
“Money Laundering May Support Drugs and Terror Funding?” – US Senate says of HSBC July 17, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management, terrorism.

A US Senate report issued today has been covered by major news outlets including MSNBC, which writes of Europe’s largest bank, HSBC: “A ‘pervasively polluted’ culture at HSBC allowed the bank to act as financier to clients moving shadowy funds from the world’s most dangerous and secretive corners, including Mexico, Iran, Saudi Arabia and Syria, according to a scathing U.S. Senate report issued on Monday.” The report, titled US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History, “…examines the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its U.S. affiliate to provide U.S. dollars, U.S. dollar services, and access to the U.S. financial system to high risk affiliates, high risk correspondent banks, and high risk clients.” The US enacted stronger anti-money laundering laws as part of the PATRIOT Act, passed in the wake of 9/11. These AML laws were designed to cut off the flow of money to terrorists. In the case of HSBC, it appears many of the rules were ignored, potentially allowing drug cartels and terrorists to move and launder money.

In a statement emailed to NBCNews.com, the bank said:

We will apologize, acknowledge these mistakes, answer for our actions and give our absolute commitment to fixing what went wrong. We believe that this case history will provide important lessons for the whole industry in seeking to prevent illicit actors entering the global financial system.

“123456, password, welcome” – Yahoo Password Posted Online July 12, 2012

Posted by Chris Mark in News, PCI DSS, Risk & Risk Management.

A story today on MSNBC says that Yahoo Voices was compromised and 450,000 usernames/passwords were posted online. Not surprisingly, the passwords were not hashed or otherwise protected using encryption. While the posting of passwords is nothing new, what is interesting is what the researchers found when looking at user-generated passwords. The most common passwords were ‘123456’ followed by ‘password’ and ‘welcome’. Fully 1/3 of the passwords used lower case letters only. Here is where I get on my soapbox. According to the story:

“Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.”

First, strong passwords would not have helped because YAHOO WAS STORING THEM IN CLEARTEXT!...and they were stolen! Second, the company should enforce strong passwords. While all users should use strong passwords, when dealing with 450K users it is prudent to understand that some users either will not understand what a strong password is or will simply ignore the directions. Yahoo should have forced strong passwords…
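
The two server-side controls argued for above, shown together as an added example (not part of the original post and not Yahoo's code): the policy from the quoted advice is enforced at registration, and only a salted hash is stored. The function names, the in-memory `db` dictionary and the choice of scrypt as the hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed deny list: the three most common passwords named in the story.
COMMON = {"123456", "password", "welcome"}

def policy_errors(password):
    """Return the reasons a password is rejected (empty list = accepted)."""
    errors = []
    if password.lower() in COMMON:
        errors.append("common password")
    if len(password) <= 8:
        errors.append("must be longer than eight characters")
    if not any(c.isupper() for c in password):
        errors.append("needs an upper-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("needs a number")
    if not any(c in string.punctuation for c in password):
        errors.append("needs a punctuation mark")
    return errors

def _scrypt(password, salt):
    # Memory-hard key derivation; parameters are illustrative assumptions.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def register(db, user, password):
    """Enforce the policy server-side, then store only salt + hash."""
    errors = policy_errors(password)
    if errors:
        return errors              # nothing is stored for a rejected password
    salt = os.urandom(16)          # per-user random salt
    db[user] = (salt, _scrypt(password, salt))
    return []

def verify(db, user, password):
    """Recompute the hash and compare in constant time."""
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(stored, _scrypt(password, salt))
```

A dump of `db` yields salts and hashes rather than the passwords themselves, and the weak choices never reach storage in the first place.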

“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.

Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS.  Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.

According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.

“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”

Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security number and Bank Account information may have been exposed, as well.

This situation exposes the danger of using a narrowly focused, static standard as a baseline of security management rather than adopting a risk-based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen firsthand the resources consumed by the standard. Companies often appear so laser focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.” As there are significant penalties associated with non-compliance, it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard. As such, companies are going to give precedence to the PCI DSS over any other standard that does not have equivalent penalties associated with non-compliance.

As a reminder, the PCI DSS is focused ONLY on protection of cardholder data. Surely some are going to say that the PCI should be applied across all systems, etc. This is great in theory but does not happen in practice. Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.

I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk based security management.

“I can neither confirm nor deny”; NSA + Google = Glomar Response May 12, 2012

Posted by Chris Mark in News, Risk & Risk Management, terrorism.

In a story on Foxnews it is revealed that a US Federal Appeals court has turned down a request under the Freedom of Information Act that would have forced the National Security Agency to disclose what, if any, relationship it has with Google and specifically a cyberattack against Google which originated in China.  According to the story: “The Electronic Privacy Information Center, which focuses on privacy and civil liberties, sought communications between Google and the NSA, which conducts worldwide electronic surveillance and protects the U.S. government from such spying. But the NSA refused to confirm or deny whether it had any relationship with Google. The NSA argued that doing so could make U.S. government information systems vulnerable to attack.”

Now for some history: in April 1968, the Soviet Union’s K129 nuclear submarine sank. Seeing an opportunity to get some intelligence, the US CIA’s Special Activities Division came up with a plan known as Project Azorian. Using Howard Hughes’ company as a front, they commissioned the Hughes Glomar Explorer. Hughes claimed the ship was designed to extract minerals from the ocean floor. The HGE was sent to pick up the remains of the submarine and return them to the US. When the project came to light and the US Government was asked about it, the response was: “I can neither confirm nor deny” the existence of such a project. Thus was born the Glomar Response or Glomar Denial…

“The Weakest Link”- Insider Foils Underwear Bomb Plot May 8, 2012

Posted by Chris Mark in Risk & Risk Management, terrorism, Uncategorized.

I have written extensively about the weakest link in any security program being the actual people responsible. While we understand this point from a “good guys” perspective, it is just as true for our adversaries. MSNBC reported today that the underwear bomber who was supposed to blow up a jetliner this month had been working for the US and our allies since day one and was a paid informant. As stated on MSNBC: “An insider who worked with the United States and an allied security service to thwart an al-Qaida bomb plot hatched in Yemen was the man picked to carry out the suicide attack on a U.S.-bound airliner, U.S. and Yemeni officials tell NBC News. An unidentified Yemeni government official, speaking on condition of anonymity, said the supposed suicide bomber was working for Western intelligence ‘from day one.’”

The interesting point of this story is that it does not matter whether we are talking about nuclear facilities, cybersecurity, or counterterrorism; the human element always plays a role and is always the most unpredictable. While the group that sent the man on his suicide mission clearly believed he was a ‘true believer’ willing to give his life for their cause, it appears that he had another agenda. This is the challenge with security. Trust but verify is a mantra that rings true in all aspects of security. Thank goodness the group that tried to blow up the airliner acted on faith and not solid security principles.
