June 29, 2005

My Tax Records at ChoicePoint?

In a characteristic move, the IRS has announced their data broker of choice, and shiver me timbers, if it isn't ChoicePoint. At least someone over there had the sense to take a second look at that doozy of a decision. I'm really, really, really hoping that my tax records stay out of the hands of ChoicePoint.

Posted by Ed at 02:08 PM

June 28, 2005

Scary stuff in the courts

Scarily enough, the Supreme Court ruled that, despite the name ('order'), restraining orders are more or less just guidelines that the police can choose to follow (or not) as they deem fit. In other words, if person A gets a restraining order against person B and the cops elect not to enforce it, there is no recourse for person A. In the particular case that decided this, a woman's ex-husband (against whom she had a restraining order) abducted her children, and the police (whom she called repeatedly) took no action for 10 hours until the ex-husband killed them all. The ex-wife informed the police where he was no less than four times, and showed up at the police station trying to get the police to take action (which they did not). The findings of the Supreme Court were that (to paraphrase) "the wheels of the law grind slow; they will not be rushed, they will not be threatened, and they have no accountability." Sounds OK unless you're the one being stalked/threatened/abused.

Thanks to Alan for passing this one my way.

Posted by Ed at 01:02 PM

June 27, 2005

Examples Galore

Remember when I said in my previous post (in reference to ChoicePoint) that there are folks watching? Well, unbeknownst to me, at that exact second, Adam Shostack was authoring his "two minutes of hate". In short, he lays down enough spicy content to keep the interested ChoicePoint follower in reading material for days. Now that's kismet.

Posted by Ed at 11:29 AM

"I ain't no ...... son of a Baich."

He's back! My favorite whipping boy, Richard "Dick" Baich is back with some commentary on the elite SWAT-team that is the ChoicePoint information security organization. Check out some of the choice commentary from everybody's favorite CISO:

(on why it's not a security breach) "It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year..."

Have I said recently how much I love this guy? I mean, credit card theft is not an IT issue? Where has this guy been?

(on whether their security is improved) "We are looking at our entire credentialing process, the entire business process and how it's being done." [So, does "looking at" mean that they've done anything, or just that there are people sitting around talking about it?] "We are looking at putting additional technologies in place and the way we do business with others." [Jeepers, all this looking, but where's the doing?] "We actually went down to an even better level by looking at the type of data they need." [He had me going there - I thought at first he was going to say they took action, but I guess there's just more looking.]

And the wisdom continues for a few more questions; typical Baich fodder for the most part. But you know what the punch line is? His book, "Winning as a CISO", was just released; in it he outlines his model for success in information security. Oh, I'm quite serious. Needless to say, that's on my summer reading list. Not.

Don't worry, Rich; I'm sure I and others like me will be there to remind folks about the salient facts. Like the fact that your company's spokeswoman said last week that promised data security improvements are overdue and not likely to see realization in the near future, or that to date the only action taken by ChoicePoint to increase data security was the one item specifically required by federal law (the public records report). Some people are watching.

Posted by Ed at 11:06 AM

June 24, 2005

One eye on CardSystems

Wow. Apparently CardSystems is talking a big game about the added security protection from the software installed by eEye. Not that I'm the hugest eEye fan (really, I'm not), but I really think this is an unhealthy setup for eEye; the way this is being spun in the press (and by CardSystems), it sounds like eEye is publicly going on record associating themselves with CardSystems' security improvements (not good), and it sounds in the RedHerring article like CardSystems is making SecureIIS out to be 1) a panacea and 2) the only security enhancement required over there (again, not good).

Posted by Ed at 05:05 PM

Televised Hijinx

Something tells me that if AT&T really is planning to broadcast an information security news channel, said channel will be less about streaming security news and more about keeping various hijinkery to a minimum. I mean, really - think about it; if you wanted to, could you think up a bigger target for misguided juvenile hacker shenanigans than 24-hour streaming infosec from AT&T?

Posted by Ed at 04:46 PM

June 23, 2005

Why are these top-10 lists so inane?

So, Information Week has published their (particularly choice) Top 10 Mobile Security Tips. Since there's a low content-to-bluster ratio, I'm going to distill the recommendations down for the ever-busy public at large.

As per Jim, for maximum utility, wireless users should:

1) Consider using Ethernet instead. If you have to use wireless, make sure you use SSL (or a VPN)
2) Use SSL (or a VPN)
3) Use SSL (or a VPN)
4) Use SSL (or a VPN, WEP, or WPA). Consider disabling the SSID
5) Talk quietly in public and turn down the brightness on your monitor (always sound advice)
6) Change passwords frequently
7) Never put sensitive data on your phone; lock your screen; try not to lose it.
8) Disable the Wi-Fi card when not in use
9) Buy AV software for your phone
10) Lock the screen when you go to the toidey.

OK - I'm off to disable my wireless card and lower the brightness on my monitor.

By the way, maybe you want to review another list of wireless tips that I think adds quite a bit more value.

Posted by Ed at 02:48 PM

Interesting CardSystems Development

Here's an interesting new tidbit: apparently, CardSystems had been certified to comply with the Payment Card Industry Data Security Standard (PCI). They were audited and found to be in compliance, yet were actually operating in a manner contrary to the regs. According to the PCI, these folks should be fined for non-compliance. So will they be?

CardSystems will be an interesting case study and will establish a precedent for the PCI in the future: will there be fines against CardSystems, setting a precedent of enforcement, or will there be no impact to CardSystems, setting the precedent that the PCI (like the CISP) is a paper tiger? So far, the (lack of) reaction from MasterCard has been pretty telling; maybe Visa will have something more to offer than MC's finger-wagging.

Posted by Ed at 10:36 AM

June 22, 2005

The Line Between FYI and FUD

Consider the Amir Herzberg Unprotected Login Hall of Shame. More specifically, this is the I-NFL (Inter-Net Fraud League) Hall of Shame, of which Amir Herzberg is "commissioner". However, as I can find no other references to the I-NFL other than this page (see Google), I'll just call it the "Amir list."

Anyway, here's my beef with this page. An interested party goes to this page, which has pictures of leading banking, payment, and commerce sites such as Amazon, PayPal, Chase, Bank of America, etc. under the heading "unprotected sites." Plus each site has in big red letters "this page is not protected" written across it (the output of the NetCraft tool). Pretty scary, right? This, coupled with the 24-pt heading "hall of shame" at the top of the page might lead one to infer (sarcasm intentional) that somehow the security of these sites is at issue. Oh my gosh! Time to panic, right? All these major sites! And they all have "shameful" security problems?!?! Holy *&%@!!!

Well, not so fast there buckarooney. Apparently, the "shame of being unprotected" that these sites bear has nothing to do with privacy of authentication data, authentication of the users, privacy of the account data, auditing features, security of facilities, backups, etc. In fact, the "shame" in question does not apply to anything that the majority of infosec practitioners or auditors would even consider a "security problem" per se. In point of fact, the "shameful" practice is that the login form is not served over SSL; note that the ID/password submission itself is still over SSL, it's just the preliminary form page that's not.

According to Dr. H and the nebulous "Internet Fraud League," phishing is facilitated by the lack of SSL on the user ID form submission page. This is true from a certain point of view (and props to a true academic for pointing it out), but I think it totally misses the point of site security, which is: there's more to a site's security than the logon form. CardSystems does not appear in the hall of shame, but Chase does. Which one would I trust with my account data nowadays? "Unprotected Login Hall of Shame" - maybe a qualifying adjective might help out there, Dr. H.

Posted by Ed at 01:54 PM

MasterCard Lays Down the Law

In a bold move, MasterCard lays down the law on CardSystems. And by "lay down the law", I mean they upped the ante from recommending they comply with security procedures to "putting them on notice" to comply. Um.... Is it me, or does that sound like the same thing to you? If the only ramification from MasterCard is finger wagging, it shouldn't be surprising that CardSystems would fail to take the regulations seriously. I'm concerned - this foolishness at CardSystems was the biggest loss of financial account data ever, and MasterCard's reaction was to "put them on notice"? What do you have to do before they take any stronger action?

In other news, CardSystems says not to worry about it, 'cause they've got everything under control over there. To paraphrase Bill Reeves (Chief Marketing Guru for CardSystems) in his "remediation" statement: "it's totally handled. Like, we fixed the problem already, and now our security is all good. And, like, we spent a whole month totally hunting down all the problems but it was worth it 'cause now they're all totally fixed. Nothing more to see here, thanks." Thanks, Bill. Personally, when I need a security opinion, the first person I look to is in the marketing department.

Give me a break, CardSystems saying it's "remediated" is a joke - take a look through Bill's marketing pablum and see if you can find the actual steps they took. Here are the steps as reported by Bill: 1) contact the FBI, 2) hire a 3rd party to "validate systems security", 3) kick off an assessment initiative. Read the news stories, Bill - the FBI contacted YOU - so take #1 off the list. #3 is something you should be doing already, but frankly it scares the crap out of me that you didn't have an assessment team before this crap hit the fan. And #2, while a decent marketing tool, really doesn't do much for the underlying problem - which is the fact that your business people are running fast and free without security or regulatory guidance.

So, where is CardSystems now? More or less in the same place they were before, except now marketing is on board telling the public not to worry about it. Want my opinion? First, assign somebody the role of knowing what the regulations are and involve them in business process decision making; make sure they sign off that they've reviewed every new business process. Assign them a staff to work with them. That should help with the "we didn't know it was against the rules" crap. Second, have a security team (just like 98% of the rest of financial services) and give them the charter to review the current business processes and applications - since apparently having a team of people "assess" the security of their business processes is a new concept at CardSystems, look to outside guidance like the FS/ISAC for help on how to set up a security organization.

Disturbing.

Posted by Ed at 09:00 AM

June 21, 2005

CardSystems Fallout Continues

According to the CardSystems CEO, as reported by Forbes, CardSystems was keeping the recently-stolen credit card information for "research purposes."

Does anybody else see anything wrong with this picture? More wrong beyond the exposed financial data, that is. Think about it - hypothetically speaking, if you were a payment processor, why would you want to keep account data if you're doing research? After all, your job as a processor is to watch all those transactions coming by and route them.

Here's the scary part: the only research activity that I can think of that is really facilitated by keeping the account data is tracking purchasing activity by cardholder. Seriously, think about it. As a processor, their job is to route the transaction; by the time a payment is at a processor, it consists only of: the merchant ID, a transaction amount, a customer account #, and some various approval/transaction codes from the various players along the way. What other possible research could they be doing?

It makes good business sense (what a great service for their merchants), it's easy for them to do (all they need to do is keep the account number) and it's scary as hell.

Posted by Ed at 09:31 AM

June 20, 2005

What, Me Worry?

40 million credit card numbers (with associated CVV's apparently) hit the streets via CardSystems; I recommend Adam's take on the incident for anyone who hasn't heard. In my opinion, it is the volume of this exposure that makes it significant and not anything intrinsic to the data itself.

I don't know about the rest of the world, but I'm starting to become thick-skinned and cynical about the repetitive mantra of disclosures coming from Wall Street, Delaware, etc. And to put the icing on the cake, consider the multiple recent Equifax disclosures - two batches in the past month. Think about what a criminal could do with a bunch of credit histories.

Why do we as consumers continue to just sit there and take it? Where are the lawyers? I bet a good class action lawsuit from the 40 million folks who lost their information because of CardSystems' negligence would wake somebody up. This is all data that CardSystems was not supposed to have stored in the first place - in fact, it directly violates the security rules of both Visa and MasterCard. I hope there are lawyers out there mulling over right now how to put CardSystems over the fire for this one.

Posted by Ed at 09:36 AM

June 17, 2005

Tools Proven in Court

This is a useful document that was sent around on the forensics list today. Basically, it describes what a forensics tool must do in order for it to be recognized in a court of law. This paper is very useful; thanks to Becky Nelson for sending it around.

Posted by Ed at 11:19 AM

June 15, 2005

Phishing Phoolishness

OK, you've all heard of phishing. New, and probably growing, is pharming, which seeks to use other means to send users to bogus websites. Quoting from the Register article's advice on how to mitigate the problem, this stands out: "Banking sites could adopt two-factor authentication as a comprehensive defence." And it's not just el reg saying this either: Microsoft is saying it along with pundits at RSA.

Here's the straight dope: identification of the user is not the problem. It's identification of the institution that is at issue. I won't go into the numerous ways that phishing is still possible even in a world of two-factor authentication - it would take too long to go through all the ways that it can still happen; suffice it to say that it is not only possible, but likely that phishing would still occur even in a world of ubiquitous two-factor user auth. In other words, phishing is about fooling the user into thinking that the rogue site is the real bank when it isn't, not about fooling the bank that the hacker is the real user when it isn't.

What we need, instead of more user authentication, is some authentication of the institution. And guess what? The current protocols in place for HTTPS support this already; it's already there, just not being used! Really, in order to support SSL, Bank of America has to get a cert from a (semi) reputable party that is stamped "BANK OF AMERICA" all over it. The problem isn't that the information isn't there, it's that today's browsers do not expose any of that information to the browser user - all the user sees is a lock icon. Divorced from all of the other associated data, the lock icon is binary - it's "secure" or it isn't. The question is: secure from what? If the lock icon is there, the session is secure from eavesdroppers but not necessarily secure from anything else (like impersonation). If the words "BANK OF AMERICA" appeared next to the lock icon (or even at the top of the browser window) for the legit BOA site and came up as "shady h4xx0r" (or whatever the bogus site's address/owner information is) for bogus sites, do you think people would be as susceptible to this crap? I don't.

So, in conclusion of this rant: more user auth vs. more site auth? I see it like protecting a house. If your house has a front door which you keep locked and a back door that you keep unlocked, and robbers keep coming in through the back door - is the answer to put another lock on the front door? Of course not. But that's analogous to what's being proposed here by the industry. It won't solve the problem.
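To make the point concrete that the institution's identity is already sitting in the certificate, here is an added example (mine, not anything from the original post or from any bank or browser vendor). It generates two self-signed certificates as constructed test data: one whose Subject carries O=BANK OF AMERICA for a placeholder host `bank.example`, and one for a placeholder host `bogus.example` with no organization at all, which is what a lookalike site can obtain on its own. `SiteIdentity` returns the text a browser could print beside the lock icon instead of the bare icon, and `HostMatches` shows that the bogus certificate never validates for the bank's host name. The host names, the helper names and the self-signed setup are all assumptions of this example; a real bank certificate is CA-issued but carries the same Subject fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeTestCert builds a self-signed certificate with the given organization
// and host name. This is constructed test data standing in for what a CA
// would issue; a real server certificate carries the same Subject fields.
func makeTestCert(org, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: host}
	if org != "" {
		subject.Organization = []string{org} // the O= field the post talks about
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SiteIdentity is the text a browser could show beside the lock icon.
// When the certificate names an organization, that is what the issuer
// vouched for; when it names none, the only thing verified is the host
// name, and the label says so instead of hiding it behind a bare lock.
func SiteIdentity(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) > 0 {
		return fmt.Sprintf("%s (%s)", cert.Subject.Organization[0], cert.Subject.CommonName)
	}
	return fmt.Sprintf("%s (no organization verified)", cert.Subject.CommonName)
}

// HostMatches reports whether the certificate was issued for the host the
// user actually typed. A lookalike site can get a lock icon for its own
// name, but not a certificate that validates for the real bank's host.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	bank, err := makeTestCert("BANK OF AMERICA", "bank.example") // constructed
	if err != nil {
		panic(err)
	}
	bogus, err := makeTestCert("", "bogus.example") // constructed, no O= field
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{bank, bogus} {
		fmt.Printf("lock icon label: %s; valid for bank.example: %v\n",
			SiteIdentity(c), HostMatches(c, "bank.example"))
	}
}
```

The two labels differ in exactly the way the post wants the user to see: the first names the organization the issuer checked, the second admits that nothing beyond a host name was checked. Extended Validation certificates later formalised roughly this distinction, but the underlying data has been in the Subject field since long before that.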

Posted by Ed at 12:52 PM

Britney, Queen of the Virus

According to Panda, Britney has been dubbed "Virus Queen" in the list of top 10 email-borne malware incidents. Kevin didn't make the list (but Michael Jackson did.)

Posted by Ed at 11:22 AM

June 10, 2005

Verisign to Acquire ICANN

For Immediate Release (This is obviously false, so don't sue me)

Mountain View, Calif. - June 8, 2005. Verisign Incorporated (Nasdaq: VSGN) today announced a definitive agreement to acquire the ICANN (Internet Corporation For Assigned Names and Numbers) in an all-stock transaction valued at approximately $1.4 billion.

The combination of Verisign and ICANN will ensure that all Internet users will experience the service quality, timeliness of data delivery, and uptime that they have come to expect from Verisign. Together, the two companies will meet a wider set of shareholder profitability needs by eliminating costly and inefficient consumer choice from the Internet equation.

"Our incorporation of ICANN under the Verisign umbrella will allow us to offer a whole new range of services to the typical Internet surfer," said Verisign CEO Stratton Sclavos. "Take, for example, our new SiteFinder 2.0 service. SiteFinder 2.0 will allow Verisign to insert advertising into non-Verisign related Internet content, track consumer Internet usage for resale to interested parties, and redirect traffic away from objectionable material (such as controversial or adult material) to 'safe' material (such as our website.) This is clearly a brilliant move on my part."

Said ICANN CEO Paul Twomey, "This move by Verisign is actually the cementing of a relationship that ICANN and Verisign have shared for some time. We're very excited about the move from Verisign puppet to Verisign subsidiary. I was starting to get worried about all the covering up."

Posted by Ed at 03:34 PM

June 09, 2005

Crank Yankers, Bill Clinton, and Digital Privacy

Everybody's heard about the now-infamous Paris Hilton Sidekick incident. It's been the subject of numerous Internet parodies, television hijinkery, and entertainment gossip. Apparently, in a similar incident, Jimmy Buffett's phone was stolen by a restaurant busboy and used to "crank yank" former president Bill Clinton.

So where am I going with this? Who cares, right? Everybody nowadays has a cell phone, PDA, sidekick, nomad, iPod, or some other easily-misplaced digital information appliance. We use them to store everything: pictures, phone numbers, music, plans to the death star, etc. One often-overlooked fact in all this is that these devices of today are more and more frequently starting to obviate the privacy measures of yesterday. In other words, Bill Clinton thought his number was unlisted and inaccessible to the casual prank caller; it was, and it would have stayed that way if it weren't for a lost cell phone half a hemisphere away.

There are three trends at work: 1) these unsecured devices are starting to carry more data and more types of data. 2) these devices are becoming more ubiquitous. 3) any data on these devices can be (as was the case with Paris' data) instantaneously shared amongst interested parties across the globe. I think, looking down the road, that privacy erosion is less about government "big brother" (as argued by Orwell) or the numerous corporate "little brothers" (although this is slightly more prevalent). After all, pro-privacy folks at least have a chance to fight back on those fronts. What scares me much more is the large array of personal "micro brothers" - the "Amway"-tization of privacy loss. By the time anybody notices, there will be no such thing as an "unlisted number", "private IM account", or anonymous email address; how can there be when all this data is stored in so many different places and can be instantly shared? Call me cynical, but I think it's only a matter of time; for the truth of this, just ask all the famous people who had to change their number as a result of Paris' hacked Sidekick account - or ask Bill Clinton for that matter. You can still find their phone numbers on Google.

Posted by Ed at 11:14 AM

June 08, 2005

Another Victory for DHS

Ah yes, what an impact 9/11 made on how our borders are protected.

Take, for example, the almost machine-like efficiency with which alleged multiple-murderer Gregory Despres was snatched by authorities. Sarcasm aside, is this what we've given up our civil liberties for? Give me a break. Patriot Act? Where's the "don't let the guy with an arsenal and a sack of human heads into the country" act? This guy arrived at the border wearing clothes soaked in human blood, carrying a hatchet, a sword, brass knuckles, and a chainsaw, and the DHS let him in. I'm sorry, but WTF!

Seriously, would you let "this guy" into the country:

Posted by Ed at 01:14 PM

June 07, 2005

Wisdom of the Shares

Software vendors, stand and take notice: stock prices have been demonstrated to dip subsequent to discovery of application vulnerabilities. Schneier points out via the Register's take that he'd like to see more long-term answers. I agree with that - there is more that we can do, but I think we as consumers of this can do more than crow about its limitations. Specifically, in my mind, this answers a question that we've had for a while now: does the public at large even notice software vulnerabilities? Apparently, it does.

Posted by Ed at 08:33 AM

June 06, 2005

Yet another non-starter

I'm in violent agreement with anybody, such as these researchers, who contends that C needs to go. However, I really question the idea of trying ONCE AGAIN to replace C with a hitherto unknown or unused language. How many times do we need to try this before folks in academia clue in that it won't work? Listen - if C++, Java, C#, Objective-C, C-, J++ or any of the millions of other languages derived from C haven't replaced it, why do we think "Ivy" will just because a few researchers at Berkeley say it's all the rage? And for those sticklers who say Java isn't derived from C: in questioning your assumption, I ask you to take a good hard look first at Java loops, arithmetic operators, and keywords; then compare those same artifacts to their cognates in a clearly non-C-inspired language like Fortran.

Anyway, I'm not getting on the "new language" boat. Nope - not anymore.

Posted by Ed at 09:02 AM

June 03, 2005

More Pain for BoA

Bank of America has a PR problem right now; there has been a stream of unrelated public data exposures in which BoA was right in the center. For example, the incident where the financial records of those 100,000 people were stolen, or any of the numerous other public theft incidents in the press recently. To see evidence of the "world of hurt" they are in, just do a Google search for "bank of america" and "fraud" or "theft." In current news, I get over 700 hits (just current news, mind you). Meaning, there are over 700 news articles currently discussing BoA's security problems. Painful.

Obviously, some serious PR needs to be done, and quickly; as such, BoA apparently seems to have decided to break the cardinal rule of FS Internet activity: namely, "thou shalt not distribute software to the customer." Over time, most banks/brokerages have found that distributing software to clients leads to astronomical costs in terms of help-desk activity. Well, BoA has decided to forge ahead with anti-phishing software distribution to clients. They are going to lose their shirts on this, but I guess they already know that. Everybody and their brother is going to be calling the helpdesk with everything from "now Word doesn't load" to "my digital camera doesn't work after I installed your software."

This software distribution thing is mostly PR if you ask me; BoA is probably losing enough business and getting enough heat from its customers that it is willing to ante up the ridiculous expense to get some people off its proverbial back. Just some of the complainants will be appeased by this; not all of them. The problem is that they've already inherited the bad rep; I prophesy that they will continue to lose business (millions) and continue to be the FS insecurity whipping boy and that there is nothing they can do about it. The bad press is already at critical mass - customers are leaving rather than coming - the articles have already been printed. It will be years before they can recover. All in all, I'm glad I'm not Bank of America right now.

Posted by Ed at 10:08 AM

DHS Progress in a Word: "Unacceptable"

Everybody knows someone who's been stopped in an airport for carrying something that DHS perceives as the next airplane hijacker weapon of choice; such obviously deadly implements as toothpicks, nail clippers, Bic lighters, or matches. And really, think about the damage that a terrorist could do to the human body with nail clippers... creepy.

Anyway, by now, most of us have likely made statements to the effect that DHS is "unacceptable" or "bogged down by the wrong priorities." I know I have. However, it's nice to see members of congress agreeing with that assessment in a public forum.

Posted by Ed at 09:35 AM