Week of April 4, 2005

Articles from last posting

Ericsson hacker gets three years

A 26-year-old Hungarian hacker who accessed top-secret documents on the intranet of Ericsson (the Swedish telco) was sentenced to three years in jail. He broke into the system as a 'provocation', inexplicably hoping that his wiliness would entice Ericsson to offer him a job.

However, his stated motivations for the attack do not fit well with the facts: he came a cropper when Swedish police busted him at Malmo airport in the course of an undercover sting operation, after he attempted to sell some of the information he had gleaned from Ericsson on the internet.

Would someone please tell all aspiring hackers that selling confidential corporate information - of keen interest to unscrupulous competitors - on the internet will never, ever result in anything less than a criminal conviction. It will most certainly not place you in the corner office, except in handcuffs.

But the fact remains: how did he get in? No doubt there is some soul-searching at Ericsson.

Biometric device costs Malaysian accountant his finger

An accountant in a Kuala Lumpur suburb in Malaysia had the top of his finger chopped off by a machete-wielding carjacking gang when they couldn't get around the high-tech biometric security system protecting his S-Class Mercedes.

They initially forced him to put his finger on the reader to start the vehicle, but later, impatient because they could not restart it without his assistance, chopped off the end of his index finger and left him naked and bleeding at the side of the road.

Despite all the hoopla about the wonders of biometric devices, little attention is paid to the methods determined criminals will use to subvert the technology.

Update - US banks required to report security breaches

Last week, we reported that the board of the FDIC (a US banking regulator) - as well as the OCC and the OTS - approved a proposal to require US banks to notify customers about security breaches that expose their data, in certain circumstances. The final rule can be located here.

I was gratified to read in the explanatory notes that a number of the comments I filed during the submission process were taken on board and are mentioned in the text, most especially my suggestion that account monitoring (at a particular institution) may not reveal the full picture, as ID thieves routinely target additional financial institutions to spread the risk of being caught and maximize their illicit returns.

The FDIC response was not to mandate account monitoring and freezing in the final text of the Guidance (the credit check agencies were upset about freezing and anything that impacts their business model- see the Tips section for more on this theme). This may not have been the optimal response to a difficult problem, but probably was inevitable with the financial institutions generally in dread of the final proposal in any shape or form.

New risk based approach

The final Guidance - drawing heavily on the tough Security Guidelines under the Gramm Leach Bliley Act (GLB) - provides financial institutions with greater flexibility to 'design a risk-based response program tailored to the size, complexity and nature of its operations'. It requires them, broadly speaking, to prevent unauthorised access to customer data, and to alert regulators and customers in defined circumstances when there has been a breach.

Contract changes mandated with service providers

This obligation to protect customer data extends to contracts with third party service providers. Existing contracts that do not contain suitable provisions - requiring service providers, for instance, to notify their clients in the event of a breach - have not been grandfathered, but 'best efforts' have to be made to add such a clause. New contracts 'should include such a provision'.

Missed opportunity to solve dearth of data problem

Regulators must be advised in the event of a security breach that impacts 'sensitive data' (as defined).

As a result, can we expect a spike in the amount and quality of data available on security breaches, at least in the financial services sector? The absence of reliable data on the extent and frequency of the problem has been a long-standing security conundrum.

Unfortunately, the final Guidance does not present a solution: whether or not an Agency will track the number of incidents reported 'is left to the discretion of individual Agencies'.

Notifying customers of a breach

The final Guidance provides that when an institution becomes aware of an incident of unauthorized access to sensitive customer information, 'it should conduct a reasonable investigation to determine promptly the likelihood that the information has been or will be misused. If the institution determines that misuse of the information has occurred or is reasonably possible, it should notify affected customers as soon as possible.'

The notification can be delayed in the event of an ongoing criminal investigation.

Encrypting data no defence

Unlike security breach reporting laws such as SB 1386 in California, the Guidance does not exempt institutions from reporting incidents when the compromised data is encrypted. It acknowledges a reality those statutes ignore: that not all encryption is equal.

'The Agencies also believe that a blanket exclusion for all encrypted information is not appropriate, because there are many levels of encryption, some of which do not effectively protect customer information.'
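As an added illustration of the Agencies' point (example code, not from the Headfry post or from the Guidance): two constructed toy schemes, a repeating-key XOR of the kind some products have sold as 'encryption' and a randomised per-record keystream, plus the checks a reviewer could run to see whether 'encrypted' customer data is actually protected before deciding a breach needs no notification. The key, the sample records and the HMAC-based keystream construction are all assumptions made for this example.

```python
"""Added example, not from the Headfry post or the FDIC Guidance: why a blanket
'encrypted data is safe' exemption is risky.  Both schemes below are toys built
for illustration; neither is a recommendation for production use."""
import hashlib
import hmac
import os

# Constructed sample records: the same account number appears twice (records 0 and 2).
RECORDS = [b"ACCT:0012345678", b"ACCT:0099999999", b"ACCT:0012345678"]
KEY = b"example-key-bytes"   # constructed key for the demonstration


def weak_encrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR: deterministic, and the same key stream is reused
    for every record.  Many products have marketed this as 'encryption'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with HMAC-SHA256 (assumed construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def strong_encrypt(key: bytes, data: bytes) -> bytes:
    """Fresh random 16-byte nonce per record, prepended so the record can be
    decrypted; identical plaintexts therefore give unrelated ciphertexts."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(b ^ k for b, k in zip(data, ks))


def strong_decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of strong_encrypt: split off the nonce and re-derive the keystream."""
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(b ^ k for b, k in zip(ct, ks))


def leaks_equal_records(encrypt, key: bytes) -> bool:
    """Check 1: do identical plaintext records produce identical ciphertexts?
    If so, a thief can tell which customers share data without any key."""
    cts = [encrypt(key, r) for r in RECORDS]
    return cts[0] == cts[2]


def leaks_via_known_record(encrypt, key: bytes) -> bool:
    """Check 2: does knowing one plaintext record expose another?  With a
    reused key stream, ct0 XOR ct1 XOR pt0 equals pt1, so one known record
    (a customer's own statement, say) unlocks the rest of the file."""
    cts = [encrypt(key, r) for r in RECORDS]
    guess = bytes(a ^ b ^ c for a, b, c in zip(cts[0], cts[1], RECORDS[0]))
    return guess == RECORDS[1]


def assess(encrypt, key: bytes) -> str:
    """Summarise whether a scheme 'effectively protects' the sample records."""
    if leaks_equal_records(encrypt, key) or leaks_via_known_record(encrypt, key):
        return "leaks structure: treat a breach as a breach of plaintext"
    return "no structural leak found in these checks"


if __name__ == "__main__":
    print("repeating-key XOR :", assess(weak_encrypt, KEY))
    print("randomised stream :", assess(strong_encrypt, KEY))
```

Both checks pass against the randomised scheme and both fail against the XOR scheme, even though a vendor could truthfully describe either as 'encrypted'. That is exactly why a notification rule keyed to the word 'encrypted' alone would be hollow.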

Fear of embarrassment no answer either

The Agencies (regulators) also realize that the main reason institutions do not currently report breaches is fear of embarrassment and bad PR. So they have explicitly stated that in cases where customer notification is warranted, 'an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.'

Shining the light into other nooks and crannies

Banks have little choice but to comply or face the wrath of the regulators. They are inundated with compliance efforts - with teams working around the clock to satisfy corporate governance, SOX, and Basel II project requirements. Reporting security breaches is just one more to add to the list.

Perhaps it is now time, in the US at least, to look more closely at the other critical infrastructure sectors, where regulation is marked only by its absence and the threats are equally real.

And time to brainstorm ways to stop the blight of phishing and other scams.

'When the help help themselves'

A rather sobering tale in the American Bar Association Journal illustrates how susceptible we all are to non-technology-based, good old-fashioned insider fraud.

A lawyer was defrauded by his trusted office manager, who used his seal and wrote cheques in his name, to the tune of USD 1.2 million.

To add insult to injury, he only discovered the fraud when a friend told him he had been suspended from the practice of law for failing to respond to Law Society complaints, which the alleged fraudster had destroyed.

An insider threat survey (focused on the banking sector) conducted some time ago by the US Secret Service and CERT at Carnegie Mellon University was useful in highlighting the fact, albeit with the usual limited data, that insider fraud is often committed by non-techies: people who simply watch and learn, and know how to work the system.

Remember: your main culprit may not be Techie Tom in the Penguin shirt, but rather seemingly gormless Molly who can barely work the coffee machine....

"Who dunnit?" - possible insider role in UK plot to steal STG 220m from Japanese bank

Insiders may have struck again. Although happily this time they failed to execute their dastardly plan.

Security experts believe that a trojan horse key logger allegedly found on Sumitomo bank computers in London and used to send passwords and access information to criminals who intended to steal funds electronically, could only have been planted by an insider.

They maintain, quite logically (although it remains pure speculation at this juncture, details being sketchy) that it is extremely unlikely that a malicious key logger miraculously found its way onto a critical system from the outside, as a key component of the master heist plan.

They deem it far more likely that an insider played a role in installing the malicious software, and possibly covering his/her tracks. Not very well, as it turns out.

Police investigations are ongoing, but reports indicate that Yeron Bolondi, 32, was arrested by Israeli police on Wednesday after an attempt to transfer £13.9m to a bank account in the country. The UK's National Hi-Tech Crime Unit has been given credit for foiling what could have been one of the world's largest bank robberies.

A bank spokesman maintained that Sumitomo has not suffered any losses as a result of the foiled attempt to fleece them. One can only hope that such a positive prognosis extends to its customer base.

Key loggers take centre stage

Another banking scam, reported by AP, suggests that criminals are increasingly wise to the use of key loggers to perpetrate a wide range of crimes. They are particularly useful to glean banking details.

AP report that Estonian police detained a 24-year-old man suspected of 'emptying out hundreds of bank accounts in several European countries using the Internet. The suspect was detained after a yearlong investigation into what police believe could be the theft of millions of euros (dollars) from accounts in various banks in Estonia, Latvia, Lithuania, Germany, Britain and Spain'.

A spokesman for Estonia's central criminal police also stated that the suspect stole the money by infecting thousands of computers with a key logger that transmitted users' bank account numbers and login passwords to him. He got them to open the infected emails with the lure of job offers from 'apparently legitimate senders, such as government institutions, banks and investment firms'.

Yet again, human beings are shown to be demonstrably and incorrigibly weak-willed and prone to wishful thinking, with disastrous results.

Week of Oct 11, 04

Is 2 factor authentication useless?

We have often written on this site about the need for better authentication methods for online users. The simple password is just too easy to crack, and unsophisticated surfers are often a cinch to impersonate online.

Indeed, banks around the world have started to embrace the need for stronger authentication, with eTrade in the US and Bank of America having recently announced plans to provide tokens to corporate customers and their wealthier clientele.

Australian banks are issuing tokens for little or no cost to their general customer base. Banks in New Zealand are also strongly considering a similar strategy after numerous phishing scams. A report in the Sydney Morning Herald indicates that 'out of 2.5 million transactions at Kiwibank, they experienced 32 cases of online fraud in the past year and recovered 97 per cent of the funds - the remaining 3 per cent was reimbursed to customers by the bank'.

It also states that 'eighteen cases involved the use of "mules" - people who are duped into channelling stolen funds through New Zealand-based bank accounts to fraudsters resident overseas', and that 'key-logging software was used in five of the Kiwibank frauds'.

So villains used key logger software in 5 cases out of 32 in an attempt to commit fraud - making it a trend that bears watching.

Key loggers stump tokens

To muddy the already murky waters, Bruce Schneier recently waded in and pronounced 2 factor authentication to be generally a waste of space, and derided the fact that the banks are about to blow millions on, well, nothing.

Now Bruce is an avowed and professional contrarian, but his point, albeit self-evident, is well taken.

Tokens and one-time passwords will not vanquish bad guys with key logger software in their arsenal, intent on scamming hapless users out of their internet banking passwords. If the evil malware finds its way onto their PCs, as it invariably will, whatever is typed in will be captured. Tokens add little to the equation, except for more expense that the banks usually pass back to the customer in some shape or form.

That is not to say that tokens are useless in all circumstances, but it does pose a dilemma if the concern is that key loggers are the weapon of choice for today's villains.
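To make the key-logger argument concrete, here is an added example (not from the post, from Schneier, or from any bank's product): an RFC 4226 HOTP / RFC 6238 TOTP verifier with single-use enforcement, and a constructed timeline showing what a one-time code captured from the keyboard is and is not good for. The shared secret, the timestamps, the one-step drift window and the 'last accepted counter' bookkeeping are assumptions made for this example.

```python
"""Added example, not from the Headfry post: a one-time-password verifier
(RFC 4226 HOTP, RFC 6238 TOTP, both standard library only) with replay
protection, used to show the limit of what a typed token buys against a
key logger.  Secret, timestamps and bookkeeping policy are assumptions."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP evaluated on the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side.  Accepts the current step and one step either side for
    clock drift, and never accepts a counter at or below the last one spent,
    so a code can be used exactly once (assumed policy, a common practice)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_counter = -1   # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue                     # replay of a spent step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # burn this step
                return True
        return False


def keylogger_scenario(secret: bytes) -> dict:
    """Constructed timeline.  The customer types a code at t=1000 and a key
    logger relays it.  Whether the relay works depends only on timing and
    ordering; the verifier cannot tell the two submissions apart."""
    results = {}
    captured = totp(secret, 1000)

    # Case 1: the attacker's relay arrives before the customer's own request.
    v = TotpVerifier(secret)
    results["relay_before_victim"] = v.verify(captured, 1001)
    # The genuine login now fails: that step has been spent.
    results["victim_after_relay"] = v.verify(captured, 1002)

    # Case 2: the customer logs in first; the same code replayed is refused.
    v = TotpVerifier(secret)
    results["victim_first"] = v.verify(captured, 1000)
    results["replay_after_victim"] = v.verify(captured, 1005)

    # Case 3: the attacker waits; two steps later the code is outside the window.
    v = TotpVerifier(secret)
    results["relay_after_window"] = v.verify(captured, 1000 + 2 * STEP_SECONDS)
    return results


if __name__ == "__main__":
    # RFC 4226 / 6238 test-vector secret, used here only to show the vectors match.
    vec_secret = b"12345678901234567890"
    print("HOTP counter 0 :", hotp(vec_secret, 0))        # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(vec_secret, 59, 8))    # 94287082 per RFC 6238
    for name, ok in keylogger_scenario(b"constructed-shared-secret").items():
        print(f"{name:22s}: {'accepted' if ok else 'refused'}")
```

The scenario marks the boundary: a typed code relayed before the customer's own request lands is accepted, because the server has no way to distinguish the two, while a code replayed after use or after the step expires is refused. The single-use rule and the narrow window are worth having, but they narrow the attacker's timing rather than remove the problem, which is the substance of the point above.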

However, all is not lost and a company in Australia has posited an alternative approach.

The simple fact - which dawned on me years ago when I first sat through a blindingly complex PKI 101 presentation - is that there is much smoke and mirrors in the security space, a whole lot of fudding and tons of complex technology that is desperately seeking a problem to solve, or simply making a bad situation worse.

Plus, there is the realization that the necessary interface between humans and technology remains the weak link in all existing security solutions.

Microsoft resorts to dissing dinos

Microsoft's latest print ad campaign takes aim at a perennial favourite - our good pals the dinosaurs - beloved of adults and children alike.

They may have been extinct for 65 million years, but lest MS forget, they dominated the earth for more than 165 million years, and still have a firm hold on our imagination.

Can MS hope for similar longevity? Will its software endure over a similar timeframe?

It would appear not. In fact the lifespan of flagship MS products, such as the venerable Office suite, is pitiful by comparison to that experienced by our much maligned, scaly, dino friends. Says who? Well, MS says so.

The latest creatively challenged MS ad shows what appear to be office workers (although they could be aliens for all I can tell) with their heads encased in plastic dinosaur heads, the tag line being that business people still using Office 97 are - yes, you guessed it - dinosaurs.

Although it has not been definitively established why the dinosaurs disappeared so many moons ago, my dino research has revealed that paleontologists and extinction specialists believe it is always "the big, active animals that get whacked".

MS be warned.

Plus, you might recall the untimely and unsanitary end that persons who were mean to dinos suffered in the last Jurassic Park movie. That fact, combined with the news that US scientists are believed to have recently extracted live cells from dino bones (a comeback is therefore not entirely out of the question), might encourage MS to consider giving the dinos just a 'tad' more respect.

Spat with EU ongoing

Meanwhile MS has agreed with the EU Commission to mark the EU-mandated, Media Player-less Windows OS product with the letter 'N', to distinguish it from its Media Player-enhanced sister.

You may recall in previous postings we pointed out that MS's plan to call the gummy product 'Lousy Product that No-One Should Buy' (roughly paraphrased) not surprisingly fell foul of the EU, and they were forced to rename.

However, MS may still have the last laugh as Dell recently announced it will not ship the 'N' Windows version, and while HP will stock it, they reportedly stated that they do not expect 'much of a demand for it', or words to that effect.

Depressing news to EU regulators convinced that the competitive landscape would be drastically improved if MS had to strip the OS of Media Player. A miscalculation, it would appear.

Meanwhile, discussions continue on access to MS code and a plethora of other issues.

MS engineers eat, sleep and breathe security

A new whitepaper by MS states that its engineers are firmly dedicated to creating secure software in a cradle-to-grave secure software development life cycle.

The 19-page document, titled 'The Trustworthy Computing Security Development Lifecycle', suggests that Bill and Steve are on side and that there has been a sea change in the way code is designed, developed and tested within MS.

I have been told the same in interviews with senior MS executives, so there must be something in it, or it must at least be the new party line - and no-one is breaking ranks on this one.

I believe it is likely true, and that releasing the whitepaper is a response to critics who have challenged MS to put their money where their mouth is and show their hand when it comes to their efforts to write better code - going forward.

Of course, any such initiative does little to help businesses or consumers running legacy systems -with neither the money nor the inclination to upgrade.

But for the future, MS has no choice but to up its game. Every position paper that comes out of the US government, and elsewhere, points the finger squarely at insecure, buggy code as a significant risk factor that exposes critical infrastructure to the threat of cyber-attack.

For MS, the dominant mass market purveyor of code, X clearly marks the spot.
