Cybercrime: Same Crimes, Different Days

I was reading one of Alan’s posts over at StillSecure, based on the Lending Tree debacle. He starts with a bit I totally agree with:

This sort of stealing your competitors' information has been going on for decades, well before computers and cybercrime were around. However, this is a great example of some things not going out of style. Obtaining your competitors' information is a great motive, computers are just the container where the information is kept.

This is something I’ve been harping on for a while: the only new thing about cybercrime is the vector; nearly every crime we see has a counterpart in the physical world. Why? Because we’ve been screwing each other over since before we were technically humans. We’ve been taking things that don’t belong to us since long before we had any concept of commerce or society. That’s tens of thousands, if not hundreds of thousands, of years of criminal refinement. Nigerian 419 scam? It’s the Spanish Prisoner. DoS? It’s sabotage or a protection racket. You name the cybercrime, and I can name the pre-cyber crime.

Now how does this practically apply to how security professionals do their job?

Focus on the crime, not the tech. When you’re piecing together your defenses, monitoring for incidents, or cleaning up a mess, always remember that someone attacked for a reason. If they didn’t steal something, hijack an asset for their own use, trespass for the fun of it, or vandalize/break something, keep looking. Odds are you still haven’t figured out why they are there, and what the real target is, and your day ain’t over yet.

A person may change, but people don’t.

An Inconvenient Lack Of Truth

On Tuesday morning I’ll be giving a breakfast session at RSA sponsored by Vericept entitled Understanding and Preventing Data Breaches. This is the latest update to my keynote presentation where I dig into all things data breaches to make a best effort at determining what’s really going on out there. Since the system itself is essentially designed to hide the truth and shift risk like a token ring network, digging to the heart of the matter is no easy task.

On Friday Dark Reading published my latest column, which is a companion piece to the presentation. It’s a summary of some of the conclusions I’ve come to based on this research. As with much of what I write, I consider most of this obvious, but not the kind of thing we typically discuss. It’s far easier to count breaches and buy point solutions than to really discuss and solve the root cause. Here are a couple of excerpts, but you should really read the full article:

When I began my career in information security, I never imagined we would end up in a world where we have as much need for historians and investigative journalists as we do technical professionals. It’s a world where the good guys refuse to share either their successes or failures unless compelled by law. It’s a world where we have plenty of information on tools and technologies, but no context in which to make informed risk decisions on how to use them.

Call me idealistic, but there is clearly something wrong with a world where CISOs are regularly prevented by their legal departments from presenting their successful security programs at conferences.

1. Blame the system, not the victims, for identity fraud.

2. Blame the credit card companies, not the retailers, for credit card fraud.

3. Consumers suffer from identity fraud, retailers from credit card fraud.

4. We need fraud disclosure, not breach disclosure.

5. We need public root cause analysis.

6. Breach disclosures teach us the wrong lessons.

Based on the ongoing research I’ve seen, it’s clear that the system is broken in multiple ways. It’s not our failure as security professionals — it’s the failure of the systems we are dedicated to protecting.

While my presentation focuses on using what little information we have to make specific tactical recommendations, the truth is we’ll just be spinning our wheels until we start sharing the right information — our successes and failures — and work on fixing the system, not just patching the holes at the fringes.


Fighting Back Against Fraud; A True Story Part 2

Yesterday, Jay shared with us his experience with eBay fraud and his attempts to work with law enforcement. Today, he takes matters (legally) into his own hands and… well, you’ll just have to read the story…

Now in between these phone calls I had been pursuing the email address the seller used. The address was a hotmail account. I figured if it’s a hotmail account then they must be using a web browser to read it. I crafted an email linking in a 1×1 transparent gif image hosted on my web server. Sure enough, within a day I had a log entry from a dial-up IP address in Georgia. I really wanted to find out who this person was so I crafted another one, this time with logging information maxed. I also tried to include tantalizing messages, “The good and bad thing about the internet is that people never really know who they are dealing with.” and “Yum, AOL users are my favorite” after one of the connections was through an AOL proxy. That last one must’ve hit their pride because I got a response bashing AOL and my lame attempts.

Throughout this time I continued to keep in touch with John in D.C. Once I had identified that most of the IP addresses centered on the same town in Georgia, he remembered that some of the purchases on his credit card were shipped to an address in Georgia. Sure enough the address was in the same area as my IP addresses.

I didn’t want to give up on our justice system so I called the local police in Georgia. In spite of my efforts to educate them on computers, the internet and EBay, they thought I was insane. There was no amount of haggling, pleading or demanding that would get the long arm of the law to that address based on me calling.

Of course I kept my baiting emails going. I had sent seven unique image emails and by chance I had a window open watching the logs when the seventh popped up. I poked and prodded the host on that IP… Windows PC, this time with an EarthLink branded browser dialed up through UU-Net (backbone provider, commonly resold). With my scans running, I got on the phone to UU-Net support, told them the person connected *right now* on *this IP* had committed internet fraud. Of course they couldn’t tell me anything, but they put the record into a ticket and gave me the ticket number. They said they would release it if they had a subpoena. I called the Georgia police back with this information and they still thought I was crazy.

I had gotten the address John had from the purchases in Georgia. Google told us it was a secluded family home outside of town nestled in the woods. I converted the address to a phone number and John called. Turned out there was a teenager at the address whose father was very interested in our tales. The father was able to correlate the appearance of items with John’s fraud activity and yes, the father did use EarthLink.

Should I have known better? Absolutely. Could I have done things differently? Sure. But I learned several valuable lessons as a result. The biggest lesson was that there was no big brother out there for me, there wasn’t an internet beat cop willing to help. They just don’t exist for small time crime. In the end my friend ended up getting his money back since they never cashed the cashier’s check (I think they waited 6 months) and the police in Georgia still thought I was nuts.


Fighting Back Against Fraud; A True Story

As part of our Debix contest (which is open for a few more days, if you want to enter) one reader relayed a great story on how he was scammed on eBay, and fought back. With a little ingenious detective work, he… well, I’ll just let Jay tell his own story (split into two parts)…

Back in 2001 I worked at a small ISP; it was so small that I represented half of the staff. I had offered to help a friend and his wife buy a laptop. Money was tight for them, so after doing some comparison shopping we decided to snipe a laptop off of EBay.

Shortly after winning an auction on a good laptop, the seller sent an email with a story about his brother having financial problems. It was written inconsistently and I couldn’t tell if this guy was lying or just a bad writer. The seller asked that I send a cashier’s check to his brother in Indiana. I had gotten a great price on the laptop for my friend, so greed won out over logic, but my warning lights were flashing. After a few more emails I sent the check and communication stopped. I waited for a few silent days before I went back to EBay. It turns out EBay had (and has) this great service where you can look up the account information of a seller. EBay provided the name and address of a person living just outside of Washington D.C. With the help of a reverse lookup, that led to a phone number which brought me to my first of many interesting phone calls.

I reached the seller, who we’ll call John, on the phone. After an awkward opening, I learned that John had been battling identity theft and had nothing to do with the EBay listing. He’d had fraudulent credit card charges from online purchases. He was just as interested in finding these folks as I was… I was stuck before I began.

I had two leads, the email address and the address in Indiana where I sent the check. I used Google maps to find the Indiana address. From the aerial photography I learned the address was at a large apartment complex. I called the local police in Indiana, “EBay?” “Yes, an online auction site.” “…On the internet?” They told me that they couldn’t help me since I was in Minneapolis and that I had to contact my local police department. I tried to get them to drive by the address and check out the mail boxes. They wouldn’t budge. My local police were a little more well versed, “Yeah, Haha, EBay again”. They told me that since I mailed the check to Indiana the crime really happened in Indiana and there wasn’t anything they could do. After a few rounds I was told I could show up at my local police to fill out a report but that they wouldn’t do anything but file it.

At this point I figured I could call the FBI because they’d have to help. I assumed since it was across state lines and it was a crime on the internet it must be against all sorts of laws I didn’t know about. Plus I’d been to DEFCON, I knew the feds were out there and watching. Turns out I was a little off about the feds. Once I found someone willing to talk about the case, I learned that fraud for the price of a laptop was a little below the FBI radar by, oh, a 1000 percent or so.

Come back tomorrow, when Jay will share his efforts to track down the culprit…


Picking Apart The Hannaford Breach- What Might Have Happened

There goes another one.

According to multiple sources, the Hannaford Brothers grocery chain suffered a major breach with 4.2 million credit cards exposed. Hannaford has published an FAQ for their customers. Odds are it will be months until we find out what really happened, but I’m going to speculate anyway, pick apart the press coverage and FAQ, and see if we can learn something from this now.

As usual, the information released is incomplete and contradictory.

PORTLAND, Maine (AP) - A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

This is interesting since there is a direct tie to fraud, as opposed to many other breaches. This often means the fraud was detected in the credit system and then traced back to the retailer, which seems to be what happened based on the FAQ. As a researcher it’s always helpful to be able to tie the breach to illegal activity. This does, of course, suck for the victims, but as long as it’s credit card fraud they are protected.

Since the information was stolen during the authorization process, and was exposed across many locations, it points to a compromise of the central authorization system or the credit card processor. It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application. My money is 70% on sniffing, 30% on something in the database.

No personal data such as names, addresses or telephone numbers were divulged - just account numbers.

This can’t be true. Without names, the card numbers are unusable.

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough.

“We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

This reinforces the likelihood of a network breach and sniffing, assuming the statement is true. How was the network breached? Could be any one of hundreds of ways. Targeted phishing and compromise of the central network from a remote location are common. I can’t add anything more than pure speculation on this one.

The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

Actually, card issuers should reissue the cards and just eliminate the chance of greater fraud. This is irresponsible. Since this is just loss of credit cards, there is no need for identity theft protection.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said.
“I had expected there would be more than we’ve heard of,” Walker said. “But it’s still too early for us to tell.”

Strange- I consider 1,800 to be a large number. It could be that the fraud was performed directly in the Hannaford system or something. Or this is an erroneous statement.

The FAQ gives us a little more information and narrows things down.

What happened?

Hannaford announced containment of a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. This data was illegally accessed from Hannaford’s computer systems during the card verification transmission process in transactions. Further, Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected.

Somewhat contradictory, with a mention of data security and network, but I don’t expect everyone to be as picky about those details as we are. I suspect the last sentence means fraud alerts are in place, and cards are probably being reissued to some extent.

When did you discover the intrusion?

Hannaford was first made aware of suspicious credit card activity on Feb. 27, and immediately initiated a comprehensive investigation with the assistance of leading computer security experts.

Bingo. It was detected by the banks or credit card companies, then brought to Hannaford.

Is it safe to continue shopping in your stores?

We have continually devoted significant round-the-clock resources to ensure Hannaford has comprehensive data security systems in place. For example, our security measures meet industry compliance standards and many go above and beyond what is required by industry standards.

In other words, PCI is worthless.

In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.

How to prevent this?

We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.


Why Laptop Remote-Destruction/Lojack Doesn’t Work, And Encryption Does

While I sometimes get annoyed with various security technologies, there are very few I consider to be complete snake oil.

However, those remote “data destruction” tools or “Lojack for laptops” are complete crap when it comes to security. Absolute bullshit, and I don’t use language like that here very often.

They might have some value in recovering the physical asset, but as this case shows they sure as hell won’t protect you from a data breach:

Horizon Wednesday said it has notified about 300,000 of its members of the potential compromise of their personal information following the theft of a laptop containing the data on Jan 5.

A security feature on the stolen laptop automatically deleted all of the confidential information on Jan. 23, a company spokesman said. But it is not clear whether the thief who stole the computer accessed the data on the system before then, he said. The data on the laptop was unencrypted but password-protected.

I guarantee you’ll see some of these companies at the next security conference you go to. If you want to use them to help with physical recovery, that’s fine. But for data security? No fracking way.


Cory Has It Wrong, We Should Free The Data

Over on BoingBoing, Cory Doctorow is doing his best to raise awareness of data breaches in a post entitled “Database leaks are as immortal and toxic as nuclear spills — let’s start acting like it”.

If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor.
Every gram - sorry, byte - of personal information these feckless data-packrats collect on us should be as carefully accounted for as our weapons-grade radioisotopes, because once the seals have cracked, there is no going back. Once the local sandwich shop’s CCTV has been violated, once the HMRC has dumped another 25 million records, once London Underground has hiccoughed up a month’s worth of travelcard data, there will be no containing it.

And what’s worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government’s personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror.

On the off chance Cory makes it over to this humble site, I’d like to propose some more creative thinking to solve the problem.

The truth is we can never completely protect the data, for many of the same reasons consumer DRM fails: it only has to leak once for it to appear everywhere. Assets in physical crime are self-limiting; there are only so many ways for a horse thief to chop up a horse. Digital assets are nearly infinitely renewable and reusable.

We need to keep defending our data, but accept the bad guys will get it. Thus we need to limit the impact of those leaks. I see two options (one focused on a specific issue in the US, the other more generalized), and I’m sure there are more:

  1. Release all Social Security Numbers. Then they can no longer be used as a “secret” identifier for financial transactions. This will stop most forms of identity theft in the US, forcing bad guys to shift to more focused account-level fraud. This post explains the difference.
  2. Create systems for multi-factor transaction security. Fraud monitoring on credit card accounts is a basic example of this, but there’s a lot more we can do. Placing a fraud alert on your credit report so the monitoring company has to call you before creating a new account is another example. Having your bank verify major account transfers through back channels is another. I call this “Dynamic Authorization” (part of Dynamic Trust) and it leverages the power of real-time technology to change how we perform transactions and authenticate individuals. There are so many creative and effective layers we can add here I get pretty excited just thinking about it.

We accept that data will leak, then build security controls to minimize the damage. We’ve barely scratched the surface. Consider this anti-exploitation for financial transactions: we can’t eliminate the vulnerability, but we can reduce the exploitability.
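The three layers named above (fraud monitoring on card purchases, a fraud alert that forces a call before new credit is opened, and back-channel confirmation of large transfers) can be sketched as one real-time authorization decision. This is an added illustration, not the author's Dynamic Authorization design or any bank's system; the account fields, thresholds and rules are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    account_id: str
    fraud_alert: bool = False        # consumer placed a fraud alert on the credit file
    transfer_limit: float = 5000.0   # transfers above this need back-channel confirmation
    history: list = field(default_factory=list)  # (when, amount, country) of approved purchases


@dataclass
class Transaction:
    kind: str          # "purchase", "new_credit" or "transfer"
    amount: float
    country: str
    when: datetime


def fraud_monitoring(acct, tx):
    """Layer 1: everyday card fraud monitoring. The number is assumed to be
    leaked, so the decision rests on behaviour, not on the number itself."""
    recent = [h for h in acct.history if tx.when - h[0] <= timedelta(minutes=10)]
    if len(recent) >= 3:
        return "step_up", "velocity: 3+ purchases in 10 minutes, call cardholder"
    if acct.history:
        last_when, _, last_country = acct.history[-1]
        if last_country != tx.country and tx.when - last_when < timedelta(hours=2):
            return "deny", "impossible travel: %s then %s within two hours" % (last_country, tx.country)
    return "approve", "within normal pattern"


def new_account_alert(acct, tx):
    """Layer 2: a fraud alert on the credit report means no new credit
    without phoning the consumer first."""
    if acct.fraud_alert:
        return "step_up", "fraud alert on file: phone consumer before opening account"
    return "approve", "no fraud alert on file"


def back_channel_verification(acct, tx):
    """Layer 3: major transfers are confirmed over a channel the holder of
    the leaked data does not control (a call or message to a number on file)."""
    if tx.amount > acct.transfer_limit:
        return "step_up", "transfer above limit: confirm via back channel"
    return "approve", "transfer within limit"


LAYERS = {"purchase": fraud_monitoring,
          "new_credit": new_account_alert,
          "transfer": back_channel_verification}


def authorize(acct, tx):
    """Route a transaction to the layer governing its kind and return
    (decision, reason). Approved purchases are recorded so that later
    decisions see the updated history."""
    layer = LAYERS.get(tx.kind)
    if layer is None:
        return "deny", "unknown transaction kind"
    decision, reason = layer(acct, tx)
    if decision == "approve" and tx.kind == "purchase":
        acct.history.append((tx.when, tx.amount, tx.country))
    return decision, reason


if __name__ == "__main__":
    acct = Account("acct-demo", fraud_alert=True)
    t0 = datetime(2008, 3, 1, 12, 0)
    print(authorize(acct, Transaction("purchase", 40.0, "US", t0)))
    print(authorize(acct, Transaction("purchase", 90.0, "PL", t0 + timedelta(minutes=30))))
    print(authorize(acct, Transaction("new_credit", 0.0, "US", t0)))
    print(authorize(acct, Transaction("transfer", 8000.0, "US", t0)))
```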

There are exceptions. Health care data is one example where the private market won’t solve the problem; we’ll probably need government regulation to reduce the financial value of that data (e.g., forcing insurance companies to provide coverage despite prior conditions). Protecting consumer privacy, such as limiting data collection on buying habits, is another tough area. But right now the biggest problems are financial in nature, and that’s one area where we can make a big dent with some creative approaches.

There will always be criminals, but we can sure make their lives harder. Simply storing data in nuclear bunkers and hoping it doesn’t leak isn’t the answer.


The Last I’ll Ever Need To Write Proving SCADA Risks

Supervisory Control and Data Acquisition systems are the technology connection between control systems and the switches, pumps, and motors that run our automated physical world. SCADA is the basis of everything from power plants to train systems. It’s also one heck of a security risk.

I’ve talked about SCADA before in a few posts, including this, this, and this. In general, it seems obvious that running these things on standard IT technology, then connecting them to the Internet (no matter how many firewalls you have) isn’t the smartest idea in the world. This is highly contested by SCADA traditionalists who constantly assure us that the odds of a successful attack resulting in physical impacts are extremely low. Methinks those traditionalists might need to pull their heads out of either the sand or a rather unattractive orifice, since there are more than enough examples these days to prove them wrong.

The latest, courtesy of Hoff and Stiennon, is that the CIA released a report that hackers have caused unspecified power outages on multiple occasions (overseas is my guess):

CIA: Hackers to Blame for Power Outages
By TED BRIDIS – 3 hours ago

WASHINGTON (AP) — Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.

All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in “several regions outside the United States.”

“In at least one case, the disruption caused a power outage affecting multiple cities,” Donahue said in a statement. “We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

Both Hoff and Stiennon predicted SCADA attacks this year (and I made fun of them for it, but that’s another story).

Now before you SCADA defenders get your panties in a bunch, over my career as an analyst and consultant I was privy to more than one successful and physically dangerous SCADA attack communicated to me by clients. I’ll never talk details, but they really happened, putting lives at stake.

I’ll still talk SCADA, but there’s enough evidence now of real problems that I don’t see the need to waste time trying to prove how important it is. If you don’t get it by now, you never will, and I hope you don’t have anything to do with my corner of the power grid.

Okay, just a quick primer on the major risks of connecting a process control network with the business network:

  1. Loss of communications due to a non-SCADA failure or attack disrupting network communications. Inability to monitor and control remotely.
  2. Exploitable vulnerabilities on SCADA systems running on standard platforms, e.g. Windows. You often can’t patch a running SCADA system or install antivirus, HIPS, or other defenses. Vulnerable to mass exploits that have nothing to do with SCADA.
  3. Direct attack on SCADA software/systems.
  4. Exploitation of a control workstation which is then used to access/control the SCADA system. Has the added advantage that the attacker can remotely monitor normal activity to determine how to commit malicious actions on a proprietary system they don’t have prior knowledge of.


14 Year Old Boy Hacks, And Derails, Trains

(Thanks to Marcin)

Thanks to some good old hardware hacking, a Polish teen built an infrared device that let him switch around the tracks.

Twelve people were injured in one derailment, and the boy is suspected of having been involved in several similar incidents.

Miroslaw Micor, a spokesman for Lodz police, said: “He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks.

“He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change.

Wow.

I guess I don’t get to rant about SCADA security today.

Credit Card Fraud Is Not Identity Theft

I just posted on switching to Debix, and it reminded me there’s something I keep forgetting to cover.

When reading the news, both mainstream and industry, I’m appalled at the abuse of the term “identity theft”. And don’t get me started on vendor marketing materials.

Identity theft is a serious crime with potentially severe repercussions for the victim. It’s when a bad guy uses your personal information, often including Social Security Number, to use your identity for nefarious purposes. It’s most often financial, taking out new credit (which never gets paid), but can include fake ID cards (and thus driving/criminal records), passports, and more. Yes folks, there are bad guys with stolen IDs who get caught by the cops, use the fake ID, get bail, and run for it- leaving you with a nice bench warrant out in your name (really rare, but it happens).

A former co-worker once applied for a new mortgage and the bank asked him about the one in default. Oops. That’s identity theft.

(BTW, this is a problem far more endemic in the US than in most other nations. Other countries don’t rely on a single not-so-secret secret number (the SSN) to manage credit, which makes ID theft more difficult.)

Credit card fraud is serious, but not nearly as serious. That’s when someone steals your credit card number and uses it to make fraudulent purchases. Nearly every credit card in the world (but not debit cards- for those you need to check with your bank) includes fraud protection. You, the consumer, are not liable for the fraud if you identify and report the erroneous charges. You don’t bear the costs of getting a new card if you need one. Merchants and banks (but not the credit card companies, of course) bear the costs of credit card fraud, not you.

That’s why I don’t care that my wife shops at TJX- we know to monitor our bills and if something happens we won’t be liable.

Both are crimes, but in protecting yourself it’s important to understand the difference. As a business I worry quite a bit about credit card fraud since I could bear the cost (if I accepted credit cards). As a consumer I worry more about ID theft.