 and $50,000, and is being included in versions of the Blackhole exploit kit 
  • The Blackhole exploit kit is often used to distribute banking Trojans such as Zeus, Spy Eye, Carberp and Citadel.
  • This vulnerability is yet to be patched
Kaspersky publish Top Ten Vulnerabilities List
  • The Security Patching of non-Microsoft applications such as Adobe Reader and Oracle Java on all Desktop and Laptops are a key area to validate within business Patch Management processes.
  • UK companies tend to patch Microsoft products pretty well but neglect other common desktop applications by Adobe and Oracle, which are rife with serious vulnerabilities if left unpatched.
1.    Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical.
2.    Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
3.    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical.
4.    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical.
5.    Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
6.    Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
7.    Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
8.    Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
9.    Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
10.  Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical.

XSS remains the most frequently attacked website flaw according to FireHost
  • The third quarter of 2012 showed another increase in attacks against cross-site scripting (XSS) flaws on websites. 
  • Analysis of 15 million cyber attacks by FireHost users found XSS, directory traversals, SQL injections, and cross-site request forgery (CSRF) attacks to be the most serious and frequent and are part of FireHost's 'Superfecta' group. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.
  • The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.

Monday 3 December 2012

UK Data Protection Review for November 2012

ICO serves Prudential with a £50,000 fine after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. 
  • This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss, but is against not ensuring the customer information held was accurate and kept up-to-date 
  • The original error was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007.
  • The accounts remained confused for more than three years, and the problem was only resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

ICO fines Plymouth City Council £60,000 for sending child neglect report to wrong person
  • The report included highly sensitive personal information about two parents and four children, notably allegations of child neglect resulting in ongoing care proceedings.
  • An investigation by the ICO found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.
  • ICO stated although caused by human error, consider that the company hadn’t taken enough care when handling vulnerable people’s sensitive information.
  • ICO stated “The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that

ICO served monetary penalties totalling £440,000 on two owners of a marketing company which has plagued the public with millions of  spam texts over the past three years
  • Fine for breaching Privacy and Electronic Communications Regulations (PECR), which was approved in January 2012
  • The largest ICO fine to data
  • The ICO is also currently considering issuing penalties to three other companies believed to be acting in breach of the regulations as the office continues its crackdown on the illegal marketing industry.
  • All marketing by text message, email and mailshots, always are fully compliant with the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).

  • Media reports suggest organisations have considered using a “loophole” to avoid data breach fines – by asking the privacy regulator, the Information Commissioner’s Office (ICO), to audit them when they already know personal data has been lost or stolen.
  • The ICO have said not to fine any company for breaches of the Data Protection Act if they are discovered during a voluntary audit. It appears that no matter how badly a company has performed, if the poor practice comes to light during an audit, the perpetrator won’t have to pay up

Wednesday 28 November 2012

Text Spammings, Finally an ICO Fine of Merit

Today the Information Commissioner's Office (ICO) announced a record fine of £440,000 against the owners of Tetrus Telecoms. The ICO stated the Manchester based Tetrus Telecoms, were responsible for sending millions of unsolicited text messages using unregistered SIM cards, and personal data gained illegally.  Tetrus Telecoms were said to be sending 840,000 spam text messages a day promoting PPI claims and accident compensation claims, in the hope of earning a referral fee should any of the recipients respond. These referral fees netted the text spammers £8,000 a day. This is a lot of easy money, but it does mean 99.9% of those receiving the texts didn't reply, and so didn't want the text message in the first place.
Who hasn't had a PPI Text Message this year?

Finally the ICO dishes out a fine which is close to their maximum amount of £500K. Often criticised as a toothless tiger, the ICO fines are really hit and miss, however this £440K fine is the highest amount levied to date.

