Friday 26 October 2012

Social Media Witch Hunting

Last Friday evening (19th October 2012), I was at home watching a football match between Leeds United and Sheffield Wednesday. You could feel the bitter rivalry between the teams through the tv, both on the pitch and with the crowd atmosphere, which in all honestly added to the entertainment as a neutral watching it, as football played with passion rarely fails not to entertain. Sheffield Wednesday had taken the lead just before the end of the first half, but with 12 minutes from the end of the game, Leeds equalised. Then several Leeds supporters spilled onto the pitch behind the Wednesday goal, then one Leeds fan ran around the goal and up to the Wednesday goalkeeper Chris Kirkland, the fan raised his hands and shoved the keeper in the face, knocking the keeper to the ground for several minutes.

Outrage: Chris Kirkland Assaulted Live on TV

This sort of incident is extremely rare in the English game, unlike other European countries, fans are "trusted" not to encourage onto the pitch due to safety reasons, and fans aren't fenced off from the pitch. Which is one of the reasons why this incident had outraged 99% of English football fans, regardless of their club loyalty.  However it is what happened next in the virtual world that really intrigues.

Within minutes the incident had made headlines on news media websites, not just the sports pages, but the main news, which displayed pictures of the incident and a close up picture of the culprit. Even before the final whistle had blown at the match, comments on these media websites and within football forums had placed claim to the culprits identity, along with links to the culprit's Facebook page, which had no privacy set, and to a twitter account in the culprits name.
As you would expect malicious comments were posted by outraged football fans to these Facebook page and to Twitter accounts. In fact the culprits name started to trend on Twitter, meanwhile telephone numbers and an address for the culprit started to appear in posts.  But there was a problem, the twitter account being touted for hatred, @aaroncawley1 didn't actually belong to the culprit, but to a Liverpool fan who just happened to share the same name, nether-the-less this innocent person was subjected to loads of terrible comments on Twitter.
I have seen this reaction before, and this is my main point, these online witch hunts are not uncommon. Malicious people or trolls, tend to be cowards online and try to conceal their identity, typically they will either steal an identity or just make one up, anyone can set-up a Facebook page, using any name and even build a profile based on someone else.  Using such a profile to launch a troll attack can result in a similar witch hunt response, that can turn another innocence person into a victim.  So my message for those who go after trolls to seek justice, don't blindly witch hunt and assume you the found the culprit's actual online identity, remember stealing social media identities is child play, if someone is out to do harm online, 99 times out of 100, they tend to do it anonymously with a false identity, so do not assume you have found the correct person. Even if the profile ticks all the boxes, for all you know you are dealing with someone else's stolen identity. It is extremely difficult to corroborate an online identity to an actual physical person, in the physical world. It is easy to be fooled by pictures, convincing you that you are dealing with a specific individual, this is due to our human natural social behaviour.

Thursday 25 October 2012

PCI SSC Community Meeting Dublin 2012 Review

I attended the Payment Card Industry Security Standards Council (PCI SSC) Community Meeting in Dublin this week, in all honestly there isn't a lot happening with PCI SSC Standards at the moment, namely, PCI DSS, PA-DSS and PTS, and I will explain why.

Firstly the PCI SSC and PCI DSS has been around for many years now, I was at the inaugural SSC community meeting in Toronto in 2007. Since then the PCI standard has only undergone a few fairly minor changes, don't be fooled with PCI SSC's version control process i.e. PCI DSS V1.21 to V2.0. We can certainly expect PCI DSS Version V3.0 next year. The actual changes since the original release of PCI DSS are minor, so in essence we have a mature and highly static data security best practice standard.

Secondly, over the last 6 years PCI SSC has provided reams of guidance, FAQs and have improved how they communicate with those within the payment card industry trying to comply. Again this has matured,  there just aren't any new questions anyone is posing which haven't already been answered in PCI SSC online library of information.

Finally technological solutions which vastly aid the descoping of payment cardholder data (CHD) environments, so making PCI DSS compliance much easier obtain are no longer new. Whether tokenization, point-to-point encryption (P2PE) or Semafone's call recording solution which eliminates cardholder data within call centres, and so cuts call centre fraud risk significantly, are no longer new concepts to be explored and understood, but are tried and tested solutions in the field.  Even the problem platform of mobile payments is nothing new. By the way the PCI SSC are clear on this, they consider no mobile platform to be secure, therefore no payment application created to run on mobile can be PA-DSS, which jeopardises the PCI DSS compliance of any company deploying Apps which stores/process cardholder data on mobile devices. I should point out that PCI PTS approved readers connected to mobile devices, which used point-to-point encryption from the hardware reader device, are endorsed by the PCI SSC for usage with mobile.

