Largest Breach Ever

Courtesy of Brian Krebs from the Washington Post, it appears that the largest ever breach of credit card data may have occurred. It appears that a payment processor company in the United States, Heartland Payment Systems, discovered malware on their network that may have captured the credit and debit card details of over 100 million credit cards. The data captured include names, credit and debit card numbers and expiration dates.

There are no details yet as to how the malware got onto their network, what type of malware it is or the type of systems infected. When I do security assessments for clients I often see strong malware controls on desktops and servers, but the network is one area that is frequently overlooked. Routers, switches and other network components are often never looked at once they have been installed. These devices invariably are not included in any vulnerability or patch management strategies and will probably not have been upgraded, reviewed or tested since they were installed. This leaves a gaping hole in your security infrastructure, as once an attacker controls a router or switch they have access to all the data that passes through it.

Another item to consider is what monitoring was in place to detect any suspicious behaviour. Again, this is often something I find clients overlook as part of their information security infrastructure. The article does explain that Heartland found the malware as the result of an investigation, so to be fair it is possible that their monitoring systems alerted them to some suspicious behaviour. However, until more details are available we can only speculate.

No doubt questions will be asked as to whether or not Heartland was PCI compliant.  To me this is a non-issue.  If you have implemented a strong information security infrastructure then PCI compliance, or indeed any compliance, will practically be a side benefit.  As always I will repeat the mantra, just because you are compliant does NOT mean you are secure.

I await more details on this breach with interest.  As always we should use all of these breaches as an opportunity for ourselves to learn how better to protect our own networks and data.

Technology Is Not The Silver Bullet

The raft of data breaches involving lost laptops and mobile devices that occurred last year, both in the government and private sector, led to a rash of organisations running out to encrypt these mobile devices.  While an effective tool in helping to secure data on mobile devices, encryption by itself is not a silver bullet nor the answer to the problem.  You still need to ensure that people minimise the amount of sensitive data they store on mobile devices and most importantly that they are properly trained and educated in how to use the technology employed to protect that data.

This story from the Lancashire Evening Post is a prime example of where security is the effective combination of People, Process and Technology. The story reports on how a USB key containing medical details of over 6,300 prisoners was lost. The good news is that the USB key was encrypted; the bad news is that the pass-phrase to decrypt the information was attached to the USB key. This in reality makes the encryption worthless and provides no security to that data.

So when deploying technology to enhance the security of your organisation, remember to ensure that those who will be using that technology are properly trained in its use.

Responsible Disclosure

The ran a story on Friday that highlighted a security defect on the Department of Agriculture’s website.  Apparently the reported vulnerability enables anyone to browse details of any farmer who has received money from the EU Common Agriculture Policy payments scheme.

The article claims that the Department of Agriculture were not aware of the security hole and according to this report they do not believe this is a security breach.  This seems to indicate that the person who found the problem did not notify the department directly but instead chose to go to the press with the details.  It seems a strange motive as the person has also asked to remain anonymous, so the motive for such a move may not have been to seek their 15 minutes of fame. 

Irrespective of the motive, I would hope that those in the Information Security profession here in Ireland would have the proper ethical training and would have raised the issue with the Department first rather than go to the press with the details. This also begs the question: how many people who claim to be Information Security professionals here in Ireland are actually aware of the ethical standards associated with our profession?

Data of 17 Million Mobile Phone Users Exposed

It appears that a security breach at Deutsche Telekom in 2006 exposed personal details of over 17 million customers of its mobile phone division, T-Mobile. The company claims that no credit card or financial details were exposed but that information such as email addresses as well as mobile numbers and addresses was exposed.

The company claims that they found no evidence of the data being used or traded on the Internet or any data exchanges. Well, I am sure that will make those affected sleep better at night. However, German newspapers are claiming that the data is already in the hands of criminals, in particular the data belonging to some celebrities, politicians and well known business people.

This issue does beg the question: who decides when individuals should be notified that their data has been exposed? The company who suffers the breach or an independent third party? I guess if you have read this Blog for any period of time you know where I stand on this.

Lost Laptop Exposes 380,000 Records

Following on from last week’s announcement that the office of the Comptroller Auditor General lost a laptop containing sensitive data at a bus stop, today the CAG announced that it lost a laptop in April 2007 that contained information from the Department of Social and Family Affairs on over 380,000 welfare recipients. The laptop was stolen from the office of the CAG and, to compound the problem further, while the data was sent to the CAG from the Department of Social and Family Affairs in encrypted format, it was subsequently stored on the CAG laptop in plaintext form. The compromised data included personal details such as bank account numbers, names and addresses of people; in fact, the perfect data an identity thief would pay a lot of money for.

Questions have to be asked: why did it take so long for those affected to be informed of the breach? It is nearly 17 months since the laptop was stolen but details are only being made public now. Why were those affected not made aware that they were at risk of identity theft? And by the way, the argument that the data has not yet been abused is not a valid one.

Yet again this is another example of why we need mandatory breach disclosure laws in this country. While we have had a number of good examples of how to deal with breaches, too often we have had too many bad examples. The time of people relying on organisations to do the right thing is over and we need to introduce regulations that mandate the appropriate steps an organisation should take in the event it suffers a breach.

Digital Rights Ireland have a post that covers some of the legal aspects regarding this breach.  If you feel as strongly about breach disclosure as I do then they also have details on how you can add your voice to the debate.

11 Charged in US with Cyber Crime

Eleven people have been charged in connection with a major hacking ring that allegedly compromised over 40 million credit card records at TJX Corporation, which also runs the TK Maxx stores here in Ireland. Three Americans are amongst those arrested, with two other individuals held in Turkey and Germany. The remaining six people are still at large: two are from the People’s Republic of China, two from the Ukraine, one from Belarus and one other whose true identity is not known.

The above demonstrates the international nature of cyber crime with people involved from around the globe.   This makes the fight against online criminals even more difficult as law enforcement have to deal with inter-jurisdictional issues.  Given this we should congratulate the various law enforcement agencies who made this possible.

I was interviewed today regarding the above by The SiliconRepublic.Com and also on today’s lunchtime news on RTE Radio 1.

I blogged about the original TJX breach when it first broke back in January 2007. There is excellent coverage of the recent details on the CyberCrime & Doing Time Blog.

Irish Times Interviews me

Wednesday’s edition of the Irish Times contains a follow up story to the recent data loss in Bank of Ireland. I was asked for my thoughts and opinions on what happened and whether or not encryption would have prevented the loss. Those of you who know me and regularly read my Blog know that I do not believe that technology by itself is the solution. It is equally important to ensure that people and processes are also taken into account. The article (requires paid subscription) highlights that a poor or easy to guess passphrase (or indeed a passphrase written on a post-it note on the laptop) will undermine the encryption protection.