Finally a significant fine amount from the ICO against the owners of a private company. I don't agree with the past ICO six figure fines against public sector organisations, such as local authorities and the NHS, as in affect the ICO are taking money out of the public purse. Not great especially in these tough economic times, as these fines hit budgets, which in turn hit the provision public services. Negative publicity and pressure on organisation leaders, are the more appropriate method in dealing with publicly funded organisations that breach the Data Protection Act (DPA). Furthermore public sector fines appear not to be too much of a deterrent, as the NHS and local authorities continue to breach the DPA regularly  Private business are motivated by financial penalties hitting their profit margins, but the private sector do not have to disclose DPA breaches to the ICO. Also if a business volunteers for an ICO audit, they appear to be handed a "get out of jail free card" for any data breaches they knowingly have incurred. Businesses Consider Abusing ICO Data Breach Fine ‘Loophole’

ICO: Inconsistent enforcement action

Finally the ICO gets tough with text spammers, an issue which the vast majority of the UK public actually do really care about. Who doesn't hate being bombarded with streams of PPI text messages on our mobiles? Most people have received loads of these unwanted texts this year, wondering why such messages are allowed to be sent.  But it does beg the question, why has it taken the ICO so long to deal with text spamming, and what about phone call and email spamming which are equally rife. There are many other UK based illegal spamming operations in play, isn't it in the public interest to have these tackled as well?

Friday 9 November 2012

The Death of PCI: Two-Factor Online Payments

Back in September 2007, I attended the inaugural Payment Cards Industry Security Standards Council (PCI SSC) Community Meeting in Toronto.  These were the days before PCI was big business, there must of been only a couple of hundred people at the event in a typical down town Hotel in Toronto.  PCI was still finding its feet, the PCI SSC Board members spent most of the event being grilled by delegates brimming with questions about the PCI standard, and it is fair to say some delegates weren't happy chappies at all. I took the opportunity of asking SSC Board members several questions myself, looking back today some of my questions could be seen as rather naive, given who is behind setting up the PCI SSC and why. 

I asked why PCI SSC doesn't just regulate the card issuers, challenge them with a standard to secure the cards and cardholder data to a higher degree, instead of passing the buck onto to everyone else in the industry. I explained how in Europe we had just started using a new two-factor authentication system, Chip and Pin, which was already dramatically cutting face-to-face card fraud (known as cardholder-present transactions). I argued they just needed to replicate the two-factor authentication for when we couldn't prove a person (cardholder) was in possession of a payment card, specifically with telephone, online and perhaps mail order payments (known as cardholder-not-present or MOTO payments).  My point was the industry should be focusing on updating the plastic card technology itself, which had been standing still for decades with its 1970s magnetic strip holding sensitive card data on the back, wasn't it time to evolve the technology and make the cardholder data itself worthless, in order to combat card fraud more effectively? 
Magnetic Strip
Of course these questions and points all fell onto deaf ears, as the PCI SSC is about regulating cardholder data beyond the card issuers, passing the failing and fraud cost of weakly secured plastic cards onto the Payment Processors and Retailers, that need to process them for payments.  The one big downside to PCI DSS, is companies are paying to protect someone else's data, as cardholder belongs to the card brands (i.e. Visa, MasterCard, Amex), and not to the cardholders. My gripe is companies invest more in protecting someone else's data better than they do their own confidential information, and more importantly more than other people's personal sensitive data. This often leads to their information security budgets being plundered by PCI programmes in order to protect card brand's data at the expensive of protecting citizen's personal data.

Five years on from that Toronto meeting, it is clear for many years now, that Chip & Pin (EMV) works in cutting cardholder present fraud, every Information Security professional knows the benefits in using a two-factor authentication system. Only now has North America finally started to push Chip & Pin for cardholder present transactions following the European success, could the penny have finally dropped? Are card brands and card issuers now seriously thinking about using two-factor authentication to protect online transactions from fraud as well?

To secure online transactions in the same way as Chip & Pin, you need to ensure the cardholder is in possession of their card. This can be accomplished by using a unique number generator onto a thin LCD screen on the card itself, this card number. This one time number can be generated using a timed encryption sequence  which creates a unique number valid only for a limited time. This number can be keyed in or spoken by the cardholder, and so used to corroborate the payment card itself is in possession of a cardholder. Further the security could be seriously ramped up by first requiring the cardholder to type in their PIN on the card itself before generating the number. This gives a two-factor authentication for online and telephone payments (MOTO), both proof of possession of the card (something you have), and the cardholder must know their PIN number (something you know), well recently both Visa Europe and MasterCard have announced new cards that do just that.

