<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3129434197637637826</id><updated>2011-07-28T23:45:32.061+01:00</updated><category term='information security USB spy encryption SOCA'/><category term='07755 postage scam'/><category term='OWASP Top ten 10 TCF FSA Security Requirements'/><category term='forbidden planet credit card scam hack PCI DSS'/><category term='pen testers secure email'/><category term='RBS misselling protection insurance'/><category term='GSX government uk births keylogging keylogger'/><category term='keyloggers linux infowar hack security'/><category term='phish secure email solutions'/><category term='social engineering blagging 192 google'/><category term='FSA IFA independent financial advisers DPA ICO data security'/><category term='protective marking'/><category term='life pensions security email pgp'/><category term='information loss'/><category term='paypal phish address security'/><title type='text'>There's Never Safety In Numbers</title><subtitle type='html'>It's commonly thought that the Internet provides us and criminals anonymity due to the sheer size of it all.  
This blog presents a number of forensic and security articles to show that it's not necessarily true.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>17</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-8432808101297735133</id><published>2010-10-21T12:46:00.002+01:00</published><updated>2010-10-21T13:46:51.822+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social engineering blagging 192 google'/><title type='text'>Real Time Social Engineering</title><content type='html'>In "information gathering" circles the terminology "Open Source" refers to information that can be gathered overtly and in the public domain (rather than today's definition of code licensing).  I have been wondering just how easy it is to perform social engineering tasks using open source information in the sort of time that one could operate in conversation. 
&lt;br /&gt;&lt;br /&gt;Whilst social engineering is pretty unethical and it's not the business RapSec is in, I was attending a seminar about social engineering and attempted to see how much open source information I could obtain about the speaker in less than 15 minutes whilst standing at the back of a crowded room.&lt;br /&gt;&lt;br /&gt;Here is my methodology:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Listen&lt;/span&gt;.    Clues are available from the subject's demeanour (middle class? got kids? clothing style, name, job, title, engagement ring, wedding ring, phone type etc.)&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Plan&lt;/span&gt;.       If this is being performed in a short time then only certain facets of information will be relevant: there is no point building a normal attack graph because there isn't the time, and drawing out a plan will arouse suspicion.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Gather&lt;/span&gt;.   One must never believe everything one reads on the internet.  When I do this, I assign a probability to each piece of data and then only follow high probability routes, or try to double check the information from another source.  Where one piece of data depends on another, I multiply the probabilities.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;Gathering is quite hard on a mobile phone/small device.  So I have been wondering whether it is worth creating an 'app' to field specially crafted requests to various sites, aggregate the responses quickly, and let the user assign probabilities to each leg of the outcome in order to prioritise the investigation quickly.  This has to be very fast.  The target data would then be given an overall percentage probability that the user could act on, or dismiss.&lt;br /&gt;&lt;br /&gt;
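The probability bookkeeping in the "Gather" step and the app idea above, as an added example in Python (not code from the original post): every lead carries the trust placed in its source, a lead derived from another lead multiplies in its parent's probability, and an independent source that agrees on the same fact raises confidence. The lead names, figures and the 0.8 threshold are constructed to mirror the seminar walk-through; they are not real data.&lt;br /&gt;

```python
"""Scoring OSINT leads by probability, in the spirit of the "Gather" step.

Added example; not code from the original post.  Every lead carries the
trust placed in its source.  A lead derived from another lead can be no more
certain than its parent, so probabilities multiply along the chain.  An
independent source that agrees on the same fact raises confidence (noisy-OR),
which is the "double check from another source" rule.  All figures below are
constructed to mirror the seminar walk-through and are not real data.
"""
from dataclasses import dataclass, field


@dataclass
class Lead:
    fact: str                  # what we believe, e.g. "home address is X"
    source: str                # where it came from
    p_source: float            # trust in this source for this fact, 0..1
    parent: "Lead | None" = None          # lead this one was derived from
    corroborations: list = field(default_factory=list)  # independent sources

    def probability(self):
        """Chain-multiply through parents, then combine independent sources."""
        p = self.p_source
        if self.parent is not None:
            p = p * self.parent.probability()
        # P(at least one of the agreeing sources is right)
        p_wrong = 1.0 - p
        for q in self.corroborations:
            p_wrong = p_wrong * (1.0 - q)
        return 1.0 - p_wrong


def corroborate(lead, p_other):
    """Record an independent source, trusted p_other, that agrees with lead."""
    lead.corroborations.append(p_other)
    return lead


def prioritise(leads, threshold=0.8):
    """(fact, probability) for leads worth acting on, most certain first."""
    scored = [(lead.fact, round(lead.probability(), 3)) for lead in leads]
    return sorted([s for s in scored if s[1] >= threshold],
                  key=lambda s: s[1], reverse=True)


def seminar_walkthrough():
    """Constructed re-run of the walk-through above; returns the prioritised list."""
    name = Lead("full name", "employer website, photo and video", 1.0)
    # The register is reliable but director addresses are often stale: 0.9.
    address = Lead("home address", "Companies House director record", 0.9,
                   parent=name)
    corroborate(address, 0.85)   # 192.com lists the same address independently
    partner = Lead("partner's name", "second name at the same address", 0.7,
                   parent=address)
    # An engagement story is evidence of an engagement, not a marriage: the
    # post's own mistake was to score this leg as if it were certain.
    married = Lead("married to partner", "alumni engagement story", 0.4,
                   parent=partner)
    return prioritise([name, address, partner, married])


if __name__ == "__main__":
    for fact, p in seminar_walkthrough():
        print("%-20s %.3f" % (fact, p))
```

The threshold is the "act on, or dismiss" cut: anything below it is a lead to double check from another source, not a fact, and the deliberately low figure on the "married" leg shows how a chain of plausible guesses decays even when every individual link looks good.&lt;br /&gt;&lt;br /&gt;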
For most people this would probably only be useful at parties, but whilst performing a social engineering attack it would be very useful to be able to do this quickly from a standard mobile handset using open source information.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Example&lt;/span&gt;&lt;br /&gt;For the case mentioned above, I was just testing to see how much data I could find from my phone, and in the end got close to the financial KYC minimum in 15 minutes. &lt;br /&gt;&lt;ul&gt;&lt;li&gt;Checked the name of the speaker.  The speaker was female, and many women use their maiden name in a professional context.  I missed the first part of the talk so had to google "speaker first name" and the company name to double check the surname.  This came up with one hit.  Probability 100% (there was a photo and a movie).&lt;/li&gt;&lt;li&gt;The speaker was introduced as being a lot of things (in a humorous "maybe I have been suckered" way) but one crucial word, "director", was mentioned.  If one is a director of a UK Ltd company then there will be an AP01 or a CH01 form at Companies House.  I have WebCheck bookmarked on the phone with spare credit, so I did a lookup.  Nine times out of ten this provides the home address and also the age.  In my case I got a 100% probability, but typically this is not so certain if you have had no direct contact with the target.  For me this got a crucial middle name.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Double check the address: directors often don't update their address (this target had).  I tend to use 192.com, which is quite good for getting previous addresses and date of birth.   Obviously a previous address (especially a shared flat) is very useful as a leg of the investigation, but in a real time situation it has to be forgotten about.  I got a hit on the target's name and middle name with a recent address, the same as the one at Companies House.  100% probability.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;I was at the back of the room, but even from there I could see a rather large engagement ring.
There was another name at the main address, so I googled that and found a rather nice story about an engagement on a university alumni website, so with reasonable precision I could say they were married.  And here is where I made a wee mistake: I presumed that the target was operating under a maiden name (as many professionals do), when in fact there wasn't a wedding ring hiding there, just an engagement ring.&lt;/li&gt;&lt;li&gt;Time ran out, but I would have gone back to 192.com and looked for the marriage registration to treble check, for a better probability of outcome.&lt;/li&gt;&lt;li&gt;Made for an amusing question at the end of the seminar.  Job done.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;So, summing up: I got the name including middle name, date of birth, employer (including a little extra information about the company), current address, previous address (20% probability) and partner's name, on a mobile phone, in 15 minutes.&lt;br /&gt;&lt;br /&gt;Websites that are useful for UK searches:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.linkedin.com"&gt;LinkedIn&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.facebook.com/advancedsearch"&gt;Facebook advanced search&lt;/a&gt; and the Facebook search sites&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.friendsreunited.com"&gt;Friends Reunited&lt;/a&gt; (not as good as it used to be)&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.192.com"&gt;192.com&lt;/a&gt; - electoral roll, telephone directory, Companies House data&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.companieshouse.gov.uk/"&gt;Companies House WebCheck&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Skype directory&lt;/li&gt;&lt;li&gt;Google - but be smart.  Common names bring up too many false positives, so include favourite sports, industry, company names and so on.
Use crafted Google URLs (see the &lt;a href="http://theresneversafetyinnumbers.blogspot.com/2009/11/googling-for-protectively-marked-pdfs.html"&gt;previous &lt;/a&gt;blog article).&lt;/li&gt;&lt;li&gt;Google Maps and Street View can provide contextual information but aren't that useful.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Proper social engineers use a far wider scope than this and will follow up and interact with high probability leads throughout the investigation using pretty much unregulated techniques and methods.  Be aware that the new Data Protection rules prohibit "blagging" (obtaining personal data by deception), but the Act does not cover using the above websites.</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/8432808101297735133/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/10/real-time-social-engineering.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/8432808101297735133'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/8432808101297735133'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/10/real-time-social-engineering.html' title='Real Time Social Engineering'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32'
src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-6378841494096535819</id><published>2010-09-30T08:38:00.005+01:00</published><updated>2010-09-30T08:58:26.309+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pen testers secure email'/><title type='text'>Pen testers, secure email and sexy vulnerabilities</title><content type='html'>Email has been likened to writing a postcard to a friend, in pencil, and sending it through the post.   It can be read and altered at any point along the way.  The postal metaphor encouraged by email clients such as Outlook, Notes, Thunderbird etc. is that of a closed envelope, so users are trained into thinking that sending an email is secure.&lt;br /&gt;&lt;br /&gt;The recent IT cockup at ACS:Law, a law firm specialising in intellectual property infringement claims, has now made public what senders and recipients clearly assumed would be private for ever.   ACS:Law's website was left misconfigured, allowing anyone visiting their home page to right-click and download an entire tar.gz archive of their emails.  Individuals have taken the database of emails and made websites (e.g. http://ueof.co.uk/acslaw/ [now offline]) allowing various groups to mine the data. &lt;br /&gt;&lt;br /&gt;A sample of the data included:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;national insurance numbers&lt;/li&gt;&lt;li&gt;bank account details&lt;/li&gt;&lt;li&gt;data that would be classified as personal information&lt;/li&gt;&lt;li&gt;and a lot of internal emails that may well prove inflammatory for various regulators and opposition groups to this firm.&lt;/li&gt;&lt;/ul&gt;Not only is the data now public, it is public forever.
The data has been spread far and wide across geo-political domains and, like garden weeds, it will be difficult to eradicate and will keep coming back.&lt;br /&gt;&lt;br /&gt;Clearly, for security researchers, communicating the level of risk inherent in system configurations should be part of the work that they do, but all too often I see penetration testers chasing the sexy exploits rather than informing the business of the actual risk.  It takes skill for a security consultant to communicate the risk in terms that the business will understand without scaremongering. &lt;br /&gt;&lt;br /&gt;One client of mine has just implemented a "Secure Email" system using Cisco IronPort.  The Cisco product is market leading and has been implemented in a robust way.  However, the pen tester (not us!!) brought in to look at the system focussed primarily on the Cisco product and, to their credit, found some sexy yet minor information and data leakage vulnerabilities.  They totally failed, however, to advise their client about the wider picture, and thus missed client-built bespoke add-ons that were full of holes.</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/6378841494096535819/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/09/pen-testers-secure-email-and-sexy.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/6378841494096535819'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/6378841494096535819'/><link rel='alternate' type='text/html'
href='http://theresneversafetyinnumbers.blogspot.com/2010/09/pen-testers-secure-email-and-sexy.html' title='Pen testers, secure email and sexy vulnerabilities'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-2183770538090101662</id><published>2010-07-23T11:20:00.002+01:00</published><updated>2010-07-23T11:27:50.985+01:00</updated><title type='text'>BMI sends out diamond club emails to wrong members</title><content type='html'>A simple mistake:  &lt;a href="http://www.flybmi.com"&gt;BMI&lt;/a&gt; (British Midland Airways) sent all of its Diamond Club members an email this morning, but they sent the wrong data in the emails, so that the emails:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;are addressed to the right individual, the one who owns the email address&lt;/li&gt;&lt;li&gt;contain the wrong Diamond Club information, including membership number&lt;/li&gt;&lt;li&gt;but carry direct HTTP GET links that update promotional choices for the incorrect Diamond Club account, with nothing more than the link needed to make the change&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-family: courier new;"&gt;So, I rang them up and the telephone operator even told me the name of the account holder whose information I received.
So, I'm sorry Mr Mason: when I clicked on &lt;span style="font-family: courier new;"&gt;http://bmi-email.co.uk/re?l=5uh9yaI1nklj0xI1I5sdpup&amp;amp;req=dcnumber%3D00000710196&lt;/span&gt; I opted for your account to receive status miles instead of destination miles...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/2183770538090101662/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/07/bmi-sends-out-diamond-club-emails-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/2183770538090101662'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/2183770538090101662'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/07/bmi-sends-out-diamond-club-emails-to.html' title='BMI sends out diamond club emails to wrong members'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-7556943105070534553</id><published>2010-04-13T08:56:00.002+01:00</published><updated>2010-04-13T09:18:38.299+01:00</updated><title type='text'>Separating a fool from their money</title><content type='html'>It's
never been easier.  The UK Government (including &lt;a href="http://www.hmrc.gov.uk"&gt;HMRC&lt;/a&gt;) has made its online systems and telephone services so complex to get advice from that many individuals are turning to the web for advice and support.  What astounds me, however, is the information that people are adding as comments to blogs. &lt;br /&gt;&lt;br /&gt;On &lt;a href="http://dailydigit.com/business-finance/www-hmrc-gov-uk-income-tax-rates-and-allowances-2010-2011"&gt;this blog&lt;/a&gt;, the following information was given out by one individual:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;name&lt;/li&gt;&lt;li&gt;address&lt;/li&gt;&lt;li&gt;age&lt;/li&gt;&lt;li&gt;national insurance number&lt;/li&gt;&lt;li&gt;some tax code history&lt;/li&gt;&lt;/ul&gt;Another offered their change of address, as a comment?  There are at least 5 national insurance numbers and names.  Did they really think that the dailydigit blog was HMRC?  Has none of the advice given out about web surfing and verifying a site's identity got through to people?  And more importantly, why are blogs like this moderating comments like this through to appear?&lt;br /&gt;&lt;br /&gt;It's also &lt;a href="http://www.justanswer.com/questions/31xsm-i-require-my-utr-my-n-i-number-is-zr758571a-my-full"&gt;here&lt;/a&gt;, where a retired police officer volunteers even more information after being asked (well enough for an identity fraud).&lt;br /&gt;&lt;br /&gt;For more information, google popular queries: "my NI number is", "my tax ref no is", "my passport number is".</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/7556943105070534553/comments/default' title='Post Comments'/><link rel='replies' type='text/html'
href='http://theresneversafetyinnumbers.blogspot.com/2010/04/separating-fool-from-their-money.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/7556943105070534553'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/7556943105070534553'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/04/separating-fool-from-their-money.html' title='Separating a fool from their money'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-1474020259715945858</id><published>2010-03-08T10:41:00.002Z</published><updated>2010-03-08T11:21:34.223Z</updated><title type='text'>Argos Sending Private Data in Receipt Emails</title><content type='html'>The Register &lt;a href="http://forums.theregister.co.uk/forum/1/2010/03/05/argos_email_security_snafu/"&gt;has a great story&lt;/a&gt; about Argos sending receipt emails with embedded HTML whose parameters include the full unencrypted card number, CVV code, expiry date, name as printed on the card and address.  Clearly a massive breach.&lt;br /&gt;&lt;br /&gt;However, it gets more interesting when you look at one of these emails; Chris Geek Guy &lt;a href="http://chris.gg/2010/03/in-detail-argos-credit-card-security-breach/"&gt;has copied one to his blog&lt;/a&gt;.  Whilst it is clear that Argos have copied lots of personal data into the HTML email, I think there are bigger problems.  The data is embedded as GET parameters in an HTML link.&lt;br /&gt;&lt;br /&gt;
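Both the Argos receipt link and the BMI Diamond Club link put the sensitive part of the transaction in the URL itself. As an added example (not code from Argos, BMI or their e-mail providers), here is what a reviewer can recover from such a link, beside a hardened form in which the mailed link carries only an opaque, signed, expiring token bound to one account and one action, and the server refuses it if the signature, the expiry or the account binding fails. Hostnames, parameter names, the membership number and the server key are all constructed.&lt;br /&gt;

```python
"""Sensitive data in e-mail links: the leaky shape beside a hardened one.

Added example, not code from Argos, BMI or their e-mail providers.  A GET
parameter ends up in browser history, proxy caches, web server logs and the
Referer header of every request the landing page makes, so the audit below
treats card and account fields in a query string as exposed.  The hardened
link carries one opaque token: the real record stays server side, the token
names one account and one action, expires, and is MACed with a server key.
All hostnames, parameter names, values and the key are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SENSITIVE = {"cardNumber", "cvv", "expiry", "dcnumber", "niNumber"}
SERVER_KEY = secrets.token_bytes(32)   # constructed; lives only on the server


def leaky_receipt_link(base, fields):
    """The anti-pattern: every field, secret or not, in the query string."""
    return base + "?" + urlencode(fields)


def audit_link(url):
    """Names of sensitive parameters a link exposes in its query string."""
    params = parse_qs(urlsplit(url).query)
    return sorted(name for name in params if name in SENSITIVE)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_action_link(base, account_id, action, ttl=3600, key=SERVER_KEY,
                     now=None):
    """Hardened form: opaque token bound to account and action, with expiry."""
    now = int(time.time()) if now is None else now
    claims = {"acct": account_id, "act": action, "exp": now + ttl,
              "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base + "?" + urlencode({"t": _b64(payload) + "." + _b64(tag)})


def redeem_action_link(url, authenticated_account, key=SERVER_KEY, now=None):
    """Return the action to perform, or None if the link must be refused.

    authenticated_account is who the server knows is clicking (session or
    login).  A valid token for someone else's account is still refused, which
    is exactly the BMI mix-up: a link mailed to the wrong member.
    """
    now = int(time.time()) if now is None else now
    token = parse_qs(urlsplit(url).query).get("t", [""])[0]
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None                      # malformed
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or tampered
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None                      # stale link
    if claims["acct"] != authenticated_account:
        return None                      # link is for another account
    return claims["act"]
```

The account binding is the part that matters for the BMI case: with a raw membership number in the query string, a link mailed to the wrong person is a working credential, whereas a token that the server checks against the authenticated account is just noise. A state-changing action should also be a POST behind a confirmation page rather than a GET, so that a crawler, a mail client that prefetches links, or a CSRF page cannot trigger it.&lt;br /&gt;&lt;br /&gt;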
To me, this shouts out XSS and CSRF risk.  Also, if you look at the link, this data would be sent across the internet in the clear, usually being cached and logged as it travels, if the user did in fact click on the link in the email.&lt;br /&gt;&lt;br /&gt;Potential targets for exploitation (and I haven't tried) would be includeName, and com.ibm.commerce.context.experiment.ExperimentContext, which looks like it is directly referencing an object (!!!) outside the context of the system.  It would also be worth exploring what this link actually does and whether manipulating the receipt and performing a replay attack changes anything on the Argos server.</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/1474020259715945858/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/03/argos-sending-private-data-in-receipt.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/1474020259715945858'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/1474020259715945858'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2010/03/argos-sending-private-data-in-receipt.html' title='Argos Sending Private Data in Receipt Emails'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32'
src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-4161402311407371792</id><published>2009-11-24T08:50:00.006Z</published><updated>2009-11-24T09:31:35.342Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='protective marking'/><category scheme='http://www.blogger.com/atom/ns#' term='information loss'/><title type='text'>Googling for Protectively Marked PDF's</title><content type='html'>The number of protectively marked PDFs on the web is staggering; try these:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Confidential:&lt;/span&gt; &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+confidential+%28htm+OR+html+OR+mhtml%29&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi="&gt;http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+confidential+%28htm+OR+html+OR+mhtml%29&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi=&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Restricted:&lt;/span&gt; &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+restricted+%28htm+OR+html+OR+mhtml%29&amp;amp;btnG=Search&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi="&gt;http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+restricted+%28htm+OR+html+OR+mhtml%29&amp;amp;btnG=Search&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi=&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;NATO restricted:&lt;/span&gt;  &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+%22nato+restricted%22+%28htm+OR+html+OR+mhtml%29&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi="&gt;http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+%22nato+restricted%22+%28htm+OR+html+OR+mhtml%29&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi=&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;NATO Confidential:&lt;/span&gt; &lt;a
href="http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+%22nato+confidential%22+%28htm+OR+html+OR+mhtml%29&amp;amp;btnG=Search&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi="&gt;http://www.google.com/search?hl=en&amp;amp;q=filetype%3Apdf+file+%22nato+confidential%22+%28htm+OR+html+OR+mhtml%29&amp;amp;btnG=Search&amp;amp;aq=f&amp;amp;oq=&amp;amp;aqi=&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;Try other protective markings from other countries to see more.  Clearly searching for "Top Secret" will incur a lot of separating chaff from wheat.  The biggest surprise is the number of government protectively marked papers that are searchable - these are typically papers that are being passed between departments and the paper is being mis handled down the line of recipients.&lt;br /&gt;&lt;br /&gt;I've seen a lot of misuse of confidentially marked papers in commercial organisations - I see them regularly sitting on a printer in open plan offices.  Largely because staff working for big financial companies do not have information security drilled into them.  
They have to sit computer-based training tests regularly, but there is little comeback for employees who regularly flout the rules.</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/4161402311407371792/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/11/googling-for-protectively-marked-pdfs.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/4161402311407371792'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/4161402311407371792'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/11/googling-for-protectively-marked-pdfs.html' title='Googling for Protectively Marked PDF&apos;s'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-922851218797457285</id><published>2009-09-08T10:58:00.007+01:00</published><updated>2009-09-08T11:29:37.188+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FSA IFA independent financial advisers DPA ICO data security'/><title type='text'>Independent Financial Advisers oblivious to data protection</title><content type='html'>Who has the most information about you, as an
individual?&lt;br /&gt;&lt;ul&gt;&lt;li&gt;your doctor?&lt;/li&gt;&lt;li&gt;your lawyer?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;your bank manager?&lt;/li&gt;&lt;li&gt;HMRC?&lt;/li&gt;&lt;li&gt;your local council?&lt;/li&gt;&lt;/ul&gt;No: it is likely to be an &lt;span style="font-weight: bold; color: rgb(0, 0, 153);"&gt;Independent Financial Adviser&lt;/span&gt;.  If you consider what is "personal data" (see the &lt;a href="http://www.ico.gov.uk/upload/documents/determining_what_is_personal_data/whatispersonaldata2.htm"&gt;ICO web pages&lt;/a&gt;) then the IFA pretty much ticks off more data categories than any other professional relationship in your life, except for UK Government vetting.  Personal data is not defined by a list of categories; the ICO guidance classifies it by asking 8 questions:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Can a living individual be identified from the data?  &lt;/span&gt; &lt;span style="font-weight: bold;"&gt;Yes, all forms carry name, address, date of birth and often National Insurance number.  IFAs will also ask for proof of identity such as bank cards, passport, driving licence.&lt;/span&gt;  For regulatory reasons, all of this information is stored by the IFA.&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Does the data 'relate to' the identifiable living individual, whether in personal or family life, business or profession?&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;Again, yes it does.
Joint life cover and family health schemes will typically hold data about family members and the business that the policyholder works in.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Is the data 'obviously about' a particular individual?&lt;/span&gt;  &lt;span style="font-weight: bold;"&gt;Yes, it has to be!&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Is the data 'linked to' an individual so that it provides particular information about that individual?&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;Yes: quotes, policy numbers, national insurance numbers, passports and bank account details all help link and identify an individual.&lt;/span&gt;  These are all needed for commencing many policies.  Often bank details are used for some types of investment.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?  &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Yes, policies with life cover options will have varying costs depending on the individual's health and the location of their home address.  Income will play a part in pensions and other investments such as bond products.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Does the data have any biographical significance in relation to the individual?&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;Yes, in particular medical history reports for health cover will cover the individual in detail.  &lt;/span&gt;Income history, previous addresses and knowledge of past and current financial products build a picture of the individual.
Even, for some individuals, country of residence (for tax purposes) adds more colour to the picture.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Does the data focus or concentrate on the individual as its central theme?&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;Yes, pretty much all products concentrate on the individual - particularly once anti-money laundering legislation came in.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;Yes, for example a rejection for life cover on medical grounds could have an impact.  As would knowledge of an individuals financial situation&lt;/span&gt;.  Especially for targeted identity theft etc.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;So given that IFA's have ticked all the boxes for data categories deemed 'personal' by the ICO, then surely the must have stringent measures in place for data security?&lt;br /&gt;&lt;br /&gt;Well no, actually they don't. &lt;br /&gt;&lt;br /&gt;Larger firms and the product providers (Aviva, L&amp;amp;G, Prudential, Standard Life etc etc) will have strict enforcement of data security - but the majority of IFA's are independent and will operate as a small business with no formal IT strategy and no formal training on data security. Many IFA's will buy laptops from retail stores like PC World and Dell retail online and configure them themselves.  They are also using Blackberry's and Apple iPhones with no knowledge of how data is secured or not.  Potentially - all of your data is being stored on unencrypted, unsecured devices. &lt;br /&gt;&lt;br /&gt;The FSA regulates IFA's but it is my view that many IFA's play lip service to the "regulated by" statement on their business cards.  
It is only a matter of time before the FSA gets some teeth and, in combination with the ICO (which will soon be allowed to prosecute), closes down IFAs that have non-existent security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-922851218797457285?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/922851218797457285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/09/independent-financial-advisers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/922851218797457285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/922851218797457285'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/09/independent-financial-advisers.html' title='Independent Financial Advisers oblivious to data protection'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-6072610784031812838</id><published>2009-08-18T14:10:00.003+01:00</published><updated>2009-08-18T14:21:03.213+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='GSX government uk births keylogging keylogger'/><title type='text'>A Moment of Realisation during Registration</title><content type='html'>I was registering the birth of our new baby boy last week and, as you do, noticed a huge problem with the way registration of births is carried out in Scotland.  The Scottish system for registration of births, deaths and marriages is different from England and Wales, with registrations being made at the General Register of Scotland and not Somerset House.&lt;br /&gt;&lt;br /&gt;Whilst registering my wee boy, I was left alone in an interview room with an unlocked PC.  I didn't have my phone on me, but I would have taken some photos.  The PC was linked and logged into the GROSfer application which, in Scotland, is on the GSX Government Secure Extranet system.  The UK Government uses various classifications of network for various types of traffic according to its own data classification.  I presume birth data must be protectively marked as restricted and so GROSfer is on the GSX. &lt;br /&gt;&lt;br /&gt;I had approximately 3 to 4 minutes of "own time" in the office with the unlocked PC, plenty of time to attach a keylogger to the USB keyboard, whilst the registrar took the payment for the birth certificate.  I also had access to GSX which could pose threats.  
All pretty disturbing - a simple flick of Ctrl-Alt-Del and a little bit of desk &amp;amp; cable management would reduce the threat.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-6072610784031812838?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/6072610784031812838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/08/moment-of-realisation-during.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/6072610784031812838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/6072610784031812838'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/08/moment-of-realisation-during.html' title='A Moment of Realisation during Registration'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-925395727978640300</id><published>2009-07-25T23:11:00.010+01:00</published><updated>2009-07-25T23:56:05.329+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='07755 postage scam'/><title type='text'>Mysterious 07755 International Calling</title><content type='html'>Today I received an interesting postal spam - it's not one I've seen before and I am still a little puzzled about what the angle is with this one - if indeed there is one. Here are the case notes:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;A postal letter is sent to me recorded delivery - I have to sign for it.&lt;/li&gt;&lt;li&gt;The cost of the letter is £1.14&lt;/li&gt;&lt;li&gt;The postage label has been printed out by the &lt;a href="http://www.royalmail.com/onlinepostage"&gt;online Royal Mail service&lt;/a&gt;.&lt;/li&gt;&lt;li&gt;My address is, curiously, an address I use for a single PayPal account.&lt;/li&gt;&lt;li&gt;Inside the envelope is a flyer for cheap international calls using the 07755 service - you see these all over the place - there are all sorts of similar websites such as cherry call, planet numbers and this one: 999calls.com&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_mFLq7mDVJqE/SmuLgiH-2uI/AAAAAAAAACw/wxw2fbfINqw/s1600-h/spampostalletter1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 108px;" src="http://2.bp.blogspot.com/_mFLq7mDVJqE/SmuLgiH-2uI/AAAAAAAAACw/wxw2fbfINqw/s200/spampostalletter1.jpg" alt="" id="BLOGGER_PHOTO_ID_5362533172347067106" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;So where is the scam?&lt;br /&gt;&lt;br /&gt;I have just chuckled into a whisky because I love this one.  I have not totally confirmed it, but I am postulating that it is an old fashioned postage scam.  I took the Royal Mail Signed For receipt code and typed it into the &lt;a href="http://www.royalmail.com/"&gt;track and trace facility&lt;/a&gt; and basically, this has come up with a duplicate signee (i.e. not me).  Interestingly, the signature is for someone in Enfield, next to a local post office and the 999calls.com whois address is in E1 London (so, much closer than Scotland.)  The interesting part for me is the value that UK citizens place on a postal letter that has been hand delivered and has to be signed for.  
We automatically filter messages sent to us using cheap mechanisms - we don't believe emails in our email inboxes anymore - we are beginning to see spam texts.  The general principle has always been that a cheap delivery mechanism usually incites fraud and spam.  This one is different - it tries to look expensive.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I am still working on it, but I think the &lt;a href="http://www.royalmail.com/onlinepostage"&gt;Royal Mail postage online service&lt;/a&gt; has also been hacked to produce forged address labels!&lt;/li&gt;&lt;li&gt;The peel off "recorded" Signed For labels have been reproduced - but not with unique numbers.&lt;/li&gt;&lt;li&gt;Also, one of my PayPal addresses has been used for this so no doubt that has been stolen from somewhere.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_mFLq7mDVJqE/SmuLnxtu8bI/AAAAAAAAAC4/MRjXAgLTp_g/s1600-h/postagescam1.jpeg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 176px;" src="http://3.bp.blogspot.com/_mFLq7mDVJqE/SmuLnxtu8bI/AAAAAAAAAC4/MRjXAgLTp_g/s200/postagescam1.jpeg" alt="" id="BLOGGER_PHOTO_ID_5362533296791024050" border="0" /&gt;&lt;/a&gt;I had to actually sign for this bit of spam from a smiling postman - imagine a phishing scam using this trusted delivery methodology?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-925395727978640300?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/925395727978640300/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/07/mysterious-07755-international-calling.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/925395727978640300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/925395727978640300'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/07/mysterious-07755-international-calling.html' title='Mysterious 07755 International Calling'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_mFLq7mDVJqE/SmuLgiH-2uI/AAAAAAAAACw/wxw2fbfINqw/s72-c/spampostalletter1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-2807084124260107734</id><published>2009-06-15T13:36:00.007+01:00</published><updated>2009-06-15T16:08:39.638+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RBS misselling protection insurance'/><title type='text'>Royal Bank of Scotland inviting consumers to buying protection insurance</title><content type='html'>When customers confirm the receipt of a credit card at RBS, they are being invited to buy protection insurance under slightly dubious pretences.  I listened in to a call where a call centre operator called Daniel said:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-style: italic;"&gt;"We notice that you do not have protection cover on your credit card&lt;/span&gt;&lt;/span&gt;. 
&lt;span style="font-style: italic;"&gt;Did you know that anyone who has your name and date of birth can apply for loans and credit in your name and you will be liable for the full amount?"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Daniel at no point mentioned that he was selling a type of insurance policy until being prompted to by the caller.  After some discussion the policy is subject to all sorts of small print that most consumers would not understand.  He also did some rather silly scaremongering by suggesting that fraudsters could get passports etc in the name of the caller at the click of a button on a website and generally inferring that the responsibility for poor lending practices is the fault of the consumer rather than the lender.   At that point I stopped him.&lt;br /&gt;&lt;/blockquote&gt;In the UK, the financial services distance selling rules specifically state that a name and address is required for consumer credit and the &lt;a href="http://www.oft.gov.uk/advice_and_resources/resource_base/legal/cca/"&gt;act&lt;/a&gt; has controls in place so that there is time to reverse a credit agreement.  The Consumer Credit Act also has controls in place to ensure that the onus is on the lender to establish the identity of the creditor  - &lt;span style="font-weight: bold;"&gt;crucially, it is not the consumer&lt;/span&gt;.  The 3 large credit reference agencies in the UK are in business to help their clients do this.&lt;br /&gt;&lt;br /&gt;This sales call was bordering on mis-selling of an insurance policy.  
If you are going to take out such a plan, read the small print carefully and understand your rights.&lt;br /&gt;&lt;br /&gt;If you are the victim of identity theft then, get in touch with the credit reference agencies; here is &lt;a href="http://www.parliament.the-stationery-office.co.uk/pa/cm200708/cmselect/cmhaff/58/58we41.htm"&gt;a snippet from the house of commons written evidence&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;If Experian has established that an individual is a true victim of fraud and their identity has been fully authenticated, they are provided with the following:&lt;br /&gt;&lt;ul&gt;—    A dedicated case worker (with a freephone number), who will give general and ongoing advice on identity fraud as well as dealing with the specific problems being experienced by that individual and helping to liaise with lenders on their behalf.&lt;/ul&gt;&lt;ul&gt;—    A free copy of their credit report along with copies of Experian's consumer advice leaflets—&lt;i&gt;Your Credit Report Explained and Identity Fraud Explained&lt;/i&gt;.&lt;/ul&gt;&lt;ul&gt;—    A discrete password which is added to their credit report which ensures lenders are alerted to the fact that an individual has been an ID fraud victim and should therefore request the password prior to proceeding with an application for credit.&lt;/ul&gt;&lt;ul&gt;—    Information about and referral to CIFAS (the UK's fraud prevention service) for Protective Registration.&lt;/ul&gt;&lt;ul&gt;—    Free 12 month membership Experian's credit report monitoring service, CreditExpert.&lt;/ul&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-2807084124260107734?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://theresneversafetyinnumbers.blogspot.com/feeds/2807084124260107734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/06/royal-bank-of-scotland-scaring.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/2807084124260107734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/2807084124260107734'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/06/royal-bank-of-scotland-scaring.html' title='Royal Bank of Scotland inviting consumers to buying protection insurance'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-5946153880839706612</id><published>2009-06-12T15:47:00.007+01:00</published><updated>2009-06-12T16:30:45.764+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OWASP Top ten 10 TCF FSA Security Requirements'/><title type='text'>Developing Security Requirements</title><content type='html'>I've just managed to get a set of "security requirements" agreed by my large financial client. 
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;So why write requirements at all?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In a complex organisation where there are many system delivery departments with complex commercial arrangements including outsourcers and contracting organisations - writing a definitive set of standards for designing &amp;amp; developing applications can be&lt;br /&gt;&lt;ul&gt;&lt;li&gt;too prescriptive,&lt;br /&gt;&lt;/li&gt;&lt;li&gt;expensive - because telling 3rd party delivery organisations to "do it my way" is always expensive&lt;/li&gt;&lt;li&gt;inflexible for the business.&lt;/li&gt;&lt;/ul&gt;Since mandating the implementation would be a risky endeavour - I've created requirements at a higher level that each of the organisational departments can take and use to derive their own:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;training and awareness processes&lt;/li&gt;&lt;li&gt;coding standards and quality gateways&lt;/li&gt;&lt;li&gt;testing approaches and automatic review&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Clearly, some of the departments will be more efficient by co-operating but some of the 3rd party suppliers will simply wind these requirements into their own delivery mechanisms.  My client's audit staff then have a clear set of requirements to measure delivery projects and also measure the 3rd party suppliers themselves.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Rating and Prioritisation&lt;/span&gt;&lt;br /&gt;My plan involved taking the &lt;a href="http://www.owasp.org/index.php/Top_10_2007"&gt;OWASP Top Ten list&lt;/a&gt;, the &lt;a href="http://www.pcisecuritystandards.org"&gt;PCI DSS&lt;/a&gt; standards and the &lt;a href="http://www.fsa.gov.uk/Pages/Doing/Regulated/tcf/index.shtml"&gt;FSA Treating Customers Fairly&lt;/a&gt; principles and turning them into requirements; with each sub-requirement rated with a MoSCoW rating.  The MoSCoW rating system is standard for requirements in that it not only prioritises requirements but also allows the author to set custom measurement:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Must Have: &lt;/span&gt;means that if the system does not meet this security requirement then the project has to stop as soon as it is known - the project cannot move forward.&lt;/li&gt;&lt;li&gt; &lt;span style="font-weight: bold;"&gt;Should Have: &lt;/span&gt;means that the system has to be designed to meet this requirement.  If it cannot meet the requirement then the project can only go ahead if there is business, tech &amp;amp; risk agreement that the project can carry on.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Could Have: &lt;/span&gt;means that the project has to consider the requirement in the plans, but may drop it if it is too expensive.  They have to give a reason and have any risk exposure explained - but this is not scrutinised in the same way as a Should Have.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Want, or Would Have&lt;/span&gt;:  Aspirational security requirements that the business recognise as important but understand they will cost more, or might not be possible with today's technology etc.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;I find it surprising that many security professionals that I deal with do not recognise RISK.  They will automatically say YES, WE MUST HAVE all the security features without realising that the selection of the security features is a risk balance.&lt;br /&gt;&lt;blockquote&gt;e.g. one organisation I worked for mandated fibre to every desktop because the risk of Ethernet radiation leakage would be too damaging for their business.  Clearly desktops in a financial insurance company do not require this - although, if the price was right then the business would have this extra security.  So for one organisation it was a MUST, the other a WOULD HAVE.&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;What about the requirements that have been missed?&lt;/span&gt;&lt;br /&gt;Sure, there will be some that have been missed.  However, in my experience, the online applications that will generate huge breaches tend to show signs very early on that anti-patterns existed: over-worked teams, poor education, poor communication and so on.&lt;br /&gt;&lt;br /&gt;By focussing the requirements on OWASP and the other sources, it gives auditors concrete foundations to measure the security quality of projects in a commercial context.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Example Requirement&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;ID:&lt;/span&gt; Z1.1  (in the AntiXSS chapter)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Name&lt;/span&gt;: Strong output encoding&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Description&lt;/span&gt;: Ensure that all user-supplied data is appropriately entity encoded before rendering, taking the approach to encode all characters other than a very limited subset.  This is the approach of the various Anti-XSS libraries.  Also, set the character encodings for each page output, which will reduce exposure to some attack vectors.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Type&lt;/span&gt;: Security requirement&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Source&lt;/span&gt;: OWASP Top 10, 2007&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;MoSCoW&lt;/span&gt;: MUST&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Measure of Success&lt;/span&gt;: All input and output data must be encoded appropriately with the output encoding specified, e.g. 
UTF-1, ISO 8859-1&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-5946153880839706612?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/5946153880839706612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/06/developing-security-requirements.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/5946153880839706612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/5946153880839706612'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/06/developing-security-requirements.html' title='Developing Security Requirements'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-976588193109489000</id><published>2009-05-14T22:14:00.009+01:00</published><updated>2009-05-14T22:48:56.037+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='keyloggers linux infowar hack security'/><title type='text'>In The Field: Keylogging</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;I've never actually had to use keyloggers out in the field o&lt;/span&gt;&lt;/span&gt;&lt;span 
style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;n assignment - I don't normally take on the all-out 'break in' jobs because they are fraught with mishap and, if I'm going to be a bit snooty, they are usually more 'private investigator' than proper security researcher.   I do however give presentations to organisations about the dangers of these wee devices and how easily they can be smuggled in and out of data centres and the workplace.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyKxNvyVdI/AAAAAAAAACQ/p7xZi9-HrVo/s1600-h/keyloggers.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 202px;" src="http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyKxNvyVdI/AAAAAAAAACQ/p7xZi9-HrVo/s320/keyloggers.jpg" alt="" id="BLOGGER_PHOTO_ID_5335792236635510226" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;Keyloggers are&lt;span style="font-family:arial;"&gt; a real threat because they have come of age:&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul  style="font-family:arial;"&gt;&lt;li  style="font-family:arial;"&gt;&lt;span style="font-size:85%;"&gt;They're cheap, a pair can be had for less than GBP40.&lt;/span&gt;&lt;/li&gt;&lt;li  style="font-family:arial;"&gt;&lt;span style="font-size:85%;"&gt;They are&lt;/span&gt;&lt;span style="font-size:85%;"&gt; small and inconspicuous.&lt;/span&gt;&lt;/li&gt;&lt;li  style="font-family:arial;"&gt;&lt;span style="font-size:85%;"&gt;They are easy to use and easy to get data from.&lt;/span&gt;&lt;/li&gt;&lt;li  style="font-family:arial;"&gt;&lt;span style="font-size:85%;"&gt;Standard anti-virus software will not pick them up.&lt;/span&gt;&lt;/li&gt;&lt;li  style="font-family:arial;"&gt;&lt;span style="font-size:85%;"&gt;They typically have 2Mb to 4Mb of 
text memory (which could be several years' worth)&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:85%;"&gt;&lt;a style="font-family: arial;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyMYrk0jTI/AAAAAAAAACY/EgaiAkbW1pc/s1600-h/keyloggeronpc.JPG"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 150px; height: 200px;" src="http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyMYrk0jTI/AAAAAAAAACY/EgaiAkbW1pc/s200/keyloggeronpc.JPG" alt="" id="BLOGGER_PHOTO_ID_5335794014169107762" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;The standard MO is to plug the relevant keylogger into the PS/2 or USB port and then the keyboard into the keylogger.  It acts as a man in the middle, records the input from the keyboard and also looks out for a keyword entered from the keyboard that will activate the text based user interface.&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;They typically come with a predetermined word such as '&lt;span style="font-family:courier new;"&gt;keylog&lt;/span&gt;'.  When the keylogger sees that word being typed in, it sends characters to the PC and that is how the interface works.  So long as you are in a text editor then the text will roll onto the screen.  
No software is required.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyMyw-HniI/AAAAAAAAACg/qVpy8cdN6gA/s1600-h/keysafe.jpeg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 190px;" src="http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyMyw-HniI/AAAAAAAAACg/qVpy8cdN6gA/s200/keysafe.jpeg" alt="" id="BLOGGER_PHOTO_ID_5335794462293990946" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;In fact, here is a sample from kate, the KDE text editor.  This ou&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;t&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;put is from a 2Mb PS/2 type keylogger used in Fedora Linux.  Typing keylog into kate has automatically typed in the interface menu.  The attacker can change the keyword and some of the behaviour of the data recovery.  In this sample you can see a URL that has been&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt; typed into a &lt;span style="font-family:arial;"&gt;browser.&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;  Obviously as part of the job recon, the duration of time the logger has to be carefully assessed so that drops can be organised with minimum disruption (people crawling under desks create suspicion), but also, most users will log on once a day to systems and so day start is a critical time.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;For corporates protecting against this - I have only ever used one solution.  Glue.  One client I advised filled the USB slots with araldite and glued the PS/2 connectors in place.  
This may sound insane, but software based solutions won't work when the PC is switched off and also USB drop detections and so on will create huge amounts of noise.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Laptops are less risky - however, ZIF solutions that sit between the keyboard ZIF scket and the keyboard connector are not impossible and will one day be mainstream.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-976588193109489000?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/976588193109489000/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/05/in-field-keylogging.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/976588193109489000'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/976588193109489000'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/05/in-field-keylogging.html' title='In The Field: Keylogging'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_mFLq7mDVJqE/SgyKxNvyVdI/AAAAAAAAACQ/p7xZi9-HrVo/s72-c/keyloggers.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-8419293355388475222</id><published>2009-05-08T21:47:00.005+01:00</published><updated>2009-05-08T22:50:12.237+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phish secure email solutions'/><title type='text'>Secure Email solutions and Phishing Email</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:arial;"&gt;One of the &lt;/span&gt;&lt;/span&gt;main problems with the secure email products (Cisco Ironport, Tumbleweed, Trend Micro) is that there is still no internet wide standard for securing email.  So if a large corporation wishes to send data to its consumers then it has either got to:&lt;div style="text-align: center;"&gt;&lt;div style="text-align: left;"&gt;&lt;ul&gt;&lt;li&gt;Distribute identities to its customer base out of band, e.g. on the last statement or by letter.&lt;/li&gt;&lt;li&gt;Invite customers to sign up (low return rates).&lt;/li&gt;&lt;li&gt;Implement a shared key secure email system (fraught with danger and a big deployment cost)&lt;/li&gt;&lt;li&gt;Implement a public key system like PGP/MIME (customers don't understand it + who should own the key directory?)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Implement a secure pick up solution by emailing out a link&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_mFLq7mDVJqE/SgSaiEyoq1I/AAAAAAAAAB4/4QzGcD8PYuk/s1600-h/s3.jpeg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 103px;" src="http://3.bp.blogspot.com/_mFLq7mDVJqE/SgSaiEyoq1I/AAAAAAAAAB4/4QzGcD8PYuk/s200/s3.jpeg" alt="" id="BLOGGER_PHOTO_ID_5333557768905861970" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The problem is that many of the solutions implement the latter because of the technical and cost limitations of the 
other strategies.  Another key problem with all of these strategies is that the &lt;a href="http://www.getsafeonline.org/"&gt;Government&lt;/a&gt; and the &lt;a href="http://www.banksafeonline.org.uk/"&gt;Banking Industry&lt;/a&gt; are quite rightly advising the public not to click on links that offer to retrieve messages etc - this flies in the face of the secure email product strategy and shows a clear weakness.  A 'secure email' with a constructed link to pick up the email looks too similar to a phishing scam to be useful.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_mFLq7mDVJqE/SgSo2bwOUlI/AAAAAAAAACI/vx5CUBPHLqs/s1600-h/pgpkmail.jpeg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 90px;" src="http://2.bp.blogspot.com/_mFLq7mDVJqE/SgSo2bwOUlI/AAAAAAAAACI/vx5CUBPHLqs/s200/pgpkmail.jpeg" alt="" id="BLOGGER_PHOTO_ID_5333573511829934674" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;At present, PGP/MIME is the only email encryption strategy that I support, because it maintains the postal metaphor: "I send you an email" and you can open it in your email client.  All the other schemes break the metaphor by requiring the recipient to go and find a web server to get the message, using credentials 'owned' by a third party, leaving the recipient with an enormous number of schemes and credentials to remember.  
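&lt;br /&gt;&lt;br /&gt;Here is the Government's "don't click on links that offer to retrieve messages" advice applied mechanically, as an added example for this post (written for this page; it is not code from the original or from any of the products named).  It pulls the URLs out of a constructed "you have a secure message" notification and flags every link whose registrable domain is not the sender's own, which is the one property a recipient can actually check by eye.  The sender domain bank.example, the vendor domain securemail-vendor.example and both sample messages are made up for the demo.&lt;br /&gt;&lt;pre&gt;
```python
"""Flag 'click here to read your secure message' mails whose links leave
the sender's domain.

Added example for this post, not code from the original. The two sample
mails and the domains bank.example / securemail-vendor.example are
constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
# Crude stand-in for the public suffix list: enough for the sample and for
# the .org.uk / .co.uk hosts this post links to.
UK_SECOND_LEVEL = {"co.uk", "org.uk", "ac.uk", "gov.uk", "net.uk"}


def registrable_domain(host):
    """www.bank.example -> bank.example; www.banksafeonline.org.uk -> banksafeonline.org.uk"""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in UK_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Registrable domain of the From: address, or '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def body_text(msg):
    """Concatenate every text part, decoding with the declared charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def offsite_pickup_links(raw_message):
    """Return [(url, link_domain), ...] for every link whose registrable domain
    is not the From: domain. An empty list means every link stays on the
    sender's own domain, the only case a 'don't click on links' policy
    could reasonably exempt."""
    msg = message_from_string(raw_message)
    sender = sender_domain(msg)
    findings = []
    for raw_url in URL_RE.findall(body_text(msg)):
        url = raw_url.rstrip(".,;:)")          # drop trailing punctuation from prose
        host = urlparse(url).hostname or ""
        if host and registrable_domain(host) != sender:
            findings.append((url, registrable_domain(host)))
    return findings


# Constructed sample: a typical vendor-hosted pick-up notification.
SAMPLE_PICKUP_EMAIL = """From: customer.services@bank.example
To: customer@example.org
Subject: You have received a secure message
Content-Type: text/plain; charset=utf-8

You have a new secure message from Bank Example.
Click https://securemail-vendor.example/pickup?id=4711 to read it.
Questions? See https://www.bank.example/help.
"""

# Constructed sample: every link stays on the sender's own domain.
SAMPLE_ONSITE_EMAIL = """From: customer.services@bank.example
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Log in as usual at https://www.bank.example/ to view your statement.
"""

if __name__ == "__main__":
    for name, mail in (("pickup", SAMPLE_PICKUP_EMAIL), ("onsite", SAMPLE_ONSITE_EMAIL)):
        print(name, offsite_pickup_links(mail))
```
&lt;/pre&gt;The registrable-domain logic is deliberately crude (two labels, plus a handful of UK second-level suffixes); production code should use the public suffix list.  The point stands either way: a vendor-hosted pick-up link fails the same test as the phishing links the banks tell their customers to ignore, and no amount of branding in the message body changes that.&lt;br /&gt;&lt;br /&gt;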
However, until PGP public keys become ubiquitous and key management made to be usable by an ordinary user then secure email will continue to be a mish-mash of unique solutions across corporations and product providers.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-8419293355388475222?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/8419293355388475222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/05/secure-email-solutions-and-phishing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/8419293355388475222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/8419293355388475222'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/05/secure-email-solutions-and-phishing.html' title='Secure Email solutions and Phishing Email'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_mFLq7mDVJqE/SgSaiEyoq1I/AAAAAAAAAB4/4QzGcD8PYuk/s72-c/s3.jpeg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-9188258399800412464</id><published>2009-04-28T13:04:00.011+01:00</published><updated>2009-04-28T13:53:55.577+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information security USB spy encryption SOCA'/><title type='text'>You only lose it once</title><content type='html'>Whenever there is mention of "an agent" and "spying" in a story, the popular press seems to collectively turn into a pre-pubescent teenager when reporting the facts, complete with images of sports cars and shady manoeuvres in hot climates.&lt;br /&gt;&lt;br /&gt;Recent allegations of a female agent in Colombia losing her handbag containing a USB key full of potentially secret information have cropped up on all the press wires.  Newswire stories, simply mixed up and redrafted (&lt;a href="http://www.securitypark.co.uk/security_article263006.html"&gt;here&lt;/a&gt;, &lt;a href="http://www.globalsecuritymag.com/Credant-says-MI6-drug-information,20090428,8815"&gt;here&lt;/a&gt; and &lt;a href="http://www.net-security.org/secworld.php?id=7399"&gt;here&lt;/a&gt;), are floating the opinion that somehow a handbag was left on a bus from the airport and the data was lost in 2006.  Other press sources such as &lt;a href="http://www.timesonline.co.uk/tol/news/politics/article6169077.ece"&gt;The Times&lt;/a&gt; throw a little more light on the matter, quoting the shadow home secretary, who takes the chance to make a political quip.  A little inter-service squabbling can be found too: some news sources quote MI6, others report it as a SOCA problem.&lt;br /&gt;&lt;br /&gt;What astounds me is that the IT security press are jumping on the "she should have had an encrypted USB stick" line, and some are even mentioning products.  No, they are missing the point.  
If the story facts as we have them are true (and that's something I seriously doubt) then the problem is not about secure storage but about security controls on the information in the first place.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;That information should have been &lt;a href="http://en.wikipedia.org/wiki/Classified_information_in_the_United_Kingdom"&gt;protectively marked&lt;/a&gt; (it sounds like SECRET from the press reports).  There are &lt;a href="http://en.wikipedia.org/wiki/Classified_information_in_the_United_Kingdom"&gt;plenty of rules about couriering protectively marked documentation&lt;/a&gt; - these should have been enforced.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;That quantity of information should not have been made available to an individual agent - who, after all, according to the press stories, isn't a sworn-in employee of HMG and could have sold it.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;For what operational reason would an individual be travelling with this amount of data? Why not send it by secure comms?  It's cheaper, and receipt of the data would have been non-repudiable: there would be a record of who received what.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;If I were to choose between conspiracy and cock-up, the latter always wins.  Especially with a poorly set-up new organisation lacking adequate controls and discipline.  
Also, I thought it would be common knowledge that a handbag owned by a single travelling female at &lt;a href="http://en.wikipedia.org/wiki/El_Dorado_Airport"&gt;El Dorado airport&lt;/a&gt; (one of the busiest in S America) is going to be a target...&lt;br /&gt;&lt;br /&gt;I hope no one died because of the information loss.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-9188258399800412464?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/9188258399800412464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/you-only-lose-it-once.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/9188258399800412464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/9188258399800412464'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/you-only-lose-it-once.html' title='You only lose it once'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-4746005761937553992</id><published>2009-04-27T08:49:00.007+01:00</published><updated>2009-04-27T10:33:37.714+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forbidden planet credit card scam hack PCI DSS'/><title type='text'>Forbidden Planet - 
not disclosing Credit Card Fraud</title><content type='html'>On a similar subject to my previous blog post about the data loss at Impulse Group: Forbidden Planet (UK) have managed to have their customers' credit card details breached.  In what seems to be the norm nowadays, Forbidden Planet (UK) have not sent messages to their customers to report the problem; instead, a rather strange message was left on the 'closed' Dr Who forums by the site owner - but the statement is &lt;a href="http://www.blogomatic3000.com/?p=790"&gt;available at Blogomatic 3000&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The data is being used by fraudsters - one customer I spoke to said that £10 transactions had gone through his Maestro card.  Fraudsters use "taster" £10 transactions because they are small enough to pass unnoticed and confirm the card is still active before the details are sold on.&lt;br /&gt;&lt;br /&gt;The big questions that I'm seeking answers to:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Why wasn't the system PCI DSS compliant?  Because if it was, the card numbers would not have been available to those that stole the data.  PCI DSS Requirement 3 ("protect stored cardholder data") is not just talking about database passwords: the PAN has to be rendered unreadable (encrypted, truncated or hashed) wherever it is stored, including log files, and sensitive authentication data such as the card security code must never be stored after authorisation at all.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Why was credit card data older than 2 months still being stored?  
Requirement 3 also says that cardholder data storage must be kept to a minimum, with a retention policy that limits it to what business, legal and regulatory needs require, and that data past that limit is securely deleted.&lt;/li&gt;&lt;/ul&gt;More information on PCI DSS can be found here:  &lt;a href="http://www.pcisecuritystandards.org/"&gt;http://www.pcisecuritystandards.org&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-4746005761937553992?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/4746005761937553992/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/forbidden-planet-not-disclosuring.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/4746005761937553992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/4746005761937553992'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/forbidden-planet-not-disclosuring.html' title='Forbidden Planet - not disclosing Credit Card Fraud'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-9132551089204224804</id><published>2009-04-24T19:07:00.003+01:00</published><updated>2009-04-24T19:15:43.107+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='life pensions security email pgp'/><title type='text'>Securing Business to Business Email in the 
Pensions Industry</title><content type='html'>The UK life assurance and pensions industry sends huge amounts of confidential documents 'B2B' between product providers, intermediaries and advisers.  The majority of the big providers have bought into &lt;a href="http://www.assureweb.co.uk/"&gt;portal-style platforms&lt;/a&gt; where advisers can conduct business across many different players (such as Norwich Union, Legal &amp;amp; General, Zurich etc) - however, more than 60% of the business is conducted over the phone between adviser and product provider, with the provider emailing, posting or faxing the resultant client documents back to the adviser.  The documents are usually client agreements, quotes or illustrations of how financial products such as pensions pay out depending on a client's circumstances.&lt;br /&gt;&lt;br /&gt;The life and pensions industry in the UK typically revolves around Financial Advisers who are independent or tied to an organisation.  The majority of IFAs are one- or two-man bands with little IT knowledge and little gumption to learn how to use IT assets properly.  The FSA has included data loss as a "reportable breach" and certainly, all staff who work at financial organisations have to pass regular training to recognise what has to be encrypted.&lt;br /&gt;&lt;br /&gt;The problem the industry has is that IFAs who work with many financial product providers have to remember lots of credential sets and how to use multiple mechanisms for receiving quotes and illustrations for pensions, investments and annuities from each of the main product providers.  The majority of secure email solutions are considered difficult to use and are not popular with recipients, who have to browse to a web front end, register, and retrieve the email there.&lt;br /&gt;&lt;br /&gt;To make matters worse - some of the core intermediaries are trying to dictate that their secure email solution is the only mechanism through which they will do business.  
One particular Wealth division of a big player has suggested "Password Encrypted Winzip" (crikey!) whilst others are moving to PGP/MIME solutions through products like Tumbleweed, Trend Micro and Cisco Ironport.&lt;br /&gt;&lt;br /&gt;We need a worldwide solution for securing email communication that the big organisations will buy into.  The solutions that involve plugins and proprietary solutions will just never work in the long term.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-9132551089204224804?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/9132551089204224804/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/securing-business-to-business-email-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/9132551089204224804'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/9132551089204224804'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/securing-business-to-business-email-in.html' title='Securing Business to Business Email in the Pensions Industry'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3129434197637637826.post-5632786757882101624</id><published>2009-04-24T18:54:00.007+01:00</published><updated>2009-04-24T19:15:59.968+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='paypal phish address security'/><title type='text'>Sophistication in PayPal Phishing Scams - name and address</title><content type='html'>The content of phishing emails tends to skew to the generic so imagine my surprise when a paypal scam email started as "&lt;tt&gt;Dear CALLUM WILSON&lt;/tt&gt;" and included my full address and postcode.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;Dear CALLUM WILSON ,&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;PayPal Resolution Center: Your account is limited.&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;Why is my account access limited?&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;As part of our security measures, we regularly screen activity in the PayPal system. 
During a recent screening, we noticed an issue&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;regarding your account:&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;...&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;- A clear copy of a recent bank statement or utility bill on which your name and address (NNN XXXXXX STREET,STIRLING,STIRLING,FK8 XXX) are clearly visible and less than 3 months old.&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:courier new;font-size:78%;"  &gt;...&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;The email asks victims to send compromising information such as copies of both sides of debit cards, passport, utility bills etc to &lt;tt&gt;secure@paypalcompany.com&lt;/tt&gt; - a domain hosted on a compromised host [89.255.10.39] at a Dutch ISP.  The host redirects port 80 HTTP traffic to the real PayPal.com site but has SMTP, POP3 and IMAP daemons running, suggesting tooling to receive and process the victims' emails sent to the domain.  The server also has a copy of MySQL running, albeit locked down against access from outside the domain.  The site is running Plesk [http://en.wikipedia.org/wiki/Plesk], a cPanel-like hosting control panel, on port 8443.  
Firefox is now showing the site as a forgery - but &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_mFLq7mDVJqE/SfH-_A-80-I/AAAAAAAAAAk/csl07nV1vEM/s1600-h/paypalcompany1.jpeg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 156px;" src="http://4.bp.blogspot.com/_mFLq7mDVJqE/SfH-_A-80-I/AAAAAAAAAAk/csl07nV1vEM/s200/paypalcompany1.jpeg" alt="" id="BLOGGER_PHOTO_ID_5328320192705254370" border="0" /&gt;&lt;/a&gt;how many internet users have anti-phishing browsers?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;So what is the root of this scam?&lt;/b&gt;&lt;br /&gt;I always use unique usernames for any access to online shops - the interesting thing about my email was that whilst it had the correct name and address for my PayPal account, the email address was not the one registered with PayPal, which is how I could trace where the data had come from: http://www.brother-store.co.uk - a UK-based retailer of print stationery for the fabulous Linux-compatible Brother QL-550 that runs in our office printing labels.&lt;br /&gt;&lt;br /&gt;The Impulse Group Ltd (Cambridge, UK) [http://www.impulse-group.ltd.uk] run a set of affiliate sites that retail various printer supplies and share a common platform for sales enquiries and orders:  &lt;a href="http://www.enquiry-system.co.uk/"&gt;http://www.enquiry-system.co.uk&lt;/a&gt; and &lt;a href="http://www.secure-internet-payment.co.uk/"&gt;http://www.secure-internet-payment.co.uk&lt;/a&gt; (irony not included).&lt;br /&gt;&lt;br /&gt;Some 24 hours after the breach, some of the sites are still not functioning.  
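&lt;br /&gt;&lt;br /&gt;The unique-identity habit mentioned above can be made systematic, and the following is an added example of doing so (an illustration written for this page, not tooling from the original post or from Impulse Group).  Each shop is handed an address derived from a master secret with an HMAC, so a thief holding one alias can neither guess the others nor link them, and a lookup maps any address that turns up in a suspicious mail back to the shop it was issued to; if the mail then claims to come from somewhere else, the data has demonstrably left that shop.  The master secret, the alias domain aliases.example, the merchant list including the hypothetical stationer.example, and the sample headers are all constructed for the demo; paypalcompany.com is the sender domain from the scam above.&lt;br /&gt;&lt;pre&gt;
```python
"""Per-merchant identities for breach attribution.

Added illustration, not the blog author's tooling. MASTER_SECRET,
ALIAS_DOMAIN, the merchant list and SAMPLE_PHISH_HEADERS are constructed
for the demo; paypalcompany.com is the sender domain seen in the scam.
"""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

MASTER_SECRET = b"replace-me-with-32-random-bytes"   # constructed, not a real key
ALIAS_DOMAIN = "aliases.example"                      # hypothetical catch-all domain
MERCHANTS = ["paypal.com", "brother-store.co.uk", "stationer.example"]


def alias_for(merchant, secret=MASTER_SECRET):
    """Address handed to exactly one merchant. HMAC rather than a plain hash,
    so a thief holding one alias cannot derive the others or confirm a guess
    without the master secret."""
    tag = hmac.new(secret, merchant.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return "shop-" + tag + "@" + ALIAS_DOMAIN


def build_index(merchants, secret=MASTER_SECRET):
    """alias -> merchant: the only record that links the two."""
    return {alias_for(m, secret): m for m in merchants}


def attribute(address, index):
    """Which merchant was this address given to? None if it is not one of ours."""
    return index.get(address.strip().lower())


def _addr(header_value):
    """Bare lowercase address from a To:/From: header value."""
    return parseaddr(header_value)[1].lower()


def _domain(header_value):
    addr = _addr(header_value)
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def triage(raw_headers, index):
    """Read To: and From: of a suspicious mail. 'leaked' is True when the
    alias was issued to one merchant but the mail claims to come from another:
    the address has left the shop it was given to."""
    msg = message_from_string(raw_headers)
    issued_to = attribute(_addr(msg.get("To", "")), index)
    claimed = _domain(msg.get("From", ""))
    return {
        "issued_to": issued_to,
        "claimed_sender": claimed,
        "leaked": issued_to is not None and claimed != issued_to,
    }


# Constructed headers modelled on the scam in the post; {alias} is filled in below.
SAMPLE_PHISH_HEADERS = """From: service@paypalcompany.com
To: {alias}
Subject: PayPal Resolution Center: Your account is limited.

Dear CALLUM WILSON, ...
"""

if __name__ == "__main__":
    index = build_index(MERCHANTS)
    mail = SAMPLE_PHISH_HEADERS.format(alias=alias_for("brother-store.co.uk"))
    print(triage(mail, index))
```
&lt;/pre&gt;Run as-is it reports the brother-store alias receiving mail that claims to be PayPal, which is exactly the attribution made above.  Plus-addressing (user+shop@...) serves the same purpose with less effort, but it hands the thief your real mailbox and the shop's name in one go; the HMAC form gives away neither.&lt;br /&gt;&lt;br /&gt;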
I rang Impulse Group Ltd this morning and they confirmed there had been a breach and that &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_mFLq7mDVJqE/SfH-_WrayHI/AAAAAAAAAAs/L-II9T4-dV4/s1600-h/paypalcompany3.jpeg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 136px;" src="http://3.bp.blogspot.com/_mFLq7mDVJqE/SfH-_WrayHI/AAAAAAAAAAs/L-II9T4-dV4/s200/paypalcompany3.jpeg" alt="" id="BLOGGER_PHOTO_ID_5328320198528911474" border="0" /&gt;&lt;/a&gt;they would inform their customers through the website: &lt;a href="http://news.impulse-group.ltd.uk/"&gt; see the Impulse news site&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3129434197637637826-5632786757882101624?l=theresneversafetyinnumbers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://theresneversafetyinnumbers.blogspot.com/feeds/5632786757882101624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/sophistication-in-paypal-phishinh-scams.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/5632786757882101624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3129434197637637826/posts/default/5632786757882101624'/><link rel='alternate' type='text/html' href='http://theresneversafetyinnumbers.blogspot.com/2009/04/sophistication-in-paypal-phishinh-scams.html' title='Sophistication in PayPal Phishing Scams - name and address'/><author><name>Callum Wilson</name><uri>http://www.blogger.com/profile/09950179686755414486</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_mFLq7mDVJqE/SfV7S_D0KKI/AAAAAAAAAA4/OzHbTwdatKg/S220/10195.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_mFLq7mDVJqE/SfH-_A-80-I/AAAAAAAAAAk/csl07nV1vEM/s72-c/paypalcompany1.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry></feed>
