Monday, December 23, 2013

A Target-ed Compromise

The media alerted consumers after learning that credit card information used for purchases at Target stores in the United States between November 27 and December 15 had been compromised.  Target is in the early stages of its investigation, so details about how the data was retrieved are not being made public.

Certainly this is not the first time consumer data has been stolen from consumers or from retailers collecting data.  In 2007, it was announced that over an 18-month period 90 million credit card records were funneled out of TJ Maxx stores.  The fundamental issue for TJ Maxx was the insecure wireless connections used to transfer credit card data.  In September of 2012, Barnes & Noble discovered that hackers had tampered with one credit card PIN pad in each of 63 stores.  The hackers at Barnes & Noble were able to capture credit card information from the altered credit card machine in each store.

In both cases consumers had no way to protect their data.  The credit card industry has worked to protect consumer confidence by instituting protections that retailers must follow.  Those protections are set forth by the Payment Card Industry (PCI) in the Data Security Standard (DSS).  PCI DSS standards are mandatory controls that govern how cardholder information must be handled.  The standard exists to protect consumers' information.

Beginning January 1, 2014, an enhanced version of the security requirements will be implemented for any retailer accepting credit cards.  The new requirements in version 3 of PCI DSS include changes that can be categorized as: (1) clarification of an existing requirement, (2) additional guidance on an existing requirement and (3) an "evolving" requirement (think of this as a newly determined requirement).

Given the state of the Target breach, many consumers may be interested in the enhanced PCI DSS standards, to see how the new requirements will provide better protection.

According to an article in the Information Security Magazine, the specific new requirements in PCI DSS include:
  • Req. 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected.
Malware is a major area of change.  Merchants are required to identify and prevent malware threats for any connected system, even if it typically is not a target of malware.   Additionally, merchants must ensure that anti-malware and anti-virus software do not allow the end user to disable the protections. 
  • Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives. 
Passwords must be complex.  Smart. 
  • Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer.
  • Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access.
  • Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  • Req. 12.9 - for service providers, provide the written agreement/acknowledgment to their customers as specified in requirement 12.8.2.
Merchants often work with vendors to manage their PCI compliance and credit card systems.  Those credit card vendors work with many merchants.  In the past at least one vendor used the same password to interact with multiple merchants.  If that one password was compromised, all merchants were vulnerable.  The new standard requires all vendors to use unique passwords with each merchant.  
  • Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
  • Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution 
Physical protection requirements for point-of-sale equipment now include controls on which personnel can access card equipment, and physical protection of credit card hardware against tampering and substitution.  Looks like the Barnes & Noble breach influenced this requirement.
  • Req. 11.3 and 11.3.4 - implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective 
The enhanced requirement will improve penetration testing.  Penetration testing involves testing a computer system, network or application to find vulnerabilities that an attacker could exploit.  A new penetration testing methodology must be followed (reference NIST SP 800-115 for more information).  In addition, cardholder data must be segmented from other areas of a network for greater protection.
  • Req. 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism
This requirement may have caught the changes to PIN pads at Barnes & Noble had it been implemented prior to the Barnes & Noble hack.
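As an added example (not from the original post or from any PCI document), here is a minimal change-detection mechanism together with the response process that Req. 11.5.1 calls for: it baselines the hashes of critical point-of-sale files and the PIN pad serial number on each checkout lane (so a substituted device, the Req. 9.9 concern, is caught as well), reports every deviation, and maps each alert to a severity and a required action. The file paths, serial numbers and contents are constructed sample data.

```python
import hashlib
def build_baseline(files: dict[str, bytes], devices: dict[str, str]) -> dict:
    """Snapshot file hashes (path -> sha256) and the PIN pad serial on each lane."""
    return {"files": {p: hashlib.sha256(c).hexdigest() for p, c in files.items()},
            "devices": dict(devices)}

def detect_changes(baseline: dict, files: dict[str, bytes],
                   devices: dict[str, str]) -> list[tuple[str, str, str]]:
    """One (kind, subject, detail) alert per deviation from the baseline; a swapped
    PIN pad (Req. 9.9) surfaces here as a changed serial number on its lane."""
    now, alerts = build_baseline(files, devices), []
    for path, digest in now["files"].items():
        old = baseline["files"].get(path)
        if old is None:
            alerts.append(("added", path, "file not in baseline"))
        elif old != digest:
            alerts.append(("modified", path, f"{old[:12]} -> {digest[:12]}"))
    for path in baseline["files"].keys() - now["files"].keys():
        alerts.append(("removed", path, "file missing"))
    for lane, serial in now["devices"].items():
        old = baseline["devices"].get(lane)  # None for a lane not in the baseline
        if old != serial:
            alerts.append(("device_substituted", lane, f"{old} -> {serial}"))
    return alerts

# The response process Req. 11.5.1 asks for: every alert kind maps to a severity
# and a required action, so an alert cannot be generated and then ignored.
RESPONSE = {
    "device_substituted": ("critical", "take lane out of service; verify serial against procurement records"),
    "modified": ("high", "match to an approved change ticket; if none, isolate the host"),
    "removed": ("high", "match to an approved change ticket; if none, isolate the host"),
    "added": ("medium", "review the new file; approve or revert"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

def respond(alerts: list[tuple[str, str, str]]) -> list[dict]:
    """Turn alerts into tracked tickets, most severe first."""
    tickets = [{"severity": RESPONSE[k][0], "kind": k, "subject": s, "detail": d,
                "action": RESPONSE[k][1]} for k, s, d in alerts]
    return sorted(tickets, key=lambda t: SEVERITY_ORDER[t["severity"]])

# Constructed sample: a baseline taken at deployment, then a later scan in which
# one POS binary changed and lane 3's PIN pad was swapped for a different unit.
BASELINE = build_baseline({"/opt/pos/pos.exe": b"pos v1.0", "/opt/pos/pos.cfg": b"tls=on"},
                          {"lane1": "SN-0001", "lane3": "SN-0003"})

def demo() -> list[dict]:
    return respond(detect_changes(BASELINE,
        {"/opt/pos/pos.exe": b"pos v1.0 + patched", "/opt/pos/pos.cfg": b"tls=on"},
        {"lane1": "SN-0001", "lane3": "SN-9999"}))
```

Running `demo()` yields two tickets, the substituted PIN pad on lane 3 first, then the modified binary; an unchanged scan yields none.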


Another change in the new standard is that it requires constant monitoring, whereas version 2 required an analysis to be completed only once a year.  The Payment Card Industry is clearly learning from mistakes that retailers and merchants have made (or discovered) in the past.




References:
http://www.reuters.com/article/2012/10/24/us-barnesnoble-breach-idUSBRE89N05L20121024
http://searchsecurity.techtarget.com/tip/PCI-DSS-version-30-The-five-most-important-changes-for-merchants

Monday, December 9, 2013

Handy features in Windows 8.1

Windows 8 rolled out in August of 2012.  Windows 8 was updated to version 8.1 (a.k.a. "Blue") in October of 2013.  Microsoft has not disappointed users: there is a lot to learn with this new operating system (OS).  I recommend that users upgrading to Windows 8 take a class to learn how to use the new OS.  For those who have already taken the plunge, I will go through some features I think are notable that you may not be aware of:

1.  Go straight to the desktop when you start Windows.

From the desktop right-click the taskbar and select "Properties".  Click the Navigation tab.  In the Start screen section, check the box next to "When I sign in or close all apps on a screen, go to the desktop instead of Start".


2.  Quickly shut down Windows 8.1 from the Start button. 

Right click the Start button.  You will see a menu that includes "Shut Down" and "Restart".  This is a new feature in Windows 8.1.


3.  Silence the notifications from Windows

Windows 8 includes an app notification feature that plays a sound when you get a message.  This can be annoying if you're in a meeting.  Use the Quiet Hours setting to prevent the sound from playing.  Click Settings, Change PC Settings, Search and Apps, then Notifications.  Voila!



4.  Look, no hands!

Windows 8.1 has a "hands free" feature in the recipe app called Food & Drink.  Those with touchscreens will love this feature.  To move to the next page you simply need to wave your hand in front of your webcam (after you have allowed the app to use your webcam).


5.  Internet Explorer 11 strips away visual clutter (including advertisements)

The "Reading View" feature in Internet Explorer 11 removes visual clutter from the article you're reading.  To use it, simply click the open-book icon on the right side of the address bar.

6.   Automatically update apps

Launch the Windows Store then open the Settings charm.  Select App Updates.  Turn "Automatically update my apps" to Yes.


7.  Resize the application tiles (individually or as a group)

Right click on an empty part of the Start screen.  Click Customize from the bar at the bottom of the screen.  Select one (or more) app.  You can now move or resize their tile or even uninstall the app (or apps).

8.  Access the Camera app from the lock screen (especially handy if you have a touch screen).

Similar to the iPhone, it is possible to access the camera from the lock screen.  This is a great feature for Windows 8.1 laptop users. 



9.  Backup to the SkyDrive

Click Settings, SkyDrive, Sync to sync your app list, Start screen layout and Internet Explorer 11 tabs.



10.  Encrypt (if you have the right hardware)

In order to use encryption your PC (or tablet) needs to have Secure Boot support, Trusted Platform Module (TPM) 2.0 and Connected Standby.  Click PC and Devices, then PC Info.  If your hardware meets the requirements you will see the "Device Encryption" option under Change Product Key.


My next step is to get started with my new Windows 8 machine.  I am anxious to start using the new features in Windows 8.1.

Which features do you like best in Windows 8?


Tuesday, December 3, 2013

Credible Sources of Security Information


Security professionals should create a list of sources to gather information on issues such as threats, vulnerabilities, updates and security news.  Over the years I have found several resources that have provided me a wealth of information and in some cases even provided me with some much needed humor.  Here are a few of the sites that you might want to check out:


WEB REFERENCES

Naked Security (available on the web at http://nakedsecurity.sophos.com/ or via Twitter feed) provides information on issues related to computer security, including news, opinions and advice in the United States and abroad.  The information posted contains both facts and opinions.  The information is generally well written and I have found that the references are current and factual.  I follow Naked Security on Twitter to ensure that I have the latest information.
The Department of Homeland Security (DHS) provides a daily report of security information relating to a variety of industries including: Production Industries; Sustenance and Health; Service Industries; and Federal and State.  This report is available to anyone with internet access.  The report can be downloaded from http://www.dhs.gov/dhs-daily-open-source-infrastructure-report. DHS reports are available for a period of 10 days before they are replaced.  Sources for information are listed so the reader can verify posted data. 
SC Magazine provides a wealth of information.  URL:  http://www.scmagazine.com/.  The information provided includes current news, blogs and white papers.  I have used information from the site as references and have not been disappointed by the information posted on the website.  SC Magazine also publishes a magazine.

Kim Komando is a wonderful resource for information. She writes for USA Today and she has a website (URL: http://www.komando.com). Her style of writing is informative for people with a variety of levels of experience with security information. She is my hero.  I appreciate that she has the ability to provide information in a way that most people can comprehend.  I often encourage users who proclaim they don't understand technology to subscribe to her email list.
Symantec is an excellent source of information with regard to virus and malware threats.  Symantec's website is available at http://symantec.com

Verizon is another great source of information, namely for their annual Data Breach Investigations Report.  The report focuses on threats to information security around the world.  The report    Download the 2013 report at:  http://www.verizonenterprise.com/DBIR/2013/.

GROUPS
There are several technology groups that meet where members (and in some cases guests) can gain knowledge and meet other security professionals:
InfraGard is an organization founded by the FBI that promotes the sharing of information by its members.  The organization vets members prior to allowing them to join and requires members to follow an established code of ethics.  Vetting membership and requiring members to agree to the code of ethics creates a sense of confidentiality so data can be shared.  InfraGard provides a wealth of information to members in face-to-face chapter meetings as well as information available from the secure website.  The InfraGard website is available at:   https://www.infragard.org/
NebraskaCERT is an organization in Omaha whose goal is to share information with individuals interested in Information Security.  The group hosts meetings throughout the year to provide information or introduce information to security professionals.  The website to gather information is:  http://www.nebraskacert.org/

You may wonder how security professionals determine which information is credible.  My best advice is to verify information before acting on it.  Check with multiple sources to validate and verify information.