Archive for April, 2012

Apr 24 2012

Network Security Podcast, Episode 272 v2

Published under General, Podcast, Risk

As a follow-up to last week’s episode, Martin was joined last week by Josh Corman to talk to Wade Baker about the 2012 Verizon Data Breach Investigation Report. Wade talks to us about how the information for the report was gathered, some of the strengths and weaknesses of the analysis and finally how the amazing puzzle that is the front cover was conceived. The episode is a little longer than normal, but worth the time.

When this podcast was first released, iTunes mistakenly identified the PDF of the DBIR as the podcast. Subsequent attempts to upload were similarly misidentified. Here’s hoping that a remix of the podcast will be different enough that it doesn’t try keying on the DBIR again.

Network Security Podcast, Episode 272v2


Apr 18 2012

Something to think on from Source Boston

Published under General, Government, Privacy, Risk

“The Internet will never again be as free as it is this morning” – Dan Geer at SOURCE Boston

Think on that for a while.  If it doesn’t scare you, it should.

Update:  Here’s the full text of Dan Geer’s talk at SOURCE Boston


Apr 17 2012

Network Security Podcast, Episode 274

Published under Podcast

The gang is scattered to the wind. Rich is off at some random Margaritaville and Zach is pretending he has a real life and a new job or something. So Martin called out the cavalry and is joined tonight by none other than Dave Lewis, aka Gattaca on Twitter (I bet many of you didn’t realize he had a ‘normal’ name). We talk a lot about privacy (go figure), the TSA (big surprise) and the difference between Canadian and American viewpoints on a few things. A good time was had by all. Or at least by Martin, which is what really matters. And let’s not forget BSides Chicago coming up soon!

Network Security Podcast, Episode 274, April 17, 2012

Time:  30:00 (Exactly, which may be a first)

Show notes:


Apr 12 2012

This is why CISPA scares me

Published under Government, Privacy

Unlike its brethren, SOPA and PIPA, CISPA doesn’t scare me because it’s aimed at shutting down piracy and giving the media companies unheard of powers. CISPA scares me because it is aimed at letting companies share information between each other and with the government in order to stop bad guys, which is a noble cause. Unluckily, CISPA is written in such a way that 1) it tramples on the very basic rights of due process and privacy to combat these threats and 2) it includes clauses that name intellectual property and private information as reasons for this sharing. Which places us right back in SOPA/PIPA land, because now the media companies are back in the thick of things.

Let’s have some laws to promote information sharing. But let’s not give up our civil liberties and make our government into more of a surveillance state than it already is.

Update: At the suggestion of a co-worker, I sat down and read the entirety of the CISPA bill, only to find it had changed significantly from when I’d first skimmed over it. Several of the clauses that would have allowed the media companies to share information freely if they suspect piracy have been changed to clarify that it’s only if there is an attempt at network compromise that the CISPA sharing would be invoked. Of course, that might not stop businesses from claiming they’re justified in sharing, which is a fairly likely event given previous experience with many media companies. It also got a little worse in some ways, including the power infrastructure companies, limiting the liability of companies even more, and making it nearly impossible to claim a violation, provided you can even find out there was one in the first place. Techdirt has a good explanation of some of the changes. There’s improvement, but not enough that we shouldn’t do everything we can to stop this law in its current form.

CISPA infographic designed by Lumin Consulting


Apr 10 2012

Network Security Podcast, Episode 273

Published under Podcast

Zach is off settling in to the new job and prepping for Source Boston, but Rich and Martin managed to get together to discuss travel, the latest security news, and Rich’s rant on the whole Mac malware thing.  And Martin apologizes to listeners for the mixup with episode 272.

Network Security Podcast, Episode 273, April 10, 2012

Time:  40:20

Show Notes:


Apr 05 2012

Network Security Podcast, Episode 272

Published under Podcast

As a follow-up to last week’s episode, Martin was joined last week by Josh Corman to talk to Wade Baker about the 2012 Verizon Data Breach Investigation Report. Wade talks to us about how the information for the report was gathered, some of the strengths and weaknesses of the analysis and finally how the amazing puzzle that is the front cover was conceived. The episode is a little longer than normal, but worth the time.

Network Security Podcast, Episode 272, April 3, 2012
Time:  40:37


Apr 02 2012

Global Payment Systems delisted by Visa

Last Friday Brian Krebs broke the story that MasterCard and Visa were warning of a major processor breach. Later in the day it was announced that the payment processor was Global Payments Inc. and that approximately 50,000 card numbers had been compromised, a number that was later revised to 1.5 million card numbers. Global Payments took such a pummeling in the stock market that they had to halt trading in the middle of the day on Friday, and trading appears not to have resumed as I’m writing this post. They have a press conference this morning, but the initial reporting shows that Global Payments isn’t saying anything that’s not already in a press release. And to add insult to injury, Global Payments has had their listing as a compliant service provider yanked as of Friday, pending the security review of the compromise and a new assessment, a process that could take months.

The relationship between customer, merchant, banks, card processors and the card brands is complex and not at all clear to the average consumer.  When a customer swipes their credit card or places an order online, the merchant passes that information on to their processor.  The processor is a company, such as Global Payments, that has been designated by the merchant’s bank to process payments on their behalf.  The processor sends the request to the card brands, who check the balance with the bank that issues the credit card and forward an approval or denial based on credit availability and fraud checks.  That approval is forwarded back to the merchant and the customer and the whole process only takes 2-3 seconds on the average day.  At the end of the day the merchant bundles the credit card requests and sends them to their bank, appropriately designated the merchant bank, who forwards the information through the card brands to the banks of the people who charged their cards that day.  The relationship is complex and my explanation doesn’t cover the many variations that can crop up, but it covers the basic idea.  For more information, there is a wiki page.

One of the most interesting aspects of this is that Visa has removed Global Payments from the list of compliant processors, a step that I don’t think has been taken for any breach since that of CardSystems in 2005. CardSystems was the first major breach of the credit card flow to catch the public attention and it was very clear that de-listing was done to buoy consumer confidence. But since then very few service providers of any stripe have had their listing pulled, which indicates there may be more going on behind the scenes than is being reported publicly. Global Payments’ relative silence and the updates to the number of records compromised add to this impression. Of course, no one expects any company to come clean immediately when faced with a compromise, but the degree to which this incident is causing lips to be sealed is interesting by itself. Will Global Payments have to go through a similar process as CardSystems, basically selling themselves to prevent total collapse?

We’ve gotten to the point where we almost expect daily or weekly notifications from merchants stating they’ve been compromised.  But where merchants are not in the business of securely taking in credit card numbers, that’s exactly what processors and banks are supposed to be focusing on.  A merchant makes their money by selling products to consumers whereas a payment processor is selling the security of the transaction and any breach of that trust is a major issue.  The processors are also aggregation points for multiple merchants and many processors have millions of card transactions flowing through their systems on a daily basis.  As such, they know, beyond a shadow of a doubt, that they are being targeted by attackers and that their security is paramount to continuing to be in business.

I strongly suspect that what’s been disclosed so far is simply the tip of the iceberg.  If Global Payments was compromised for a month and a half, as currently stated, then a much higher number of card numbers than 1.5 million were most likely processed during that time.  Which means the compromise was either contained in some way with or without the awareness of Global Payments, or there is another shoe waiting to drop.  My money is on the latter.

Update: I forgot to add that there was a brief outage of the Visa network on Saturday morning when they updated systems inside VisaNet. Yeah, that can’t be at all related to the Global Payments breach, could it?
