Archive for May, 2008

May 30 2008

Look to the acquiring banks, not the PCI Security Council

Published by under PCI

Alan is continuing the conversation about the firing at TJX and reporting Payment Card Industries ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.

The PCI Security Council has no power to fine and is only responsible maintaining the PCI Data Security Standards and administrating the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry. They have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.

The credit card companies never fines a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but don’t fine a merchant directly. Though that cost is usually passed through to the merchant in some form.

If a merchant suffers a compromise or is non-compliant, the acquiring has several punitive options, including raising the per transaction fee or levying a fine. Most merchant would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a .25% raise in their per transaction fees. .25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.

The acquiring bank has the power to make a company hurt if they’re not compliant or suffer a compromise, the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000 which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.

The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring bank as part of the business processes. It’s a monetary issue from start to finish, there are no legal requirements. Would I like to know what the fines being levied against companies are? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not their though.

And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks.

3 responses so far

May 30 2008

I didn’t sign nothing (NDA)

Published by under Blogging

As Public Relations folks continue to embrace bloggers and treat us more like press, I get more and more press releases and opportunities to talk to the people at security companies. I enjoy getting this information and appreciate talking to these companies as an analyst/press. But I have to laugh sometimes when they pull stupid stunts, like putting the phrase ‘Under NDA’ in the middle of a presentation. If I didn’t sign any paperwork, the only thing obligating me to that Non-Disclosure Agreement is common courtesy, something PR people need to be very careful of expecting as they dip their toes in the blogosphere.

Something that PR people, as well as bloggers, are still figuring out is the exact nature of the relationship between the two groups. PR professionals are used to building relationships with reporters and knowing exactly who they’re talking to. With bloggers they don’t have that relationship, they don’t even necessarily know the name of the person they’re dealing with. On the flip side, most bloggers have no idea how to react to invitations and press releases from PR agencies. The reactions can range from completely ignoring PR to maliciously using the information provided. I suspect most of us lean towards the ‘ignore them and they’ll go away’ camp.

I used to ignore most press releases, but I started changing that recently. Blogging is about communication and learning, both of which are the exact thing PR people are trying to provide. I’ve started responding to some press releases, letting the PR folks know if I find their press releases relevant or not. I’m trying to build some of the same relationships ‘real’ reporters have and making PR aware of my interests is part of that.

But the relationship has to go both ways; PR folks need to communicate little things like the expectation of not releasing product information prior to the products release date. In this case, it’s not a big deal: the product will be out next Monday. But when I saw the NDA statement cleverly slipped into the presentation, part of me wanted to post about it right away just out of spite. Luckily the larger, more responsible part of me decided it’d be a poor treatment of the company.

Bloggers and PR folks have a lot of learning to do about one another. We have to understand that PR professionals have access to a lot of valuable information we might not be able to get elsewhere. PR professionals need to realize that bloggers are not reporters, we don’t have the background a reporter does and in many cases a quick flash of popularity and traffic is more important to us than a ‘relationship’ with a PR firm. If you want something to be under Non-Disclosure Agreement, ask up front if a blogger is willing to respect a verbal NDA. But don’t slip it into a slide in your presentation and expect it to be honored.

3 responses so far

May 29 2008

Who you gonna run to?

Published by under PCI

Alan Shimel faults me for saying sometimes you just have to walk away, in reference to TJX firing Cryptic_Mauler (the upper/lower case stuff is too much for me to type again and again). Alan talks about illegal behavior, turning your employer in to the authorities, standing up for your morals to do what’s right. Of course, he ignores the fact that nothing TJX is being accused of is illegal; stupid, yes, but not illegal. And the fact is there’s no one to turn TJX in to, not in the government and certainly not at the PCI Security Council or the major credit card companies.

Cryptic_Mauler was in an untenable situation: his employer was practicing the worst sort of security, they didn’t want to change, there’s no one he could report them to. Alan wishes there were someone CM could have reported TJX’s woefully inadequate security practices to, but if such a entity exists, I’ve never heard of one. The best thing he could have done was report the problem to TJX’s acquiring bank, but unless you’re really into credit card processing, the chances are you’ve never even heard of an acquiring bank let alone have any idea of who to call.

I like Alan, but asking me why I didn’t list reporting TJX to the authorities as an option is like asking me when was the last time I spoke to the Easter Bunny! Neither one exists! (my kids don’t read this, so I can say that). It’s fine to talk about taking the high moral ground when you’re living in a fantasy world, but the reality I live in doesn’t have anyone Cryptic_Mauler could have gone to to report TJX. I really wish it did, I could have used them myself in the past.

And why doesn’t the PCI Security Council have some way of reporting offending companies? I’ll hazard a guess and say they’ve probably talked about establishing just such a capability and decided against it in the strongest possible way. After all, if they had a way for someone to report violations to, that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want. But that’s only a guess.

