Security and Risk

What Did We Learn From The Cyber Shockwave…March Madness Can Cripple Our Infrastructure

Usman Sindhu — Fri, 19 Feb 2010 05:00:00 +0000

Just this Tuesday, February 16^th 2010, the Bipartisan Policy Center hosted a mock cyber attack called Cyber Shockwave. The aim of this simulation was to understand the impacts of a cyber attack and assess infrastructure capability during such an incident. There are many articles explaining the motive and results of this simulation, and post mortem is still coming as we speak.

So, what did the simulation entail? It depicted a war game taking place in 2011 – basically an application installed on smart phones during ‘March Madness’ thatturned out to be a malware. This hypothetical malware affected telecom and IT infrastructure throughout the country, with the result actually bringing down the nation’s cellular network...but there is more. According to an article from ‘The Atlantic Wire’:

“Later, two bombs disabled the country's electricity network and destroyed gas pipelines... Soon 60 million cellphones were dead. The Internet crashed, finance and commerce collapsed, and most of the nation's electric grid went dark. White House aides discussed putting the Army in American cities.”

Also, according to an article from DarkReading:

The Fear Of Four... And The Future Of Fraud Detection

Chris McClean — Thu, 18 Feb 2010 05:00:00 +0000

I had a few great conversations yesterday about the increasing role analytics will play in risk and compliance programs, which brought to mind the article, For Some Firms, a Case of 'Quadrophobia' appearing earlier this week in the Wall Street Journal and referenced yesterday by the NY Times’ Freakonomics blog.

The article covers a study of quarterly earnings reports over a nearly 30 year period, which found a statistically low number of results ending in four-tenths of a cent. The implication here is that companies fudge their numbers slightly to report earnings ending in five-tenths, which can then be rounded up... clever. Even more interesting, authors of the study found that these “quadrophobes” are “more likely to restate financials and to be named as defendants in SEC Accounting and Auditing Enforcement Releases (AAER)”... not clever.

The report encourages the SEC to enhance its oversight with a new department dedicated solely to detailed quantitative analysis that might catch this type of behavior. It also occurs to me that many corporations would like to identify such trends within their four walls to detect and prevent potentially damaging behavior.

Clearly, the cultural/human aspects of risk management and compliance – policies, attestations, training, awareness, whistleblowing, etc. – are essential. But as the number and complexity of business transactions continue to grow, companies will be looking more and more for ways to analyze massive amounts of data for damaging patterns and trends.

Don't Sign Here Please

John Kindervag — Wed, 10 Feb 2010 05:00:00 +0000

Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card." Wow.

What this seems to signal is that Visa, and perhaps the other card brands, feel that they will make more money by eliminating barriers to the sale, such as the 2.2 seconds needed to sign your name, than it would lose in fraudulent transactions, considering this program is for transactions of US$25 or less. Also, it appears that people no longer know how to sign their names.

I have often heard (in low, barely audible whispers) that US consumers were too lazy to care about security, which is why the US will probably never have CHIP and PIN transactions for enhanced credit card authentication. We Americans are too darn busy to push 4 numbers on a key pad (4.3 second). This drives folks in the other parts of the world crazy as they are in love with CHIP and PIN and, mistakenly, think that this technology eliminates all transaction risk. CHIP and PIN cards still have a mag stripe that can be scanned, and skimming is still a problem. It's a great authentication method, however, and would really help reduce some of the smaller, card-present CC frauds were we to adopt it.

Americans need more paranoia about credit card theft. We are much more likely to suffer some type of credit card fraud or be affected by a major credit card breach than a terrorist attack, but for some reason we are unwilling to punch in a few numbers to help protect ourselves.

Trends in Mobile Payments Are Frightening

John Kindervag — Mon, 08 Feb 2010 05:00:00 +0000

Question: Do I really want someone with an iPhone taking my credit card info?
Enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments.
So many questions:

Online Shopping Sites May Be Sharing Your Credit Card Data

John Kindervag — Fri, 05 Feb 2010 05:00:00 +0000

The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the retailer you are shopping with your credit card number:

"Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."

My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard. According to the PCI DSS:

"Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."

It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.
An MSNBC story on the investigation puts it this way:

MiFi Pwned!

John Kindervag — Wed, 03 Feb 2010 05:00:00 +0000

Wireless hacking Guru, Josh Wright,has just announced that he has created havoc with a MiFi personal access point.MiFi is a little device that turns 3G wireless signals into WiFi. The cool thing is that the wireless signal can be shared with other nearby computers. According to Josh, he has found a way that, "An attacker can recover the default password from any MiFi device." This is big news because anyone who is involved with wireless ne

The changing nature of governance, risk, and compliance

Chris McClean — Tue, 02 Feb 2010 05:00:00 +0000

In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.