MasterCard's Two-Factor Payment Card

Visa's Two-Factor Payment Card

Why we want one of those
Most card consumers don't want gimmicky pictures of themselves on their payment cards, we want two-authentication for all our card payments, not just at the checkout. Why? because consumers actually do care about having their accounts hit by fraudulent transactions, and do want to be decently protected, as when all is said and done, all consumers foot both the card fraud bill and the retailers PCI bill. These new generation of cards present dealing with the root cause of the card fraud problem, the weakly secured plastic itself, and has to be the best way forward.

Death of PCI
For retailers, if all cards switched to two-factor authentication completely, it could finally mean they don't need to protect cardholder data, certainly not to the same degree at present, which really could spell the death of PCI. We'll have to wait and see before this 'not new' technology takes off in the industry, but I don't think PCI DSS will be around a decade from now.

Saturday 3 November 2012

4 Ways Your Child is Vulnerable to Identity Theft

Scary American made awareness video on Child identity theft by Good Money.  It's titled "5 Ways", but it's actually 4 ways for UK parents, we can ignore number 2 on Social Security numbers.

My recommendation is to educate and monitor your children/teenagers online activity, and teach them to secure their personal information digital footprint online.

5 Ways Your Child is Vulnerable to Identity Theft Online from Good Money by CreditScore.net on Vimeo.

According to the United States Bureau of Justice Statistics, in 2010, 7% or “8.6 million households had at least one member age 12 or older who experienced one or more types of identity theft victimization.” But identity theft is not just reserved for tweens and adults. In this age of information, children are increasingly vulnerable to the same kinds of attacks that cripple credit scores and bust bank accounts. Check out this video to learn about five ways you could be exposing your child’s sensitive information to identity theft.

Friday 2 November 2012

UK InfoSec Review for October 2012

UK Police net suspected phishing gang http://www.scmagazineuk.com/police-net-suspected-phishing-gang/article/266148/
  • UK police have arrested three men suspected of being involved in thousands of phishing attacks on banking customers.
  • One Nigerian and two Romanian men were arrested at a central London hotel on conspiracy to defraud and money laundering charges.
  •  The three men were allegedly involved in an operation that placed over 2,000 phishing pages on the internet
XSS remains the most frequently attacked website flaw according to FireHost http://www.securityweek.com/cross-site-attacks-rise-top-q3-says-firehost
  • The third quarter of 2012 showed another increase in attacks against cross-site scripting (XSS) flaws on websites.
  • Analysis of 15 million cyber attacks by FireHost users found XSS, directory traversals, SQL injections, and cross-site request forgery (CSRF) attacks to be the most serious and frequent and are part of FireHost's 'Superfecta' group. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.
  • The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.
Android apps 'leak' personal details http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
  • Android apps can be tricked into revealing personal data, research indicates.
  • Scientists tested 13,500 Android apps and found almost 8% failed to protect bank account and social media logins.
  • These apps failed to implement standard scrambling systems, allowing "man-in-the-middle" attacks to reveal data that passes back and forth when devices communicate with websites.
  • The usage of Android in BYOD schemes by businesses, this is a risk to investigate further
Cost and education are the biggest hindrances and failings around PCI compliance according to Vigitrust survey
Microsoft rejects digital certificates with fewer than 1024 bits
  • Microsoft Security Advisory: Update for minimum certificate key length http://technet.microsoft.com/en-us/security/advisory/2661254
  • Microsoft said that certificates with RSA keys less than 1024 bits in length will be blocked. Microsoft has recommended that people using RSA keys should choose a key length of at least 1024 bits after it spotted a number of digital certificates that did not meet its standard for security practices
  • I recommend business adopt 2048 bit certificates by default with all applications and service
EU and banks stage DDoS cyber-attack exercise
  • The European Union has responded to an increase in the number of Distributed Denial of Service (DDoS) attacks with its biggest cybersecurity exercise.
  • Enisa (European Network and Information Security Agency), which is co-ordinating the event, said 25 nations actively participated in the practice run in October, and a further four countries were observing. But it would not specify the names of the states or organisations involved.
  • DDoS attacks have been increasing in the couple of years

