Tuesday 28 April 2009

You only lose it once

Whenever there is mention of "an agent" and "spying" in a story, the popular press seems to collectively turn into a pre-pubescent teenager, reporting the facts alongside images of sports cars and shady manoeuvres in hot climates.

Recent allegations of a female agent in Colombia losing her handbag, containing a USB key full of potentially secret information, have cropped up on all the press wires. Newswire stories are appearing, mixed up and redrafted (here, here and here), floating the opinion that somehow a handbag was left on a bus from the airport and the data was lost in 2006. Other press sources such as The Times throw a little more light on the matter, quoting the shadow home secretary taking a small chance to make a political quip. A little inter-service squabbling can be found too: some news sources quote MI6, others report it as a SOCA problem.

What astounds me is that the IT security press are jumping on the "she should have had an encrypted USB stick" line, and some are even mentioning products. No, they are missing the point. If the story facts as we have them are true (and that's something I seriously doubt) then the problem is not about secure storage but about security controls on the information in the first place.
  • That information should have been protectively marked (it sounds like SECRET from the press reports). There are plenty of rules about couriering protectively marked documentation; these should have been enforced.
  • That quantity of information should not have been made available to an individual agent who, after all, according to the press stories isn't a sworn-in employee of HMG and could have sold it.
  • For what operational reason would an individual be travelling with this amount of data? Why not send it by secure comms? It's cheaper and the receipt of the data would have been non-repudiable.
If I were to choose between conspiracy and cock-up, the latter always wins, especially with a poorly set-up new organisation lacking adequate controls and discipline. Also, I thought it would be common knowledge that a handbag carried by a lone travelling female at El Dorado airport (one of the busiest in South America) is going to be a target...

I hope no one died because of the information loss.

Monday 27 April 2009

Forbidden Planet - not disclosing Credit Card Fraud

On a similar subject to my previous blog post about the data loss at Impulse Group: Forbidden Planet (UK) managed to have their customers' credit card details breached. In what seems to be the norm nowadays, Forbidden Planet (UK) have not sent messages to their customers to report the problem; instead, a rather strange message was left on the 'closed' Dr Who forums by the site owner. The statement is available at Blogomatic 3000.

The data is being used by fraudsters: one customer I spoke to said that £10 transactions had gone through on his Maestro card. Fraudsters use "taster" £10 transactions because they are small and confirm the card is still active before the details are sold on.

The big questions that I'm seeking answers to:
  • Why wasn't the system PCI DSS compliant? Because if it had been, the card numbers would not have been available to those that stole the data. PCI DSS Requirement 3 (protect stored cardholder data) specifically says that cardholder data has to be 'protected'; we're not just talking database passwords, it has to be encrypted wherever the PAN and its associated data are used, including log files.
  • Why was credit card data older than 2 months still being stored? Requirement 3 also says that cardholder data must not be stored for longer than necessary.
More information on PCI DSS can be found here: http://www.pcisecuritystandards.org
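The log-file point is the one most shops miss: a PAN written by a debug statement is stored cardholder data just as much as a database column. The scrubber below is an added example of my own (not code from Forbidden Planet, Impulse Group or the PCI council): it finds Luhn-valid card numbers in constructed log lines and masks them to first six/last four, the form PCI DSS permits to be displayed. The regex, function names and sample lines are my assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits; PCI DSS permits displaying those."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Mask every Luhn-valid PAN in one log line; returns (line, pans_found)."""
    found = 0

    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):     # order refs, timestamps etc. are left alone
            return m.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, line), found


# Constructed sample lines (card numbers are the usual test numbers, not real).
SAMPLE_LOG = [
    "2009-04-27 10:15:02 order=4711 pan=4111111111111111 amount=10.00",
    "2009-04-27 10:15:03 order=4712 pan=5500 0000 0000 0004 amount=10.00",
    "2009-04-27 10:15:04 order=4713 ref=20090427101504 status=ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
```

Run it against a real log and a non-zero count is itself the finding: the fix is to stop the application writing the PAN, not just to scrub after the fact.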

Friday 24 April 2009

Securing Business to Business Email in the Pensions Industry

The UK life assurance and pensions industry sends huge amounts of confidential documents 'B2B' between product providers, intermediaries and advisers. The majority of the big providers have bought into portal-style platforms where advisers can conduct business across many different players (such as Norwich Union, Legal & General, Zurich etc); however, more than 60% of the business is conducted over the phone between adviser and product provider, with the provider emailing, posting or faxing the resultant client documents back to the adviser. Documents are usually client agreements, quotes or illustrations of how financial products such as pensions pay back depending on a client's circumstances.

The life and pensions industry in the UK typically revolves around Financial Advisers who are independent or tied to an organisation. The majority of IFAs are one- or two-man bands with little IT knowledge and little gumption to learn how to use IT assets properly. The FSA has included data loss as a "reportable breach" and certainly, all staff who work at financial organisations have to pass regular training on what has to be encrypted.

The problem the industry has is that IFAs who work with many financial product providers have to remember lots of credential sets and how to use multiple mechanisms for receiving quotes and illustrations for pensions, investments and annuities from each of the main product providers. The majority of secure email solutions are considered difficult to use and are not popular with recipients of secure email, who have to browse to a web front end, register, and retrieve the email there.

To make matters worse, some of the core intermediaries are trying to dictate that their secure email solution is the only mechanism through which they will do business. One particular Wealth division of a big player has suggested "password-encrypted WinZip" (crikey!) whilst others are moving to PGP/MIME solutions through products like Tumbleweed, Trend Micro and Cisco IronPort.

We need a worldwide solution for securing email communication that the big organisations will buy into. The solutions that involve plugins and proprietary solutions will just never work in the long term.

Sophistication in PayPal Phishing Scams - name and address

The content of phishing emails tends towards the generic, so imagine my surprise when a PayPal scam email started "Dear CALLUM WILSON" and included my full address and postcode.


Dear CALLUM WILSON ,
PayPal Resolution Center: Your account is limited.

Why is my account access limited?

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account:
...
- A clear copy of a recent bank statement or utility bill on which your name and address (NNN XXXXXX STREET,STIRLING,STIRLING,FK8 XXX) are clearly visible and less than 3 months old.
...
The email suggests that victims send compromising information such as copies of both sides of debit cards, passport, utility bills etc. to secure@paypalcompany.com; this is hosted on a compromised host [89.255.10.39] at a Dutch ISP. The host redirects port 80 HTTP traffic to the real PayPal.com site but has SMTP, POP3 and IMAP daemons running, suggesting tooling to take in and process victims' emails sent to the domain. The server also has a copy of MySQL running, albeit locked down against out-of-domain access. The site is running Plesk [http://en.wikipedia.org/wiki/Plesk], a cPanel-like ISP hosting platform, on port 8443. Firefox is now showing the site as a forgery, but how many internet users have anti-phishing browsers?

So what is the root of this scam?
I always use unique usernames for any access to online shops. The interesting thing about my email was that whilst it had the correct name and address for my PayPal account, the email address was not correct. The data had come from http://www.brother-store.co.uk, a UK-based retailer of print stationery for the fabulous Linux-compatible Brother QL-550 that runs in our office printing labels.

The Impulse Group Ltd (Cambridge, UK) [http://www.impulse-group.ltd.uk] run a set of affiliate sites that retail various printer supplies and share a common platform for sales enquiries and orders: http://www.enquiry-system.co.uk and http://www.secure-internet-payment.co.uk (irony not included).

Some 24 hours after the breach, some of the sites are still not functioning. I rang Impulse Group Ltd this morning and they confirmed there had been a breach and that they would inform their customers through the website: see the Impulse news site for more information.