Monday, December 23, 2013

A Target-ed Compromise

The media alerted consumers after learning that credit card information used for purchases at Target stores in the United States between November 27 and December 15 had been compromised.  Target is in the early stages of its investigation, so details about how the data was retrieved are not being made public.

Certainly this is not the first time consumer data has been stolen from consumers or from retailers collecting data.  In 2007, it was announced that over an 18-month period 90 million credit card records were funneled out of TJ Maxx stores.  The fundamental issue for TJ Maxx was insecure wireless connections used to transfer credit card data.  In September of 2012, Barnes & Noble discovered that hackers had tampered with one credit card PIN pad in each of 63 stores.  The hackers at Barnes & Noble were able to capture credit card information from the altered credit card machine in each store.

In both cases consumers had no way to protect their data.  The credit card industry has worked to protect consumer confidence by instituting protections that retailers must follow.  Those protections are set forth by the Payment Card Industry (PCI) in the Data Security Standard (DSS).  PCI DSS standards are mandatory controls that govern how cardholder information must be handled.  They exist to protect consumers' information.

Beginning January 1, 2014, an enhanced version of the security requirements will be implemented for any retailer accepting credit cards.  The new requirements in version 3 of PCI DSS include changes that can be categorized as: (1) clarification of an existing requirement, (2) additional guidance on an existing requirement and (3) an "evolving" requirement (think of this as a newly determined requirement).

Given the state of the Target breach, many consumers may be interested in the enhanced PCI DSS standards to see how the new requirements will provide better protection to consumers. 

According to an article in Information Security magazine, the specific new requirements in PCI DSS include:
  • Req. 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected.
Malware is a major area of change.  Merchants are required to identify and prevent malware threats for any connected system, even if it typically is not a target of malware.  Additionally, merchants must ensure that anti-malware and anti-virus software do not allow the end user to disable the protections.
  • Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives.
Passwords must be complex.  Smart.
  • Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer.
  • Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access.
  • Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  • Req. 12.9 - for service providers, provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.2.
Merchants often work with vendors to manage their PCI compliance and credit card systems.  Those credit card vendors work with many merchants.  In the past at least one vendor used the same password to interact with multiple merchants.  If that one password was compromised, all merchants were vulnerable.  The new standard requires all vendors to use unique passwords with each merchant.
  • Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
  • Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Physical protection requirements for point-of-sale equipment now include controls on which personnel can access card equipment and physical protection of credit card hardware against tampering and substitution.  It looks like the Barnes & Noble breach influenced this requirement.
  • Req. 11.3 and 11.3.4 - implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective.
The enhanced requirement for penetration testing should improve security.  Penetration testing involves testing a computer system, network or application to find vulnerabilities that an attacker could exploit.  A defined penetration testing methodology must now be followed (see NIST SP 800-115 for more information).  In addition, cardholder data must be segmented from other areas of the network for greater protection.
  • Req. 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism.
This requirement might have caught the changes to the PIN pads at Barnes & Noble had it been implemented prior to the Barnes & Noble hack.


Another change in the new standard is that version 3 requires continuous monitoring, where version 2 required an analysis to be completed once a year.  The Payment Card Industry is clearly learning from mistakes that retailers and merchants have made (or discovered) in the past.




References:
http://www.reuters.com/article/2012/10/24/us-barnesnoble-breach-idUSBRE89N05L20121024
http://searchsecurity.techtarget.com/tip/PCI-DSS-version-30-The-five-most-important-changes-for-merchants

Monday, December 9, 2013

Handy features in Windows 8.1

Windows 8 rolled out in August of 2012.  Windows 8 was updated to version 8.1 (a.k.a. "Blue") in October of 2013.  Microsoft has not disappointed users; there is a lot to learn with this new operating system (OS).  I recommend that users upgrading to Windows 8 take a class to learn how to use the new OS.  For those who have already taken the plunge, I will go through some notable features that you may not be aware of:

1.  Go straight to the desktop when you start Windows.

From the desktop right-click the taskbar and select "Properties".  Click the Navigation tab.  In the Start screen section, check the box next to "When I sign in or close all apps on a screen, go to the desktop instead of Start".


2.  Quickly shut down Windows 8.1 from the Start button. 

Right click the Start button.  You will see a menu that includes "Shut Down" and "Restart".  This is a new feature in Windows 8.1.


3.  Silence the notifications from Windows

Windows 8 includes an app notification feature that plays a sound when you get a message.  This can be annoying if you're in a meeting.  Use the Quiet Hours setting to prevent the sound from playing.  Click Settings, Change PC Settings, Search and Apps, then Notifications.  Voilà!



4.  Look, no hands!

Windows 8.1 has a "hands free" feature in the recipe app called Food & Drink.  Those with touchscreens will love this feature.  To move to the next page you simply need to wave your hand in front of your webcam (after you have allowed the app to use your webcam).


5.  Internet Explorer 11 strips away visual clutter (including advertisements)

Internet Explorer 11's "Reading View" feature removes visual clutter from the article you're reading; open it by clicking the open-book icon on the right side of the address bar.

6.   Automatically update apps

Launch the Windows Store then open the Settings charm.  Select App Updates.  Turn "Automatically update my apps" to Yes.


7.  Resize the application tiles (individually or as a group)

Right click on an empty part of the Start screen.  Click Customize from the bar at the bottom of the screen.  Select one (or more) apps.  You can now move or resize their tiles or even uninstall the app (or apps).

8.  Access the Camera app from the lock screen (especially handy if you have a touch screen).

Similar to the iPhone, it is possible to access the camera from the lock screen.  This is a great feature for Windows 8.1 laptop users. 



9.  Backup to the SkyDrive

Click Settings, SkyDrive, Sync to sync your app list, Start screen layout and Internet Explorer 11 tabs.



10.  Encrypt (if you have the right hardware)

In order to use encryption your PC (or tablet) needs to have Secure Boot support, a Trusted Platform Module (TPM) 2.0 and Connected Standby.  Click PC and Devices, then PC Info.  If your hardware meets the standards you will see the "Device Encryption" option under Change Product Key.
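If you would rather check the three prerequisites from a command line than hunt through PC Info, the following PowerShell script is an added example (not from the original post) that reports Secure Boot, TPM version, Connected Standby and the current protection state of the system drive. It assumes an elevated prompt and that the `powercfg /a` output names Connected Standby with the word "Connected".

```powershell
# Added example, not from the original post: report whether this PC meets the
# Windows 8.1 Device Encryption prerequisites (Secure Boot, TPM 2.0, Connected
# Standby) and whether the system drive is already protected.
# Run from an elevated PowerShell prompt: Confirm-SecureBootUEFI and the TPM
# WMI class both require administrator rights.

function Get-DeviceEncryptionReadiness {
    $result = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, so an
    # exception means "not supported", not a script error.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false
    }

    # TPM: Win32_Tpm.SpecVersion is a comma-separated string whose first field is
    # the TPM specification version, e.g. "2.0, 0, 1.16" or "1.2, 2, 3".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.TpmPresent     = $true
        $result.TpmSpecVersion = $spec
        $result.Tpm20          = ($spec -eq '2.0')
    } else {
        $result.TpmPresent     = $false
        $result.TpmSpecVersion = $null
        $result.Tpm20          = $false
    }

    # Connected Standby: powercfg /a lists the sleep states the firmware supports
    # before a "not available" section that lists the rest. Assumption: the
    # supported section names Connected Standby with the word "Connected"
    # ("Standby (Connected)" on 8.1, "... Network Connected" on later builds).
    $powerText = (powercfg /a 2>$null) -join "`n"
    $available = ($powerText -split 'not available')[0]
    $result.ConnectedStandby = [bool]($available -match 'Connected')

    # Device Encryption is built on BitLocker. Get-BitLockerVolume is only
    # present where the BitLocker module is installed, so probe for it first.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $sys = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.SystemDriveProtection = [string]$sys.ProtectionStatus
    } else {
        $result.SystemDriveProtection = 'BitLocker module not available'
    }

    $result.MeetsPrerequisites = $result.SecureBoot -and $result.Tpm20 -and $result.ConnectedStandby
    [pscustomobject]$result
}

Get-DeviceEncryptionReadiness | Format-List
```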


My next step is to get started with my new Windows 8 machine.  I am anxious to start using the new features in Windows 8.1.

Which features do you like best in Windows 8?


Tuesday, December 3, 2013

Credible Sources of Security Information


Security professionals should create a list of sources to gather information on issues such as threats, vulnerabilities, updates and security news.  Over the years I have found several resources that have provided me a wealth of information and in some cases even provided me with some much needed humor.  Here are a few of the sites that you might want to check out:


WEB REFERENCES

Naked Security (available on the web at http://nakedsecurity.sophos.com/ or via Twitter feed) provides information on issues related to computer security, including news, opinions and advice in the United States and abroad.  The information posted contains both facts and opinions.  The information is generally well written and I have found that the references are current and factual.  I follow Naked Security on Twitter to ensure that I have the latest information.
The Department of Homeland Security (DHS) provides a daily report of security information relating to a variety of industries including: Production Industries; Sustenance and Health; Service Industries; and Federal and State.  This report is available to anyone with internet access.  The report can be downloaded from http://www.dhs.gov/dhs-daily-open-source-infrastructure-report. DHS reports are available for a period of 10 days before they are replaced.  Sources for information are listed so the reader can verify posted data. 
SC Magazine provides a wealth of information.  URL:  http://www.scmagazine.com/.  The information provided includes current news, blogs and white papers.  I have used information from the site as references and have not been disappointed by the information posted on the website.  SC Magazine also publishes a magazine.

Kim Komando is a wonderful resource for information. She writes for USA Today and she has a website (URL: http://www.komando.com). Her style of writing is informative for people with a variety of levels of experience with security information. She is my hero.  I appreciate that she has the ability to provide information in a way that most people can comprehend.  I often encourage users who proclaim they don't understand technology to subscribe to her email list.
Symantec is an excellent source of information with regard to virus and malware threats.  Symantec's website is available at http://symantec.com.

Verizon is another great source of information, namely for its annual Data Breach Investigations Report.  The report focuses on threats to information security around the world.  Download the 2013 report at: http://www.verizonenterprise.com/DBIR/2013/.

GROUPS
There are several technology groups that meet where members (and in some cases guests) can gain knowledge and meet other security professionals:
InfraGard is an organization founded by the FBI that promotes the sharing of information by its members.  The organization vets members prior to allowing them to join and requires members to follow an established code of ethics.  Vetting membership and requiring members to agree to the code of ethics creates a sense of confidentiality so data can be shared.  InfraGard provides a wealth of information to members in face-to-face chapter meetings as well as through its secure website.  The InfraGard website is available at: https://www.infragard.org/
NebraskaCERT is an organization in Omaha whose goal is to share information with individuals interested in Information Security.  The group hosts meetings throughout the year to provide information or introduce information to security professionals.  The website to gather information is:  http://www.nebraskacert.org/

You may wonder how security professionals determine which information is credible.  My best advice is to verify information before acting on it.  Check with multiple sources to validate and verify information. 

Monday, November 25, 2013

Threats


This week's post will focus on computer threats. This may be a good time to define the difference between a vulnerability, threat and risk as they can easily be confused:

THREAT:  Can be thought of as an attack, or something that exploits a vulnerability (either intentionally or unintentionally), that may result in damage to or unauthorized access to data or destroy an asset.  A threat could be an unencrypted computer that is lost.  The person who finds the PC could use one of a number of programs to access the machine without knowing the password.

VULNERABILITY:  A weakness that can be exploited by a threat to gain unauthorized access to an asset.  Examples of a vulnerability could be the absence of encryption on a laptop or a misconfigured router allowing all traffic in and out of an organization.

RISK:  "Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation" (Guide for Conducting Risk Assessments, 2012).
 


This diagram of threats, vulnerabilities and potential risks may make these terms easier to understand:

I hope this helps us all understand the differences between the terms so we all use the terms correctly.


References:

Guide for Conducting Risk Assessments. (2012, September). Retrieved from National Institute of Standards and Technology Special Publication Series: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Maniscalchi, J. (2009, June 26). Threat vs Vulnerability vs Risk. Retrieved from Digital Threat: http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/



Wednesday, November 6, 2013

The NSA is out of Control Spying on Americans



The NSA has abused the rights of the citizens by illegally intercepting, storing and reviewing their private communications.  The NSA has been secretly granted authority to collect data (defined as voice and electronic information traveling across the Internet) through the Patriot Act in October of 2001.  In March of 2004, a Justice Department review declared that the collection of this data was illegal.  The program was then suspended for some time.  In 2007 the program was authorized to re-start.  Trouble erupted in 2009 when the Justice Department acknowledged that they had collected telephone and other electronic data in a way that exceeded legal limitations.  Later, in October of 2011, the Foreign Intelligence Surveillance Court (FISA) “ruled that the NSA violated the Fourth Amendment at least once” (Lee, 2013).  The ruling associated with the October 2011 violation is secret so specific facts about the ruling are unknown, however many suspect that the NSA defeated some aspect of the minimization rules (Lee, 2013).
            The NSA not only illegally intercepts and secretly stores the telephonic and electronic data of people in the United States, it also requests that companies like Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple provide personal information through the use of court orders (Lee, 2013).  Individual users of these services who have configured their accounts to restrict access have no way of knowing that their data is being intercepted and analyzed.  This illegally collected data is accessed illegally and may be used against them without their knowledge.
            The collection of information from these companies has potentially injured their reputation with users who expect them to protect their data and respect their privacy.  This information has only recently become public.  Facebook has fought off the notion that they had a choice on whether to provide the data, has made public attempts to assure their flock that they have acted responsibly, and says they have been vigilant in requesting that the government publicize the activity. Their newsroom report states that they have urged the government “to allow companies to divulge appropriate information about government orders and requests that we receive, in a manner that does not compromise legitimate security concerns” (Ullyot, 2013).  Facebook pledges that they will vigilantly protect their users’ data but also states that they have complied with between 9,000 and 10,000 requests from all government entities between June and December of 2012 (Ullyot, 2013).
            It’s time to look back at this secret activity being handled by the NSA and see how this activity is in direct violation of the Bill of Rights.  The activity violates the First Amendment, “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech…” (The Bill of Rights).  The collection of data has prohibited our exercise of free speech by collecting and examining the data.  The First Amendment further prohibits the restriction of a citizen's ability “…to petition the Government for a redress of grievances” (The Bill of Rights). Normally citizens can challenge statutes for constitutionality in court; however, the activity of the NSA comes from a secret law that cannot be challenged in court.  Furthermore, the FISA court is not a real court; it is an administrative body that listens only to the government and operates in total secrecy.
            The Fourth Amendment prohibits warrantless search and seizure.  The NSA does not obtain a warrant which would mandate the accused appear before a federal judge.  The process is secret and does not allow the accused an opportunity to represent himself.  In addition, the NSA is permitted to provide only vague assertions that do not demonstrate that the target is a spy, terrorist or any other sort of criminal (Sullum, 2013).      
            The Fifth Amendment is violated because citizens are not provided protection against self-incrimination.  The NSA saves and uses evidence they collect, presumes guilt then investigates.  The individual does not even know he is being investigated.  The Fifth Amendment states “no person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury … nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation” (The Bill of Rights).  The NSA’s collection and processing violates the Fifth Amendment.
            The collection and use of data is a violation of the Sixth Amendment as a target is not allowed to confront the NSA and has no right to trial. The Sixth Amendment states that the accused shall “be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence” (The Bill of Rights).  The practice of the NSA does not permit an accused person to even know that he is being observed and analyzed.  
            The Ninth Amendment, “The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people” prohibits the government from restricting freedoms that are not explicitly restricted by the Constitution (The Bill of Rights).  The government may not declare privacy a non-right, which is what they are doing.
            The NSA is permitted to intercept communications if at least one party to the conversation is outside the United States.  Since the requirement specifies only that this discrimination occur, the NSA is allowed to retrieve bulk information and must then sort it to remove disallowed information.  In some cases this determination cannot be made without the intervention of a human analyst (Lee, 2013).  Interestingly, this counters claims that the metadata collected is analyzed using a mathematical formula rather than through human intervention (Saletan, 2013).  When communications are analyzed by humans there is great potential for illegal activity, including the ability to plant evidence or wrongly accuse an innocent person.
            How many lives or potential terrorist attacks have been prevented by the illegal search and seizure of information by the NSA?  During the House Intelligence Committee hearing on June 18, 2013, General Alexander said, “The information gathered from these programs provided the U.S. government with critical leads to help prevent over 50 potential terrorist events in more than 20 countries around the world” (Elliott & Meyer, 2013).  The NSA has been able to substantiate the truthfulness of only four of the 50 threats.  Of the four known instances where NSA data was used to solve crimes, none relied exclusively on NSA data to solve the case.  In the case of Basaaly Moalin, who was convicted of sending $8500 to Somalia to support the terrorist group that bombed a mall in Kenya, the case could have been solved by simply getting a court order for the phone records in question.  The case involving Chicagoan David Coleman Headley, who helped plan the 2008 Mumbai terrorist attack, used tips from British intelligence to solve the case.  The case of Najibullah Zazi, the man who plotted to bomb the New York subway system, did not require the warrantless powers of the NSA to find him.  The FBI has authority to monitor email accounts of known terrorists, which it had been doing.  The last case, involving a plot on the New York Stock Exchange, did not result in prosecution (Elliott & Meyer, 2013).  These cases may cause legal problems for the United States when those accused file lawsuits.
            The collection processes are illegal and they disregard the protections afforded to Americans in the Bill of Rights.  The unrestricted collection of data has not been demonstrated to actually prevent terrorism or other crimes.  The policy was created and executed secretly without disclosing information to the American people.  The founders of our country must be spinning in their graves.  The authority of the NSA to illegally collect data must be reversed and controlled.
References
Elliott, J., & Meyer, T. (2013, October 23). Claim on “Attacks Thwarted” by NSA Spreads Despite Lack of Evidence. Retrieved from Pro Publica: http://www.propublica.org/article/claim-on-attacks-thwarted-by-nsa-spreads-despite-lack-of-evidence
Lee, T. B. (2013, June 12). Here’s everything we know about PRISM to date. Retrieved from The Washington Post: http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/12/heres-everything-we-know-about-prism-to-date/
Saletan, W. (2013, June 6). Stop Freaking Out About the NSA. Retrieved from The Slate: http://www.slate.com/articles/news_and_politics/frame_game/2013/06/stop_the_nsa_surveillance_hysteria_the_government_s_scrutiny_of_verizon.html
Sullum, J. (2013, November 1). Jacob Sullum: Broad spying law worthy of scrutiny. Retrieved from Omaha World Herald: http://www.omaha.com/article/20131101/NEWS08/131109960/1677
The Bill of Rights. (n.d.). Retrieved from http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html
Ullyot, T. (2013, June 14). Facebook Releases Data, Including All National Security Requests. Retrieved from Facebook : http://newsroom.fb.com/News/636/Facebook-Releases-Data-Including-All-National-Security-Requests