Data Security archives - Sister CISA CISSP


Nov 13 2009   9:49PM GMT

You Can’t Outsource Reputation



Posted by: Arian Eigen Heald
TCM (Truly Clueless Management), Data Breaches, data security, information security

Reviewing yet another data breach in the news, I was struck by the phraseology of the news report. Specifically, the article on MassMutual brought a point to mind that I keep using with companies and organizations I work with: You can transfer risk, but you are still responsible for your data in the public eye.

Reading the article, I was struck by the fact that nowhere in the article was the name of the third-party vendor mentioned. MassMutual is taking it on the chin (and quite defensively, I might add) because, ultimately it is their data. They picked out the third-party vendor - I wonder how good their contract with the vendor is.

And the parties affected by this breach? Their employees, and their families.

The company announcement: “The vendor engaged a highly respected forensics team to investigate, and at this time we believe that no misuse of the information or fraudulent activity involving the data has occurred,” is disingenuous at best. We looked, but found nothing right now - so everything is OK!

Here’s the reality, however:

According to a recent report published by Javelin Research, (for which you must pay $1250.00, so you won’t be seeing me offer THAT as a download) individuals whose personal information has been compromised in a corporate breach are four times more likely to suffer identity theft or fraud.

This result runs contrary to MassMutual’s defensive statement, a statement very commonly used by breached companies, who often say that they have no indication that the compromised data has been used by criminals.

No vendor name, no information on how or when it happened, but trust us, your data is fine!

Nov 5 2009   4:52PM GMT

A Not-So-Great Use of Cloud Computing



Posted by: Arian Eigen Heald
Data Breaches, Data Center, data security, cloud computing, cloud security, information security

As I’m sure you know, I’m not yet a big fan of “cloud computing,” known by various acronyms. I have yet to see a really comprehensive approach to audit and security. Ultimately, you don’t know where your data is in the “cloud.” And the Feds have access to it without a warrant.

So you can imagine my dismay when recently reading someone’s suggestion that the shared computing power of the “cloud” could be used to crack encryption algorithms ever so much faster. How will we address this risk?

The risks of audit and control issues, physical security and secure storage of backups, in my mind, outweigh the over-hyped benefits. When I see a strong standard implemented by “cloud” vendors, subject to outside independent verification, I’ll get to wow.

Not until then. Where’s the beef?


Oct 21 2009   6:52PM GMT

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY



Posted by: Arian Eigen Heald
Stupid Technology, Data Breaches, data security, Wireless, information security, Tearing My Hair Out

As of 10/20/09, a software maven has written up a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1: Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is disabled via Javascript. When David Chen disabled Javascript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.
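The four issues above map onto controls a router’s admin interface has to enforce on the server, where disabling JavaScript changes nothing. The following is an added example, not code from Time-Warner, SMC or David Chen’s write-up: it audits a constructed configuration for the weak settings listed and authorizes admin requests server-side. The LAN subnet and the factory-default credential and SSID lists are assumptions.

```python
"""Server-side controls for a cable-modem/router admin interface, modelled on
the four findings above. Added example, not vendor code; the LAN subnet and
the factory-default credential and SSID lists are constructed assumptions."""
import hmac
import ipaddress
import json

LAN = ipaddress.ip_network("192.168.0.0/24")            # assumed LAN subnet
FACTORY_CREDS = {("admin", "admin"), ("user", "user")}  # constructed defaults
FACTORY_SSIDS = {"default", "wireless"}                 # constructed defaults

# Constructed sample configurations: the shipped state and a hardened one.
WEAK_CONFIG = {"wifi_encryption": "WEP", "ssid": "default", "admin_user": "admin",
               "admin_password": "admin", "remote_admin_enabled": True}
HARDENED_CONFIG = {"wifi_encryption": "WPA2", "ssid": "home-net-7", "admin_user": "admin",
                   "admin_password": "correct horse battery", "remote_admin_enabled": False}


def audit_config(cfg):
    """Return the weak settings found in a router configuration dict."""
    findings = []
    if cfg.get("wifi_encryption", "").upper() == "WEP":           # Issue 1
        findings.append("WEP in use: switch to WPA2 with a long passphrase")
    if cfg.get("ssid") in FACTORY_SSIDS:                           # Issue 1
        findings.append("factory SSID: advertises the device to passers-by")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in FACTORY_CREDS:
        findings.append("factory admin credentials still set")     # Issue 1
    if cfg.get("remote_admin_enabled"):                            # Issue 4
        findings.append("admin interface reachable from the WAN")
    return findings


def handle_admin_request(cfg, source_ip, user, password, action):
    """Authorize an admin request on the server side. Hiding menu items with
    browser JavaScript is not access control; every request is checked here."""
    # Issue 4: unless remote administration is deliberately enabled, only LAN
    # addresses may reach the admin interface at all.
    if (ipaddress.ip_address(source_ip) not in LAN
            and not cfg.get("remote_admin_enabled")):
        return 403, "admin interface is LAN-only"
    # Issue 2: authentication is enforced on every request, in constant time.
    authenticated = (hmac.compare_digest(user.encode(), cfg["admin_user"].encode())
                     and hmac.compare_digest(password.encode(), cfg["admin_password"].encode()))
    if not authenticated:
        return 401, "authentication required"
    if action == "backup_config":
        # Issue 3: the exported backup never carries the admin password.
        export = {k: v for k, v in cfg.items() if k != "admin_password"}
        return 200, json.dumps(export)
    return 404, "unknown action"


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("weak setting:", finding)
    print(handle_admin_request(HARDENED_CONFIG, "203.0.113.5", "admin", "x", "backup_config"))
```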

So you KNOW that since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.


Oct 15 2009   5:07PM GMT

End-To-End Encryption - Wouldn’t It Be Nice?



Posted by: Arian Eigen Heald
Data Breaches, data security, information security, PCI

Since Heartland suffered a data breach (disclosed in January), they’ve become the poster child for end-to-end encryption. This is defined as encrypting card information from the moment it’s swiped until it reaches the card issuer. Of course, there may be some motivation provided by the fact that Heartland plans to sell a proprietary end-to-end encryption system by the end of this year. (Not sure I’d buy it from them!)

It sounds like a perfect solution, until you get into the mechanics. And that’s where the problems begin:

Hardware - Are all POS (Point of Sale) registers going to be able to handle the increased load of CPU cycles to encrypt and decrypt? It seems like all the vendors want you to use their hardware.

Software - Not all POS solutions are the same. What about companies that use registers AND online sales? Plus, there is currently no standard for what kind of encryption should be used. So you must go with a proprietary solution all the way through. How many companies can afford to replace so much materiel?

Location, location, location - Where does the data get stored? Can the database decrypt and re-encrypt? What about Call Centers, Fraud Management, or Marketing? They need to look at the information. Ultimately, where are the encryption keys stored and who/what has access to them?

Of the six vendors offering E2E, all of them require changes to POS systems.

And should this technology be implemented, it will not release businesses from complying with PCI. No, a report will still have to be delivered to the acquiring bank on an annual basis, signed by a C-level executive.

There’s no free lunch, it seems.


Sep 15 2009   2:06PM GMT

Who REALLY Owns Your Data



Posted by: Arian Eigen Heald
cloud computing, cloud security, information security, data security

I had an up-close-and-personal experience today of “cloud computing.” It’s worth thinking about.

I had just finished reading Bruce Schneier’s essay on cloud computing, (which is a great read, by the way) and was considering the following point he recently penned in his Cryptogram:

As we move more of our data onto cloud computing platforms such as Gmail and Facebook, and closed proprietary platforms such as the Kindle and the iPhone, deleting data is much harder.

You have to trust that these companies will delete your data when you ask them to, but they’re generally not interested in doing so. Sites like these are more likely to make your data inaccessible than they are to physically delete it. Facebook is a known culprit: actually deleting your data from its servers requires a complicated procedure that may or may not work. And even if you do manage to delete your data, copies are certain to remain in the companies’ backup systems. Gmail explicitly says this in its privacy notice.

What if those companies delete your data because they don’t like it? Or some copyright is at issue and they “can’t” let you keep it, such as Amazon’s now notorious “removal” of the Orwell books due to copyright issues (How ironic is it that Orwell’s books were deleted???)

So, I’m logging into Skydrive this morning because I’m building an online collection of tools I can access when I’m on the road or someplace where I don’t have my computer or USB drives with me.

I’d uploaded about 3 gigs of tools, which might be considered by some to be “hacking” tools, including Cain and Abel (which AV constantly tries to delete). But today, those directories and programs are nowhere to be found.

Big Brother Microsoft evidently doesn’t approve. And this is why we should all consider that if our data in the “cloud” doesn’t pass the vendor’s muster, our data will be deleted.

I’ll stick with my computer, for now.


Aug 28 2009   2:02PM GMT

Small Business is Being Targeted



Posted by: Arian Eigen Heald
data security, Data Breaches

The days when you could assume that hackers wouldn’t care because your company was so small have officially gone past. Security by obscurity has passed as well. Now the thieves are looking for small businesses so they can get to the banking accounts and wire money.

I was called on one of these last spring, and it worked like this: the controller got a call from the bank (someone was watching! Yay!) about some wired fund transfers that looked suspicious. After reviewing them, the controller realized fraud and theft had occurred. Other evidence was that the thief had changed the email address back to the controller so that she/he would receive no notification of the wire transfers. It seemed pretty clear that someone had somehow gotten her/his access to the bank account. That was all that could be discovered at the time. They lost over $40,000. That’s small change compared to some of the fraud going on.

Reading an article from the Washington Post, I recognized the scam. It works like this:

“In many cases, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company’s controller or treasurer, a message that contains either a virus-laden attachment or a link that — when opened — surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks’ anti-money-laundering reporting requirements.”

Sounds like exactly what happened to my client. The bad news is that once that money is wired out, there is no way the company can get it back. Losses to small businesses are becoming significant, but have not gotten much press up until this point.

In fact, wire-transfer fraud has gone up 58% in 2008, according to the US Treasury Department. Commercial business customers only have about two days to notify the bank of fraud, and then they eat the loss.

The problem is, Anti-Virus software is not keeping up with malware coming from over the Internet. Thieves are able to use malware to capture even the one-time codes on a fob during a transaction.

An advisory issued by the Financial Services Information Sharing and Analysis Center recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts. For example, the group recommends that commercial banking customers “carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”

Another option might be VMware, where an image could be loaded for banking use only.
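The pattern quoted from the Washington Post, and the changed notification address in my client’s case, are detectable from the account activity log alone. The following is an added example, not the bank’s or FS-ISAC’s code: it runs over a constructed activity log and flags runs of wires just under the $10,000 threshold to previously unseen payees, plus a notification e-mail change shortly before them. The thresholds, window and sample data are assumptions.

```python
"""Detection logic for the small-business wire-fraud pattern quoted above:
several wires just under the $10,000 reporting threshold to new payees in a
short window, preceded by a change of the account's notification e-mail.
Added example; the account activity is constructed and thresholds are assumptions."""
from datetime import datetime, timedelta

THRESHOLD = 10_000           # reporting threshold quoted in the article
NEAR = 0.75                  # assumption: amounts above 75% of it are "just under"
WINDOW = timedelta(days=2)   # assumption: roughly the time a customer has to dispute
MIN_RUN = 3                  # assumption: three such wires in one window is a run

# Constructed account-activity log: (timestamp, event kind, detail)
EVENTS = [
    ("2009-04-06 09:12", "email_change", "notification address changed"),
    ("2009-04-06 10:03", "wire", ("Acme Holdings", 9_800)),
    ("2009-04-06 14:41", "wire", ("J. Smith", 9_650)),
    ("2009-04-07 08:30", "wire", ("Payroll Svc", 2_100)),
    ("2009-04-07 11:15", "wire", ("K. Lee", 9_900)),
    ("2009-04-07 16:02", "wire", ("T. Brown", 9_700)),
]
KNOWN_PAYEES = {"Payroll Svc"}   # constructed: beneficiaries paid before this window


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def structured_wires(events, known_payees):
    """Return near-threshold wires to unseen payees that occur in runs of
    MIN_RUN or more within WINDOW of each other, oldest first."""
    candidates = []
    for ts, kind, detail in events:
        if kind != "wire":
            continue
        payee, amount = detail
        if NEAR * THRESHOLD <= amount < THRESHOLD and payee not in known_payees:
            candidates.append((parse(ts), payee, amount))
    candidates.sort()
    flagged = set()
    for i, (start, _, _) in enumerate(candidates):
        run = [w for w in candidates[i:] if w[0] - start <= WINDOW]
        if len(run) >= MIN_RUN:
            flagged.update(run)
    return sorted(flagged)


def email_changed_before(events, flagged):
    """True when the notification e-mail changed within WINDOW before the first flagged wire."""
    if not flagged:
        return False
    first = flagged[0][0]
    return any(kind == "email_change" and timedelta(0) <= first - parse(ts) <= WINDOW
               for ts, kind, _ in events)


def alerts(events, known_payees):
    flagged = structured_wires(events, known_payees)
    out = [f"near-threshold wire to new payee {p}: ${a:,}" for _, p, a in flagged]
    if email_changed_before(events, flagged):
        out.append("notification e-mail changed shortly before the flagged wires")
    return out


if __name__ == "__main__":
    for line in alerts(EVENTS, KNOWN_PAYEES):
        print(line)
```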


Jul 30 2009   1:44PM GMT

Don’t Go Banking with your iPhone Just Yet



Posted by: Arian Eigen Heald
mobile phone security, information, data security

Articles are being released today about a flaw discovered by security researchers Charlie Miller and Collin Mulliner. They informed Apple a month ago about this flaw, but no fix had been issued. So they decided to go public at the Black Hat conference with a demo of just how easy it is to take over an iPhone. The demo will be done today and I’m sure details of how to do it will be flying. From here, it sounds like a buffer overflow.

Experts are warning that a text message containing a square character means someone is in the process of taking over the phone. They recommend that you shut down the phone immediately and “wait awhile.”

I suppose they think waiting awhile will motivate the hacker to move on to other iPhones. I’d suggest, however, that you turn OFF text messaging until they get this fixed. Shocking to some, I know, but it would be much more shocking to have all your information compromised.

Have a new iPhone with 3G? You can visit a site on YouTube that demonstrates the ease of bypassing both the passcode and the encrypted backup. He has a number of other videos that are equally painful.

Once again, security has taken a backseat to speedy software development. Now Apple is getting a lot (more) bad press.


Jul 22 2009   3:09PM GMT

Adventures in Auditing #2



Posted by: Arian Eigen Heald
Physical Security, Compliance, data security

While doing a PCI exam not long ago, I visited a company that was very proud of its security measures, and rightly so. They had done a lot of work to secure their environment.

Sometimes it’s the smallest things that we are so used to seeing that we stop “seeing” them. They become part of the background noise of everyday functions and escape our notice. Social engineers are masters of acquiring those functions and using them for the wrong reasons. For example, the building cleaners. Do they have keys to everything in order to clean your offices? What if they decide to clean out your data?

Corporate espionage agents have been known to offer cleaners $50.00 per bag of trash. Another point of easy cash is backup tapes.

When we walked into the tape storage room, I inquired, “Do you have an inventory of the tapes in this room? How often do you check that the inventory is all accounted for?” Nonplussed, the CIO replied that the door was secured and only he and one other IT person had the key, which was signed out in the Data Center whenever it was used. So they weren’t “bothering” to inventory the tapes in the room.

Looking down, I noticed that the wastebasket was empty, with a fresh plastic bag neatly wrapped around it. I said, “Do your cleaners have a key to this room?” “Why, yes,” the CIO replied blankly. Then comprehension dawned on his face.

Next day, a new policy was posted by the tape storage door: all trash receptacles were to be placed outside the door. The CIO informed me that the lock had been changed to the door, and inventories would be done monthly.

There are some companies that go the extra mile of encrypting tapes or requiring that their cleaning companies be bonded AND employees have an annual background check.

It’s expensive, but so is losing the company’s reputation to a building cleaner……


Feb 19 2009   2:47PM GMT

“Cloud Computing” Redux



Posted by: Arian Eigen Heald
cloud computing, data security

I know I keep harping on this “new” concept. The only “new” thing about it is the marketing around the name. It’s still off-site data storage and third-party management of corporate hardware and data. It’s got a prettier face than the old green-screen connection to the mainframe, but the concept of thin client/thick client is exactly the same.

A lot of banks that I audit use contracted time and space on mainframes as a standard part of business. From what I’ve seen of this, there are both pluses and minuses:

One Plus:
No mainframe in the basement that requires at least two technically trained engineers.
One Minus:
You are entirely reliant on the third-party for coding changes, reporting and security implementations. They will most definitely charge you for every little and big thing they can. It’s death by a thousand fees. You are also at their mercy for when they are willing to make a change for you. “Security flaw? We’ll fix it in the next release.”

Is there actually a cost savings? It varies from bank to bank. A tiny regional bank may find it difficult to acquire technically skilled employees, in which case it can make a lot of sense and save money. Consider, however, that the larger the organization, and the more IT functions are needed, the more complex management of that third-party relationship is going to be.

Second Plus:
You rely on a SAS 70 for assessing the security of the service provider.
Second Minus:
You rely on a SAS 70 for assessing the security of the service provider.

Yes, I repeated myself. Right now we only have the SAS 70 as a way to assess service providers, and that applies ONLY if the service bureau is handling financial services for the company. The SAS 70 is meant to provide assurance for the financial auditors of the client companies, NOT test to a standard of any kind.

And then, only the controls that the service bureau says are in place are the controls that are tested in a SAS 70.

There is not an independent standard to test “cloud computing” environments for secure practices.

Cloud computing vendors tout the possibility of security: “Cloud computing can be as secure, if not more secure, than the traditional environment,” said Eran Feigenbaum, director of security for Google Apps. Which, in my mind, means that it will be an additional cost to the business.

Eigen’s Rule of Thumb - you get what you pay for. How many businesses will pay for security beyond what the vendor offers as basic services? How many businesses will skimp because they can’t afford it and there is no requirement for it?

Short answer: too many.


Feb 17 2009   6:44PM GMT

“Electronic Medical Records” or “Ready - Fire - Aim!”



Posted by: Arian Eigen Heald
Compliance, HIPAA, data security, medical identity theft, Privacy

What happens when we build a national database, with everyone’s health records? Will everyone get better, less expensive healthcare? That’s the impetus for funding a portion of the stimulus bill to push more health providers into the electronic age.

There are three items to consider, and they are the same ones we must always deal with:

Confidentiality - WHO has access to your health records? Right now hospitals, doctors, pharmaceutical companies and the government have access to your health records. And probably a lot more marketing companies have pieces of information, as well. An online pharmacy clerk in West Overshoe knows all your prescription medications and is paid minimum wage.

Integrity - Is your data accurate? Or has someone stolen your medical information to get health care, died, and left you with a rolling disaster?

Availability - Can you inspect and correct your data - ALL your data, including any diagnoses? What if you don’t agree with one? Can you delete it?

If you compare the answers, it looks remarkably similar to where your (and my) credit record is right now - in the hands of the data miners. All my data belong to….them.

From a regulatory perspective, the Feds are not providing any real consequences for medical data breaches, or lack of HIPAA compliance. They are waving a large carrot around, instead. Only one or two organizations have actually been fined for non-compliance, despite a large uptick in data breaches. It is left to the outraged patient to sue for damages. There are no clear statistics for medical identity theft, because the appropriate agency isn’t tracking them.

It’s one thing to get information online, another thing to get it online safely. It seems to be a pattern in every industry that data becomes electronic before any thought of security.