Network Security Blog

Alan is continuing the conversation about the firing at TJX and reporting Payment Card Industries ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.

The PCI Security Council has no power to fine and is only responsible maintaining the PCI Data Security Standards and administrating the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry. They have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.

The credit card companies never fines a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but don’t fine a merchant directly. Though that cost is usually passed through to the merchant in some form.

If a merchant suffers a compromise or is non-compliant, the acquiring has several punitive options, including raising the per transaction fee or levying a fine. Most merchant would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a .25% raise in their per transaction fees. .25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.

The acquiring bank has the power to make a company hurt if they’re not compliant or suffer a compromise, the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000 which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.

The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring bank as part of the business processes. It’s a monetary issue from start to finish, there are no legal requirements. Would I like to know what the fines being levied against companies are? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not their though.

And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks.

As Public Relations folks continue to embrace bloggers and treat us more like press, I get more and more press releases and opportunities to talk to the people at security companies. I enjoy getting this information and appreciate talking to these companies as an analyst/press. But I have to laugh sometimes when they pull stupid stunts, like putting the phrase ‘Under NDA’ in the middle of a presentation. If I didn’t sign any paperwork, the only thing obligating me to that Non-Disclosure Agreement is common courtesy, something PR people need to be very careful of expecting as they dip their toes in the blogosphere.

Something that PR people, as well as bloggers, are still figuring out is the exact nature of the relationship between the two groups. PR professionals are used to building relationships with reporters and knowing exactly who they’re talking to. With bloggers they don’t have that relationship, they don’t even necessarily know the name of the person they’re dealing with. On the flip side, most bloggers have no idea how to react to invitations and press releases from PR agencies. The reactions can range from completely ignoring PR to maliciously using the information provided. I suspect most of us lean towards the ‘ignore them and they’ll go away’ camp.

I used to ignore most press releases, but I started changing that recently. Blogging is about communication and learning, both of which are the exact thing PR people are trying to provide. I’ve started responding to some press releases, letting the PR folks know if I find their press releases relevant or not. I’m trying to build some of the same relationships ‘real’ reporters have and making PR aware of my interests is part of that.

But the relationship has to go both ways; PR folks need to communicate little things like the expectation of not releasing product information prior to the products release date. In this case, it’s not a big deal: the product will be out next Monday. But when I saw the NDA statement cleverly slipped into the presentation, part of me wanted to post about it right away just out of spite. Luckily the larger, more responsible part of me decided it’d be a poor treatment of the company.

Bloggers and PR folks have a lot of learning to do about one another. We have to understand that PR professionals have access to a lot of valuable information we might not be able to get elsewhere. PR professionals need to realize that bloggers are not reporters, we don’t have the background a reporter does and in many cases a quick flash of popularity and traffic is more important to us than a ‘relationship’ with a PR firm. If you want something to be under Non-Disclosure Agreement, ask up front if a blogger is willing to respect a verbal NDA. But don’t slip it into a slide in your presentation and expect it to be honored.

Alan Shimel faults me for saying sometimes you just have to walk away, in reference to TJX firing Cryptic_Mauler (the upper/lower case stuff is too much for me to type again and again). Alan talks about illegal behavior, turning your employer in to the authorities, standing up for your morals to do what’s right. Of course, he ignores the fact that nothing TJX is being accused of is illegal; stupid, yes, but not illegal. And the fact is there’s no one to turn TJX in to, not in the government and certainly not at the PCI Security Council or the major credit card companies.

Cryptic_Mauler was in an untenable situation: his employer was practicing the worst sort of security, they didn’t want to change, there’s no one he could report them to. Alan wishes there were someone CM could have reported TJX’s woefully inadequate security practices to, but if such a entity exists, I’ve never heard of one. The best thing he could have done was report the problem to TJX’s acquiring bank, but unless you’re really into credit card processing, the chances are you’ve never even heard of an acquiring bank let alone have any idea of who to call.

I like Alan, but asking me why I didn’t list reporting TJX to the authorities as an option is like asking me when was the last time I spoke to the Easter Bunny! Neither one exists! (my kids don’t read this, so I can say that). It’s fine to talk about taking the high moral ground when you’re living in a fantasy world, but the reality I live in doesn’t have anyone Cryptic_Mauler could have gone to to report TJX. I really wish it did, I could have used them myself in the past.

And why doesn’t the PCI Security Council have some way of reporting offending companies? I’ll hazard a guess and say they’ve probably talked about establishing just such a capability and decided against it in the strongest possible way. After all, if they had a way for someone to report violations to, that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want. But that’s only a guess.

Last week TJX fired one of their employees for disclosing on ha.ckers.org that TJX is using blank passwords and other very insecure procedures. Posting in what he thought was an anonymous manner, CrYpTiC_MauleR was tracked down by management at TJX through his ISP, asked what he felt is wrong with the TJX network and fired. And as bad as I feel for him personally, I think TJX did the right thing.

Don’t get me wrong, I have very little sympathy for a company like TJX. They had one of the biggest credit card breaches in history, they’ve been put through the ringer and they still have the temerity to allow such bad practices as blank passwords and running servers as admin. I’m hoping TJX’s acquiring bank, PCI assessor and Visa/Mastercard get wind of these issues and call them on the carpet for it. But I don’t excuse the actions of Cryptic_Mauler.

