Network Security Podcast, Episode 275, May 1, 2012

Time:  34:21

Show notes:

• RuggedCom Owes its Customers an Explanation
• Oracle scrambles to contain 0-day SNAFU
• The history of a -probably- 13 years old Oracle bug: TNS Poison
• ‘Stand Your Cyberground’ Law: A Novel Proposal for Digital Security
• Big Data’s Big Problem: Little Talent
• British ISPs Ordered to Block The Pirate Bay
• Tonight’s Music: Jet Lag Gemini with Run this City

When this podcast was first release, it was mistakenly seen by iTunes as the PDF of the DBIR as being the podcast.  Subsequent attempts to upload were similarly misidentified.  Here’s hoping that a remix of the podcast will be significantly different enough that it doesn’t try keying on the DBIR again

Network Security Podcast, Episode 272v2

Think on that for a while.  If it doesn’t scare you, it should.

Update:  Here’s the full text of Dan Geer’s talk at SOURCE Boston

Network Security Podcast, Episode 274, April 17, 2012

Time:  30:00 (Exactly, which may be a first)

Show notes:

• Internet Service Provider to put our privacy first
• CISPA is getting better, but still has a long way to go
• Kip Hawley finally admits the TSA is broken… and offers suggestions to fix it
• War games with China
• Tonight’s Music: Big Sandy with Big Fat Trouble

Let’s have some laws to promote information sharing. But let’s not give up our civil liberties and make our government into more of a surveillance state than it already is.

Update:  At the suggestion of a co-worker, I sat down and read the entirety of the CISPA bill, only to find it had changed significantly from when I’d first skimmed over it.  Several of the clauses that would have allowed the media companies to share information freely if they suspect piracy have been changed to clarify that it’s only if there is an attempt at network compromise that the CISPA sharing would be invoked.  Of course, that might not stop businesses from claiming they’re justified in sharing, which is a fairly likely event given previous experience with many media companies.  It also got a little worse in some ways, including the power infrastructure companies and limiting the liability of companies even more and making it nearly impossible to claim a violation, provided you can even find out there was one in the first place.  Techdirt has a good explanation of some of the changes.  There’s improvement, but not enough that we shouldn’t do everything we can to stop this law in it’s current form. 

Infographic designed by Lumin Consulting

…

Network Security Podcast, Episode 273, April 10, 2012

Time:  40:20

Show Notes:

• When the cops subpoena your Facebook information, here’s what Facebook sends the cops
• Hotel’s Free Wi-Fi Comes With Hidden Extras
• Executives Abroad May Get Owned Before They’re Off The Tarmac
• After killing SOPA, Internet activists take aim at a new House cybersecurity bill
• Mac malware thingy

As a follow up to last week’s episode, Martin was joined last week by Josh Corman to talk to Wade Baker about the 2012 Verizon Data Breach Investigation Report.  Wade talks to us about how the information for the report was gathered, some of the strengths and weaknesses of the analysis and finally how the amazing puzzle that is the front cover was concieved.  The episode is a little longer than normal, but worth the time.

Network Security Podcast, Episode 272, April 3, 2012
Time:  40:37

The relationship between customer, merchant, banks, card processors and the card brands is complex and not at all clear to the average consumer.  When a customer swipes their credit card or places an order online, the merchant passes that information on to their processor.  The processor is a company, such as Global Payments, that has been designated by the merchant’s bank to process payments on their behalf.  The processor sends the request to the card brands, who check the balance with the bank that issues the credit card and forward an approval or denial based on credit availability and fraud checks.  That approval is forwarded back to the merchant and the customer and the whole process only takes 2-3 seconds on the average day.  At the end of the day the merchant bundles the credit card requests and sends them to their bank, appropriately designated the merchant bank, who forwards the information through the card brands to the banks of the people who charged their cards that day.  The relationship is complex and my explanation doesn’t cover the many variations that can crop up, but it covers the basic idea.  For more information, there is a wiki page.

On of the most interesting aspects of this is that Visa has removed Global Payments from the list of compliant processors, a step that I don’t think has been taken for any breach since that of CardSystems in 2005.  CardSystems was the first major breach of the credit card flow to catch the public attention and it was very clear that de-listing was done to buoy consumer confidence.  But since then very few service providers of any stripe have had their listing pulled, which indicates there may be more going on behind the scenes than is being reported publicly.  Global Payments’ relative silence and the updates to the number of records compromised add to this impression.  Of course, no one expects any company to come clean immediately when faced with a compromise, but the degree to which this incident is causing lips to be sealed is interesting by itself.  Will Global Payments have to go through a similar process as CardSystems, basically selling themselves to prevent total collapse?

