Nov 30th, 2012 by Jesper Kråkhede
PCI DSS is an interesting and demanding standard. Small retailers seldom have the time or resources to actually handle it correctly. This still doesn't mean that they are not a target. With large retailers becoming PCI DSS compliant, the crooks shift their focus to wherever it is easier to conduct a hack. In Australia half a million cards have been stolen from small retailers using only the simple remote desktop feature built into Windows (and almost all other operating systems). You can just imagine the fines those retailers are now facing for not taking security seriously.
Posted in Compliance
Nov 29th, 2012 by Jesper Kråkhede
The common user sometimes asks why people bother finding new vulnerabilities and creating Trojans. A number of years ago that was maybe a valid question, but today the answer is very easy: money. And there is a lot of money to be made in malware. A recent Java exploit was marketed for a five-digit amount. This means that any malware built on it must generate at least twice that amount for its user.
Looking at the risk analysis, you need to follow the advice of Deep Throat: follow the money. Do an asset valuation of your information, with an especially deep analysis of assets that have a value for someone else or that are very valuable for you from an availability perspective.
Posted in Methodology, Security Architecture
Oct 31st, 2012 by Jesper Kråkhede
Some months ago I wrote a post regarding You3, a model to classify risks with regard to the targeting profile. Looking at bank attacks today we see that they are a lot more targeted and that they remain undetected for a lot longer. The real question is: why are they harder to detect? The most obvious reason is of course that the number of samples is a lot smaller, but in a world where even a single attack should be identified this should not pose a problem. Still it does. The problem is that even if we classify the attacks according to You3 and map security mechanisms accordingly, we still rely on You Have-based monitoring tools and vendor updates. Whenever you identify a You Belong or You Are-type risk you need to think through how your defence mechanisms, including logging and analysis systems, should work to capture targeted attacks.
Posted in Security Architecture
Oct 30th, 2012 by Jesper Kråkhede
During the last years we have seen numerous scams where different scammers try to trick us into giving them money. If it isn't the "Microsoft Security Department" calling, it's a mover trying to get you to ship your table to the UK: whatever currently is the most successful scam. Ransomware has been a minor problem in the past, as it still has the same problem as kidnapping: collecting the money. However, one could expect new payment systems to arise that will solve this problem. This will mean that ransomware becomes a lot more aggressive and that we will soon see a lot more bullying. Backups become more and more important, and ransomware will have to be taken a lot more seriously as different kinds of malware will include a ransomware component.
Posted in Security Architecture
Sep 30th, 2012 by Jesper Kråkhede
I have been engaged in many IAM projects throughout my career, and one thing that is quite often lacking in the projects is the identity discussion. What is an identity for this organisation?
We need to look at two separate entities: what is needed for authentication and what is needed for usability.
The authentication should be the least possible needed to manage the security requirements. It is all very well and fun to use biometrics, smart cards, long passphrases etc., but in the end we should only implement as much as is needed for authentication. In some cases the identity is a photo ID showing a picture together with your age. In some other cases we could use a swipe identity, the ability to swipe open your smartphone. 🙂
As for usability, we need to add all those properties that are needed for your identity to integrate with all systems that are to use your identity for authentication, be it phone number, e-mail or biometrics.
At the end of the day, the identity and the authentication are the first and the last thing you encounter at work.
Posted in Security Architecture
Sep 30th, 2012 by Jesper Kråkhede
Interestingly enough, signed code and signed websites have been regarded as fairly safe to use for the common user. Whenever the green bar is visible, assuming that the page is valid has always been a safe bet. However, in South America a certificate issuer was hacked and a few pieces of malware were signed and released in the wild. With the hack in the Netherlands fresh in memory, one has to start questioning whether signing of code is really the way forward when even the sources of certificates can't protect themselves. Microsoft had a problem as well with certificates that were used in the malware attacking Iran.
Moving forward, I would suggest, for high security machines, removing all certificate chains except those that you have to rely on. This would mean that ordinary usage of the computer would be problematic, but in a high security context this would be mandatory, as attacks using signed code will target those environments.
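An added example (not code from this post) of the audit step behind that suggestion on a Windows host: it lists every trusted root in the machine and user root stores that is not on an explicit allowlist, so the extras can be reviewed and removed by hand. The thumbprints in $Allowed are placeholders, not values from the post.

```powershell
# Added example, not from the post: report trusted root certificates that are NOT on an
# explicit allowlist, across the machine-wide and per-user root stores.
# The thumbprints in $Allowed are placeholders; replace them with the SHA-1 thumbprints
# of the few roots this machine actually has to rely on.
$Allowed = @(
    'PLACEHOLDER-THUMBPRINT-OF-CORPORATE-ROOT-CA',
    'PLACEHOLDER-THUMBPRINT-OF-PAYMENT-GATEWAY-ROOT'
) | ForEach-Object { $_.ToUpperInvariant() }

# Root, AuthRoot (roots delivered by Windows) and the current user's own root store.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root')

$Report = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Allowed    = ($Allowed -contains $_.Thumbprint.ToUpperInvariant())
        }
    }
}

# Everything not on the allowlist is a candidate for removal on a high security host.
# Removal is left as a manual step (Remove-Item on the store path) after review.
$Unexpected = $Report | Where-Object { -not $_.Allowed }
$Unexpected | Sort-Object Store, Subject |
    Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

# Keep the full inventory so later runs can be diffed against this baseline.
$Report | Export-Csv -Path "$env:TEMP\root-store-baseline.csv" -NoTypeInformation
```

Windows can repopulate root stores automatically, so the audit should be re-run on a schedule and compared against the saved baseline.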
Posted in Security Architecture
Aug 21st, 2012 by Jesper Kråkhede
CSA is short for Child Sex Abuse, a terrible crime that has global attention nowadays. Sadly, those perpetrators exist everywhere at all levels of society. Most of them are only 'viewers' looking at CSA material, while a few produce the material. I will not get into a discussion of whether you want to have those people in your organisation or not, but merely point out a fact regarding security. A paedophile who has started to watch CSA material on the laptop has stepped over quite a few boundaries and become totally risk unaware. Such people have stopped caring whether they visit sites where the laptop gets infected by a virus, or what the risk is of starting to do file sharing using Direct Connect or torrents.
I work as a CSA investigator, and sadly I have seen many examples where CSA material is stored beside secret material from the office, confidential stock reports shared on Direct Connect, and a laptop so full of viruses and Trojans that I almost caught a cold touching it. These are otherwise high security areas of the organisations. So all work by the security staff was down the drain just because they didn't find the consumers of CSA material in time.
Posted in Business, Methodology
Aug 5th, 2012 by Jesper Kråkhede
You go on vacation to get some rest and relaxation. Still, being the curious individual that I am, I cannot just put my biggest hobby, security, on hold. Sitting at a restaurant I watched the crowd in a few stores and suddenly I saw something peculiar. When taking payments from every fourth client or so at one store, they used a scruffier-looking device, and all of those demanded a signature instead of a PIN. Having had a chat with a store owner, I knew that they only use PIN here on Mallorca, at least in the normal stores. After the meal I strolled over to the restaurant and picked up something to buy. I planned it so that my card would probably be the next to be skimmed. When it was my turn to pay, the salesperson took the old device and tried to take my card. I frankly told him that due to contracts I'm not allowed to let go of my card and asked to put it into the device myself. He was reluctant at first but gave me the device, and I tried to find the slot for the chip. A bit irritated, he told me that I needed to swipe my card instead. A bit amused, I examined the device, fumbling a bit for show, and found that the backside was opened and contained a WiFi device (a small antenna was visible). I decided not to swipe my card and cancelled my purchase (it would put my card at risk) ;-). The salesperson became very nervous but let me go.
For some reason the store was closed the following days. Could it be that my call to the local police actually had an effect? 🙂
Posted in Compliance
Jul 30th, 2012 by Jesper Kråkhede
One way of working with security architecture (SA) and compliance is to use SA as a way to understand the essence of compliance. A few months back I took the time to break down PCI DSS into a number of patterns. Just recently I picked out all PCI DSS requirements and mapped them to Open Security Architecture's library of controls, making it a lot easier for me to understand which security mechanism is needed to solve a PCI DSS requirement. My next task here is to do the same thing with ISO 27001.
Posted in Methodology, Security Architecture
Jul 17th, 2012 by Jesper Kråkhede
IT security has moved beyond computer hacking into the real world. Having read in the news about SCADA systems that make it possible to close the pumps protecting the Netherlands from water, or to reboot a heart pump machine remotely, makes you understand that computers are everywhere nowadays. About a year ago I took part in a project to create a security architecture for an unstealable car, using security architecture in general and Jericho 2.0 in particular. Even though it was a concept only, it would have prevented car thefts like the one described in a very interesting context. The biggest flaw is that, due to different regulations, car manufacturers have to allow open and unsecured access to the OBD codes. This opens up a variety of actions that in the end lead to cars being stolen. Read more about how a car is stolen here.
Posted in Security Architecture