News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception... giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support the this recovery... you're making a huge mistake and you will regret that later on," he said. French President Nicholas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."

Is 3-D Secure Insecure?

John Kindervag — Mon, 01 Feb 2010 05:00:00 +0000

Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode."

This could be a big deal.

In a recent paper, the researcher calls out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."

According to the authors:

"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."

Virtual Network Segmentation for PCI?

John Kindervag — Fri, 29 Jan 2010 05:00:00 +0000

Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance. They may use ARP or VLANs to control access to various network segments. These type of controls work at Layer 2 and the hacker community is well versed at using tools such as Ettercap or Cain & Abel to bypass those controls. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.
While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control:"Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."

Plain speaking about industrial spying

Andrew Jaquith — Mon, 25 Jan 2010 05:00:00 +0000

Or: why “advanced persistent threat” is the wrong phrase

Google's revelation that it was hacked by (likely) Chinese actors has helped propel another round of stories, blog posts, and analyses about What It Means. I have participated in some of these discussions, and my colleague Chenxi Wang has written several illuminating posts about the nature of the attacks.

The specific means of compromise, a zero-day Internet Explorer exploit, has raised awareness of a phenomenon referred to as the “Advanced Persistent Threat,” concisely described by Lockheed Martin’s Mike Cloppert as “any sophisticated adversary engaged in information warfare in support of long-term strategic goals.” In his posts, Mike also nearly always uses APT in conjunction with the word “actor” (as in: APT actor) because he means a particular adversary. Mike's definitions are important because they help clarify what APT is, and what it is not. Expanding on his definition a bit, here is what I believe APT is:

Cyber security sees the light of day in the NIST smart grid interoperability standard

Usman Sindhu — Fri, 22 Jan 2010 05:00:00 +0000

Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.

The timing of this report is perfect, as current smart grid rollouts are often criticized for lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the roll out phase. This lack of security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.

The NIST publication will be an important piece of work as it brings various standards, bodies, and regulators like IEEE, NERC, and FERC to the table. Note, this is not a control based standard like others published by NIST, but a guideline to other frameworks that should be referenced when working in a smart ecosystem. A more control based work on cyber security in smart grid is in development and the draft of these standards is available for public review.

A few important highlights to pay close attention to in the cyber security sections are:

(Update) Google calls and retracts the VPN story

Chenxi Wang, Ph. D. — Thu, 21 Jan 2010 06:00:00 +0000

Google called again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is: "This is not accurate." So, I should rephrase how the attack happened:

a) A Google employee's machine that was running IE v6 was compromised via the IE vulnerability.

b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers." At Google's request, I retract that particular statement.

This is what we do know factually:

1) The attack on the Google server happened.

2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.

Could these two things be entirely unrelated? I doubt it. But Google isn't going on the record to say that the attack came in via the VPN, and that's their official position.

On a positive note, Google is actively trying to schedule the security interview with me. So hopefully I'll have more to report shortly.

Why Google and Microsoft, not cloud computing, were at fault for the Google hack

Chenxi Wang, Ph. D. — Thu, 21 Jan 2010 05:00:00 +0000

By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet markets, as well as the already tenuous relationship between US and China - it is no wonder this attack is drawing the attention of headlines worldwide.

Why isn’t this an attack on cloud computing?

The Devil’s Dictionary, InfoSec Edition

Andrew Jaquith — Wed, 20 Jan 2010 05:00:00 +0000

Ambrose Bierce’s The Devil’s Dictionary is a wickedly witty piece of work (and website). It slyly redefines common words and phrases, usually with a bitter, contrarian, or comic touch. But why should Mr. Bierce (or more correctly, his estate) have all the fun? It is time for one in the information security field. Here are a few nominations. Most of these are original, but a few were gleefully filched from others:

ALE: an intoxicating liquor that gives imbibers perceived omniscience and discernment, but with one unfortunate side effect: it causes their pants to spontaneously fall down

Advanced persistent threat: a security product manager hyping new categories

Blended threat: a hemlock smoothie

Claims: a more expensive form of assertions, officially sanctioned with George Orwell’s posthumous blessing. cf “flatbread” v. “pizza”

Collective intelligence: the dawning epiphany that the cyber-villains have already won

Data leak prevention: adult undergarments for stopping electronic incontinence

Device control: using Super Glue to plug holes in the sides of laptops

Full disclosure debate: a ritualistic Kabuki performance that ends with a fist-fight amongst members of the audience

Actionable: providing information of sufficient detail and clarity to enable one party to sue another*

Full disk encryption: spray-on auditor repellent

The Attack on Google: What It Means

Andrew Jaquith — Fri, 15 Jan 2010 05:00:00 +0000

Unless you have been living under a rock for the past few days, you probably have heard about some big changes Google has made regarding an attack on its infrastructure. Here is what we know: