Friday Summary - November 20, 2009
By Adrian Lane
Ironically, I was calling to activate my new credit card yesterday – as the number was considered compromised by BofA – when I read about the credit card scam in Spain.
Very little information is coming out about the EU Credit Card Breach. Seems to be Visa specific; some 100k cards are being recalled in Germany, and police efforts are focused in Spain. And it seems every news agency and security blog in the country is reliant on this tiny amount of data provided by the BBC. Given this is a multi-country effort, I would have bet some tangible news would have slipped out somewhere, but nothing more than these nuggets of almost nothing yet.
On the home front it is pretty much the same: no news of what happened. I was pretty sure that BofA recalling the Visa card meant a serious breach because this is a card I have not used in more than a year. Yes, I am making some assumptions here, but this was not an issue with skimming at a local restaurant or gas station. So someone was breached; going back through two years of records of very limited use, as there are two large firms who had this number in their databases (without my consent) and I am guessing one of them leaked it. This is not directly related to the Citigroup/BofA breach. I was trying to find out what their disclosure responsibilities were here in Arizona, but you could drive a big truck full o’ sensitive data through the holes in the Breach Notification Bill. And the BofA Disclosure Page basically says “we don’t know ‘nuthin ‘bout ‘nuthin’”, but don’t worry, your money will be returned to you. Let’s hope the Europeans get more data than we do.
On a more lighthearted note, this video is pretty funny, but I bring it up because I want a third opinion. Do you think a crime was committed? The Mogull pointed something out to me after I watched this … that the girl in the white shirt appears to shoplift in the video. I was skeptical but I think he’s right. At 2:14 in, the girl drops a shopping bag off her shoulder, grabs something off the table, and places it into the bag. She then shoves what looks like a pad of paper on top, pulls the strap back on her shoulder, dancing the entire time. She even performs this maneuver the moment the rest of the ‘dance troupe’ has their backs turned. She is one of a few without a badge and so I assume she was not an employee. Anyway, the whole thing is a little like a car wreck … it’s hard to look away.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s post on A Peek at Transparent Database Encryption.
- Rich quoted on InZero launch.
- The dog ate my podcast. No, really! Sorry Martin!
- Adrian on Encryption ‘Gotchas’ that hinder implementation. (Podcast)
- Rich and Adrian on Truth, Lies and Fiction with Data Encryption.
Favorite Securosis Posts
- Rich: The Anonymization of Losses: A Market Forces Failure.
- Adrian: Why You Should Take the Adobe Flash Origin Issues Seriously.
- Meier: Microsoft Encryption and the Cloud
- Mort: Ur C0de Sux.
Other Securosis Posts
- What the Renegotiation Bug Means to You
- Critical Infrastructure, 60 Minutes, and Missing the Point
- Three acquisitions, two visions
- ADMP Market Acceptance
- Why Successful Risk Management is Still a Failure
- New Thoughts On The CIO Is Your Friend
Favorite Outside Posts
- Rich: Not security-specific, but lasers on fighter jets!
- Adrian: Not really a single post, but a collection of posts on Microsoft Azure. It’s probably just me, but this feels like 1997, when MS did an about-face on their acceptance of the Internet … only this time they are a little late to the Cloud party.
- Mort: Google Books Settlement 2.0: Evaluating the Pros and Cons.
- Meier: Whose customers are they?
- Pepper: Researcher busts into Twitter via SSL reneg hole.
Top News and Posts
- Verizon admits employees sold private data.
- Most security products fail to perform.
- Good analysis by Larry Walsh on Fortinet IPO and some market risks, and for those of you tracking these things, the current stock price.
- Incite Rides Again.
- NIST updates infosec guidelines.
- Four in UK sentenced in connection to banking trojan.
- Inside the botnet hunters.
- Metasploit 3.3 released.
- Hoff launches A6 working group for cloud audits/assessments.
- Brazilian power company hacked (for real this time).
- Background checks in an iPhone app.
- Pentesting Adobe Flex Applications with a Custom AMF Client.
- Customers have a unique way of capturing your product’s nuances.
Blog Comment of the Week
It was hard to pick this week, but this week’s best comment comes from our own David Mortman, in response to David Meier’s post What the Renegotiation Bug Means to You:
Okay I tried it:
openssl s_client -connect ebay.com:443 -ssl2
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: D5F3FA4A3750154014CE495E96E36139
    Session-ID-ctx:
    Master-Key: 35F5ED93B6FC890AA84EBFCE849E9EE54919C8D3FA38D35F
    Key-Arg   : 63826612A872A6AD
    Start Time: 1258654301
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
So something thinks it can speak SSLv2; however, if I force my browser to use only SSLv2 it loops before dying, so there’s some business logic stopping it. On the other hand, Yahoo and Hotmail/Live.com both allow SSLv2 connections no problem, as do Twitter and Lenovo. Btw, so do Bank of America and Fidelity. So while clearly some folks are getting it (because of PCI?), there are some major players who don’t. Btw, even the security vendors don’t do it right: McAfee allows SSLv2-only connections (Symantec doesn’t), as does HiTrust (gotta love an organization dedicated to security that screws it up). And my all-time favorite, the IRS allows SSLv2 connections and has an invalid cert. So lots of potentially vulnerable sites, which in general make MitM attacks much easier, renegotiation bug or not.
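The manual check in that comment scales badly across a fleet of your own servers, so here is a small parser for `openssl s_client` output, added as an example here (not code from the comment or the original post), that pulls out the negotiated protocol and the certificate verify code and turns them into audit findings. Both samples are constructed to match the shape of s_client output, not real captures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples shaped like `openssl s_client` output (not real captures):
# ACCEPTED mirrors the SSLv2 session in the comment above; REFUSED is the shape
# printed when the server rejects the requested protocol version.
ACCEPTED = """New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Verify return code: 21 (unable to verify the first certificate)
"""
REFUSED = """SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

@dataclass
class SessionInfo:
    protocol: Optional[str]
    cipher: Optional[str]
    verify_code: Optional[int]
    verify_msg: Optional[str]

def parse_s_client(output: str) -> SessionInfo:
    """Extract negotiated protocol, cipher and certificate verify result."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", output)
    # No SSL-Session cipher line, or cipher 0000, means nothing was negotiated.
    negotiated = cipher is not None and cipher.group(1) != "0000"
    return SessionInfo(
        protocol=proto.group(1) if (proto and negotiated) else None,
        cipher=cipher.group(1) if negotiated else None,
        verify_code=int(verify.group(1)) if verify else None,
        verify_msg=verify.group(2) if verify else None,
    )

def findings(info: SessionInfo) -> List[str]:
    """Findings a defender acts on: weak protocol accepted, unverifiable cert."""
    if info.protocol is None:
        return ["no session negotiated (server refused the requested protocol)"]
    out = []
    if info.protocol in WEAK_PROTOCOLS:
        out.append(f"accepted {info.protocol} with {info.cipher}; disable it")
    if info.verify_code not in (None, 0):
        out.append(f"cert not verifiable: {info.verify_code} ({info.verify_msg})")
    return out
```

Feed it the captured output of `openssl s_client -connect host:443 -ssl2` (or `-ssl3`) for each host you operate; an empty findings list means the server refused the legacy protocol and presented a verifiable chain.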