Sister CISA CISSP: March, 2009 archives

March, 2009

Mar 30 2009   3:04AM GMT

“Penetration Test” Terms



Posted by: Arian Eigen Heald
Penetration testing, understanding security terms

There are some really terrific pieces of software out there for running a vulnerability scan. I have a lot of respect for all of them. The vendors are working hard to find as many vulnerabilities as possible in order to protect businesses and organizations that need to find and fix those vulnerabilities so that the bad guys don’t get in. A scan is NOT a penetration test. It can be part of one. But it usually isn’t.

Software doesn’t think. It doesn’t perform social engineering. It doesn’t walk down the hall and check everybody’s desks at night until it finds the keyring labeled “server room.” It provides a lot of false positives because it doesn’t account for configurations that have compensating controls elsewhere.

PCI DSS requires, for Level 1 merchants and service providers (and most others), a quarterly external vulnerability scan of the Internet-facing environment by an Approved Scanning Vendor (Requirement 11.2). This is a great idea; kind of like the watchman making sure he rattles the door knobs. But this is a minimum requirement. Is that really all your company can do?

Scans are great for finding the “low-hanging fruit.” They save a lot of manual time and effort to that effect. But don’t let someone sell you a scan and call it a penetration test. Software can only find what you tell it to find. Anyone (literally) can run a scan. You can rest assured that the real bad guys don’t hire “anyone” to write their malware. Someone can spend enormous amounts of time attacking your network, and you can be sure that person has a fairly high skill level. Don’t you want the folks on your side to have equal, if not better, skills?

Next: Why isn’t a scan part of a penetration test?

Mar 28 2009   1:45AM GMT

When a “Pentest” is not a Pentest



Posted by: Arian Eigen Heald
information security, "How Do You Know?"

There are as many definitions of pentest and penetration testing as there are Google search results. (Some 10,700,000 or so.) The problem is, there doesn’t seem to be a standard definition of what constitutes penetration testing.

As a result, there are hundreds of companies promoting their version of a “pentest,” and a wide variety of prices given for the proposed “service.” If you’re looking for “a penetration test,” you can spend hours reading about it on various vendor sites. But what are you really getting? It can vary. A LOT.

A couple of years ago one of our banking clients proudly informed us that he had commissioned a “penetration test” quarterly from the same company that managed their firewall. (Yes, I smelled a rat.)
I took a look at the contract, which did, indeed, provide a “penetration test” quarterly, and examined one of their previous reports.

I recognized the format of the report - it was output from a Nessus scan (back when Nessus used to be free). So this company was testing itself with a free product and charging the bank. Nice.

It was a nice report, and the client was happy with it. He was convinced he was going the extra mile to protect his bank. (Hopefully, he’s not still doing this.) I tried to explain to him the difference between penetration testing and a vulnerability scan, but it was hard going. Especially when he had been sold on the scan being the test.

It’s embarrassing when I see my own field so blatantly out to make a buck. Right up there with “SAS 70 certification.” Then there’s the folks that come in with a lowball bid just to build business in a market they don’t have any traction in. They make us all look bad, don’t they?

So, what is a “penetration test?” Some of it depends on who is asking. The organization that is looking to acquire one really needs to know what they need to learn from the test. There is no passing grade, unfortunately.

Next: Let’s talk terms


Mar 26 2009   8:39PM GMT

Hijacking Your Website



Posted by: Arian Eigen Heald
Data Breaches, information security

With all the publicity going on about the Heartland breach, not much attention has been paid to what happened to CheckFree last December. The event is also much more challenging to explain to the average consumer, but it was a significant technical attack that you and I should be aware of.

And they did it without hacking into CheckFree. Simply, they redirected visitors to a faux CheckFree customer login page on a Web site in Ukraine that tried to install password-stealing software.

There’s all sorts of pharming and phishing (I’m getting a little weary of the “ph” naming convention, frankly) out there. What is important here is that the bad guys got into the domain registrar account in order to redirect traffic. They didn’t break into any DNS servers; they used a legitimate admin username and password to log into Network Solutions and change the domain’s DNS settings.

So think for a moment about how you maintain your domain registration, and how important that is to your company. Over the course of five hours the bad guys captured who knows how many IDs and logins for CheckFree.

CheckFree is not just any company, it’s owned by Fiserv, and is the backend company for financial institutions that utilize billpay services. It manages between 70% and 80% of this type of financial service. So while no data was captured from CheckFree servers, the possible loss of login information is significant. Up to 160,000 users may have been impacted.

Even though the information on Network Solutions was corrected after five hours, the bad guys had set the TTL (Time to Live) on their records to 48 hours. DNS has no push: a caching resolver that fetched the hijacked answer keeps serving it until the TTL runs out, and the domain owner has no way to make other people’s resolvers discard it early. So unless every resolver operator flushed the entry by hand (and they didn’t), resolvers that had picked up the bad answer had no reason to check back for up to another 48 hours.
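The caching behaviour described above, as a small Python model added for this page (it is illustration, not code from the post, from CheckFree or from Network Solutions; the hostname, the addresses and the hour-by-hour timings are constructed, while the 48-hour TTL and the five-hour correction window are the figures the post gives):

```python
"""Why a corrected registrar entry does not undo a DNS hijack right away.

Added illustration, not code from the original post. The hostname and the
addresses (RFC 5737 documentation ranges) are constructed; the 48-hour TTL
and 5-hour correction window are the figures the post gives.
"""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class Record:
    name: str
    address: str
    ttl: int            # seconds a resolver may keep this answer


class Authoritative:
    """What the world sees for the zone. Whoever controls the registrar
    entry decides which server answers, and that server picks the TTL."""

    def __init__(self):
        self._zone = {}

    def publish(self, rec):
        self._zone[rec.name] = rec

    def answer(self, name):
        return self._zone[name]


class CachingResolver:
    """A recursive resolver (an ISP's, say). It keeps an answer until its
    TTL expires and does not re-ask the authoritative server before then."""

    def __init__(self, upstream):
        self.upstream = upstream
        self._cache = {}    # name -> (address, absolute expiry time)

    def resolve(self, name, now):
        hit = self._cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]                       # served from cache
        rec = self.upstream.answer(name)
        self._cache[name] = (rec.address, now + rec.ttl)
        return rec.address

    def flush(self, name):
        """Only the resolver's operator can do this; the domain owner cannot
        push a correction into caches it does not run."""
        self._cache.pop(name, None)


NAME = "login.example.com"    # constructed
GOOD = "198.51.100.10"        # constructed: the real site
BAD = "203.0.113.66"          # constructed: the attacker's look-alike


def simulate(attacker_ttl=48 * HOUR, fix_after=5 * HOUR,
             first_lookup=1 * HOUR, flush_at=None):
    """Hour-by-hour record of what one resolver serves when the hijack
    starts at t=0, the registrar entry is corrected at fix_after, and the
    resolver first looked the name up at first_lookup. flush_at optionally
    models the resolver's operator clearing the entry. Returns {hour: address}."""
    auth = Authoritative()
    auth.publish(Record(NAME, GOOD, 300))          # normal 5-minute TTL
    resolver = CachingResolver(auth)
    auth.publish(Record(NAME, BAD, attacker_ttl))  # t=0: hijacked delegation
    fixed = flushed = False
    served = {}
    for hour in range(72):
        now = hour * HOUR
        if not fixed and now >= fix_after:
            auth.publish(Record(NAME, GOOD, 300))  # owner restores the entry
            fixed = True
        if flush_at is not None and not flushed and now >= flush_at:
            resolver.flush(NAME)
            flushed = True
        if now >= first_lookup:
            served[hour] = resolver.resolve(NAME, now)
    return served


def hours_poisoned_after_fix(attacker_ttl, fix_after, first_lookup):
    """How long a resolver that cached the bad answer at first_lookup keeps
    serving it after the correction, absent a manual flush."""
    return max(0, first_lookup + attacker_ttl - fix_after) / HOUR


if __name__ == "__main__":
    timeline = simulate()
    for hour in (1, 5, 6, 24, 48, 49):
        print(f"hour {hour:2d}: {timeline[hour]}")
    print("poisoned hours after fix:",
          hours_poisoned_after_fix(48 * HOUR, 5 * HOUR, 1 * HOUR))
```

Run as written, a resolver that cached the hijacked answer at hour 1 is still handing out the attacker’s address at hour 48 and gives its first clean answer at hour 49, 44 hours after the registrar entry was fixed; a resolver whose operator flushes the entry recovers at once, but nothing the domain owner does can trigger that. Note that the TTL that matters is the one the attacker set on their own zone data, so the victim’s normally short TTL is no protection. What shortens the window is keeping the attacker out of the registrar account in the first place: a registrar lock on the domain (the EPP clientUpdateProhibited and clientTransferProhibited statuses) and an alert on any change to the domain’s nameservers or contacts.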

Registrars are becoming increasingly attractive targets. At one point the IP address in Ukraine held multiple fake sites.

It’s worth thinking about how your business might be impacted. And what kind of username and password you’re using with your domain registrar. How were the ID and password to Network Solutions captured? They don’t know. Can we imagine an admin’s PC getting infected?


Mar 26 2009   2:16PM GMT

Sweet Contest this month



Posted by: Arian Eigen Heald

Check out the contest for an XBOX this month here on the IT Knowledge Exchange. It made my mouth water!


Mar 17 2009   2:13AM GMT

The Emperor Has No Clothes



Posted by: Arian Eigen Heald
Start Laughing Now, PCI DSS, Tearing My Hair Out, Data Breaches

Visa is in a difficult position: it has said that merchants must be compliant, and the ultimate threat is to pull processing permissions from non-compliant merchants.

But if one of the merchants turns out to be a payment processor that generates huge profits for Visa, do they cut off their nose to spite their face? Evidently not. They just make them non-compliant. Sort of.

According to StorefrontBacktalk.com, Visa has declared that Heartland is no longer on the list of “PCI-compliant” vendors. Rather, Heartland is in a probationary period, with increased oversight, audits, etc.

But wait! In response to this announcement, Heartland declares that it had been compliant in 2008, is undergoing its 2009 assessment, and fully expects to be declared compliant.

(If you go to Heartland’s web site, they have quite a set of web pages on what it “means” to be PCI-compliant. The web page is entitled, “Ensuring You are PCI-Compliant.” They must take this literally, since THEY are not compliant (at least for the moment). Does anyone else besides me find this way too ironic?)

Are you confused yet? I sure am, and I’m the one who is supposed to be the auditor.

In a final expression of revisionist history, Visa is now declaring that “As of today, no compromised entity has been found to be compliant at the time of the breach.” So, temporarily, Heartland is not compliant, so no one who was compliant was…….I’m lost.

When is compliant not compliant? The message is, when Visa says it is. Or not.

PCI - Pay Cash Instead.


Mar 12 2009   8:50PM GMT

You May Not Want to Know, But…..



Posted by: Arian Eigen Heald
Data Breaches, PCI DSS

If you are wondering if your banking institution has been affected by the Heartland breach, you can visit bankinfosecurity.com’s web page (updated daily) tracking the number of institutions announcing they have been affected by the breach.

Had your credit/debit card replaced (unsolicited by you) recently? You would be well advised to call and find out why.


Mar 9 2009   11:59PM GMT

ATM Heists Grow in 2007 and 2008



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, PCI DSS

A story on Wired came out recently about a $9 million ripoff of RBS WorldPay. Further reading on Wired led me to articles about, variously, a cracking of an ATM network in 7-Eleven stores that linked to Citibank, iWire cash payment cards, and Direct Cash management cards.

It seems that the bad folks are cracking ATMs and cash/debit/gift cards MUCH faster than the banks and financial services people can keep up. They have gotten adept at being able to clone cards, crack PINs and break account limits in order to drain accounts quickly with a host of people making fast runs on the system. Profits range from $750,000 to, so far, $9 million.

Banks and businesses are being ever more cagey about announcing such breaches, pointing fingers at various processors and claiming they can’t talk due to “ongoing criminal investigations.” This is the claim for the heist of $9 million that happened last November. Frankly, that excuse is getting harder and harder to swallow.

As my last post noted, we are starting to see a pattern of “repeat-offenders.” Companies that are broken into more than once, and don’t seem to be able (or willing) to make changes so that breakins stop happening. Monster.com comes to mind.

Of course, as consumers, we don’t see an impact until our cards get canceled, or God forbid, our accounts get drained. But for people being issued cash cards as a form of payroll, this can have devastating consequences. If you’re living from paycard to paycard, and one paycard gets hacked, what will you do for food, gas and the other necessities that week? It might take the card company a week or two to straighten things out - maybe more. What happens until then?

The rising cost of these data losses is being well documented. For now, banks and financial companies are eating the cost out of their profits, and collecting damages from each other. It’s not a pretty picture, and ATMs are a growing part of the mess.

This is liable to get worse before it gets better. Companies tend to be unwilling to spend money on securing data in the best of times; but in these worst of times, securing data is just not happening.

PCI - Pay Cash Instead.