One of the more interesting conversations I found myself in was at the AusCERT Conference.  The Chatham House Rule was invoked, so I can’t say exactly who was involved, which is pretty convenient since I couldn’t remember the names or affiliations of half the people who were in the room at the time in any case.  A large number of the vendors at AusCERT got invited by representatives from the the Australian police forces to participate in open conversation and feedback.  This wasn’t simply a pretense to make vendors feel good, the LEO’s (Law Enforcement Officer) were genuinely interested in hearing from people who worked in the business.  The sad part is that after a break, only a few of the vendors came back for the second half of the conversation.  Not that I had any problems speaking my mind either half of the conversation.

The question that took up most of the time was “Australia is going to put our healthcare information online, how do we keep it safe?”  There were numerous suggestions, but the point that resonated with almost everyone was that the data was almost certainly already compromised and if it wasn’t, it would be soon.  This led to a few incredulous stares and the statement, “90% of businesses already admit to being compromised, the other 10% just won’t admit it or don’t know yet.”  Isn’t it uplifting when you get 20 or so vendors in a room and every one of them tells you you’re probably already compromised?  Several of the comments from the LEO’s gave me the impression that they had exactly the same opinion, even if they couldn’t admit it in any forum that contained people without the proper security clearances.

This conversation left me wondering.  How do we live in a world where we have to assume that if our data isn’t already compromised, it soon will be?  How do we make the data useful to the people who rely on it while denying value to the people who would want to steal it?  We know we can’t secure data forever, so can we give it a lifetime in some way and still continue to use it? 

One of the solutions I thought about was encryption.  We use it widely for the protection of credit cards, though perhaps not as widely as we really should.  It’s great for keeping data in motion secure if we’re using short lived keys and well known algorithms.  It’s relatively good for dealing with data at rest, at least as long as the keys are well maintained and everyone treats the data with due diligence.  Which is seldom the case, since most evidence points to compromises taking place in ways that easily circumvent encryption technologies.  The best encryption in the world doesn’t help much when legitimate user accounts are compromised.

We live in a world where our defenses don’t seem to be working and all data will be eventually compromised by someone.  We’re at a stage where we can’t pretend our static defenses will protect us from much except the pickers of low hanging fruit on the Internet.  Whether it’s a nation state actor, a chaotic actor or an out of work actor, someone wants our data; and they’re going to get it eventually, since we have so many holes in our protections.  Which means we have to change our way of securing the data to make it useless to anyone outside it’s intended audience.

I’m not even sure what making information lose it’s value outside of it’s intended audience would look like.  One idea is to make the information publicly available, which removes the value to an attacker, but that’s probably never going to be a viable option when dealing with healthcare information.  Rumors of technologies that will make data self-destruct when it’s removed from it’s proper environment is appealing, but I have yet to talk to anyone who’s actually given any such solution a walk through.  Hardware based solutions that rely upon encryption are slightly better than software, but then you have problems like vendor lock-in and longer life cycles for the technology, which really only help the vendor.

As usual, I don’t have an answer for this problem.  But I know that our data is leaking from where it’s stored every day and the leak may soon become a deluge.  Australia isn’t the only country that’s looking at putting their healthcare information online, and they need a solution that’s going to work as well for the big corporations as it does for the single doctor clinics in the Outback.  Any technology that can’t be operated by a doctor who’s willing to live hundreds of miles from the closest IT guy isn’t going to work.  And while the US might be a little different, I’m not sure we should look at the tech our doctors might use any differently.

If you have an answer to this problem, it might be the wave of the future.

Network Security Podcast, Episode 275, May 1, 2012

Time:  34:21

Show notes:

• RuggedCom Owes its Customers an Explanation
• Oracle scrambles to contain 0-day SNAFU
• The history of a -probably- 13 years old Oracle bug: TNS Poison
• ‘Stand Your Cyberground’ Law: A Novel Proposal for Digital Security
• Big Data’s Big Problem: Little Talent
• British ISPs Ordered to Block The Pirate Bay
• Tonight’s Music: Jet Lag Gemini with Run this City

When this podcast was first release, it was mistakenly seen by iTunes as the PDF of the DBIR as being the podcast.  Subsequent attempts to upload were similarly misidentified.  Here’s hoping that a remix of the podcast will be significantly different enough that it doesn’t try keying on the DBIR again

Network Security Podcast, Episode 272v2

Think on that for a while.  If it doesn’t scare you, it should.

Update:  Here’s the full text of Dan Geer’s talk at SOURCE Boston

Network Security Podcast, Episode 274, April 17, 2012

Time:  30:00 (Exactly, which may be a first)

Show notes:

• Internet Service Provider to put our privacy first
• CISPA is getting better, but still has a long way to go
• Kip Hawley finally admits the TSA is broken… and offers suggestions to fix it
• War games with China
• Tonight’s Music: Big Sandy with Big Fat Trouble

Let’s have some laws to promote information sharing. But let’s not give up our civil liberties and make our government into more of a surveillance state than it already is.

