Friday, June 13, 2008

PCI compliant but still hacked

The malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider, the letter states. Foreign crime rings have been blamed in a number of other payment card fraud cases.
Hannaford said in its letter that it was certified a year ago as meeting card security standards and was recertified on Feb. 27. Eleazer said that was the day Visa first notified Hannaford of unusual card activity and began its investigation. That the standards did not stop the thieves, she said, "speaks to the increasing sophistication of the criminal element that propagates these attacks."
It looks to me like Hannaford made the mistake of allowing "multi-level access" in a "single level" network. Servers that handle payment card data must be prevented from reaching, or being reached from, any unauthorized network or end-point.

These servers and the processors they communicate with should have been in a "PCI trust zone." All other systems would have been in an "untrusted zone." Then it would be a simple matter for an IDP/NAC appliance to detect and prevent this type of breach: a card-handling server batching records and pushing them to an unknown offshore address is exactly the kind of conversation a default-deny zone policy refuses.
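To make the trust-zone idea concrete, here is an added example (not code from the original post or from any vendor product) of the policy logic such an appliance applies: every flow that touches the PCI zone must match an explicit allow-list, and everything else is blocked. The zone addresses, the allow-list entries and the sample flow records are all constructed for this example; the "batched upload to an external FTP host" flow is a stand-in for the kind of exfiltration the article describes, not a reconstruction of the actual breach.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (hypothetical): private space plus RFC 5737 test ranges.
ZONES = {
    "pci":       ipaddress.ip_network("10.10.0.0/24"),      # servers that touch card data
    "processor": ipaddress.ip_network("198.51.100.0/24"),  # payment processor endpoints
    "untrusted": ipaddress.ip_network("10.0.0.0/8"),       # store LAN, corporate, everything else
}

# Allowed conversations involving the PCI zone: (src zone, dst zone, dst port).
# Any other flow that touches "pci" is denied by default.
PCI_ALLOW = {
    ("pci", "processor", 443),   # authorisation requests to the processor over TLS
    ("pci", "pci", 1433),        # intra-zone database traffic
    ("untrusted", "pci", 8443),  # POS front-ends submit transactions here
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def zone_of(addr: str) -> str:
    """Map an address to a zone name; most specific prefix wins, unknown -> external."""
    ip = ipaddress.ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if ip in net:
            return name
    return "external"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one flow record."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "pci" not in (src_zone, dst_zone):
        return ("allow", "does not touch the PCI zone")
    if (src_zone, dst_zone, flow.dport) in PCI_ALLOW:
        return ("allow", f"{src_zone}->{dst_zone}:{flow.dport} is on the allow-list")
    return ("block", f"{src_zone}->{dst_zone}:{flow.dport} is not on the allow-list")


def blocked_flows(flows: list[Flow]) -> list[Flow]:
    """Flows the zone policy would stop; these are also the ones worth alerting on."""
    return [f for f in flows if evaluate(f)[0] == "block"]


# Constructed sample flow records (hypothetical traffic, not captured data).
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "198.51.100.7", 443, 2_048),        # pci -> processor, allowed
    Flow("10.10.0.5", "10.10.0.9", 1433, 512),            # pci -> pci database, allowed
    Flow("10.20.3.4", "10.10.0.5", 8443, 1_024),          # POS -> pci front door, allowed
    Flow("10.20.3.4", "10.10.0.5", 22, 256),              # store LAN ssh into pci, blocked
    Flow("10.10.0.5", "203.0.113.50", 21, 48_000_000),    # pci -> external FTP upload, blocked
    Flow("10.20.3.4", "203.0.113.9", 443, 4_096),         # untrusted -> internet, out of scope
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:5} {f.src:>12} -> {f.dst:>14}:{f.dport:<5} {f.bytes_out:>10} B  {reason}")
```

The point of the allow-list being a set of (zone, zone, port) tuples rather than a list of blocked destinations is that the offshore ISP never has to be known in advance: the upload is refused because it is not one of the three sanctioned conversations, which is what a trust zone buys you that a blacklist does not.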

Tuesday, May 27, 2008

Virtualization Security Getting Some Attention

My response to "Who Owns Virtualization Security" blog:

Virtualization absolutely presents us with the possibility of avoiding past mistakes and making virtual infrastructure (VI) more secure than the physical infrastructure it replaces.

Why?

  1. Virtual security appliances and hypervisor APIs have made it possible for us to build security into the VI fabric at all layers.
  2. The virtualization platforms give us the tools to automate deployment of primary controls, secondary controls and separation of duties throughout the virtual data center.
  3. Virtualization means we can simplify security management and make true defense-in-depth affordable for everyone.
  4. Secure hypervisors, their APIs and the right application of security smarts means we can build agent-less security that protects against rootkits, spyware and almost all forms of malware.
  5. Virtual security appliances allow us not only to write good security policy but also to automatically enforce policy and provide continuous compliance auditing for the VI.
  6. All of the above means we can create tools for secure life-cycle, trust zones, trusted data paths and secure management in ways never possible with physical infrastructure.


We (as vendors) have a responsibility to educate the IT community about the myths and realities of VI security. The platform OEMs must recognize that simply saying virtual is more secure than physical is a disservice to all of their customers. When the manufacturers provide the security community the tools and support we need _and_ intelligently inform the market about real risks, then, and only then, can we make virtual more secure than physical.

(more to come)

Sunday, January 27, 2008

French bank details $7.2 billion loss

This sort of thing makes me think that in some cases it is more than greed. It must also be the "thrill" of beating the system.

Being smarter -- thinking you can out-smart everyone else?

Michael
---------------------------
French bank Societe Generale described Sunday how one of its traders allegedly carried out a $7.2 billion (€4.9 billion) fraud, how the loss came to light and what it is doing to ensure such a case does not recur.
The 31-year-old trader, Jerome Kerviel, started working at the bank in 2000 and spent his first five years there overseeing traders, the bank said in a five-page summary of events.

"Consequently, he had a very good understanding of all of Societe Generale's processing and control procedures," it said.

Kerviel apparently put that knowledge to use after he became a trader for the bank involved in arbitrage -- the practice of buying a portfolio of financial instruments in one market and selling a similar offsetting portfolio at the same time that had a slightly different value. The idea is that, in such trades, the risk of major loss would be minimized.

In fact, Kerviel's first portfolio of financial instruments -- in his case futures -- included genuine operations -- but the offsetting portfolio proved to be "fictitious," the bank said.

"As a result, the trader was able to hide a very sizable speculative position, which was neither consistent with nor related to his normal business activity for the bank," Societe Generale said.

French police questioned Kerviel on Friday and searched his apartment in a Paris suburb Friday night. Efforts to reach his attorneys for comment have been unsuccessful.

Finance Minister Christine Lagarde said Friday that she would meet with banking regulators Monday to establish a timeline of events that led to the massive trading loss.

According to Societe Generale, Kerviel used his early banking experience "to successfully circumvent all the controls which allow the bank to check the characteristics of the operations carried out by its traders, and consequently their real existence," it said.

For example, it said, Kerviel chose operations that had no cash movements or margin call and that did not require immediate confirmation and he canceled certain operations by using access codes assigned to other bank employees.

In addition, it said, he falsified documents and made sure that his fictitious operations involved different instruments from the ones he had just canceled, thereby reducing his chances of being controlled.

But about mid-January, bank officials detected "abnormal counterparty risk," and Kerviel's explanations led to additional controls being placed on his activities, the bank said.

Then, on Friday, January 18, Kerviel's bosses were informed and an investigation had begun.

The next day, after a large bank told Societe Generale that it did not recognize an operation, the trader "acknowledges committing unauthorized acts and, in particular, creating fictitious operations," his employer said.

By early afternoon on Sunday, January 20, the bank's fraudulent position had been calculated at approximately 50 billion euros ($73.6 billion), and "the unwinding of the fraudulent position begins in particularly unfavorable market conditions."

In fact, the timing was terrible. On Jan. 18, European markets had swooned and two days later, the Asian markets tumbled, too. By January 23, "the unwinding" was completed and the total loss calculated at 4.9 billion euros ($7.2 billion).
Since then, the bank said, it has tightened its controls to ensure such an operation cannot recur.

Wednesday, October 3, 2007

Virtualised desktops will end laptop management

With virtual desktop infrastructure (VDI) there are at least three modes of operation:

  1. IT controls VDI completely: the desktop is "thin" and only IT-approved virtual machines are allowed.
  2. IT does not completely control the desktop, and the options get complicated fast:
    a) user virtual machines are allowed
    b) user controls the host
Looking at option 2a, we could have rogue guests, infected guests, any kind of guest ... telling them apart and acting accordingly will be fun!

Looking at option 2b, I can buy a Macintosh or Linux or windoze and as long as I can run the IT approved virtual machine, then IT is happy. But what if my Macintosh is owned by the Uzbek barbarian horde? Have I just given the Horde access to my corporate network?

Lots of interesting questions arise. We have our own use case right here at Catbird. The "approved" IT image is Windows XP with Microsoft Office.
We allow a VDI where an employee can use a Macintosh to run Windows in a vm. We're happy until there is a mac worm!

For example, an organization using Active Directory to lock down their desktops ... Active Directory does nothing to lock down a Macintosh.

How is a Windows-savvy IT team going to cope with users running Ubuntu, Fedora, Macintosh ... VDI is going to lead to an explosion of host operating system diversity. This will be very exciting for those of us running Windows under duress.

There will be a huge value in giving IT the tools to manage and secure a highly diverse and constantly changing environment.

Saturday, September 22, 2007

Another one from SANS newsbites

A vulnerability scan would have warned them that their Cerberus implementation was open to attack. Either they were not validating their security compliance, or they were not following an effective process for curing their vulnerabilities.
--Layered Technologies Customer Data Stolen (September 19 & 20, 2007) An attack on a helpdesk application in Layered Technologies' support database has compromised the security of personally identifiable data of as many as 6,000 of the server hosting company's customers. The data include names, addresses, phone numbers and server login details.
Layered Technologies is asking all its customers to change their login credentials. The attack occurred on the evening of September 17, 2007.
http://www.theregister.co.uk/2007/09/19/layered_technologies_breach_disclosure/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038040&source=rss_topic17

Wednesday, September 19, 2007

Highlights from a recent SANS News bites

From SANS ... note that bank account details are now worth $400 per account.

TOP OF THE NEWS

--Ameritrade May Have Been Aware of Breach for a Year (September 14, 15 & 17, 2007) Online brokerage TD Ameritrade Holding has acknowledged that a data security breach has compromised more than 6.3 million accounts. The database contains customer names, addresses, account numbers, Social Security numbers (SSNs) and birth dates. The attackers gained access to the database through a backdoor program they had installed on the TD Ameritrade network. TD Ameritrade says it has removed the rogue code from its systems. The intrusion was discovered in the course of an investigation into stock-related spam that had been reported by the company's customers. An attorney representing plaintiffs in a planned class action lawsuit against the online broker alleges that the company knew of the data security problem for a year before customers were notified. Furthermore, the suit alleges that the company kept entering customer data into the vulnerable database during an internal investigation.
http://www.theregister.co.uk/2007/09/15/ameritrade_database_burgled/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036639&source=rss_topic17
http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807006

--Symantec Report: Malware Moves Toward Commercialism (September 17 & 18, 2007) Cyber attackers aiming to damage computers or inconvenience users are giving way to more financially motivated criminals. According to Symantec's most recent Internet Security Threat Report, cyber criminals are turning to good business practices to ply their trade. Some malware purveyors are offering guarantees about the performance of their products as well as updates to keep the products current. The report also notes that phishers are scouring social networking sites to gather personal information, which they then use to create targeted emails that lure recipients to phony sites where they can harvest valuable data.
Stolen bank account details are being sold online for as much as US $400 apiece. In addition, levels of pump-and-dump schemes and image-based spam have decreased.
http://www.technewsworld.com/story/59374.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036819&source=NLT_SEC&nlid=38
http://www.itnews.com.au/News/61398,fraudsters-go-all-out-for-social-networkers.aspx

Thursday, August 9, 2007

The Game Is Not Over -- Security for your web site

  1. Man-in-the-middle (MITM) attack against SSL plus Sitekey/Passmark – The Stop-Phishing Research Group at Indiana University demonstrates that if you are not very careful about the URL and the SSL certificate, and most people are not, the attacker will be successful.
  2. Sniffing a connection to steal session cookies to bypass user authentication – Robert Graham of ErrataSec has demonstrated why you need a security barrier for your laptop at Starbucks (if his name for this attack, "side-jacking", sticks, then we might as well all give up and start referring to SSL as a condom for your browser).
  3. If you think you don't have to worry about these exploit techniques, then you had better have the Security Excuse bingo card (found on Schneier on Security).

It looks pretty bad. SSL can be bypassed, authentication cookies can be stolen. If you follow the blogosphere's impression of the recent Blackhat/Defcon events, it's all useless and there is nothing we can do to stop the crooks. To top it all off, there isn't just one Hackistan (great Yak snacks by the way), there are many Hackistans, and no web site is too small or broad-band connected PC too innocent for them to exploit.

Truth is, if a malicious hacker with the capabilities of a Grossman, Skoudis or Moore is after your site, then you will get hacked. Lucky for you these guys are busy™.

Solutions? Focus on your business needs and take some precautionary steps:

  • Run traditional vulnerability scans (because Skoudis and Moore teach us that the old problems are new again)

  • Run a web application scanner and use a secure coding inspection tool, Grossman and Zorkul are better, but it’s foolish not to automate everything you can

  • Use SSL from start to finish on your web site; you have an obligation to protect the integrity and security of all the data exchanged between your site and your customer's browser – otherwise you're giving it away to any crook with a copycat access point or a promiscuous wireless card

  • Don't ignore MITM because you think it is hard, it gets easier to do every day – Lucky for all of us, it's also getting easier to protect against and detect MITM, Pharming, Hijack and Malware Injection, I know someone who can help

  • Last but not least, plan on getting hacked, have an incident response plan and be prepared, playing security excuse bingo is a losing strategy

Get started today!
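Items 2 and the "SSL from start to finish" bullet above come down to one mechanism a site owner controls: a session cookie issued without the Secure flag will be sent by the browser on any plain http:// request to the same host, which is all a sniffer at the coffee shop needs. The following is an added example (not code from the original post or from any product named on the page) that audits Set-Cookie headers the way a web-application scanner would, and shows which cookies a browser would expose on a plaintext request. The header lines, the cookie names and the list of "session-like" names are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed response headers from a hypothetical login endpoint (not a real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),                   # no Secure, no HttpOnly
    ("Set-Cookie", "prefs=lang%3Den; Path=/; Max-Age=2592000"),   # harmless preference cookie
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=lang%3Den; Path=/; Max-Age=2592000"),
]

# Cookie names treated as authentication tokens for this example (hypothetical list).
SESSION_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_cookies(headers):
    """Yield (name, morsel) for every cookie set in a list of (header, value) pairs."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            yield key, morsel


def audit_cookies(headers):
    """Findings for session cookies missing the flags that keep them off the wire / out of script."""
    findings = []
    for key, morsel in parse_cookies(headers):
        if key.lower() not in SESSION_NAMES:
            continue
        # SimpleCookie stores these flags as True when present and "" when absent.
        if not morsel["secure"]:
            findings.append(f"{key}: missing Secure; browser will send it over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{key}: missing HttpOnly; readable by script injected into the page")
    return findings


def cookies_sent_on_plain_http(headers):
    """Names a browser would attach to an http:// request to this host, given these cookies."""
    return [key for key, morsel in parse_cookies(headers) if not morsel["secure"]]


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: findings={audit_cookies(hdrs)}")
        print(f"{label}: sent over plain http={cookies_sent_on_plain_http(hdrs)}")
```

The audit only answers the question the bullet list raises, whether the token can leak; SSL "from start to finish" is what makes the Secure flag usable in the first place, since a site with a single http:// page that needs the session would have to drop the flag to keep working.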