Mobile Payments Usage is Exploding, but how many are PCI compliant?

What to expect with PCI DSS V3.0
Well we will have to wait until the North American Community meeting in Las Vegas in September 2013.  I tried my best to find out what changes PCI SSC have in store from various PCI SSC board members I know. As I believe SSC board do have an idea about what will be changed within PCI DSS, even though the standard process is still in a "feedback stage".  But it was like getting blood from a stone, even after several pints of the Irish black stuff they all remained tight lipped.  Personally, I think we'll see very little changes with PCI DSS V3.0. Sure some security vendors would like to see new requirements to help them sell solutions such as cardholder discovery (card data searching), but that isn't going to happen in my opinion. I do expect some changes with the PCI DSS Self Assessment Questionnaire (SAQ).  I think SAQs should be "rebooted", made to be more small merchant (retailer) friendly and clearer, especially as most of the card fraud at the moment is occurring with level 4 (small) merchants. In these breach instances merchants have been found to not correctly complying, or even attempting to comply with PCI DSS. We'll have to wait until Q3 2013 when PCI DSS V.3.0 is released.

Exhibition Hall

Key moments from the Community
So nothing really happening with PCI DSS, PA-DSS, PCI PTS, but there were some excellent presentations from the community meeting, these are my main highlights.

Mark Gallagher, the former Head of Cosworth’s Forumla 1 Business Unit, Head of Commercial Affairs at Jaguar / Red Bull Racing and Marketing Director at Jordan Grand Prix, was the keynote speaker at the event. His F1 risk management focus talk was superb, especially if you were a petrol head or F1 fan.
Mark Gallagher F1 Cosworth, Jaguar, Red Bull, Jordan

Mark had some great stories about Lewis Hamilton's rise from a 10 year old boy, to F1 World Champion, lessons learn from Ayrton Senna fatal crash, and a highly insightful yet some what information security industry familiar, F1 approach to risk management, not just with the cars but with processes, and the people maintaining and driving the cars. Technology, processes and people, now where have we heard that before.

Nicholas Percoco, Senior Vice President and founder of Trustwave SpiderLabs, talked about the mobile threat to cardholder data, and showed several examples of mobile device hacks.  Scary demonstrations indeed, therefore no wonder the PCI DSS states no mobile device can be considered a secure platform for payments  unless they are using a PTS approved card reader.
Nicholas Percoco on the Mobile Threat

Andy Bontoft, Foregenix co-founder and lead forensic investigator, gave an excellent and gripping presentation about what he had seen in the course of investigating numerous card data breaches around the world.   I always say the most difficult challenge facing card data hackers, is not getting into the systems, but extracting the cardholder data out.
Foregenix Investigations of card breaches

So when Andy described how he spotted the usage of a small website  image file to extract cardholder data, I was really intrigued. The hacker used a small graphic file on the website, and appended cardholder data to the image file parameters, then automated a cardholder data collection and clean up of the file on a periodic basis.
Foregenix Investigation: Hiding credit cards within files

Sky and Semafone presented separately about call centre fraud, and the usage of Semafone's solution which removes cardholder data from call centre environments. The solution allows call operators to remain on the call, while customers type in their card details on their phone keypads, the operator only hears a normal tone for each key press and doesn't see the card number on their systems, so removing cardholder data from their view, their local computer, servers, network infrastructure, and the phone system including the call recording. The Semafone solution not only descopes the call centre environment from expensive PCI DSS compliance IT technologies, but removes the opportunity for call centre fraud, and allows companies like Sky to provide better working conditions for their employees, such as allowing Facebook access and personal mobile phones at operator's desks, as the risk of internal cardholder fraud is virtually gone.

The networking at the event was excellent as always, I made new friends and caught up with many old friends within the industry, so until next year...

