Heartland steps up to the challenge…

Heartland Payment Systems announced yesterday that they are taking a much more aggressive posture in response to last years breach of their systems for credit card processing. According to Computer World Heartland has developed an end to end encryption solution utilizing AES to protect card data transmitted to them from the merchants who use them for card processing. Computer World even suggests this is intriguing enough that Visa is interested in adopting it above and beyond the PCI/DSS standard that Visa has a major stake in defining.

As usual, I don’t comment if I don’t believe there are some problems with this situation. Don’t get me wrong, I am very pleased that Heartland is stepping beyond the lowest common denominator and potentially forging a new path in securing consumers information in transit in the North American market. The concern I have is that this “multi-million dollar technology” they have developed is not subsidized to the merchant, creating a dual-tier system where only those with the highest margins can afford to adopt the technology. Additionally, this is only one part of the issue. In general, I do not believe the simple modem-based terminals many merchants use to communicate with Heartland are vulnerable in any serious way to begin with. The bigger issue is Visa, Mastercard, and the other credit card mafioso requiring communications between card processors like Heartland and their networks NOT be encrypted. Good on Heartland, albeit too late to protect those that have already been victimized. Hopefully this will inspire the industry to reconsider its checkered past, and do what we all assumed they already were doing.. The right thing.

Conficker the reason for Woz’s success? (humour)

As is my Sunday afternoon ritual, I am tuned(?) into TWiT Live watching Leo LaPorte, John Dvorak and Becky Worley discuss the weeks tech news. After chatting about the Woz’s performance on Dancing With the Stars (dancing tele-tubby anyone?) she jokingly mentioned that Conficker must be behind the quantity of online votes that propelled Woz to the next round. After hearing this, I couldn’t help but post a note up here, as the press has been chattering non-stop about what Confickers’ operator will do with the botnet starting April 1 when its new domain contact mechanism kicks into gear. Graham Cluley of Sophos a colleague of mine posted about this phenomenon on his blog this week, as did many others.  Even 60 Minutes is airing a segment about it, and I am getting quite annoyed as the public will be whipped into a frenzy over absolutely nothing. Whether Conficker’s herders do anything on April 1 is yet to be seen, yet a simple shifting of gears in a piece of malware is not indicative of anything whatsoever (other than a change in its behavior which has already occurred a few times in its lifecycle).

And for those of you who want to know more, you can read a couple articles where I was used for a reference…

Lastwatchdog.com and USA Today

Macaroni and Cheese.. Ultimate comfort food, done family style

Thought I might share my recipe for the family Mac and Cheese I made this weekend with any of you looking for a traditional home-style recipe.

Homemade Mac and Cheese

Macaroni and Cheese

4 C. Macaroni (dry)

5 Tbs. Butter (divided)

4 Tbs. All Purpose Flour

1 Tsp. Salt

5 C. Milk (Room temperature)

3 C. Shredded Cheese (Fresh. At least 2 types, one strong (Gruyere, Cheddar, etc) and one mild and creamy.

1/2 C. Bread Crumbs (Fresh from stale bread)

Paprika to garnish

Cook Macaroni to slightly less than done (6 Minutes). In medium pot (2 QT.) melt 4 Tbs. butter and bring to medium heat. Once at temperature, add flour and make a roux. Add salt, milk, and shredded cheese. Proceed to produce a cheese sauce. Place macaroni in a casserole/baking dish and add cheese sauce.  Melt remaining 1 Tbs.  butter in a cast-iron or stainless steel skillet over medium heat. Add breadcrumbs and toast lightly in butter. Sprinkle toasted breadcrumbs on dish and add paprika for color as needed. Bake at 375 degrees for 25 minutes.

Parking Malware? Is nothing safe?

While reading through my bloglists this week I ran across this article from SANS: Malware Infection That Began with Windshield Fliers. I have to admit the cleverness of the approach, and the covering of tracks by blurring the license plates with Paint Shop Pro (If we knew whose car it was, perhaps there is footage from a parking lot camera of the criminal?). The message that no surfing is without risk unfortunately seems to be playing out in more and more areas of our daily life. As a security professional I sure would not have suspected the URL of being malicious, and would likely have surfed to the address to see what the story was… Of course I wouldn’t click to load a plugin, nor likely use Windows or Internet Explorer, but that alone does not ensure my safety. What if the exploit were in a PDF photograph of your supposed illegal action? Would you be safe and cozy on your Mac?

