By Mike S
So again: Palin’s AOL account was hacked because it used publicly-known answers for password-retrieval questions, a common/known exploit exposed users on O’Reilly’s site, and password-reuse by users exposed their other personal accounts.
On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O’Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O’Reilly site members paying $5 a month to hear Bill’s wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O’Reilly servers with 1.5GB/s of data.
The attack itself wasn’t particularly clever, but it was effective. Billoreilly.com’s administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a “New premium member report” showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was “just an error”—but it made the new member report available outside the secure admin structure to someone who knew the location.
The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O’Reilly site as a check of the data’s accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O’Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information.
The article doesn’t differentiate whether the portion of Bill’s site that was hacked contained cardholder data, so I don’t know if this will be considered a breach meriting PCI DSS penalties. But it’d be quite embarrassing for Bill if his site now has to post the “We’ve been hacked!” banner.
By Mike S
Something you should read if you store data with Amazon, or even if you don’t, because:
“They basically are telling you compliance is all up to you regardless of the regulation,” said Joe Granneman, an information security professional with experience in the heavily regulated industries of health care and financial services. “This makes a lot of sense because there is no good way for Amazon to guarantee compliance when it only provides the infrastructure. The customer connects the infrastructure together and builds on top of it, which Amazon cannot guarantee. This document drives home the fact that compliance is still up to the customer and not the IaaS provider.”
By Mike S
SearchSecurity.com interviews Ramon Krikken on tokenization vs. encryption.
By Mike S
The PCI Security Standards Council issued a new guidance to help IT administrators deploy and manage cloud environments and virtual data centers while ensuring PCI compliance where necessary.
The PCI DSS Virtualization Guidelines Information Supplement, released June 14, covers a number of virtualization areas, including different types of virtualization, specific notes on cloud computing and how to ensure “mixed” virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK. The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI-DSS 2.0 standard.
New guidance is always appreciated! The PDF includes five pages of risks specific to virtualized environments, ten pages of recommendations to deal with the risks, and two pages to help assessors assess the risks.
But why do you need all that when Cisco has a Solution In A Box?
At the same time, Cisco announced it will be releasing a Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month to help enterprises and retail customers with an in-depth guide on how organizations can achieve PCI compliance. The document provides guidance for different types of “store footprints,” such as size of the retail organization and the type of services provided, Lindsay Parker, global retail industry director at Cisco, told eWEEK.
Oh, it’s a guide to solving your DSS problems with Cisco solutions.
Anton Chuvakin weighs in:
PCI DSS in the Cloud … By the Council
The long-awaited PCI Council guidance on virtualization has been released [PDF]. Congrats to the Virtualization SIG for the mammoth effort! I rather liked the document, but let the virtualization crowd (and press!) analyze it ad infinitum – I’d concentrate elsewhere: on the cloud! This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic.
Here are some of the highlights and my thoughts on them.
By Mike S
Here’s an exciting story: Citigroup Credit Card Portal Breach Compromises 200,000 Customers – Security – News & Reviews – eWeek.com.
Cyber-attackers have breached financial giant Citigroup’s Web portal and gained access to customer credit card information. The company said the most sensitive information remained safe.
The perpetrators broke into Citi Account Online and viewed customer names, account numbers and some contact information such as email addresses, Citigroup said in a statement June 9. Social Security numbers, birth dates, card expiration dates and the security codes generally found on the back of the credit cards were not compromised as they are stored elsewhere.
Now they know real customers’ contact info, and can phish away, if not fabricate new identities from it.
While 200,000 sounds “kind of small” when compared to what happened in recent breaches, such as Sony’s 100 million, the number of records compromised is “not the important thing here,” Anup Ghosh, founder and chief scientist of Invincea told eWEEK. “It’s the loss of faith in the institution’s ability to protect us,” Ghosh said.
Financial institutions are “principal” targets for cyber-criminals, according to Brendan Hannigan, CEO of Q1 Labs. “Security trust means more than just making sure you’re in compliance with regulations,” Hannigan told eWEEK.
I’d sincerely hope Citibank is PCI DSS compliant, but as they said, it’s a baseline, not an ultimate goal.
Citi discovered the hacking incidents in early May during routine monitoring, according to The Financial Times, which broke the story June 9. Citigroup likely had spent the time trying to “quantify what was touched and what had happened,” Ghosh said.
Watch those logs!
Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. However, companies need to be “thinking like hackers do,” Mark Hatton, president and CEO of Core Security, told eWEEK, noting that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.”
Businesse (sic) are relying on defense mechanisms that were “developed in the last century” and have not changed since then, while attackers are creating new threats and “evolving every day,” said Ghosh.
By Mike S
Interesting, but not surprising:
Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.
“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”
There have been a number of high-profile incidents where production data wound up where the public could access it, without anyone in the organization realizing it. Make sure you know where your data goes!
One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didn’t know or weren’t sure how long it takes to detect and correct unauthorized changes to the database.
About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio or didn’t know how often patches were applied. Just under two-thirds of organizations do not have any kind of automated database configuration management or patch management tools employed.
PCI DSS requires patching of production systems monthly — what are these guys doing?
And this is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits once a month. Another 32 percent say they don’t know how often audits are performed — or never do them at all.
By Mike S
Lara Bergman of Sword & Shield presents a case study of a site hacked to sell pharmaceuticals outside the website’s normal product line:
Sword & Shield recently received a call for help from a medical center when someone informed them that their website was being used to sell Viagra online. Director of Forensics and Incident Response Bill Dean and Senior Security Analyst Matt Smith began their investigation into the allegations and soon uncovered an amazingly covert way hackers caused a high traffic website to be redirected to an online pharmacy selling the drug without a prescription.
A hacker had infiltrated the website and embedded nefarious code into the source code containing the word, “Viagra.” Thereafter, when a web user searched on the keyword, “Viagra,” or even searched for the medical center online, the repeated use of popular keywords would cause either search to appear high on the first page of the search engine’s “organic” (non-advertising) results. Research has shown that most web users opt to choose one of the first four or five URLs presented in their search, so it is important to spammers to get top placement.
Does your website have change auditing, which notifies you when any change has been made to a live website? This is required by the PCI DSS, but is a good idea for any website.
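As an added illustration (not code from Sword & Shield or from the original post), here is a minimal Python change audit of the kind that would have caught the injection above: it baselines a web root's file hashes, reports files added or modified since the baseline, and flags text hidden from visitors with inline CSS, which is where injected keyword blocks usually sit. The sample pages and the injected block are constructed inline; the hidden-block regex is a heuristic, not a full HTML parser.

```python
import hashlib
import os
import re
import tempfile

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(baseline, current):
    """Compare two hash maps; anything listed here is a change nobody reviewed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

# Elements styled invisible to visitors but still read by search-engine crawlers:
# the usual hiding place for injected keyword blocks (heuristic regex, not a parser).
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*style="[^"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"]*"[^>]*>'
    r'(.*?)</\1>', re.I | re.S)

def hidden_text(html):
    """Return the tag-stripped text of every hidden block found in the page."""
    return [" ".join(re.sub(r"<[^>]+>", " ", body).split()) for _tag, body in HIDDEN_BLOCK.findall(html)]

def demo():
    """Constructed scenario: baseline a clean page, then simulate an injection."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as fh:
            fh.write("<html><body><h1>Example Medical Center</h1></body></html>")
        baseline = hash_tree(root)                      # taken right after deployment
        with open(page, "a") as fh:                     # the unauthorized edit
            fh.write('<div style="display:none">buy cheap viagra online no prescription</div>')
        with open(os.path.join(root, "x.php"), "w") as fh:
            fh.write("<?php /* dropped file */ ?>")      # a file nobody deployed
        changes = diff_baseline(baseline, hash_tree(root))
        with open(page) as fh:
            hidden = hidden_text(fh.read())
    return changes, hidden

if __name__ == "__main__":
    print(demo())
```

Run the baseline step as part of deployment and the diff on a schedule; a non-empty result is the notification the question above is asking about.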
By Mike S
According to the study, 64 percent of PCI DSS-compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of noncompliant organizations reported suffering no breaches involving credit card data over the same period. When it comes to overall data breaches (general incident or those involving credit card data), 63 percent of compliant organizations suffered no more than a single data breach, compared with 22 percent of noncompliant organizations. Notably, 26 percent of noncompliant organizations suffered more than five breaches over the same time period.
It is fantastic that taking certain, specific, minimum steps to establish a secure environment actually decreases breaches.
Also notable is the fact that DSS is a private, voluntary initiative with noteworthy results.
“In an era where governments are struggling with the creation of vague yet complex data protection acts, the credit card industry took a bold step toward regulating itself, using plain language, clear goals and a pragmatic focus,” said University of Connecticut School of Business professor Robert Bird. “PCI isn’t perfect—but it succeeded by imposing security mandates and forcing attention on data security, all without government regulation.”
By Mike S
This is important, because mobile phone security is pretty darn crappy.
The growing use of smartphones and technologies that turn them into payment devices has prompted the Payment Card Industry Security Standards Council (PCI SSC) to start a mobile task force to study the issue.
By Mike S
Dr. Anton Chuvakin presents a Q&A session on PCI DSS 2.0:
Just like last year, I did this great interview with Bob Russo, the GM of PCI Council. There is no audio recording, what follows below are my notes reviewed by the Council. Italic emphasis is added by me for additional clarity.