Update:  At the suggestion of a co-worker, I sat down and read the entirety of the CISPA bill, only to find it had changed significantly from when I’d first skimmed over it.  Several of the clauses that would have allowed the media companies to share information freely if they suspect piracy have been changed to clarify that it’s only if there is an attempt at network compromise that the CISPA sharing would be invoked.  Of course, that might not stop businesses from claiming they’re justified in sharing, which is a fairly likely event given previous experience with many media companies.  It also got a little worse in some ways, including the power infrastructure companies and limiting the liability of companies even more and making it nearly impossible to claim a violation, provided you can even find out there was one in the first place.  Techdirt has a good explanation of some of the changes.  There’s improvement, but not enough that we shouldn’t do everything we can to stop this law in it’s current form. 

Infographic designed by Lumin Consulting

…

Network Security Podcast, Episode 273, April 10, 2012

Time:  40:20

Show Notes:

• When the cops subpoena your Facebook information, here’s what Facebook sends the cops
• Hotel’s Free Wi-Fi Comes With Hidden Extras
• Executives Abroad May Get Owned Before They’re Off The Tarmac
• After killing SOPA, Internet activists take aim at a new House cybersecurity bill
• Mac malware thingy

As a follow up to last week’s episode, Martin was joined last week by Josh Corman to talk to Wade Baker about the 2012 Verizon Data Breach Investigation Report.  Wade talks to us about how the information for the report was gathered, some of the strengths and weaknesses of the analysis and finally how the amazing puzzle that is the front cover was concieved.  The episode is a little longer than normal, but worth the time.

Network Security Podcast, Episode 272, April 3, 2012
Time:  40:37

The relationship between customer, merchant, banks, card processors and the card brands is complex and not at all clear to the average consumer.  When a customer swipes their credit card or places an order online, the merchant passes that information on to their processor.  The processor is a company, such as Global Payments, that has been designated by the merchant’s bank to process payments on their behalf.  The processor sends the request to the card brands, who check the balance with the bank that issues the credit card and forward an approval or denial based on credit availability and fraud checks.  That approval is forwarded back to the merchant and the customer and the whole process only takes 2-3 seconds on the average day.  At the end of the day the merchant bundles the credit card requests and sends them to their bank, appropriately designated the merchant bank, who forwards the information through the card brands to the banks of the people who charged their cards that day.  The relationship is complex and my explanation doesn’t cover the many variations that can crop up, but it covers the basic idea.  For more information, there is a wiki page.

On of the most interesting aspects of this is that Visa has removed Global Payments from the list of compliant processors, a step that I don’t think has been taken for any breach since that of CardSystems in 2005.  CardSystems was the first major breach of the credit card flow to catch the public attention and it was very clear that de-listing was done to buoy consumer confidence.  But since then very few service providers of any stripe have had their listing pulled, which indicates there may be more going on behind the scenes than is being reported publicly.  Global Payments’ relative silence and the updates to the number of records compromised add to this impression.  Of course, no one expects any company to come clean immediately when faced with a compromise, but the degree to which this incident is causing lips to be sealed is interesting by itself.  Will Global Payments have to go through a similar process as CardSystems, basically selling themselves to prevent total collapse?

We’ve gotten to the point where we almost expect daily or weekly notifications from merchants stating they’ve been compromised.  But where merchants are not in the business of securely taking in credit card numbers, that’s exactly what processors and banks are supposed to be focusing on.  A merchant makes their money by selling products to consumers whereas a payment processor is selling the security of the transaction and any breach of that trust is a major issue.  The processors are also aggregation points for multiple merchants and many processors have millions of card transactions flowing through their systems on a daily basis.  As such, they know, beyond a shadow of a doubt, that they are being targeted by attackers and that their security is paramount to continuing to be in business.

I strongly suspect that what’s been disclosed so far is simply the tip of the iceberg.  If Global Payments was compromised for a month and a half, as currently stated, then a much higher number of card numbers than 1.5 million were most likely processed during that time.  Which means the compromise was either contained in some way with or without the awareness of Global Payments, or there is another shoe waiting to drop.  My money is on the latter.

Update:  I forgot to add that there was a brief outage of the Visa network on Saturday morning when they updated systems inside VisaNet.  Yeah, that can’t be at all related to the Global Payments breach, could it.

Since Rich is on the road this week, Martin and Zach are joined by none other than friend of the podcast, Josh Corman.  Which is not that surprising, since there’s only one story we’re talking about tonight, the latest Verizon Data Breach Investigation Report.  There’s a lot to talk about again in this year’s report, as well as a few things that left us scratching our head (cough *activists* cough).  Despite our minor criticism, the DBIR is once again a great report, though folks like Mandiant and Trustwave also turn out some pretty good reports as well. Oh, and as expected when Josh is on, we go a little long this week.

Network Security Podcast, Episode 271, March 27, 2011

Time:  46:35

Show Notes:

• 2012 Verizon DBIR – That’s the blog post, the report itself is available here.
• BeaCon 2012
• 0xBlood Ruffin and Hactivismo
• Source Boston 2012
• Cognitive Dissidents – Josh’s blog
• Tonight’s Music: Peace, Love and Don’t Trust MTV by TJR