Monday, 3 March 2014

The 6 most effective security measures for retailers

Data breaches are in the news in full force so far in 2014.
First there was the colossal Target security breach that compromised over 100 million customer accounts and may yet impact hundreds of thousands of Canadian consumers. Now White Lodging Services Corp. of Merrillville, Ind., reports that its point-of-sale systems used at hotel chains such as Marriott, Holiday Inn, Westin, Renaissance, and Radisson have suffered a suspected data breach. The data may have included customer names, credit card or debit card numbers, security codes and expiration dates. Fourteen hotel locations in the U.S. are affected.
In the wake of these breaches, the US banking and retail sectors are waging vocal fights to assign blame and pin responsibility on one another.
But what if there was a better way? We hear a lot about chip-and-pin (EMV cards) and the advantages of Canadian retailers vis-a-vis security, but is it really superior? As it turns out, yes, it’s useful and effective, but only in the presence of other layers of control. So let me take a crack at a simple list that would serve to provide Canadian retailers with an effective way to protect cardholder data. As such they need to:
1. Comply with Canadian privacy law.
2. Adhere to the PCI-DSS 3.0 standard.
3. Adopt EMV payment systems.
4. Employ intrusion detection technologies.
5. Conduct employee background checks.
6. Deploy physical security measures.
Although few retailers will confess to it, they’re scared because that’s the kind of publicity they don’t need. I don’t believe they have a false sense of security. I believe they are experiencing uncertainty in their ability to protect payment cards, and as such they have to make a decision: to invest in data protection, or not.

10 security concerns for the public cloud: Russinovich

SAN FRANCISCO – It’s not news that businesses are moving more and more of their data to the cloud. But even as cloud storage and computing have hit the mainstream, there are a lot of questions around the public cloud – ones that not everyone is asking.
For Mark Russinovich, technical fellow of Microsoft Corp.’s Windows Azure cloud platform group, the public cloud has helped businesses grow, but there are still many concerns for data security and privacy. He pulled together a list of 10 different concerns that security professionals should consider when putting their organizations’ data into the public cloud.
“We’ve coined a name for this – ‘cloud critical’ bugs,” said Russinovich, speaking from a session at the RSA conference in San Francisco on Thursday. “The cloud is at a much higher risk of exploitation, because there’s a lot of diverse data from businesses and industries.”
Here’s a roundup counting down 10 concerns he has with the public cloud.

10. Shared technology vulnerabilities
For Russinovich, one of the difficulties of the public cloud is that everyone using it has shared technology vulnerabilities. If a breach of the cloud were to happen, that would look bad for every cloud vendor.
“We’d be notifying people, cleaning up, and bringing things back online,” he said. “But to customers, it’d be a big public cloud fail.”
For one thing, there’s no firewall attached to the public cloud, and there’s a huge variety of data in the public cloud up for grabs, if hackers were to gain access to it.
Luckily, however, the public cloud is better at responding to threats, since most businesses recognize how risky it would be to fail to defend it. Businesses need to be aware they can’t wait for patches if they know about a vulnerability – instead, they need to automate software deployment, ensure they have strong detection tools for breaches, and be determined to preserve their customers’ trust.

9. Insufficient due diligence
There’s a lot of talk nowadays about shadow IT, where employees come up with their own IT solutions and bring them to work. One of the most popular of these is the cloud. Russinovich said he’d even like to coin a phrase for it – like the bring-your-own-device trend, or BYOD, he’d name it BYOIT – bring-your-own-IT.
What IT departments need to do is to help their organizations’ employees with implementing the cloud and ensure they’re complying with security best practices, he added.

8. Abuse of cloud services
While having a public cloud can be helpful, businesses run the risk of attackers taking it over and using it as a malware platform, or becoming botmasters taking advantage of trusted IP addresses.

The public cloud can also be used as storage for illegal content, like copyrighted content being stored through Pirate Bay, or inappropriate content like pornography, Russinovich added. And increasingly, security professionals might see people using the public cloud to mine Bitcoin.

7. Malicious insiders
When hiring employees who will be able to access data within the organization, there’s always the danger they may walk away with sensitive data, Russinovich said. He put up a picture of former National Security Agency contractor Edward Snowden on his presentation slide.
“It’s a real risk, better understood by third-party audits,” he said.
Ways to mitigate this risk include doing employee background checks, as well as security controls on what data each employee can access.

6. Denial of service (DOS)
Whether this happens through an attack – like a distributed denial of service (DDoS) – or through an outage, customers don’t really care, Russinovich said. What they do care about is whether cloud providers are responsible.
For example, in August 2011, a lightning storm brought down the clouds for Amazon and Microsoft in Dublin, Ireland. While that was an equipment failure, neither Amazon nor Microsoft should have let that happen, Russinovich said.
That’s why it’s important for cloud providers to mitigate the chance of DOS by ensuring non-public applications are isolated from the Internet, and by setting up location-specific clouds. That way, if one cloud goes down, another can take over, he added.

5. Insecure interfaces and application programming interfaces (APIs)
As the public cloud is still so new, a lot of APIs will crop up – and not all of them are particularly secure. Organizations need to ensure their APIs use strong cryptography, for example, Russinovich said.

4. Account hijacking and service traffic hijacking
It’s been said time and time again, but organizations need to ensure their employees’ accounts are using strong passwords.
While it’s not a problem unique to the public cloud, there’s a lot of data at stake, Russinovich said.
He added IT administrators need to turn off any unused endpoints, and that they need to ensure their employees are trained to avoid opening strange attachments or clicking on suspicious links.

3. Data loss
Whether this happens because someone accidentally deletes or modifies data so it can’t be accessed, or if an attacker steals it or uses ransomware to encrypt it until he or she is sent a sum of money, this is definitely a problem for the public cloud, Russinovich said.
And of course, there’s always the chance an organization could lose data through a natural disaster – for example, a flood or hurricane destroying its servers.
Russinovich says companies should mitigate this danger by setting up backups, as well as geo-redundant storage. There’s also the practice of deleted resource tombstoning – by ensuring it’s possible to recover deleted data by removing a tombstone, organizations can return data to their customers.
“This is something we’ve learned through painful lessons,” Russinovich said.
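As an added illustration of the tombstoning idea Russinovich describes (not Azure's implementation, and the retention window, names and sample data are constructed), a soft-delete store where a delete only marks the object with a tombstone, a restore removes the tombstone while it is still inside the recovery window, and storage is only freed by a later purge:

```python
"""Soft-delete with tombstones and a recovery window (added example, not
Azure's implementation; retention window, names and data are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Tombstone:
    deleted_at: datetime
    deleted_by: str          # kept so an audit trail survives the delete


@dataclass
class TombstoneStore:
    """Key/value store where delete() only marks and purge() frees."""
    retention: timedelta = timedelta(days=14)   # assumed recovery window
    _data: Dict[str, bytes] = field(default_factory=dict)
    _tombstones: Dict[str, Tombstone] = field(default_factory=dict)

    def put(self, key: str, value: bytes) -> None:
        self._tombstones.pop(key, None)        # a re-write revives the key
        self._data[key] = value

    def get(self, key: str) -> Optional[bytes]:
        # Tombstoned data is hidden from reads but still held in storage.
        if key in self._tombstones:
            return None
        return self._data.get(key)

    def delete(self, key: str, actor: str, now: datetime) -> bool:
        if key not in self._data or key in self._tombstones:
            return False
        self._tombstones[key] = Tombstone(deleted_at=now, deleted_by=actor)
        return True

    def restore(self, key: str, now: datetime) -> bool:
        """Undo a delete by removing its tombstone, if inside retention."""
        ts = self._tombstones.get(key)
        if ts is None or now - ts.deleted_at > self.retention:
            return False
        del self._tombstones[key]
        return True

    def purge(self, now: datetime) -> int:
        """Free storage for tombstones older than the retention window."""
        expired = [k for k, ts in self._tombstones.items()
                   if now - ts.deleted_at > self.retention]
        for k in expired:
            del self._tombstones[k]
            del self._data[k]
        return len(expired)


def demo() -> dict:
    """Walk one object through delete, recovery, a second delete and purge."""
    t0 = datetime(2014, 3, 3, tzinfo=timezone.utc)
    store = TombstoneStore()
    store.put("invoice-42", b"constructed sample blob")
    out = {"deleted": store.delete("invoice-42", "ops-user", t0)}
    out["hidden"] = store.get("invoice-42")                   # None while tombstoned
    out["restored"] = store.restore("invoice-42", t0 + timedelta(days=3))
    out["visible_again"] = store.get("invoice-42")
    store.delete("invoice-42", "ops-user", t0 + timedelta(days=4))
    out["late_restore"] = store.restore("invoice-42", t0 + timedelta(days=30))
    out["purged"] = store.purge(t0 + timedelta(days=30))      # 26 days > 14
    return out
```

The recovery window is what makes an accidental delete or a ransomware-style mass delete reversible; the purge step is what keeps the tombstoned data from living forever.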

2. Data breaches
While this appears to be a very general heading, Russinovich said it’s an important one.
“Data is at the heart of the matter. The data is the company. If there’s no data, there’s no company,” he said. “It’s the most important asset, so there’s the highest risk of loss.”
For example, if an attacker gains access to data’s physical media – for example, a disc holding the data – that’s a problem. A fix might be to encrypt that data and to set up extensive physical controls, like a strict rule not to allow any employees to take data out of a data centre. Or, an organization might make a rule saying any discs that are no longer used should be crushed by a disc-destroying machine.
At Microsoft Azure, no data is allowed to leave the building, and the company also uses third-party certifications like FedRAMP to ensure its employees are handling the data properly.

1. Self-awareness
In giving his presentation at the RSA conference, Russinovich asked the audience whether they could hazard a guess to his final concern on the public cloud.
No one could, but he said as the public cloud grows more and more sophisticated, the data in that cloud may take over and we may stop focusing on what we need to do to secure it.
“This is new technology. We’re learning as we go,” he said.

How a Hacker Intercepted Secret Service, FBI Calls Using Google Maps

Unsuspecting citizens who tried to speak with the FBI and Secret Service had their calls intercepted and recorded without the hacker having to lift a finger during the call.
These callers made the hacker’s work easy; they trusted and dialed a number provided on Google Maps, rather than seeking out a listing on a government website.
A hacker simply posted fake numbers on Google Maps and it took mere hours for unsuspecting users to dial the fake listings - allowing the conversation with real agents to be recorded (Image via Valleywag).
“Who is gonna think twice about what Google publishes on their maps? Everyone trusts Google implicitly and it’s completely unwarranted and it’s completely unsafe,” – Hacker.
Brian Seely, a network engineer and one-time Marine who has worked for tech companies like Microsoft and Avanade, used to get paid to spam Google Maps, according to Valleywag. He says he’s tried for years to shore up security gaps in the system by alerting Google engineers, but says he wasn’t taken seriously until he walked into a Secret Service office near his Seattle home Thursday.
While there, Seely says he got a notification on his phone that a call had just been intercepted: It was a Washington, D.C., police officer calling the Secret Service about an active investigation, according to Valleywag:
After that, Seely says, he got patted down, read his Miranda rights, and put in an interrogation room. Email correspondence with the Secret Service indicates that the special agent in charge called him a “hero” for bringing this major security flaw to light. They let him go after a few hours.
He claims that he faked the government listings, picking numbers with his own 425 area code so they would stand out, because Google ignored his pleas to fix long-standing flaws in the system.
Seely said he took the fake numbers down after his conversations with the Secret Service.
After Seely’s fake numbers received the incoming calls, they were seamlessly forwarded to the real offices the callers were trying to reach. Only at that point did Seely’s program capture and record the audio transmission.
But this is just one hacker who has come forward to point out the flaw. Seely told Gizmodo there are thousands of trolls using Google Maps to create fake listings for pranks or jokes, and more seriously, for scam businesses who want to divert Internet searches to their high-priced services.
“It’s polluting Google Maps with hundreds if not thousands of fake locations and businesses. (Seely) estimates that there are over 100,000 fake listings for locksmiths alone,” Gawker reported:
So say I’m a locksmith and I want a little more business. My ranking is too low when you search “locksmith near [my neighborhood]” on Google Maps; no one ever clicks on me.
Seely says trolls, like shady locksmiths, use the Google Maps trick to get thousands of extra calls for their businesses. (Photo credit: Shutterstock)
If I find the right scammer, I can boost my presence with a couple more (non-existent) locations. Or even better, I can have a scammer change my competitors’ numbers so that the calls forward to me instead. All I have to do is pay a scammer $50 or so per call. But hey, that’s just the cost of doing (shady) business.
Seely told Valleywag people should be a little more guarded with the information they pick up from Google.
“Who is gonna think twice about what Google publishes on their maps? Everyone trusts Google implicitly and it’s completely unwarranted and it’s completely unsafe,” Seely said.
Google did not immediately respond to TheBlaze’s request for comment.
“When unsuspecting citizens utilize this incorrect third party phone number to contact the Secret Service the call is directed through the third party system and recorded,” the Secret Service told Gawker. “This is not a vulnerability or compromise of our phone system. Virtually any phone number that appears on a crowdsourcing platform could be manipulated in this way.”
(H/T: Valleywag)

Yahoo, ICQ chats still vulnerable to government snoops

In a test, CNET was able to intercept and read Yahoo instant messages because the company has still not turned on encryption, at least 10 years after the security vulnerability became public.
(Credit: Declan McCullagh/CNET)
Nine months after Edward Snowden revealed extreme Internet surveillance by US and British intelligence agencies, some major technology companies have yet to take rudimentary steps to shield their users' instant messages from eavesdropping.
A CNET analysis shows that Yahoo and ICQ transmit the content of supposedly private instant messages in unencrypted form, exposing them to both government spies and malicious snoops on the same Wi-Fi network. AOL's AIM service encrypts content -- but leaks metadata about who's talking to whom.
These privacy problems were highlighted by a Guardian article Thursday, which revealed that spy agencies were eavesdropping on Yahoo's unencrypted video chats. A surveillance system code-named Optic Nerve "intercepted and stored the webcam images of millions of Internet users not suspected of wrongdoing," the paper said, citing documents provided by Snowden.
That was possible because Yahoo has lagged far behind rivals Google and Microsoft in adopting a standard technique known as SSL that scrambles information before it's transmitted. SSL and similar technologies, if implemented properly, are designed to be proof against even the NSA's aggressive attempts to vacuum up petabytes of Internet traffic.
"We have ample evidence now that Yahoo doesn't really care about security or the confidentiality of its customers' communications," said Chris Soghoian, principal technologist at the ACLU's Speech, Privacy and Technology Project. "Whether it's the lack of encryption in Webmail, or the video issue, Yahoo has ignored repeated warnings from researchers, from human rights activists."

Yahoo users' vulnerability to snoops has been public knowledge for at least a decade. A 2004 article (PDF) in Hakin9 magazine described how to intercept Yahoo messages using the tcpdump utility. "There is no encryption, not even scrambling of the packets content," Hakin9 concluded.
Four years later, CNET contacted Yahoo as part of a privacy survey we conducted of companies providing instant messaging services. Yahoo told us that it uses SSL only to scramble the user's password during the initial authentication, and acknowledged that "Yahoo Messenger does not use encryption for message delivery."
It took Snowden's revelations to spur the company's chief executive, Marissa Mayer, into sealing this gaping security hole. In a blog post last November, nearly half a year after the spy agency files began to leak, Mayer said that Yahoo will "offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014." She stopped short of pledging that encryption would be turned on by default, however, a practice that Google's chat system and Skype have followed for over half a decade.
Yahoo has been equally sluggish in adopting encryption for Web e-mail: It finally activated HTTPS encryption for Yahoo Mail by default last month. By contrast, Google enabled HTTPS by default for Gmail in 2010, followed soon after by Hotmail. Facebook enabled encryption by default in 2012.
A Yahoo spokesman yesterday provided CNET with a statement saying: "We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."
"The only reason they're encrypting e-mail with Webmail now was a front-page story in The Washington Post," said the ACLU's Soghoian. "It was only then, in response to that coverage, that Yahoo turned on SSL by default." That October 2013 article revealed the NSA's Special Source Operations branch collected more e-mail address books from Yahoo than from all other e-mail providers combined. (Gmail addresses were exposed because of Apple's lack of encryption in its Address Book app, a security oversight that Cupertino subsequently fixed.)
Even today, after Yahoo turned on encryption by default for Web-based e-mail (but not instant messaging), it's using older protocols with some known security vulnerabilities. Yahoo's servers also don't support forward secrecy, which would offer an extra layer of protection against government eavesdropping. Google and Twitter do.
ICQ messages were also unencrypted, as you can see in the above screen capture from the Wireshark packet analyzer. AOL's AIM client leaked metadata about who's talking to whom.
(Credit: Declan McCullagh/CNET)
How we conducted the tests

We tested whether encryption was used in five messaging clients: AOL's AIM, Apple's Messages app connecting to AIM, Google Hangouts,'s ICQ, Microsoft's Skype, and Yahoo Messenger., an Internet company in Russia, where ICQ remains quite popular, bought the service from AOL in 2010.
To perform the test, we used the Wireshark packet analyzer to intercept the communications flowing between a MacBook with OS X 10.9.1 and the remote servers that each service used.
Neither ICQ nor the Yahoo Messenger Protocol encrypted the content of the communications. That meant that when we sent a message, it was transmitted across the Internet in the clear.
AOL's AIM desktop app made unencrypted connections to that transmitted unique "to" and "from" identifiers. Even if the NSA and GCHQ can't decrypt the content, the unencrypted unique identifiers could add to the agencies' vast trove of metadata charting the social connections of US and other citizens.
AOL and did not respond to requests for comment.
Google Hangouts, Skype, and Messages, on the other hand, used SSL encryption consistently. This is what we expected -- it's been reported previously, and Skype encryption has been studied in some detail -- and our tests confirmed it.
We acknowledge limitations to this test. We didn't evaluate the quality of the SSL cipher suite or its implementation. Nor did we test for certificate exploits. And we didn't test all clients; it's possible that the Windows client for AIM, for instance, behaves differently. (The protocol used by AIM supports unencrypted chats, so if you use a third-party client like Adium, be sure your privacy preferences under user accounts are set to enable encryption.)
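The judgement CNET made by looking at Wireshark output, whether a client's traffic is TLS records or readable text, can be automated for a captured stream. The following is an added example, not CNET's code; the payloads are constructed for the example rather than taken from a real capture, and only the TLS record header is validated, so a hit says "encrypted framing is present", not that the cipher suite or certificate handling is sound (the limitations the article notes above).

```python
"""Classify captured TCP payloads as TLS records or cleartext (added example
of the check CNET's Wireshark test makes by eye; not CNET's code, and the
sample payloads are constructed, not captured traffic)."""
from typing import Dict, List, Optional, Tuple

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Record-layer version field: SSLv3 is 0x0300; TLS 1.0-1.2 use 0x0301-0x0303
# (TLS 1.3 also writes 0x0303 here for compatibility).
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0",
                0x0302: "TLS1.1", 0x0303: "TLS1.2+"}
MAX_RECORD_BODY = 2 ** 14 + 2048      # RFC 5246 section 6.2.3 ceiling
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def parse_tls_record(payload: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (content type, version, body length) if payload starts with a
    plausible TLS record header, else None. The body may be truncated by the
    capture, so only the 5-byte header is validated."""
    if len(payload) < 5:
        return None
    ctype = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    if length == 0 or length > MAX_RECORD_BODY:
        return None
    return TLS_CONTENT_TYPES[ctype], TLS_VERSIONS[version], length


def printable_ratio(payload: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify(payload: bytes) -> str:
    """'tls:<type>' for a TLS record, 'cleartext' for mostly readable bytes,
    otherwise 'unknown' (proprietary binary framing or truncated data)."""
    rec = parse_tls_record(payload)
    if rec is not None:
        return "tls:" + rec[0]
    if printable_ratio(payload) >= 0.9:
        return "cleartext"
    return "unknown"


def audit_stream(payloads: List[bytes]) -> Dict[str, int]:
    """Tally one direction of a captured TCP stream. Any 'cleartext' hit
    means message content or identifiers crossed the wire unprotected."""
    tally = {"tls": 0, "cleartext": 0, "unknown": 0}
    for p in payloads:
        tally[classify(p).split(":")[0]] += 1
    return tally


# Constructed samples (not real captures): a TLS 1.0 handshake record header
# with a 42-byte body, a TLS 1.2 application-data record, a cleartext line.
SAMPLE_TLS_HANDSHAKE = b"\x16\x03\x01\x00\x2a" + bytes(42)
SAMPLE_TLS_APPDATA = b"\x17\x03\x03\x00\x10" + bytes(16)
SAMPLE_CLEARTEXT = b"hello, are you free for lunch at noon?\r\n"
```

An "unknown" tally entry is the case the AIM observation illustrates: proprietary binary framing is not cleartext, but it is not proof of encryption either, and it may still carry identifiers.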
We also didn't test mobile apps, though previous reports have pointed to some problems. A 2012 paper (PDF) presented at the Network and Distributed System Security Symposium said that Voypi, an iPhone messaging app, fails to use encryption.
Thijs Alkemade, a computer science student and lead developer for the Adium instant messaging application, posted a Python script last fall to intercept WhatsApp messages. He warned users of WhatsApp, which Facebook subsequently bought for $16 billion:
You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but to stop using it until the developers can update it.
An analysis of WhatsApp last week by information security firm Praetorian found encryption flaws, the company said, that "the NSA would love." WhatsApp has said it's fixing them.