Archive for the ‘General Security Issues’ Category

Credit Card Fraud: Why the Payment Card Industry (PCI) Fails Consumers

Wednesday, February 12th, 2014

A reporter asked me last week whether I think the PCI Standards have completely failed consumers and been proven useless — because of the recent breaches — and so should “Rest in Peace.” For those who don’t know, the PCI (Payment Card Industry) has a “Security Standards Council” that mandates security requirements for every company taking credit or debit cards in the U.S. (at least cards from all the major banks). In order to accept cards, a business must be “PCI compliant.”  The question is, how far do their standards go in terms of protecting us consumers? Some argue that PCI compliance is an unhelpful distraction.

(Image: ATM machine keypad) ATM with malware on it. Really!

But before we decide if their requirements are tough enough, let’s consider whether the rules are useful at all. This is an easier question to answer, because anyone in the security field prefers some security to no security. We tend to be in favor of anything that gets people thinking about it. We are also big fans of education, because people’s “security posture” (what they are doing about security as a consumer or a company) usually improves as they learn more about cybercrime and how challenged all of us in cybersecurity are to stop it.

When PCI standards were first implemented, they surely forced a lot of businesses to beef up their security. And that’s good, because too often security is neglected. Although it is essential, security is in competition with other business objectives, because it costs money and it doesn’t add profit. It only prevents loss, and that’s a pretty ambiguous benefit sometimes.

(more…)

Target breach update – how were HVAC passwords stolen?

Thursday, February 6th, 2014

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building management” systems and their treasured business networks. It makes sense to me that the building manager would want to have “heating and lights” right there under the same “pane of glass” as “inventory,” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more than we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen: (more…)

Has Target Done Enough?

Saturday, February 1st, 2014

My favorite analogy in security is the one which describes each internet defense as a slice of swiss cheese: they all have their holes (weaknesses).  The idea – if we want the best security – is to stack them all up on top of one another and hope the holes don’t line up.  Because if they do – meaning, if any of the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter – that represents the tunnel through which cybercriminals crawl into our home computer or business network.

What the average citizen may not realize is that in some ways he or she is no different than Target.  Cybercriminals are coming after all of us.  And based on the infection rates of personal computers and mobile devices, a large number of Target’s potential victims have been personally compromised at home already.  So what are customers in such a huff about?  (more…)

Solving the End User Problem

Saturday, September 7th, 2013

Every IT manager knows that poor behavior on the part of end users is the biggest challenge in cybersecurity.  The problem is primarily due to a lack of education – users don’t realize which of their actions (or inactions) put their companies at risk.  And it’s hard to blame them for what they don’t know: we security professionals haven’t made it easy for them.


I believe the second biggest problem in cybersecurity is something I began speaking about in April in my job with Kaspersky Lab.  I call it The Cybercrime Comprehension Gap.  For the average consumer, most available information is simply too complex.  Very often we speak and write in terms unique to our field, and the average employee’s curiosity is exhausted long before they can discern what is relevant to them.

  (more…)

Why We Should All Pay for Smartphone Apps

Saturday, August 24th, 2013

Suppose Josephine and Rick have built the most incredible smartphone application ever.  They offer it up to the market for a few dollars, and next thing we know they are millionaires.  Their customers not only love the app, but they also appreciate not being deluged by incessant banner ads or pop-ups.   Jo and Rick didn’t have to bring in on-line advertisers because their profit model was simple: sell the app itself to make money.   

 

But not all developers are as lucky.  Steve and Sue can’t get anyone to pay attention to their app, and darn, they spent all their money creating it.  So they will have to figure out another way to earn their money back.  The most popular way to do this is to get paid when users view ads.  Steve and Sue decide to make their app available for free, and advertisers pay Steve and Sue to place ads alongside the application.  These ads change dynamically just as they would at a (more…)

Zombies Attack Montana! (US Emergency Alert System Gets Hacked)

Tuesday, February 19th, 2013

Imagine their surprise: a week ago, while Montana residents were innocently engrossed in the show Teen Cheaters Take Lie Detector Tests, they were abruptly interrupted by a broadcast of the Emergency Alert System.  The station was muted as the following voice-over message was recited by a somber-sounding fellow:

“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

Meanwhile, a list of the affected counties scrolled across the screen.  Naturally, this worried a few folks.  Many called their local police. (more…)

Gordon Snow on Cybersecurity at Home

Sunday, December 23rd, 2012

I’m a military brat.  Most Americans are familiar with this term, because it is a common way we brats answer the question: “Where are you from?”  Every other answer takes too long.  You know, like explaining why being born in Italy doesn’t mean I’m Italian.  And we really don’t have enough time to talk about all the schools we went to.

According to Wikipedia, we are an entire sub-culture.  One component of this subculture is a company called USAA.  USAA is an organization which provides financial services, loans and banking to anyone associated with the military.  And in their eyes, once a brat, always a brat.  This turns out to be a good thing, because the children of service men and women have a lifetime right to use their services.

The Fall 2012 issue of USAA’s magazine features an interview with Gordon Snow.  He was formerly the FBI’s top cybercrime cop.  Naturally I was curious to read about his tips for keeping our families safe.

You can find the on-line article here, but they cut out a lot of the good stuff (nice reference to my employer though).  Here are my two favorite useful tips:

1.)  Go Long!  – Here’s a password quiz: which is a stronger password – the hard-to-remember: “H7%doss!” or the easier: “MyLazyDogRex” (note: this second one is also called a “passphrase”)?

Believe it or not, the short one will take a password cracker 6 hours to crack; the longer (but easier to remember) one will take 317 years.  (One caveat a practitioner would add: figures like these depend on the guess rate the calculator assumes and on the attacker trying every character combination.  A cracker that guesses whole dictionary words instead of single letters has far fewer candidates to try against “MyLazyDogRex,” so a passphrase built from common words earns its strength from length and word count, and from adding a word or two, rather than from looking random.)
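To make the comparison concrete, here is an added example (my own code, not from the interview or the original post) that sizes the search space of both passwords under two attacker models: plain brute force over the character alphabet, and a “combinator” attack that assumes the passphrase is a handful of dictionary words glued together. The guess rate and the dictionary size are assumptions chosen for illustration, not the figures behind the 6-hour / 317-year numbers above, which came from a calculator whose assumptions the article does not state.

```python
"""Rough password-strength estimates under two attacker models.

Added illustration, not the article's own method.  The guess rate and
dictionary size below are assumptions for the sake of the comparison.
"""
import string

# Character classes used to size the alphabet a brute-force attacker must cover.
_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)

ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: a GPU rig against a fast hash
ASSUMED_DICTIONARY_SIZE = 10_000    # assumption: common English words an attacker would try
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    return sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))


def brute_force_keyspace(password: str) -> int:
    """Candidates for an attacker enumerating every string of this length
    over the password's alphabet (the model most online calculators use)."""
    return alphabet_size(password) ** len(password)


def combinator_keyspace(word_count: int, dictionary_size: int,
                        case_variants: int = 2) -> int:
    """Candidates for an attacker who assumes the secret is word_count
    dictionary words, each either lower-case or Capitalised."""
    return (dictionary_size * case_variants) ** word_count


def split_words(passphrase: str) -> list:
    """Split a CamelCase passphrase such as MyLazyDogRex into its words."""
    words, current = [], ""
    for ch in passphrase:
        if ch.isupper() and current:
            words.append(current)
            current = ""
        current += ch
    if current:
        words.append(current)
    return words


def expected_years(keyspace: int,
                   guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(short: str, passphrase: str,
            dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> dict:
    """Keyspaces for the short password and for the passphrase under both models."""
    words = split_words(passphrase)
    return {
        "short_brute_force": brute_force_keyspace(short),
        "passphrase_brute_force": brute_force_keyspace(passphrase),
        "passphrase_combinator": combinator_keyspace(len(words), dictionary_size),
    }


if __name__ == "__main__":
    result = compare("H7%doss!", "MyLazyDogRex")
    for model, keyspace in result.items():
        print(f"{model:24s} {keyspace:.2e} candidates, "
              f"~{expected_years(keyspace):.3g} years at "
              f"{ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Run as a script, the brute-force model makes the passphrase tens of thousands of times stronger than “H7%doss!” (52^12 versus 94^8 candidates), but the combinator model shrinks that advantage to a factor in the tens, because four words from a 10,000-word list, each in two capitalisations, is only 20,000^4 candidates. The lesson is the one Gordon Snow is making, with the fine print attached: go long, and make “long” mean more words, not just more letters.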

(more…)

The real reason Mitt Romney released his tax returns – his accountants got hacked

Sunday, October 7th, 2012

I’m not saying that Wikipedia is the ultimate authority on all things, but let’s agree that at least it’s a fabulous starting point.  There’s obviously something powerful about “anonymous” collaboration.

Some of you may have heard about the allegation that a group of hackers successfully stole the Romneys’ tax returns, forcing them to release them.  Here’s how an “anonymous” editor sums it up on the Wikipedia profile of Price Waterhouse:

___________

Mitt & Ann Romney tax returns

On September 4, 2012,[64] an anonymous group of hackers claimed on Pastebin.com, a popular website for hacking groups such as Anonymous, to have gained access to PwC’s “network file system” at their Franklin, Tennessee office and copied documents relating to Republican presidential candidate Mitt Romney and his wife Ann’s tax returns before 2010, which the candidate has refused to release.[65] The group demanded that the company pay $1,000,000 USD in Bitcoin electronic cash. The group said that failure to meet their demands will result in the release of the material to “all major media outlets,” on September 28.[64]

____________

So is it just a huge coincidence that the Romneys released their returns on September 24th?  Allow me to add another data point: Today – October 7th, 2012 – Price Waterhouse posted over ten job openings on dice.com with titles like “Cybercrime Manager”.

(more…)

The Pitch for Paying Attention to Internet Safety

Sunday, September 30th, 2012

I’ve been busy this month giving webinars on cybercrime for my day job at Kaspersky.  Here’s a link to the latest one.  It is called “Top Cybercrime Threats 2012” and it also promised “10 tips to better internet security”.

But it could have been “Twenty Tips”.  Or even “Thirty”.  Because there are at least this many small things we could do to be more secure.  However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security.  So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.

Here are two fun facts I want to share:


*  in the year 2000, there were 316 million people on the internet worldwide

*  in the year 2011, there were 2.3 billion

Stunning change in just a decade, isn’t it?  Never have so many people become connected and enabled so fast.  And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down.  So how long will it be until 70% of the world is connected?

 

(more…)

The Holy Grail of Internet Security – finally, all our problems solved!

Monday, August 27th, 2012

Last week I was scouring the web and I came across a white paper on “security threats of 2011” which I hadn’t read yet.  It was a 56 page document written by a top security organization (we all publish these reports but each company has a different spin).

There on page 41 was the fix for all our security woes!    Sure it took me a while to get there, but well worth it don’t you think?  The answer was (drum roll, please): “Secure the network perimeter.”

This made me laugh!  Really?  I have to say that anyone who thinks there is a network perimeter anymore – meaning, a definable, non-permeable network perimeter – is either smoking crack or lost in a delusional Dilbert dream where IT guys rule. That would be the fantasy where IT actually gives us mobile/portable devices of their choosing along with a set of rules we actually follow.   Useful rules like, “don’t get infected.”  Ha-ha!

And the more I contemplate this idea, the more I think it was always a fantasy.  Back when I was working for NEC’s Corporate Capital group – ten years ago – my laptop went home with me every day.  I used it for everything – my (more…)