One response so far

May 29 2008

Disclosing in a public forum is not whistle blowing

Published by under PCI

Last week TJX fired one of their employees for disclosing on that TJX is using blank passwords and other very insecure procedures. Posting in what he thought was an anonymous manner, CrYpTiC_MauleR was tracked down by management at TJX through his ISP, asked what he felt is wrong with the TJX network and fired. And as bad as I feel for him personally, I think TJX did the right thing.

Don’t get me wrong, I have very little sympathy for a company like TJX. They had one of the biggest credit card breaches in history, they’ve been put through the ringer and they still have the temerity to allow such bad practices as blank passwords and running servers as admin. I’m hoping TJX’s acquiring bank, PCI assessor and Visa/Mastercard get wind of these issues and call them on the carpet for it. But I don’t excuse the actions of Cryptic_Mauler.

I’ve read most of the thread on, and this appears to be an issue of venting frustration, not whistle blowing. If Cryptic_Mauler was talking to federal investigators or maybe even a reporter, I might call it whistle blowing, but by disclosing it in a security forum, it was simply a way of pointing the finger at the stupidity of his employer. It’s not a case of full disclosure either, since that usually refers to
vulnerabilities in a product or OS, not poorly designed security
implementation by your employer. He had no expectation that this disclosure would somehow improve the situation at TJX, he just wanted someone else to know about the issue. And maybe hope that someone could embarrass TJX into changing.

We’ve all been in situations where we have employers doing stupid things. We do our best to communicate with management about the problems and hope they react appropriately. The problem is, our perception of ‘appropriately’ and management’s is often very different. What we see as a horrible security hole, they may see as another minor problem that would take major money to fix. Or just as something that they don’t want to think about right now.

There’s no reporting mechanism built into the Payment Card Industry standards. To the best of my knowledge, there’s no clear cut method to report a company that has bad practices to the credit card companies or the government at all. There’s not even a press person you can talk to about the issues with to bring it to public awareness. It’s frustrating because, despite their known issues, TJX is probably far from the worst offender and there needs to be a way to make these people sit up and take notice. But that’s no excuse for posting the issues with the TJX network in a public forum.

Cryptic_Mauler isn’t a security professional. He wasn’t even a part of the IT team. But he was an employee of the company and as such was held to certain expectations. Keeping internal company issues internal is one of those expectations. I don’t like how TJX is apparently handling their problems, I don’t like that they aren’t responding more positively to internal criticism, but I don’t see that they could have taken any other action in this circumstance.

I’ve had to resign from a job before because the company wasn’t being responsible in my opinion. I’ve seen companies in the past that shouldn’t be allowed to have computers let alone an ecommerce site. I’ve been at companies that I wondered how they stayed in business, not even considering their security concerns. But I always tried to react ethically and within the bounds of my moral obligations. I’ve learned that I can do what I can do and sometimes I have to walk away and let someone else deal with the problem. Public disclosure doesn’t fit in my world view of ethics and morality.

It’s frustrating dealing with a company that doesn’t want to change. It’s hard not having leverage to make the changes that you see need to be made. How you react to that frustration is up to you. Do you scream in public like Cryptic_Mauler, keep going until you find someone who can make the change or do you move on to another opportunity? I hope Cryptic_Mauler can find a new position somewhere else; I hope the limited notoriety this incident gives him will help him further his career. But I think he made a mistake in publicly disclosing TJX’s problems, one I hope doesn’t continue to haunt him.

4 responses so far

May 29 2008

As if you needed more reasons to use NoScript: Flash

Published by under Malware

I’ve made no secret of the fact that I’m a big fan of Firefox and the NoScript plugin. I don’t want anything running in my browser that I don’t explicitly approve of. And now with the big rise in sites compromised with the latest Flash exploits, there are more reasons than ever to use NoScript. I don’t use Flashblock myself, but it also comes highly recommended for dealing with this issue.

The interesting thing to me is that this attack is a combination of SQL injection against the servers and a payload containing the Flash exploit. If the compromised sites had made the effort to use good coding practices and checked for SQL injections, this wouldn’t be a big deal. Another alternative would have been a web application firewall. This is 2008, not 1998, SQL injection is low hanging fruit on the security tree and most of the sites compromised should have something in place to stop SQL injections. But they don’t, so we have a nice outbreak of Flash exploits.

Security Focus stated that there were approximately 20,000 compromised web pages as of Tuesday. That sounds like a lot until you figure out the math and realize that this may mean 2000 or less machines compromised, depending on the average number of pages per system. I guess 2000 doesn’t get the clicks nearly as well as 20,000 does.

2 responses so far

May 27 2008

Network Security Podcast, Episode 106

Published by under Podcast

Short show tonight folks, Rich is under the weather and our guest had to bail at the last minute due to a personal emergency. We’ll work at getting Jeremiah Grossman from White Hat on in the next couple of weeks. In the mean time Rich and I dug up a few news stories to talk about.

