By Mike S
In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc, apparently made no attempt whatsoever to comply with PCI DSS.
Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.
According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.
So they stored the security code, stored the entire unencrypted credit card number, used plain-jane md5-hashed passwords, and left everything wide open, and disabled what security features were built-in to the software they were using.
Very Bad Practice.
By Mike S
One thing I really enjoy about computer sercurity is learning from other peoples’ mistakes.
While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.
“With PCI compliance, those apps shouldn’t be on those systems,” said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But small retailers who don’t store credit card data are not required to have the same level of auditing as larger companies, Fellmann said.
It’s hard to believe a corporation as large as Subway put so little effort into PCI compliance, but this could have easily been discovered with an external scan, log monitoring, in-scope review, systems change monitoring, malware scanning, and so on and so forth.
So will Subway now have to post the Black Mark of Shame in every franchise?
By Mike S
Something you should read if you store data with Amazon, or even if you don’t, because:
“They basically are telling you compliance is all up to you regardless of the regulation,” said Joe Granneman, an information security professional with experience in the heavily regulated industries of health care and financial services. “This makes a lot of sense because there is no good way for Amazon to guarantee compliance when it only provides the infrastructure. The customer connects the infrastructure together and builds on top of it, which Amazon cannot guarantee. This document drives home the fact that compliance is still up to the customer and not the IaaS provider.”
By Mike S
SearchSecurity.com interviews Ramon Krikken on tokenization vs. encryption.
By Mike S
The PCI Security Standards Council issued a new guidance to help IT administrators deploy and manage cloud environments and virtual data centers while ensuring PCI compliance where necessary.
The PCI DSS Virtualization Guidelines Information Supplement, released June 14, covers a number of virtualization areas, including different types of virtualization, specific notes on cloud computing and how to ensure “mixed” virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK. The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI-DSS 2.0 standard.
New guidance is always appreciated! The PDF includes five pages of risks specific to virtualized environments, ten pages of recommendations to deal with the risks, and two pages to help assessors assess the risks.
But why do you need all that when Cisco has a Solution In A Box?
At the same time, Cisco announced it will be releasing a Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month to help enterprises and retail customers with an in-depth guide on how organizations can achieve PCI compliance. The document provide guidance for different types of “store footprints,” such as size of the retail organization and the type of services provided, Lindsay Parker, global retail industry director at Cisco, told eWEEK..
Oh, it’s a guide to solving your DSS problems with Cisco solutions.
Anton Chuvakin weighs in:
PCI DSS in the Cloud … By the Council
The long-awaited PCI Council guidance on virtualization has been released [PDF]. Congrats to the Virtualization SIG for the mammoth effort! I rather liked the document, but let the virtualization crowd (and press!) analyze it ad infinitum – I’d concentrate elsewhere: on the cloud! This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic.
Here are some of the highlights and my thoughts on them.
By Mike S
Here’s an exciting story: Citigroup Credit Card Portal Breach Compromises 200,000 Customers – Security – News & Reviews – eWeek.com.
Cyber-attackers have breached financial giant Citigroup’s Web portal and gained access to customer credit card information. The company said the most sensitive information remained safe.
The perpetrators broke into Citi Account Online and viewed customer names, account numbers and some contact information such as email addresses, Citigroup said in a statement June 9. Social Security numbers, birth dates, card expiration dates and the security codes generally found on the back of the credit cards were not compromised as they are stored elsewhere.
Now they know real customers’ contact info, and can phish away, if not fabricate new identities from it.
While 200,000 sounds “kind of small” when compared to what happened in recent breaches, such Sony’s 100 million, the number of records compromised is “not the important thing here,” Anup Ghosh, founder and chief scientist of Invincea told eWEEK. “It’s the loss of faith in the institution’s ability to protect us,” Ghosh said.
Financial institutions are “principal” targets for cyber-criminals, according to Brendan Hannigan, CEO of Q1 Labs. “Security trust means more than just making sure you’re in compliance with regulations,” Hannigan told eWEEK.
I’d sincerely hope Citibank is PCI DSS compliant, but as they said, it’s a baseline, not an ultimate goal.
Citi discovered the hacking incidents in early May during routine monitoring, according to The Financial Times, which broke the story June 9. Citigroup likely had spent the time trying to “quantify what was touched and what had happened,” Ghosh said.
Watch those logs!
Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. However, companies need to be “thinking like hackers do,” Mark Hatton, president and CEO of Core Security, told eWEEK, noting that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.”
Businesse (sic) are relying on defense mechanisms that were “developed in the last century” and have not changed since then, while attackers are creating new threats and “evolving every day,” said Ghosh.
By Mike S
Interesting, but not surprising:
Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.
“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”
There have been a number of high-profile incidents where production data wound up where the public could access it, without anyone in the organization realizing it. Make sure you know where your data goes!
One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didn’t know or weren’t sure how long it takes to detect and correct unauthorized changes to the database.
About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio or didn’t know how often patches were applied. Just under two-thirds of organizations do not have any kind of automated database configuration management or patch management tools employed.
PCI DSS requires patching of production systems monthly — what are these guys doing?
And this is is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits once a month. Another 32 percent say they don’t know how often audits are performed — or never do them at all.
By Mike S
According to the study, 64 percent of PCI DSS-compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of noncompliant organizations reported suffering no breaches involving credit card data over the same period. When it comes to overall data breaches (general incident or those involving credit card data), 63 percent of compliant organizations suffered no more than a single data breach, compared with 22 percent of noncompliant organizations. Notably, 26 percent of noncompliant organizations suffered more than five breaches over the same time period.
It is fantastic that taking certain, specific, minimum steps to establish a secure environment actually decreases breaches.
Also notable is the fact that DSS is a private, voluntary initiative with noteworthy results.
“In an era where governments are struggling with the creation of vague yet complex data protection acts, the credit card industry took a bold step toward regulating itself, using plain language, clear goals and a pragmatic focus,” said University of Connecticut School of Business professor Robert Bird. “PCI isn’t perfect—but it succeeded by imposing security mandates and forcing attention on data security, all without government regulation.”
By Mike S
Here we are again – our fourth installment of the DBIR series (sixth if you count the ’08 and ’09 mid-year supplementals). To our readers, it may seem like the 2010 DBIR published ages ago. To us, it feels more like yesterday. The expanding scope and increasing depth of the report makes it almost one continuous effort throughout the year. It is, however, a labor of love and we’re very glad to be sharing our research into the world of data breaches with you once again.
By Mike S
This is important, because mobile phone security is pretty darn crappy.
The growing use of smartphones and technologies that turn them into payment devices has prompted the Payment Card Industry Security Standards Council (PCI SSC) to start a mobile task force to study the issue.