jump to navigation

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.
Tags: , , , , , , ,
1 comment so far

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, of Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.
Tags: , , , , ,
add a comment

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists  “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated?  Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?

 

 

 

All’s Fair in Love & (Cyber) War September 17, 2012

Posted by Heather Mark in cyberespionage.
Tags: , , , , , , ,
add a comment

A report released today suggests that the United States government is far more involved in the use of trojans and mal-ware than previously thought.  The US had previously been linked to the Stuxnetvirus that wreaked havoc on the Iranian nuclear program. Speculation at that point was that the US and Israel had collaborated on the program in an effort to derail Iranian nuclear ambitions.  I don’t think many were surprised to hear that supposition.  Today, though, Kapersky Lab and Symantec announced that they have found evidence linking the US to three other, previously unknown viruses.

The use of covert operations on “enemy” governments dates back to the beginning of the civilization, really.  Sun Tzu writes extensively about the subject and the use of “covert operatives” peppers Greek and Roman history, as well.  These historical endeavors share a common purpose with the cyber-espionage that we see today – to gather data, or to provide data, that can be used to bring about the downfall of one’s enemy, or at least provide a significant advantage to the other side. It shouldn’t come as any surprise, then, that any country would make use of the available technology to conduct remote espionage operations.

We know that other countries, China in particular, has a specific focus on launching attacks on Intellectual Property of Western companies.  A recent report in the Baltimore Sun highlights the countries singular focus on hiring cyber-soldiers (for lack of a better word): “Experts estimate that North Korea has as many as 1,000 cyber warfare agents working out of China and is recruiting more every day.”  When we know that our enemies are fully engaged in cyber-warfare tactics, it would be short-sighted and naive to believe that our government is not fighting back.

“Why does the FBI have your UDID (and 12.4 million more)?” FBI Laptop Hacked…1 million Apple IDS posted online September 4, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

*UPDATE* It was reported yesterday that the FBI laptop was not, in fact, the source of UUIDs that were hacked.  A company called Blue Toad revealed that it was the source of the stolen ids.  It’s not clear how the data was stolen from Blue Toad or what, if any relationship exists between the company and the laptop that was first identified as the source of the breach.***

According to NBC News, hackers associated with the anti-government group AntiSec have hacked an FBI Agent’s laptop and posted over 1 million Apple Unique Device Identification Number or UDIDs online.   The Apple UDID is used by Apple to determine what applications are running and to lock down the phones, IPads and computers from other applications.  Alone, they do not represent personally identifiable information but However, New Zealand-based security researcher Aldo Cortesi has shown that thanks to disregard of Apple’s security guidelines by iOS game and app developers, it’s possible to determine a user’s identity through an UDID alone.  According to the story:

“The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force. “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” the posting states. “During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.”

Why the FBI has such a list of over 12 million UDIDs is an interesting question. Why the list would be on a laptop is another interesting question. To check whether your iPhone, iPad or iPod Touch’s UDID might be among those affected, a Unix developer based in Florida has already posted a tool: http://kimosabe.net/test.html

“Cyber Espionage is Alive and Well”; Motorola Employee Sentenced in theft of IP August 30, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

According to a story in CIO, a former Motorola employee was sentenced to 4 years in prison for theft of trade secrets. For more information on the cyber espionage threat, you can read my  article: “The Rise of CyberEspionage” published in The Counter Terrorist Magazine.

Below is an excerpt of the CIO article.

“Hanjuan Jin, 41, a nine-year Motorola software engineer, conducted a “purposeful raid to steal technology,” U.S. District Judge Ruben Castillo said while imposing the sentence, according to a statement by the department.

The Judge did not however find her guilty of three counts of economic espionage for the benefit of China and its military, although he found by a preponderance of the evidence, that Jin “was willing to betray her naturalized country,” according to the department. Jin had earlier been convicted by the court of three counts of theft of trade secrets.

Judge Castillo’s order was not immediately available on the website of the U.S. District Court for the Northern District of Illinois, Eastern Division where Jin was on trial.

Jin, who is a naturalized U.S. citizen born in China, was stopped from traveling on a one-way ticket to China on Feb. 28, 2007 at O’Hare International Airport by U.S. customs officials who are said to have seized from her possession more than 1,000 electronic and paper documents from Motorola.”

Companies need to be vigilant and understand that the same techniques used to steal national secrets are being employed in US businesses.  While not exclusive to China, they certainly represent the greatest threat today.