Risque Management : Business

On giant databases

Slav — Sun, 22 Jul 2007 01:54:00 GMT

Why Wal-Mart, Tesco and other big retailers build giant databases that record every purchase and whatever else their customers are doing? Here's how Peter Dorrington of SAS, a software vendor, puts it:

Not only do firms like Tesco have good operational systems that control their costs, but they understand their customers and can offer particular product mixes which are attractive to certain groups

So this is the big idea. Businesses are sold on the hope of better understanding their customer and therefore finding better ways of taking the business to new levels. In fact, the best they can hope for is running the business efficiently as it is - without transformations. Without data that is not in the database you cannot attract new customers. You don't know how big is your customers' appetite for schinkenspeck until you offer some. And the database will not tell you that it won't be popular in Middle East because it's neither halal nor kosher unless there is appropriate database field, and you ask. And asking the right question is the hardest bit.

Banks are legally obliged to keep all information about their customers' transactions for a long period of time. That information is readily available but it doesn't help developing new products, market expansions and major investments. This is where artificial intelligence can assist. AI is bound for a big comeback.

Meanwhile, we have systems ironically classified as business intelligence and giant databases. They are surrounded by aura of mystery. Here's what Anthony Bianco writes in The Bully of Bentonville, a leftist anti Wal-Mart opus:

From their perch in the Glass center, Information systems technicians monitor the computer-to-computer interplay using software that enables them to anticipate glitches, or "exceptions", as they're known in digitese, and intervene to prevent them from occuring. "We are pretty near real time. We can tell people that they need to go do something and we are within hours, depending on the event", said Linda Dillman, who, as Wal-Mart's chief information officer, runs the Glass Center.

Funny as it is, this description of how Wal-Mart's is running their RetailLink infrastructure also gives indication how distant from reality is the perception of the giant databases.

Governments are hopeless at information security

Slav — Wed, 04 Jul 2007 09:10:00 GMT

One of the good things about BlackBerry - apart from the main client platform that will never get really damaging and widespread malware - is clever server infrastructure that routes data streams between the handhelds and the enterprise infrastructure. A mother ship in Canada handles all signaling and connections between various operators around the world so that roaming experience is really smooth (this also contributes to the business model that makes the operators hugely enthusiastic about BlackBerry). Data communication is direct between the handheld and the BlackBerry Enterprise Server, using UDP. Using Wi-Fi is possible. All is heavily encrypted.

But one thing happens over and over when governmentslook at BlackBerry security: they suddenly learn about the Canadian intermediary (for they believe it is), become concerned about non-existing snooping possibility, and place BlackBerry on hold for pointless yet lenghty review. It happened before in Australia. Now it happens in France: Blackberries nipped amid security fears. Some interesting details:

BlackBerry handheld computers, or "Le BlackBerry" as they are known France, have been called addictive, invasive, tiresome for thumbs - and, now, a threat to French secrets.

That, at least, is the fear of French government defence experts who have advised against their use by officials in France's corridors of power, reportedly to avoid snooping by US intelligence agencies and the loss of commercial and other secrets.

"It's not a question of trust," French legislator Pierre Lasbordes said today. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

...

Lasbordes, who was commissioned in 2005 by then-Prime Minister Dominique de Villepin to look into such issues, said he alerted the government about the issue months ago.

So it took two years for a politician to identify a non-issue as a problem. Apparently RIM cannot easily stand up to the politicians' stupidity:

The Canadian company "admitted that there was a certain fragility in the protection of information when you use the email system" and promised it would be resolved, said Lasbordes, adding: "That was more than a year ago."

Of course, we shall never know what exactly is that certain fragility, because it is certaintly an uncertainty - please pardon my French. And, of course, there is another official to voice the concerns:

BlackBerries pose "a problem with the protection of information" and "the risks of interception are real," Alain Juillet, in charge of economic intelligence for the government, told Le Monde.

