A Deeper Dive: For the Cybersecurity Curious

Credit Card Fraud: Why the Payment Card Industry (PCI) Fails Consumers

02/12/2014

A reporter asked me last week whether I think the PCI Standards have completely failed consumers and been proven useless — because of the recent breaches — and so should “Rest in Peace.” For those who don’t know about the PCI (Payment Card Industry), it has a “Security Standards Council” that mandates security requirements for every company taking credit or debit cards in the U.S. (at least from all major banks). In order to accept cards, a business must be “PCI compliant.” The question is, how far do those standards go in protecting us consumers? Some argue that PCI compliance is an unhelpful distraction.

[Image: ATM machine keypad. Caption: ATM with malware on it. Really!]

But before we decide if their requirements are tough enough, let’s consider whether the rules are useful at all. This is an easier question to answer, because anyone in the security field prefers some security to no security. We tend to be in favor of anything that gets people thinking about it. We are also big fans of education, because people’s “security posture” (what they are doing about security as a consumer or a company) usually improves as they learn more about cybercrime and how hard it is for all of us in cybersecurity to stop it.

When PCI standards were first implemented, they surely forced a lot of businesses to beef up their security. And that’s good, because too often security is neglected. Although it is essential, security competes with other business objectives, because it costs money and doesn’t add profit. It only prevents loss, and that’s a pretty ambiguous benefit sometimes.


Internet Safety While Traveling – Deeper Dive

11/23/2013

A “man in the middle” or MIM attack is not particularly difficult to pull off, and it represents one of the biggest cyber security threats we face when we are traveling – or in fact, any time we consider using an unknown wireless network.

Here’s how it works: it’s rather easy to find software which will monitor or “sniff” network traffic. It’s even easier to set up a wireless network – for example, like many business travelers these days, I carry a portable wireless hub in my purse. If the intent is to trick other people into using it, all that’s left is giving it a name which sounds legit, like “Marriott SecureWifi”. These can even be set up as far as 15 miles away from the wifi area.

As people try to connect to the criminally controlled network, the cybercriminal allows them to do so (using the same password as the real network, or no password at all). Then the cybercriminal becomes the “man in the middle” (MIM). Sample scenario (there’s a more detailed example of a MIM in my book):
1. You ask for the gmail page in your browser and type in your gmail password.
2. The MIM intercepts your request and provides you a fake gmail login page (which looks pixel for pixel exactly like the legitimate one, including “https/gmail” in the browser, which indicates that it is securely linked to the gmail server).
3. The MIM sends your password to Google.
4. Google assumes it’s talking to you and opens your gmail.
5. The MIM passes the gmail page back to you and continues passing requests and information back and forth until your session is done.
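The evil-twin setup described above (a legit-sounding name, the real network’s password or none at all) leaves traces in an ordinary Wi-Fi scan. The following Python is an added example, not code from this post: it runs a few defensive checks over a constructed scan result (fake SSIDs and MAC addresses) against the one network name the venue has confirmed, flagging open access points that reuse a protected name, a name served by more than one hardware vendor, and look-alike names. The data class, function names and the 4-letter token heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str          # access point MAC address
    open_network: bool  # True when the AP asks for no password

# Constructed sample scan (not real data) at a hotel whose only legitimate
# network is "Marriott_Guest", which requires a password.
SAMPLE_SCAN = [
    ScanEntry("Marriott_Guest", "00:1a:2b:11:22:33", False),
    ScanEntry("Marriott_Guest", "00:1a:2b:11:22:34", False),    # second hotel AP, same vendor
    ScanEntry("Marriott SecureWifi", "a4:5e:60:aa:bb:cc", True),  # look-alike name, no password
    ScanEntry("Marriott_Guest", "f8:1a:67:de:ad:01", True),      # open clone of the real name
    ScanEntry("CoffeeShop", "c0:ff:ee:00:00:01", True),
]

def oui(bssid):
    """Vendor prefix (first three bytes) of a MAC address."""
    return bssid.lower()[:8]

def brand_tokens(ssid):
    """Alphabetic fragments of an SSID (4+ letters, lowercased) used for look-alike matching."""
    return {t for t in re.split(r"[^a-z]+", ssid.lower()) if len(t) >= 4}

def suspicious_hotspots(scan, known_ssids):
    """Map SSID -> reasons to distrust it. known_ssids are names the venue confirmed,
    all of which are assumed to require a password."""
    by_ssid = defaultdict(list)
    for entry in scan:
        by_ssid[entry.ssid].append(entry)
    known = set(known_ssids)
    known_tokens = set().union(*(brand_tokens(k) for k in known)) if known else set()
    findings = defaultdict(list)
    for ssid, entries in by_ssid.items():
        if ssid in known:
            if any(e.open_network for e in entries):
                findings[ssid].append("an open AP advertises a name that should require a password")
            if len({oui(e.bssid) for e in entries}) > 1:
                findings[ssid].append("the same name is served by more than one hardware vendor")
        elif brand_tokens(ssid) & known_tokens:
            findings[ssid].append("look-alike of a confirmed network name")
    return dict(findings)
```

Run `suspicious_hotspots(SAMPLE_SCAN, ["Marriott_Guest"])` to see both the open clone and the look-alike flagged while the unrelated coffee-shop network passes.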


Mobile Malware Update (and Juniper’s report)

09/09/2013

As a small part of my day job, I put together a monthly “Cybersecurity Digest”. Most of my subscribers are IT Managers in large organizations. I created the digest especially because I like efficiencies: if I’m going to fall asleep at night reading 45-page reports on cybercrime anyway, why not save IT Managers or small business owners some time by summarizing what I learned? Oftentimes, like when I was recently preparing to present details of the mobile virus Obad, I read five such reports. Some of them are virtually useless – overly generalized repetitions of data found elsewhere – whereas others have fresh data and new perspectives. In the excerpt below from my September Digest, I review Juniper’s Mobile Malware report.

Mobile Malware Update

The amount of mobile malware we’ve seen in the last year is approximately at the same point (200K – 300K samples) as Windows malware was back in 2006, which was the first year of cybercrime going completely crazy. Is mobile malware poised to explode as well?

The Mobile Malware Profit Model

The most successful profit model so far is sending or receiving premium SMS messages without the user’s knowledge. Currently this activity is heavily concentrated in China and Russia, two countries where premium SMS messaging is extremely popular. This is also where we see the majority of mobile malware botnets. One security company estimated the profitability of such a botnet. The net of it is

Solving the End User Problem

09/07/2013

Every IT manager knows that poor behavior on the part of end users is the biggest challenge in cybersecurity. The problem is primarily due to a lack of education – users don’t realize which of their actions (or inactions) put their companies at risk. And it’s hard to blame them for what they don’t know: we security professionals haven’t made it easy for them.


I believe the second biggest problem in cybersecurity is something I began speaking about in April in my job with Kaspersky Lab. I call it The Cybercrime Comprehension Gap. For the average consumer, most available information is simply too complex. Very often we speak and write in terms unique to our field, and the average employee’s curiosity is exhausted long before they can discern what is relevant to them.
