Monday 29 March 2010

Remote Robber does Local time

Last week, Albert Gonzalez was sentenced to 20 years in prison for his part in the hacking of more than 90 million credit and debit card numbers from TJ Maxx and other retailers. What makes this sentence unique is that it fits the severity of the crime. Gonzalez and his conspirators went after financial data with the intent to use it fraudulently. His knowledge of enterprise network weaknesses and how to exploit them made him no different from a common bank robber who plans a heist. Unlike the common bank robber, however, Gonzalez had technology that shielded his involvement and made him anonymous – allowing him to rob remotely.

We can expect these types of attacks to continue, given the potential reward. With many of the perpetrators geographically dispersed, nations need to have a no-tolerance policy toward this type of attack and be ready to do whatever it takes to bring the parties involved to justice. In the case of Gonzalez, the sentence is a good first step and should prove a deterrent.

Monday 22 March 2010

The IC3 report -- an exponential rise in identity theft

The IC3 issued its annual online crime report, which reported that losses almost doubled from 2008 to 2009. In 2009, the losses totaled $560m (£371m) vs. $265m (£176m) in 2008. What is interesting to us in the security industry is an even greater increase in identity theft between the two years.

In 2008, identity theft accounted for 2.5 percent of the claims; in 2009, the number is 14.1 percent, an increase of 564 percent. We should note that in 2009 the IC3 issued a new complaint classification system that consolidated the number of categories from 157 to 79. However, we do not believe that the smaller number of categories had a marked effect on the increase in identity theft cases.

Rather, what is happening is that the online criminal is progressing from one-off fraud schemes to more sophisticated stealing of personal data for increased and prolonged gain. Personal data is a far more valuable commodity and over the past year, these US criminals have both realized this and found ways in which to obtain and use this data. The Internet provides a channel that can easily be manipulated to appear reputable, while also allowing the criminal crucial anonymity.

For the US consumer, the stakes are higher, in that identity theft is a far more devastating crime than one-off cyber-stealing. The consumer should be on alert and vigilant whenever he is sharing personal information.

Thursday 11 March 2010

A truly international breach

News is breaking of a breach at HSBC affecting 24,000 customers with Swiss bank accounts. The implications of this breach are global, and the press is speculating that the breach could expose those using the accounts to avoid taxation in their home countries.

French authorities have identified a former IT employee of a Swiss subsidiary as the suspect and allege that the former employee obtained the information between late 2006 and early 2007. Initially, when HSBC discovered the breach, it thought it affected fewer than 10 customers. The reality is that approximately 15 percent of the bank’s customers could have been affected.

From a security standpoint there are a number of things that make this newsworthy. First, the breach was allegedly committed by an insider, and insider theft is among the greatest dangers to financial data. Second, it appears that the suspect was attempting to sell the data, with speculation that he was offering the information to countries to identify tax evaders. Third, there is the numbers question: how could HSBC initially identify “fewer than 10” affected customers and then find that the breach in reality numbered in the tens of thousands? Finally, there is the question of sovereignty. France is one country that has access to some of the data. It has promised to turn the data over to Switzerland, but the plain fact is that there is no clear-cut law that would prohibit France from using the data against citizens who were using Switzerland to avoid taxation.

With truly international data breaches, how long will it take to get truly international legislation?

Monday 8 March 2010

Even Schneier agrees: “It’s all in the database”

It’s official -- credit card security is no longer simply about WWII-style “encryption” defenses; “it’s all in the database”. So says the information security industry’s “rock star”, Bruce Schneier. Bruce was being interviewed at this year’s RSA conference and was asked about confidence in online shopping now that some “doubts” have arisen over SSL encryption.

True to form, Schneier went straight to the heart of the matter, stating that the problem is not “eavesdropping” but rather hacking the “endpoint”. It is clear that the database is the endpoint holding the potent information – including credit card information – and this remains the lucrative target for hacking.

Too many easy routes to the database exist – usually due to poor practice. Attackers who compromise databases get more than the data held inside. They get a completely privileged jump-off point, deep within the corporate network. This is what Heartland discovered – after 130 million card details left. I am sure that they would agree with Bruce that “It’s all in the database” – except when a complete copy has escaped!

Monday 1 March 2010

Check-in to your hotel – and let hackers check-out with your credit card

According to reports, sometime between October 2009 and January of this year, hackers broke into databases associated with Wyndham Hotels and Resorts (WHR). This is the third time that the hotel chain has suffered a data breach within a year, and this time the hackers stole customer names and payment card information. What the hotel is saying through an open letter and associated FAQs raises more questions about how exactly this company is safeguarding all data and what rights (if any) customers have to be told of data theft affecting their accounts.

In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its systems and discovered the breach. In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step for the chain would be to notify all of the owners of the compromised data, which the hotel has identified.

What Wyndham did instead was to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals, so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required. The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his or her data has been stolen.

As for the hotel’s mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI compliance does not equal safe data.