Category Archives: Security

Articles analyzing other security related blog posts, or advising on new security related matters.

Heartland steps up to the challenge…

Heartland Payment Systems announced yesterday that they are taking a much more aggressive posture in response to last year’s breach of their credit card processing systems. According to Computerworld, Heartland has developed an end-to-end encryption solution using AES to protect card data transmitted to them from the merchants who use them for card processing. Computerworld even suggests this is intriguing enough that Visa is interested in adopting it above and beyond the PCI DSS standard that Visa has a major stake in defining.

As usual, I don’t comment unless I believe there are some problems with the situation. Don’t get me wrong, I am very pleased that Heartland is stepping beyond the lowest common denominator and potentially forging a new path in securing consumers’ information in transit in the North American market. The concern I have is that this “multi-million dollar technology” they have developed is not subsidized for the merchant, creating a two-tier system where only those with the highest margins can afford to adopt it. Additionally, this is only one part of the issue. In general, I do not believe the simple modem-based terminals many merchants use to communicate with Heartland are vulnerable in any serious way to begin with. The bigger issue is Visa, Mastercard, and the other credit card mafioso requiring that communications between card processors like Heartland and their networks NOT be encrypted. Good on Heartland, albeit too late to protect those who have already been victimized. Hopefully this will inspire the industry to reconsider its checkered past and do what we all assumed they were already doing: the right thing.

Conficker the reason for Woz’s success? (humour)

As is my Sunday afternoon ritual, I am tuned in to TWiT Live watching Leo Laporte, John Dvorak and Becky Worley discuss the week’s tech news. After chatting about Woz’s performance on Dancing With the Stars (dancing Teletubby, anyone?), she jokingly mentioned that Conficker must be behind the quantity of online votes that propelled Woz to the next round. After hearing this, I couldn’t help but post a note up here, as the press has been chattering non-stop about what Conficker’s operator will do with the botnet starting April 1, when its new domain contact mechanism kicks into gear. Graham Cluley of Sophos, a colleague of mine, posted about this phenomenon on his blog this week, as did many others. Even 60 Minutes is airing a segment about it, and I am getting quite annoyed, as the public will be whipped into a frenzy over absolutely nothing. Whether Conficker’s herders do anything on April 1 is yet to be seen, yet a simple shifting of gears in a piece of malware is not indicative of anything whatsoever (other than a change in its behavior, which has already occurred a few times in its lifecycle).

And for those of you who want to know more, you can read a couple of articles where I was used as a reference… and USA Today

Parking Malware? Is nothing safe?

While reading through my blog lists this week I ran across this article from SANS: Malware Infection That Began with Windshield Fliers. I have to admit the cleverness of the approach, and the covering of tracks by blurring the license plates with Paint Shop Pro (if we knew whose car it was, perhaps there is footage from a parking lot camera of the criminal?). The message that no surfing is without risk unfortunately seems to be playing out in more and more areas of our daily life. As a security professional I sure would not have suspected the URL of being malicious, and would likely have surfed to the address to see what the story was… Of course I wouldn’t click to load a plugin, nor likely use Windows or Internet Explorer, but that alone does not ensure my safety. What if the exploit were in a PDF photograph of your supposed illegal action? Would you be safe and cozy on your Mac?

This disturbing trend is related to the Fake-AV malware attacks, and if this method of criminal wealth distribution continues unhindered, we will see these types of attacks seeping into every aspect of our daily lives. did an incredible write-up of how these scams work, including the fact that some of these scammers can pull in over $150,000 USD per week. What’s new about this parking scam is that it shows how the affiliate method of criminal wealth distribution gives small-time con artists new techniques to bring home the bacon. The botnets and infected web pages are nothing new, and certainly not unexpected. The use of these systems to do highly localized and targeted attacks that literally “take it to the streets” is quite scary. What’s next? Fake classified ads in your local paper? Advertisements on cable for the Shazam-Wow with an infected URL? Postcards?

I always try to wrap up these articles with some sort of idea of what we can do, both those of us who are potential victims (all of us) and those of us in the security industry. This particular nut is a tough one to crack. Most of these affiliate networks are part of the Russian Business Network, and many appear to be based in Saint Petersburg, Russia. Can our governments apply pressure to the Russian authorities to take any meaningful action? Unlikely… With an estimated hundreds of millions of dollars in scam/fraud/botnet service revenue per year, the Russian economy probably welcomes the additional cash infusion from the West to the struggling ruble.

