The slides are now available: The Frugal CSO: IT Security Tools for Tough Times (pdf).

This presentation was to raise  awareness of the availability and quality of some of the leading free / open source and low cost security software.

Unlike the U.S. and European governments, the Canadian federal government has never officially blessed the use of open source.  There are a ton of deployments, but they tend to be isolated, small and kept really quiet.

There are many outstanding open source and low cost security products out there, and there are few, if any, valid reasons to exclude them from consideration when evaluating products.

No related posts.

Every BlackHat / DefCon has great demonstrations that jolt people awake. This time a group set up a table with an RFID reader and camera and collected data broadcast by the various cards as people walked by . The demonstration itself is not that interesting… what’s more interesting is federal officials were so surprised.

This should not be news. There’s been a lot of very public concern over RFID chips embedded in passports and building access cards. Back in 2007 NIST released Guidelines for Securing Radio Frequency Identification (RFID) Systems (pdf). And it’s been demonstrated many times that most RFID cards can be read from a distance and easily cloned: for example, the new RFID-enabled U.S. passports and driver licenses were read from 50 meters (164 ft.) and cloned. The widely used “MiFare Classic” RFID chip used in building access cards and transportation cards was cracked earlier this year, even though it uses a form of encryption.

As if the security model of credit cards wasn’t already weak enough, banks are issuing credit cards with an embedded radio frequency chip. At some stores and gas stations I can pay just by waving my card near a reader pad… no signature required. The bank will not issue a card without this unwanted feature. Guess the only option is to get a Faraday cage wallet or use a hammer.

Related posts:

• Disarming Adobe PDF Viewer

We do a lot of work helping protect small and mid-sized business (SMBs), and it’s great to see these organizations get attention.

An article over at at Dark Reading covered the Visa discussion well: Small Business: The New Black In Cybercrime. Interesting tidbits:

• Improved security at large organizations is driving criminals to target the less secure SMB business sector.
• 85% of all fraud (in Canada, at least) occurs at SMBs
• SMBs struggling to meet PCI compliance should move to using payment processing gateways and other means to avoid having to deal directly with card data.

Do you buy that first point? Sure there have been incremental improvements in large business security in recent years, but hardly enough put a dent in the number and magnitude of their data breaches.

It’s easier to attack small businesses, but they have so much less to steal. It takes a little more effort and time to crack a large business, but a success nets criminals millions of card numbers, accounts, personal identities or dollars.

If large business security improvements were having a real effect I’d expect black market prices to trend upward. Most data sold on the underground originates from breaches of large businesses, yet prices continue to fall. For example, Symantec’s Internet Threat Report Jan- Jun 07 and July to December reports show still prices falling:

Regardless of trends, small and medium business are especially at risk, but from lack of resources and lack of awareness, not targeted attacks. The security attacks we’ve dealt with at small organizations have all been from standard malware, script-kiddie exploits and untargeted phishing.

Small and medium business security is yet another security blind spot, but of a different kind. The blind spot of the organizations themselves is in failing to see where they are most at risk.

Right now, the only exposure most small organizations have to a security standard is PCI DSS. Sadly that standard is myopic: it only addresses confidentiality.

Yet the biggest risk facing most small organizations is continuity: infrequent and untested backups, no offsite storage, no fallback web presence, etc.  Most small businesses never recover from a business interruption longer than a few days. Too bad continuity and availability in general are outside the scope of PCI DSS.

Obviously, losing merchant status due to repeated breaches of card data would also shut down a business, but in reality that’s far less likely than banal incidents like hard drive failures, a smash-and-grab or a fire.

Sadly, we see organizations spend all their resources chasing PCI compliance at the expense of overall risk management.

So the third point above is good advice: if at all possible, transfer the risk of card processing to a payment gateway. It costs more per sale, but until sales reach a fairly high level overall winds up being less expensive (and risky). Plus resources are freed to identify and address higher risk security concerns such as continuity.

No related posts.

The article was originally written for Ubuntu Server 6.06 and the instructions for making failed RAID drives bootable didn’t always work in recent versions.

The Ubuntu team has made many improvements to the RAID sitution in Ubuntu 8.10 (Intrepid) and last fall backported those to the current LTS release, Ubuntu 8.04 (Hardy). Now getting a RAID1 system to boot when one drive has failed is much easier and I’ve updated our procedure to reflect that.

Since the entire world seems to have links to the original article, I’ve updated it in place at the old URL rather than post a new one.

Related posts:

• Setting up software RAID in Ubuntu Server
• Ubuntu Server 6.10 released
• Upgrading to Ubuntu Server 6.10 (edgy)

The Department claims none of the misplaced hardware had classified information, and only a few had personal or otherwise sensitive data. However, you have to wonder about such claims… if the organization has so much trouble keeping track of physical assets, how skilled are they at tracking information assets, such as what data those laptops had on them?

Related posts:

• U.S Commerce department loses 17 laptops a month?
• Protecting laptop data with TrueCrypt
• Breach notification laws now!

Interesting points:

• TJX had 802.11 wireless network in stores to support handheld inventory devices, but these were only protected by easily cracked WEP encryption. The company’s network was reportedly infiltrated in 2005 by attackers though these wireless networks.
• Once inside, a lack of firewalls and other layers of defence permitted the attackers to backdoor the network and record data in transit.
• The intrusion went undetected for at least 18 months.
• Around $20 million in fraudulent transactions are expected from the breach, with total costs for clean-up, lawyers and restoring the firm’s reputation possibly exceeding $1 billion over five years.
• Attackers also copied driver license numbers, military identification and Social Security numbers of some 451,000 customers.
• It was organized crime, not kids. The WSJ article says the intrusion “has the hallmarks” of Romanian and Russian crime groups (wonder if they were related to the group that was installing cameras and card readers on ATMs across Canada in 2005?)

The WSJ article says that by 2003 many merchants were switching from WEP to WPA encryption for wireless networks, but that may be a little unfair. For one, when bars, gas stations and other retailers first started using wireless devices for card capture and inventory, it was common practice to send data in the clear. Second, the technology available in embedded devices usually lags far behind desktop and server systems… when WPA became available, most handhelds didn’t have the CPU power to implement it.

In 2005 I did an assessment for a project at National Defence that wanted to use one of the ruggedized wireless inventory handhelds made by Symbol, one of the most popular vendors of these devices. Though the proposed handheld was new and from a major vendor, it still ran an older version of Windows CE and could only do basic WEP encryption. Since the data to be transmitted were fairly sensitive and no alternative safeguard (like a VPN client) was viable, we couldn’t recommend using the device.

It sounds like TJX should have made a similar assessment. Regardless of the weakness of their wireless terminals, it shouldn’t have been so easy for the the attackers to gain further access into the network and remain undetected for so long. The WSJ article reports that they attackers were able to create their own user accounts and move some fairly large files around, which even basic monitoring should have been able to flag. Defence in depth, anyone?

The media is calling the TJX breach the largest ever, but who knows? Retailers and banks have every reason to keep these things quiet… it’s only through mandatory disclosure laws enacted by some U.S. states that the TJX breach became public. It’s likely there have been worse breaches and will be again, but when they happen in jurisdictions without disclosure laws the public will never hear about them.

Related posts:

• (Unencrypted) site security confirmed!