How secure is your credit card info?

In light of the biggest identity theft case ever prosecuted in America, the spotlight is being turned on just how secure is our credit and debit card information?

........Espousing a completely different view is Jerry Tabeling who is the president of IDP, a company that carries out vulnerability assessments of networks and online business applications."Our information is a lot more secure after all the publicity we have had about attacks," he said."But yes there are still problems that still exist though it is getting safer."These, Mr Tabeling told the BBC, tend to centre around a retailer not doing a good enough job securing its network.
...
Meanwhile Mr Tabeling, an IT security specialist, suggested that all consumers need to play a more proactive part in policing their own transactions and their credit information.

Creating a rogue CA certificate

by Alexander Sotirov

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.

The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.

Co-authored by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger

Further details:

• Detailed explanation
• Slides from the 25c3 presentation
• Demo site (set your system date to August 2004 before clicking)

Colliding certificates:

• Real certificate
• Rogue CA certificate

This work was presented at the 25th Chaos Communication Congress in Berlin on December 30, 2008.

For press or general inquiries, please contact the team at md5-collisions@phreedom.org

The Definition Of Security

There is much debate about how to define security - as in digital or IT security.

All too often IT security is spoken of as a "cost to the business". On a broader level I believe IT security is a responsibility management has it its stakeholders. That's not a definition of IT security, simply what it is.

Keeping with the concept of what IT security is - well it is not a cost to the business; rather, it is an investment by the business. It only becomes a cost to the business AFTER an exploit has taken place and digital information has been compromised or stolen.

Another fallacy I hear in my travels is that an investment in IT security is nothing more than an insurance policy; i.e. insurance that the digital information will remain safe if the proper investment is made to protect it.

A businesses' investment in IT security is not an insurance policy. An insurance policy pays the insured to compensate for a covered loss. Certainly, there are various types of business insurance a company can buy for data loss, but that is missing the point, because we're talking about IT security, not insurance.

So what then is the definition of IT security?
By Daniel Miessler on September 3rd, 2008

The process of maintaining an acceptable level of perceived risk.

There are a few things to like about this definition.

• Process. i.e. it doesn't end.
• Acceptable. This alludes to the fact that the organization's upper management decides-based on the entity's goals as a whole-how much risk to take on. The crucial piece here is that this isn't for security professionals to decide.
• Perceived. In short, "you don't know what you don't know". And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions.
• Risk. As we all know, it's not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I'll clarify briefly how I define risk. In general, I prefer NIST's description from NIST Publication SP 800-30:
  

Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word "function" used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset
value to the equation, and this is a popular choice.

Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.

A risk is a chance of something bad happening.

Too simple? Not really. It's instantly understandable to virtually everyone, but at the same time it does not contradict the more complex definitions.

So when should you use one definition vs. the other?

In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.

So, written out (i.e. without the word "risk") we arrive at:

Security is the process of maintaining, based on what we know, an acceptable level of likelihood that something bad will happen to the organization.

…and once again, in it's more succinct and elegant form:

Security is the process of maintaining an acceptable level of perceived risk.

Hackers defaced collider site, say reports

Hackers defaced collider site, say reports
Published: 2008-09-12

UPDATED: A group of online vandals compromised the security of a server at the Large Hadron Collider (LHC) this week, putting up a Web page mocking the site's security but not the experiment, according to reports in two U.K. newspapers.

The attacks, which appear to have compromised a server at the European Organization for Nuclear Research (CERN), which runs the LHC, resulted in a server portal for one of the science teams being defaced by a group calling itself the Greek Security Team, according to an article in the U.K.-based Daily Telegraph. The defaced page mocked the security of the site, calling the IT staff "school kids," according to an article in the Times Online.

"We don’t know who they were but there seems to be no harm done," James Gillies, a spokesman for CERN, told the Times. "It appears to be people who want to make a point that CERN was hack-able."

CERN, the largest particle collider in the world, made history this week when the giant $8-billion machine was activated and its first beam of particles completed the 27 kilometer circuit underground. The two test beams created so far have been dumped, as the technical teams calibrated and check the performance of the large experiment. Eventually, the collider will smash two beams of particles into each other in an attempt to detect elementary particles not present since the Big Bang and gain insight into the nature of gravity.

The hackers targeted a server hosting the portal for the science team responsible for the Compact Muon Solenoid Experiment (CMS) at CERN. The organization's press office did not immediately return an e-mailed request for comment.

UPDATE: Two readers who have translated the Greek Web site have disagreed with the newspaper reports of the incident. The defaced Web page does not belittle the LHC's security, but appears to make fun of other hackers in the Greek Internet underground scene, the readers maintain. More can be found on this security researcher's blog.

If you have tips or insights on this topic, please contact SecurityFocus

Jerry Tabeling quoted in recent BBC News article

In light of the biggest identity theft case ever prosecuted in America, the spotlight is being turned on just how secure is our credit and debit card information?

Mr. Tabeling was interviewed by the BBC for his thoughts.

Read about it here: http://news.bbc.co.uk/2/hi/technology/7544313.stm

Final Word on DNS Chatter

Unless something of significant interest occurs, this will be my last post on the DNS flaw that everyone has been talking about for the past several weeks.

Before I leave the subject I'd like to throw out two valuable links.

1) Determine if your ISP has installed the proper patches - http://www.doxpara.com/ (click the "Check My DNS" button)

2) IntoDNS - http://www.intodns.com This site provides a very nice snapshot of your ISP's DNS configuration. Just enter your domain name and click on the report tab.

Most Security Breaches Go Unreported

Most Security Breaches Go Unreported

An RSA survey found the e-mail-borne malware and phishing that affected 69% of respondents' companies, may not have led to serious consequences in every instance.

By Thomas Claburn, InformationWeek
Aug. 1, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=209901208

More than 89% of security incidents went unreported in 2007, according to survey of about 300 attendees at this year's RSA Conference.

Security incidents, as defined by the study, represent "an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address."

Some of the security incidents, such as the e-mail-borne malware and phishing that affected 69% of respondents' companies, may not have led to serious consequences in every instance. But 29% of those answering the survey said their organizations experienced customer or employee data leakage. Twenty-eight percent reported insider threats or theft and 16% reported intellectual property theft.

"With 29% of respondents stating that they experienced the leakage of employee or customer data in 2007, it is alarming to see that only 11% of those types of incidents went reported," said Tim Mather, chief security strategist for RSA Conference, in a statement. "Security professionals need to remain cognizant of the regulations that their organizations must comply with and ensure they are taking steps to properly report the security incidents that are required by law -- whatever they may be."

Such findings echo a recent a study of over 500 data breach forensic investigations conducted by Verizon Business Security Solutions. According to Bryan Sartin, VP of investigative response at Verizon, the publicly reported breaches are "just the tip of iceberg." He said that less than 5% of the more than 500 cases covered in the Verizon study involved some form of disclosure.

In short, companies appear to be far more insecure than they acknowledge. The RSA survey indicates that 46% of companies experienced no security incidents in 2007, 19% experienced 1 to 2, 14% experienced 3 to 5, 7% experienced 6 to 10, 3% experienced 11 to 20, and 13% experienced more than 20 security incidents.

The top security challenge, according to respondents, is lost or stolen devices (49%), followed by non-malicious employee error and employee education (tied at 47%), budgetary constraints (44%), external hacking threats (38%), executive buy-in (26%), and malicious insider threats (22%).