This disturbing trend is related to the Fake-AV malware attacks, and if this method of criminal wealth distribution continues unhindered, we will see these types of attacks seeping into every aspect of our daily lives. Secureworks.com did an incredible write-up of how these scams work including the fact that some of these scammers can pull in over $150,000 USD per week. What’s new about this parking scam is that it shows how the affiliate method of criminal wealth distribution gives new techniques to small time con artists to bring home the bacon. The botnets and infected webpages are nothing new, and certainly not unexpected. The use of these systems to do highly localized and targeted attacks that literally “take it to the streets” is quite scary. What’s next? Fake classified ads in your local paper? Advertisements on cable for the Shazam-Wow with an infected URL? Postcards?

I always try to wrap up these articles with some sort of an idea of what we can do. Those of us that are potential victims (all), and those of us in the security industry. This particular nut is a tough one to crack. Most of these affiliate networks are part of the Russian Business Network, and many appear to be based in Saint Petersburg Russia. Can our governments apply pressure to the Russian authorities to take any meaningful action? Unlikely… With estimated 100’s of millions of dollars in scams/frauds/botnet service revenue per year, the Russian economy probably welcomes the additional cash infusion from the west to the struggling Ruble.

One of the only methods I see that can genuinely make a difference is to start organizing to put pressure on the Payment Card Industry. I do not have a specific bone to pick with these folks, but it does seem that they are putting a lot of us at risk recently. Somehow these affiliates are laundering millions of dollars (duly paying the card industry their illegal share of course) through the payment card system, and yet someone is always standing by to provide payment processing to known cyber-criminals. I can’t say for sure, but according to the SecureWorks analysis of the Rogue Anti-Virus referenced earlier ChronoPay doesn’t seem shy about providing card services to criminals.. For a small fee of course. They are based in the Netherlands, and I am sure MasterCard/Visa and others must see an awful lot of unusual activity from some of their customers… yet the money continues on unobstrcuted from the pockets of duped consumers. ChronoPay has an illustrious history as they also provided payment services for AllofMP3.com.

As if the collapse of the global economy isn’t enough to draw our attention to the reckless behavior of the financial services industry, I guess this is just another example or greed over responsibility. Maybe I should retire to Saint Petersberg and enjoy the residual benefits.

Heartland breech exposes major flaws in payment card processing

Over the past week there has been much discussion of the recent Heartland Payment Systems security breach that exposed millions of credit cards to theft as noted here: USA Today Heartland Breech. As the story has developed the brokenness of the current PCI/DSS standards becomes more and more apparent. What concerned me most about this incident is the industry’s response to the situation. They seem to either miss the point, or simply don’t care. The article I found most disturbing is from StorefrontBacktalk. I will quote from a few pieces that perhaps someone more familiar with payment card processing can explain to me:

StorefrontBacktalk: ‘Heartland officials said it won’t be known for certain who was behind this attack until all the investigations are complete. However, preliminary indications are pushing them to suspect a fully external attack, with no indications at this time of any help from any Heartland employee or contractor. “The existence of a key logger, that could certainly have been by an outsider,” Baldwin said.’

Why are payment card systems externally accessible at all? This seems to be a fundamental flaw of the whole system. Being that Visa, Mastercard and others require private networks for the transmission of transactions and approvals, why on earth would these have even the most tenuous connections to the Internet? I work for an anti-virus vendor and we take extreme measures to guarantee the air gaps between our research networks and anything else that could remotely come into contact with a customer or the Internet. This is even more difficult as it requires the level of complexity of emulating the entire Internet in order to research the behaviour of these worms, trojans, bots, etc. It just seems natural that payment card processing would be air-gapped in every possible way from the Internet, especially at a point where transactions are in a decrypted state.

StorefrontBacktalk: ‘End-to-end encryption is far from a new approach. But the flaw in today’s payment networks is that the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This approach avoids forcing the card brands to have to decrypt the data when it arrives.’

What exactly is a secure connection? One in which a server on either end can be compromised and invalidate any supposed security this connection may possess? I don’t really understand how you can consider a connection secure when the endpoints themselves aren’t secured. This idea of security provides about the same level of protection as a warm fleece blanket… It feels nice, but swords can pierce it with the same agility as if it were not there. When people use SSL they get this warm fuzzy as well… The connection is secure! It’s safe to type all my personal details, PINs, account numbers, etc. All of that is for naught if your endpoint isn’t protected, or if you are silly enough to perform these transactions at your local library.

StorefrontBacktalk: ‘CFO Baldwin was asked whether a more airtight resolution would be preferable. “The more players you have to get to change their behavior, you grow the challenge to get any change implemented exponentially,” he said, adding that “the actual amount of losses due to fraud is at a very, very low level,” which forces “an appropriate cost-benefit analysis. For the system as a whole, it just may not be worth it (to try and do a complete overhaul). We’re reducing that window rather dramatically, working with a limited number of players.”’

So what he is really saying is that this is about the cost to the industry, and that our time, emotional distress and fear don’t play into their calculations. Fraud is very, very low….? According to combat-identity-theft.com more than 10 million Americans experience this side effect of data leakage, and it costs 10’s of billions of dollars.  One estimate puts US credit card fraud as affecting 1 in 20 cardholders… Or 15 million people. Just a small problem, no worries. I hope the average 350 days you spend trying to fix your credit record from identity theft/fraud is well spent, but it didn’t cost us a dime.

Shame on you. It’s time to start carrying a secure money clip with the currency of choice contained within and tell the industry how we feel.

Google Android Dev-1, Why are simple things so complex?

So the saga began… I purchased one of the Android G1 phones from the Google Android Developer Program. Currently the G1 is not available in Canada, but I am quite excited about this platform and am interested in developing some simple apps for it. All of the coolness (if not more) of the iPhone, without Brother Jobs interfering with my experience.


It arrived on Monday, and I eagerly cracked open the packaging. The first thing you need to do if you are not on a TMobile network is program your APN. The phone comes with a handy insert with a URL to find the appropriate APN information for your local GSM provider. The more annoying thing is you cannot setup the phone without access to GPRS/EDGE/3G. Although the phone itself supports wifi, it will not allow you to set it up without the use of a carriers network (Yes, I know there are workarounds, but I didn’t know that then.).  I walked up the street to the closest Rogers Wireless to purchase a SIM chip and provision it with a generous data plan to play with on my time off for the Christmas holiday. Firstly, the Rogers store was out of SIM chips! (WTF?) They refer me to another cellular store in the mall and I go down and they have a good deal for a free SIM chip with a data contract, which I am convinced I will keep, so I go through the motions. An hour later I leave, and am told it will be active within a few minutes. I pop it into the phone and wait… And wait. The GSM goes active (full bars), but I never get the Edge icon. I am also disappointed to report that the G1 will not work on the Canadian 3G networks, as it is only dual-band and does not support the frequencies Rogers/Fido have deployed.

Later I get home, and I decide to pop in my SIM from my Blackberry, to see if it works. Sure enough, the Edge icon appears nearly immediately (confirming my APN settings are correct) and I can provision the phone and connect it to my Gmail/Google account. At least I can use it wifi now on my home network (full support for WPA2). So now I am getting puzzled. As reported by others, it will not work with a Blackberry plan, yet my Blackberry SIM chip on Rogers works fine… Still no dice on my new SIM. I call Rogers (total time spent 6 hours…) and have them change the plan to every available option (iphone, Blackberry, Blackberry BES, etc) and none of them work. It is very frusterating, and the SIM must be valid as I can make and receive phone calls. I am now waiting for the holiday rush to die down, and will start troubleshooting with Rogers again in a day or two. Any advice, please post to the comments.


UPDATE: Finally resolved, after two more trips to Rogers and essentially all the assistance of a pet rock. The issue occurs if you use an older SIM to do your activation, then purchase a newer generation SIM. Unfortunately the web is full of contradictory information, but reading all of it I got it fixed. When you create a new APN in Android, it will read the MNC and MCC from the SIM that is inserted at the time. In my case it was my SIM from my non-3G Blackberry. It read the Rogers MCC/MNC as 302-72, and of course it worked in my phone no problem.. Then I got my NEW Rogers SIM, which if you look at the end of the number on the SIM ends in .2 (3G compatible) and for these Rogers changed their MNC to 720. The APN add tool only reads the MCC/MNC on initial creation of the APN setting, and does not read it from the SIM on subsequent boot-ups, hence not allowing me to connect to the data network. After adding the missing 0 to the end, it immediately connected and worked. For more Canadian (Rogers/Fido/Microcell) information on this issue please reference the following posts: Android Forums , Numbering Plans (Global)

2005 Black Swan Shiraz — South Eastern Australia

I purchased a bottle of Shiraz this week from our local liquor store here in Vancouver, BC. The price here was quite economical ($9.99 CDN) by local standards, so I thought we should give it a try. This wine is by no means phenomenal, however it reminds me a lot of my current favourite wine the California Zinfindel. It’s quite fruity, and a touch spicy. It has that touch of pepper that makes me such a fan of Red Zin. For $10 its a great wine, although it would be better if it were a touch drier.

