
Hitachi ID Systems Blogs

Consumer credit card data breaches

January 14th, 2014

Another day, another breach, or so it seems.

Both Target and Neiman Marcus have been victims of large scale compromise of customer data, including credit card data:

What stands out, aside from the sheer size of these compromises (tens of millions of payment card numbers), is that they seem to have been carried off in the physical retail environment.

For a long time, the pattern of breaches reported in the press has been compromises of web sites or back-office operations, so consumers have probably come to believe that if they were at risk at all (and given the volume of online purchases, probably not many worry about this), it was when shopping on-line rather than in person.

The reality, however, is that a lot of fraud and identity theft happens in the physical world. Low tech attacks include “dumpster diving” to get personal information (discarded bank statements and the like), telephone based “social engineering” attacks (I call your bank or a retailer and pretend to be you) and in-person attacks (I visit the bank and try to impersonate you or I use a stolen truck to literally break off and haul away an entire ATM).

Now we are seeing mixed attacks. Point of sale systems in physical stores are the target, but sophisticated software does the work: RAM scrapers that read card data out of the terminal’s memory, where it sits in the clear between the card reader and the payment application, and code that sends the stolen data home.

This means that corporations have a much larger physical perimeter to protect, including their retail operations and “road warrior” users. However, the defenses have not really changed. They begin with physical security: in this case, hardened devices and locked server rooms, including in the retail world. Electronic defenses are the same as they have been for years: encrypt data at rest (filesystems, storage) and in transit, authenticate/authorize/audit both regular and privileged users, deploy and maintain anti-malware and patches, etc.

The payment card industry actually has excellent standards for this stuff. The Payment Card Industry Data Security Standard, version 2 (PCI DSS v2.0), is clear, reasonable and explicit:

One would hope that these retailers, and anyone else that touches credit card data, actually complies with these standards.

For those that need help, we do offer some assistance:

  • Hitachi ID Privileged Access Manager to secure access to root, admin, DBA and service accounts.
  • Hitachi ID Identity Manager to ensure users get appropriate access rights and have that access deactivated promptly and reliably when they leave the organization (a big deal in retail!)
  • Hitachi ID Password Manager to securely and efficiently manage corporate credentials, lowering the risk of a user’s (weak) password being compromised and that user’s access then being abused.

The bad guys have upped their game. The good guys must follow suit.

Adobe hack

October 30th, 2013

Reports are circulating today that a recent hack of Adobe and exfiltration of customer data was larger than thought – data about 38 million active users was compromised:

nakedsecurity.sophos.com

This raises some interesting questions:

  • There is a fundamental risk to a subscription-based business model, which is what Adobe.com has moved to. If you want to charge your customers monthly, like a utility, to use your products or services, then necessarily you have their contact info, credit card numbers, etc. That makes for quite an attractive target for compromise!
  • Clearly the data in question should be secured very carefully: encrypted, access controlled (e.g., using a privileged access management system), monitored, etc. Something in these controls clearly failed at Adobe.

This is a warning to customers to beware of sharing credit card and similar data with firms that have to retain it indefinitely. It is also a warning to firms that have such practices to be incredibly careful.

PCI-DSS includes lots of good guidelines about how to protect such data — I wonder which rules Adobe managed to not follow?

Finger prints again

September 23rd, 2013

Interesting. How long has the iPhone 5S been on the market? 2 weeks?

Unsurprisingly, the fingerprint scanner has already been “hacked”: if someone can take a photo of your fingerprint, for example from your beer glass, they can manipulate the photo and cast it in latex or just plain glue to make a working pattern that will unlock your phone.

The Guardian

Chaos Computer Club

This is no big deal – most and perhaps all consumer-grade fingerprint scanners are vulnerable to this kind of thing. It’s just evidence that:

  • A fingerprint scanner is all about convenience, not about security
  • If you want security, combine multiple authentication factors.

I wonder if that basic advice shows up anywhere on Apple’s marketing material or user guides? Probably not.

Fingerprint scanners: a sign of the end of growth?

September 12th, 2013

Fingerprint scanners may have seemed high tech once upon a time, but they became commodity technology years ago. In fact, for years PC makers were adding bells and whistles, and it was around the time that they ran out of useful ideas (and added fingerprint scanners) that growth in the PC business seems to have come crashing to a halt.

Now the PC makers weren’t doing anything wrong — it’s just that the market had saturated and they ran out of useful things to offer, with fingerprint scanners being the last, mostly-useless gadget they could think of to throw in for minimal incremental cost. By the time these things showed up, laptops were powerful, had lots of disk, CPU and RAM, had built-in gigabit Ethernet and WiFi, speakers and microphones, webcams, etc., i.e., quite nice machines, for not much money.

Apple just released new iPhones today, and one of them has a fingerprint scanner. I think that marks the end of growth in the smart phone hardware market, just as it did for PCs. Smart phones today are nice — high resolution colour screens, decently fast CPUs, lots of RAM and storage, WiFi, GSM, LTE, tethering, apps, music, video, document processing, GPS/navigation, accelerometers, light sensors, response to speech input, front and back cameras, etc.

I don’t think there’s all that much left to add – just slightly better, faster and cheaper with each generation.

This is a big problem for the phone manufacturers, as their volumes will (or perhaps already have?) flat-line and their margins will compress.

The only growth left is to saturate developing country markets – China, India, etc. That won’t be easy for the major players, as China at least has quite strong domestic manufacturers who play well in a market where relationships with the telcos matter a lot and where consumers are very price conscious.

So I’ll stick my neck out and make some predictions:

  • Apple revenues will stay flat and they will become a utility, as Microsoft, Cisco and Intel have before.
  • Samsung has a bit more runway (better product mix and geographic diversity) but in a couple of years they will flat line too.
  • We won’t see any major innovations in smart phones for years.
  • Maybe others will pick up on the fingerprint gimmick, and maybe not – I don’t think anyone cares.

By the way, this is only peripherally an identity-related blog entry. :-) Fingerprint scanners are a biometric authentication device, so fair game. But really, it’s about the rapid maturation and saturation of the smart phone market, which is interesting in its own right.

Governments are getting increasingly hamfisted

August 19th, 2013

Interesting reading here:

The Guardian

Basically two incidents related to the Snowden disclosures:

  • The UK government demanded (and got) destruction of physical media through intimidation of a newspaper organization.
  • The partner (read: boyfriend) of the journalist covering the story was intimidated at Heathrow and had media and personal electronics confiscated.

So what’s interesting about all this?

  • This is the UK government acting badly. I guess they take their orders from Washington now? How far has the British Empire fallen!
  • They don’t seem to realize that networks and cryptography make information basically indestructible. You cannot contain this thing – honesty is the only recourse going forward, like it or not.
  • It seems not to have occurred to them that if you hassle a journalist or their friends, they will write about it, and you will look even dumber in the public eye.

Get over it guys. The cat’s out of the bag. Everyone knows that Western governments snoop on their citizenry in a fashion not unlike that of dictatorships. Bullying people about it after the disclosure has already happened just reinforces in everyone’s minds that the government is rife with over-eager spooks with not a care for civil liberties.

How to suck at security

August 19th, 2013

I stumbled on this recently – it’s fun, and all true! :-)

http://zeltser.com/security-management/suck-at-security-cheat-sheet.html

Enjoy.

Microsoft in trouble…

August 17th, 2013

It seems that Microsoft can do no right these days.

In the public space, they seem to be an all too eager accomplice with the NSA, violating the privacy of their customers.

In the gaming world, they had dreams of device lock-in and always-on Internet for their next console, but have had to back-pedal due to consumer outrage.

In the operating system space, I recently purchased two PCs and my experience getting each to a working state was telling.

* The first PC was a laptop for my kid. I picked up a used “professional class” Lenovo on eBay for a few hundred bucks – the same thing I use myself at work. Add a mail-order SSD and voilà, a backpack-friendly notebook for my little girl. So what to install on it? I handed her a USB drive with a recent Ubuntu on it (12.04 LTS) and asked her to install the OS herself. 10 minutes later, my 13 year old was done: a fully functional machine, with a full suite of apps (including an office suite), which she was starting to personalize. 10 minutes from “that’s a new SSD” to “OK, the machine is ready to be used.” Impressive.

* The second PC was ordered a few weeks later. Also a cheap box – to replace our recently dead home Windows PC. A refurb Asus i7 with lots of RAM, a big HDD and a mid-line video card. Similarly priced to the laptop, also for light domestic duty. So how did this one go? 15 minutes to complete the half-finished OS installation. 2 hours to burn backup DVD media. 1 hour to decrapify the OS. Another 1 hour to download useful apps. Several reboots to apply tons of patches and “updates.” Total time to bring this machine to a similarly useful state? About 18 hours elapsed, 3-4 hours of intermittent human attention. Brutal.

Why would consumers put up with this? Microsoft: this is why Apple is eating your lunch! People pay hundreds of dollars to not put up with this. I even happen to think that the Win7 UI is *better* than the MacOS one and comparable to the Ubuntu one, but come on guys – hours of BS just to turn a consumer PC from a thrashing pile of almost-malware to a useful machine? And you pay $50 to $100 for the privilege of suffering that. Wow.

I don’t really know how Microsoft gets themselves out of this mess, either. Their whole commercial model depends on two franchises: Windows and Office. The rest, if I understand it right, is financially immaterial. The Office franchise is at risk from cloud apps (Google) and free apps (LibreOffice). The Windows franchise is under attack by mobile (Android, iOS) and cleaner desktop alternatives (Linux, MacOS). I get that Windows is a more robust enterprise desktop solution, able to be locked down, with central management features, but users, burned once or twice by the consumer experience, will certainly hate it. I also get that Windows is the premiere gaming platform, but are the enterprise and gaming markets enough?

To add insult to injury, I recently installed a trial of Windows 8.1. Wow – that is not a friendly desktop OS. Flaky/crashy with the main app I have Windows for (WebEx) and that whole Start page is definitely as crappy as everyone says. Who needs it? I just want to open a file or launch an app. And get this: the OS wants me to sign in with – not local creds – but creds to Microsoft’s online platform. Can you imagine if *that* credential database gets compromised? What enterprise would allow such a dumb idea? What consumers are comfortable with this? Crazy.

If I were a Microsoft shareholder, I’d be up in arms.

XKeyscore

July 31st, 2013

Just read the latest bit from our friend Mr. Snowden:

The Guardian

Interesting slides. Some thoughts:

  • This is an internal training deck, from 2008.
  • It shows full data capture – emails, VPN connections and more — in many countries around the world.
  • Data remains local — it’s not practical to feed all this stuff back to the US. Sensible architecture.
  • Interesting to see which countries are collaborating with the NSA on this kind of snooping and which are not.
  • This is from 2008. Imagine how much more they can do today!
  • Not snooping on US citizens/residents? Yeah, right.
  • Cool to see that Canada (where I live) is not on the list of cooperating states.
  • They claim the ability to decrypt VPN traffic. I wonder how that’s done? Is there some secret key leakage/disclosure going on in popular VPN client packages? This may be the most worrying bit in the presentation.
  • They claim 300 terrorists arrested using this platform. If true, and if they have convictions, this would go a long way towards justifying the whole thing. Privacy invasion to support theoretical security is one thing. To support concrete security results is something else again.

Bottom line: if they are actually putting away real terrorists with this stuff (as claimed) and are basically doing pattern match searches (almost certainly true), I’m not sure this is all that bad for my privacy or that of any other “honest citizens” — seems like a reasonable program, on that basis.

Just my $0.02. Let the flame war begin. :-)

– Idan

Floods in Calgary

July 1st, 2013

Normally I write about IT security or identity and access management.

Today I’ll take a break from that and talk about disasters and disaster recovery. Unfortunately, from first hand experience.

As some of you know, Hitachi ID Systems is headquartered in Calgary and we’ve recently had some very serious flooding here. Calgary is a pretty dry place situated at the confluence of two small rivers – the Bow and Elbow. When we get really heavy rains (always in June), it’s not unusual for a few basements to get wet, but what we just experienced is something else entirely. In a city of just over a million people, 100,000 were evacuated from their homes. Water levels in both rivers rose by several meters. Many square kilometers of the city were inundated. The damage is estimated at five billion dollars.

Calgary did not even get the worst of it. There is a nearby town called High River (yes, the irony in that does not escape anyone…) where all 13,000 residents were evacuated and most are still unable to return — some homes there are still completely submerged, about 10 days later.

Dealing with this has been quite the learning experience. It certainly puts into perspective things we see in the news, about Hurricane Sandy that recently hit the East Coast, the Fukushima disaster in Japan, Hurricane Katrina, etc. To be clear, what we suffered here was minuscule in comparison to those disasters – but seeing something like this first hand is certainly eye-opening.

First, the good: the evacuation of 10% of the city’s citizens took place over just 6 hours, in the most calm and orderly fashion imaginable. A laudable combination of responsible, effective government with clear-headed and compliant citizenry. I can just imagine that such an evacuation order, had it taken place in other parts of the world, might not have gone over as well as it did here.

Next, the bad: unimaginable damage throughout the city. Areas that are nowhere near either river and maybe 5m above it got flooded. For safety, power was cut to 20 neighbourhoods and much of it remained off for 5-7 days. Our office lost power for the full 7 days, being situated in one of the worst-hit areas.

Once the water started to recede, something really cool started to happen. Citizens descended on the affected areas by the thousands, to help with clean-up. One day, the mayor called for 600 volunteers at our football stadium. Thousands turned up. The number and energy of volunteers has been so great that the municipality could no longer help orchestrate their efforts, and instead started giving guidelines on what to do and where. Other cool stuff: effective use of social media to keep everyone apprised of road closures, flooding, cleanup processes, power cuts and recovery and more. This is one coordinated city!

We’ve had more than our share of volunteers helping to restore access to our offices too, both employees and contractors responsible for our elevator, electrical system, site security, etc. Thanks everyone!

We’re all very glad of our mayor Nenshi too. While Toronto deals with allegations that its mayor smokes crack with Somali drug dealers in low income housing, and Montreal and Laval have each replaced mayors twice in the past year or so, due to corruption allegations and charges, we have a solid guy working hard, keeping everyone up to date and keeping the recovery moving along smoothly.

So how did we do in maintaining service during this disaster? Our web site, e-mail and other essential services were knocked off-line for about half a day. We brought those up before we could even get back to our building. After about a day and a half, we brought up more services by moving some of our core servers to a co-location site and got all of our Calgary staff to work from home. Everyone was getting in on the disaster recovery, including our hosting data center partner, who got us operational over the weekend.

In short, not too bad. I hope to never have to do this again, but I also know that we learned lots and will undoubtedly do even better next time.

And living through this sure gives me new appreciation for the need for geo-diversity of core services. The software we make does that: for example, our Privileged Access Manager customers routinely deploy servers on different continents and ensure that each server contains a full set of data, so that no single-site disaster would interrupt their access to privileged accounts at other locations. That’s a great sales pitch, but man, it sure feels more concrete when you have to live with the loss of a major data center yourself.

PRISM

June 12th, 2013

The recent disclosure by Edward Snowden about the NSA’s PRISM surveillance system has been quite interesting. It seems certain that they are collecting metadata about all phone calls that pass through US infrastructure (or perhaps even infrastructure of US domiciled telcos that is located elsewhere). There are also claims that they have access to content from major B2C cloud providers such as Facebook, Google, Microsoft and Skype.

First, was anyone seriously surprised? Surely not! The US government is in a siege mind-set and both surveillance and development of a social graph to find accomplices are reasonable approaches (never mind legality) to defend against terrorism.

Why the siege mentality? Because of the ominous terrorist threat! Never mind that the number of people killed or injured in the western world, by terrorism, is statistically indistinguishable from zero and that no government can point to any successful prevention despite billions in spending. The best the US government can point to is a few dead terrorists, thanks to the drone assassination program over Pakistan. And a lot of dead soldiers in Afghanistan and Iraq. Tragic.

So given that wire-tapping without a court order is supposed to be illegal in the US, how might the government justify the legality of this program?

One approach might be to collect all the data, store it, but only analyze any of it with a court order. Another approach might be to run analyses on the social graph, generate reports on interesting sets of people but without identifying who they are and get a secret court to approve display of identity data for the people identified in a report.
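The second approach above (analyze the social graph under pseudonyms, unmask only what a court approves) is a recognizable privacy-engineering pattern, and it is worth seeing where the trust actually sits. The Python below is an added illustration, not something from the original post and not a description of what the NSA does. The call records, phone numbers and key are constructed; the one real caveat it encodes is that pseudonyms over low-entropy identifiers such as phone numbers must be keyed (HMAC), because an unkeyed hash can be reversed by simply hashing every possible number.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample call records: (caller, callee, timestamp). Fictitious numbers.
SAMPLE_CDRS: List[Tuple[str, str, str]] = [
    ("+15550100", "+15550101", "2013-06-01T10:00"),
    ("+15550102", "+15550101", "2013-06-01T10:05"),
    ("+15550100", "+15550102", "2013-06-02T09:00"),
    ("+15550103", "+15550104", "2013-06-02T09:30"),
]
SUBSCRIBERS = ["+15550100", "+15550101", "+15550102", "+15550103", "+15550104"]
DEMO_KEY = b"constructed-demo-key-not-for-real-use"  # held by the custodian only


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). An unkeyed hash would not do: phone
    numbers have so little entropy that anyone could rebuild the mapping by hashing
    every possible number. Without the key the pseudonym cannot be reversed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(key: bytes, cdrs: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """What the collection side hands to analysts: pseudonyms and timestamps, no identities."""
    return [(pseudonym(key, a), pseudonym(key, b), ts) for a, b, ts in cdrs]


def contact_graph(pcdrs: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Undirected contact graph over pseudonyms: the only view the analyst has."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b, _ in pcdrs:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def common_contacts(graph: Dict[str, Set[str]], p1: str, p2: str) -> Set[str]:
    """Example analysis: who talked to both p1 and p2? Runs entirely on pseudonyms."""
    return graph.get(p1, set()) & graph.get(p2, set())


class Custodian:
    """Holds the key and the subscriber directory, separately from the analysts.
    Unmasking is limited to pseudonyms named in an approval (the court order) and is logged."""

    def __init__(self, key: bytes, subscribers: List[str]) -> None:
        self._index = {pseudonym(key, s): s for s in subscribers}
        self.audit: List[Tuple[str, str]] = []

    def reidentify(self, requested: Set[str], approved: Set[str]) -> Dict[str, str]:
        unmasked: Dict[str, str] = {}
        for p in sorted(requested):
            if p not in approved:
                self.audit.append(("denied", p))     # asked for, but not in the order
                continue
            self.audit.append(("unmasked", p))
            unmasked[p] = self._index.get(p, "<not a subscriber>")
        return unmasked


if __name__ == "__main__":
    records = pseudonymize(DEMO_KEY, SAMPLE_CDRS)
    graph = contact_graph(records)
    a, b = pseudonym(DEMO_KEY, "+15550100"), pseudonym(DEMO_KEY, "+15550102")
    report = common_contacts(graph, a, b)                 # analyst output: pseudonyms only
    custodian = Custodian(DEMO_KEY, SUBSCRIBERS)
    print(custodian.reidentify(report, approved=report))  # identities, only with approval
```

The control here is organizational as much as cryptographic: the scheme only limits anything if the key and the directory really are held by someone other than the analysts, and if the audit log is read by someone other than the custodian. Whether that separation exists in the real program is exactly what the public cannot see.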

Who knows? I am not a lawyer. It’s fun to speculate, though!

So is any of this useful?

As an IT security practitioner, my first instinct is to say “yes” — i.e., it seems plausible that you would find some bad guys this way.

The trouble is, have the US feds found any bad guys? I can’t imagine politicians resisting the urge to brag about the success of this kind of effort if they actually caught someone. They haven’t really done that, so I have to conclude that the program has been a dud. Very much like the video surveillance in London – sounds good on paper, but where is the data to show that it had an impact on crime rates? (hint: there is no such data).

I’m a big believer in “if you can’t measure it, it doesn’t exist” – and extreme surveillance like PRISM or like the London camera system has yielded no measurable value, as far as I can tell.

But what about 9/11, you might ask? It’s a single event, and it could be prevented by better doors on cockpits (done). Seriously – you don’t need a TSA or DHS to prevent it. Even if you include 9/11, in objective terms, terrorism still poses a lower risk than slippery bathtubs (on average, 370 people of all ages are injured in bathtubs and showers every day in the United States).

If you accept my thesis that all this anti-terror activity is a huge waste of energy, then what effect does it actually have? Well, if the purported $200,000/year salary for high-school-educated Edward Snowden is any indication, it has an impact on the IT labor market. As does the fact that the NSA and its contractors certainly employ tens of thousands (perhaps hundreds of thousands, collectively) of talented individuals in work that has no economic benefit. This isn’t good for the US economy (diverting labor away from productive work) or for the US federal budget deficit (this isn’t cheap folks!).

Another impact is on cloud computing. While US-domiciled firms may continue to be comfortable moving their corporate infrastructure and apps to the cloud, firms domiciled elsewhere will either not feel comfortable using US-based cloud providers (such as Amazon, Salesforce, etc.) or may even be legally prohibited from doing so (I’ve heard that medical researchers in Canada cannot host their IT on US servers). This means that all the surveillance has the unintended effect of making otherwise world-leading US cloud providers uncompetitive.

Another angle on all this is that it makes US government behaviour uncomfortably similar to Chinese government behaviour. Extensive surveillance? Check! Ability to block content? Check! (the US do this with DNS take-down orders due to claimed IP violations, but still…). Did the moral high ground just make a whooshing noise as it disappeared?

What else could they monitor? Full speech-to-text of voice calls comes to mind. The technology almost certainly exists (I have heard that the Israeli government has had this capability for years). You could use the same legal cover to add this feature.

Why the fancy new data centers in Utah and Maryland? Well, if you collect this kind of voluminous data, you have to store it somewhere. Surely the telcos and cloud B2C web site companies won’t want to spend their own money to store all this data on their servers, in their facilities. Violating customer privacy is one thing. Spending big money to do so is something else again.

The US public seems to be sanguine about all this surveillance. That’s an uncharacteristic trust in government’s good intentions, quite at odds with the recent IRS abuse of power scandal. Nishant Kaushik pointed out something really smart today — Americans would likely respond quite differently if they clued in to the idea that PRISM could probably be used to create a gun owners registry. Imagine the NRA‘s response! LOL.

So is this just a US problem? Well, obviously more repressive regimes like China and Russia do the same thing. I think we should assume, by default, that other Western countries (including my home in Canada) do so too. That’s gotta be the safer assumption.

That’s what comes to mind. Quite a lot. ;-) We certainly live in interesting times!