Sister CISA CISSP:

December, 2008

Dec 28 2008   3:14PM GMT

Securing the Security Devices



Posted by: Arian Eigen Heald
Compliance, Security Devices, IT audit, Hardware & InfoSec, Tools for Auditing and Security, TCM (Truly Clueless Management), Admins and Auditors, Tools & Tricks of the Trade, "How Do You Know?"

OK, so you’ve bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny “security solution” from a vendor (one or many).

Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I’m spelling that fancy French right!) And of course either you have to manage it (without training, “that’s too expensive, just watch the consultants put it in”), or it’s been “outsourced.”

Or as an auditor, you’ve been told to use it for all auditing functions, and not worry about doing any follow up or periodic testing because this product is such a “time-saver.”

So, how do you know (my favorite question) it’s working and doing a good job? Not what the fancy report it produces says, not what the consultant says, not what the manual says, not what the boss says. What you can actually see.

I’ve been following a discussion on the Security Focus “pen-test” mailing list about how security software has just as many issues as regular software. I don’t like thinking that the software protecting me and writing to a SQL database is using an unencrypted ODBC connection that can be captured by ARP poisoning.

So, although I am rarely asked to audit or test a firewall, IDS or host IDS, having run and learned on all of them, I have some suggestions for you to try out.

NEXT: How to Audit Your IDS/Firewall/ECM for free.

Dec 24 2008   7:14PM GMT

Getting What You Pay For… 2008



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Database security, IT audit, Admins and Auditors, Tearing My Hair Out, SAS 70

In my travels as an auditor this year, I’ve visited 15 states and seen approximately 20 different networks, both LAN and WAN. I’ve audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service bureaus.

I continue to see networks that are not patched. “It might break our custom code,” is the most common excuse, followed by, “Gee, we just didn’t get around to it.”

Software coding continues to be a security disaster in the making. Developers continue to open up databases by giving too many rights to users and application IDs. I still find individual developer IDs inside production databases.

Management continues to be unwilling to invest the money in a secure architecture. In the last three years, I can count on the fingers of one hand the organizations I’ve seen that follow secure best practices. And not use all the fingers.

I still hear people try to tell me that they don’t need a firewall because they have really good routers. And then they don’t update the IOS on the routers and/or leave the default SNMP strings in place.

If you are paying for these services, and you are getting the above, there is a problem waiting to happen on your network. If you don’t know what’s going on in your databases, time to find out before another Countrywide happens in your back yard.

Have a safe holiday. And remember: who is responsible for good security? You are. I am. Let’s keep trying to do it right.


Dec 20 2008   2:11AM GMT

Thank you, Federal Trade Commission…



Posted by: Arian Eigen Heald
Security, Identity theft, DataManagement, Database security, Data Breaches, Tearing My Hair Out

For saying the blindingly obvious:

“Companies and schools should find new ways to authenticate the identities of customers, employees and students that do not involve social security numbers, a U.S. consumer protection agency said on Wednesday as part of recommendations to fight identity theft.”

Now here is the real challenge: could the FTC, a government agency, please communicate this point to Medicare? You know, the government agency that puts the social security number on the medical benefits card it requires members to carry? The report addresses use in the “private sector,” but medical use of social security numbers is a huge factor in medical identity theft, synthetic identity theft, and plain ol’ identity theft.

The FTC released the report on December 17, 2008, and you can read it here. All 21 pages of it in double space.

The “Social Security Number” was created in 1936 for the purpose of tracking workers’ earnings for benefits purposes. Not as a universal identifier. Any good DBA will tell you that relying on a single “identifier” carries a high risk of false positives. Newer techniques, which match on full name, address, date of birth, place of birth, etc., taken as a group, give a much more accurate positive response (“Yes, this is the right person”).

But this additional data is “out there” as well, along with social security numbers. The genie IS out of the bottle.

The report worries about social security number data already being out of control. Given how many databases are out there (public and private) with ALL of the above information in storage, I think it is already way out of control, and the other identifying data along with it. Daily reports from the “Breach Blog” saturate my email box. Reading Pogo Was Right only confirms my opinion.

The FTC report seems to be an exercise in “too little, too late.”


Dec 17 2008   4:46PM GMT

Nobody is “Too Small” to Get Hacked



Posted by: Arian Eigen Heald
Security, Compliance, Identity theft, Data Breaches, Admins and Auditors

It’s been an interesting week in “Breachland,” with reports of breaches in all sorts of places: eyewear companies, auto dealerships, Universities with “password-protected laptops,” Dallas City Hall, and, unfortunately, a big German Bank.

We are already well past any previous year’s figures for number of break-ins, laptop losses, backup tapes stolen, and internal employee data theft.

And yet I still see organizations that blithely ignore data on laptops, don’t monitor or encrypt their backup tapes, and have firewall rules that are like Swiss cheese.

Security costs money. Organizations struggling to meet payroll don’t have the willingness to allocate resources to address logical security issues. “It hasn’t happened here!”

It will. The big businesses make it harder (not impossible, just harder) to hack in from the Internet, but small businesses online are becoming the focus of cybercrime cartels. Especially if those businesses have a back-door connection to much bigger organizations.

Many large organizations outsource their data to third party service bureaus, marketing firms, or connect via an Extranet. If the small organization has weak security, it provides access to the back door of the larger one. Something to think about.


