Category Archives: Security

Visa tackles PCI myths

There is so much useless chatter on the Internet about Heartland that it is nice to see a well-researched and well-written article by Bank Info Security. They report on a security road-show by Visa:

In tackling facts and myths about data compromises, as presented in the news media, Visa says:

  • No compromised entity has been found to be PCI compliant at the time of the breach;
  • Visa does support encryption for both online and batch files.

The presentation goes on to cover common compromise vulnerabilities, including:

  • Failure to secure and monitor connected non-payment environment;
  • Unprotected systems vulnerable to SQL injection attacks;
  • Corporate websites targeted to gain access to network;
  • Malware installed to capture passwords and cardholder data.

Perhaps most interesting is that Visa estimates that each check card with its track data and PIN has a market value of around $1000.

The first bullet in the second list should not be missed. Although many people are banging the drum on SQL injection and web application vulnerabilities, as well as malware, the “it’s all connected” message is a tough one. I know this well because it was the basis of a campaign I ran a few years ago at a financial institution. Fortunately there is some help in publications like FIPS 200 from 2006 (Minimum Security Requirements for Federal Information and Information Systems). It suggests that everything connected to a critical system should be held to the same or higher level of security as that system.

This message is not an easy one to deliver because it forces a choice between two options: raise the enterprise-wide security baseline, or harden and segment the critical systems to the point where they are truly isolated from everything else. Either way, it is a security project whose cost is determined by how much risk the business is willing to operate with.

Thus, the difference from the other three bullet points is that it is a question for management rather than a strictly technical gap. You can patch and monitor to fix SQL injection, web application flaws, and malware, but deciding on information flow and minimum security requirements across the enterprise is a complex business decision. Incidentally, no pun intended, the utilities are currently dealing with this very same issue, as corporate systems and control centers appear to be increasingly connected to critical assets and critical cyber assets throughout their infrastructure.

Romania cracks down on crackers

The big news last week was that more than twenty people in Romania had their homes raided very early in the morning on charges of stealing financial identities with fake bank sites and of unauthorized access to NASA systems. Nearly a hundred officers performed the operation, with FBI support, in Timisoara, Lugoj, Caransebes, Hunedoara and Pitesti.

Stirile Pro TV has more details:

Although this is an impressive sweep, it brings to mind some other recent news. Gabriel Bogdan Ionescu was arrested in 2007 for cloning the Italian Post Office site to steal identities and money. He was convicted and sent to jail, but now Balkan Insight reports that the District Attorney in Como, Italy has allowed him to take a job.

Ionescu is to be hired part-time by a company specialized in monitoring and intercepting online criminal activity and which has been contracted by the Italian government to assist authorities with preventing online crimes, which are becoming increasingly common in Italy.

Will he be working against his former colleagues, who seem to have copied his methods? Perhaps more to the point, I wonder if the new twenty-two or so suspects will get a similar offer and substitute for hiring Italian computer security experts. The ethics of hiring convicted criminals to fight crime have always been debated. In the case of Ionescu, it seems his application to a university in Milano helped turn things around for him.

He finished the test in a record one hour and 20 minutes and received the highest score in the history of the faculty. More recently, Ionescu received maximum scores on two student exams.

“He’s not just the best in his generation,” fawned one of his professors. “He’s probably the best on the planet.”

Although it’s very likely he is super intelligent, I still have to wonder about the chances that he cheated.

Card Systems Breach FTC Review

Bank Information Security has posted an interesting interview with Alain Sheer, an attorney with the FTC working on the CardSystems breach. He gives details on the attack:

Here is what we alleged in the complaint about what happened, and this is kind of a big picture kind of way of thinking about it, but I think you will see the picture. It is, starting in September 2004 an intruder used a SQL injection attack, and I will explain what that is in just a moment, to install common hacker tools on Card Systems’ network. The tools were used to find the mag stripe data and to export it every four days, starting in November 2004. Through the exploit, through this attack, the intruder got information about tens of millions of credit cards, the mag stripes basically.
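The first step Sheer describes, an injectable query that lets an intruder both locate the card data and pull it out wholesale, is easy to reproduce in miniature. The block below is an added example, not code from the interview, the FTC complaint or CardSystems; it runs against an in-memory SQLite table of constructed, fake records, and the table name, column names and the merchant_id lookup are assumptions for illustration. It also serves the “Unprotected systems vulnerable to SQL injection attacks” bullet in the Visa post above: the same injectable lookup is shown beside its parameterized fix, and a UNION probe against sqlite_master shows how an intruder finds where the track data lives before exporting it.

```python
import sqlite3

# Constructed sample rows for the demonstration; these are not real card numbers
# and the track-1 strings are made up to look like the real format.
SAMPLE_ROWS = [
    ("1001", "4111111111111111", "B4111111111111111^DOE/JOHN^2512101"),
    ("1002", "5500000000000004", "B5500000000000004^ROE/JANE^2606201"),
    ("1003", "340000000000009", "B340000000000009^POE/PAT^2703101"),
]


def build_db():
    """Create an in-memory table holding the fake records (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (merchant_id TEXT, pan TEXT, track1 TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Untrusted input is pasted into the SQL text: this is the injectable form."""
    sql = "SELECT pan, track1 FROM transactions WHERE merchant_id = '%s'" % merchant_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, merchant_id):
    """The value is bound separately; the engine never parses it as SQL."""
    sql = "SELECT pan, track1 FROM transactions WHERE merchant_id = ?"
    return conn.execute(sql, (merchant_id,)).fetchall()


# Classic tautology: closes the quoted literal and ORs in an always-true clause.
INJECTION = "x' OR '1'='1"

# Schema discovery: a UNION against SQLite's catalogue table returns every
# table name and its CREATE statement, which is how the intruder learns
# where the mag-stripe columns are before exporting them.
SCHEMA_PROBE = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


def schema_via_injection(conn):
    """Return the table names leaked through the vulnerable lookup."""
    return [name for name, _ in lookup_vulnerable(conn, SCHEMA_PROBE)]


def demo():
    """Row counts for honest and injected input against both lookups."""
    conn = build_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "1001")),
        "injected_vulnerable": len(lookup_vulnerable(conn, INJECTION)),
        "honest_parameterized": len(lookup_parameterized(conn, "1001")),
        "injected_parameterized": len(lookup_parameterized(conn, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
    print(schema_via_injection(build_db()))
```

The honest merchant id returns one row from either lookup. The tautology turns the vulnerable lookup into a dump of every row in the table, while the parameterized lookup searches for a merchant literally named `x' OR '1'='1` and returns nothing. The schema probe shows the reconnaissance step: the intruder does not need to know the table layout in advance, the database tells them.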

He then goes into the multiple complaints filed and the steps that the FTC says should have been taken by Card Systems. Towards the end he describes the harm:

In Choice Point, for example, the information that was stolen in many instances was the Social Security number, which allowed the thieves to open new accounts in the consumer’s name. The evidence also showed that a significant number of people lost a significant amount of money from identity theft.

In Card Systems, the consumers experienced a different type of injury in the form of fraudulent credit and debit charges, inconvenience and time lost. Although this is a real injury, consumers’ losses in circumstances like this are limited in many respects by existing consumer protection laws, bank dispute procedures that kind of spread the loss among the affected companies, and private litigation, for example. Consumers are not typically held responsible for unauthorized charges on their credit cards. So in these cases we have not been getting monetary relief because they are really different from the Choice Point type case.

It’s a very good interview that helps illustrate the perspective of investigators as well as the security controls they expect companies to use.

CyberWarfare against dissent

In my “Top 10 Breaches” webinar this past Tuesday I placed the DDoS attack on the Republic of Georgia at number 3. This was for several reasons, which I try to explain in the presentation. Here is a bit more detail:

First of all, the attack was orchestrated by a large and cohesive group. Groups involved in financial attacks usually have to be small (for margins as well as leak prevention) and are only held together long enough to make a profit. However, a nationalist movement has far greater threat potential, as it can spread on pride alone.

Second, the sophistication of the organization, the advance planning, the tests, and the forum communication show that geography currently provides little obstacle to assembling the talent or resources to stage an attack. Whereas the “bot-herder” tests started in the US, the eventual operation against Georgia came from within Russia.

Third, the attacks targeted sources of information such as blogs and news stations. Jose Nazario has just posted an interesting review of this effect. He explains that botnets are increasingly being used as a weapon against dissent and free speech. This expands the concept of a group threat to be much larger than nations and further emphasizes the importance of this type of breach.