Watching a breach in progress

Before I start, I have to tell you that I have deliberately obscured the name of this company to protect the sources. However, this is a live story, and absolutely true.

Let’s call the company Eckgle Ltd. Eckgle make their living in call centres and other low-level outsourcing type work, and for some of their customers they process card payments in person, over the phone and through a portal. As a part of their work they get a very full profile of the card holder, including name, address, and everything else that is needed to verify (or fake) an identity.

Eckgle engaged a Qualified Security Assessor (QSA) some years ago, and this QSA did a fine job, and validated that the environment they have is compliant with PCI DSS. This makes Eckgle a PCI DSS compliant service provider, which they can proudly proclaim in their marketing, and they are also listed on VISA’s website.

Eckgle have a problem. They are in a competitive market with low margins, and their managers (under a great deal of pressure themselves) are playing fast and loose with security and information management procedures. Staff are continually going sick with stress, and others are leaving. Another stress factor is that Eckgle have recently removed their internal HR team, offshoring the basic clerical work, which has left staff grievances largely ignored.

One of the challenges staff are facing is being ordered to share passwords with each other and with management on systems that process card payments – this is a big no-no and I doubt that the QSA was aware of this when he validated their compliance. Now cash is going missing (which Eckgle are reluctant to disclose to their outsourced clients) and it seems probable that card data is going missing as well, together with the full set of identity data, which is quite valuable on the black market.

All these factors, coupled with a couple of managers who use the “beating will stop when morale improves” approach to leadership, have created what can truly be called “Insider Threats”. I’ve previously called Insider Threats a class of “Advanced Persistent Threat” – I still believe this to be true, as insiders can cause more damage when they go rogue than any external attacker. When morale is low, and security is deliberately lax, it’s only a matter of time before the results are very publicly reaped.

When the external fraud investigators come a-knocking, admitting that you share passwords between staff will get you that exasperated look. Worse than that, your chances of finding out who was responsible for the breach will be slim to none, and the guilty party (if challenged) will have an excellent defence that it wasn’t them, because a shared password proves nothing about who typed it. If you’re the QSA company that gave them the positive assessment, you may well find some unwelcome attention from the PCI Security Standards Council, and quite rightly so. (They don’t call it a “critical violation” for nothing).

And why did I call them Eckgle? Well, that’s the noise I made in the back of my throat when I heard about this, and I expect that you just did too.

It’s not your phone, it’s the wifi (and you)

I see that the Guardian have managed to re-publicise a well known flaw in WiFi. SSIDs (the name of the network you’re connecting to) are just a string of characters; nothing in the name proves who is running the access point. Couple this with a WiFi device’s propensity to reconnect automatically to “known” SSIDs and you have the Evil Twin attack, which is easiest against open hotspots, where the client has nothing to check before it associates. If I want to get you, I’ll set up a fake (or real) wifi hotspot called “BT FON”, “BT OpenZone”, “Tmobile”, or if I’m really targeting, I will research your corporate environment and use that. (Mind you, if you find a WiFi network for “CORPNAME” at your local railway station and connect to it, you really do need to start staying awake in all those security awareness sessions).

There’s a technical element to this, in that it would be nice if WiFi identifiers were more robust than just a tag. But I’m quite glad that none of the esteemed pundits in that article called for mandatory registration of SSIDs (and if you don’t think that there’s an army of people hungry for more bureaucracy, then you don’t know Government).
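To make the Evil Twin problem concrete, here is an added example (my own illustration, not code from the Guardian article or from any vendor) of the check a device could run over a scan before auto-joining: compare every beacon carrying a saved SSID against what was recorded when that network was joined legitimately. The scan results, the saved profiles, the BSSIDs and the SSIDs are all constructed for the example; a real run would feed in the output of the platform’s scan tool. It flags two Evil Twin signatures the paragraph describes, an SSID broadcast with weaker security than the saved profile, and an SSID broadcast from an access point never seen before, and also lists saved open profiles, which are the ones anyone can impersonate just by typing the name.

```python
from collections import defaultdict
from dataclasses import dataclass

# Relative strength of what the client can verify before it associates.
SECURITY_RANK = {"open": 0, "wpa2-psk": 1, "wpa2-eap": 2}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str
    channel: int


# Saved profiles a device would auto-join, as recorded from earlier legitimate
# connections. Constructed data, not an export from a real device.
KNOWN_PROFILES = {
    "CORPNAME": {"security": "wpa2-eap", "bssids": {"00:11:22:33:44:01"}},
    "HomeNet": {"security": "wpa2-psk", "bssids": {"00:11:22:33:44:02"}},
    "BT FON": {"security": "open", "bssids": set()},  # public hotspot, BSSIDs vary
}

# A constructed scan of what is in the air at a railway station.
SCAN = [
    Beacon("CORPNAME", "00:11:22:33:44:01", "wpa2-eap", 36),  # the real office AP
    Beacon("CORPNAME", "de:ad:be:ef:00:01", "open", 6),       # evil twin, open
    Beacon("BT FON", "00:aa:bb:cc:dd:01", "open", 1),
    Beacon("HomeNet", "00:11:22:33:44:02", "wpa2-psk", 11),
    Beacon("HomeNet", "00:11:22:33:44:02", "wpa2-psk", 11),   # duplicate beacon
    Beacon("HomeNet", "66:77:88:99:aa:bb", "wpa2-psk", 11),   # same name, new AP
    Beacon("GuestNet", "00:11:22:33:44:99", "open", 1),       # not saved, ignored
]


def open_saved_profiles(profiles):
    """Saved open networks: any AP broadcasting the SSID can impersonate them."""
    return sorted(ssid for ssid, prof in profiles.items() if prof["security"] == "open")


def find_suspects(scan, profiles):
    """Return (ssid, bssid, channel, reason) for beacons that a saved profile
    would auto-join but which do not match what was recorded for that SSID."""
    findings = []
    by_ssid = defaultdict(set)
    for b in scan:                       # the set collapses duplicate beacons
        by_ssid[b.ssid].add((b.bssid, b.security, b.channel))

    for ssid, aps in by_ssid.items():
        prof = profiles.get(ssid)
        if prof is None:
            continue                     # not saved: the client will not auto-join
        for bssid, security, channel in sorted(aps):
            if SECURITY_RANK[security] < SECURITY_RANK[prof["security"]]:
                findings.append((ssid, bssid, channel,
                                 "weaker security than the saved profile"))
            elif prof["bssids"] and bssid not in prof["bssids"]:
                findings.append((ssid, bssid, channel,
                                 "BSSID never seen for this SSID"))
    return findings


if __name__ == "__main__":
    for ssid in open_saved_profiles(KNOWN_PROFILES):
        print(f"saved open profile, trivially spoofable: {ssid}")
    for ssid, bssid, channel, reason in find_suspects(SCAN, KNOWN_PROFILES):
        print(f"suspect {ssid!r} from {bssid} on channel {channel}: {reason}")
```

The two reasons deliberately differ in weight. A security downgrade is the classic Evil Twin, and the only thing that stops a client joining it is the client refusing to match a saved WPA2 profile against an open network. A new BSSID under a familiar name is weaker evidence, since legitimate networks add access points, which is why the check only raises it when the profile has BSSIDs on record at all.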

However, there will never be enough red tape to effectively protect against lack of awareness, and lack of caution. Considering the possible real-world example: if you saw a sign saying “Free Cash here” would you stick your credit card in it?

Bad Example. And shame on you for thinking “Yea!”

The truth is we are drawn to the idea of “free” – free banking, free internet, free coffee. Getting something for nothing always has a price tag attached. And if you have responsibility for sensitive information, that could well be the price you pay for free surfing in Paddington.

iPhone location consolidated.db to Google Earth KML

Having watched the media storm over the iPhone location database erupt in the last few days, I wonder why I didn’t release this before. First credit should go to Chris Vance and Nathan Broslawsky who discovered this in Sept 2010 – they were extremely helpful when I contacted them for advice in a forensics case. We all kept quiet in the interests of “responsible disclosure” – ah well.

Now it’s all out in the public domain, I release the hack script which converts an iPhone database into a Google Earth KML map.

There are lots of other useful tricks for mobile forensics!

(Now on github)
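For readers who want to see what such a conversion involves, here is an added example of my own, not the script released above and not anything from Chris Vance or Nathan Broslawsky. It assumes the CellLocation table in consolidated.db has the columns MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude and HorizontalAccuracy, and that Timestamp is seconds since 2001-01-01 00:00:00 UTC (Apple’s absolute time epoch), so the conversion adds that offset rather than treating it as a Unix time. The rows are constructed in an in-memory SQLite database so the example runs offline; point it at a real consolidated.db to convert one.

```python
import sqlite3
import sys
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Timestamp column is assumed to count seconds from Apple's absolute time epoch.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
KML_NS = "http://www.opengis.net/kml/2.2"


def apple_time_to_iso(seconds):
    """Apple absolute time (float seconds) -> KML <when> timestamp in UTC."""
    return (APPLE_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def load_cell_locations(conn):
    """Fetch cell fixes in time order, dropping 0,0 rows which carry no position."""
    cur = conn.execute(
        "SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy, MCC, MNC, LAC, CI "
        "FROM CellLocation WHERE NOT (Latitude = 0 AND Longitude = 0) "
        "ORDER BY Timestamp"
    )
    return cur.fetchall()


def cell_rows_to_kml(rows):
    """Build a KML document with one timestamped Placemark per cell fix."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = "consolidated.db CellLocation"
    for ts, lat, lon, acc, mcc, mnc, lac, ci in rows:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"Cell {mcc}-{mnc} LAC {lac} CI {ci}"
        ET.SubElement(pm, "description").text = f"horizontal accuracy {acc:.0f} m"
        stamp = ET.SubElement(pm, "TimeStamp")
        ET.SubElement(stamp, "when").text = apple_time_to_iso(ts)
        point = ET.SubElement(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude, the reverse of
        # the database columns; getting this wrong puts the track in the sea.
        ET.SubElement(point, "coordinates").text = f"{lon:.6f},{lat:.6f},0"
    return ET.tostring(kml, encoding="unicode")


def convert_db(conn):
    return cell_rows_to_kml(load_cell_locations(conn))


def build_sample_db():
    """Constructed stand-in for consolidated.db with the assumed CellLocation schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER, "
        "Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT)"
    )
    conn.executemany(
        "INSERT INTO CellLocation VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [
            # 324518400 s after the Apple epoch is 2011-04-15T00:00:00Z
            (234, 15, 123, 4567, 324518400.0, 51.5074, -0.1276, 500.0),
            (234, 15, 123, 4568, 324522000.0, 51.5100, -0.1300, 1500.0),
            (0, 0, 0, 0, 324525600.0, 0.0, 0.0, -1.0),  # no fix, filtered out
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    sys.stdout.write(convert_db(db))
```

Run it with the path to a consolidated.db as the only argument and redirect the output to a .kml file; with no argument it converts the constructed sample. In a forensics case the ORDER BY matters as much as the map: the HorizontalAccuracy column tells you how far to trust each fix, and Google Earth’s time slider will replay the Placemarks in the order the database recorded them.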

Your Top-Up card has been refunded

It looks like Paypal are exiting the top-up card business. I have just seen a refund of the balance on my top-up card (which, to be fair, I hardly used because of the huge charges Paypal apply, firstly to get funds into your account, and secondly to get them onto the card itself!)

Top-up cards are odd beasts – in one way they are very convenient, and useful for going on holiday where you don’t want to risk your main card. But the charges for using them can be high, and it’s not certain how much protection you have with a pre-paid card (and for a start, the issuer is unlikely to be the agency who sold you the card – so where’s the contractual relationship?)

Anyway, one more plastic square into the shredder (or should I keep it to see whether they support DDA or SDA EMV?)

ICO: Time for a compliance standard?

The ICO came under some heavy fire today, criticised for not doing enough to enforce penalties for information breaches. But there’s a model out there that could help them right now.

In April 2010, the ICO was given the power to issue and enforce financial penalties on infringers. Since then, ViaSat has released a report listing 2,565 data compliance “issues”, 603 of which are categorised as breaches, and 4 of those were actively investigated by the ICO.

It strikes me that our friends at the ICO can learn a great deal from the PCI DSS compliance model – not perfect, but look at the good points:

  • Standards for People, Process and Technology controls
  • Simple-to-understand definitions of sensitive data, and what to do about it
  • A model that allows third parties to be licensed as compliance assessors

Come on ICO – now you have teeth, how about putting in some definite rules and getting the assistance of the community in implementing them?

Startup Britain serves up Malware

StartupBritain has received a lot of press attention – some positive, some negative. The security tip here is that XSS poisoning, drive-by downloads, and all the other web nasties are frighteningly easy to succumb to, and a freshly launched, heavily publicised site is exactly the kind of target that attracts them. What helps is careful monitoring by expert resources, application and infrastructure vulnerability management, and a good incident response plan to address issues before they become crises.

Title: StartUp Britain linking malware

Author: Jennifer Scott,

Source: ITPro

Date Published: 31st March 2011
‘….The StartUp Britain website has been seen linking to malware, just days after its official launch.

The website, designed to encourage and advise small businesses in the UK, got the backing of Prime Minister David Cameron on Monday.

However, late yesterday it was found to be directing visitors to sites pushing fake anti-virus software……’

To read the complete article see: