Security Break Live
Security Break Live Blog

Passwords are evil!

April 7, 2009

It should be obvious just from the term “strong authentication” what the data security industry thinks of simple passwords. In fact, it’s hard to have much weaker security than just a password.

One of the biggest problems with passwords is that they can be shared. In fact, some of you may remember share-level security back in the days of Windows 3.x. This system required that everyone with access to the share know the password, which essentially meant that any user could make decisions about whom to give the password to – totally insecure.

When user-level security arrived on the scene (well, the Microsoft scene; most other OSes had had user-based security for ages), it was quickly adopted as a best practice, because it didn’t require the sharing of passwords.

And, for a decade and a half now, that’s where we’ve stayed. Passwords are not required to be shared, but they’re still fundamentally shareable, which is the attribute of passwords that all of the attacks in my previous posts exploit. Passwords are just something you know, which makes them easy to remember, write down, copy, share, lose, and so on.

If passwords were merely secrets, the situation would be better, but they’re not absolute secrets: you tell them to someone (or something) every time you log in. And there’s the problem. You can’t be sure you can trust the system you’re telling. You can’t be sure the system you’re telling is really the system you think it is. You can’t be sure you’re not being overheard, by a wide variety of means.

Once you’ve been overheard, it’s game-over. Bad Guy can just run around impersonating you to the systems until he gets caught, which could take a while. Meanwhile, generally, you can’t tell this is going on, so you have no way to stop it. Administrators will only notice if the access pattern looks suspicious for some reason.

This is why the industry has evolved again, this time from simple user-level authentication with passwords to strong (and, increasingly, mutual) authentication of security principals. The technologies in play are varied; different approaches are appropriate for different contexts, but the bottom line is the same: if you make it impossible to share (intentionally or not) authentication credentials, you have a dramatically more secure system.

Monster.com breached

February 24, 2009

In late January, our friends at Monster were victims of a data theft covering an unspecified (but large) number of users. Because Monster also provides the USAJobs.gov website, it was also subject to the attack.

The first question everyone wants to know is, of course, “How many accounts were compromised?” Unfortunately, Monster has not been forthcoming about the magnitude of the breach, which could be intentional, or more likely, because they don’t know themselves (much like the Heartland breach I wrote about earlier). That tells me that, in theory, it could have resulted in the compromise of every single account in Monster’s system, and in fact, that’s my guess as to what really happened. In any case, with no additional data, it’s certainly what I’m forced to assume.

This looks like a basic database theft, where the attacker managed to get access to the Monster user database and steal basic demographic data, such as names, e-mail addresses, and so on. Monster asserts that passwords and SSN’s were not stolen, but this is belied by the password-change requirement that Monster imposed on all users (all) only five days after the break-in. Another article states that passwords and SSN’s were not compromised because they were encrypted (although it doesn’t identify a source for this information).

Time for a quick technical digression about encrypted fields in databases. A lot of sites will advertise that their passwords or SSN’s are stored encrypted in their databases. This is usually technically incorrect; typically, they’re stored as a one-way cryptographic hash, often using MD5, although sometimes using SHA-1 or something more exotic. These algorithms are great for finding a checksum (like a fingerprint) of a block of text, such that if you change anything about the text, the checksum will change with it. It’s Very Hard to take a given checksum and find a block of text with that checksum, although of course (way) more than one block of input text can have the same checksum. However, a good hash function tends to limit these collisions as much as possible.

So, great: in theory, everyone’s password and SSN are MD5’d before being stored in the database. In actual practice, that doesn’t matter as much as you’d think. The reason is that you have to consider both the domain and the range of the function. Yes, the range (output) is very random-looking and is distributed over the whole 128-bit output space (or 160-bit, for SHA-1), but we know something special about the domain. For SSN’s, for example, it’s a number between 1 and 1,000,000,000. So, if you tried every single number, on average you’d have to try half of them before you found a match, meaning that the effective security of that “encryption” is the amount of time it takes your computer to do 500,000,000 MD5 sums. That is not that long any more.

You can guard against mass-cracking by salting your hashes. This is quite helpful, because the bad guy has to compute and store the checksum for (with a 32-bit salt) over 4 billion different versions of every possible SSN or password. Still, with SSN’s anyway, there are only a billion combinations (a little less than 2^30), each of which is a number that can be stored in 4 bytes (less, if you’re clever). You can think of it as a 62-bit key. There are some interesting combinations of pre-computed tables and on-the-fly processing that can yield some workable attacks even against keys this long.
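To make the domain-vs-range argument concrete, here is an added example (not code from the original post) that stores a constructed SSN as unsalted MD5, salted MD5 and a keyed HMAC, then shows how far plain enumeration of a reduced domain gets against each. DEMO_DOMAIN, store_keyed and the server-side key are assumptions made for the demo.

```python
import hashlib
import hmac
import math
import os
from typing import Callable, Optional


def effective_bits(domain_size: int, salt_bits: int = 0) -> float:
    """Security of a hashed field as the post models it: log2 of the input
    domain plus the salt width (about 30 bits for an SSN, 62 with a 32-bit salt)."""
    return math.log2(domain_size) + salt_bits


def store_md5(value: str, salt: bytes = b"") -> str:
    """What most 'encrypted' columns really hold: MD5(salt || value), as hex."""
    return hashlib.md5(salt + value.encode()).hexdigest()


def store_keyed(value: str, server_key: bytes) -> str:
    """Keyed alternative (assumed here): HMAC-SHA256 under a key kept outside the DB."""
    return hmac.new(server_key, value.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(stored: str, hash_fn: Callable[[str], str],
                           domain_size: int) -> Optional[str]:
    """Try every 9-digit value in the (deliberately small) domain and return the
    one whose hash equals the stored column, or None. Work is bounded by the
    domain size, not by the hash's 128-bit output."""
    for n in range(domain_size):
        candidate = f"{n:09d}"
        if hmac.compare_digest(hash_fn(candidate), stored):
            return candidate
    return None


# Constructed: restrict the demo to the last five digits (100,000 values) so it
# finishes in well under a second; the real domain is 10**9.
DEMO_DOMAIN = 100_000


def demo(ssn: str = "000042017") -> dict:
    """Constructed scenario: one SSN stored three ways, then attacked with only
    what a stolen database row would contain (the hash, plus the salt if any)."""
    salt = os.urandom(4)         # the 32-bit salt from the post, stored beside the hash
    server_key = os.urandom(32)  # never written to the database
    wrong_key = os.urandom(32)   # the best an attacker without the key can do: guess
    plain = store_md5(ssn)
    salted = store_md5(ssn, salt)
    keyed = store_keyed(ssn, server_key)
    return {
        # unsalted: one shared table covers every row in the database
        "unsalted": recover_by_enumeration(plain, store_md5, DEMO_DOMAIN),
        # salted: no shared table, but the salt is in the row, so a single
        # record still falls to one pass over the domain
        "salted": recover_by_enumeration(salted, lambda v: store_md5(v, salt), DEMO_DOMAIN),
        # keyed: a wrong key yields no match anywhere in the domain
        "keyed": recover_by_enumeration(keyed, lambda v: store_keyed(v, wrong_key), DEMO_DOMAIN),
    }
```

Salting stops one precomputed table from covering every row, as the post says; a secret that is not in the stolen database (or a deliberately slow hash) is what stops the 30-bit domain from being the attacker’s whole budget.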

All of a sudden, Monster’s warning that users change their passwords looks a little more serious. If the Bad Guys are 200 playstations away from being able to brute-force your password, you’re in trouble. Same goes double with your SSN: Monster already admitted to the theft of names, addresses, and dates of birth. That, plus a cracked SSN, is all the Bad Guy needs to get credit, or to do a variety of other nasty things.

But wait, there’s more! According to one stat I’ve heard, 41% of people use the same password on every website they use. Wow! Furthermore, I’d bet the number goes way up when you factor out the high-security sites like banks. Put another way, even if you’re in the other 59%, I’d bet a lot of people have the same password on Monster as on their e-mail account. And think about that for a second… where do you think all of those “I forgot my password” reset e-mails go? Yep, losing your e-mail account to a Bad Guy is just about as bad as it gets.

So, what do you do? For starters, quit using the password you used at Monster, forever. Change every password you have. Change all of your “secret” security questions and answers everywhere you can. And, of course, keep an eye on your bank accounts, credit card statements, and so on.

There are a couple of other things that can be done, as well. Websites that use two-factor authentication for login security are a big help, of course. You can also help mitigate the problem by using services like OpenID for login to sites that support it. That way, you only have to maintain your password in one place. And what’s more, if you use the right OpenID provider, you can get two-factor authentication for it. That leaves you in a particularly good position, at least for sites that accept OpenID.

And as for Monster… they saw fit to make everyone change their passwords (presumably because they could be compromised, as I described above), but they didn’t see fit to proactively notify users or buy ID theft protection for them, even though SSN’s are only 30 bits long, vs. your average 8-character password with at least one capital and one symbol, coincidentally also estimated to have 30 bits’ worth of entropy.

Fourth break-in in two years. Just sayin’.

How to lose 100M transactions a month to the Bad Guys

February 18, 2009

Over the last few years, there have been several high-profile data thefts resulting from Bad Guys stealing credit card numbers in bulk. There was CardSystems a couple of years ago, and of course, the 90+ million stolen numbers from TJX.

Well, on January 20th – during the President’s inauguration – Heartland Payment Systems announced what may be the largest loss of credit card information ever: 100 million transactions a month! It’s theoretically possible that more cards were compromised in one month’s time than in the entire three years that the TJX systems were being attacked. Over 220 banks have issued notices to cardholders that their cards were affected. And, of course, the predictable class-action lawsuits have been filed.

Details have been sketchy, but I’ve read a few snippets here and there that give me a good guess or two as to how this happened. But first, some background.

The payment card industry imposes on itself certain data security standards, called (creatively enough) the Payment Card Industry Data Security Standard, or PCI DSS. PCI lays down a number of requirements that must be followed by card issuers, processors, and the merchants that accept these cards. The standards require formal audits and certification, and having been through a few of them, I can tell you that they’re very specific as to what minimum level of security must be in place.

Among other things, the PCI DSS standards were designed to avoid precisely what happened at TJX, CardSystems, and now at Heartland: the mass loss of cardmember data.

So, what happened? Are PCI DSS standards useless? Well, the attack on Heartland worked because of an issue that the standards don’t address: the Bad Guys snooped on data as it was moving from one (presumably secure) system to the next. Data “in flight” is not required to be protected in any special way, as long as it’s moving within an organization between two secure systems. Furthermore, due to the way the payment card industry has evolved over the years, handing off data from one organization to another sometimes requires that there be no data encryption in place.

So, that’s the vulnerability in the standard that it appears the Bad Guys exploited. How’d they pull it off?

At this point, Heartland is being coy about the details, but they have said that they discovered an eavesdropping-style attack that had been going on for an unknown period of time. As in, this thing could have been there for months. The Bad Guys managed to find a way to tap into the data network inside Heartland at a point where the data was in the clear. Once they had the data in their hands, they simply needed a way to get it back into the Bad Guys’ hands. There are a number of possibilities here, including low-bandwidth uploads to a drop site on the internet, or even easier, uploads via a 3G cellular modem like a Verizon air card. Does this sound similar to the ATM skimmers I wrote about earlier? It should!

So, the only question left is how they got the data. Here, there are a couple of possibilities. The Bad Guys could have found a way to sneak a kind of program called a protocol analyzer onto a vulnerable system – or they could simply have used a built-in analyzer like tcpdump. Then, any captured data could simply be read from that analyzer and uploaded as described above. While the PCI DSS specs require some degree of binary checksumming (a way to make sure that the files on the computer haven’t changed), I’m not sure if Heartland would have detected new binaries. 
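The post notes that PCI-style binary checksumming may not flag a new binary. As an added example (not Heartland’s or the PCI standard’s own tooling), this snapshot/compare pair records the whole file set at baseline time, so an added program is reported alongside modified ones; the directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Recording the full file set, not only hashes of a fixed list, is what lets
    a later compare notice a file that did not exist at baseline time."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(base.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots into added, removed, modified."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline a small 'bin'
    tree, then alter one existing program and drop in a new, unknown one."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        (bindir / "ls").write_bytes(b"constructed: original ls")
        (bindir / "tcpdump").write_bytes(b"constructed: original tcpdump")
        baseline = snapshot(root)
        (bindir / "ls").write_bytes(b"constructed: replaced ls")        # modified
        (bindir / "analyzer").write_bytes(b"constructed: new program")  # added
        return compare(baseline, snapshot(root))
```

A checker that only re-hashes a fixed list of known paths would report the changed `ls` but stay silent about `analyzer`.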

The other possibility is using dedicated hardware to do the analysis. It could be as simple as one extra box on a rack, cabled into an analysis port on a switch – something that the Good Guys may never have noticed – or something even more elaborate, such as a passive RMON probe tap. Either way, we’re talking about ZERO specialized pieces of hardware; even the RMON probes can be built out of parts from your local MicroCenter.

A set-up like this might have gone undetected forever. In fact, it probably would have, had the Bad Guys been just a little bit more careful with the information they stole. You see, it turns out that Heartland was NOTIFIED that something bad was going on. A measurable uptick in fraudulent activity was noticed and reported to them months before their January 20 release. It took a specialist team – two of them, if you believe the press release – to take apart the network and find the bug. If the Bad Guys did their jobs right, this should be very very difficult to trace back.

What data was compromised? The Bad Guys got the information from the cards’ magnetic stripes. I wrote about mag stripe skimmers before, and all of the same considerations apply here. As to exactly what they got, it’s a virtual guarantee that the Bad Guys got card numbers and expiration dates. Some transactions likely included the Track 1 data from the card, which includes your name. Finally, there is room in the encoding for the card’s security code, although it’s not clear from reports whether that information was in the compromised data stream.

The most important question, though, is what to do about all of this nonsense. Start by assuming the worst – the Bad Guys have your name, your credit card number, expiration date, and maybe your card’s security code. This isn’t the end of the world in itself, but you DO have to take action to prevent this from causing you trouble down the line. While this is not specifically a major identity theft event, as it stands, it COULD impact your credit report if a Bad Guy uses your card without your knowledge. 

Furthermore, it’s the cardholder’s responsibility to monitor activity on each statement, and to report anything that looks suspicious. That could be easy if you use a program like Quicken to download and manually approve every transaction on every card you use – this is what I do – or it could be exceedingly difficult, to the point of futility, if you have lots of transactions on a card and get paper statements each month. The other danger scenario is if you have extra cards that you never use and therefore don’t monitor. Waiting too long to report fraudulent activity could cost you money.

Heartland declined to provide credit monitoring services to affected users. Partly, that’s because they probably can’t tell who has been affected, since they have no idea when the analyzer was installed. But whatever the case, I think they’re wrong: good credit monitoring services can let you know whenever a negative mark is made on your credit file. It can be much easier to address issues like this immediately, rather than waiting a couple of years and then wondering why your home mortgage application was rejected.

Of course, the best defense is to add a second factor of security to the card itself. Using a transaction confirmation system for risky or nonstandard transactions can go a long way toward preventing any credit problems.

Finally, if you ARE affected by this mess, you should have your bank issue new cards under new account numbers. In fact, you should consider replacing ALL of your cards, since it may be hard to tell which card you used at which merchant during which time period.

ATM Fraud in Broad Daylight

February 2, 2009

Before you hit play and watch this news story, just know that the Bad Guy didn’t even have to try as hard as he did. This crime is easier to commit than this news segment shows, and there are places a whole lot more vulnerable than an ATM vestibule in the middle of the day.

It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data, and are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM with your PIN, and disappears into the sunset. You’ll never see your money again.

Roll ’em:

Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.

The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine – or even genuine-looking – card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.

(Security Break: What value does the card’s 3 or 4 digit security code add?)

To make things worse, there are a wide variety of ways to get the magnetic stripe info off a card, and because of that, attacks like this continue to grow in popularity. Some easy ways:

  • Card skimmers on ATM’s, gas pumps, or even in shops – like in the video above, it only takes a few seconds to install a skimmer and an optional camera, and they can be extremely difficult to detect;
  • Waiters at restaurants get your physical card for long enough to copy it, with or without a magnetic stripe reader. They simply take the stolen information and either sell it online, or if they’re truly ambitious, they fabricate a copy card themselves with inexpensive, widely available equipment;
  • Browsers and websites can be compromised, or you could be phished – in which case, the Bad Guy gets everything you type and everything you see on your screen, including not only the information on the card, but also things like names, billing addresses, and whatever else you enter for the transaction.

(Security Break: What does signing the back of the card do?)

So, what can be done about this?

There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using known ATM machines and keeping an eye out for changes, etc. But just like passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.

So how would this work?

Transaction verification systems call you for approval (usually just pressing the # key) before dispensing the cash or completing the transaction, if the transaction looks suspicious.

I believe more and more banks will be implementing transaction verification systems for just this reason: It’s simple, and it works.

Getting a Break in the Case Against Computer Crime

January 30, 2009

It’s an us-against-them time in IT security. The more bad economic news I see, the more I understand the Bad Guy’s motive. Hacking, once a sport for the well-educated and well-off, is now a desperate measure for financial gain.

How many IT folks have been laid off in the last few months? How many are worried and anxious? How many are really angry on top of it? Attacks have never been more sinister because they’re conducted by really skilled people, sometimes with insider knowledge. Identity theft, man-in-the-middle attacks, malware gone mad – the list is endless, and attacks are growing in number, not just in intensity.

Keeping ahead of these threats keeps many of us up at night. So, this blog and the new Internet Talk Radio Show by the same name, will focus on breaking open cases of data theft, network intrusion, and other attacks on the systems and information we security guys strive to protect. Each post will focus on a specific threat – looking at how it was (or could be) perpetrated, and how to protect against it.

About my approach: I’ve been blogging on-and-off for several years now while working on a two-factor authentication solution that I believe to be an incredibly powerful tool in the fight against data and identity theft. So as I map out an approach to thwart each attack, I will focus on authentication technologies and issues where applicable. That doesn’t mean I’ll limit which cases I take on.

But two-factor authentication can do a lot, which is why I’ve continued to work with it, and I’m going to prove it. I love a good challenge. Here’s my two cents about two-factor authentication: Sometimes (incorrectly, IMO) called “strong authentication,” two-factor authentication requires items from two of the following three categories:

  • Something you know;
  • Something you have;
  • Something you are.

Given the expense and complexity associated with biometrics, that means that, practically speaking, two-factor means “something you know” and “something you have.”

There’s a catch, though. The “something you have” must really act like something you have, and not like “something you know”, or the security degrades to several-of-one-factor, which is generally not as strong.

An example of something you have is a cell phone. Here’s an example of something you think is something you have, but is really something you know: magnetic stripe cards, such as credit cards, ATM cards, lots of driver’s licenses, hotel room keys, door lock systems, time tracking systems, and whatever else has that little brown/silver/whatever stripe on the back of the card.

Magnetic stripe cards fool you: While they look like something you have, they act like something you know! What does it mean to “act like” something you know? Well, what are the characteristics of knowledge vs. tangible property?

  • You can write down or memorize “something you know”;
  • You can easily make a copy of “something you know”;
  • In particular, Bad Guys can copy “something you know” without your, um, knowledge.

Now, think again about the magnetic stripe card. While it may be hard for you to make a physical copy of an American Express card, that’s rarely the issue: There are a great many cases where the merchant doesn’t even see the card. (Ever wonder why photographs on credit cards didn’t take off?) Heck, at this point, most modern merchants never see the card at all, even in retail stores – Target, Costco, and most of the other places I shop fall into this category.

So, if the merchant doesn’t see the card, what is it interested in? That’s right, the information on the card – the stuff encoded in the magnetic stripe, the stuff you know. It is not something you have. Something you have can only be in one person’s possession at a time.

I used the all-too-popular, honestly scary magnetic stripe card for a reason. For our first case, we’ll look at a case of ATM fraud, how easy it was for a Bad Guy to siphon a checking account at a public ATM in broad daylight, and why PCI regulations won’t help at all. Stay tuned.

Let the investigation begin….
