17 posts categorized "identity theft"

June 29, 2008

Some firms don't admit security breaches - Geez, ya really think so?

It's not often that security issues make mainstream media outlets. So when I saw this article on cbsnews.com I wanted to see what kind of "investigative journalism" the same folks who do 60 Minutes would bring to the story. The story takes the particular case of Direct Marketing Services, Inc., the parent company of Montgomery Ward. It does a good job documenting the breach, the discovery of the breach and how the company complied with credit card company rules by notifying Visa, MasterCard, Discover, etc., but did not notify the 51,000 potentially affected customers. It also does a nice job of giving credit to Affinion Group Inc.'s CardCops for spotting this theft.

The article then goes on to say that 44 states have passed statutes making disclosure and notification of security and confidentiality breaches to affected consumers mandatory. The article does caution, though, that based upon the volume of data being sold in "online black markets", there are many more breaches than we are being told about. I think it is good that CBS bangs the drums on this, but frankly that "evidence" is a bit flimsy. I also found it gratifying that the article blames the credit card companies themselves for not doing more to publicize these breaches, so that they don't have to issue new cards. It just goes to prove what has been written before: in the bigger picture the cost of doing business may include the risk of compromised data, and big business has determined that this is a risk worth taking.

May 12, 2008

The hackers that couldn't code straight

Had to laugh reading this story about the three men charged with hacking and installing a packet sniffer at several Dave and Buster's restaurants across the US. The scam did result in hundreds of thousands of dollars of fraudulent bank card charges. However, the packet sniffer software was so buggy that when it was first installed at the first Dave and Buster's, it did not even work and captured no credit card data. The next version of the program worked a little better, but it seems the criminals had to continually go back to the restaurants and restart the program when it hung!

I don't know what is more disgusting: the lack of quality of the sniffer program or the apparent lack of any security at all by the folks running the restaurants. In any event, I see a bright future for the outsourcing of hacking programs to people who can do a better job than this Apple Dumpling Gang.

April 08, 2008

Social engineering at Macy's

So without my luggage I had to do something about clothes for my presentation at the Americas Growth Capital conference today. Wearing Levi's jeans with a t-shirt and sneakers was just not going to cut it. I waited until 10am (with still no word on when my luggage would show up, thanks Delta!) and then walked over to Macy's, a few blocks from my hotel. I went to the men's department and picked out a nice shirt (on the clearance rack), a matching tie (clearance too), underwear, socks and casual shoes. I could not get pants that would fit. Though I have lost a lot of weight, I am still one pants size too big for off the shelf at the likes of Macy's.

When I went to the cashier to pay they asked me how I would like to pay. I explained to them that I had lost my luggage and had to make a presentation. I told them my wife had a Macy's account and I would like to use that. I didn't have her charge card and I am not an authorized user of the card. I then gave them Bonnie's Macy's charge card number and our zip code and they charged my whole purchase! I am sure that, PCI or not, somewhere this is not kosher. Anyone with the account number and zip code could have done this.

Now, maybe they liked my story and I have an honest face. Frankly, I am glad they did, as it helped me get my clothes. However, it just doesn't feel right, and it shows you that even with PCI and everything else in place, you can still abuse credit cards.

June 01, 2007

A slap on the wrist, this is why companies don't do all they can about security

A lesson I have learned in security is that most organizations can be better about security but choose not to. They vote with their pocketbooks and budgets to manage the risk of loss against the cost of security. A perfect example of this reality is the recent settlement by ChoicePoint with 43 states and Washington, DC. I read about this in a blog article by Dennis Fisher on SearchSecurity.

ChoicePoint settled all of the outstanding suits regarding its negligence in giving away almost 150,000 persons' confidential information with 44 different jurisdictions for $500k. This amounts to about $3.45 a record. Not even a smack on the wrist, actually a joke. Granted, this is on top of a $10 million fine to the FTC and a $5 million payment to consumers who were affected by this. So all together, for $15.5 million, ChoicePoint is scot-free. That sounds like a lot of money, but to a company doing a billion a year in revenue it is a mere pittance.

Clearly, ChoicePoint can make a business decision that the risk of paying the $15 million versus what it would cost to prevent this is not worth it. Other than the fines, companies embroiled in these data losses don't seem to suffer any further damage to reputation or the bottom line. Until we make the repercussions meaningful enough, we will continue to see these types of data losses. It's nothing personal, it's strictly business. Risk management at work.

I should point out that this was not a hack so much as a social engineering breach. ChoicePoint, in their greed to profit from all of the data they gather on everyone, was duped into giving this information out. If they had been slapped hard, they would think twice about failing in the trust placed in them to keep such confidential data confidential!

March 19, 2007

What is your identity worth?

About $18 according to this article, based upon a report by Symantec. Slightly misleading, as I don't think you can go and get a specific person's identity for that price. However, you can buy "an identity" for that sum. It is still scary stuff. Credit card numbers alone range from one dollar to four dollars. Again according to Symantec, 25% of all leaked information came from pilfered government information. Health care and education rank right behind the government as sources of the info. Here is a shocker: only 13% came from hacking (though one can say all of the stolen info was hacked by some definitions).

And here I just thought Symantec was busy preparing reports that knocked Vista and Microsoft's inherent conflict of interest in providing operating systems and security programs that protect them ;-)

September 07, 2006

Another view on the NAC/NAP announcement

Jon Oltsik from the Enterprise Strategy Group has an excellent article up on the CNET Corporate Security Blog that has another view on this. Basically, Jon says that both the MS and Cisco approaches are proprietary and that they had to do something to justify co-opting an industry-wide effort. Jon says that what Cisco and MS are doing under the guise of support for IEEE 802.1X is vintage behavior from these two. They are taking legitimate standards and, under an "open" smokescreen, are hiding their efforts to "embrace and extend" the client code until it is no longer the industry standard it is supposed to be. Jon calls for both Cisco and MS to work with the TNC/TCG standard (which, to be fair, MS has said they will support). He points out that Cisco claims they don't work with industry consortiums on standards, but catches them red-handed in regard to their participation in SNIA, another industry consortium on standards. These are all dead-on and good points by Jon. I think his best point, though, is that this whole thing only applies to Cisco-only networks and MS-only computers. In today's wired/wireless networked world where everything is logging on to the network, you are going to need wider coverage than that.

September 06, 2006

Cisco NAC/Microsoft NAP- The mountain meets Muhammad

As a Cisco NAC partner and MS NAP partner, I have to admit I was a bit excited to see for myself what the two companies have cooked up in making their products work together. MS and Cisco are demonstrating the new interoperable architecture today at the Security Standard conference in Boston. Both companies put out a joint press release announcing the fact, along with a white paper that details some of how they will work together. For a long time, even though both companies had announced plans to make NAC and NAP work together, I was not sure if we would ever see it in our lifetimes. Both companies appeared to be treading into each other's traditional bastions and it did not seem like they really wanted to make it work. But it would appear, at least on its surface, that the mountain has come into the middle and met halfway. However, before we all break out into a rousing chorus of Kumbaya, let's take a closer look at what is really going on here.

What the two have put together is an "...architecture and ... details on how to integrate the embedded security capabilities of Cisco's network infrastructure with those of Microsoft Windows Vista™ and the future version of Windows Server®, code-named "Longhorn"." So the first thing that jumps out, and this is confirmed in the white paper, is that this will only work together in Vista and in Longhorn when it is rolled out. Current plans are for the latter half of 2007, so don't rush out and order it just yet. Further reading of the white paper and press release shows a few other details:

  1. Microsoft's NAP agent will be the single agent that works for both NAP and NAC in Vista and Longhorn
  2. MS is including as a Windows update a patch to the Vista supplicant which will allow it to work with Cisco's proprietary EAP/802.1x, in addition to the industry-standard supplicant for 802.1x that Vista will contain
  3. Windows OSes other than Vista and Longhorn will still need two separate agents for NAP and NAC
  4. MS "will license elements of its NAP client technology to third party software developers" to support non-Windows OSes
  5. MS NAP APIs will serve as the single programmatic interface used for health reporting for both Cisco NAC and MS NAP
  6. The Cisco ACS will receive notification of "health" from the MS server and then, based upon that, grant access to the device depending on the user's access rights

In a nutshell, it looks like MS is responsible for the client: testing the endpoints, determining what policy and what tests the endpoint should be tested against, and communicating this to the Cisco NAC solution. The NAC solution is then in charge of assigning the device to the appropriate VLAN, quarantine and network enforcement.
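To make the division of labor concrete, here is a toy model of that split, added here as an illustration and not code from the Cisco/Microsoft white paper or from either product. The health-evaluation side (the MS/NAP role) compares a statement of health against a policy; the enforcement side (the Cisco/NAC role) turns the resulting VLAN choice into the RFC 3580 RADIUS attributes that any 802.1X-capable switch reads to place a port on a VLAN. The statement-of-health fields, the policy thresholds, the user-role-to-VLAN table and the VLAN numbers are all assumptions for the example; the real NAP statement of health is an opaque binary structure produced by the NAP agent and is not modeled here.

```python
from __future__ import annotations
from dataclasses import dataclass


# Constructed statement-of-health record. The field names are an assumption
# for illustration only; the real NAP SoH format is not reproduced here.
@dataclass(frozen=True)
class StatementOfHealth:
    antivirus_enabled: bool
    antivirus_signature_age_days: int
    firewall_enabled: bool
    missing_critical_patches: int


# Assumed policy thresholds a health policy server would enforce.
@dataclass(frozen=True)
class HealthPolicy:
    max_signature_age_days: int = 7
    max_missing_critical_patches: int = 0


# Assumed mapping of user access rights to production VLANs, plus the
# quarantine VLAN used for non-compliant or unknown endpoints.
USER_VLANS = {"employee": "100", "contractor": "200"}
QUARANTINE_VLAN = "999"


def evaluate_health(soh: StatementOfHealth, policy: HealthPolicy) -> tuple[bool, tuple[str, ...]]:
    """Health-policy side: compare the reported health against the policy.

    Returns (compliant, reasons); reasons is empty when the endpoint is compliant.
    """
    reasons: list[str] = []
    if not soh.antivirus_enabled:
        reasons.append("antivirus disabled")
    elif soh.antivirus_signature_age_days > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures {soh.antivirus_signature_age_days} days old")
    if not soh.firewall_enabled:
        reasons.append("host firewall disabled")
    if soh.missing_critical_patches > policy.max_missing_critical_patches:
        reasons.append(f"{soh.missing_critical_patches} critical patches missing")
    return (not reasons, tuple(reasons))


def vlan_for(compliant: bool, user_role: str) -> str:
    """Combine the health verdict with the user's access rights to pick a VLAN."""
    if not compliant:
        return QUARANTINE_VLAN
    # Unknown role: fail closed into quarantine rather than onto a production VLAN.
    return USER_VLANS.get(user_role, QUARANTINE_VLAN)


def radius_vlan_attributes(vlan: str) -> dict[str, str]:
    """Enforcement side: the RFC 3580 attributes an 802.1X switch honors for VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",              # attribute value 13
        "Tunnel-Medium-Type": "IEEE-802",   # attribute value 6
        "Tunnel-Private-Group-ID": vlan,    # the VLAN the port is placed on
    }


def access_decision(soh: StatementOfHealth, user_role: str,
                    policy: HealthPolicy = HealthPolicy()) -> dict:
    """End-to-end: health check, access-rights lookup, then the enforcement attributes."""
    compliant, reasons = evaluate_health(soh, policy)
    vlan = vlan_for(compliant, user_role)
    return {
        "compliant": compliant,
        "reasons": reasons,
        "vlan": vlan,
        "radius": radius_vlan_attributes(vlan),
    }


if __name__ == "__main__":
    # Constructed sample endpoints: one healthy, one with stale AV, no firewall and missing patches.
    healthy = StatementOfHealth(True, 2, True, 0)
    unhealthy = StatementOfHealth(True, 30, False, 3)
    for role, soh in (("employee", healthy), ("contractor", healthy), ("employee", unhealthy)):
        decision = access_decision(soh, role)
        print(f"{role:10} vlan={decision['vlan']} reasons={list(decision['reasons'])}")
```

The point of the example is that the enforcement output is nothing more than the standard VLAN-assignment attributes; everything product-specific sits in the health evaluation on the left-hand side.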

So here is my question then. If I already have NAP, what am I getting by adding Cisco NAC? Well, first of all I have to have a Cisco-only, NAC-enabled network; secondly, I have to have an MS NAP-enabled network. Assuming the two above, is NAC doing anything that NAP by itself, working with standard 802.1x, can't do? I don't see it. I think this type of functionality will work with any 802.1x-capable network and NAP. I am encouraged to see them working together, and I would like them both to support the TCG standard as well (MS has said they will support it); however, as it now stands, I just don't see a lot that is special about it. Maybe we will see more in the next year, before this goes live.

September 05, 2006

The herd mentality (or safety in numbers)

I received a nice note from a reader of the blog over the weekend named Rob. Rob pointed me to an article in eWeek by Deborah Rothberg last week that had a survey showing only 37% of IT professionals believe their company is effective at detecting, let alone preventing, data breaches. Another interesting fact was that in terms of what was the most detrimental factor in a data breach, loss of confidential consumer or customer data was second. First was loss or theft of IP. This is in spite of privacy laws and such.

The biggest thing in my mind, though, was the fact that the biggest reason cited for not taking greater precautions and measures was cost. With the cost of data breaches being what they are, I find it hard to believe the cost of protecting against data breaches is not cheap compared to the cost of data breaches. The only way you can justify it is that the people responsible for approving the budget for these kinds of tools follow a herd mentality with safety in numbers. They must know that the cost of protection is actually pretty cheap compared to the cost of a breach. However, in spite of the fact that we read and hear about data breaches every day, they still feel that they can hide in the crowd and that this will be someone else's problem. That is, until the day it comes home to roost and they have to pay the piper. Maybe it is a good idea to keep publicizing these data breaches, so that people become more aware that it can happen to them.

August 06, 2006

$700k in ATM thefts from Dollar Tree Stores

eWeek has an article detailing yet another theft of ATM information, this time from a retail chain called Dollar Tree Stores. This theft has already resulted in more than $700k being stolen from personal accounts in the last two months. This happened only at the Modesto and Carmichael, CA and Ashland, OR stores. What is not clear is whether the thieves got the actual PINs besides the card info, or just have the names and numbers of the cards. Another question: did Dollar Tree keep this info stored somewhere after the transaction? If so, why? We all pay when these things happen, with higher fees and rates. I really hope they figure out how the thieves did this.

July 08, 2006

Identity Theft Clock at 88m+

Both Chris Hoff and Bruce Schneier wrote about a report by the Privacy Rights Clearinghouse detailing the number of people whose identities were potentially compromised by data breaches since the ChoicePoint fiasco in February 2005.


Shame on all of us!

June 28, 2006

Is government mandated security a good thing?

Jerri Ledford blogged over at Computerworld today about the problems with government-mandated security, based upon some of the bills now pending in Congress. It was based on another CW article that detailed some of these bills. It is obvious that the drums are being beaten very loudly around data loss, and the media, if not the public, is calling for something to be done about this. So to the rescue come those knights in shining armor, your friendly congressmen and senators. As Jerri points out, this is not a panacea and in fact may not even be a good thing. My fear is the definition of what they want companies to do: "maintain strong internal safety protections for the data they hold". What exactly does that mean? It is just way too wishy-washy for me. Without some definition around what this means, I would rather see no bill at all.

The other important thing to remember is that whatever Congress passes will supersede the many state laws currently on the books. This could in fact water down some of the better laws currently in effect in places like NY and California. I hope this does not turn into another well-intentioned effort by naive, non-tech-savvy politicians that actually hurts the efforts of those seeking to make our IT resources more secure. I do agree with Jerri that there will always be some who seek to avoid these rules and those who will just go for the "checkbox" to comply. You should write your local lawmakers to weigh in on this issue.

June 25, 2006

Security Roundtable Podcast Appearance

I wrote last week about my appearance as a special guest on the Security Roundtable Podcast. Today, the episode was posted on the website. It sounds pretty good considering it was a conference bridge over phone. I appear with Michael Santarcangelo of the Security Catalyst and Martin McKeay from the Network Security Podcast. You can listen directly to the MP3 here. It was a lot of fun doing this show and it gave me lots of ideas for my own podcast, which I am working on episode 4 of right now.
Thanks to Michael and Martin for having me on.

June 23, 2006

I blogged my future

Back in early March, I wrote about the big debit card breach that had taken place and the cover-up by the credit card companies surrounding it. Of course, by now we have learned that it seems OfficeMax was keeping PINs from debit cards (among other information they should not have been keeping), and somehow that information was hacked. Well, in an ironic twist, I received a new ATM card from Wachovia today, stating that according to VISA it was very possible my debit card information was compromised. Can you believe it only took them three and a half months to get me a new card? I guess they just didn't think it was that important.

Back when I wrote this, it never occurred to me that I use OfficeMax and I was writing about the compromise of my own debit card.  Now I have to go back over the last 3 months and really make sure there are no bogus charges there.  I am looking forward to reading about the fine OfficeMax had to pay for this incident.

June 05, 2006

Besides security, another reason to be wary of Hotels.com

In writing about Hotels.com's loss of customer data due to an Ernst & Young laptop being stolen, I forgot to write about my recent, first and last experience with Hotels.com. I needed a hotel in NYC for one night. Not wanting to spend 300 to 400 dollars, I went to the usual places like Orbitz, Expedia and Hotels.com. I booked a room at the Park Central Hotel on hotels.com. It was a superior king bed room with flat panel TV, very spacious, yada, yada, yada. Looked good and was just $179.00 plus tax, coming in at just over $200.00. I had to pre-pay to hotels.com directly. I had never heard of this hotel before, so though it was rated 3 and 1/2 stars I did some searching on the web about it anyway. I found out that if I had booked direct on their website, I could have had the same deal for $159. I chalked it up to experience and headed to the airport.

I arrived at the hotel around 10 PM that night, gave my name and reservation number and was given my room key. Getting up to my room, I had two small double beds and a crappy little TV, and I was not a happy camper. I went back down to the front desk, asked for the manager and was told that when you buy through hotels.com, the fine print says they do not guarantee the bed or smoking preference of the room you get. I should be lucky I was not in a smoking room. Well, after a brief "discussion" with the manager, they put me in the king bed room I thought I was getting. Of course I could not get a receipt, as that had to come from Hotels.com directly. The manager said they always have problems with people from that site.

So I paid 20 dollars more than I should have, had to fight for the room I was supposed to get and didn't get a receipt, all because I went the easy way with hotels.com. It will be the last time I use them. Now let's just hope my credit card info is not stolen, as that will be the cherry on the cake!

June 03, 2006

Hotels.com data theft

I just read today that the laptop that was stolen from an Ernst & Young employee a while back contained nearly a quarter of a million names, addresses and credit card numbers of customers of Hotels.com. The laptop was stolen out of a locked car (oh OK, I guess that means it was not their fault, not!). Hotels.com is sending out letters to those whose data was stolen. Again I ask, what is that data doing on a laptop? Why can't that data be accessed via a secure network connection from a server kept in a safe, secure location?

E&Y, who is really the culprit here, now says this won't happen again, as they are encrypting all data stored on their laptops. Great, some data-at-rest encryption company just closed a nice sale. But that does not go to the heart of the issue: that kind of data does not belong on a laptop. When I give my data to a supposedly secure web site vendor, or any vendor for that matter, I do not expect that data to ever be put on some laptop and moved around in a car or briefcase, taken home or anywhere else for that matter. I just don't see a good reason for it. We have enough network access to make this a fact. I am tired of reading about these kinds of data losses.

April 25, 2006

Good resource on Identity Theft

I came across a good site on identity theft information while reading the Daily Rant from Security Incite. The site is called Identity Theft Spy and the URL, of all things, is http://www.identitytheftspy.com. Good resource with some good articles. I am adding it to my feed reader and I recommend you add it to yours.

April 21, 2006

Congress preempting states ID theft laws

Bruce Schneier has an excellent article up on his blog that originally appeared in Wired.com. It is a perfect example of how, even with the best of intentions, our lawmakers can sometimes do more harm than good, as well as how special interests and the lobbyists are insidious in gutting even the most benign laws. It deals with Congress's desire to pass a nationwide law making it mandatory that companies who keep confidential information must disclose breaches of this information to those possibly affected. Seems simple enough, right? So simple in fact that at least 23 states have similar laws on the books, including California, which was first, NY, NJ, etc. Well, in the case of the federal law, first the lobbyists attacked what is defined as confidential information. By the time they were done, the unique combination of data that would constitute a loss of confidential data was so narrow that most data breaches would not qualify. Next they went after the definition of "breach of security". Again, by the time they were done, many instances of what you and I would consider a breach were not a breach under the law.

Here is the worst thing of all about the current bill. It would preempt and render obsolete all of the effective state laws currently on the books. So all of these state laws would be washed away by a watered-down, ineffective federal law that was gutted by the lobbyists of the special interests. This is why it is so hard for our federal government to be effective in today's "money talks" environment. This bill is not yet a law. There are other bills, some of which are even worse, on the table as well. I urge you all to do what you can to try and let your lawmakers know how important this issue is.

By the way, if you are not familiar with Bruce Schneier, besides being a well-known security expert, he is also an accomplished author. His Beyond Fear is a great read on security in today's environment.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.
