DataManagement

You Can’t Outsource Reputation

Reviewing yet another data breach in the news, I was struck by the phraseology of the news report. Specifically, the article on MassMutual brought a point to mind that I keep using with companies and organizations I work with: You can transfer risk, but you are still responsible for your data in the public eye.

Reading the article, I was struck by the fact that nowhere in the article was the name of the third-party vendor mentioned. MassMutual is taking it on the chin (and quite defensively, I might add) because, ultimately it is their data. They picked out the third-party vendor - I wonder how good their contract with the vendor is.

And the parties affected by this breach? Their employees, and their families.

The company announcement: “The vendor engaged a highly respected forensics team to investigate, and at this time we believe that no misuse of the information or fraudulent activity involving the data has occurred,” is disingenuous at best. We looked, but found nothing right now - so everything is OK!

Here’s the reality, however:

According to a recent report published by Javelin Research, (for which you must pay $1250.00, so you won’t be seeing me offer THAT as a download) individuals whose personal information has been compromised in a corporate breach are four times more likely to suffer identity theft or fraud.

This result runs contrary to MassMutual’s defensive statement, and is very commonly used from breached companies, who often state that they have no indication that the compromised data has been used by criminals.

No vendor name, no information on how or when it happened, but trust us, your data is fine!

Things You Can Do To Help An Investigation, Part II

In a previous column, I talked about the importance of locking up a computer and not continuing to use it after it has been compromised, or the fraudster was fired.

This works in a lot of situations, but there’s also situations where it’s NOT the best thing to do. If you know a computer has been compromised by an external entity, the best things to do are:
1. leave it on,
2. don’t let anybody use it, and
3. call your experts in.

Why leave it on? There are things running in memory that won’t be captured if you shut it down. Remember that you lose everything that’s in RAM, as well as network connections and processes running. It’s critical information if you want to find out who is doing it, and how they’re doing it.

Don’t log into it to “see what you can find out.” In some cases, servers get hacked, and admins tend to log in to “fix it.” As I noted earlier, Sometimes they reboot the box to “clear it out.” There goes all your information, and very probably the ability to at least find out how it was done so that you don’t restore the box to the same “hackable” condition.

Don’t have experts you can call on, that you know are good? That means you’re suffering from the ostrich syndrome. The time to build relationships that can help in a crisis is not during the crisis. Do yourself a favor and at least research the mostly likely people you’ll need to get the job done.

A Not-So-Great Use of Cloud Computing

As I’m sure you know, I’m not yet a big fan of “cloud computing,” known by various acronyms. I have yet to see a really comprehensive approach to audit and security. Ultimately, you don’t know where your data is in the “cloud.” And the Feds have access to it without a warrant.

So you can imagine my dismay when recently reading someone’s suggestion that the shared computing power of the “cloud” could be used to crack encryption algorithms ever so much faster. How will we address this risk?

The risks of audit and control issues, physical security and secure storage of backups, in my mind, outweigh the over hyped benefits. When I see a strong standard implemented by “cloud” vendors, subject to outside independent verification, I’ll get to wow.

Not until then. Where’s the beef?

When a “Fix” is Not a Fix - The Fix is In

In my previous post, I discussed the Time Warner/SMC modem enormous security flaw.

Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to login with the user/user account, it simply kicks them back to the login page with javascript. All routers are still open to the internet and all still have the same default admin password.

It seems that a fix from Time-Warner or SMC seems to consist almost entirely of PR.

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY

As lf 10/20/09, a software maven has written of a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its’ details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1 : Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is disabled via Javascript. When David Chen disabled Javascript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.

So you KNOW that this since this has been picked up by Wired every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.

End-To-End Encryption -Wouldn’t It Be Nice?

Since Heartland suffered a data breach (disclosed in January), they’ve become the poster child for end-to-end encryption. This is defined as encrypting card information from the moment it’s swiped until it reaches the card issuer. Of course, there may be some motivation provided by the fact that Heartland plans to sell a proprietary end-to-end encryption system by the end of this year. (Not sure I’d buy it from them!)

It sounds like a perfect solution, until you get into the mechanics. And that’s where the problems begin:

Hardware - Are all POS (Point of Sale) registers going to be able to handle the increased load of CPU cycles to encrypt and decrypt? It seems like all the vendors want you to use their hardware.

Software - Not all POS solutions are the same. What about companies that use registers AND online sales? Plus, there is currently no standard for what kind of encryption should be used. So you must go with a proprietary solution all the way through. How many companies can afford to replace so much materiel?

Location, location, location - Where does the data get stored? Can the database decrypt and re-encrypt? What about Call Centers, Fraud Management, or Marketing? They need to look at the information. Ultimately, where are the encryption keys stored and who/what has access to them?

Of the six vendors offering E2E, all of them require changes to POS systems.

And should this technology be implemented, it will not release businesses from complying with PCI. No, a report will still have to be delivered to the acquiring bank on an annual basis, signed by a C-level executive.

There’s no free lunch, it seems.

Malware on the Move

I was reading an article from Window Secrets this morning at 6:00 AM (in a hotel room, what else does a geek do?) and I wanted to pass along an excellent article in the newsletter.