Thursday 1 November 2012

UK Data Protection Review for October 2012

ICO fines Stoke-on-Trent City Council £120,000 after sensitive information about a child protection legal case was emailed to the wrong person
  •  11 emails containing sensitive information relating to the care of children were sent to the wrong address by Council employees
  • The fact the Email and attachments were not encryption protected was the root cause of the seriousness of the incident, leading to the high fine. An encrypted file cannot be opened by unintended recipient, therefore it is best practise to use file encryption on any document contain sensitive personal information sent outside a company infrastructure via email.
ICO fines Greater Manchester Police £150,000 following the theft of a memory stick holding sensitive personal data from an police officer’s home
  • The ICO action was prompted by the theft of a memory stick containing sensitive personal data from a police officer’s home. The memory stick was not encrypted and contained details of more than a thousand people with links to serious crime investigations.
  •  The ICO found that a number of police officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
ICO serve a £70,000 monetary penalty to Norwood Ravenswood after sensitive information about four children was lost after being left outside of a house
  • A social worker, who worked for Norwood Ravenswood, left the detailed reports at the side of the house on 5 December 2011, after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned to the property the reports were gone. The information has never been recovered.
  • The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters.
  • In this case the lack of data protection awareness training provided to the social worker was identified as the root cause of the incident; therefore the business was held to account and fined.
ICO release a statement stating it was concerned with personal data protection within local government and the NHS
  • The ICO published four reports which summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.
  • In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fair little better with two out of 11 organisations achieving the highest level of assurance.
ICO issues two monetary penalties over £250,000 to two marketers responsible for distributing millions of spam texts
  • Spamming is just wrong, especially all those PPI text messages going around at the moment, nice to see the ICO attempt to go after someone for it doing

Friday 26 October 2012

Social Media Witch Hunting

Last Friday evening (19th October 2012), I was at home watching a football match between Leeds United and Sheffield Wednesday. You could feel the bitter rivalry between the teams through the tv, both on the pitch and with the crowd atmosphere, which in all honestly added to the entertainment as a neutral watching it, as football played with passion rarely fails not to entertain. Sheffield Wednesday had taken the lead just before the end of the first half, but with 12 minutes from the end of the game, Leeds equalised. Then several Leeds supporters spilled onto the pitch behind the Wednesday goal, then one Leeds fan ran around the goal and up to the Wednesday goalkeeper Chris Kirkland, the fan raised his hands and shoved the keeper in the face, knocking the keeper to the ground for several minutes.

Outrage: Chris Kirkland Assaulted Live on TV

This sort of incident is extremely rare in the English game, unlike other European countries, fans are "trusted" not to encourage onto the pitch due to safety reasons, and fans aren't fenced off from the pitch. Which is one of the reasons why this incident had outraged 99% of English football fans, regardless of their club loyalty.  However it is what happened next in the virtual world that really intrigues.

Within minutes the incident had made headlines on news media websites, not just the sports pages, but the main news, which displayed pictures of the incident and a close up picture of the culprit. Even before the final whistle had blown at the match, comments on these media websites and within football forums had placed claim to the culprits identity, along with links to the culprit's Facebook page, which had no privacy set, and to a twitter account in the culprits name.
As you would expect malicious comments were posted by outraged football fans to these Facebook page and to Twitter accounts. In fact the culprits name started to trend on Twitter, meanwhile telephone numbers and an address for the culprit started to appear in posts.  But there was a problem, the twitter account being touted for hatred, @aaroncawley1 didn't actually belong to the culprit, but to a Liverpool fan who just happened to share the same name, nether-the-less this innocent person was subjected to loads of terrible comments on Twitter.
I have seen this reaction before, and this is my main point, these online witch hunts are not uncommon. Malicious people or trolls, tend to be cowards online and try to conceal their identity, typically they will either steal an identity or just make one up, anyone can set-up a Facebook page, using any name and even build a profile based on someone else.  Using such a profile to launch a troll attack can result in a similar witch hunt response, that can turn another innocence person into a victim.  So my message for those who go after trolls to seek justice, don't blindly witch hunt and assume you the found the culprit's actual online identity, remember stealing social media identities is child play, if someone is out to do harm online, 99 times out of 100, they tend to do it anonymously with a false identity, so do not assume you have found the correct person. Even if the profile ticks all the boxes, for all you know you are dealing with someone else's stolen identity. It is extremely difficult to corroborate an online identity to an actual physical person, in the physical world. It is easy to be fooled by pictures, convincing you that you are dealing with a specific individual, this is due to our human natural social behaviour.

