Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode."
This could be a big deal.
In a recent paper, the researcher calls out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."
According to the authors:
"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."
Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance. They may use ARP or VLANs to control access to various network segments. These type of controls work at Layer 2 and the hacker community is well versed at using tools such as Ettercap or Cain & Abel to bypass those controls. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.
While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control:"Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."
By the end of this year, we will likely all be sick of the phrase “systemic risk.” Referring to the complex and interconnected nature of risks that brought down the financial services sector, the phrase has been a focal point in the discussions on how to prevent such failures in the future. (And in my experience, this increased attention means that service and software vendors will be using the term in their marketing literature with increasing frequency in 2010.)
Policy makers are recommending systemic risk solutions such as new oversight bodies to assess for systemic risks or penalties for companies that are perceived to threaten the system. European Central Bank president Jean-Claude Trichet even suggested that financial institutions help avoid systemic risks by "putting aside their own profit" and being "moderate in remuneration behavior," in order to reinforce their balance sheets.
Details such as product integration and go-to-market strategy will trickle out slowly of course, but so far, this is a significant deal for a couple of reasons:
Archer fills a substantial void in EMC’s product offering, which included many elements of GRC, but no central platform to pull it all together.
EMC will introduce the Archer products to a much larger set of potential customers...most notably as a platform to manage security and compliance, but also to customers with requirements for related areas like vendor management or business continuity.
It brings another IT heavy-weight fully into the GRC space, with substantial engineering resources to work on product development (but only if Archer continues to be seen as a top priority within RSA).
As we watch this acquisition come together, as well as other upcoming announcements that will make the GRC space even more competitive, here are a few questions to consider:
2010 is going to be an interesting year with economic concerns impacting the security business. I suspect that businesses will need to regroup and think about their security spend again next year. Companies will probably remain gun-shy and hold budgets close to their vests. This could set up a shootout between increasing security threats and the desire to continue to control costs. Who will win? Your thoughts?
Happy Holidays y'all and here's wishing you a Secure New Year!
Case in point, the SEC announced this week the approval of new rules that will, among other things, require companies to disclose the relationship between their compensation policies and risk management, as well as describe the board of directors’ role in risk oversight.
Understanding what compensation policies have a material impact on an organization’s risk and developing policies for board-level oversight of risk will require guidance from internal and/or external risk experts... good news for any risk experts who appreciate gainful employment. And of course, many additional regulations and SEC rules expected to come together early next year are also likely to continue this trend.
A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones.
The article has the catchy subtitle "$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected." It discusses how the insurgents are using the software to intercept the Drone's unencrypted video stream, "potentially providing them with information they need to evade or monitor U.S. military operations."
According to the article, the military has been aware that this type of attack was posssible for some time: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."
Let's hope that the Pentagon has learned what happens when you ass-u-me things...
As the debate continues between what’s best for businesses and consumers as we look for economic recovery, a few of the amendments expected to come to a vote today involve the creation of a new consumer financial protection agency, a Sarbanes Oxley exemption for small firms, and new power for the Government Accountability Office to audit the Federal Reserve.
While this debate is going on, the Organization for Economic Cooperation and Development released a framework last week to guide policymakers in the reform of international financial markets. According to the announcement, “Increasing transparency is key. The complexity and opaqueness of products made risk assessment difficult for firms and investors and hindered market transparency, a major cause of the crisis.”
The framework’s explanation of the financial landscape includes principles for 1) A definition of the financial system, 2) Transparency, and 3) Surveillance and analysis. Responsibilities for the collection and distribution of relevant data are described for government authorities, industry groups, and international organizations. These principles mirror the focus of other potential regulatory changes and will have a substantial impact in the way organizations document and track a wide range of business processes and transactions if they are carried out in legislation.
A couple of network televisions shows have lately caught my eye.Now I’m not a television critic but there were things in these shows that have security implications that warrant some attention.These episodes came just as I had finished some hacking training and provide an opportunity to share some interesting new tools and attack scenarios.
First, Alex Baldwin pimped Cisco’s TelePresence system on 30 Rock.In the episode “The Audition,” Baldwin’s character Jack has bedbugs and is forced to use TelePresence to attend a meeting.There is a very funny bit that takes product placement to a new tongue-in-cheek level:
TelePresence Screen: “Do you like the Cisco equipment?”
Jack:“Of course, it continues to be the gold-standard by which all business technology is judged.Cisco, The Human Network.”
It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”
But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.