Dec 11 2008   5:27PM GMT

More on ATMs - The Daily Store Owner Log



Posted by: Arian Eigen Heald
Identity theft, DataManagement, Security Devices, Hardware & InfoSec, Stupid Technology, Automatic Theft Machines

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the Bank name, last four numbers of the account, the customer name, and the transaction.

So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.

The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc., is all there on the log.

I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.

Where does this report get stored? Who has access to the reports? The manager? The clerks?

Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)

Why does a store owner need that much information? I’ll try and find out.


Dec 9 2008   9:27PM GMT

Check out the New PCI Standards



Posted by: Arian Eigen Heald
Security, PCI DSS

The new PCI (Payment Card Industry) Data Security Standards, Release 1.2, came out in October and are worth a look. They’ve added some updated recommendations (like getting rid of WEP entirely by 2010), and I especially liked some of the following features:

Compensating controls must be reviewed, documented and validated by an assessor annually. A compensating control worksheet must be completed for each compensating control. These changes emphasize the council’s intent to make it more difficult for merchants to use compensating controls rather than meeting the requirements of the DSS.

I like this; a control is a control - a compensating control is not meant to be a permanent solution.

Monitoring sensitive areas: Version 1.1 required the use of video cameras to monitor sensitive areas. The new version offers the possibility of using other access control mechanisms to monitor access to sensitive areas. This can include card keys or biometric access controls that provide a date and time stamp upon access to sensitive areas. In addition, the clarification in version 1.2 expands the scope of video monitoring into areas that contain paper files. Many companies maintain storehouses full of paper files, which now may require video monitoring as well.

It’s worth noting that standard keys and keypads do not meet the new requirements, as they do not provide the ability to monitor access to sensitive areas. About time this limited control was tossed. It’s not enough to lock the door; you need to know who is accessing the room, and when.

Service providers
Version 1.2 provides more detailed requirements when dealing with service providers (including shared hosting providers) that have access to cardholder data. Businesses must maintain a list of all their cardholder service providers and ensure that the service providers are PCI DSS compliant. This includes monitoring their compliance, maintaining a written contract with the service provider stating that they are responsible for the cardholder data, and establishing a vendor review process when selecting service providers in order to perform due diligence. These requirements force businesses to work closely with their providers and be aware of their service providers’ PCI DSS status. Nice.


Dec 2 2008   11:48AM GMT

“Selling It”



Posted by: Arian Eigen Heald
Identity theft, Data Breaches

Information about consumer purchases, habits and history has become a multi-billion dollar treasure trove for businesses to sell and mine for others.

Specialized, targeted information from consumer databases held by banks and other financial institutions is being used to develop business lines. Advertisements, mailings, telemarketing and other targeted ads are the marketing tools of choice to offer services to the targeted market of financially stable consumers. But it’s no accident that identity thieves use the same tools the marketers do. It’s the same information, put to illegal ends. Identity thieves have become experts at following the money.

I recently received a letter in the mail, with the words “Important Information!!!” emblazoned on the front, (along with the bank’s name and return address) and inside, along with my name and address, was the entirely unsolicited offer to let me cash out on the equity in my house via a six figure loan.

What would have happened to that information if it had been intercepted and I had never seen the offer? Or tossed it in the trash, to be opportunely reviewed by whoever took an interest? How long would it have taken for me to find out a loan had been taken out on the equity in my house?

Mailing products have become the favorite hunting grounds of small-time identity thieves. One thief can ruin several dozen credit histories and move on before a consumer can react.

Consider the arrival of checks. Those pleasant brown boxes the bank orders for you are distinctive AND contain important nuggets of information, such as address, phone number, bank account and routing number. Some folks have had their driver’s license number printed on their checks. By providing this service via regular mail, with no safeguards to confirm arrival to the proper party, retail institutions invite theft.

Banks and financial institutions that send unsolicited checks in the mail (the kind used to withdraw from CDs, for instance) are also providing opportunity. Those long white envelopes from business addresses are becoming noticeable by their very anonymous return postal addresses.

Banks looking to expand markets often run credit checks on potential customers in order to offer tailored services (witness my home equity loan offer). But by doing so, banks open themselves to legal risk when data is lost or stolen, and angry consumers demand to know why their information was revealed.

Businesses can run credit checks with any of the “Big Three” credit bureaus (Experian, TransUnion and Equifax) by acquiring a business account and password. Once they log on, all they need to obtain a credit record is a name and Social Security number. That means those access codes are digital gold for would-be thieves who also happen to be employees.

Such temptation sometimes proves too much: 7,300 customers of Marchese Auto World settled a class action suit in May 2004 for $2.45 million. The charges were criminal and civil: the defendant accessed the credit information of Marchese Auto World customers and used it to take out loans in their names without their permission. The suit stated that the general manager of B.J. Marchese Auto World, Limerick, PA, illegally obtained credit reports for the victims and obtained more than $4 million in unauthorized auto loans for vehicles that were never purchased or leased. The plaintiffs were unaware of the loans, and suffered credit damage and invasion of privacy.

It will be difficult for business organizations that depend on credit reviews to resist marketing campaigns that have provided profit before. Banks and businesses have been willing to absorb “acceptable levels” of fraud loss as part of the cost of doing business. But this form of fraud is becoming extremely expensive once class action lawsuits follow.