Monday 15 October 2012

RSA Conference Europe 2012 Review

A conference is only as good as its speakers, specifically the speaker's subject matter expertise, presentation subject and presenting ability, in this the RSA Conference Europe succeeds where many others conferences fail miserably. The best InfoSec speakers do not regurgitate topics with arrogance, repeating empty messages to sell products and services. No, the best speakers converse with their fellow information security professionals at the same level, informing and exploring the latest and future issues that will matter to business. Speakers are not bound and gagged by their company sales and marketing reps, are free to share and open up new ideas, new thinking, new solutions, and so challenge thinking and generating discussion by security professionals and businesses influencers beyond the conference, which ultimately leads to improvements for society. Why? Because ultimately when businesses get information security wrong, it is everyone that ends up footing the impact, whether it is financial fraud or system blackouts.

You may call me an RSA Conference sycophant for my views, and rave about the amazing Black Hat, DEFCON and OWASP conferences, but as great as those conferences are, they only cover specific subjects, and not the whole field to which many information security professionals are confronting in their day to day roles.  And don't talk to me about any of the other ‘sales motivated’ IT security conferences, where speakers are practically sales people pedalling wares on the back of distorted views and misinformation.

It might be the Best Security Conference but it's not Perfect
I'm not a complete RSA Conference fan boy either, as the conference does need to evolve and improve in certain areas. The stand out is the conference’s perception as an "US Conference on tour", a view held by many European security professionals. Until the majority of the speakers speak with European accents, the conference can never truly feel like a European conference. This is important as there are some fundamental differences facing European Information Security professionals. In Europe privacy is strongly linked to information security, an EU citizen's right to privacy is increasingly being championed as an essential human right by EU politicians.  Rightly or wrongly human rights aren't regarded in quite the same way on the other side of the pond, hence death penalties, Guantanamo Bay and having your fingerprints taken like a criminal every time you visit. It is fair to say the US won’t be winning a Noble Peace prize any time soon.  Earlier this year the EU announced new privacy laws and regulations which will impact every European Information Security professional’s role in the next few years, yet there was very scant coverage of this at the conference this year.

2012 Conference Highlights
For those who didn't attend but are considering attending a future RSA Conference, here's a taste of my main highlights of the 2012 conference...

Wikipedia Founder Jimmy Wales

Taking time out of his honeymoon, the founder of Wikipedia, Jimmy Wales was 'the' keynote speaker at RSAC this year. The charismatic Jimmy did not fail to disappoint in entertaining, but his views with online freedom of information, was always going to be the stand out part of his talk, after his decision to take Wikipedia down for 24 hours in protest of a US bill. A bill in his words would have given the US government Chinese type censorship powers in controlling the Internet. The bill was dropped following the Wikipedia protest, which he was very proud of. Jimmy made it clear he was anti-piracy but said the called "snooping bill", SOPA, was just bad legislation. Jimmy's views can be summarised with his final words, "the biggest threat to online freedom of speech is bumbling regulators".

RSA Conference front man Hugh Thompson was in typical fine form, and as always one of the main highlights of the conference. Another entertaining speaker was Eddie Schwartz's (RSA CISO), particularly his flash presentation, which was very amusing even if you don't agree with his "privacy is dead" messaging. Eddie also presented an insightful talk about targeted user account hacking with real world examples.

Recognise the Hacked Football Club?

Joshua Corman is a star which continues to rise, posed the question whether information security professional weren't getting any better at security in Wednesday's keynote, in an industry challenging talk. I particularly liked it when he summarised one of the main problems of PCI DSS and security by saying, "businesses fear their QSA more than they do attackers". Joshua was also involved in a fascinating panel discussion on Anonymous along side Alex Empire, from the band Atari Teenage Riot, Parmy Olson, Anonymous Author, and Alan Woodward, Professor, Department of Computing, University of Surrey.

I saw a presentation by Bryan Sullivan (Microsoft & author of Ajax Security) on the latest application denial of service (DoS) attacks. With DoS coming back into fashion as a weapon used by hacktivists, Bryan focused on various the techniques and possibilities with application DoS. It was a highly technical talk which was right up my street.
Application DoS

Mitja Kolsek presentation on how to rob an online bank was an interesting one, although I wonder whether many banks today would be vulnerable to the types of attacks he outlined.
How to rob an online Bank!

