Could This Be the First Crack in the PCI Scam?

A sports clothing retailer is suing Visa to recover a $13M fine for a potential data breach. The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based. PCI is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts. The PCI Security Standards Council has stated that no PCI compliant organization has ever been breached. This is a clear fallacy – merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications. Fines are then levied against the acquiring bank and passed on to the merchant. When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of the merchants, who have more incentive to fight the fines. Third-party banks then simply collect the money from the customer’s account or sue them for uncollected balances, using the indemnification clauses in their contracts to justify it. The card companies collect their fines with no hassle and merchants, in the meantime, are left fighting to dispute the fines and get their money back from the card companies. In this case, the retailer (Genesco) is suing Visa for violating their own policies, especially since there was no evidence that card numbers were exfiltrated or used for fraud. Watch this one closely. If it succeeds there will likely be a flood of similar cases. This case doesn’t seem to attack the root of the PCI system itself (the contract system), but I could see that easily getting wrapped into either this case or a future one if Genesco is successful. Seriously – I don’t think all of PCI is bad, but the PCI SSC claims that no compliant organization has been breached is a load of (my favorite word beginning with ‘s’). That position and their policies on fines convinces me PCI is a scam. Especially since they even try to intimidate PCI assessors who speak negatively about PCI in public (yes, direct warnings to shut up or else, I have been told). The card companies, especially Visa (who pulls most of the strings), have a chance to change course and clean up the issues that undermine a program that could be very beneficial. But PCI is currently losing what little legitimacy it has. Share:

Read Post

TripWire nCircles the Vulnerability Management Wagon

It’s funny how you suddenly remember random conversations from months ago at the strangest times. I recall having breakfast with some of my pals at TripWire at RSA 2012 (yes, 13 months ago), and them peppering me about the vulnerability management market. Obviously they were shopping for deals, but most of the big players then seemed economically out of reach for TripWire. And there was nothing economically feasible I could recommend for them in good conscience. What a difference a year makes. It seems the Thoma Bravo folks have TripWire hitting on all cylinders, and they are starting to flex some of that cash flow muscle by acquiring nCircle, one of the 4 horsemen of Vulnerability Management (along with Qualys, Tenable, and Rapid7). Both are private companies, so we won’t hear much about deal value, but with alleged combined revenue of $140 million in 2012, the new TripWire is a substantial business. As I wrote in Vulnerability Management Evolution, VM is evolving into more of a strategic platform and will add capabilities like security configuration management (as opposed to pure auditing) and things like benchmarking and attack path analysis to continue increasing its value. TripWire comes at this from the perspective of file integrity and security configuration management, but they are ultimately solving the same customer problem. Both shops help customers prioritize operational security efforts by poses the greatest risk – in concept, anyway. And for good measure, they both generate a bunch of compliance-relevant reports. The video describing the deal talks about security as business value and other happy vision statements. That’s fine, but I think it undersells the value of the integrated offering. You see, TripWire has a very good business assessing and managing devices using a device-resident agent. nCircle, on the other hand, does most of its assessment via a non-persistent agent. We believe there will continue to be roles for both modalities over time, where the agent will be installed on important high-risk devices for true continuous monitoring, and the non-persistent agent handles assessment for less-important devices. It’s actually a pretty compelling combination, if they execute the technical integration successfully. But this isn’t our first rodeo – good technical integration of two very different platforms is very very hard, so we remain skeptical until we see otherwise. In terms of market analysis, the deal provides continued evidence of the ongoing consolidation of security management. TripWire has said they will be doing more deals. Qualys has public market currency they will use to bring more capabilities onto their cloud platform. Tenable and Rapid7 both raised a crapton of VC money, so they can both do deals as well. As VM continues to evolve as a platform, and starts to overlap a bit with more traditional IT operations, we will continue to see bigger fish swallowing small fry to add value to their offerings. Our contributor Gal brought up the myth of TripWire’s ecosystem and questioned the openness and accessibility of integration, given what they have accomplished to date. I’m more inclined to put every vendor’s ecosystem in the BS camp at this point. TripWire and nCircle will be tightly integrated over the next two years. They don’t have a choice, given the drive to increase the value of the combined company. Any other integration is either tactical (read: customer-driven) or for PR value (read purple dinosaur driven). Security companies pay lip service to integration and openness until they reach a point where they don’t have to, and can control the customer (and lock them in). To think anything else is, well, naive. To wrap up, on paper this is a good combination. But the devil is in the integration, and we have heard nothing about a roadmap. We heard nothing about what the integrated management team will look like. Nor have we heard anything about go-to-market synergies. There is a lot of work to do, but at least it’s not hard to see the synergy. Even if it’s not obvious to Jeremiah. Photo credit: “Circling the Wagons” originally uploaded by Mark O’Meara Share:

