Wednesday, April 23, 2008

POS Encryption

http://www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data/

As any Hannaford exec will tell you, the last place you want to secure is the first place hackers will target. As the cliché goes - a chain is only as strong...

In this case, although details are quite nebulous, it appears that malware running on the company's internal servers intercepted card data as the cards were swiped. The card data travelled in plaintext from the POS terminals to the processing servers and was only encrypted once it arrived there, so anything sitting in the middle of that path could read the entire card record; the malware simply collected it and shipped it off to the hackers.

Really simple operation, but how did the malware get onto the internal servers? There are a few ways:
a. Someone used a server to surf the 'Net and downloaded it by mistake
b. Someone planted it on purpose (inside job)
c. Hackers got in from outside and planted the program

The company will not really say what happened, so an inside job cannot be ruled out.

Steps the company has since taken to prevent this kind of interception include encrypting the card data right at the POS terminal and having IBM monitor the network for suspicious activity. This, thus, is another case of bolting the barn door after the horse has left, although it does shut down this particular method for anyone planning to repeat it.

The problem is that hackers will probably find a way around it; they always do. The PCI-DSS standard (see one of my previous blogs) requires encryption of card data at rest on the servers and of card data sent over open, public networks; it does not require encryption on the internal network between the POS terminal and the store server, so that stretch of the path is definitely a weakness.

Further, as the linked article notes (and it is true anyway), retailers depend heavily on their software vendors to patch vulnerabilities and to make sure their product is not the gateway through which hackers drill into the enterprise and steal information.

One critical step would be to monitor INTERNAL traffic: always know who accesses the sensitive servers, implement strict ACLs, and inspect ALL packets that leave those servers, especially the ones that break the known patterns (card data leaving in the clear, or going anywhere other than the payment processor).
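As an added example (mine, not from the original post and not Hannaford's fix), here is what the "inspect all packets that leave the servers" step looks like in code: a Luhn-based scan for card numbers and raw track-2 data in outbound payloads, alerting on any destination other than the approved path to the processor. It assumes an egress sensor that hands over (destination, payload) pairs; the processor host name and the payloads are constructed for the example. The same check would have lit up on the plaintext ATM traffic discussed further down this page.

```python
import re

# Card-length digit runs, allowing the spaces or dashes people type between groups.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 2 as read off the magnetic stripe: ;PAN=YYMM SSS discretionary?
_TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(digits):
    """ISO/IEC 7812 mod-10 check; weeds out timestamps, order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four only, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(payload):
    """Return every plaintext card record found in one outbound payload (bytes)."""
    text = payload.decode("latin-1")  # 1:1 byte mapping, never raises on binary
    hits = []
    # Track 2 first: it carries the expiry too, and its PAN must not be reported twice.
    for m in _TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append({"kind": "track2", "pan": mask(m.group(1)), "expiry": m.group(2)})
    text = _TRACK2_RE.sub(lambda m: " " * len(m.group(0)), text)
    for m in _PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": mask(pan), "expiry": None})
    return hits


def scan_flows(flows, approved=frozenset()):
    """flows: iterable of (destination, payload). Card data is expected only on
    the approved path to the processor; any other flow carrying it is an alert.
    Pass an empty approved set to see the plaintext on the legitimate path too."""
    alerts = []
    for dst, payload in flows:
        if dst in approved:
            continue
        hits = find_card_data(payload)
        if hits:
            alerts.append({"dst": dst, "hits": hits})
    return alerts


# Constructed payloads, not captured traffic. Host names are placeholders.
SAMPLE_FLOWS = [
    ("processor.example.net", b"0200;4111111111111111=12051010000000000000?"),   # legitimate auth
    ("198.51.100.7", b"POST /drop HTTP/1.1\r\n\r\n;4111111111111111=12051010000000000000?\r\n"),
    ("203.0.113.9", b"card=5105 1051 0510 5100&exp=0512&cvv=123"),
    ("ntp.example.net", b"ts=20080423120000 order=12345678901234"),   # digits, but not card numbers
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS, approved={"processor.example.net"}):
        print(alert["dst"], alert["hits"])
```

Run against the sample flows with the processor on the approved list, it flags the two exfiltration flows and stays quiet on the timestamp and order number; run with an empty approved list, it also flags the legitimate authorisation, which is exactly the plaintext the malware sat on. The Luhn check is what keeps this from paging you on every 16-digit number that crosses the wire.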
Extensive background checks on staff who must have access to these machines should be mandatory, and any unauthorized attempt to peek at the database or perform any kind of illegal operation should result in immediate termination, no exceptions. Quite obviously (as in my earlier blogs) I am not advocating tyranny at the workplace, just prudence, caution and curiosity, and lots of it.

Hacking is done by humans, not by machines or software, although those are indispensable in meeting the hackers' nefarious goals. The instigator is still a living, breathing human, so any security plan that mindlessly targets malware, viruses, worms, trojans etc. without taking the human element into account (especially employees, and the psychology of hackers) is doomed to fail.

For most large corporations that deal in data (finance, medicine, retail etc.) there is nothing more horrific than a panicky call in the middle of the night from the sysadmin. Don't let it happen to you: tighten your network; encrypt; monitor; adjust; implement; monitor.

Be safe!

Friday, March 14, 2008

The Entertainment Virus

Enough to send shivers down the spine of any IT security employee is news that viruses now come preinstalled (for your convenience) on portable music players like the iPod, as well as on GPS units and possibly other portable devices.

Many employees treat lunch-time as a somewhat sadistic date with their computers: plugging various devices into their hapless desktop or notebook and torturing it with firmware upgrades, content downloads, and mail/contact syncing.
Not an issue per se, of course, and in fact this may increase productivity by making employees feel more 'at home' and comfortable at their workplace, as long as the actions do not violate corporate policy, needless to say.

However, the risk is that some of these devices, which you'd expect to be 'pristine' and 'untouched', may have a nasty surprise in store for you (and for your IT team, which must clean up the gory mess).

http://ap.google.com/article/ALeqM5j5sV-97QAoIse_DNzmQ6bD6oKXJwD8VCQIK80

It appears that many of these problems originate in devices manufactured in China, where a careless tester may be plugging these mini-computers into an already infected test station for a final validation step, and inadvertently transferring the payload in the process.

Where this becomes a REAL threat to a country's security is when the corruption happens DELIBERATELY, with malicious intent. Imagine a defense department official plugging a child's iPod into an office laptop to download music or troubleshoot it, and WHOOP, a password stealer is installed stealthily. You can imagine the rest.

I've previously noted on this blog the risks of USB ports and CD/floppy drives on sensitive computers. Just glue them up if there's no need for them. I'm not about to preach on the physical side of a company's security policy, but having steel doors is not enough. And for those who think AV solutions are the panacea for such problems, please note that some of these miserable little programs DISABLE the AV so no alarms are raised.
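The post does not say how the preinstalled payload got from the device onto the PC; on Windows of that era the usual route was an autorun.inf at the root of the device, which Windows read on insertion, so that is the assumption behind this added example (mine, not from the AP article or the original post). It triages such a file before a device is trusted. The file contents are constructed, and the junk line stands in for the padding that worms used to trip up stricter parsers while Windows itself still read the file.

```python
import re

# autorun.inf keys that make Windows run something when the device is inserted.
_EXEC_KEYS = {"open", "shellexecute"}
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command=<program>


def parse_autorun(text):
    """Tolerant INI parse: {section: [(key, value), ...]}, keys lower-cased,
    duplicates kept, lines without '=' ignored. The tolerance matters: worms
    padded autorun.inf with junk lines so that strict parsers and signature
    scanners would choke on the file while Windows still honoured it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def triage_autorun(text):
    """Findings for one autorun.inf; an empty list means nothing runs or is
    disguised on insertion. Each finding is (kind, key, value)."""
    findings = []
    action = None
    for key, value in parse_autorun(text).get("autorun", []):
        if key in _EXEC_KEYS or _SHELL_CMD.match(key):
            findings.append(("runs-program", key, value))
        elif key == "shell":
            # shell=<verb> changes what a double-click on the drive does.
            findings.append(("default-verb-changed", key, value))
        elif key == "action":
            action = value
    if action is not None and any(k == "runs-program" for k, _, _ in findings):
        # The AutoPlay dialog shows the 'action' text as if it were the normal
        # Explorer choice, so the user clicks straight into the program.
        findings.append(("autoplay-dialog-spoof", "action", action))
    return findings


def referenced_programs(text):
    """Paths the file would execute: hash these and look them up before trusting the device."""
    return sorted({v for k, _, v in triage_autorun(text) if k == "runs-program"})


# Constructed samples, not files from any real device. Paths are placeholders.
MALICIOUS_AUTORUN = r"""
[autorun]
jx7q zzkv 0x9c ~~ junk padding ~~
open=RECYCLER\updater.exe
shell\open\command=RECYCLER\updater.exe
shell\explore\command=RECYCLER\updater.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

BENIGN_AUTORUN = r"""
[autorun]
label=Vendor Firmware Update
icon=vendor.ico
"""

if __name__ == "__main__":
    for finding in triage_autorun(MALICIOUS_AUTORUN):
        print(finding)
    print("programs to hash:", referenced_programs(MALICIOUS_AUTORUN))
```

On the malicious sample this reports the three execution directives, the changed default verb, and the spoofed AutoPlay text; on the benign sample (label and icon only) it reports nothing. It is a check on one file, not a substitute for the glue: a device with autorun disabled by policy never gets as far as reading this file.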

Be safe!

Wednesday, March 5, 2008

Amazingly Tamper-Friendly Machines

http://www.news.com/Windows-based-cash-machines-easily-hacked/2100-7349_3-6233030.html

By now you probably realize no data is safe from hackers, no matter where it is stored.
However, hacking into ATMs, which in simpler times consisted of attaching one end of a strong rope to the machine and the other end to a truck and hauling the whole thing off, has become a fine art.

ATMs (especially in the UK) are supposedly highly vulnerable, essentially because they are nothing but Wintel machines, networked with other Wintel machines, and built to perform one function: manage the transfer of money (and charge you sky-high fees while at it).

As the article discusses quite clearly, it's not that difficult to get into one of these black boxes and electronically haul away the cash, probably leaving no traces of any kind.

Solutions? The article says (and I quote):
"It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network."

What got me? The fact that only the PIN was encrypted; everything else went over the network in plain text, EVERYTHING else. Talk about an open invitation to network fiends.

Best solution - don't use one of these things; just pay cash or use credit cards if you must.

Monday, February 11, 2008

Data Breach at Georgetown University

In what constitutes an inexcusable breach of trust and security, GU has told its students and faculty that nearly 38,000 people have had their personal data exposed.
http://explore.georgetown.edu/news/?ID=31245

Apparently a hard disk holding UNENCRYPTED information (Social Security numbers, names etc.) on many thousands of students and faculty was stolen. I cannot imagine how such a prestigious institution could let that happen.

Does security begin and end at the Ethernet cable?!

Physical security is as important as network/digital security; to minimize the value or importance of one over the other is beyond ludicrous. GU is offering to pay for one year's worth of credit monitoring, but what about after that? The govt should mandate a MINIMUM of 5 years' worth of credit monitoring for each such incident, plus insurance covering at least 5 times the combined credit limit of all the credit cards currently held by the affected people.

Further to that, the govt, which seems to have absolutely no take on such issues, needs to get off its lazy behind and do something meaningful, like legislating strong penalties for careless and negligent organizations.

I've repeated such thoughts ad nauseam and probably will continue to do so until such events become a thing of the past. At the rate things are going vis-a-vis data theft, it's going to be a VERY long time before we can stop worrying about such horrible incidents of violation of our trust and safety.

Be safe!

Tuesday, January 22, 2008

Iron Mountain Not So Invincible After All...

I'm sure many JC Penney credit card holders read the news of the 'loss' of a backup tape containing information on tens of thousands of JCP customers, in some cases including their SS numbers.

Hardly a month goes by without mention of at least one MAJOR breach (and who knows how many of these go unreported), so the important thing here is for the general public not to get jaded and let these things slide. The right thing to do for the various consumer groups is to get together and form a united front in pushing the govt to pass STRONG and EFFECTIVE consumer protection laws.

Yes, GE Money will offer a year's worth of ID monitoring to those whose SS numbers were lost, but who's to say what happens after that year? SS numbers are permanent unless you have a VERY good reason to request a new one (Witness Protection Program, shelter from an abusive spouse etc.), so how does one escape this?

The cleanest way to protect your identity is to keep credit cards to a minimum (two at most: one for convenience and one as an emergency backup) and pay CASH everywhere. No wonder they say cash is king! Every year you can get a free credit report from each of the three reporting agencies; spread the requests out so that you pull one every four months (e.g. Equifax first, then TransUnion, then Experian). That way the entire year is covered and you can check for inconsistencies, errors and any fraudulent activity.

You'd think companies that store information for others would have a process in place to prevent exactly this kind of incident: a tracking mechanism that records the chain of custody, the breadcrumb trail of what went where and why. I'm quite surprised that a tape (not a tiny floppy, you know) could just VANISH with nobody having any idea where it went.

To their credit, they handle millions of items, so things may get 'lost' every now and then, but that raises the question again: the whole reason customers pay for such a service is to keep their critical data safe, so why spend so much on a backup solution that can go wrong? I guess one criterion in selecting a backup vendor would be to look at their processes (and audit them via a third party if the contract allows, or just make that a requirement) and their track record, and compare them with other companies.

Be safe!

Friday, December 7, 2007

Why I Won't Join Facebook

I call it Sneakcon; they call it Beacon. Not much difference there when you find out that websites affiliated with FB were sending your information to your friends on FB despite your having LOGGED OUT of FB.

How did they figure this out? Well, simple: network monitoring with Wireshark (I saw it on the blog of the original CA researcher who found this activity).

The idea behind Beacon was to broadcast your activity on partner sites to your friends on FB. Soon people started complaining that the surprise behind their surprise gifts was ruined because the intended recipient got to see the purchase. Well, fine, you can turn it off, but the data kept going out even when you were logged off?? Whoa, that's a serious breach of trust in my opinion.

As a reference, see this:
http://www.cio-today.com/story.xhtml?story_id=010000ZKE6WS

So they track non-users as well, except that they discard the data if it did not come with an FB cookie saying it's an FB user. And even if you are an FB user and have opted out on the 44 websites that work with FB, your info is STILL sent; they just won't process it (because you opted out). I don't think this is a good idea. It doesn't matter whether you throw the information away or not: if I'm not an FB user you have NO RIGHT to my data. And who's to say the data is REALLY thrown away? Who audits that?

You should know that you have to opt out ONE BY ONE, not from all of the sites at once. Couldn't be more painful than that. And considering how popular the site is, what if hundreds of companies join the program? You'd have to constantly change your preferences to avoid being opted in. It should be the reverse: unless you choose to opt in, nothing about you should be known to anyone.
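The Wireshark session described above boils down to one question: which requests leave the partner site, where do they go, and what do they carry, regardless of whether the user is logged in at the other end. As an added example (mine, not the CA researcher's code or anything from Facebook or its partners), here is that check over a constructed request log; the hosts shop.example and cdn.example-static.net and the Facebook endpoint path are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Query/body field names that carry what the user did on the partner site.
WATCH_TERMS = ("product", "item", "price", "order", "purchase")


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for the hosts in this example."""
    return ".".join(host.lower().split(".")[-2:])


def find_beacons(first_party_host, requests, watch_terms=WATCH_TERMS):
    """requests: (method, url, referer, cookie_header_or_None, body_or_None).
    Flags every request leaving the site being browsed that carries activity
    fields or any cookie for the third party. Login state is reported, not
    used as a filter: the complaint is that the data goes out either way."""
    site = registrable(first_party_host)
    leaks = []
    for method, url, referer, cookie, body in requests:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if registrable(host) == site:
            continue                      # first-party traffic is the site's own business
        fields = parse_qs(parts.query + "&" + (body or ""))
        leaked = {k: v for k, v in fields.items()
                  if any(t in k.lower() for t in watch_terms)}
        if leaked or cookie:
            leaks.append({"host": host, "method": method, "referer": referer,
                          "identified_by_cookie": cookie is not None,
                          "leaked": leaked})
    return leaks


# Constructed request log, not a real capture; the FB endpoint path is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "https://shop.example/cart", None, "sid=abc", None),
    ("POST", "https://shop.example/checkout", "https://shop.example/cart", "sid=abc",
     "product=Plasma+TV&price=1299"),
    # Fired by the partner page after checkout; the user holds no FB cookie (logged out).
    ("GET", "http://www.facebook.com/partner_beacon?product=Plasma+TV&price=1299&site=shop.example",
     "https://shop.example/checkout", None, None),
    ("GET", "http://cdn.example-static.net/logo.png", "https://shop.example/checkout", None, None),
]

if __name__ == "__main__":
    for leak in find_beacons("shop.example", SAMPLE_REQUESTS):
        print(leak["host"], "logged in:", leak["identified_by_cookie"], leak["leaked"])
```

The static CDN request is third-party too but carries nothing and is left alone; the beacon request is flagged with the product and price it leaks and with identified_by_cookie false, which is precisely the logged-out case that caused the outrage. Whether the receiving end "discards" it is invisible from the wire, which is the author's point about auditing.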

This is why they are in serious need of a customer privacy advocate, someone who can dispassionately identify such issues and guide whoever chose to implement this, so that people don't start abandoning the site or decide against joining it.

I'm quite sure that many people have decided not to join FB after this fiasco. I know I won't.

Be safe!