The first Cyber Security Workshop was held in Auckland last week, and was an unqualified success. Feedback has been excellent and we are looking to hold this again in other regions thoughout Australia and New Zealand.

Andrew will be facilitating a two day Security management workshop with Liquid Learning in Auckland and Wellington:
Auckland: 17 & 18 August
Wellington: 22 & 23 August

We will be examining:

• Emerging trends
• Aligning Security with organisational Goals

The press release for a recent ISACA International survey says that almost half of the respondents believe that the security risks with cloud computing outweigh the benefits. Interestingly, 30% of the respondents said they did “not know the details of [their] cloud computing plan” implying that these may not have been the best people to have asked.
 
Is this a fair reflection of reality? It really depends on each company’s circumstances, and the information and applications they would considering hosting externally. For many organisations, securing their own computing infrastructure is difficult and costly, and ultimately futile because of it. Often the most valuable information assets a company has are their debtor’s ledger and customer contact list. For these organisations it may be a notable improvement in their security position to host their data, or even their infrastructure, externally.
 
Other organisations may have dedicated budget and resources to securing their critical information assets. Some of these organisations may find the uncertainty of external hosting unpalatable, but others still struggle with maintaining a secure computing environment.
 
That isn’t to say that cloud computing providers are necessarily secure, but they may be more secure than self-hosting.

News has broken that chip and PIN credit cards are finally to be introduced to New Zealand, with Visa announcing that all cards issues from April this year will be fitted with chips, and a plan to replace all cards over the next four years. Chip and PIN has been compulsory in many overseas countries, notably the United Kingdom, for several years in an effort to cut down on credit card fraud.

Will this cut down on card-not-present fraud?

No. Card-not-present transactions are where the party accepting payment does not see or have access to the card being used, such as with Internet or phone payments. Chip and PIN has no effect on this type of fraud. Instead, the Card Verification Code (CVC/CVV) printed on the back of most current cards was introduced to protect transactions performed remotely. The idea is that the CVV cannot be cloned by fraudsters, so by using the CVV as part of the card validation the merchant or processor can be assured that the transaction is legitimate and authorised. This is coupled with requirements that the CVV is never stored by merchants or credit card processing facilities.

So what is it good for?

Absolutely noth.. no. Wait up.

A cynical, but valid, viewpoint is that this provides card issuers and banks with protection from liability for fraudulent transactions. It also provides improved protection for card holders, but it is not perfect. As far back as 2006 there was significant fraud involving chip and PIN. In 2007 researchers had found vulnerabilities in the chip and PIN system which could allow fraud to be carried out. Techniques have been published for compromising chip and PIN terminals using paperclips.

Indeed, in 2008 UK Police uncovered a counterfeit card factory in Brimingham, where chip and PIN terminals in up to 20 retailers had been modfied to allow capture of the chip data. More recently those wacky researchers at the University of Cambridge have found a way for criminals to use stolen chip and PIN cards without knowing the PIN. This has lead them to question the reliability of chip and PIN evidence in banking disputes.

The problem

The problem we, as consumers and credit card users, may face is that the credit card industry still seems to be treating chip and PIN as a fool proof solution for credit card fraud. The ability for the consumer to challenge fraudulent charges will be dramatically impaired. Card issuers are still treating the chip and PIN system as if it were infallible, and using evidence such as till receipts, which we now know are not reliable, as proof that the legitimate PIN was used, and therefore the card holder is liable. Until this situation changes, chip and PIN is as much a liability for the card holder as it is a protection. Until then, the largest beneficiary of chip and PIN remains the banks.

In his TaoSecurity blog, network security expert Richard Bejtlich gives a definition of Advanced Persistent Threat in information security:

Let me put on the flight cap of a formally trained Air Force intelligence officer and try to briefly explain my understanding of APT in a few bullets.

• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Richard Bejtlich is a recognised expert in network monitoring, incident response and forensics. He has written several entries recently relating to the apparent attacks by Chinese government against up to 30 large U.S. corporations including Google, Adbode and others.

This article just popped up on the Risks Digest, affecting a number of popular AES encrypted USB drives. It appears that Kingston, SanDisk and Verbatim hardware encrypted USB memory sticks have a weakness whereby a successful login can be trivially forged, thus unlocking the drives without the passphrase. IronKey is not affected, so those of you using them can rest assured that the money was well spent (so far!).

It looks like time to update my SanDisk Cruzer Enterprise!

Updates:
SanDisk: http://www.sandisk-enterprise.com/update2/
Kingston: http://www.kingston.com/driveupdate/
Verbatim: http://www.verbatim.com/security/security-update.cfm

Here at Plinth Consulting we have long held the belief that security controls need to be usable and relevant for the end users if we're to expect them to use those controls. Too often corporate security policies require 8 character passwords with letters, numbers and special characters - just to log in to your desktop in the morning. Couple this with the admonishment not to write it down and you have a nearly impossible task for most users. Surely it would be more sensible to suggest people write this password down and stick it in their wallet? That's exactly what I do with non-critical passwords.

A recently published paper from Microsoft Research looks at three specific areas; password policies, anti-phishing advice and SSL certificate errors:

In this paper we argue ... that users' rejection of the security advice they receive is entirely rational from an economic viewpoint. The advice offers to shield them from the direct costs of attacks, but burdens them with increased indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones they reject this bargain. Since victimization is rare, and imposes a one-time cost, while security advice applies to everyone and
is an ongoing cost, the burden ends up being larger than that caused by the ill it addresses.

It's not all gloom:

Better advice might produce a different outcome. This is better than the alternative hypothesis that users are irrational. This suggests that security advice that has compelling cost-benefit tradeoff has real chance of user adoption. However, the costs and benefits have to be those the
user cares about, not those we think the user ought to care about.

Source: Microsoft Research via Bruce Schneier

A recent study by SquareTrade has looked at the failure rate of laptops over a three year period. They found that over 30% of all laptops surveyed suffered a failure after three years, with approximately 20% being hardware failure, and 10% being accidental damage.

Click for larger image

Asus and Toshiba came out on top, with a projected three year failure rate of 15.6% and 15.7% respectively. Sony was in third place at 16.8%, and HP was the worst of all brands surveyed with a projected 3 year failure rate of over 25%.

Another interesting finding supports the old saying that "you get what you pay for." Netbooks were expected to suffer a 25.1% failure rate, low-end laptops 20.6% and premium laptops 18.1% failure rate.

Source: SquareTrade via Stuff

There is an excellent blog post at The New School of Information Security looking at the validity of what is commonly called "Best Practice".

I think he is fundamentally correct when he asserts that the phrase "best practice" often means "rules" and is used as a way of avoiding the effort of thinking about the actual risks. It is my experience that organisations will often define "best practice" as "what everybody else does", as in "We're secure, because we did what everybody else does", or "If we get taken to court we can defend it because we did what everybody else does". I don't, however, think that the concept of "best practice" is necessarily worthless. If you are considering deploying a wireless network, for example, there are certain things that just won't cut it, like WEP or SSID hiding. You don't really need to perform a formal risk assessment to conclude that WPA2 with strong authentication is the only safe way to go. You probably do want a risks assessment before you decide to go wireless in the first place.

InfoWorld have published an article discussing dirty vendor tricks, from rigged product demos to botched billing. I know I've seen a few of these before. Have you?