I’ve read most of the thread on sla.cers.org, and this appears to be an issue of venting frustration, not whistle blowing. If Cryptic_Mauler was talking to federal investigators or maybe even a reporter, I might call it whistle blowing, but by disclosing it in a security forum, it was simply a way of pointing the finger at the stupidity of his employer. It’s not a case of full disclosure either, since that usually refers to
vulnerabilities in a product or OS, not poorly designed security
implementation by your employer. He had no expectation that this disclosure would somehow improve the situation at TJX, he just wanted someone else to know about the issue. And maybe hope that someone could embarrass TJX into changing.

We’ve all been in situations where we have employers doing stupid things. We do our best to communicate with management about the problems and hope they react appropriately. The problem is, our perception of ‘appropriately’ and management’s is often very different. What we see as a horrible security hole, they may see as another minor problem that would take major money to fix. Or just as something that they don’t want to think about right now.

There’s no reporting mechanism built into the Payment Card Industry standards. To the best of my knowledge, there’s no clear cut method to report a company that has bad practices to the credit card companies or the government at all. There’s not even a press person you can talk to about the issues with to bring it to public awareness. It’s frustrating because, despite their known issues, TJX is probably far from the worst offender and there needs to be a way to make these people sit up and take notice. But that’s no excuse for posting the issues with the TJX network in a public forum.

Cryptic_Mauler isn’t a security professional. He wasn’t even a part of the IT team. But he was an employee of the company and as such was held to certain expectations. Keeping internal company issues internal is one of those expectations. I don’t like how TJX is apparently handling their problems, I don’t like that they aren’t responding more positively to internal criticism, but I don’t see that they could have taken any other action in this circumstance.

I’ve had to resign from a job before because the company wasn’t being responsible in my opinion. I’ve seen companies in the past that shouldn’t be allowed to have computers let alone an ecommerce site. I’ve been at companies that I wondered how they stayed in business, not even considering their security concerns. But I always tried to react ethically and within the bounds of my moral obligations. I’ve learned that I can do what I can do and sometimes I have to walk away and let someone else deal with the problem. Public disclosure doesn’t fit in my world view of ethics and morality.

It’s frustrating dealing with a company that doesn’t want to change. It’s hard not having leverage to make the changes that you see need to be made. How you react to that frustration is up to you. Do you scream in public like Cryptic_Mauler, keep going until you find someone who can make the change or do you move on to another opportunity? I hope Cryptic_Mauler can find a new position somewhere else; I hope the limited notoriety this incident gives him will help him further his career. But I think he made a mistake in publicly disclosing TJX’s problems, one I hope doesn’t continue to haunt him.

I’ve made no secret of the fact that I’m a big fan of Firefox and the NoScript plugin. I don’t want anything running in my browser that I don’t explicitly approve of. And now with the big rise in sites compromised with the latest Flash exploits, there are more reasons than ever to use NoScript. I don’t use Flashblock myself, but it also comes highly recommended for dealing with this issue.

The interesting thing to me is that this attack is a combination of SQL injection against the servers and a payload containing the Flash exploit. If the compromised sites had made the effort to use good coding practices and checked for SQL injections, this wouldn’t be a big deal. Another alternative would have been a web application firewall. This is 2008, not 1998, SQL injection is low hanging fruit on the security tree and most of the sites compromised should have something in place to stop SQL injections. But they don’t, so we have a nice outbreak of Flash exploits.

Security Focus stated that there were approximately 20,000 compromised web pages as of Tuesday. That sounds like a lot until you figure out the math and realize that this may mean 2000 or less machines compromised, depending on the average number of pages per system. I guess 2000 doesn’t get the clicks nearly as well as 20,000 does.

Short show tonight folks, Rich is under the weather and our guest had to bail at the last minute due to a personal emergency. We’ll work at getting Jeremiah Grossman from White Hat on in the next couple of weeks. In the mean time Rich and I dug up a few news stories to talk about.

Show Notes:

• How LifeLock works – In their own words, they tell you most of what they do can be done by you for free.
• Announcing your social security number on national radio is a bad idea – That’s a no brainer.
• Legal experts wary of MySpace hacking charges
• Adobe Flash zero-day exploit in the wild
• NSS Labs PCI Suitability papers
• Tonight’s Music: With Arms Outstretched by Rilo Kiley

Network Security Podcast, Episode 106 [ 25:48 ] Play Now | Play in Popup | Download

Network Security Podcast, Episode 106, May 27, 2008

Time: 25:47

The deadline for meeting requirement 6.6 of the PCI-DSS is quickly coming up, June 30th as a matter of fact. So how is your business meeting with this requirement? Do me a favor and take this quick poll to let me know what you’re up to; it’s as completely anonymous as anything on the Internet can be, but I’m curious how people and companies are taking this requirement. Something to remember, whether you’re a Level 1 merchant or a Level 4 ‘mom and pop’ store, you’re still responsible for meeting this requirement.

For more information on meeting PCI 6.6, read the PCI Security Council guidance here.

Edit:  I’m just having a bad day and the poll doesn’t seem to be working.  I’ll try again when I have the time to deal with it.  Please leave a comment instead of taking the poll.