Industry Related

February 01, 2008

My Beef with PCI

Shortcomings with the PCI specification

I am frustrated with the Payment Card Industry Specification. Perhaps it’s 9 straight days of rain that has me crabby, but as I was referencing the PCI specification v1.1 today, I found myself annoyed enough with a few things to Blog about it.

 

Metrics: PCI metrics?  Where do they talk about measurement of compliance? How do you judge? Is it a secret? For Sarbanes-Oxley you have to list the controls you have, demonstrate that they are operational, and periodically show that they are appropriate. I see no mention of controls, and no corresponding measurements in the PCI specification. Security is not a black and white issue, and there should be metrics in place to help get a handle on how you stack up, and see if you are making improvements. Security is not a destination ...

 

What data to keep? There is a list of Credit Card related items that you can store, and what you may not keep. There is no explanation of what is optional to keep, how long the information can be kept, or how long it should be kept for that matter. To me, the best way to reduce the possibility of data theft is not to keep it around. Why is this not discussed? Why does the PCI standards board not place an addendum in the specification on ways to reduce the CC data you hold?

 

Network focused! Is it just me or is this document written by a group of security experts from the network realm? Perhaps I am being overly sensitive, or perhaps because the word ‘network’ comes up 58 times, and the word ‘application’ 27, but the entire PCI specification seems to be looking at the problem of credit card security from the transport layer up. If I am worried about the privacy and security of Credit Card numbers and related information, I am most worried about where the data is stored, and second where the CC# is used. I am far less worried about how they are moved. Why? Because network encryption is available, it’s very effective, and it is far easier to implement (and implement well) than other types of encryption. It can be retrofitted into an unsecured environment without affecting business operations, and does not require the inspection of the data that is being transported. Applications, both those that use the information and those that store the information, are at a distinct disadvantage in terms of complexity and threats. The focus of the standard seems backwards to me.

 

Security 101.  There is nothing extraordinary about PCI. There is nothing in here that is novel or cutting edge about the recommendations. It’s good basic security. Organizations should be doing this … already. PCI is a minimum set of best practices in my opinion, and it still falls short. And we have companies with data breaches trying to hide behind a PCI compliant moniker?  Grrrr! 

 

Data Encryption and Compensating controls. My beliefs in this area are not widely shared. Encrypt all your backups! It’s no longer an optional practice! Encrypt Credit Card information in the database if you can, but as that may not be possible without serious issues, compensating controls can be equally effective.

 

At various ISSA and ISACA meetings I have attended, I am always shocked that a majority of IT administrators do not want to implement encryption on backup tapes. At one meeting in San Jose the crowd was unanimously against it (well, except for me)! The fear they voiced was not being able to locate the key and algorithm and decrypt at a future date, and not being able to recover. Yep, key management is tough, but it is part of the process. So I am not surprised this is not happening, because the people responsible for it are fearful for their jobs, but this needs to happen.

 

The last time I implemented a credit card payment application, I did not encrypt the credit card data I kept in the database. I chose to use a separate database, with a separate user account, with processing constrained to a small set of stored procedures, surrounded by a small set of checks and triggers to verify security, and thus allowing no person to see or use the data. In a company full of cryptographers, long before there was a PCI standard, I made that conscious choice because I could show equal security and two orders of magnitude faster processing. As far as compensating controls go, if they are intelligently designed, they can be a very effective alternative to encryption.
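The design described above, as an added example rather than the original implementation (that code is not on this page): a separate database, a dedicated application user, access only through a couple of stored procedures, and a trigger that keeps the stored number from being rewritten. This is SQL Server (T-SQL) syntax, and every name in it (CardVault, card_app, dbo.StoredCard, dbo.CardVault_Store, dbo.CardVault_Describe, dbo.trg_StoredCard_WriteOnce) is an assumption made for the example.

```sql
-- Added example, not the author's original implementation: the shape of the
-- compensating control described above, in SQL Server (T-SQL). A separate
-- database, a dedicated application user, access only through two stored
-- procedures, and a trigger. Every object name here is hypothetical.

CREATE DATABASE CardVault;
GO
USE CardVault;
GO

-- The payment application connects as card_app and as nothing else.
CREATE LOGIN card_app WITH PASSWORD = 'replace-with-a-generated-secret';
CREATE USER  card_app FOR LOGIN card_app;
GO

-- The only table holding the full number. The application never sees
-- CardNumber; Last4 is the most it is ever handed back.
CREATE TABLE dbo.StoredCard (
    CardId     INT IDENTITY(1,1) PRIMARY KEY,
    CardNumber VARCHAR(19) NOT NULL,
    Last4      AS RIGHT(CardNumber, 4) PERSISTED,
    ExpMonth   TINYINT     NOT NULL,
    ExpYear    SMALLINT    NOT NULL,
    CreatedAt  DATETIME    NOT NULL DEFAULT GETUTCDATE()
);
GO

-- Write path: check the shape of the input, store it, hand back a key.
CREATE PROCEDURE dbo.CardVault_Store
    @CardNumber VARCHAR(19), @ExpMonth TINYINT, @ExpYear SMALLINT,
    @CardId INT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    -- 13 to 19 digits and nothing else (a Luhn check would sit here too).
    IF LEN(@CardNumber) NOT BETWEEN 13 AND 19 OR @CardNumber LIKE '%[^0-9]%'
       OR @ExpMonth NOT BETWEEN 1 AND 12
    BEGIN
        RAISERROR('Rejected: card number or expiry has the wrong shape.', 16, 1);
        RETURN 1;
    END
    INSERT INTO dbo.StoredCard (CardNumber, ExpMonth, ExpYear)
    VALUES (@CardNumber, @ExpMonth, @ExpYear);
    SET @CardId = SCOPE_IDENTITY();
    RETURN 0;
END;
GO

-- Read path: masked, never the number itself.
CREATE PROCEDURE dbo.CardVault_Describe @CardId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CardId, '************' + Last4 AS MaskedNumber, ExpMonth, ExpYear
    FROM dbo.StoredCard
    WHERE CardId = @CardId;
END;
GO

-- Trigger: a stored number is write-once. An UPDATE that touches CardNumber
-- is rolled back no matter which account issues it; getting around it means
-- disabling the trigger, which is itself a visible, auditable change.
CREATE TRIGGER dbo.trg_StoredCard_WriteOnce ON dbo.StoredCard
FOR UPDATE
AS
BEGIN
    IF UPDATE(CardNumber)
    BEGIN
        RAISERROR('Card numbers are write-once; insert a new row instead.', 16, 1);
        ROLLBACK TRANSACTION;
    END
END;
GO

-- Permissions: EXECUTE on the two procedures, explicit DENY on the table.
-- dbo owns both procedure and table, so ownership chaining lets the procedures
-- reach the table; the DENY only bites direct access, such as an injected SELECT.
GRANT EXECUTE ON dbo.CardVault_Store    TO card_app;
GRANT EXECUTE ON dbo.CardVault_Describe TO card_app;
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.StoredCard TO card_app;
GO

-- Check the boundary from the application's side of it (4111... is the
-- well-known Visa test number, not a real card).
EXECUTE AS USER = 'card_app';
DECLARE @id INT;
EXEC dbo.CardVault_Store '4111111111111111', 12, 2030, @id OUTPUT;  -- permitted
EXEC dbo.CardVault_Describe @id;                                     -- permitted, masked
GO
SELECT CardNumber FROM dbo.StoredCard;   -- refused: card_app holds no SELECT on the table
GO
REVERT;
GO
```

The point of the layout is that the privilege boundary sits in the database rather than in the application: an injected statement arriving on the card_app connection can call the two procedures and nothing else, and the procedures are written so that nothing they return is worth stealing. The same ownership-chaining rule that lets the procedures work is also the thing to watch when you audit such a design, since any other dbo-owned procedure added later inherits the same reach into the table.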

 

I would like to see PCI offer examples and scenarios about the proper uses of encryption, key management best practices and compensating controls. If you provide guidance, some of the mystery goes away, and adoption rates climb.

 

Enough ranting. I think there is sunshine outside. Time to get some fresh air.

January 19, 2008

Yet more data losses; JC Penney & British Royal Navy

Seems that GE Money lost backup data for JC Penney recently, with some 650,000 customers' information. JC Penney stated they believe that there are 150,000 social security numbers contained in the backup.

I am curious, so if there is an obvious answer I am overlooking please educate me: Why does JC Penney have social security numbers for 150k customers? This strikes me as odd.

And this one is interesting also ... a laptop stolen from a Royal Navy Officer contained banking account information, mortgage payment information, medical claim information and a lot more.  And I am tired of asking this question, but why was this on a laptop outside the facility?  And it was a military officer ... why was the data not encrypted? 

Re: Yet more data losses; JC Penney & British Royal Navy

   
Why does JC Penney's have SS#'s? Easy. They offer the JC Penney charge cards. Why isn't the naval officer's laptop encrypted? Easy. Probably because there's no requirement for it to be; unless there's a rule, it won't be followed. Either that, or this information does not meet the classification level that requires encryption? (anyone know if there is a mandate/rule that the RBN's laptops be encrypted?) /Hoff
                     
                      
     

    Re: Yet more data losses; JC Penney & British Royal Navy

   
    Chris,

Thanks for the post. A couple of people have now pointed out that JC Penney offered credit cards, which is also probably why GE Money was involved. I probably should have realized that, and may have if I had not been distracted by Mr. Hirsch and Old Man Winkle having a heated argument in my living room Saturday night.

I also should have included the other dozen rhetorical questions on the Royal Navy theft ... why was the data there to begin with, why was it un-obfuscated, etc., to which you would probably have the same response. I keep thinking that this problem could be avoided in so many ways ... it's becoming a bad joke.
      

January 16, 2008

My Business Plan Contest

Send your business plans to be judged!

A Business Plan contest is being offered at the Data Protection Summit, to be held in Irvine in March of this year, with details of the business plan contest here. Send your business plan and you may get a prize!

From the Data Protection Summit email, I quote "

To enter the contest, prepare a business plan related to computer security (hardware, software, peripherals, accessories, services, or systems). Plans must not exceed one page in length (10-point type) and must be submitted using the VC Business Plan form at the Data Protection Summit website (look for the Big Red Button).

Submit your plan via the form starting now and ending on Friday, February 15 at midnight (Pacific Time). All submissions will be kept confidential, and no copies will be retained by anyone.

Your business plan will be reviewed by the distinguished panel of VCs. Our panel will grade the submissions on a 1 to 10 scale (overall, technology, marketing, and organization), and we will give prizes to the top 3 at the end of the panel session."

Seriously. First prize is an iPod!

This is a great idea. Especially for VCs. You may get to have some great business ideas delivered to you, without having to run around, do research and make connections. And you won't have to hassle with those pesky Intellectual Property Agreements, and people submitting their idea can be confident it is safe because a copy of the documents sent is not kept long term. They promise.

As for the submitter? VCs will be eager to invest in -you-, the wonderful, trusting person who was gullible nice enough to actually send your wonderful business plan. Good prose and such good business sense!

I am drafting my submission now!  It's for a social engineering engine that produces business plans!

As luck would have it, I am ALSO having a business plan contest! Please send me -your- business plans for this 1st annual contest. Please keep them to five pages or less, text or RTF documents only please. First prize is a $10 Starbucks gift card to the best security service or product plan; and second prize is an IPLocks coffee mug. I will do all of the judging, but I am going to ask Richard Hofstadter to assist should he be available. Deadline for submissions is midnight January 15th. Look forward to your submissions!

SAMP Stack

SUN buys MySQL

This is very interesting, and a smart move in my opinion. Sun acquiring MySQL could shake up the database marketplace. I have spoken with a number of executives at Sun over the last few years, and the notion of providing a lower cost 'greenfield' application platform has been on their agenda for some time now. In essence, using a LAMP stack in testing or proof of concepts, and continuing to use Oracle/DB2 for production, is a way to reduce overall software licensing costs.

But MySQL has really started to shed its 'not ready for prime time' image in the last year and has become a production-viable data repository option. Couple it with a secure and scalable Solaris OS, and you have a SAMP stack that is a very enticing option. How long before we see these environments pre-packaged for virtualized servers, tailored for specific business functions? Not very long, is my guess.

January 11, 2008

Boeing nuttiness.

Coffee? Tea? Hacked Control System?


One of the more interesting stories this week had to do with published reports of the Boeing 787 control system being shared with a passenger Internet connection. I did not make any blog posts this week on the Boeing 787 control system fiasco because I thought it was some Internet hoax; I mean, no one could be this stupid. Right?


But here is the quote in the San Jose Mercury News, with Boeing representative Lori Gunter telling us how it's secure because there is both software -and- hardware protection. Golly, that sounds super secure, just like my computer and network, cause ...oh wait, that’s not very secure.

 

Of course details cannot be discussed because "One of the things you do to ensure security is not talk about the protections in any great detail". Strike two.

 

And the FAA is thoroughly satisfied.  Uh, OK. Strike three.

 

And thanks to Chris Hoff for catching the Polish Train derailment by a teenage hacker. Just in case you think the security professionals of the world are ‘crying wolf' on this subject.

 

I think Bruce Schneier’s quote is perfect: "It's possible Boeing can make their connection to the Internet secure. If they do, it will be the first time in mankind anyone's done that."

January 10, 2008

Real Player & SQL Injection Attack

Bad software is not Free

Real Player has a fairly severe security hole.  Sigh.  It seems there is no such thing as ‘free’ software any longer. While you may not pay for it with cash or credit cards, it’s not really free if you pay for it through Spyware or security holes.

 

I was in the process of registering for Rich Mogull’s eSeminar, presented by Ziff Davis and sponsored by Oracle, on the 25th of this month. Once I signed up I needed to verify that my system met the minimum requirements. I ran the diagnostic, and I met all but one of the system requirements: Real Player needed to be installed. Argh!

 

My bias against installing some of these applications like Quicktime, Real Player, AOL Instant Messenger, anything Yahoo or most of the other ‘free’ tools is not just because I don’t trust them. I don’t. My main reason is they have zero respect for me or my machine. I want one specific function … ONE … and I get (what seems like) 50 that I don’t want. I don’t want these other ‘features’ installed, don’t want them automatically turned on, don’t want them resident in memory, don’t want them scanning my machine for software and versions, don’t want them communicating with other software or servers, don’t want them attempting to update themselves, don’t want them installing into the start menu, don’t want them updating the MS registry, don’t want them automatically popping up services and ‘news’ items about Soulja Boy’s baby or Britney Spears’ latest stupidity.

 

So I installed it … clearly because I am a moron, and I also have some business needs that require Real Player … like this and other e-Seminars. An easy install, but sure enough, it was flagged by AVG and SpyHunter because some of the DLLs are considered Spyware. I quarantined them and I hope that there is nothing else I need to worry about and that the application functions now that I disabled some of the DLLs.

 

Worry got the better of me and I started searching the web about what sort of vulnerabilities or Spyware is also present. I did not get far. A quick Google Search revealed this: http://isc.sans.org/diary.html?storyid=3810 . So it opens up a hole on the machine.

 

OK, fine. Are there known exploits? In fact there are, as documented here: http://isc.sans.org/diary.html?date=2008-01-04. It is a pretty well executed SQL injection attack, with some well done obfuscation of the code itself, making it harder for the average person to detect. In a nutshell, the SQL statement queries the sysobjects table looking for all user tables, and recursively scans all of the table references it finds. For every varchar column in the tables found, the program appends a small piece of code. I was not curious enough to find out what that code does. I do not believe the injection attack is smart enough to auto-alter itself depending upon the type of database present, this one looking for SQL Server, but I am sure that enhancement will be in the next release of the attack.

 

OK, is there a patch? Not that I can find. CVE-2007-5601 talks about a buffer overflow attack, but the arbitrary execution of code in this attack does not appear to be reliant on a buffer overflow to initiate. My guess is the author of the first blog post is correct and there is no patch available. I un-installed it and selected an older version, as I figured that the Spyware was not as evolved in the older versions. Sure, it may have vulnerabilities as well, but I needed to pick my threat model, so I picked the unknown threat instead of the known threat.

 

It’s ironic that I want to watch a database security presentation, and I need to introduce a vulnerability onto my computer to do so, one with known exploits and no patches at this time. Yippee.

Re: Real Player & SQL Injection Attack  

   
I sort of understand how SQL injection attacks gain database access. What I don't understand is how they insert code into the database.  How do they get dba-level access?
                     
                      
     

    Re: Real Player & SQL Injection Attack  

   
That is a good question, and I should have actually mentioned how to fix this in the initial post ... sorry about that. Typically this is caused by a common mistake of allowing applications, or running the desktop user, with administrative rights. So when a SQL injection attack comes in, it has an elevated level of privileges. Shameless plug alert … this is one of the basic operational policies that IPLocks offers with our Vulnerability Assessment product. You want separation of duties between the OS admin, the database admin and the web services admin, so they should not be the same user, nor should any one have elevated access rights to the other accounts. We offer another dozen or so checks for this type of weakness.

But this is a good example of how tiered or multiple levels of security helps catch and stop problems.   It's also one of the reasons why I am an advocate of spending as much time and attention to detail on back end infrastructure security as firewall and front end security.
      
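Tying the post's description of the attack to the reply's point about privilege, here is an added T-SQL example. It is not the payload from the ISC diary and not IPLocks code. Part 1 asks whether the application's database login could have done what the payload does, since rewriting every varchar column of every user table needs UPDATE on all of them, which is exactly what a login sitting in db_owner or sysadmin hands to an injected statement. Part 2 walks the catalog the same way the payload does, but read-only, to find columns that already carry an injected string. Part 3 is the privilege split the reply asks for. The login name web_app, the table dbo.Orders, and the marker text '<script' are assumptions; the post does not say what the appended code was, so substitute whatever the diary shows. The sweep covers nvarchar/char/nchar as well as the varchar columns the post mentions, which goes slightly beyond the described attack.

```sql
-- Added example (T-SQL). Not the payload from the ISC diary and not IPLocks
-- code. web_app, dbo.Orders and the marker text are assumptions.

-- 1. Could the application login have rewritten every table? The payload
--    described in the post needs UPDATE on all user tables; membership in
--    sysadmin or db_owner, or UPDATE granted at database scope, provides that.
SELECT IS_SRVROLEMEMBER('sysadmin', 'web_app') AS web_app_is_sysadmin;  -- assumes login is also named web_app
EXECUTE AS USER = 'web_app';
SELECT IS_MEMBER('db_owner') AS web_app_is_db_owner;
-- Database-scoped permissions: UPDATE/DELETE/ALTER/CONTROL here reach every table.
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
WHERE  permission_name IN ('UPDATE', 'DELETE', 'ALTER', 'CONTROL');
REVERT;
GO

-- 2. Detection sweep: walk the same catalog the payload walks (sys.tables /
--    sys.columns, the 2005+ form of sysobjects / syscolumns) and count rows in
--    each string column that contain the marker. Read-only.
DECLARE @marker NVARCHAR(100) = N'<script';   -- assumption about the appended code
DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME;
DECLARE @sql NVARCHAR(MAX), @hits INT;
DECLARE @report TABLE (schema_name SYSNAME, table_name SYSNAME,
                       column_name SYSNAME, hit_count INT);

DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.tables  t
    JOIN sys.schemas s  ON s.schema_id     = t.schema_id
    JOIN sys.columns c  ON c.object_id     = t.object_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE t.is_ms_shipped = 0
      AND ty.name IN ('varchar', 'nvarchar', 'char', 'nchar');
OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME so that a hostile object name cannot turn the sweep itself
    -- into an injection; the marker travels as a parameter, never concatenated.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE N''%'' + @m + N''%''';
    EXEC sp_executesql @sql, N'@m NVARCHAR(100), @n INT OUTPUT',
         @m = @marker, @n = @hits OUTPUT;
    IF @hits > 0
        INSERT INTO @report VALUES (@schema, @table, @column, @hits);
    FETCH NEXT FROM cols INTO @schema, @table, @column;
END
CLOSE cols;
DEALLOCATE cols;
SELECT * FROM @report ORDER BY hit_count DESC;
GO

-- 3. The split the reply asks for: the web login owns nothing, cannot alter
--    the schema, and gets only the object-level rights the application needs.
EXEC sp_droprolemember 'db_owner', 'web_app';   -- ALTER ROLE ... DROP MEMBER on 2012+
GRANT SELECT, INSERT ON dbo.Orders TO web_app;   -- per table, per verb
DENY  ALTER ON SCHEMA::dbo TO web_app;           -- no schema changes through an injected statement
```

Part 1 is the check worth automating: if the first two queries return 1, or the third returns UPDATE at database scope, the injection in the post runs with everything it needs and the sweep in Part 2 is damage assessment rather than prevention. Run Part 2 as a job after any web-tier incident, because an injected string appended to a column survives a reboot and a web-server patch.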

 

January 04, 2008

Sears

Corporate Sponsored Spyware


A big thanks to Benjamin Googins at Computer Associates for his Sears Spyware post, drawing attention to what I consider to be the electronic equivalent of a prowler.  Come into your home, rummage through your drawers, wallet & purse.  What are you reading, what are you watching on TV, when you do it, and using this information for profit or gain.  And it is shocking, shocking stupidity that Sears would do this. 


So what data are they collecting? Every piece of information they can, and if that includes sensitive information like Social Security Numbers, so be it.  In fact, if they are targeting HTTPS sessions, they are in fact targeting sensitive personal information. There is no such thing as “commercially viable efforts” to filter personal information from key stroke loggers or Internet session capture. And stating “automatically filter confidential personally identifiable information” is specious, because if this was in fact your intention, you would not willfully capture HTTPS sessions. 

 

Where is it being sent?  None of your business! It will be sent to one or more places they are not going to tell you about. The statement “stored in a confidential database owned by myshccommunity.com and is never delivered to a client” is also troubling. Wholesale delivery is not what I am worried about.  I am worried about any and all access. Even if you sell a report of the data that you can view, you in essence have a copy, that’s the way electronic data works.  What about hackers?  What  happens if Google 'bots discover it?  You, as the consumer, have no control over who gets to view it. Can you delete it?  No.  Can you edit it?  No. 

 

It’s going to be secured by, wait, we do not know that it is going to be secured. It might be, it might not be. The database where it is stored is ‘confidential’, but is it secure? How do we know their IT systems are secure? Does the act of installing the proxy on my computer open up other holes in my firewall? Does the agent being installed on the ‘customer’ machine have any security at all? Probably not, if you consider the data collected is re-sent over the wire unprotected. And I see no reason why they get the benefit of the doubt. Some marketing organization installed it, so there is no reasonable expectation that this will not be trivial to hack, subvert, alter and do whatever with. If it was secure, I am certain they would be marketing their security certifications, but most likely there was not even a security portion of the specification for this virus.

 

But it’s for your benefit … right! There is no possible way that you can justify this as good for the consumer. Nada. It is only for the company to collect intelligence. Consumers are perfectly capable of browsing & searching on line; we do not need our email searched and our checking account balance investigated to see what else can be shoved at us. We do not need a Sears agent installed onto our computer, sucking up our resources so Sears can try to get more of our money. It goes back to my earlier posts on how inept marketing organizations putting code on people’s computers invites liability, on the tell-tale signs that show how companies focus on making a buck without care or regard for their customers, and on the custodial responsibility of collectors of information. This is reckless behavior that compromises YOUR security for THEIR benefit.

###Update###

So it appears that the 'confidential' database is not confidential at all; in fact it is leaking data like a sieve. This Washington Post article http://blog.washingtonpost.com/securityfix/2008/01/searss_privacy_promises_broken_1.html shows you can pretend to be anyone who shops at Sears and see their entire buying history. I wonder if they have other vendors' sales records there as well?

December 03, 2007

TJ Maxx case study: Anyone?

Data breaches are a problem that all companies potentially face, and information security is a general commercial problem. A community issue if you will. But when a company is breached, responses seem to fall into one of two categories: non-disclosure or non-informative press spin. They either do not disclose publicly, or if obligated in some way, we get the “we are deeply concerned but we are on top of it” response from press or legal teams. Security through anonymity is what this is, and it does not do anyone a lot of good.

 

TJ Maxx is in the news again, and that is what got me thinking about this. Some of the most important security lessons I have learned are from other security professionals talking about the weird things they have seen. It is the practical experience that lets you discover how criminals think, with simple but highly clever subversions of security systems, and more than anything else it has shaped the way I approach security and how I model security solutions. I have also learned by experience from working with various cryptographers that the best algorithms are the ones that have stood up to peer review. Awareness & discussion of security in practice is tremendously beneficial.

 

We all want to read about what really happened at TJ Maxx, and we want to learn from the breach and see what was done, what worked, what they would have liked to have done differently, or where they made their best guess and moved forward. Like many security professionals, I have heard many rumors about breaches and what was involved, but we really do not know what happened. There are other cases where I have spoken to firms under NDA, some who admit to a breach, while others steadfastly refuse to admit any such thing, all while asking highly detailed and specific ‘what if’ questions. Right. Ignore the Secret Service agents in the next conference room over. A very Officer Barbrady “Move along people, there is nothing to see here” response. There is a large body of knowledge out there and few people are talking.

 

The September 2007 issue of the Harvard Business Review had an excellent data breach case study. It raises a lot of good issues and the difference in the viewpoints on how to handle the breach is startling. But it stops short of discussing what was done and what might have been done differently from a more forensic view. This is great for considering how to prepare your breach response, not so great on how to guard against the breach itself.

 

I would love to see a case study of TJ-Maxx breach, or perhaps as part of the settlement that they be made to disclose what happened in exchange for immunity from further legal penalties.   If I was an investigative journalist, I would be looking for some way to get a behind the scenes look at what is going on. 

Update:

As this discussion has popped up over on the Information Week Blog, here is the reference for anyone who is interested.  And yes, they may have gotten through a wireless access point, but that is just the entry point.  Scanning for services, injection of code, and the retrieval of data are all other aspects of the break in that are not discussed, and other layers of defense that failed ... or were absent.

November 01, 2007

Lies My Vendor Told Me

Fact, Fiction or FUD

The book Lies My Teacher Told Me blasted away at legends our primary school teachers had taught us. Those mistruths propagated by our teachers and parents can easily be forgiven as the real story often involves complications and concepts that we don't want tiny tots dealing with. Should we forgive our vendors so easily?

 

I bring this up because last week I went apoplectic when reading a paper on database auditing written by a network-oriented security company. The paper claimed that use of database audit regularly resulted in overhead of 30-50%. What?! Monkeys banging on a keyboard could do better, let alone a skilled Oracle DBA. Initially, I cut the vendor some slack as I thought they had the decimal point in the wrong place – 3-5% is in-line with my experiences, and I know many DBA's who see the same results. But, then the vendor built an entire cost of ownership model on this false premise!?

 

OK, I get it, spreading FUD is a common practice. But, overly aggressive competitive practices aren't beneficial to anyone, least of all prospects. I'd like to think that vendors are better off focusing on helping prospects solve problems and less on beating up the competition, but the amount of FUD we see in the security spaces says that isn't so. Do prospects notice that some companies focus more on solving problems and less on waging negative competitive campaigns? Does that affect buying decisions? I hope so.

October 09, 2007

Data Security Mentality

It’s the Database, *@&%#$!

Network World has a nice post about the recent breach at Certegy Check Services, a wholly owned subsidiary of the financial services firm Fidelity National Information Services (NYSE: FIS).

The data theft, as described in the Certegy press release, was by a Certegy employee. The employee owned a business selling data to marketing firms, who were in turn using the list for phone solicitation. Detected not by internal systems or personnel, it was brought to the attention of Certegy by customers, at which point “Certegy launched an immediate investigation … Unable to detect any compromise to its firewalls and other system security measures, Certegy requested that the U.S. Secret Service assist.” “The employee was a senior level database administrator who was entrusted with defining and enforcing data access rights.” I find this case very interesting, but a couple of concepts hit me concerning fraud detection and the insider threat.

As Certegy’s business model is to help detect fraud in check and credit card transactions, this is a company I would expect to have a high level of understanding of fraud detection and analysis. And while check processing has its own unique set of issues pertaining to fraud and fraud detection, the general concepts and statistics remain the same. By Certegy’s own description, the reaction to the event was to examine the firewall software to see if the breach had occurred there, while more often than not data theft is an insider crime. While I would expect many IT professionals to make such a statement, emphasizing the firewall as the primary area of exploration for a data breach, I did not expect this from a company whose business model is detecting fraud. While incidents of data theft by external parties are still on the rise, insiders are still the primary culprit.

Looking at the CSI/FBI reports from 2003-2006, the insider threat is consistently the leading cause of data theft and misuse.  Year in, year out, insider theft of data ranks in the top 5 of corporate IT security problems, but never does it make the top 10 list of security spending.  The database is a primary target for hackers and insiders alike as it is rich with intellectual property and sensitive financial data.   It is the primary target.  But with security measures focused on network level measures to keep the outsiders out of the enterprise, these statistics are not likely to change any time soon.

It is hard for me to imagine a more fitting example of why IPLocks, the product and the company, was created. In 2002 database security meant access controls and, for some, data encryption. Naturally you trusted your employees, so the goal was to ‘keep the bad guy out’. But it is exactly this type of weakness in security philosophy and software that drives our product development. Vulnerability assessment, monitoring and auditing are the three key offerings we created to deal with the deficiencies in database security, built from the perspective that the threat is not just external but includes employee theft as well. And I cannot think of a more pertinent example than “…a senior level database administrator who was entrusted with defining and enforcing data access rights”. Firewalls are great, but if you’re not looking at the database and the applications that use the database, you will miss exactly this kind of activity.

I am unsure if any other announcement about the breach has been made at the time of this writing. If anyone reading this blog received a letter from FIS or Certegy in conjunction with disclosure laws, such as California SB-1386, please let me know. I have read through blogs and press releases that they have been contacting those parties whose information was sold. I would be interested in knowing what additional information they are providing to their customers, and what assurances they are providing about the extent of data misuse and fraud detection.

The Certegy data breach is yet more evidence that attitudes must change before security will improve.  No, Bill Clinton was never a DBA, but I think about that quote when security practitioners seem to miss the basic issue in data security.  If data theft is the threat, why is there so little security in and around databases?