Thursday 25 October 2012

PCI SSC Community Meeting Dublin 2012 Review

I attended the Payment Card Industry Security Standards Council (PCI SSC) Community Meeting in Dublin this week, in all honestly there isn't a lot happening with PCI SSC Standards at the moment, namely, PCI DSS, PA-DSS and PTS, and I will explain why.

Firstly the PCI SSC and PCI DSS has been around for many years now, I was at the inaugural SSC community meeting in Toronto in 2007. Since then the PCI standard has only undergone a few fairly minor changes, don't be fooled with PCI SSC's version control process i.e. PCI DSS V1.21 to V2.0. We can certainly expect PCI DSS Version V3.0 next year. The actual changes since the original release of PCI DSS are minor, so in essence we have a mature and highly static data security best practice standard.

Secondly, over the last 6 years PCI SSC has provided reams of guidance, FAQs and have improved how they communicate with those within the payment card industry trying to comply. Again this has matured,  there just aren't any new questions anyone is posing which haven't already been answered in PCI SSC online library of information.

Finally technological solutions which vastly aid the descoping of payment cardholder data (CHD) environments, so making PCI DSS compliance much easier obtain are no longer new. Whether tokenization, point-to-point encryption (P2PE) or Semafone's call recording solution which eliminates cardholder data within call centres, and so cuts call centre fraud risk significantly, are no longer new concepts to be explored and understood, but are tried and tested solutions in the field.  Even the problem platform of mobile payments is nothing new. By the way the PCI SSC are clear on this, they consider no mobile platform to be secure, therefore no payment application created to run on mobile can be PA-DSS, which jeopardises the PCI DSS compliance of any company deploying Apps which stores/process cardholder data on mobile devices. I should point out that PCI PTS approved readers connected to mobile devices, which used point-to-point encryption from the hardware reader device, are endorsed by the PCI SSC for usage with mobile.

Mobile Payments Usage is Exploding, but how many are PCI compliant?

What to expect with PCI DSS V3.0
Well we will have to wait until the North American Community meeting in Las Vegas in September 2013.  I tried my best to find out what changes PCI SSC have in store from various PCI SSC board members I know. As I believe SSC board do have an idea about what will be changed within PCI DSS, even though the standard process is still in a "feedback stage".  But it was like getting blood from a stone, even after several pints of the Irish black stuff they all remained tight lipped.  Personally, I think we'll see very little changes with PCI DSS V3.0. Sure some security vendors would like to see new requirements to help them sell solutions such as cardholder discovery (card data searching), but that isn't going to happen in my opinion. I do expect some changes with the PCI DSS Self Assessment Questionnaire (SAQ).  I think SAQs should be "rebooted", made to be more small merchant (retailer) friendly and clearer, especially as most of the card fraud at the moment is occurring with level 4 (small) merchants. In these breach instances merchants have been found to not correctly complying, or even attempting to comply with PCI DSS. We'll have to wait until Q3 2013 when PCI DSS V.3.0 is released.

Exhibition Hall

Key moments from the Community
So nothing really happening with PCI DSS, PA-DSS, PCI PTS, but there were some excellent presentations from the community meeting, these are my main highlights.