What is the most amazing here is that the Mr. Jullet is responsible for some kind of intelligence. He should know the meaning of "real".

Pragmatism doesn't always work

Slav — Sun, 03 Jun 2007 00:28:00 GMT

Asset classification is a popular concept among security specialists. Quoting from The Pragmatic CSO:

You can’t protect what you don’t know about, so the first step is to figure out what you have. Likewise, you don’t want to spend $50,000 protecting a $2,000 business system, so in Step 1 you talk to senior management and discern how important each system is to the operations of the business. Then you can figure out how much to invest in protecting it.

Here's why it won't work:

Senior management may not think of the business in terms of particular systems facilitating it. They will rely on you to provide that information;
In today's interconnected world, a single system means nothing. Mainframes tend to be very important to the businesses using those -so should most resources be allocated to protecting mainframes? Not really, not just mainframes. Rather, their entire ecosystem - that included the mainframe, its storage system, administrative workstations, user workstations, network infrastructure linking all that, directory services that is used for authentication and authorisation to the infrastructure elements, identity management system, and supporting processes. So, what is not so important?
Underinvesting in protection of supposedly low-risk infrastructure is a big risk. Most of the multimillion dollar breaches happened through sub-$2000 systems that have had little visibility to technical staff, let alone senior management.

An alternative (yet also pragmatic) approach would be to protect everything. That requires knowing everything in the enterprise - and not allowing the unknowns.

Single authority principle

Slav — Tue, 15 May 2007 09:04:00 GMT

One of the biggest issues in today's IT architectures is overengineering. Excessively complicated solutions are bound to be less reliable and secure. Any other component in a solution is potential point of failure. Well, not necessarily in terms of reliability (clusters, you know) - but certainly from security point, as it adds potential vulnerability and attack point.

And it creates some interesting issues. An example is a popular approach to identity management: using HR database as a "source of truth" about company staff. The corporate directory (your AD, or NDS) is populated from the HR database, using middleware. If you're using same corporate directory for controlling access to the HR database, that will result in an access management chicken-and-egg problem: who is the authority? Besides, now attackers have two targets for taking control over entire enterprise infrastructure (and middleware, the identity management system, is the third equally important). The approach avoiding that situation is developed centuries ago by the world's military: use single authority.

Using HR database as the source of truth does make sense, as it contains information about those who are paid by the company. However, it so happens, incidents that are most difficult to investigate are not caused by paid staff using their own accounts. Few years ago the security industry was shifting its focus towards malicious insider. But recent events prove that classic intrusions without apparent access abuse are still big threat. Take TJX and their insecure wireless network. Nevertheless, we should soon see more close integration between business systems like HR, identity management solutions and corporate directory. Oracle is making steps in that direction already. I like Microsoft's Active Directory and would like to see some effort in that echosystem as well.

But that is a move towards identity and access management based on military principle. It would be very interesting to see a system that is based on democratic principles. That is unseen so far but may well be an interesting change in the enterprise space.

How to prevent 1% of cybercrime?

Slav — Fri, 04 May 2007 22:50:00 GMT

An interesting picture appears on the PBS Shop Web site:

Because of what it says I felt an urge to click on it. The first attempt (a right-click) resulted in the following message box:

I think the law that prohibits copying the picture doesn't exist. Otherwise my Web browser would be breaking the law by caching the picture, for example. And the trademark law, at least in Australia, USA and other Western countries, actually allows nominative fair use (as well as parody).

But I don't need to do any copying anyway. The "HACKER SAFE" picture above is provided to you directly from its source, controlscan.com (and "certifies" sites other than this weblog). Clicking on it will show a page that says, among other things:

Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime.

I would be really interested in the methodology of that research. Why 99% and not 99.9%? But mentioning research is just weasel words here.