Show Notes:


Network Security Podcast, Episode 106, May 27, 2008

Time: 25:47

2 responses so far

May 22 2008

Google Health

Published by under Privacy

Eric Irvin, Senior Consultant at IrvTech, suggested I blog about Google’s recent announcement of Google Health and I countered by challenging him to write up a post of his own, and here it is. Eric doesn’t have a blog, so if you want to get in touch with him, leave a comment or contact me and I’ll forward it on to him. Without further ado:

Google Health by Eric Irvin:

Google has recently offered a service to track and monitor your own personal health records. Google Health provides a centralized manner of health information management, utilizing Google’s signature API. Google has assured users that they will protect and secure the data. The problem is the Health Care Industry already has a standard of privacy and protection with HIPAA.
Health portability and privacy has always been a problem in the Health Care Industry. This has been largely due to the industry facing lawsuits due to a lack of privacy regulations, and/or questions relating to how data should be shared between insurance companies, hospitals, and other medical care providers. Out of these legal questions, and lack of clarity, the Health Insurance Portability and Accountability Act was passed in 1996.

Google believes that it should not be regulated by HIPAA because they are not a health care provider. Google addresses this in a post from a development blog.

“Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.”

I disagree with Google’s not wishing to comply with HIPAA regulations, which would apply a baseline of security checks and safeguards to protect customer information. With other industry requirements (such as PCI, SOX), privacy and protections extends itself towards anyone exchanging customer information. While the law, in itself, does not require Google to do so, I think it sets a standard of expectation for people who choose to use the service. Because Google is not subjecting itself to HIPAA, there is no legal requirement for them to keep your information private, other than the terms of service.

Google could begin providing information to pharmaceutical companies as to who has which medical problems, and allow them to target advertisements to them. This would be a horrible invasion of privacy, and breach of a basic trust. While Google has not announced any plans to do so, their own terms of service allow them to change their own policies at any time without notice. At least HIPAA requires a vote from Congress to extend, withdraw, or modify any protections or use of said information.

While HIPAA was established for the sake of protecting patients rights from Health Providers, Insurance Companies, et al., the question remains, should a third-party company who has access to Health Information be governed by those same rules?

3 responses so far

May 21 2008

How are you meeting PCI Requirement 6.6?

Published by under PCI

The deadline for meeting requirement 6.6 of the PCI-DSS is quickly coming up, June 30th as a matter of fact. So how is your business meeting with this requirement? Do me a favor and take this quick poll to let me know what you’re up to; it’s as completely anonymous as anything on the Internet can be, but I’m curious how people and companies are taking this requirement. Something to remember, whether you’re a Level 1 merchant or a Level 4 ‘mom and pop’ store, you’re still responsible for meeting this requirement.

For more information on meeting PCI 6.6, read the PCI Security Council guidance here.

Edit:  I’m just having a bad day and the poll doesn’t seem to be working.  I’ll try again when I have the time to deal with it.  Please leave a comment instead of taking the poll.

2 responses so far

May 21 2008

Rich almost made the list

Published by under General,Humor

Amrit Williams has written up the Top 5 Abused/Misused/Misconstrued Terms in Information Security and Rich Mogull made the list of ‘also rans’. I’m pretty sure Rich’s name is just there as link bait, but it’s amusing none the less. Amrit is a good writer and always sprinkles a large amount of sarcasm and cynicism in his writing, so this is worth taking a few minutes to read.

The thing that puzzles me slightly about this list though is that four of his top five have fallen out of general usage, at least in my experience. “Paradigm Shift” got so overused a few years ago that no one I know uses it unless they’re making a joke. Or if they’re in marketing, then the joke’s unintentional. The same goes for “* is dead”; at least I hope people who are still using the term are joking. Maybe not and I should take some of those articles seriously.

The one inclusion on the list I have some issue with is “Security ROI”. The term itself is definitely overused, but the concept it’s trying to capture is something we need to pay more attention to, security’s role as a core part of business. ROI is poorly suited to measuring success for security, but we do need to move away from the concept of security as a technology and towards including security as a core part of business. This includes ways of measuring success and failure, though failure is much easier for us to identify. On the other hand, maybe I just proved Amrit’s point, that it’s an overloaded, overused term and we should find something better suited to the concept.

Language is fluid and we’re constantly creating new terms and adding new meanings onto old terms. Maybe Amrit can revisit this article and come up with another list next year. Of course, that’d mean he’d actually have to come up with real criteria, rather than just listing the terms that made him grumpiest this morning.

2 responses so far

May 20 2008

Network Security Podcast, Episode 105

Published by under Podcast

Rich and I were joined tonight by a Phoenix local and fellow security blogger, Adrian Lane. Adrian is the CTO at IPLocks and blogs about data security at Information Centric Security. We had a lot of topics to talk about tonight and wrapped up by spending a few minutes discussing security at the information level. Go figure. Adrian brought two decades worth of security experience (and ‘network hair’) to tonight’s podcast. And to no one’s surprise, we had a privacy issue that we spent more time on than we probably should have.

Show Notes:

No responses yet

Next »