Monthly Archives: May 2012

The slow rise in POS terminal attacks

Late last year there was conversation about the increasing frequency of point of sale (POS) terminal fraud, especially in the US. An extremely high-profile case that was discussed by security professionals with cyber security jobs and no doubt those on the hunt for IT security contract jobs concerned four Romanian nationals and a multimillion dollar scheme to commit POS fraud, which would have resulted in hundreds of merchants being swindled as well as compromising 80,000 US citizens.

They were attempting to do this remotely by hacking into POS systems and stealing data and payments from credit cards, debit cards and prepaid cards, but were, luckily, nabbed by the authorities. They face five years in prison if convicted.

“The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs,” Wired.com reported at the time.
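
As an added example (not code from the original post, nor from any of the firms it mentions), the following Python script shows how a defender might spot the pattern the Wired report describes: a burst of failed remote-desktop logons against a till from one source, possibly followed by a successful one. The log format, hostnames and IP addresses are constructed for the example; real remote-desktop logs will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format) modelled on remote-desktop
# logon events from two POS tills. One source tries several accounts in quick
# succession and eventually gets in; the other is an ordinary staff logon.
SAMPLE_LOG = """\
2012-05-03T02:14:01 host=POS-TILL-07 event=logon_failed user=administrator src=198.51.100.23
2012-05-03T02:14:03 host=POS-TILL-07 event=logon_failed user=admin src=198.51.100.23
2012-05-03T02:14:05 host=POS-TILL-07 event=logon_failed user=pos src=198.51.100.23
2012-05-03T02:14:08 host=POS-TILL-07 event=logon_failed user=manager src=198.51.100.23
2012-05-03T02:14:10 host=POS-TILL-07 event=logon_failed user=administrator src=198.51.100.23
2012-05-03T02:14:12 host=POS-TILL-07 event=logon_failed user=administrator src=198.51.100.23
2012-05-03T02:14:15 host=POS-TILL-07 event=logon_success user=administrator src=198.51.100.23
2012-05-03T09:02:44 host=POS-TILL-02 event=logon_failed user=jsmith src=10.0.5.14
2012-05-03T09:03:10 host=POS-TILL-02 event=logon_success user=jsmith src=10.0.5.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def _alert(src, host, severity, burst, success_user):
    return {
        "src": src, "host": host, "severity": severity,
        "failures": len(burst),
        "users_tried": sorted({f["user"] for f in burst}),
        "logged_in_as": success_user,
    }


def detect_password_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Flag each (source, host) pair with `threshold` or more failed logons
    inside a sliding `window`. A burst followed by a successful logon is
    'critical' (a guess may have worked); a burst with no success is 'high'."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in grouped.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []  # failed logons still inside the sliding window
        burst = []   # failed logons that formed the current burst, if any
        for e in evs:
            recent = [f for f in recent if e["ts"] - f["ts"] <= window]
            if e["event"] == "logon_failed":
                recent.append(e)
                if len(recent) >= threshold:
                    burst = list(recent)
            elif e["event"] == "logon_success" and burst:
                alerts.append(_alert(src, host, "critical", burst, e["user"]))
                recent, burst = [], []
        if burst:
            alerts.append(_alert(src, host, "high", burst, None))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Feeding the same logic with live logs from the tills, rather than the constructed sample, is what turns it into a monitoring check; the thresholds are starting points to tune against normal staff behaviour.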

It’s a serious threat, which the security industry most certainly has on its radar. Roll on the start of this month and the dialogue about POS attacks is still as topical as ever.

Speaking to SC Magazine, Bill Farmer, chief executive officer of Mako Networks, turned the discussion to “rogue terminals”, which exist outside of the central network, and are used as a mechanism to “harvest data” out of a business and into the hands of cyber criminals. What’s interesting is that adept criminals operate in a very surreptitious way.

“The cyber criminal will modify the device to steal the information and transmit it out to be stored,” he said. “It is not easily detectable as the compromised modules are transmitting data out for months at a time and are often in high-traffic places.”

They then collect this data, hold onto it for months, use it for small transactions a few months later and then at cash machines, where lots of cash is extracted, Mr Farmer added.

What then can be done to eliminate this threat? Simple security measures can be effective – all of which deny cyber criminals easy access into a system. You wouldn’t leave your back door open at home or in your office would you? Apply the same concept to POS terminals.

One of the recurring themes is for organisations not to “affiliate” the name of the business with a Wi-Fi network. This is like handing swindlers the golden key.

Another strategy is making sure that payment systems conform to the Payment Card Industry (PCI) Data Security Standard. The PCI Security Standards Council is a most useful asset given that it is responsible for the development, management, education and awareness of industry standards.

Carry out penetration tests as a form of risk assessment to identify weaknesses in the system. Especially vulnerable organisations are those that have POS terminals in a variety of locations and with a sizeable workforce who may, on occasion, leave terminals unattended.

Finally, keep one step ahead of the game, be leaders and innovate. Technology in the digital age doesn’t stop for anyone and neither should you. Invest in new equipment, get regular software updates. Change is good and it puts cyber criminals on the back foot. We’ve got competition, they lament. Indeed they have.

You can’t predict a riot

Last August, England was subjected to five days of rioting. The spark for the unprecedented interlude of social unrest was the shooting of Mark Duggan in Tottenham by the police. London erupted – there was widespread looting, disturbances, violence and arson.

The riots then spread to Birmingham, Liverpool, Manchester and Bristol. For a brief period of time, it felt like the country was teetering on the edge of social disintegration. Luckily, it died out in much the same unexpected way it had started.

It was novel in many ways. There was, for example, no direct correlation between the death of Mr Duggan, a young black man, and many of the subsequent acts of violence. While some people did in fact conduct peaceful protests, for the large part, the riots took on a feverish quality, leaderless and without a cause.

Even now it is hard to define the root causes of the turbulence. A generation lost perhaps, with no opportunities to move? Sure. But, there were oddities, middle class kids rebelling against…well, what?

Another fascinating facet of the riots was the utilisation of social media and the use of instant messaging via mobiles to organise squads of rioters. Social unrest had become very (digitally) social.

Earlier this month, an unemployed man was sentenced in Wood Green Crown Court, London, to two years imprisonment at a young offenders’ institute. It is thought to be one of the first cases of its kind.

Terry Balson, 20, set up a page on Facebook entitled For the Riot (F**K the feds), which was “capable of encouraging or assisting the commission of one or more of a number of offences, namely riot, burglary and criminal damage”.

The police, though already monitoring social media websites actively, have in the wake of the riots, stepped up the level and intensity. Naturally, people are concerned that this kind of monitoring equates to a kind of Big Brother state, “the eye” ever-watchful of every movement you make in the digital world.

However, as Stuart Hyde, deputy chief constable, informed the Counter Terror Expo last month, the new age of openness entitles them to do so: “If your Facebook is open and you allow people to come in — tough, we will do it.”

More worrying, especially for stern advocates of freedom of information and civil liberties, were calls – or at least discussion points – about the viability of putting into motion social media blackouts in the event of similar rioting.

Last year, for example, the Conservative MP Louise Mensch, who is herself an active online communicator – Twitter is her preferred medium – backed such a measure.

“I don’t have a problem with a brief temporary shutdown of social media just as I don’t have a problem with a brief road or rail closure,” she said at the time. “If short, necessary and only used in an emergency, so what. We’d all survive if Twitter shut down for a short while during major riots.”

However, as Greater Manchester Police explained, social media, though a powerful tool for rioters, is equally beneficial to the police. Not only are officers able to communicate directly with people on the street, they can use online networks to project positive messages and put out “hearsay fires” before they turn into something more damaging.

It’s a debate that has yet to come to any sort of logical conclusion. After all, in the context of Blackberry users messaging via BBM (its messenger service), surveillance is, by virtue of privacy, denied. To then block it in its entirety during a crisis would cause lots of problems.

This technology is supposed to liberate us. To deny that is to take a step backwards. There has to be better options out there. “Targeted blackouts” could be one option, using hashtags to identify conversations and then perpetrators another. It’s about being creative.

A little chat about penetration testing

Like ethical hacking, penetration testing – or pen testing to use its more popular name – is a way of assessing the security credentials of a network and/or system. Not to be confused with testing whether your dried up bic biro still works, it “tests” a system’s ability to keep information and data secure by identifying weaknesses that can be exploited. Therefore, what does work is commendable, but it doesn’t figure in this strategy. Recognising what doesn’t work is the goal of pen testing.

It can be argued then that professionals with a penetration testing job adopt the purported persona of cyber criminals and hackers. To beat ’em is to join ’em, so to speak: “If I was a hacker, what would I be looking to do to infiltrate or compromise a network?”

Pen testing is a proactive strategy rather than a reactive one, its philosophy being that preventing attacks is better than cleaning up “the mess”.  And many organisations swear by it. If you can spot what your system is lacking in terms of data protection before a criminal does, well, you put yourself in the enviable position of being one step ahead of the game.

However, for all its merits and popularity, there are questions within the industry as to whether the high-tech evaluative method is running out of steam, and entering into the murky world of bubbles. Is it, argue some professionals, reaching the zenith of its powers?

Those who argue about the limits of pen testing would reach that conclusion. Limit is the buzzword. For example, a pen tester is restricted in the amount of access they have to assess, geographically speaking. While an internal test can be carried out, it can’t, for example, evaluate the vulnerabilities to outside interference. Equally, local wired access points are overlooked when testing via the internet. Limits, limits and limits.

In an engaging LinkedIn discussion two years ago, H Wayne Anderson, managing member of General Business Consulting, LLC, commented:  “You might develop a false sense of security from addressing the wrong vulnerabilities, since an angry, incompetent or malicious insider often poses a greater risk to your data than outsiders do.”

That said, he did concede that proper penetration testing can identify such practices, so long as it is not the “starting place” for boosting the security of any given system.

“The basics must already be in place,” he wrote. “You should have a proper, tested backup regimen, patches tested and installed up to date, properly-sanitized SQL inputs, properly configured firewalls, network monitoring, and other preventative measures in place long before you start pen testing.”

However, in an intriguing and recent article, John Yeo, director of Trustwave SpiderLabs EMEA, revealed that he is optimistic about the future of pen testing, its relevance to companies big and small and, accordingly, its strength.

He points out, cannily, that penetration testing and vulnerability scanning are often confused with each other; therefore, one assumes, some criticism of pen testing might be misdirected.

“Vulnerability scanners are great at identifying ‘low-hanging’ vulnerabilities, like common configuration mistakes or unpatched systems, which offer an easy target for attackers,” Mr Yeo wrote in SC Magazine.

“What they are unable to determine is the context or nature of the asset or data at risk, but they are also less able than humans to identify unknown unknowns.”

In contrast, pen testers are much more capable of doing this. Mr Yeo explains that he has experience of visiting networks that had already undergone an automated vulnerability scan and where, after human pen testing, further vulnerabilities were still discovered.

“By incorporating pen testing activities as part of a wider information security strategy, organisations can validate the robustness of their security controls and identify as-yet unknown risks to their business,” he concludes. “The results of a penetration test and guidance provided help organisations to better protect sensitive data from falling into the wrong hands.”

Acumin rocks into the USA

Acumin, an international information security and information risk management recruitment specialist, which has been delivering expert advice and assistance since 1998, is now expanding its operations into the US market.

The recruitment agency, which is comprised of a number of specialist consultants, delivers a comprehensive range of services across a number of platforms, catering for all sorts of professionals looking to enter the industry, change direction or move up.

This includes governance and compliance; penetration testing, forensics and intrusion analysis; technical security; business continuity management; sales engineering and executive management. Inclusive it most certainly is.

One of the things that distinguishes Acumin as a quality recruitment specialist is its experience in the business. Let’s take the US director Jeff Combs as a case in point. With a decade of personal and professional development at Alta Associates in information security recruitment to boot, Mr Combs knows the business inside and out. He spreads his knowledge wide and far, regularly contributing to CSO Online, the ISSA Journal and SC Magazine’s Skills in Demand.

As such, you can be confident that you’re going to get tailored, accurate and thorough advice, with jobs that are, in a sense, bespoke to what skills you have and where you want to go.

Below is a list of some of the positions waiting to be snapped up by either US residents or Brits looking to move abroad. As you can see from this selection, there is breadth and depth in the jobs available. For more information, visit the website.

Software Services – Product Manager (Chicago, Illinois)

Candidates who are looking to lead the charge in developing software to the exacting needs of a client will surely agree that this position is one that will interest them greatly.

One of the absolute requisites for this position is knowledge and ability to produce a product backlog, with experience in delivering quality assurance procedures.

Along with the skills to engage and work with a wide group of people – from clients to managers to team members – it is essential prospective applicants have a knack of developing swift prototypes and concepts accurately.

IT Security Architect (Sheboygan, Wisconsin)

This brilliant position will suit a talented, proactive and energetic individual looking to add vigour to their career.

You have to be a go-getter, enterprising, with the skills to find, track and manage a variety of security risks and shortcomings that can compromise the integrity of a network.

Ideally, the candidate will be a seasoned pro with a degree to boot. The employer is looking for someone who has spent at least ten years in the business, a decade of becoming rather au fait with IT security systems and networks.

Senior Security Consultant (San Francisco, California)

Can you add a tick to the following: CISSP certification? SANS GIAC (GREM, GWAPT) certification? Certified Ethical Hacker certification? Well then, you might be interested in the following job in the fantastic city of San Francisco.

You’ll be working with the crème de la crème of the business, delivering mobile assessments, network and penetration tests and source code reviews, among other things.

As such, the client is seeking a professional with a minimum of three years’ worth of mobile assessment experience, savoir-faire in scripting and tool development (for example, Python and/or Ruby), and experience in information security consultancy.

The men in white hats

White hats; the good guys,
They are the folks that really care,
On a rally, all for charity,
Raising finance with natural flair.

All are dare devils; true thrill seekers,
To them skid pads provide no fear,
They will drive the oddest vehicles,
A strange experience they will share.

Who would think that Geeks could do this?
The men and women who by day,
Keep the black hats from your data
So that you all may safely play.

The real winners are the children,
Barnardo’s gets to keep the cash.
As the chariots burn out their message
Wheels of fire make one last dash.

So if you see them, give them money,
As they drive through middle earth,
Watched by Brummie Orcs and Goblins
Faces filled with joy and mirth.
Dave Brooks, vice president at Credit Suisse, has kindly penned a charming, expressive and astute poem on what The White Hat Rally is all about. There’s a career in the art of rhythmic verse for Mr Brooks should he consider it, because the poem really hits home what this event is all about.

To deconstruct the narrative of the verse, the participants of the charitable cannonball-esque adventure, which takes petrol head enthusiasts and adventure seekers on a scenic tour across the UK, will this year be raising cash for Barnardo’s. Well, when we refer to the attendees as zealous motorcar aficionados, we perhaps embellish. They are not as ardent as, say, a Fast & Furious character, but they are jovially enthusiastic lovers of cars nevertheless.

This event has caught the attention of the actress Tina Hobley, the UK actress best known for being in Coronation Street and Holby City. As an ambassador for Barnardo’s, a well-known children’s charity, she appreciates the importance of such an event. Beyond the fun, the dressing up of cars, the wonderful lingering conversations after a long day’s drive and the opportunity to network, there is the very real and positive outcome – the raising of funds which help make a difference.

“I hope everyone taking part in the White Hat Rally has a fantastic time,” Tina has said. “I wish I could join you as it looks amazing. I hope you blaze a trail for Barnardo’s and raise lots of money for a cause that’s very close to my heart.”

There are a few ways you can help. You can either get your inner “Vin Diesel” on and bring together a motley crew of brooding car aficionados from your workplace, donate some cash or kindly sponsor the event.

We at Acumin are participating because one, we like to have fun, two, we love road trips, three, we believe in the charity, and four, we love a good catch up with the InfoSec community. We would be thrilled for you to join us on this amazing journey through a beautiful slice of picturesque England. Note, the last date for registering is 11th May, so put your foot to the metaphorical pedal and get things organised.

White Hat Rally is on the lookout to add more corporate sponsors and, trust us, it’s worthwhile. You get to promote your brand to relevant people in the information security industry, you get to network with likeminded people and you get to do your bit for charity. There are now two packages to choose from: bronze (minimum donation of £350), or silver (minimum of £1,000). The Gold package has recently been snapped up by NCC Group, so please get in touch if either Bronze or Silver are of interest.

Everyone’s a winner. With faces filled with “joy and mirth”, who can say no?

The event runs from June 22nd to 24th.

For more information, visit the official website or give them a tweet over on Twitter and see our earlier post here.

Equally, get in touch with Gemma Paterson, marketing manager at Acumin and White Hat Rally Committee member. She can be contacted at gpaterson@acumin.co.uk or gpaterson@whitehatrally.org and is more than happy to discuss sponsorship details.

P.S. Although we utterly adore Only Fools and Horses, three-wheeled Reliant Regal vehicles, a thing of understated beauty if ever there was one, are not allowed. You’ve got to have four wheels. It’s a tough world, we know.

To name and shame

Let’s call it a concept. To name and shame, it goes without saying, is an interesting moralistic tool, used to punish those who are purported to have committed a crime or wandered off the path that keeps society together.

Like those Ronseal adverts, name and shame does exactly what it says – in this case – on a metaphorical tin: it punishes those that affronted others by revealing what their misdemeanours were.

So, for example, earlier this month, Anne Widdecombe, the former Conservative MP, said she wants to name and shame those who get excessively drunk on the weekend and breach the peace.

“Then people going out specifically to get drunk would risk finding themselves in court on the Monday with their names and photographs in the papers,” she explained.

The idea being, of course, that having experienced public humiliation, people subsequently clean up their acts. It acts as a deterrent.

On the flip side, the argument against it is that it can be construed as a sort of witch-hunt, unjustly embarrassing people. For example, last month, students at a school in Oxfordshire went on protest after such a policy was introduced. Larkmead School had put up a notice board with the photos of underperforming students. Needless to say, it backfired.

In our industry, such a thing is going to be piloted by the Trustworthy Internet Movement (TIM), a non-profit, vendor neutral organisation that looks to bring innovative solutions to the many tricky problems that exist in the digital world of the internet.

What it is proposing to do is publish the names of websites that perform well in terms of security and those that fall short of what TIM deems to be acceptable. The obvious outcome, it hopes, is for those who grace the “wall of shame” to remedy whatever security faults they have.

It aims to focus the initial testing on a website’s use of secure sockets layer (SSL) to encrypt data between a user’s web browser and the website. Or, in short, it encrypts some of your internet traffic. As the BBC reports, it is often used to protect, for example, sensitive data that people want kept private for obvious reasons, like credit card numbers that zip along the virtual highway when people purchase goods or access a service.

The reason for choosing SSL as a barometer of a website’s security is because it is “one of the fundamental parts of the internet,” explained Philippe Courtot, founder of TIM and chief security officer at the security firm Qualys. Indeed, it’s a fair point; we can’t argue much with that.

Using ethical hacking techniques, TIM will probe selected websites to gauge how secure they are, with the results, good or bad, published online for everyone’s perusal. The web being the web, you’ve got a global readership. This will matter. After all, when you have a rep to protect, it pays to ensure one’s name lives up to it.

Do let us know what your thoughts are on this blog and whether you think naming and shaming in this context is an innovative step forward or a sort of misadventure that might fuel animosity if anything.

The problem with everyone knowing who you are

The more successful you are, the wider your reach, and, sadly, the more likely it is that the number of critics and opponents you have is going to significantly multiply. You can’t please everyone.

This is the fate of governments, of big corporations, of uber-rich sports stars and people in the public sphere. They have to contend with the tough duality of being extremely popular and visible, while also being the object of loathing.

Why? Well, haters, they are most certainly going to hate. It then comes as no surprise that a number of large organisations have been hacked into. In the last year alone, one in seven organisations of this stature has had its security breached. On average, a large organisation faces a noteworthy attack every week, whereas a small business is liable to be hit at least once a month.

You see, it’s a basic science – if no-one knows your business, if your scope is limited, your audience even smaller, you simply ‘lose yourself’ amidst the crowd. It’s not that you’re insignificant, far from it. It’s just that everything you do is on a miniature level. Thus, it’s fair to say that if and when you break into the public consciousness and widen the net, with the good times will come challenges. You’re the ‘apple of my eye’ to some and the ‘ants at a picnic’ for others.

The findings of the 2012 Information Security Breaches Survey from PricewaterhouseCoopers (PwC), the global professional services firm, confirm that a new age is upon us: “the number of large organisations being hacked into is at a record high”. The cost of this to companies in the UK now runs into the billions.

In spite of this, many organisations are still not treating this, it seems, as seriously as they should. The survey found that 20 per cent of organisations spend less than 20 per cent of their IT budget on information security, with 12 per cent of the opinion that senior management give it a low priority.

As professionals in our industry appreciate, this has obvious consequences, something which the researchers of this study reported. Businesses that have experienced very serious incidents of hacking spend, on average, 6.5 per cent of their IT budget on security.

“The key challenge is to evaluate and communicate the business benefits from investing in security controls,” observed Chris Potter, PwC information security partner.

“Otherwise, organisations end up paying more overall. Given that most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy. The cost of dealing with breaches and the kneejerk responses afterwards usually outweigh the cost of prevention.”

He did accept, rather perceptively, that with security it is difficult to measure the benefits of any system because, when it is doing its job and keeping threats at bay, no-one notices. It follows, therefore, that come a board meeting, when the powers that be are discussing a return on investment, it might be difficult to measure the value of the financial investment that has gone into security measures.

But, if anything, the threat is very real and indeed, cyber crime, as Mr Potter has noted in the survey, is a rising risk to business. This is the status quo. It’s better to be proactive than reflexive, the latter being a response only after an attack has succeeded. These haters, they’re gonna keep on hating, c’est la vie. Rain on their parade and beef up your security.