One of the only methods I see that can genuinely make a difference is to start organizing to put pressure on the Payment Card Industry. I do not have a specific bone to pick with these folks, but it does seem that they are putting a lot of us at risk recently. Somehow these affiliates are laundering millions of dollars (duly paying the card industry its share of the illegal proceeds, of course) through the payment card system, and yet someone is always standing by to provide payment processing to known cyber-criminals. I can’t say for sure, but according to the SecureWorks analysis of the rogue anti-virus referenced earlier, ChronoPay doesn’t seem shy about providing card services to criminals… for a small fee, of course. They are based in the Netherlands, and I am sure MasterCard, Visa and others must see an awful lot of unusual activity from some of their customers… yet the money continues on unobstructed from the pockets of duped consumers. ChronoPay has an illustrious history, as they also provided payment services for

As if the collapse of the global economy isn’t enough to draw our attention to the reckless behavior of the financial services industry, I guess this is just another example of greed over responsibility. Maybe I should retire to Saint Petersburg and enjoy the residual benefits.

Heartland breach exposes major flaws in payment card processing

Over the past week there has been much discussion of the recent Heartland Payment Systems security breach that exposed millions of credit cards to theft, as noted here: USA Today Heartland Breach. As the story has developed, the brokenness of the current PCI DSS standards becomes more and more apparent. What concerned me most about this incident is the industry’s response to the situation. They seem to either miss the point, or simply not care. The article I found most disturbing is from StorefrontBacktalk. I will quote a few pieces that perhaps someone more familiar with payment card processing can explain to me:

StorefrontBacktalk: ‘Heartland officials said it won’t be known for certain who was behind this attack until all the investigations are complete. However, preliminary indications are pushing them to suspect a fully external attack, with no indications at this time of any help from any Heartland employee or contractor. “The existence of a key logger, that could certainly have been by an outsider,” Baldwin said.’

Why are payment card systems externally accessible at all? This seems to be a fundamental flaw of the whole system. Given that Visa, Mastercard and others require private networks for the transmission of transactions and approvals, why on earth would these have even the most tenuous connections to the Internet? I work for an anti-virus vendor and we take extreme measures to guarantee the air gaps between our research networks and anything else that could remotely come into contact with a customer or the Internet. This is even more difficult for us, as it requires the complexity of emulating the entire Internet in order to research the behaviour of these worms, trojans, bots, etc. It just seems natural that payment card processing would be air-gapped in every possible way from the Internet, especially at any point where transactions are in a decrypted state.

StorefrontBacktalk: ‘End-to-end encryption is far from a new approach. But the flaw in today’s payment networks is that the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This approach avoids forcing the card brands to have to decrypt the data when it arrives.’

What exactly is a secure connection? One in which a server on either end can be compromised and invalidate any supposed security this connection may possess? I don’t really understand how you can consider a connection secure when the endpoints themselves aren’t secured. This idea of security provides about the same level of protection as a warm fleece blanket… It feels nice, but swords pierce it as easily as if it were not there. When people use SSL they get this warm fuzzy feeling as well… The connection is secure! It’s safe to type all my personal details, PINs, account numbers, etc. All of that is for naught if your endpoint isn’t protected, or if you are silly enough to perform these transactions at your local library.

StorefrontBacktalk: ‘CFO Baldwin was asked whether a more airtight resolution would be preferable. “The more players you have to get to change their behavior, you grow the challenge to get any change implemented exponentially,” he said, adding that “the actual amount of losses due to fraud is at a very, very low level,” which forces “an appropriate cost-benefit analysis. For the system as a whole, it just may not be worth it (to try and do a complete overhaul). We’re reducing that window rather dramatically, working with a limited number of players.”’

So what he is really saying is that this is about the cost to the industry, and that our time, emotional distress and fear don’t play into their calculations. Fraud is very, very low…? According to more than 10 million Americans experience this side effect of data leakage, and it costs tens of billions of dollars. One estimate puts US credit card fraud as affecting 1 in 20 cardholders… or 15 million people. Just a small problem, no worries. I hope the average 350 days you spend trying to fix your credit record after identity theft/fraud is well spent, but it didn’t cost them a dime.

Shame on you. It’s time to start carrying a secure money clip with the currency of choice contained within and tell the industry how we feel.