26 posts categorized "identity theft"

May 04, 2009

Lexis Nexis allowed cybercriminals to use its information for 3 years. I am shocked!

From the classic movie Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

The latest winner of the Captain Renault award is Lexis Nexis and its corporate sister, Choicepoint. It seems that cybercriminals were using their service for 3 years to obtain information that was used to obtain fraudulent credit cards. Then, to make matters worse, Lexis Nexis apparently asked for and received permission to wait for 18 months to notify people whose information may have been compromised. This is of course not the first time that Choicepoint has been duped into giving out confidential data.

When are we going to put enough bite into the penalties so that these companies will take protecting this data seriously? How do they dare sit on this for 18 months to two years before notifying victims? This is the kind of stuff that makes politicians want to do something; it's about time they did!


February 25, 2009

Spring is in the air

I know you may not be feeling this way depending on where you live, but Spring is in the air. How do I know? Easy, my anniversary has just passed. For the 19 years I have been married, I know that once my anniversary is over it will soon be Spring. Sort of my own bird-like instinct maybe. When we were first married we used to go to Maui every year for our anniversary. It is always Spring in Maui, but by the time we would come home in early March, Spring was certainly on the way. Of course with the kids we don't get to Maui much, but I watched a pre-season baseball game today; what more proof do you need than that?

So what does Spring have to do with anything?  Spring represents a rebirth. I think we need a rebirth.  We need to stop dwelling on the negative and start making our own luck and our own positives! To quote a greater thinker than I, “we have nothing to fear but fear itself”.  So take my word for it, Spring is on the way.  Start thinking about how you are going to break out of the winter/economy doldrums and attack your job, your life and your problems head on. 

Good luck with that!

  1. Mike Rothman gave me a nice shout out yesterday in his blog about copying his format.  Besides thanking Mike, I want to say that I am thinking of this as just doing a few short blog/comments in one post.  I will of course add my own Shimmy schtick to it, but I like it. I will still do full posts when I see something I want to talk about. I am interested though if you readers like this type of blogging. Let me know.
  2. The law of conservation of energy – Adrian Lane over on Securosis has a nice commentary up on the recent Symantec/Ponemon FUD that employees leaving their employment are taking IP and confidential data with them and that this number has gone up drastically. As Adrian points out, no crap Sherlock! With all of the people being laid off, there are certainly more people leaving work. The real issue though is how many of these people are actually doing anything with this information. It reminded me of studying science with my oldest son Landon. The law of conservation of energy says that the amount of energy doesn't change, just the form does. So really this is a potential threat, like potential energy. It remains to be seen if it will translate into anything more than that. Adrian says no; I say desperate people do desperate things.
  3. Dead men walking – While reading this story about Nortel laying off another 3200 people today I was reminded of a potential customer call I was on a while back for NAC. They were also looking at Nortel's NAC solution and the CIO was telling me how good he felt dealing with a company Nortel's size and the stability it offered over StillSecure. My, how the mighty have fallen!
  4. It's not a product, it's a feature – Hoff loves to spout that one. I was reminded of the same thing today reading the article in Computer World by Mark Everett Hall that SaaS is not a market, just another channel. I actually agree with that statement, and it is one of the driving forces behind StillSecure's recent ProtectPoint acquisition. While many folks including Rothman question an organization's ability to sell service and product, I view the service offering as just another distribution channel. Customers can buy our products as a hardware appliance, software or as a service. I think long term that view of SaaS is going to be proven correct.
  5. Firewall tools – I recorded a great podcast earlier this week with Secure Passage CTO Jody Brazil. Jody is the former CTO of Fishnet and Secure Passage was originally spun out from Fishnet with the Firemon product. It is totally independent of FishNet now and is coming out of stealth mode. My recording equipment messed up and I am waiting on Mitchell to send me his file to edit. In the meantime Brian Prince of eWeek has a good interview with Jody. My view on this one is that PCI is totally driving this market. The issue is will it be a victim of its own success. If it becomes big enough the firewall vendors will do a better job of packaging management tools with the firewalls and the 3rd party tools will find it hard to compete. But who knows, maybe they get bought out by then.

January 26, 2009

Don't throw out the baby with the bath water

In the wake of the Heartland fiasco it is becoming fashionable to lay the blame for this mess at the feet of the PCI Council. Almost as if the PCI folks were the ones who planted the malware on Heartland's computers and stole the credit card info. Mike Rothman questions "The Increasing Irrelevance of PCI" and Steve Ragan over at the Tech Herald asks "Does the Heartland breach prove PCI useless". I say don't throw out the baby with the bath water. Let's not confuse the good work that the PCI regs have done across the board with the sophisticated methods of cybercriminals. As I wrote last week, let's not confuse compliance with security!

For the majority of merchants who accept credit cards the PCI regs have led to the adoption of security measures that many of them never had before. Anyone who doubts that does not have the facts on their side. Yes, many of these merchants have adopted measures solely to pass an audit and check the box, but that is still more than they had. Expecting these merchants to get serious about security and do more than the minimum that the standards mandate is a pipe dream. The PCI standards are not supposed to be some superhero-like shield of invincibility. They are just a set of minimal steps that merchants and those with sensitive information should take to protect that data. They were never meant to be the be-all and end-all in the matter of security.

All of the above notwithstanding, I do think the PCI council needs to adopt a higher standard for companies like Heartland and Cardservices that process credit card transactions. The sheer volume of information they process puts them in a different class. I think for this class the PCI folks should put some constant monitoring of security practices in place. A yearly audit is not enough. I also think that larger merchants need not only more frequent monitoring but a higher level of security.

But folks, don't throw the baby out with the bath water. Give the PCI council time to adjust and learn from this episode. Those who condemn them for not anticipating this type of attack are not without sin themselves. Who among us in the security industry has been able to stop the bad guys dead in their tracks every time? Let's not hold the PCI regulations up to an impossible and artificial standard that no one can live up to.

January 22, 2009

Security is not the same as compliance

By now you have all read about the Heartland Payment Systems fiasco. One thing that I wanted to point out is around PCI compliance. For all of the money, talk and energy spent around achieving PCI compliance, an examination of the timeline shows that Heartland was PCI certified in April. That means that they had to have quarterly scans, probably twice since April. The Heartland folks became aware of a potential breach in October and discovered the malware in January (and of course announced it the day of the Presidential inauguration).

So at least one and maybe two PCI scans failed to discover this problem. Being PCI compliant did not keep Heartland from exposing the data on 100 million credit cards. If ever there was a poster child for "compliance does not equal security", this is it. Compliance drives dollars and drives the security business; unfortunately it does not drive security.

November 25, 2008

I'm shocked, shocked to find out that gambling is going on here

Dialogue from Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

Pretty much sums up what I was reminded of when reading about Symantec's "revelation" that the market for stolen data was in the hundreds of millions of dollars. Did Big Yellow think people were just doing this for kicks and giggles?

Round up the usual suspects.

November 24, 2008

Do data breaches really cost companies customers?

Adam Dodge, writing on the Security Catalyst blog (another great SBN member site), writes about how data breaches have a substantial impact on companies losing customers. Adam points out that nothing will make a company take security more seriously than hits to the bottom line. Adam cites two recent studies to prove how data breaches make customers lose faith in the breached companies and how a substantial amount (30% or more) terminate their relationship.

I don't buy this for a second. In fact I think for many kinds of breaches, it doesn't affect the bottom line or customer loyalty at all. DSW Shoes, TJX, Best Buy - none of these retailers had any lingering effect to the bottom line or their stock prices as a result of data breaches. The two studies Adam cites as evidence are both sponsored by companies that make their living in id management and identity protection. These are hardly neutral parties.

I can understand if the data breach was your banking institution, but when it comes to retail at least, I don't think people stop shopping there. That is not to say that they don't get upset and on a short term basis bitch and moan about it. But long term the next time DSW has shoes on sale or Best Buy is running a great deal on HD TV, consumers will be lining up to buy. Also the fact that stock prices are not affected is not lost on executive management of these companies.

The fact is until there are real hits to the bottom line from these high profile breaches, as a business plan it may be cheaper to absorb the cost of a breach than to try to lock it down and prevent them.

* The two studies Adam mentions are here:

http://www.debix.com/docs/Javelin_Research_Consumer_Survey_Data_Breach_Notification_2008.06.pdf

http://www.idexpertscorp.com/breach/ponemon-study/


November 02, 2008

Is your refrigerator running?

Maybe you should go catch it. Most of you have played some sort of iteration on this one over the phone when you were a kid. But a couple of radio DJs from Montreal actually managed to dupe Sarah Palin herself evidently. C/Net reports that the duo known as the "Masked Avengers" actually convinced Mrs Palin and her team that they were French President Nicolas Sarkozy. Even when the supposed Sarkozy acts just a bit too goofy, Governor Palin doesn't pick up on it.

I don't necessarily approve of this kind of thing, but I question her people not checking on this before putting her on the phone and I question her for not catching on to this.  Another incident of social engineering being successful way too easily! I guess you can't see France from her doorsteps.  Anyway, here is the audio on this one:


October 08, 2008

Am I chopped liver compared to Sarah Palin?

One of the foundations of our system of laws is that we are all equal under the law. The USA has no class or caste system that is recognized by our laws and our courts. We are all entitled to equal protection under the law, right? So why did the Justice Department indict the kid who p0wned Wasilla Wolverine's Yahoo email account, yet they refused to take action against the people who did it to me?

I don't know, maybe I don't wink enough when I speak or maybe it is time I "put on the heels and take off the gloves", but I find it a true double standard that the Federal Government would take action against the people who did this to her, but not the people who did the same thing to me. Is it a sexist thing? Are only women entitled to protection under the law? Are only Republicans? Only people running for office? If this is a crime (and I believe it is a crime for sure), then the government should not be selective in who is eligible for its protection. Enough of catering to special interests! I am not a second class citizen and want the same rights that Sarah Palin has!

Let me be clear, I don't condone what this person did to "that one's" (isn't that the term to use) Yahoo mail. It is a crime, it is wrong and should be punished. But I was told by multiple law enforcement personnel that unless there was financial theft or fraud over 10k the federal government will not get involved. Anyone who hacks into someone's private email or accounts should be prosecuted under the law. No Double Standards!

September 17, 2008

Hey, it can happen to anyone ;-)

I had to at least smile reading this article by Ryan Naraine in ZD Net today. It seems that the private email account that Sarah Palin was using to conduct State of Alaska business was in fact her own Yahoo mail account. Today some group of anonymous hackers broke into and posted Governor Palin's emails. After what I have been through all I can say is, it can happen to anyone ;-)

In case anyone from Mrs. Palin's office is interested, I am willing to come up to Alaska and help them deal with getting their Yahoo account back under control.  It could take a few days. Also let me recommend a good password manager and upgrading the strength of all of your passwords.  Moose would probably not be a good password, but m00$e might be better for instance.  Also I would change the ebay password before someone buys back that state owned jet ;-)

I guess it is a lucky thing John McCain doesn't do computers and email.


August 25, 2008

Always keep your wireless off on the iPhone 3G until you need to use it

I came across a very poor security feature of the iPhone 3G this week. Like many of you, unless I actually turn wireless networking off, by default it is on. The caveat is that many of you have set the phone to "warn you before connecting". I thought that this would mean that before my phone connected to a wireless network, it would ask my permission. In fact that is what happens the first time you connect to a named wireless network. But after you have connected to a particular SSID before, in the future the phone will connect to that network automatically without asking! On top of this, networks like ATTWireless seemed to be already pre-approved and the phone does not ask you permission. To be fair, Apple does warn in the fine print that "known networks will be joined automatically". But how hard is it to change an SSID today?

So what does this mean? Let's say you go to a friend's house or some other location that is using a default SSID like Linksys. You want to use the network while at that location and give it permission. After that you are at an airport or other public place and your phone picks up a wireless network named linksys. Guess what, your phone just connected and didn't ask you a thing. Let's say some bad guys set up a network to gather your data. They name the network ATTWireless or Linksys or some other common name. If you have wireless on your phone turned on, even if you have the "warn me and ask permission" setting on, you will still connect to that network without notice to you. I am sorry, but this is just terrible design by Apple! I want to be asked before I connect to any network every time I connect.

Could this be how my log on information was stolen in Vegas?  I don't know, I actually had wireless shut down entirely for most of the time in Vegas.  But I have been racking my brain to remember if there was a time I turned wireless on for a short time.

In the meantime, I now keep my iPhone's wireless network setting off at all times. You should too! Of course Apple designed many of the programs to be optimized for high speed connections like wireless network connections, so there might be some trade-offs there.

http://compnetworking.about.com/cs/wirelessproducts/qt/changessid.htm

2. Be careful of the Free Public Wifi SSID. I see it always as an ad hoc network and though I have never tried to connect and I don't know for sure what it is, I know that it is probably not good.
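The auto-join behaviour described above, modeled as an added example that is not code from the original post and not Apple's implementation: one policy remembers a network by SSID alone and rejoins anything broadcasting that name (what the post describes), the other also compares the access point's BSSID and security type and asks the user whenever either differs. It also includes a small audit that lists remembered open networks with generic default names, the entries most likely to collide with an unrelated network. All networks, addresses and the watch list of SSIDs are constructed sample data.

```python
"""Why "remember by SSID" auto-join is too weak a rule.

Added example, not code from the original post and not Apple's
implementation. The ssid-only policy reproduces the behaviour the post
describes; the strict policy also checks BSSID and security type. All
networks below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    JOIN = "join"      # connect without asking
    PROMPT = "prompt"  # ask the user before connecting


@dataclass(frozen=True)
class Network:
    ssid: str      # the broadcast name; anyone can set it
    bssid: str     # access point MAC address
    security: str  # "open" or "wpa2"


# Constructed "known networks" list: a friend's default-named open router
# and a home WPA2 network.
KNOWN = [
    Network("linksys", "00:11:22:33:44:55", "open"),
    Network("HomeNet", "66:77:88:99:aa:bb", "wpa2"),
]

# Constructed scan at a public place: an open network reusing the
# remembered "linksys" name on a different access point, the real home
# network, and a network never seen before.
SCAN = [
    Network("linksys", "de:ad:be:ef:00:01", "open"),
    Network("HomeNet", "66:77:88:99:aa:bb", "wpa2"),
    Network("CoffeeShop", "12:34:56:78:9a:bc", "open"),
]

# Default names the post mentions; constructed watch list, extend as needed.
GENERIC_SSIDS = frozenset({"linksys", "attwireless", "free public wifi"})


def ssid_only_policy(known, candidate):
    """The behaviour the post complains about: match on name alone."""
    if any(k.ssid == candidate.ssid for k in known):
        return Decision.JOIN, "SSID was remembered"
    return Decision.PROMPT, "SSID not remembered"


def strict_policy(known, candidate):
    """Rejoin silently only when name, BSSID and security type all match
    the remembered entry; a name collision on a different access point or
    with a different security type goes back to the user."""
    for k in known:
        if k.ssid != candidate.ssid:
            continue
        same_ap = k.bssid.lower() == candidate.bssid.lower()
        same_sec = k.security == candidate.security
        if same_ap and same_sec:
            return Decision.JOIN, "matches remembered access point"
        return Decision.PROMPT, "remembered SSID on a different access point or security type"
    return Decision.PROMPT, "SSID not remembered"


def evaluate_scan(known, scan, policy):
    """Apply a policy to every scan result; returns {ssid: Decision}."""
    return {net.ssid: policy(known, net)[0] for net in scan}


def risky_known_networks(known, generic=GENERIC_SSIDS):
    """Audit helper: remembered open networks with a generic default name,
    i.e. the entries most likely to collide with an unrelated network."""
    return [k for k in known
            if k.security == "open" and k.ssid.lower() in generic]


if __name__ == "__main__":
    for name, policy in (("ssid-only", ssid_only_policy), ("strict", strict_policy)):
        print(name, evaluate_scan(KNOWN, SCAN, policy))
    print("forget these:", [k.ssid for k in risky_known_networks(KNOWN)])
```

Under the ssid-only policy the airport "linksys" is joined silently; under the strict policy it is put to the user because the BSSID differs. Checking the BSSID raises the bar but is not a guarantee for an open network, which authenticates nothing about the access point, so the networks the audit flags are best forgotten outright, which is what the post's advice of leaving Wi-Fi off until you need it achieves in practice.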


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