We’ve gotten to the point where we almost expect daily or weekly notifications from merchants stating they’ve been compromised.  But where merchants are not in the business of securely taking in credit card numbers, that’s exactly what processors and banks are supposed to be focusing on.  A merchant makes their money by selling products to consumers whereas a payment processor is selling the security of the transaction and any breach of that trust is a major issue.  The processors are also aggregation points for multiple merchants and many processors have millions of card transactions flowing through their systems on a daily basis.  As such, they know, beyond a shadow of a doubt, that they are being targeted by attackers and that their security is paramount to continuing to be in business.

I strongly suspect that what’s been disclosed so far is simply the tip of the iceberg.  If Global Payments was compromised for a month and a half, as currently stated, then a much higher number of card numbers than 1.5 million were most likely processed during that time.  Which means the compromise was either contained in some way with or without the awareness of Global Payments, or there is another shoe waiting to drop.  My money is on the latter.

Update:  I forgot to add that there was a brief outage of the Visa network on Saturday morning when they updated systems inside VisaNet.  Yeah, that can’t be at all related to the Global Payments breach, could it.

Since Rich is on the road this week, Martin and Zach are joined by none other than friend of the podcast, Josh Corman.  Which is not that surprising, since there’s only one story we’re talking about tonight, the latest Verizon Data Breach Investigation Report.  There’s a lot to talk about again in this year’s report, as well as a few things that left us scratching our head (cough *activists* cough).  Despite our minor criticism, the DBIR is once again a great report, though folks like Mandiant and Trustwave also turn out some pretty good reports as well. Oh, and as expected when Josh is on, we go a little long this week.

Network Security Podcast, Episode 271, March 27, 2011

Time:  46:35

Show Notes:

• 2012 Verizon DBIR – That’s the blog post, the report itself is available here.
• BeaCon 2012
• 0xBlood Ruffin and Hactivismo
• Source Boston 2012
• Cognitive Dissidents – Josh’s blog
• Tonight’s Music: Peace, Love and Don’t Trust MTV by TJR

Last Friday, Bruce had been invited to a House Committee on Oversight and Government Reform to talk about the effectiveness of TSA security measures.  Perhaps unsurprisingly, someone at the TSA caught wind of the fact that he was supposed to be there in person, challenging TSA assertions and had his inclusion in the proceedings blocked.  For some odd reason, the TSA is leery of having someone on the panel who not only understands most of the visible security measures we experience at airports, but can also articulate that in a manner the public can understand.  Of course, the reason the TSA claims they had him blocked is because of a lawsuit he currently has going on against them.

The TSA (and the DHS) is well aware of their detractors and takes great pains to avoid directly confronting any of them or giving critics a chance to get real answers to charges of ineffectiveness.  And Bruce Schneier has been one of the voices that’s taken them to task many times, coining the term ‘security theater’ to describe security that looks like it’s making us more secure while really providing little or no actual protection.  In fact, security theater is often harmful, since it makes us think we’re safer than we really are. 

One thing people tend to forget is that the TSA is a political organization first and foremost.  The people who run the DHS, currently Janet Napolitano, are appointed politicians who’s primary goal is not security, is not safety, but is instead simply keeping their jobs and doing whatever it takes to appear effective.  I know it’s cynical, but politics have always been about appearances rather than the actual utility of the actions politicians take.  And since the TSA’s role is so well defined, it’s easier to measure that effectiveness, or lack there of, than it is with many governmental agencies.  Which is why in most airports, no one is keeping count of the number of people who opt out of backscatter x-rays; if we counted, there would be metrics that could be used as a yardstick.  But of course, we wouldn’t want to know how good or bad our security measures are, since that means we’d expect changes to be made to make them more effective.

I had the dangers of mixing politics and security at the TSA made painfully clear to me several years ago when I had a chance to interview Michael Chertoff, who was then the outgoing head of the DHS.  At one point I asked Mr. Chertoff if there was ever going to be a time when we don’t have to take off our shoes when going through a security checkpoint.  His basic answer was, “I’m a politician.  The shoe bomber happened and if I don’t make sure it never happens again it’s the end of my career, so you’ll have to keep taking your shoes off for the foreseeable future.”  Which told me that for a career politician, protecting his career is much more important than protecting the folks who are traveling through the airport.  And by the by, Mr. Chertoff went to work for one of the companies who build and sell backscatter x-rays to the TSA when he left office.  Let that one sink in for a while. 

All in all, this is just one more data point in the argument that the DHS and TSA are less about actually protecting the public than they are about perpetuating a political power base built on fear of a once in a lifetime event.  The TSA has created a situation where people have given up a number of personal freedoms for the very thin illusion that they may be safer while flying.  But the sheer amount of inconvenience and humiliation that the TSA has heaped upon travelers is gathering more and more momentum for change as the public gets tired of it.  Which tells me that we might see some sort of incident or another in the near future that will re-instill fear of terrorists in the public.  Or is that too much cynicism and paranoia?  It is security theater after all.