Mark Gallagher, the former Head of Cosworth’s Forumla 1 Business Unit, Head of Commercial Affairs at Jaguar / Red Bull Racing and Marketing Director at Jordan Grand Prix, was the keynote speaker at the event. His F1 risk management focus talk was superb, especially if you were a petrol head or F1 fan.
Mark Gallagher F1 Cosworth, Jaguar, Red Bull, Jordan

Mark had some great stories about Lewis Hamilton's rise from a 10 year old boy, to F1 World Champion, lessons learn from Ayrton Senna fatal crash, and a highly insightful yet some what information security industry familiar, F1 approach to risk management, not just with the cars but with processes, and the people maintaining and driving the cars. Technology, processes and people, now where have we heard that before.

Nicholas Percoco, Senior Vice President and founder of Trustwave SpiderLabs, talked about the mobile threat to cardholder data, and showed several examples of mobile device hacks.  Scary demonstrations indeed, therefore no wonder the PCI DSS states no mobile device can be considered a secure platform for payments  unless they are using a PTS approved card reader.
Nicholas Percoco on the Mobile Threat

Andy Bontoft, Foregenix co-founder and lead forensic investigator, gave an excellent and gripping presentation about what he had seen in the course of investigating numerous card data breaches around the world.   I always say the most difficult challenge facing card data hackers, is not getting into the systems, but extracting the cardholder data out.
Foregenix Investigations of card breaches

So when Andy described how he spotted the usage of a small website  image file to extract cardholder data, I was really intrigued. The hacker used a small graphic file on the website, and appended cardholder data to the image file parameters, then automated a cardholder data collection and clean up of the file on a periodic basis.
Foregenix Investigation: Hiding credit cards within files

Sky and Semafone presented separately about call centre fraud, and the usage of Semafone's solution which removes cardholder data from call centre environments. The solution allows call operators to remain on the call, while customers type in their card details on their phone keypads, the operator only hears a normal tone for each key press and doesn't see the card number on their systems, so removing cardholder data from their view, their local computer, servers, network infrastructure, and the phone system including the call recording. The Semafone solution not only descopes the call centre environment from expensive PCI DSS compliance IT technologies, but removes the opportunity for call centre fraud, and allows companies like Sky to provide better working conditions for their employees, such as allowing Facebook access and personal mobile phones at operator's desks, as the risk of internal cardholder fraud is virtually gone.

The networking at the event was excellent as always, I made new friends and caught up with many old friends within the industry, so until next year...

Monday 15 October 2012

RSA Conference Europe 2012 Review

A conference is only as good as its speakers, specifically the speaker's subject matter expertise, presentation subject and presenting ability, in this the RSA Conference Europe succeeds where many others conferences fail miserably. The best InfoSec speakers do not regurgitate topics with arrogance, repeating empty messages to sell products and services. No, the best speakers converse with their fellow information security professionals at the same level, informing and exploring the latest and future issues that will matter to business. Speakers are not bound and gagged by their company sales and marketing reps, are free to share and open up new ideas, new thinking, new solutions, and so challenge thinking and generating discussion by security professionals and businesses influencers beyond the conference, which ultimately leads to improvements for society. Why? Because ultimately when businesses get information security wrong, it is everyone that ends up footing the impact, whether it is financial fraud or system blackouts.

You may call me an RSA Conference sycophant for my views, and rave about the amazing Black Hat, DEFCON and OWASP conferences, but as great as those conferences are, they only cover specific subjects, and not the whole field to which many information security professionals are confronting in their day to day roles.  And don't talk to me about any of the other ‘sales motivated’ IT security conferences, where speakers are practically sales people pedalling wares on the back of distorted views and misinformation.

It might be the Best Security Conference but it's not Perfect
I'm not a complete RSA Conference fan boy either, as the conference does need to evolve and improve in certain areas. The stand out is the conference’s perception as an "US Conference on tour", a view held by many European security professionals. Until the majority of the speakers speak with European accents, the conference can never truly feel like a European conference. This is important as there are some fundamental differences facing European Information Security professionals. In Europe privacy is strongly linked to information security, an EU citizen's right to privacy is increasingly being championed as an essential human right by EU politicians.  Rightly or wrongly human rights aren't regarded in quite the same way on the other side of the pond, hence death penalties, Guantanamo Bay and having your fingerprints taken like a criminal every time you visit. It is fair to say the US won’t be winning a Noble Peace prize any time soon.  Earlier this year the EU announced new privacy laws and regulations which will impact every European Information Security professional’s role in the next few years, yet there was very scant coverage of this at the conference this year.