I consider this a 3 out of 5 on the warped taste scale that is so unique to each of us.

Bittersweet Chocolate Marquise with Cherry Sauce

After getting off to a slow start, here is my first entry in the food category of the new blog here. Some folks might find some value in this, but one of my primary motivations for creating this is to track where I’ve been, how well it worked, and improvements I might make.

I was entertaining for my wife and a friend last night (rfb) and decided to make this dessert recipe on a hot summer day. We had summer favourites like shish-kabob’s and some homemade macaroni salad as well. It was all good, we finished up, rested and it was time to try out the cake(?).

Preparation: This recipe basically results in a mousse like chocolate loaf. The recipe recommends using a loaf pan, buttering it well, and then lining it with “smooth aluminum foil”. This worked, and it didn’t… Being that you need to refridgerate this for 4 or more hours, the butter solidifies, making it near impossible to remove from the loaf pan. It’s also very dificult to get the foil smooth enough to create a visually appealing result. I think that the foil isn’t a bad idea, but I would use something that wouldn’t harden quite as much next time I do it (Spray oil?) Ideally you could use a silicone or non-stick loaf pan and avoid both the lubricant and the foil.

Taste and Presentation: It was wonderful. Not too sweet, and nice and cold on a hot summer evening. The cherry sauce pushes it over the top! I would consider putting in a bit more kirsche in the sauce, but it was really great exactly as written. Even after sitting out it didn’t melt, and seems to taste just as fresh the day after. After the tough time I had removing it from the pan, the loaf didnt look perfect, but once cut and served it looked very appetizing.

I will make this again, and recommend it as an excellent end to a summer meal.

China, Spam, SPF, and Freedom to mail

Hello Friends,

This weekend, I was reading through the copious list of emails I subscribe to when I stumbled upon an article at ARS Technica concerning China’s recently passed law requiring e-mail servers to have a license. When considered in the context of an authoritarian regime, it’s a bit chilling. Spending more time thinking about it though, and doing that thing I do at work (Internet crime fighter!) it started to look like not such a bad idea…
The whole spam problem comes down to a few inherent design problems:

  1. E-mail protocols were designed at a time when the number of machines on the Internet could be counted with fewer than 3 digits.
  2. Only universities and research institutions were online; you didn’t need to confirm the sender’s identity (and when someone forged a message it was for entertainment purposes and considered a great prank).
  3. The volume of mail was low, filtering was unnecessary, and individuals who abused the system were either booted off, or made into pariahs.
  4. DNS cannot be used reliably to determine anything. It can only passably be argued that it does forward lookups properly.

Which all leads to my dilemma: licensing of email servers is a very interesting idea when not used for the wrong reasons. The most useful way of determining the legitimacy of an email today is the reputation of the sending organization/mailer/person. But there is no reliable mechanism to determine this, and no way for your reputation to follow you. Today it is accomplished by using IP addresses, which invariably leads to more mistaken identity, rather than truly securing email traffic. IPs change and organizations are compromised, resulting in their IP addresses appearing to be bad (Stolen Identity anyone?), not to mention IPs are very easily forged.

Technologies like SPF are interesting, but there is still no way to actually hold the owners of the domains using SPF responsible for their abuse of the system. Any spammer worth his salt can publish a valid SPF record without allowing you to know who they are… And so they abuse it, and you decide that domain is not reputable and they buy another domain and publish another valid SPF record to hit you again. It’s cheap, fast, and easy.

So, you might say, why trust a domain with no reputation? Well as of July 21st, 2006 there are 72,680,308 registered domains (http://www.domaintools.com/internet-statistics/) that are valid. Do you want to miss out on email from ~70 million domains because you haven’t seen them?

Licensing domains when the purpose is censorship and control is wrong. There is no doubt that if we implemented something similar, the politicians would warp it into a scheme that none of us would like… But it does stimulate some neurons in my brain that suggest, that as a world community we might begin to find ways to tame the wild wild web.