Saturday, January 19, 2008

Hackers threaten electric supply

Needed: Dynamic! Security for Utility Companies.
 
Can Con Ed be made safe for America? The article from the Washington Post tells us:
 
In a rare public warning to the power and utility industry, a CIA analyst this week said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities....
 
Over the past year to 18 months, there has been "a huge increase in focused attacks on our national infrastructure networks, . . . and they have been coming from outside the United States," said Ralph Logan, principal of the Logan Group, a cybersecurity firm....
 
Over the past 10 years, electric utilities, pipelines, railroads and oil companies have used remotely controlled and monitored valves, switches and other mechanisms. This has resulted in substantial savings in manpower and other costs.
 
But to do that, the companies have installed wireless Internet connections to link the devices to central offices....
The electric utility industry has also been adding software that allows more coordination among different parts of the electricity grid and will ultimately allow utilities and individuals to control devices remotely. This is a central part of what many firms call the "utility of the future," which will be better able to save energy and reduce greenhouse gas emissions.
 
"Often there are authentication methods that are less than secure," Logan said. "Sometimes there are no authentication methods."
 
Dynamic! Security to the rescue, with regional syndication, location- and time-sensitive security and fool-proof authentication.
 
 
Hackers Have Attacked Foreign Utilities, CIA Analyst Says
 
By Ellen Nakashima and Steven Mufson
Washington Post Staff Writers
Saturday, January 19, 2008; A04
 
In a rare public warning to the power and utility industry, a CIA analyst this week said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities.
 
"We do not know who executed these attacks or why, but all involved intrusions through the Internet," Tom Donahue, the CIA's top cybersecurity analyst, said Wednesday at a trade conference in New Orleans.
 
Donahue's comments were "designed to highlight to the audience the challenges posed by potential cyber intrusions," CIA spokesman George Little said. The audience was made up of 300 U.S. and international security officials from the government and from electric, water, oil and gas companies, including BP, Chevron and the Southern Co.
 
"We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge," Donahue said. He did not specify where or when the attacks took place, their duration or the amount of money demanded. Little said the agency would not comment further.
 
The remarks come as cyber attackers have made increasingly sophisticated intrusions into corporate computer systems, costing companies worldwide more than $20 billion each year, according to some estimates.
 
Cyber extortion is a growing threat in the United States, and attackers have radically increased their take from online gambling sites, e-commerce sites and banks, which pay the money to prevent sites from being shut down and to keep the public from knowing their sites have been penetrated, said Alan Paller, research director at the SANS Institute, the cybersecurity education group that sponsored the meeting.
 
"The CIA wouldn't have changed its policy on disclosure if it wasn't important," Paller said. "Donahue wouldn't have said it publicly if he didn't think the threat was very large and that companies needed to fix things right now."
 
Over the past year to 18 months, there has been "a huge increase in focused attacks on our national infrastructure networks, . . . and they have been coming from outside the United States," said Ralph Logan, principal of the Logan Group, a cybersecurity firm.
 
It is difficult to track the sources of such attacks, because they are usually made by people who have disguised themselves by worming into three or four other computer networks, Logan said. He said he thinks the attacks were launched from computers belonging to foreign governments or militaries, not terrorist groups.
 
Over the past 10 years, electric utilities, pipelines, railroads and oil companies have used remotely controlled and monitored valves, switches and other mechanisms. This has resulted in substantial savings in manpower and other costs.
 
But to do that, the companies have installed wireless Internet connections to link the devices to central offices.
 
"In the past, if they wanted to go out and read a gauge on a gas well, for example, they would have to send a technician in his vehicle; he would drive 100 miles and physically read the gauge and get back in his truck," Logan said. "Now they can read it from headquarters. But it allows attackers a gateway into the system."
 
In addition, within the companies' main offices, control equipment can be accessed from more computers than in the past.
 
The electric utility industry has also been adding software that allows more coordination among different parts of the electricity grid and will ultimately allow utilities and individuals to control devices remotely. This is a central part of what many firms call the "utility of the future," which will be better able to save energy and reduce greenhouse gas emissions.
 
"Often there are authentication methods that are less than secure," Logan said. "Sometimes there are no authentication methods."
 
On Thursday, the Federal Energy Regulatory Commission approved eight cybersecurity standards for electric utilities. They involve identity controls, training, security "perimeters," physical security of critical cyber equipment, incident reporting and recovery.
 
The U.S. electricity grid has always been vulnerable to outages. "Cybersecurity is a different kind of threat, however," Joseph T. Kelliher, the commission's chairman, said in a statement this week. "This threat is a conscious threat posed by a single hacker, or even an organized group that may be deliberately trying to disrupt the grid."
 

Wednesday, November 28, 2007

The man in the browser and how to starve him

According to Computerworld, the 'Man in the browser' is a new threat to online banking, but we have a solution. Here is the problem:  
 
Criminals infecting PCs with malware that is only triggered when they access their bank accounts are the latest threat to online banking, according to security software supplier F-Secure.
 
Perpetrators act as a 'man in the browser' by intercepting HTML code in the Web browser. As bank security measures curb more traditional threats such as keystroke logging, phishing and pharming, F-Secure warned, the 'man in the browser' attack will increase.
 
Once a user's PC is infected, the malicious code is only triggered when the user visits an online bank. The 'man in the browser' attack then retrieves information, such as logins and passwords, entered on a legitimate bank site. This personal data is sent directly to an FTP site to be stored, where it is sold to the highest bidder.
 
Security products using behavioral analysis were the best solution against such attacks, because the malware was only distributed to the users of specific banking sites, said Mikko Hypponen, chief research officer at F-Secure. This meant anti-malware software vendors were unlikely to be able to quickly release code to tackle all the new threats.
 
Following the enhancements that banks have made to authentication on their sites, "phishing attacks are becoming less and less effective and attacks of the 'Man in the Browser' are set to increase," he warned.
 
The man in the browser is just a variant of the horse in the browser. The thief in the browser, human or equine, gets customers' identity information and uses it to empty their bank account or stock brokerage account. For the most part, the thieves can invent new software devices faster than the problem can be fixed.
 
There is one solution that is thief-proof: IDentiWall from Made4Biz-security. IDentiWall can require users to enter a unique one-time password that is sent by SMS to the user's cellphone. If a thief tries to access the account, the user will get the same SMS with the one-time password, and has the option of blocking access to the account until the username and password can be changed.
 
IDentiWall can also send users a summary of the transaction for confirmation:
 
"You asked to debit acct # ____________ by $999.

Press Yes to continue or No to cancel"

The principle implemented by IDentiWall is that it gives users control over their online account through a separate, secure channel: their cellphone.
 
The man installed by thieves remains in the browser, but he isn't being fed anything.
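As an added example that is not IDentiWall's or Made4Biz's code, the following Python models the confirmation flow the post describes; the bank class, the per-account inbox standing in for the SMS channel, the token, the two-minute code lifetime and the message wording are all constructed here. It shows why the separate channel starves the man in the browser: the SMS describes the debit the bank actually received, so a request rewritten inside the browser is revealed on the phone, where the user can refuse it and lock the account.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 120  # assumption: a one-time code is good for two minutes


@dataclass
class Account:
    number: str
    balance_cents: int
    locked: bool = False
    inbox: list = field(default_factory=list)  # constructed stand-in for the SMS channel


class Bank:
    """Bank side of the out-of-band confirmation described in the post (added example)."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, dict] = {}  # token -> debit awaiting the user's confirmation

    def submit_debit(self, src: str, dest: str, amount_cents: int):
        """Step 1: the browser (possibly with a man in it) submits a debit. Nothing moves yet;
        the user's phone receives a summary of what the bank actually received, plus a code."""
        acct = self.accounts[src]
        if acct.locked:
            return None  # account blocked until the user changes username and password
        code = f"{secrets.randbelow(10**6):06d}"  # one-time code; never shown in the browser
        token = secrets.token_urlsafe(16)
        self.pending[token] = dict(src=src, dest=dest, amount=amount_cents,
                                   code=code, issued=time.monotonic())
        acct.inbox.append(f"You asked to debit acct # {src} by ${amount_cents / 100:.2f} "
                          f"to acct # {dest}. Enter code {code} to continue or reply NO to cancel")
        return token

    def confirm(self, token: str, code_from_user: str) -> bool:
        """Step 2: the user types the code from the SMS. The debit runs only if the code
        matches this pending transaction and is still fresh. A wrong or late code discards
        the transaction, so each code is usable exactly once and cannot be guessed at leisure."""
        tx = self.pending.pop(token, None)
        if tx is None or time.monotonic() - tx["issued"] > CODE_TTL_SECONDS:
            return False
        if not secrets.compare_digest(tx["code"], code_from_user):
            return False
        src, dest = self.accounts[tx["src"]], self.accounts[tx["dest"]]
        if src.balance_cents < tx["amount"]:
            return False
        src.balance_cents -= tx["amount"]
        dest.balance_cents += tx["amount"]
        return True

    def cancel_and_lock(self, token: str) -> None:
        """User replied NO: the SMS showed a debit they never asked for (the man in the
        browser changed it), so drop it and block the account until credentials are changed."""
        tx = self.pending.pop(token, None)
        if tx is not None:
            self.accounts[tx["src"]].locked = True
```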
 

Wednesday, October 24, 2007

Fingerprint system fails to identify black-listed soccer fans

Published 23 October 2007

Dutch researchers test the reliability of fingerprint biometrics by placing fingerprint scanners at three Dutch soccer stadiums for the purpose of identifying more than 6,000 "black-listed" volunteers; the fingerprint system failed to spot 15 percent to 20 percent of those on a volunteer black-list.

This is a story about football, but it has implications beyond the beautiful game. A fingerprint recognition system failed to prevent black-listed fans from entering football grounds and was easily fooled by simple spoofing techniques, according to a trial by Dutch research organisation TNO (organization's motto: "Kennis voor zaken"). Jurgen den Hartog, who undertook the research, said that with a false positive rate of 0.1 percent -- a low rate being a requirement for such a system, given the number of supporters and the fact that false positives could make for trouble -- the fingerprint system failed to spot 15 percent to 20 percent of those on a volunteer black-list, recruited to test the technology, a level he described as "unexpected." "This has serious implications for a lot of other negative identification scenarios," den Hartog told a session of the Biometrics 2007 conference in Westminster last week. "It's very easy not to look like yourself, so I wonder what the impact of these results will be on other programmes."

InfoSecurity's S. A. Mathieson writes that negative identification fails if a black-listed person can fool the system into thinking they are not on that list, involving technically challenging one-to-many checks. Identity verification checks, such as with passports, require only a one-to-one check that the biometric recorded matches the individual, and fail only if someone else's identity is hijacked. Den Hartog said that fooling the fingerprint systems, LScan 100 scanners provided by NEC and HSB, proved easy for the volunteers, who were asked to attempt such spoofing. They used techniques including latent fingerprints on sticky tape and a layer of glue on fingers: "The trick is, do not press too hard," he said of the latter. Both techniques also fooled a spoof-resistant scanner from Lumidigm in TNO's labs. Furthermore, the tests brought up other problems: the devices could check twelve fans a minute at best, but as few as four or five a minute on one occasion when it was in direct sunlight by Feyenoord's ground (Giovanni van Bronckhorst, one of our favorite footballers, is playing for the Rotterdam club). "The French fries stand outside the stadium couldn't do business any more, because of the queue for our gate," den Hartog said. "The live system did not meet important requirements of speed, accuracy and robustness against manipulation," den Hartog concluded. "I think speed and accuracy can be solved, but robustness against manipulation really remains a challenge."

The research involved 6,400 checks at 26 matches at three Dutch football clubs. TNO chose fingerprints in preference to iris or facial recognition, on a range of criteria including speed, reliability, and proof against being fooled.
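The one-to-many difficulty Mathieson describes can be made concrete. As an added example that is not part of TNO's work or the article, the following Python works through the arithmetic, assuming the comparisons against the list are independent: checking one entrant against a list of N prints gives N chances for a false match, so the per-comparison false match rate must be roughly N times smaller than the system-wide false positive rate that a one-to-one passport check could tolerate, and the tighter threshold is what raises the miss rate for people who really are on the list.

```python
import math

# Added example, not TNO's analysis. Assumption: each of the N comparisons of an
# entrant against the black-list is independent, with the same per-comparison
# false match rate (FMR). Under that assumption the system-wide false positive
# rate against the whole list is 1 - (1 - FMR)^N.


def list_false_positive_rate(fmr_per_comparison: float, list_size: int) -> float:
    """Probability that an innocent fan matches at least one of N listed prints.
    log1p/expm1 keep precision for the tiny rates involved."""
    return -math.expm1(list_size * math.log1p(-fmr_per_comparison))


def required_fmr(target_false_positive_rate: float, list_size: int) -> float:
    """Per-comparison FMR a one-to-many system needs so that the whole list
    stays within the target false positive rate (inverse of the function above)."""
    return -math.expm1(math.log1p(-target_false_positive_rate) / list_size)


def verification_to_watchlist_ratio(target_false_positive_rate: float, list_size: int) -> float:
    """How many times tighter the matcher must be for negative identification
    than for a one-to-one check held to the same false positive rate. For a
    one-to-one check the list size is 1, so the tolerable FMR equals the target."""
    return target_false_positive_rate / required_fmr(target_false_positive_rate, list_size)


def pass_probability_after_tries(miss_rate: float, attempts: int) -> float:
    """A listed fan who is missed with probability `miss_rate` on each attempt and
    simply tries again (another gate, another match): 1 - (1 - miss_rate)^attempts."""
    return -math.expm1(attempts * math.log1p(-miss_rate))


if __name__ == "__main__":
    # The article's figures: a 0.1 percent false positive rate and about 6,000 listed volunteers.
    target, listed = 0.001, 6000
    print(f"1:1 check may use FMR {target:.1e}; 1:{listed} needs {required_fmr(target, listed):.2e}")
    print(f"that is {verification_to_watchlist_ratio(target, listed):.0f} times tighter")
    print(f"a 15% miss rate becomes {pass_probability_after_tries(0.15, 3):.1%} after three tries")
```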

 

Wednesday, May 16, 2007

Yet another example of the absence of Dynamic Security's protection

TJX breach-related expenses: $17M and counting

Jaikumar Vijayan

 

May 15, 2007 (Computerworld) The TJX Companies Inc. today announced that it took a $12 million after-tax charge for the quarter ending April 28 in connection with the massive data breach it disclosed in January.

The charge of 3 cents per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers, and various legal and other fees, the company said in its first quarter earnings statement.

The company expects to incur a similar charge of 2 cents to 3 cents per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. "TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses," TJX said in its statement.

The Framingham, Mass.-based TJX owns several retail brands, including T.J.Maxx, Marshalls and Bob's Stores.

In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland. In filings with the U.S. Securities and Exchange Commission in March, the company said 45.6 million credit and debit card numbers were stolen over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc. and made the TJX compromise the worst ever in terms of the loss of payment card data.

The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. And that may just be the tip of the iceberg, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass., who released a report last month on all the factors that need to be included when totaling data breach costs.

Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits, and additional security and audit requirements. Several lawsuits have already been filed against TJX, including one by the Massachusetts Bankers Association seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach.

There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be "just a fraction" of what the breach could eventually end up costing the company.

"This is something that is going to play out over years," he said.

 

Tuesday, May 8, 2007

IDentiWall is poised to resolve credit card payment security

Restaurant Chain Beefs Up Payment Card Protections

Jaikumar Vijayan

 

May 07, 2007 (Computerworld) In the past, credit and debit card security wasn’t a huge concern at The Steak n Shake Co., which operates more than 450 restaurants in the Midwest and Southeast. But it has been a top priority for the chain’s IT organization since last August, when the number of card transactions that Steak n Shake processes annually passed the 6 million mark.

That put the Indianapolis-based chain into the category of businesses that are subject to the most stringent requirements of a data security standard mandated by the major credit card companies.

Moving into the Level 1 classification under the Payment Card Industry (PCI) Data Security Standard had big IT implications for Steak n Shake, said Sean Smith, its director of strategic technology services. The company had been accepting card payments for only about two and a half years, and before August, it was considered a Level 4 merchant — the lowest tier on the PCI scale.

Requirements Multiplied

“We went from ground zero to Tier 1 in a very short period of time,” Smith said. “Our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold.”

PCI requires all entities that handle payment cards to implement a set of 12 security controls, including data encryption, logical and physical access controls, and activity monitoring and logging. Companies are classified into four groups, depending on the number of card transactions they process annually. Businesses that are in the top group like Steak n Shake are required to undergo quarterly network security scans and an annual on-site security audit.

Some of the biggest changes at Steak n Shake had to be made at the restaurant level. For instance, the generic usernames and passwords used in the past to access point-of-sale systems were replaced by a log-in system based on Active Directory that can be centrally monitored and managed. Under PCI, Smith said, “we need to know who is accessing what, when and where.”

The company also had to roll out tools for centrally managing the IT assets in its restaurants and pushing out software patches and antivirus updates to the systems. In addition, Smith said, Steak n Shake can now log and audit all restaurant-level transactions involving payment card data, as required by PCI.

In another facet of the compliance effort, Steak n Shake is replacing its VSAT satellite communications links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections. And to better secure its network perimeter, the chain is adding intrusion-prevention and -detection tools, plus security event management technology with centralized logging and correlation.

Smith declined to disclose what the security upgrades are costing Steak n Shake, which has hired Qualys Inc. to do the required quarterly vulnerability scans of its network perimeter. Qualys will also conduct similar assessments of its internal network to help mitigate potential security threats from insiders.

Implementing and demonstrating the controls needed to comply with PCI at Level 1 can be challenging, said Terry Ramos, director of strategic development at Redwood Shores, Calif.-based Qualys. That’s especially true for a company like Steak n Shake, whose compliance level has abruptly changed, Ramos said. He noted that at Level 4, the PCI mandates are little more than best practices, with no specified validation requirements.

Getting reclassified on the PCI scale “can often be a rude awakening for organizations,” said Chris Noell, president of TruComply, an Austin-based consulting firm that focuses on the payment card industry. Level 4 companies, he added, “are rarely aware of their compliance obligation, much less doing anything about it.”

“The difference can be like night and day,” agreed Gartner Inc. analyst Avivah Litan. “Level 1’s come under a much bigger magnifying glass.”

Made4biz Security: translating real-world security know-how into state-of-the-art security systems.