2012 Conference Highlights
For those who didn't attend but are considering attending a future RSA Conference, here's a taste of my main highlights of the 2012 conference...

Wikipedia Founder Jimmy Wales

Taking time out of his honeymoon, the founder of Wikipedia, Jimmy Wales was 'the' keynote speaker at RSAC this year. The charismatic Jimmy did not fail to disappoint in entertaining, but his views with online freedom of information, was always going to be the stand out part of his talk, after his decision to take Wikipedia down for 24 hours in protest of a US bill. A bill in his words would have given the US government Chinese type censorship powers in controlling the Internet. The bill was dropped following the Wikipedia protest, which he was very proud of. Jimmy made it clear he was anti-piracy but said the called "snooping bill", SOPA, was just bad legislation. Jimmy's views can be summarised with his final words, "the biggest threat to online freedom of speech is bumbling regulators".

RSA Conference front man Hugh Thompson was in typical fine form, and as always one of the main highlights of the conference. Another entertaining speaker was Eddie Schwartz's (RSA CISO), particularly his flash presentation, which was very amusing even if you don't agree with his "privacy is dead" messaging. Eddie also presented an insightful talk about targeted user account hacking with real world examples.

Recognise the Hacked Football Club?

Joshua Corman is a star which continues to rise, posed the question whether information security professional weren't getting any better at security in Wednesday's keynote, in an industry challenging talk. I particularly liked it when he summarised one of the main problems of PCI DSS and security by saying, "businesses fear their QSA more than they do attackers". Joshua was also involved in a fascinating panel discussion on Anonymous along side Alex Empire, from the band Atari Teenage Riot, Parmy Olson, Anonymous Author, and Alan Woodward, Professor, Department of Computing, University of Surrey.

I saw a presentation by Bryan Sullivan (Microsoft & author of Ajax Security) on the latest application denial of service (DoS) attacks. With DoS coming back into fashion as a weapon used by hacktivists, Bryan focused on various the techniques and possibilities with application DoS. It was a highly technical talk which was right up my street.
Application DoS

Mitja Kolsek presentation on how to rob an online bank was an interesting one, although I wonder whether many banks today would be vulnerable to the types of attacks he outlined.
How to rob an online Bank!

Bruce Schneier, InfoSec's answer to Chuck Norris, talked about the psychology of trust within human society and how it relates to information security strategies. I have a confession to make, in that I broke out of the conference for a couple of hours on Thursday morning to listen to Bruce talk very frankly about cyber warfare, which was one of the best talks on the subject I've heard in a while, more on that in another post. But these kinds of things can happen at RSAC, you meet some very interesting folk which can result in some very interesting spin off discussions.

On Wednesday I saw an outstanding presentation by James Lyne of Sophos, who gave a lively talk about the maturing cybercrime business, showing how easily it is for anyone to buy cybercrime as a service, and demonstrating several attacks.

CrySyS Lab, the company which first detected and analysed the Duqu worm, presented a technical review of state sponsor malware, which included technical briefs on Flame, Stuxnet and Duqu.

Über Networking
Finally, arguably the best part of the RSA Conference is the networking. The conference provides a platform for both speakers and delegates to mix and discuss information security, debate and exchange ideas, and to have some good old fashioned fun. I met people I known in the industry for many years, and I made many new friends. This is always my biggest take home and main highlight from the conference.
 Great Networking at RSAC

RSA Conference Europe 2013 - Amsterdam
After six years of hosting in London, the RSA Conference Europe will be moving to Amsterdam in 2013, likely a decision based on engaging better with Europeans and putting more bums on seats. It is clear to me that a significant amount of delegates that attend the conference are from the European continent. But I do wonder whether some of my fellow UK rooted security professionals will be able persuade their bosses to send them to Amsterdam next year. I'll certainly intend to be there next year, heck I might even apply to present again.