The company that brings you the "HACKER SAFE" picture provides many services related to Web security and privacy protection. Every single one comes with its own picture (they are called "trust seals"):

That, as I wrote, gives a false sense of security. Looking at the service offerings reveals more interesting facts:

The company provides vulnerability scanning for those who need to be compliant with flawed and largely useless Payment Cards Industry Data Security Standard;
The company offers vulnerability scanning bundled together with EV SSL certificates - overpriced ones, supposedly more secure and with questionable benefits;
EV SSL certificates are positioned to secure E-Mail applications among other things. Internet email standards generally don't require a browser, and current EV certificates' main distinction is the green address bar in IE7. You can encrypt SMTP using SSL but the fact that the the SSL certificate is Externed Validation will make exactly zero difference compared to any other SSL certificate. I won't be surprised though if EV flavour of mail signing certificates will emerge;
And the certificates are positioned as those giving the Highest Level of Digital Encryption available in industry - even though the level of encryption doesn't really have much to do with the type, or issuer, of the certificate.

Vulnerability scanning has its value. It's a very basic security control mechanism that allows to identify trivial system administrators' mistakes independently of their process. But it doesn't prevent 99% of security exposures. If it does, what about the remaining 1%? Is one attack out of a hundred successful? One attacker out of a hundred? That doesn't make sense.

In the example above we see how aggressive marketing can be misleading, even deceptive, and therefore diminish the value of otherwise useful service.

Crack the PIN

Slav — Mon, 16 Apr 2007 10:52:00 GMT

Security of PINs (Personal Identification Numbers) that are used in your debit and credit cards is an interesting topic. Behind the scenes, the way PINs handled evolved together with science, technology, and business. And secure operation was always number one priority here.

For example, take PIN entry devices. As IT industry struggles with the concept of endpoint security for computer systems, financial institutions have vast networks of secure PIN pads for ages. They are at least tamper-evident, initiated in secure environments and rendered unusable of someone tries to change them.

Attacks on PIN evolve too. Rapid increase in computing capacity made PIN brute forcing possible. Here's the attack against VISA PVV DES encryption. Further cryptanalysis gave us the decimalisation table attacks - which also requires quite high level of access to the systems dealing with PINs.

Along comes The Unbearable Lightness of PIN Cracking. This "attack" not only requires something like full ownership of ATM processing network, but also is using certain APIs to the hardware security modules that generally don't exist. Yes, that's an illustration of unbearable lightness of sensationalist bulldust.

Which got me thinking - are PINs really so secure? And I came to conclusion that one trivial attack - namely, distributed manual brute forcing - is largely overlooked. the idea is simple: as most PINs have four-digit PINs and the card's magnetic stripe is easily copied, massively parallel brute forcing yields certain success. Either the scenario is thought to be too hard to implement (ATMs were quite rare just few years back), or the risk is considered low for anothe reason - I don't know. Still the attack doesn't seem to be publicly discussed anywhere - so I have published an article about it in 2600 - The Hacker Quarterly. Also I think that fraud monitoring systems may not be be much of a help in certain situations - namely, if PIN is verified against PIN verification value stored on the card before the transaction is sent to the issuer for authorisation (funds available checks, etc). If that is the case, unsuccessful PIN tries aren't visible to the bank - and the whole distributed PIN brute forcing attempt will be virtually undetectable.

Similarly to Windows security, backwards compatibility is going to be risky for the banks for a long while.

Alliances of incapable

Slav — Sun, 08 Apr 2007 02:13:00 GMT

Anyone remembers United Linux? An attempt of few Linux distro makers to take on Red Hat, the market leader, by creating a common product core, it has become a spectacular failure.

Apparently many didn't learn the lesson. There are two other industry alliances, both working in the information security space, that look very much like the abovementioned failure.