Bruce Schneier, InfoSec's answer to Chuck Norris, talked about the psychology of trust within human society and how it relates to information security strategies. I have a confession to make, in that I broke out of the conference for a couple of hours on Thursday morning to listen to Bruce talk very frankly about cyber warfare, which was one of the best talks on the subject I've heard in a while, more on that in another post. But these kinds of things can happen at RSAC, you meet some very interesting folk which can result in some very interesting spin off discussions.

On Wednesday I saw an outstanding presentation by James Lyne of Sophos, who gave a lively talk about the maturing cybercrime business, showing how easily it is for anyone to buy cybercrime as a service, and demonstrating several attacks.

CrySyS Lab, the company which first detected and analysed the Duqu worm, presented a technical review of state sponsor malware, which included technical briefs on Flame, Stuxnet and Duqu.

Über Networking
Finally, arguably the best part of the RSA Conference is the networking. The conference provides a platform for both speakers and delegates to mix and discuss information security, debate and exchange ideas, and to have some good old fashioned fun. I met people I known in the industry for many years, and I made many new friends. This is always my biggest take home and main highlight from the conference.
 Great Networking at RSAC

RSA Conference Europe 2013 - Amsterdam
After six years of hosting in London, the RSA Conference Europe will be moving to Amsterdam in 2013, likely a decision based on engaging better with Europeans and putting more bums on seats. It is clear to me that a significant amount of delegates that attend the conference are from the European continent. But I do wonder whether some of my fellow UK rooted security professionals will be able persuade their bosses to send them to Amsterdam next year. I'll certainly intend to be there next year, heck I might even apply to present again.

Tuesday 2 October 2012

UK InfoSec Review for September 2012

Glasgow City Council has lost 750 devices over the last five years according to an IT audit
  • The Council incurred significant national and local media criticism following discovery of 56 unencrypted laptops and 487 desktop PCs, also thought to be unencrypted, are unaccounted for. These were also lost from an office in the City Chambers which contained about 17,000 bank details. A reported theft in May, which the Information Commissioner is aware of, led to the audit of all the council's IT hardware and revealed that almost 750 devices that are unaccounted for.
Microsoft release emergency Security Patch for remote code execution flaw within Internet Explorer
  • Microsoft released an emergency patch for the zero-day flaw in Internet Explorer on 21stSeptember 2012.
IPad led BYOD leaves gaping holes in enterprise security
  • Sophos warn many firms are leaving themselves open to attack based on the findings of Sophos' Warbike research.
  • Quest Software issue BYOD data warnings stating BYOD creates large holes within organisations due to the unstructured nature of the network access.
Go Daddy suffers four-hour outage following take down by Anonymous Hacker
  • Anonymous has claimed responsibility for a hack on hosting provider and registrar Go Daddy that caused it to have major service issues
Research highlights 20 per cent of IT staff access unauthorised executive data
  • Almost 40% of IT staff can get unauthorised access to sensitive information, and 20% admit to accessing executives' confidential data, according to research. IT professionals are allowed to roam around corporate networks unchecked, according to a survey of more than 450 IT professionals by security software firm Lieberman Software.
Antisec releases over a million Apple #UDID after Java-enabled FBI breach
  • Over a million Apple Unique Device Identifiers (UDIDs) have been posted online after hackers claimed to have obtained them from an FBI breach.
  • The AntiSec hacking group said it had 1,000,001 Apple Devices UDIDs linking to their users and their push notification service tokens. It said: “The original file contained around 12,000,000 devices. We decided a million would be enough to release. We trimmed out other personal data [such] as, full names, cell numbers, addresses, zipcodes, etc. Not all devices have the same amount of personal data linked.

Monday 1 October 2012

UK Data Protection Review for September 2012

ICO fines Scottish Borders Council £250,000 after employee records found in supermarket car park over-filled recycle bin
  • More than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.
  • Even though a third party caused the breach, the Council found responsible. Scottish Borders Council employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure.
  • The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed. 
  • Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
  • Information Commissioner to use his powers under the Data Protection Act to impose a Civil Monetary Penalty of £250,000 on the Council.
  • A classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place
ICO reminds businesses of data responsibilities as more look to cloud computing to process personal information
·         Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
·         Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
·         Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
·         Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
·         Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

ICO pressing for custodial sentences
  • The Information Commissioner's Office (ICO) has admitted that it is ‘pressing for' custodial sentences for malicious data loss with the UK government.