Tuesday 2 October 2012

UK InfoSec Review for September 2012

Glasgow City Council has lost 750 devices over the last five years according to an IT audit
  • The Council incurred significant national and local media criticism following discovery of 56 unencrypted laptops and 487 desktop PCs, also thought to be unencrypted, are unaccounted for. These were also lost from an office in the City Chambers which contained about 17,000 bank details. A reported theft in May, which the Information Commissioner is aware of, led to the audit of all the council's IT hardware and revealed that almost 750 devices that are unaccounted for.
Microsoft release emergency Security Patch for remote code execution flaw within Internet Explorer
  • Microsoft released an emergency patch for the zero-day flaw in Internet Explorer on 21stSeptember 2012.
IPad led BYOD leaves gaping holes in enterprise security
  • Sophos warn many firms are leaving themselves open to attack based on the findings of Sophos' Warbike research.
  • Quest Software issue BYOD data warnings stating BYOD creates large holes within organisations due to the unstructured nature of the network access.
Go Daddy suffers four-hour outage following take down by Anonymous Hacker
  • Anonymous has claimed responsibility for a hack on hosting provider and registrar Go Daddy that caused it to have major service issues
Research highlights 20 per cent of IT staff access unauthorised executive data
  • Almost 40% of IT staff can get unauthorised access to sensitive information, and 20% admit to accessing executives' confidential data, according to research. IT professionals are allowed to roam around corporate networks unchecked, according to a survey of more than 450 IT professionals by security software firm Lieberman Software.
Antisec releases over a million Apple #UDID after Java-enabled FBI breach
  • Over a million Apple Unique Device Identifiers (UDIDs) have been posted online after hackers claimed to have obtained them from an FBI breach.
  • The AntiSec hacking group said it had 1,000,001 Apple Devices UDIDs linking to their users and their push notification service tokens. It said: “The original file contained around 12,000,000 devices. We decided a million would be enough to release. We trimmed out other personal data [such] as, full names, cell numbers, addresses, zipcodes, etc. Not all devices have the same amount of personal data linked.

Monday 1 October 2012

UK Data Protection Review for September 2012

ICO fines Scottish Borders Council £250,000 after employee records found in supermarket car park over-filled recycle bin
  • More than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.
  • Even though a third party caused the breach, the Council found responsible. Scottish Borders Council employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure.
  • The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed. 
  • Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
  • Information Commissioner to use his powers under the Data Protection Act to impose a Civil Monetary Penalty of £250,000 on the Council.
  • A classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place
ICO reminds businesses of data responsibilities as more look to cloud computing to process personal information
·         Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
·         Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
·         Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
·         Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
·         Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

ICO pressing for custodial sentences
  • The Information Commissioner's Office (ICO) has admitted that it is ‘pressing for' custodial sentences for malicious data loss with the UK government.

Saturday 1 September 2012

Look out for the Spies in the Skies

Using an Unmanned Aerial Vehicles (UAV) to covertly survey a target sounds like something out of a Tom Clancy novel or a hi-tech military operation in the middle east, but in reality decent quality UAVs costing less than £300 are available to anyone.

Military UAV

The AR drone Parrot is one such model made for the "home market". This quadricopter UAV can be easily controlled from your Smartphone, and is highly stable in flight outdoors. This stability clearly is a key factor in the design to meet the craft's main purpose, recording video via an on board HD camera, which not only records clear footage but can even send a live stream it to your phone.
This UAV could be yours for less than £300!

UAVs such as these will be a cool toy to many people, but there will be others that will purchase these spies in the skies for more sinister purposes, and not just for spying on the neighbours. These UAVs aren't as easy to spot as you might, newer models are bound to be even more covert, and even when spotted few will realise they have quality video cameras on board watching them.  They do make a good recognise tool for would be thieves targeting business premisses, and I wouldn't put it past the odd social engineer and professional hacker to use such a tool to help build information about potential targets as well.

Not easy to spot as you might think