Read Post

Email-based Threat Intelligence: Quick Wins

We are big on Quick Wins at Securosis. Mostly because we know how hard it is to justify new technology (or processes or people), and that if you can’t show value quickly on a new project, every subsequent request gets harder and harder to get through. Until you have a breach, that is. Then your successor gets carte blanche for a honeymoon period to do the stuff you were trying to do the whole time. Ultimately disrupting a phishing attack is an application simple economics. If it costs more for attackers to phish your brand, their margins will go down and eventually they will look to other attacks (or other targets) that return more profit. So for Quick Wins, focus on making phishing campaigns more expensive. That means messing with their sites, more effectively helping customers protect themselves, and ultimately shortening the window attackers have to monetize your customers. Your quiver is filled with the key intelligence sources we discussed in Analyzing the Phish Food Chain, so what comes next? How can you use information like phisher email addresses, IPs, and domains to disrupt and/or stop attacks on your brand? Taking the Phish out of the Pool The first and most common remediation remains the phishing site takedown. Obviously phishing attacks are frustrated if the evil site is not available to harvest account credentials and/or deliver malware. But this is not an immediate fix – it takes time to prepare the documentation ISPs need, domain registrars, domain owners, browser vendors, telecom providers, and any other organization that can take the site offline. But remember that many phishing sites are hosted on legitimate – albeit compromised – web sites, so site takedowns inflict collateral damage on legitimate sites as well. We are not in the excuses business, so it’s not like we would feel bad when a compromised site is taken down until fixed, but keep in mind that the cost isn’t only to the phisher. One of the keys to dealing with advanced malware is determining whether it makes more sense to observe the attacker to gain intelligence about tactics, objectives, etc., than to remediate the device immediately. Phishing sites demand a similar decision. If you have identified the phisher as a frequent attacker, does it make more sense to observe traffic from those sites? Or to monitor the attack kits and analyze the malware downloaded to compromised devices? The answer varies, but this kind of analysis requires sophisticated incident response and malware analysis capabilities. A few other tactics can be helpful in disrupting phishing attacks, including directly notifying browser vendors of malicious sites because all major browsers now include real-time checks for phishing and other malware sites, and warn users from visiting compromised sites. Similarly, communicating with the major security vendors and submitting IP addresses and domains to their security & threat research teams, can give these sites and IPs negative reputations and block them within web and email security gateways. If you have been able to identify the email address the phisher uses to harvest account credentials, you can work with their service provider (typically a major consumer email provider such as Google, Yahoo!, or Microsoft) to limit access to the account. Or work with law enforcement to track the attacker’s identity as they access the account to collect their spoils. All these tactics make it harder for phishers to lure victims to their phishing sites, steal information, and then harvest it. Speaking of law enforcement, much of the information you need to gather to facilitate phishing site takedowns, such as IP addresses, domains, email addresses, and phishing kit specifics, is directly useful for law enforcement’s ultimate efforts to prosecute the phishers. Prosecution is rarely job #1, especially because many attackers reside in place where prosecution remains difficult, but if you need to gather the data anyway, you might as well let law enforcement run with it. Other Tactics for Disrupting Phishing Taking down the phishing site isn’t your only means to disrupt attacks. You can also use active controls already in place in your environment to minimize the damage caused by the attack. Let’s start with the network: your intelligence efforts have yielded a number of data points, such as IP addresses and domains associated with an attack. You may be able to work with the network operations team to block devices connecting to your site from these IPs or domains. At least you should be able to tag these devices and monitor their transactions for suspicious activity. When dealing with fraud attacks against millions of customers, being able to focus your efforts on accounts more likely to be compromised really helps. Another tactic is to adaptively require stronger authentication for accounts exhibiting suspicious activity. Phishers collect account numbers and passwords, rarely worrying about security questions or additional authentication factors. So if you see a login attempt from a suspicious IP address or domain, you can further challenge the user attempting to login by requiring additional authentication details. Attackers generally attack the easiest targets, so this is a great way to make attacks against you more expensive, and is likely to drive phishers elsewhere. Finally, you can work harder to stop the original phishing emails from reaching your customer’s inboxes in the first place. Leverage new standards like DMARC, which enables service providers and other large-scale senders to leverage DKIM and/or SPF message authentication technologies to provide more accurate sender authentication. Combined with traditional anti-spam analysis techniques, these technologies can minimize false positives and ensure phishing messages get tossed before customers get an opportunity to hurt themselves. Addressing the Root Cause Ultimately, much of what you can do to disrupt phishing is reactive. But it may also make sense to try reducing the likelihood of compromise at the point of attack: your customer. You can start with security education, working to help customers identify phishing domains and recognize the security mechanisms most consumer brands apply to email they send to customers. We are painfully familiar with the frustration of security awareness training, but

Read Post

Compromising Cloud Managed Infrastructure

The Nibble security blog had a very good post on Subverting a Cloud-based Infrastructure with XSS and BEEF. They essentially constructed an XSS attack to issue network infrastructure management commands without user knowledge. The idea is pretty neat: all network devices and security appliances (wired and wireless) can be managed by a cutting-edge web interface hosted in the cloud, allowing Meraki networks to be completely set up and controlled through the Internet. Many enterprises, universities and numerous other businesses are already using this technology. As usual, new technologies introduce opportunities and risks. In such environments, even a simple Cross-Site Scripting or a Cross-Site Request Forgery vulnerability can affect the overall security of the managed networks. There are two important takeaways here, so don’t get caught up with a specific vendor’s vulnerabilities or the specific tool used to craft this attack. The management interfaces for all cloud services are browser-accessible, and browsers – and the web services they use – are open to these attacks. XSS and CSRF are major issues, and we have considerable evidence – the Mandiant report being just one source – that browser-based attacks are one of the top two current attack vectors. These are problems that most organizations don’t consider when building web applications, so they are common vulnerabilities. Which leads directly into the second issue: that all cloud services, by definition, offer broad network access. That means applications and management interfaces are both browser accessible. The beauty of cloud services for IT management is that you can access all cloud management functions from any browser, anywhere. And from that single connection you do just about anything. Very convenient! For attackers too – once they compromise a customer’s management plane for a cloud service, that is equivalent to root access. Only in this case it’s the entire cloud infrastructure, not just one server. Because the attack originates from your browser, it does not matter whether you restricted management access to in-house IP addresses – your system has one of the approved IP addresses. There are not many quick and easy ways to protect against this type of attack, but use a dedicated browser for management if you can. Other than that … be careful what you surf for. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.