March 13th: E-Mail Exposed!
March 1, 2009
Communication via e-mail is the lifeblood of any business today, as well as your personal life. Those of you who access e-mail remotely using Outlook Web Access or another web client, and particularly those of you who are responsible for securing these systems, BEWARE. Web-based e-mail systems are especially vulnerable. A simple phishing scheme targeting any of your co-workers or your e-mail contacts could be used to compromise the entire e-mail infrastructure, harvest e-mail addresses, and access sensitive information about your business, your customers, and your personal life.
What’s in your e-mail?
On Friday, March 13th, Security Break Live addresses many of the traps you may not know about, as well as some ways to protect your e-mail environment moving forward.
Steve will be joined by Wayne Rash, a veteran computer journalist for more than 30 years. Wayne was Executive Editor of the eWEEK Knowledge Center and Ziff Davis Events. Now he is the President of Wayne Rash & Associates, which houses a testing lab. He continues to write, specializing in enterprise technology and development.

How to lose 100M transactions a month to the Bad Guys
February 18, 2009
Over the last few years, there have been several high-profile data thefts resulting from Bad Guys stealing credit card numbers in bulk. There was CardSystems a couple of years ago, and of course, the 90+ million stolen numbers from TJX.
Well, on January 20th – during the President’s inauguration – Heartland Payment Systems announced what may be the largest loss of credit card information ever: 100 million transactions a month! It’s theoretically possible that more cards were compromised in one month’s time than in the entire three years that the TJX systems were being attacked. Over 220 banks have issued notices to cardholders that their cards were affected. And, of course, the predictable class-action lawsuits have been filed.
Details have been sketchy, but I’ve read a few snippets here and there that give me a good guess or two as to how this happened. But first, some background.
The payment card industry imposes on itself certain data security standards, called (creatively enough) the Payment Card Industry Data Security Standard, or PCI DSS. PCI lays down a number of requirements that must be followed by card issuers, processors, and the merchants that accept these cards. The standards require formal audits and certification, and having been through a few of them, I can tell you that they’re very specific as to what minimum level of security must be in place.
Among other things, the PCI DSS standards were designed to avoid precisely what happened at TJX, CardSystems, and now at Heartland: the mass loss of cardmember data.
So, what happened? Are PCI DSS standards useless? Well, the attack on Heartland worked because of an issue that the standards don’t address: the Bad Guys snooped on data as it was moving from one (presumably secure) system to the next. Data “in flight” is not required to be protected in any special way, as long as it’s moving within an organization between two secure systems. Furthermore, due to the way the payment card industry has evolved over the years, handing off data from one organization to another sometimes requires that there be no data encryption in place.
So, that’s the vulnerability in the standard that it appears the Bad Guys exploited. How’d they pull it off?
At this point, Heartland is being coy about the details, but they have said that they discovered an eavesdropping-style attack that had been going on for an unknown period of time. As in, this thing could have been there for months. The Bad Guys managed to find a way to tap into the data network inside Heartland at a point where the data was in the clear. Once they had the data in their hands, they simply needed a way to get it back into the Bad Guys’ hands. There are a number of possibilities here, including low-bandwidth uploads to a drop site on the internet, or even easier, uploads via a 3G cellular modem like a Verizon air card. Does this sound similar to the ATM skimmers I wrote about earlier? It should!
So, the only question left is how they got the data. Here, there are a couple of possibilities. The Bad Guys could have found a way to sneak a kind of program called a protocol analyzer onto a vulnerable system – or they could simply have used a built-in analyzer like tcpdump. Then, any captured data could simply be read from that analyzer and uploaded as described above. While the PCI DSS specs require some degree of binary checksumming (a way to make sure that the files on the computer haven’t changed), I’m not sure if Heartland would have detected new binaries.
The other possibility is using dedicated hardware to do the analysis. It could be as simple as one extra box on a rack, cabled into an analysis port on a switch – something that the Good Guys may never have noticed – or something even more elaborate, such as a passive RMON probe tap. Either way, we’re talking about ZERO specialized pieces of hardware; even the RMON probes can be built out of parts from your local MicroCenter.
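The post mentions the “binary checksumming” that PCI DSS asks for and wonders whether a new capture binary would have been noticed. The following is an added example (not Heartland’s tooling or anything from the original post) of the minimum such a check has to do: take a baseline of digests for the binaries on a host, then report anything added, removed or altered. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest.

    Symlinks are skipped so a link pointing outside the tree can't smuggle a file in.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[str(path.relative_to(root))] = hash_file(path)
    return baseline


def compare_to_baseline(root, baseline):
    """Return the files that appeared, disappeared or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a stand-in for a system bin directory, then
    alter one binary, delete one, and drop in a new file nobody authorised."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd").write_bytes(b"placeholder sshd binary")
        (root / "tcpdump").write_bytes(b"placeholder tcpdump binary")
        (root / "oldprobe").write_bytes(b"placeholder retired tool")
        baseline = build_baseline(root)

        # Changes of the kind the post describes (constructed bytes, not real software):
        (root / "tcpdump").write_bytes(b"placeholder tcpdump binary, altered")
        (root / "snoop").write_bytes(b"placeholder new capture tool")
        (root / "oldprobe").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two things the post implies but the code cannot fix on its own: the baseline has to live somewhere the monitored host cannot rewrite (a read-only store or a signed file kept off the box), and a check like this only sees software. A hardware tap on a switch’s analysis port, the post’s other scenario, never touches the filesystem, so it has to be found from the switch configuration and a physical inventory instead.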
A set-up like this might have gone undetected forever. In fact, it probably would have, had the Bad Guys been just a little bit more careful with the information they stole. You see, it turns out that Heartland was NOTIFIED that something bad was going on. A measurable uptick in fraudulent activity was noticed and reported to them months before their January 20 release. It took a specialist team – two of them, if you believe the press release – to take apart the network and find the bug. If the Bad Guys did their jobs right, this should be very very difficult to trace back.
What data was compromised? The Bad Guys got the information from the cards’ magnetic stripes. I wrote about mag stripe skimmers before, and all of the same considerations apply here. As to exactly what they got, it’s a virtual guarantee that the Bad Guys got card numbers and expiration dates. Some transactions likely included the Track 1 data from the card, which includes your name. Finally, there is room in the encoding for the card’s security code, although it’s not clear from reports whether that information was in the compromised data stream.
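To make the “data in flight” point concrete, here is an added example (mine, not from the post or from any processor’s systems) of the check a defender can run against traffic on an internal link: find magnetic-stripe track data in a decoded capture, report which of the fields the post lists are exposed, and produce a masked copy that is safe to put in an alert. The track layouts follow the public ISO 7813 format; the sample “capture” line, the cardholder name and the dates are constructed, and 4111111111111111 is a well-known test number rather than a real account.

```python
import re

# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan):
    """Luhn check-digit test; separates real PANs from other runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, the form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(payload):
    """Find track data in a decoded capture and report which sensitive fields it exposes."""
    findings = []
    for m in TRACK1.finditer(payload):
        pan, name, expiry, service, discretionary = m.groups()
        findings.append({"track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "luhn_ok": luhn_ok(pan), "name": name, "expiry": expiry,
                         "service_code": service, "has_discretionary": bool(discretionary)})
    for m in TRACK2.finditer(payload):
        pan, expiry, service, discretionary = m.groups()
        findings.append({"track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "luhn_ok": luhn_ok(pan), "name": None, "expiry": expiry,
                         "service_code": service, "has_discretionary": bool(discretionary)})
    findings.sort(key=lambda f: f["offset"])
    return findings


def redact(payload):
    """Return the payload with every track PAN masked, safe to write to a log or alert."""
    def _mask(m):
        return m.group(0).replace(m.group(1), mask_pan(m.group(1)), 1)
    return TRACK2.sub(_mask, TRACK1.sub(_mask, payload))


# Constructed sample of an in-the-clear authorization leg (not a real capture).
SAMPLE = ("POS-7 AUTH REQ 2009-01-20T09:14:05 "
          "%B4111111111111111^DOE/JANE^26051011234500000000? "
          ";4111111111111111=26051011234500000000? AMT=004299")


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```

Run against a feed from a monitoring port the defenders control, a single hit is the evidence that the unencrypted hop the post describes exists on that link. Note what the scanner can and cannot say: Track 1 carries the name, both tracks carry the number and expiration date, and the discretionary field is only reported as present or absent, because the scanner has no way to tell whether a security code is among those digits, which is exactly the uncertainty the post leaves open.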
The most important question, though, is what to do about all of this nonsense. Start by assuming the worst – the Bad Guys have your name, your credit card number, expiration date, and maybe your card’s security code. This isn’t the end of the world in itself, but you DO have to take action to prevent this from causing you trouble down the line. While this is not specifically a major identity theft event, as it stands, it COULD impact your credit report if a Bad Guy uses your card without your knowledge.
Furthermore, it’s the cardholder’s responsibility to monitor activity on each statement, and to report anything that looks suspicious. That could be easy if you use a program like Quicken to download and manually approve every transaction on every card you use – this is what I do – or it could be exceedingly difficult, to the point of futility, if you have lots of transactions on a card and get paper statements each month. The other danger scenario is if you have extra cards that you never use and therefore don’t monitor. Waiting too long to report fraudulent activity could cost you money.
Heartland declined to provide credit monitoring services to affected users. Partly, that’s because they probably can’t tell who has been affected, since they have no idea when the analyzer was installed. But whatever the case, I think they’re wrong: good credit monitoring services can let you know whenever a negative mark is made on your credit file. It can be much easier to address issues like this immediately, rather than waiting a couple of years and then wondering why your home mortgage application was rejected.
Of course, the best defense is to add a second factor of security to the card itself. Using a transaction confirmation system for risky or nonstandard transactions can go a long way toward preventing any credit problems.
Finally, if you ARE affected by this mess, you should have your bank issue new cards under new account numbers. In fact, you should consider replacing ALL of your cards, since it may be hard to tell which card you used at which merchant during which time period.
Feb 27th: Implications of the Monster.com Breach
February 13, 2009
Looking for a job? Know someone else who is? As if the terrible economy weren’t enough stress, looking for a job today could compromise your personal data and expose you to identity theft. Learn how to protect yourself while getting your name out to employers. On Friday, February 27th SecurityBreakLive! will take on the enormous security breach case at Monster.com, one of the largest breaches of personal data in history. Joining host Steve Dispensa will be guest co-host Elinor Mills, senior writer at CNET News whose beat is security.
ATM Fraud in Broad Daylight
February 2, 2009
Before you hit play and watch this news story, just know that the Bad Guy didn’t even have to try as hard as he did. This crime is easier to commit than this news segment shows, and there are places a whole lot more vulnerable than an ATM vestibule in the middle of the day.
It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data, and are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM with your PIN, and disappears into the sunset. You’ll never see your money again.
Roll ‘em:
Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.
The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine — or even genuine-looking — card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.
(Security Break: What value does the card’s 3 or 4 digit security code add?)
To make things worse, there are a wide variety of ways to get the magnetic stripe info off a card, and because of that, attacks like this continue to grow in popularity. Some easy ways:
- Card skimmers on ATM’s, gas pumps, or even in shops – like in the video above, it only takes a few seconds to install a skimmer and an optional camera, and they can be extremely difficult to detect;
- Waiters at restaurants get your physical card for long enough to copy it, with or without a magnetic stripe reader. They simply take the stolen information and either sell it online, or if they’re truly ambitious, they fabricate a copy card themselves with inexpensive, widely available equipment;
- Browsers and websites can be compromised, or you could be phished – in which case, the Bad Guy gets everything you type and everything you see on your screen, including not only the information on the card, but also things like names, billing addresses, and whatever else you enter for the transaction.
(Security Break: What does signing the back of the card do?)
So, what can be done about this?
There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using known ATM machines and keeping an eye out for changes, etc. But just like passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.
So how would this work?
Transaction verification systems call you for approval (usually just pressing the # key) before dispensing the cash or completing the transaction, if the transaction looks suspicious.
I believe more and more banks will be implementing transaction verification systems for just this reason: It’s simple, and it works.
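An added example of how a transaction verification system of the kind described above can be wired up; it is my illustration, not Steve’s product or any bank’s implementation. The risk rules (an amount far above the cardholder’s average, travel speed that is not physically possible since the last transaction, a merchant or ATM never used before), the thresholds, and the purchase history are all assumptions constructed for the demo. The `confirm` callable stands in for the phone call where the cardholder presses `#`; in a real deployment that call goes to the phone, which is the “something you have” a copied magnetic stripe does not give the Bad Guy.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transaction:
    amount: float        # dollars
    merchant: str        # merchant or ATM identifier
    lat: float
    lon: float
    when: datetime


def distance_km(a, b):
    """Great-circle distance between the locations of two transactions (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_reasons(txn, history, amount_multiple=3.0, max_speed_kmh=800.0):
    """Rules that make a transaction 'look suspicious'. Assumed thresholds, not any bank's."""
    reasons = []
    if history:
        average = sum(t.amount for t in history) / len(history)
        if txn.amount > amount_multiple * average:
            reasons.append("amount_outlier")
        last = history[-1]
        # Floor at one minute so two transactions in the same second don't divide by zero.
        hours = max((txn.when - last.when).total_seconds() / 3600.0, 1.0 / 60.0)
        if distance_km(last, txn) / hours > max_speed_kmh:
            reasons.append("impossible_travel")
    if txn.merchant not in {t.merchant for t in history}:
        reasons.append("new_merchant")
    return reasons


def authorize(txn, history, confirm, min_reasons=2):
    """Approve outright, or hold the transaction and ask the phone for a '#' first."""
    reasons = risk_reasons(txn, history)
    if len(reasons) < min_reasons:
        return "approved", reasons
    if confirm(txn):
        return "approved_after_confirmation", reasons
    return "declined", reasons


# Constructed history: a week of small purchases at two known merchants in one city.
HOME = (39.10, -94.58)
HISTORY = [
    Transaction(18.50, "CORNER CAFE", *HOME, datetime(2009, 1, 12, 12, 5)),
    Transaction(24.00, "GROCER 12", *HOME, datetime(2009, 1, 13, 18, 40)),
    Transaction(21.25, "CORNER CAFE", *HOME, datetime(2009, 1, 14, 12, 10)),
    Transaction(19.75, "CORNER CAFE", *HOME, datetime(2009, 1, 15, 12, 2)),
]

# The copied-card scenario from the post: a large cash withdrawal at an ATM more than
# 600 km away, thirty minutes after the last legitimate purchase (constructed).
CLONED_WITHDRAWAL = Transaction(500.00, "ATM 88417", 41.88, -87.63,
                                datetime(2009, 1, 15, 12, 32))
# An ordinary lunch an hour later at a merchant already in the history.
LOCAL_LUNCH = Transaction(22.00, "CORNER CAFE", *HOME, datetime(2009, 1, 15, 13, 2))


if __name__ == "__main__":
    print(authorize(LOCAL_LUNCH, HISTORY, confirm=lambda t: True))
    print(authorize(CLONED_WITHDRAWAL, HISTORY, confirm=lambda t: False))
```

The ordinary lunch trips no rule and is approved without bothering the cardholder; the withdrawal trips all three, so the cash is held until the phone says yes. Requiring two reasons rather than one keeps the call volume down, which matters because a system that calls about every coffee gets its prompts approved by reflex.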
Getting a Break in the Case Against Computer Crime
January 30, 2009
It’s an us-against-them time in IT security. The more bad economic news I see, the more I understand the Bad Guy’s motive. Hacking, once a sport for the well-educated and well-off, is now a desperate measure for financial gain.
How many IT folks have been laid off in the last few months? How many are worried and anxious? How many are really angry on top of it? Attacks have never been more sinister because they’re conducted by really skilled people, sometimes with insider knowledge. Identity theft, man-in-the-middle attacks, malware gone mad – the list is endless, and attacks are growing in number, not just in intensity.
Keeping ahead of these threats keeps many of us up at night. So, this blog and the new Internet Talk Radio Show by the same name, will focus on breaking open cases of data theft, network intrusion, and other attacks on the systems and information us security guys strive to protect. Each post will focus on a specific threat – looking at how it was (or could be) perpetrated, and how to protect against it.
About my approach: I’ve been blogging on-and-off for several years now while working on a two-factor authentication solution that I believe to be an incredibly powerful tool in the fight against data and identity theft. So as I map out an approach to thwart each attack, I will focus on authentication technologies and issues where applicable. That doesn’t mean I’ll limit which cases I take on.
But two-factor authentication can do a lot, which is why I’ve continued to work with it, and I’m going to prove it. I love a good challenge. Here’s my two cents about two-factor authentication: Sometimes (incorrectly, IMO) called “strong authentication,” two-factor authentication requires items from two of the following three categories:
- Something you know;
- Something you have;
- Something you are.
Given the expense and complexity associated with biometrics, that means that, practically speaking, two-factor means “something you know” and “something you have.”
There’s a catch, though. The “something you have” must really act like something you have, and not like “something you know”, or the security degrades to several-of-one-factor, which is generally not as strong.
An example of something you have is a cell phone. Here’s an example of something you think is something you have, but is really something you know: magnetic stripe cards, such as credit cards, ATM cards, lots of driver’s licenses, hotel room keys, door lock systems, time tracking systems, and whatever else has that little brown/silver/whatever stripe on the back of the card.
Magnetic stripe cards fool you: While they look like something you have, they act like something you know! What does it mean to “act like” something you know? Well, what are the characteristics of knowledge vs. tangible property?
- You can write down or memorize “something you know”;
- You can easily make a copy of “something you know”;
- In particular, Bad Guys can copy “something you know” without your, um, knowledge.
Now, think again about the magnetic stripe card. While it may be hard for you to make a physical copy of an American Express card, that’s rarely the issue: There are a great many cases where the merchant doesn’t even see the card. (Ever wonder why photographs on credit cards didn’t take off?) Heck, at this point, most modern merchants never see the card at all, even in retail stores: Target, Costco, and most of the other places I shop fall into this category.
So, if the merchant doesn’t see the card, what is it interested in? That’s right, the information on the card: the stuff encoded in the magnetic stripe, the stuff you know. It is not something you have. Something you have can only be in one person’s possession at a time.
I used the all-too-popular, honestly scary magnetic stripe card for a reason. For our first case, we’ll look at a case of ATM fraud, how easy it was for a Bad Guy to siphon a checking account at a public ATM in broad daylight, and why PCI regulations won’t help at all. Stay tuned.
Let the investigation begin….