The first one is called Liberty Alliance. The stated goal is to create open standards for federated identity management as well as business and deployment guidelines, and the best practices for managing privacy. The real goal was to respond to Microsoft's Hailstorm (or .Net My Services). Microsoft's initiative never meterialised but the Liberty Alliance drags on, without focus and with really good and viable alternatives available. They even release specifications - as useful as Microsoft® .NET My Services Specification, also available (from $0.01).

The other alliance is OATH - the Initiative for Open Authentication. The stated goal is to address issues like theft of information and unauthorised access with a set of open standards. OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks. The real goal is to counter RSA Security (and its really good proprietary one-time password solution) advances in the market.

Here's the issues with the alliances: they are created based on marketing considerations; they try all-encompassing solutions and position themselves as best practice from the beginning, before gaining any credibility outside of the alliance members and their customers; and their strategy is dictated by their competition.

Grassroots movements with no obvious corporate alignment produce much more valuable outcomes.

Forbes on public Wi-Fi: You Get What You Pay For

Slav — Sun, 18 Mar 2007 17:24:00 GMT

Forbes, a respectable business magazine, writes about wireless security in the issue of 26 March 2007:

Computer security firm Authentium in Palm Beach Gardens, Fla. warns about an emerging Wi-Fi fraud aimed at air passengers. What road warriors sitting in a departure lounge think is a free authorized Internet connection turns out to be an "ad hoc" network broadcasting from the laptop of a scamster sitting nearby. Besides collecting passwords and credit card numbers, the crook might even install software that will later forward other private data. One tip-off: The wireless connection window the unwary traveler often sees labels the tainted free site a "computer-to-computer network".

Threats from rogue wireless access points aren't new - I wrote about disabling Windows firewall and exploiting Intranet zone using those a while ago. However, this Forbes article highlights two important problems with communicating technology issues to the businesspeople: wrong assessment and wrong advisory. I am under strong impression that by using executive summary language, consultancies, research companies and the press fail communicating real issues to the decision makers. That's because they often those translating the original information into executive summaries and press releases, often are saying what their audience want them to say - and without much understanding of the information in question. And if quality of the original research is substandard (which I think is the case with Authentium's Wi-Fi alert), the things only get worse.

Another evidence - IDG's PC World's take on the same Wi-Fi issue:

The next time you're at an airport looking for a wireless hot spot, and you see one called "Free Wi-Fi" or a similar name, beware -- you may end up being victimized by the latest hot-spot scam hitting airports across the country.

You could end up being the target of a "man in the middle" attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen, end up with a spyware-infested PC and have your PC turned into a spam-spewing zombie. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.

If you're a Windows Vista user, you're especially susceptible to this attack because of the difficulty in identifying it when using Vista...

The problem is that it's not really a hot spot. Instead, it's an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you're using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.

In addition, because you've directly connected to the attack PC on a peer-to-peer basis, if you've set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.

Such a pile of rubbish - as usually, with a twist of Vista-bashing.

Now, let's analyse:

Positioning the rogue AP attack as happening mostly in airports is wrong. We get those rogue access points everywhere now, the last one I saw in the lobby of Westin hotel in Seattle. Municipal Wi-Fi projects will set expectation for wireless service being available not just in select spots, but in entire business districts;
Name of the service/access point, or the fact that the service is free, is irrelevant. Title of the article in Forbes - You Get What You Pay For - falsely attributes the attack to free services. In fact, paying customers of T-Mobile access points (found in Starbucks all over the States - I'm using one in SFO airport right now), and other commercial operators, are perfectly susceptible to the attack;
It's not only computer-to-computer networks that may exploit unsuspecting users - access points are equally dangerous;
There is no "free authorized Internet connection" that is mentioned by Forbes. The word "authorized" doesn't make sense here.

Keeping your system locked down, and using SSL or VPN for sending credentials and accessing private information will make the man-in-the-middle attack much harder if possible at all - and Vista does help here. I challenge black and white hats of the world to compromise my laptop using a rogue wireless connection. I'm afraid, fixing communications around information security issues will be at least as difficult.