Tag Archives: infosec

Security News Roundup: Defending The Indefensible

Here’s a data security conundrum. The news that anonymous DNA sample data has been used to personally identify the original donor sounds, at first, like an information security problem.

The reality is, it isn’t. A team of geneticists has shown there is a systematic weakness in the way that this data is handled. It turns out that statistical analysis combined with good old-fashioned searching the Internet for identity clues may be all it takes to render the strict controls associated with donor data completely powerless.

The law of unintended consequences always applies with new technology. If we give information away freely, we shouldn’t be surprised when someone finds a way to use it. Imagine what a geneticist could do with this research that uses Facebook ‘likes’ to predict race, religion and sexual orientation?

This does raise the question of how to design security systems to protect data from threats (or developments in technology) that we don’t know about yet. This intractable problem is likely to remain with us for the foreseeable future, but one approach is to offer up your implementation for attack, and pay a bounty for positive results.

Which sounds very much like the Google-sponsored “Pwnium 3” contest where cash prizes of up to $150k are available for demonstrable exploits of Google’s Chrome OS. Google did manage to get some last-minute patching done just before the competition started, and (consequently?) there were no clear winners, with Chrome fending off all attacks.

Let’s wrap up this week’s somewhat sober assessment with a data-leak-of-the-week quote from this story about widely reported data breaches at various credit reference bureaus:

“The data leak this week is being called a juvenile prank and not necessarily the work of any sophisticated hacker”

We’re not entirely sure what the difference is, from the victim’s perspective, but it’s an interesting defence.


Security News Roundup: Can You Hear Me Now?

Sometimes, the price of success is unwanted attention. Witness the apparently stratospheric rise in malware on the Android mobile platform. With mobile usage continuing to explode, coupled with the vast array of valuable data we store and access from our phones, it should come as no surprise that the bad guys want a piece of the action.

Why does Android seem prone to these issues? Part of the answer lies not in the technology, but in the end user. Hacking the human mind continues to yield some rich pickings. Disappointingly, we just keep clicking on stuff without thinking. Where’s the patch for that?

We can’t help recalling the uproar a few years ago when “free” webmail services were all the rage. The big deal then was the realisation that these providers could actually read your mail. The very thought! Roll forward to the present day, and not only have we completely forgotten about that, we’re storing all sorts of data in all sorts of places, without a care in the world.

Lost or stolen USB keys, DVDs and laptops were also a big deal, but now that’s all passé. Now we have an even better way to lose sensitive data that we shouldn’t even be storing in the first place. Yes, it’s bring your own cloud, the thoroughly modern approach to data storage that has done for data security what King Henry VIII did for gender equality.

Emails aren’t secure, data is at risk of compromise more or less all the time. What’s left?  The good old cellphone system. That’s probably secure. By “probably”, of course we mean “probably not”. Witness this post via Bruce Schneier highlighting the techniques used by the FBI in order to intercept phone data and track users. Very informative.

But is it controversial? An organisation that tracks your location, knows all your contacts, reads your emails and extracts data from your phone? This is, of course, completely unheard of on the Internet. On a mobile phone. We’re sure you see our point here.

Let’s end with a summary. We’re using mobile platforms that are full of holes, to store data that we shouldn’t be storing, on cloud services that are insecure; whilst assorted governments, commercial organisations and bad guys all compete for access to that data, right in the palm of our hands.

Who says information security is boring?

Security News Roundup: Chinese Take-away

The biggest story this week. Chinese military unit behind ‘prolific and sustained hacking’ says security report. A highly-skilled team of intelligence gatherers working systematically to steal confidential information from organisations around the globe? Shocking stuff – we can’t imagine for a moment that our government is doing the same thing.

But things move fast in the murky world of attack and counter-attack. The widely-touted report itself has become a security risk, and is being used as bait in a phishing attack. Naturally, that’s the level of entrepreneurial, free-market thinking that one automatically associates with communist China.

Speaking of Chinese ingenuity, malware is getting smarter says anti-virus vendor McAfee; a revelation that presumably comes as no surprise to competitor Symantec, whose own products apparently failed to spot (and here’s that phrase again) the prolific and sustained hacking of the NY Times. Can anyone else see a pattern emerging here?

If security products can’t help us, we have to defend ourselves against the data breach apocalypse. Better not start with Sharepoint then. According to a recent survey, two thirds of Sharepoint users have no security policy.  We know it’s called Sharepoint, but really there are some things that one shouldn’t be sharing. Like the fact that you have no security policy, for example.

Finally, if that’s not apocalyptic enough, we now know that the emergency TV broadcast systems used to address the US public in the event of a real apocalypse are riddled with default passwords and other poor configuration choices. We know this because during a recent spate of zombie uprisings across three US states, community-spirited citizens were able to alert the general public to the imminent danger posed by the walking dead.

What a relief.


ATM & E-Commerce Security Guidelines

A couple of new information supplements have been released by the PCI SSC, covering E-commerce and ATM PIN security.

“PCI DSS E-commerce Guidelines” contains a nice summary of common E-commerce models, vulnerabilities and some recommendations too.

From the intro:

“This Information Supplement is intended for merchants who use or are considering the use of e-commerce technologies in their cardholder data environment (CDE) as well as any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants”

Download it from here.

If you’re developing or implementing applications for the ATM environment, you’ll be interested in this next information supplement, entitled “PCI PIN Transaction Security Point of Interaction Security Requirements”.

From the intro:

“This document proposes guidelines to mitigate the effect of attacks to ATM aimed at stealing PIN and account data. These guidelines are neither definitive nor exhaustive and are not intended to be used as requirements for a validation program at the PCI SSC.”

Download the document from here.

8 Recurring Themes Within The PCI DSS

The PCI DSS is a security standard that embodies a number of underlying principles. What are these principles?

As with all PCI compliance questions, the answers usually lie in understanding the intent behind the requirements of the standard. Although there are many individual requirements detailed within the PCI DSS, collectively they are based upon a number of sound security principles. Here are eight of them.

  1. Least privilege. Did you ever delete something by accident? In any secure environment, this principle is as much about restricting access as it is about saving you from yourself. All administrative privileges should be used only for the task in hand, and then relinquished once the task is complete.
  2. Separation of duties. Why is it a bad idea to have a single role with access to everything? The same reason it is a bad idea to put all your eggs in one basket. It may seem convenient, but such systems are error prone and open to fraud and failure. It also violates principles 1, 5 and 8.
  3. Simplicity, or “complexity is the enemy of security”. The malicious exploitation of technical vulnerabilities is possible because of poor technical configuration, implementation or just plain oversight. Unnecessary complexity provides extra opportunity for failure. Keep it simple.
  4. Fail safe, or “default deny”. Implicit access is a poor approach here. Example: If you are putting together a list of users who do not need access to your card data environment, then you need to think again. Whether it is access controls, firewall rules, or any other security restriction; enforce the basic principle that nobody gets any access unless explicitly permitted.
  5. Authorisation, Authentication, Access Control. All secure systems need to support full accountability for their use. This means granting access (authorisation), confirming the identity of the requesting party (authentication) and controlling what that party can do (access control). Just as important is your ability to revoke permission – especially when things go wrong.
  6. Open Standards. This is especially true when it comes to the use of cryptography to protect your cardholder data. Designing your own proprietary encryption is usually a poor idea. It is unlikely that you will have the time or expertise to prove that your design really can keep a secret and is not simply based upon obscuring data.
  7. Re-use. Why re-invent what has already been done, and done well? Just like the example of cryptography above, it is usually best to build on the work of others, not to start from scratch. Existing policies and procedures are also a candidate here – chances are you already have material that could easily be adapted.
  8. Defence in depth. Relying on a single line of defence seems like an obvious strategic oversight. To understand this principle, try to recall how many times you have heard about a data breach occurring via a single, unsecured point of access. Also, have another look at these eight principles, and see how readily they overlap.
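To make principles 1, 4 and 5 concrete, here is an added Python example (not from the original article, and not Ambersail’s or Worldpay’s code) that contrasts an implicit-allow “blocked users” list with an explicit allow-list policy that denies by default. The users, roles, resource names and rules are all constructed for illustration; the `evaluate()` function also returns the reason for each decision so that every grant or refusal can be accounted for.

```python
"""Added example: 'default deny' versus implicit allow for a card data
environment (CDE). All users, roles, resources and rules are constructed."""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str       # "read" or "write"
    resource: str     # path-like name, e.g. "cde/cardholder-db"


# --- Anti-pattern: a list of who does NOT get access ------------------------
# Everyone absent from the list is allowed, so any account created after the
# list was written (a new intern, a forgotten test user) slips through.
BLOCKED_USERS = frozenset({"contractor-bob"})   # constructed sample


def implicit_allow(req: Request) -> bool:
    """Grant access unless the user appears on the blocked list."""
    return req.user not in BLOCKED_USERS


# --- Default deny: explicit allow rules, everything else refused -------------
@dataclass(frozen=True)
class AllowRule:
    role: str
    actions: frozenset        # actions this role may perform
    resource_prefix: str      # applies to resources under this prefix


# Constructed policy. The payments application may only read the cardholder
# database; DBAs may read and write anything under cde/. No rule grants more
# than the role's task needs (least privilege).
ALLOW_RULES = (
    AllowRule("payments-app", frozenset({"read"}), "cde/cardholder-db"),
    AllowRule("dba", frozenset({"read", "write"}), "cde/"),
)


def evaluate(req: Request,
             rules: Iterable[AllowRule] = ALLOW_RULES) -> Tuple[bool, str]:
    """Return (allowed, reason).

    A request is allowed only when some rule explicitly matches its role,
    action and resource; the reason string is the accountability trail that
    the article's principle 5 asks for.
    """
    for rule in rules:
        if (rule.role == req.role
                and req.action in rule.actions
                and req.resource.startswith(rule.resource_prefix)):
            return True, (f"allowed by rule role={rule.role} "
                          f"prefix={rule.resource_prefix}")
    return False, "denied: no explicit allow rule matched"


def default_deny(req: Request,
                 rules: Iterable[AllowRule] = ALLOW_RULES) -> bool:
    """Boolean convenience wrapper around evaluate()."""
    return evaluate(req, rules)[0]


if __name__ == "__main__":
    samples = [
        Request("intern-new", "intern", "read", "cde/cardholder-db"),
        Request("svc-payments", "payments-app", "read", "cde/cardholder-db"),
        Request("svc-payments", "payments-app", "write", "cde/cardholder-db"),
        Request("alice", "dba", "write", "cde/cardholder-db"),
        Request("alice", "dba", "read", "hr/payroll"),
        Request("contractor-bob", "contractor", "read", "cde/cardholder-db"),
    ]
    for r in samples:
        allowed, why = evaluate(r)
        print(f"{r.user:14} {r.action:5} {r.resource:18} "
              f"implicit_allow={implicit_allow(r)!s:5} "
              f"default_deny={allowed!s:5} ({why})")
```

Running the script shows the difference in one line: the newly created intern account is let into the cardholder database by the blocked-user list (nobody thought to add it), while the default-deny policy refuses it because no rule mentions the intern role. The same evaluator also refuses a DBA reading an HR resource outside the cde/ prefix, which is the separation-of-duties point from principle 2.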

This article was originally written by Ambersail for the Worldpay “Safer Business” newsletter published earlier this year.

7 Security Warning Signals

2011 featured plenty of news about high-profile data loss and cybercriminal activity. And so did 2012. Any guesses for 2013?

Some common causes emerge in all of these cases. Poorly managed infrastructure, insecure web applications, and a lack of attention to security procedures are often cited.

But how do these conditions arise? How is it possible that otherwise capable and competent organisations fare so badly?

Our work with clients around the world gives us a privileged insight into the security infrastructure of numerous organisations, from the largest to the smallest, and from the simplest to the most complex. In all cases where data loss or compromise has taken place, common themes emerge.

Here then, are 7 significant warning signals to look out for. Why not score yourself?

  1. Management belief that it’s getting harder to defend your data, and the bad guys will get in anyway if they want to. This unfortunate attitude is especially dangerous if it comes from the top of the organisation. It indicates a lack of understanding of security issues as well as a disregard for the information assets of the company.
  2. Internal memos stating that “security is everyone’s responsibility”. Organisations should adopt internal programmes to raise security awareness but this is a different kind of message. It says “Security is nobody’s specific responsibility”. It makes about as much sense as a team where everyone is the manager.
  3. There is no IT executive who can articulate the relationship between the terms “regulatory compliance” and “corporate information security”. If an exec is confused by the difference between an audit standard and the protection of the valuable data assets of the company, then the organisation is already at a disadvantage.
  4. A security team who are so difficult to work with that the business simply ignores them. It is an unfortunate fact that there sometimes exists an “us and them” attitude; and it can emanate from the infosec team. Security has to support the business, rather than be tolerated by it.
  5. A compliance project that only extends to achieving compliance rather than maintaining it. PCI compliance, for example, is re-validated once per year. But PCI DSS requires that a compliant state is maintained at all times, not just on the day of the assessment.
  6. Blind faith in security products. Security products are a useful and often essential part of a secure infrastructure. But it’s vital that organisations have the skills to configure, operate and react to the events that such products detect and disclose. Otherwise, they are a waste of time and money, or worse, a source of false or incomplete information.
  7. The use, in any compliance or security discussion, of the phrase “ticking the boxes” to describe the validation of a compliant or secure environment. This last point is included to underline all of the others. “Box ticking” suggests an attitude to security that takes no account of what is actually going on. It suggests that instead of real, practical implementation of policy, we have a discussion-based activity. A piece of paper rather than observable evidence. It pays lip-service to real security and it is to be avoided.

How did you score?

0 – Congratulations, you’re running a tight ship. In fact you’re so busy you probably haven’t even read this post.

1-4 – Security probably feels like an uphill struggle right now, but it gets easier as you improve.

5-7 – Unfortunate. Even though no box remains un-ticked, there’s still work to do.