The folks there offer a free and paid version of their newsletter. I have to say that after trying their free version, I decided to spend my hard-earned shekels for their paid subscription, and have not regretted it. It’s a newsletter for savvy Windows users, (as opposed to us more technical folks on TechTarget) but I frequently find tools and tips I’d like to have. Their list of freeware tools is outstanding AND examined for malware.

The article, by Susan Bradley starts out with the headline, The ads served by Bing and Google along with your search results are linking more and more often to sites trying to infect your machine.

This is not good news.

It seems that the major search engines, Google, Yahoo and Bing are looking the other way when evil people buy up popular search terms. When you click on the link, malware is installed through your browser. The search engines are not “vetting” the ads to make sure they are clean.

Susan suggests, and I’m inclined to agree, that the search engines know about this issue, but aren’t willing to police the ads because they are making so much money.

It’s possible to become infected, simply by viewing the sites. Not too long ago, the the New York Times reported on itself because an ad they posted infected subscribers.

Time for the search engines to start policing their ads.

Your Electric Utility and The Privacy Impact

You wouldn’t think that the power meter in your basement could have anything significant to say about you, personally, would you? Well, you (and I) would be wrong, very wrong, on that point.

We tend to have the mindset that only computers store and transport personal information, but there are far more items transmitting across IP or wireless connections, or RFID that by their nature reveal information about us.

Consider the EZ Pass, common on cars throughout the US. Officials can use that to track where your car is (and presumably you, or errant offspring) by watching where you have paid your tolls. That and your phone bill tell a great deal of “where, when and who” information.

There are privacy concerns about what there is in your wallet carrying an RFID chip, and how far away that information could be captured (estimates range from 3 ft to 30 ft). Credit cards, driving license and passports give your life away to the right reader.

Transmission from webcams, security cameras, and smartcards also go across the IP network.

So, imagine my dismay upon reading my colleague Rebecca Herrold’s Blog posting on SmartGrid privacy issues.

A SmartGrid “delivers electricity from suppliers to consumers using digital technology to save energy, reduce cost and increase reliability and transparency. Such a modernized electricity network is being promoted by many governments as a way of addressing energy independence, global warming and emergency resilience issues.” (Quote from Wikipedia) The Wikipedia is a very well written article, by the way.

All this sounds very nice until you read about a utility that planned to use power utilization to target low income customers for a “pre-pay” billing cycle.

Once again, a new technology puts security and privacy last. Her table made my hair curl.

The concept is marvelous for municipalities and governments; it provides an upgrade to an infrastructure put into place 120 years ago.

However, consider one of the points that Rebecca Herrold makes:

“The meter data could reveal resident activities or uses that utility companies may then subsequently decide are inappropriate or should not be allowed. Without restrictions, if this information could then shared with local government, law enforcement, or public media outlets the residents could
suffer embarrassment, harassment, loss of vital appliances, or any number of other damaging actions.”

What happens to privacy when that information is captured during a data breach?

Next Generation ATM Skimmers

I was over on identitytheft.info watching some video feeds when I came across this one. It’s worth taking a look at not because the technique for attaching Bad Things is all that different, but because of the hardware the Bad Thing is using.

Check out the hardware used: a modified cell phone (to call home with numbers? how convenient!) a camera and an SD card. It’s the hack of the cell phone I find the most interesting. Of course, they didn’t give us any details on that, but I would be interested to know how it was modified, wouldn’t you?

Although identitytheft.info is rather self-serving in its presentation (providing a variety of services to “victims”) they often have newsfeed videos that are very well done.

For instance, there’s another video that shows a keypad that can capture the pin (instead of a camera) as you type it in glued over the regular keypad.

They recommend notifying the bank if you discover a skimmer; I recommend notifying the police. They’ll take care of notifying the bank(s).

Small Business is Being Targeted

The days when you could assume that because your company was so small hackers wouldn’t care, have officially gone past. Security by obscurity has passed as well. Now the thieves are looking for small businesses so they can get to the banking accounts and wire money.

I was called on one of these last spring, and it worked like this: the controller got a call from the bank (someone was watching! Yay!) about some wired fund transfers that looked suspicious. After reviewing them, the controller realized fraud and theft had occurred. Other evidence was that the thief had changed the email address back to the controller so that she/he would receive no notification of the wire transfers. It seemed pretty clear that someone had somehow gotten her/his access to the bank account. That was all that could be discovered at the time. They lost over $40,000. That’s small change compared to some of the fraud going on.

Reading an article from the Washington Post, I recognized the scam. It works like this:

“In many cases, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company’s controller or treasurer, a message that contains either a virus-laden attachment or a link that — when opened — surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks’ anti-money-laundering reporting requirements.”

Sounds like exactly what happened to my client. The bad news is that once that money is wired out, there is no way the company can get it back. Losses to small businesses are becoming significant, but have not gotten much press up until this point.

In fact, wire-transfer fraud has gone up 58% in 2008, according to the US Treasury Department. Commercial business customers only have about two days to notify the bank of fraud, and then they eat the loss.

The problem is, Anti-Virus software is not keeping up with malware coming from over the Internet. Thieves are able to use malware to capture even the one-time codes on a fob during a transaction.

An advisory issued by the Financial Services Information Sharing and Analysis Center, recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts. For example, the group recommends that commercial banking customers “carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”

Another option might be VMware, where an image could be loaded for banking use only.