<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: cow]]></title>
    <link>http://securityratty.com/tag/cow</link>
    <description></description>
    <pubDate>Tue, 04 Mar 2008 09:12:22 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[The Commercialization of Anti Debugging Tactics in Malware]]></title>
      <link>http://securityratty.com/article/91955d7bc08228b99c0f5fa478c039b5</link>
      <guid>http://securityratty.com/article/91955d7bc08228b99c0f5fa478c039b5</guid>
      <description><![CDATA[Commoditization or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://2.bp.blogspot.com/_wICHhTiQmrA/SN0BFks8GsI/AAAAAAAACMQ/J_vLiffz110/s1600-h/figure_multiple.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="128" src="http://2.bp.blogspot.com/_wICHhTiQmrA/SN0BFks8GsI/AAAAAAAACMQ/bz624nz5JbE/s200-R/figure_multiple.jpg" width="200" /></a><a href="http://ddanchev.blogspot.com/2008/09/commoditization-of-anti-debugging.html">Commoditization</a> or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to detection rates of the crypted binary offered by a trusted online scanner that is NOT distributing the samples to the vendors? These are just some of the questions malware authors often ask themselves, while others distribute pirated copies of Code Virtualizer urging everyone to start taking advantage of commercial anti-reverse engineering tools to make their malware harder to analyze. Once again, just like we've seen before, a legitimate commercial application can come in handy in the hands of the wrong people:<br />
<br />
"<i>Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs , OCXs , ActiveX controls, screen savers and device drivers).</i><br />
<br />
<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://4.bp.blogspot.com/_wICHhTiQmrA/SN0CPwG9MzI/AAAAAAAACMY/lB8WtKqycj4/s1600-h/cvprotopt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="149" src="http://4.bp.blogspot.com/_wICHhTiQmrA/SN0CPwG9MzI/AAAAAAAACMY/kgSYpWIHW2E/s200-R/cvprotopt.png" width="200" /></a><i>Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.</i><br />
<br />
<i>When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.</i>"<br />
<br />
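As an added illustration of the mechanism the vendor text describes (this is example code written for this page, not Code Virtualizer's real bytecode format and not anything from the original post): a toy protector that translates a small register-machine block into a per-build virtual opcode set and runs it on the matching interpreter. The register machine, opcode set, seeds and sample block are all constructed for the example.<br />

```c
/* Added illustration (not Code Virtualizer's real format): a toy VM-based
 * protector. A small register-machine block stands in for the "x86 block";
 * each build derives its own opcode encoding and byte key from a seed, so
 * the same source block yields different bytecode per build and an
 * interpreter built from another seed cannot run it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_MOV = 0, OP_ADD, OP_XOR, OP_SUB, OP_HALT, OP_COUNT };
#define NREGS 4

typedef struct { uint8_t op, dst, src; int32_t imm; } insn_t;   /* source insn */
typedef struct { uint8_t opmap[OP_COUNT]; uint8_t key; } vm_t;  /* per-build VM */

static uint32_t xorshift32(uint32_t *s) {   /* seed must be nonzero */
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Derive a unique VM: OP_COUNT distinct opcode byte values (partial
 * Fisher-Yates over 0..255) plus a mask key for operands. */
void vm_init(vm_t *vm, uint32_t seed) {
    uint8_t pool[256];
    for (int i = 0; i < 256; i++) pool[i] = (uint8_t)i;
    for (int i = 0; i < OP_COUNT; i++) {
        int j = i + (int)(xorshift32(&seed) % (uint32_t)(256 - i));
        uint8_t t = pool[i]; pool[i] = pool[j]; pool[j] = t;
        vm->opmap[i] = pool[i];
    }
    vm->key = (uint8_t)xorshift32(&seed);
}

/* "Virtualize": each insn becomes 7 bytes [vopcode, dst^key, src^key, imm^key x4 LE] */
size_t translate(const vm_t *vm, const insn_t *code, size_t n, uint8_t *out) {
    size_t p = 0;
    for (size_t i = 0; i < n; i++) {
        out[p++] = vm->opmap[code[i].op];
        out[p++] = code[i].dst ^ vm->key;
        out[p++] = code[i].src ^ vm->key;
        uint32_t m = (uint32_t)code[i].imm;
        for (int b = 0; b < 4; b++) out[p++] = (uint8_t)(m >> (8 * b)) ^ vm->key;
    }
    return p;
}

/* Interpreter: reverse-map the vopcode, unmask operands, execute.
 * Returns 0 on success, -1 if the bytecode does not belong to this VM. */
int run(const vm_t *vm, const uint8_t *bc, size_t len, int32_t regs[NREGS]) {
    for (size_t p = 0; p + 7 <= len; p += 7) {
        int op = -1;
        for (int i = 0; i < OP_COUNT; i++) if (vm->opmap[i] == bc[p]) { op = i; break; }
        uint8_t dst = bc[p + 1] ^ vm->key, src = bc[p + 2] ^ vm->key;
        if (op < 0 || dst >= NREGS || src >= NREGS) return -1;  /* foreign bytecode */
        uint32_t m = 0;
        for (int b = 0; b < 4; b++) m |= (uint32_t)(bc[p + 3 + b] ^ vm->key) << (8 * b);
        int32_t imm = (int32_t)m;
        switch (op) {
        case OP_MOV:  regs[dst] = imm;        break;
        case OP_ADD:  regs[dst] += regs[src]; break;
        case OP_XOR:  regs[dst] ^= regs[src]; break;
        case OP_SUB:  regs[dst] -= regs[src]; break;
        case OP_HALT: return 0;
        }
    }
    return 0;
}

/* Constructed sample block: r0 = 40; r1 = 2; r0 += r1; r1 ^= r1; halt  (r0 == 42) */
static const insn_t sample[] = {
    { OP_MOV, 0, 0, 40 }, { OP_MOV, 1, 0, 2 }, { OP_ADD, 0, 1, 0 },
    { OP_XOR, 1, 1, 0 }, { OP_HALT, 0, 0, 0 },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Protect the sample under `seed` and run it on the matching VM; bytecode is
 * left in `bc` (needs 7*SAMPLE_N bytes). Returns r0, or -1 on VM mismatch. */
int32_t protect_and_run(uint32_t seed, uint8_t *bc, size_t *len) {
    vm_t vm; int32_t regs[NREGS] = {0};
    vm_init(&vm, seed);
    *len = translate(&vm, sample, SAMPLE_N, bc);
    return run(&vm, bc, *len, regs) == 0 ? regs[0] : -1;
}

/* 1 if bytecode built for VM `a` runs cleanly on VM `b` and still gives 42 */
int foreign_vm_reproduces(uint32_t a, uint32_t b) {
    vm_t va, vb; uint8_t bc[7 * SAMPLE_N]; int32_t regs[NREGS] = {0};
    vm_init(&va, a); vm_init(&vb, b);
    size_t len = translate(&va, sample, SAMPLE_N, bc);
    return run(&vb, bc, len, regs) == 0 && regs[0] == 42;
}

int main(void) {
    uint8_t bc[7 * SAMPLE_N]; size_t len = 0;
    uint32_t seeds[2] = { 0x1234u, 0xBEEFu };
    for (int s = 0; s < 2; s++) {            /* same block, two builds */
        int32_t r0 = protect_and_run(seeds[s], bc, &len);
        printf("seed %08x r0=%d bytecode:", (unsigned)seeds[s], (int)r0);
        for (size_t i = 0; i < len; i++) printf(" %02x", bc[i]);
        printf("\n");
    }
    printf("build-1 bytecode reproduces on VM 2: %d\n", foreign_vm_reproduces(seeds[0], seeds[1]));
    return 0;
}
```

Building the same block under two seeds gives two byte sequences that share no opcode values, which is why a byte signature written against one protected sample does not match the next, and running the first build's bytecode on the second build's interpreter fails: an analyst has to recover each build's handler table and key rather than reuse a generic decoder, which is the work the quoted text is referring to. Real VM protectors go much further than this toy (several handlers per operation, junk handlers, and the interpreter itself obfuscated), but the per-build uniqueness is the core of the idea.<br />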
With the Cyber-as-a-Service business model becoming increasingly common, the entire <a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">quality assurance model in respect to malware</a> is slowly maturing from individual malware crypting propositions, where the seller of the service is basically taking advantage of a diverse set of public/private tools, into DIY web services offering crypting discounts on a volume basis, and perhaps most importantly, improving the customer's experience by letting him take advantage of both the inventory of crypting tools and the AV-bypass verification services. Within the tool inventory are naturally lots of (pirated) commercial anti-reverse engineering tools.<br />
<br />
As we've seen before, whenever someone starts commercializing what used to be a self-service process, others will either follow, or disintermediate their services by persistently releasing crypting tools for free in the wild. At the end of the day, it's all a matter of how serious they are about commercializing this market segment, and considering that a spamming vendor is offering malware crypting services "in between" the rest of the services in their portfolio, this underground cash cow is yet to prove itself in the long term.]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 12:55:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/machine">machine</category>
      <category domain="http://securityratty.com/tag/specific virtual machine">specific virtual machine</category>
      <category domain="http://securityratty.com/tag/internal virtual machine">internal virtual machine</category>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/sensitive code">sensitive code</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/unique virtual machine">unique virtual machine</category>
      <category domain="http://securityratty.com/tag/original code">original code</category>
      <category domain="http://securityratty.com/tag/code virtualizer">code virtualizer</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/406651187/commercialization-of-anti-debugging.html">The Commercialization of Anti Debugging Tactics in Malware</source>
    </item>
    <item>
      <title><![CDATA[(ISC)2s Newest Cash Cow: The CSSLP Certification]]></title>
      <link>http://securityratty.com/article/4d2aae6d17ac0d88114660137a62c55f</link>
      <guid>http://securityratty.com/article/4d2aae6d17ac0d88114660137a62c55f</guid>
      <description><![CDATA[Earlier this week, during the OWASP AppSec 2008 Conference , the people behind the ubiquitous CISSP certification announced their latest creation the Certified Software Security Lifecycle Professional...]]></description>
      <content:encoded><![CDATA[<p>Earlier this week, during the <a href="http://www.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference">OWASP AppSec 2008 Conference</a>, the people behind the ubiquitous CISSP certification announced their latest creation &#8212; the <a href="http://isc2.org/csslp">Certified Software Security Lifecycle Professional</a> (CSSLP).  In front of a captive audience waiting for a 42&#8243; plasma TV to be raffled, the <a href="http://blog.isc2.org/isc2_blog/tipton/index.html">Executive Director of (ISC)2</a> outlined this new certification designed to appeal to application security professionals.  To his credit, Mr. Tipton stated very clearly that the CSSLP is not intended to measure one&#8217;s technical skillset.  Unfortunately, it&#8217;s inevitable that employers will treat it as such.</p>
<p>You can read all the details on their website (except for the part about the certification not being a measure of practical skills).  From what I can tell, the CSSLP is just the CISSP with different CBKs, or Common Bodies of Knowledge.  As with the CISSP, they are going for broad knowledge, not depth.  Starting in June 2009, you can get certified by taking a paper exam, likely a multiple choice test similar to the CISSP.  Why June?  Because the test isn&#8217;t even written yet &#8212; I&#8217;ve heard from several sources that they are actively soliciting their existing pool of CISSPs to help write test questions.</p>
<p>Ah, but what if you can&#8217;t wait that long and want to get certified <i>right away</i>?  You&#8217;re in luck. If you act before March 31, 2009, you can get grandfathered in without even having to take the exam!  That&#8217;s right, they call it the <a href="https://www.isc2.org/cgi-bin/content.cgi?category=1691">CSSLP Experience Assessment</a>, and here are the requirements:</p>
<div style="float:right; margin-left: 15px"><a href="http://www.veracode.com/blog/wp-content/uploads/2008/09/101-hand_with_money.jpg"><img src="http://www.veracode.com/blog/wp-content/uploads/2008/09/101-hand_with_money-191x300.jpg" alt="" title="101-hand_with_money" width="191" height="300" class="alignright size-medium wp-image-372 photoborder" /></a></div>
<ul>
<li>Upload a resume showing three years of experience related to software security, or four years if you don&#8217;t have a college degree</li>
<li>Write short essays (500 words maximum) discussing four CBKs of your choice</li>
<li>Get a CISSP to vouch for you</li>
<li>Pay $650</li>
</ul>
<p>Let&#8217;s examine these requirements one at a time.</p>
<p><b>Three years of experience</b>.  (ISC)2 doesn&#8217;t provide any requirements on depth of experience, other than citing the broadly-defined CBKs.  Considering they are targeting everyone from software developers to security assessors to business analysts (yes, really), chances are they are going to accept any experience that is even tangential to the SDLC or software security.</p>
<p><b>Short essays on four of the CBKs</b>.  I asked the (ISC)2 exhibitors specifically what they are looking for to satisfy this requirement, and they said the essays should be a general discussion of the CBK topic, <i>optionally</i> citing your personal experience in that area if you have any.  This messaging is not quite aligned with the website guidance, which states that the essays should be &#8220;Accomplishment Records&#8221; which are self-reported descriptions of experience.  Either way, with a maximum essay length of 500 words, it&#8217;s pretty obvious that substance is not (ISC)2&#8217;s first priority.  Here&#8217;s one data point for you: I spoke to someone who has already submitted the CSSLP Experience Assessment, and he said it took about an hour to write the essays.</p>
<p><b>Get a CISSP to vouch for you</b>.  Actually this can be any (ISC)2 certified person, not just CISSPs.  Contrary to what you&#8217;d expect, though, the person isn&#8217;t vouching for your skillset so much as they are confirming that the attestations on your resume are accurate.</p>
<p><b>Pay $650</b>.  You knew it was coming.  After all, there is money to be made.  How is it that qualifying for the CSSLP through professional experience should cost $650?  If you&#8217;re taking the written exam, fair enough, (ISC)2 does incur the cost of administering and grading that exam (even though the <a href="http://www.scantron.com/datacollection/scanners.aspx">Scantron machine</a> is probably paid off by now).  But $650 for the submitted-online Experience Assessment?  If we assume that the person reading these essay submissions makes a rather generous $100k per year, then $650 accounts for roughly a day and a half.  Will it really take that long to read a <i>maximum</i> of 2,000 words and pass judgment?  Of course not.  (ISC)2 wants to get as many people as possible to qualify based on &#8220;experience&#8221;, seeding the initial pool of CSSLPs and netting them $650 per head for doing next to nothing.</p>
<p>As <a href="http://www.ljkushner.com/about_mstr.html">Lee Kushner</a> stated during his OWASP AppSec presentation (<i>7 Habits of Highly Effective Career Managers</i>), &#8220;the more people who own a cert, the less relevant it becomes.&#8221;  Irrelevant &#8212; that&#8217;s exactly what the CISSP has become, and it&#8217;s exactly where the CSSLP is headed.  Meanwhile, (ISC)2 will sit back and watch while you and your employers continue to fill their coffers.</p>
<p>In closing, let me acknowledge that this blog entry probably comes across as judgmental.  I accept that.  I&#8217;m not ranting against the idea of certifications, though admittedly <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/">I&#8217;m not a fan of them either</a>.  I am disappointed that (ISC)2, an organization with tremendous influence, could have created something more meaningful but chose not to. Why bother when people will just fork over the cash anyway?</p>
]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 11:08:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/csslp">csslp</category>
      <category domain="http://securityratty.com/tag/csslp experience assessment">csslp experience assessment</category>
      <category domain="http://securityratty.com/tag/experience assessment">experience assessment</category>
      <category domain="http://securityratty.com/tag/certification">certification</category>
      <category domain="http://securityratty.com/tag/experience">experience</category>
      <category domain="http://securityratty.com/tag/isc">isc</category>
      <category domain="http://securityratty.com/tag/personal experience">personal experience</category>
      <category domain="http://securityratty.com/tag/ubiquitous cissp certification">ubiquitous cissp certification</category>
      <category domain="http://securityratty.com/tag/cissp">cissp</category>
      <source url="http://www.veracode.com/blog/2008/09/isc2s-newest-cash-cow-csslp/">(ISC)2s Newest Cash Cow: The CSSLP Certification</source>
    </item>
    <item>
      <title><![CDATA[Follow the Yellow Brick Road]]></title>
      <link>http://securityratty.com/article/887593779bb99c69b570648c6cdcc8d6</link>
      <guid>http://securityratty.com/article/887593779bb99c69b570648c6cdcc8d6</guid>
      <description><![CDATA[Marc Adler follows on from Muddy Waters to The First Annual Fluffies for CEP where Marc also calls into question the transparency, credibility and accuracy of the various fluffy awards we see from...]]></description>
      <content:encoded><![CDATA[<p>Marc Adler follows on from <a title="Muddy Waters" rel="bookmark" href="http://www.thecepblog.com/2008/07/16/muddy-waters/"><span style="color: #105cb6;">Muddy Waters</span></a> to <a href="http://magmasystems.blogspot.com/2008/07/first-annual-fluffies-for-cep.html" target="_blank">The First Annual Fluffies for CEP</a> where Marc also calls into question the transparency, credibility and accuracy of the various fluffy &#8220;awards&#8221; we see from time-to-time.</p>
<p>When I discussed this openly with Waters in <a title="Muddy Waters" rel="bookmark" href="http://www.thecepblog.com/2008/07/16/muddy-waters/"><span style="color: #105cb6;">Muddy Waters</span></a> comments they kindly replied that &#8220;customers are loath to be a reference client for a vendor,&#8221; as if this fact somehow justifies having 600 people, most of whom have never actually used the software in practice, vote on how great it is.</p>
<blockquote><p><em>Follow the Yellow Brick Road.</em></p></blockquote>
<p>Or, as Marc Adler pointed out in his well-written blog post <a href="http://magmasystems.blogspot.com/2008/07/first-annual-fluffies-for-cep.html" target="_blank">The First Annual Fluffies for CEP</a>, a secretive &#8220;panel of renowned judge&#8221; is going to tell us, via Jolt, who has the better solution? Holy Cow, Batman! Let me buy a nice layout in your magazine or web site, please, so &#8220;my software company&#8221; will be on the short list for &#8220;the awards&#8221;.</p>
<blockquote><p><em>Follow the Yellow Brick Road.</em></p></blockquote>
<p>All this smoke-and-mirrors, share-the-love marketing reminds me a bit of The Matrix, where the world as we observe it is a complete artificial construction, and most people in the Matrix believe they are &#8220;real&#8221; because they do not know that they are really just a computer-generated program designed to keep humans happy as they sleep in some cold goop with electrodes stuck up their you-know-what, really just bio-batteries ensuring the light bill is paid.</p>
<blockquote><p><em>Follow the Yellow Brick Road.</em></p></blockquote>
<p>Or better yet, these fluffies are similar to most of the webinars we see where there are questions from &#8220;the audience&#8221;, but we know that most of these questions did not come from the &#8220;audience&#8221;; yet we all seem to continue &#8220;the audience&#8221; myth just like Santa Claus and the Easter Bunny!</p>
<blockquote><p><em>Follow the Yellow Brick Road.</em></p></blockquote>
<p>The Easter Bunny, Santa Claus, the Tooth Fairy and the Fluffy Awards are real, if you want them to be real.  Just close your eyes and click your heels three times&#8230;.</p>
<blockquote><p>Follow the Yellow Brick Road. Follow the Yellow Brick Road.<br />
Follow, follow, follow, follow,<br />
Follow the Yellow Brick Road.<br />
Follow the Yellow Brick, Follow the Yellow Brick,<br />
Follow the Yellow Brick Road.</p></blockquote>
<blockquote><p>We&#8217;re off to see the Wizard, The Wonderful Wizard of Oz.<br />
You&#8217;ll find he is a whiz of a Wiz! If ever a Wiz! there was.<br />
If ever oh ever a Wiz! there was The Wizard of Oz is one because,<br />
Because, because, because, because, because.<br />
Because of the wonderful things he does.<br />
We&#8217;re off to see the Wizard. The Wonderful Wizard of Oz</p></blockquote>
]]></content:encoded>
      <pubDate>Sat, 19 Jul 2008 15:57:20 +0000</pubDate>
      <category domain="http://securityratty.com/tag/yellow brick">yellow brick</category>
      <category domain="http://securityratty.com/tag/yellow brick road">yellow brick road</category>
      <category domain="http://securityratty.com/tag/follow">follow</category>
      <category domain="http://securityratty.com/tag/wonderful wizard">wonderful wizard</category>
      <category domain="http://securityratty.com/tag/wizard">wizard</category>
      <category domain="http://securityratty.com/tag/awards">awards</category>
      <category domain="http://securityratty.com/tag/fluffy awards">fluffy awards</category>
      <category domain="http://securityratty.com/tag/wonderful">wonderful</category>
      <category domain="http://securityratty.com/tag/audience">audience</category>
      <source url="http://www.thecepblog.com/2008/07/19/follow-the-yellow-brick-road/">Follow the Yellow Brick Road</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: Weekend-Fi in NYC, Oakland County Halts, Helio Sold to Virgin]]></title>
      <link>http://securityratty.com/article/f7875a955754aa3098400ceb3d84b7a3</link>
      <guid>http://securityratty.com/article/f7875a955754aa3098400ceb3d84b7a3</guid>
      <description><![CDATA[The New York Times takes guided Wi-Fi tour: An interesting article by Seth Kugel avoids the usual, &quot;here's where you find Wi-Fi approach.&quot; Rather, he tours the city, pairing Wi-Fi with historical and...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://travel.nytimes.com/2008/06/29/travel/29weekend.html?ref=travel"><strong>The New York Times takes guided Wi-Fi tour:</strong></a> An interesting article by Seth Kugel avoids the usual, "here's where you find Wi-Fi approach." Rather, he tours the city, pairing Wi-Fi with historical and political details you can find around you. Kugel, like our faithful correspondent Klaus Ernst, has found that CBS MobileZone is a no-show. The advertising group told him that they were improving the signal. I love the idea of super-local information, too. With Google Maps, Google Earth, Flickr, Dopplr, and other services, you can pair your current location with what's happening right around you in the past or right now.</p>

<p><a href="http://detnews.com/apps/pbcs.dll/article?AID=/20080627/METRO/806270373"><strong>Oakland County, Mich., project officially "on hold":</strong></a> For "on hold," read, "never going to be built." The pilot area in seven communities has been turned off, and MichTel has been unable to obtain the $70-odd million the project needed to build out the county-wide service. The state's ongoing reliance on the automotive industry makes it a hard sell to commit public dollars in advance of a return on those dollars, too.</p>

<p><a href="http://www.nytimes.com/aponline/business/AP-Virgin-Mobile-Helio.html?_r=1&partner=rssuserland&emc=rss&oref=slogin"><strong>Virgin Mobile buys Helio:</strong></a> The last vestiges of EarthLink's three-pronged approach to fighting the wireline monopoly appear to be at an end. EarthLink pushed its 50-50 partnership with SK Telecom in mobile virtual network operator (MVNO) Helio as one prong; its municipal Wi-Fi division as another; and its DSL business as a third. The muni division is nearly out of operation, and DSL lines continue to fall in quantity quarter over quarter. Dial-up is still their cash cow. Helio lost hundreds of millions to obtain just 170,000 subscribers (that number down from 200,000 at the start of 2008). EarthLink will receive a pittance for its investment, part of the $39 million in stock that Virgin will pay for Helio; SK Telecom will invest in Virgin Mobile to obtain a total 17 percent stake. Virgin itself makes just a very tiny sliver of profit. MVNOs buy minutes and data from carriers, and Virgin Mobile involves Sprint as a partner, making it the only tolerably successful MVNO.</p>]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 06:33:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/helio">helio</category>
      <category domain="http://securityratty.com/tag/wi-fi approach">wi-fi approach</category>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/virgin">virgin</category>
      <category domain="http://securityratty.com/tag/municipal wi-fi division">municipal wi-fi division</category>
      <category domain="http://securityratty.com/tag/helio lost hundreds">helio lost hundreds</category>
      <category domain="http://securityratty.com/tag/dollars">dollars</category>
      <category domain="http://securityratty.com/tag/oakland county">oakland county</category>
      <category domain="http://securityratty.com/tag/mvno">mvno</category>
      <source url="http://wifinetnews.com/archives/008381.html">Wee-Fi: Weekend-Fi in NYC, Oakland County Halts, Helio Sold to Virgin</source>
    </item>
    <item>
      <title><![CDATA[Kiva Update]]></title>
      <link>http://securityratty.com/article/9fe215dc7f83ee7b69b4dc84ee4d4b56</link>
      <guid>http://securityratty.com/article/9fe215dc7f83ee7b69b4dc84ee4d4b56</guid>
      <description><![CDATA[About a year ago, we signed up for Kiva , which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed a $1,000 for a cow, seeds, and a...]]></description>
      <content:encoded><![CDATA[<p><a href="http://1raindrop.typepad.com/.a/6a00d83451c75869e200e5535a45818833-pi" style="float: left;"><img  alt="50817" class="at-xid-6a00d83451c75869e200e5535a45818833 selected " src="http://1raindrop.typepad.com/.a/6a00d83451c75869e200e5535a45818833-120pi" style="margin: 0px 5px 5px 0px;" title="50817"></a><span style="color: #0000ff; text-decoration: underline;"><br></span>
</p><p>
About a year ago, we signed up for <a href="http://www.kiva.org/app.php?page=home">Kiva</a>, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed $1,000 for a cow, seeds, and a motorcycle for her farm. 
</p><blockquote><p>
Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.
</p></blockquote><p>
The loan had an 18-month payback period, and just a couple of weeks ago (about 10 months after taking out the loan) she paid the loan in full.</p><p></p><p>

Kiva is focused on serving the working poor:

</p><blockquote><p>
Kiva's mission is to connect people through lending for the sake of alleviating poverty. 
</p><p>Kiva is the world's first person-to-person micro-lending website, empowering individuals to lend directly to unique entrepreneurs in the developing world.

The people you see on Kiva's site are real individuals in need of funding - not marketing material. </p><p>When you browse entrepreneurs' profiles on the site, choose someone to lend to, and then make a loan, you are helping a real person make great strides towards economic independence and improve life for themselves, their family, and their community. Throughout the course of the loan (usually 6-12 months), you can receive email journal updates and track repayments. Then, when you get your loan money back, you can relend to someone else in need.
</p></blockquote><p>

I really like the pay-it-forward part at the end: the lender can elect to take the money out of Kiva's system or loan it out again, so in effect the last business is putting capital back into the system to help the next entrepreneur. Additionally, big props to Paypal, which supports Kiva by acting as a transaction processor and waiving fees. 

What's all this mean? As <a href="http://www.thomaspmbarnett.com/weblog/2007/07/get_your_own_foreign_policy.html">Tom Barnett</a> says:

</p><blockquote>
<p><strong>everyone who wants to make a difference should just go ahead and get their own foreign policy and stop waiting on change from above.</strong>
</p></blockquote><p>

I added the bold, because the bottom-up tools that Kiva, Paypal and the Web give us are really unique, and really powerful: through microloans they enable entrepreneurs who we may never meet, in countries we may never go to, to be successful.

]]></content:encoded>
      <pubDate>Tue, 17 Jun 2008 05:21:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/kiva">kiva</category>
      <category domain="http://securityratty.com/tag/money">money</category>
      <category domain="http://securityratty.com/tag/loan money">loan money</category>
      <category domain="http://securityratty.com/tag/supports kiva">supports kiva</category>
      <category domain="http://securityratty.com/tag/loan">loan</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/sith saron">sith saron</category>
      <category domain="http://securityratty.com/tag/connect people">connect people</category>
      <category domain="http://securityratty.com/tag/unique">unique</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/06/kiva-update.html">Kiva Update</source>
    </item>
    <item>
      <title><![CDATA[Web 2.0 Security - The Beginning of the End or The End of the Beginning]]></title>
      <link>http://securityratty.com/article/5cb1f1f464f473471419a8f3b07fe126</link>
      <guid>http://securityratty.com/article/5cb1f1f464f473471419a8f3b07fe126</guid>
      <description><![CDATA[Given past performance of software security, its hard to be optimistic where things are going wrt Web 2.0 security. Granted when Web 1.0 was built out did not have the ability to use static analysis...]]></description>
      <content:encoded><![CDATA[Given the past performance of software security, it's hard to be optimistic about where things are going wrt Web 2.0 security. Granted, when Web 1.0 was built out we did not have the ability to use static analysis to find vulnerabilities, we didn't have good identity standards, and so on. So are we at a new beginning where new tools and mechanisms will save our bacon? Or will Web 2.0 herald some new 21st-century <a href="http://en.wikipedia.org/wiki/Catherine_O'Leary">O'Leary cow</a> that burns it all to the ground?<p>

Again, if we take developer innovation as a given, we can see that information security has a decade's worth of innovation to catch up on; it's very hard to argue that infosec will just latch on to Web 2.0 and actually solve this problem when it <a href="http://1raindrop.typepad.com/1_raindrop/2008/05/security-evolut.html">has not addressed any of the new innovations</a> of the last decade or so. 
</p><p>
<a href="http://1raindrop.typepad.com/photos/uncategorized/2008/05/19/innovatecompare_2.png"><img  alt="Innovatecompare_2" border="0" height="167" src="http://1raindrop.typepad.com/1_raindrop/images/2008/05/19/innovatecompare_2.png" title="Innovatecompare_2" width="300"></a></p>
<p>
Andy Steingruebl went to a Web 2.0 security conference and <a href="http://securityretentive.blogspot.com/2008/05/notes-from-ieee-web-20-security-and.html">took notes</a> on the ideas and presentations. If you are in infosec and/or developing Web 2.0 apps (that is to say, if you are reading this blog), I recommend you <a href="http://securityretentive.blogspot.com/2008/05/notes-from-ieee-web-20-security-and.html">read it</a> and chase the links to get an idea of what is viable or not.

Now, to thoroughly depress/inspire you further, let me share Andy's conclusions from listening to this state-of-the-state on Web 2.0 security:

</p><blockquote>
We haven't come close to solving the security problems in a Web-1.0 world
</blockquote>
So this leaves two possible choices: 1) redo Web 1.0 security, or 2) leave that bridge burning and try to fix the latest. Unfortunately people are instead choosing option 3: use the same thing that didn't work in Web 1.0 and try to protect Web 2.0 with it.
<blockquote>
We don't know what the security policies really ought to look like for the web, consequently we don't know what the architecture and implementation look like either.
</blockquote>
We do know it should come from a security architecture and design, not from an auditor's spreadsheet, though.
<blockquote>

Browsers are lacking fundamental architecture and policy around security.
</blockquote>
And everything, including administrative functions, runs in a browser these days.
<blockquote>
Web-2.0 only makes things worse
</blockquote>

The OWASP guide, last I checked, is over 300 pages long. When I train and consult with developers, I always ask how many are familiar with OWASP. Less than 20% are, in my experience, and of those most only know the OWASP Top Ten. If you have not read the guide and understood the concepts, it is really hard for me to see how your app is going to have anything more than a cardboard-walls level of security. Sadly, a lot of developers think that software security is a solved problem, <a href="http://1raindrop.typepad.com/1_raindrop/2008/05/truly-dangerous.html">Tim Bray</a>(*):

<blockquote>
Of course some of these get into very sensitive security issues; but actually we’re getting pretty good at providing information on the Web in a secure way.
</blockquote>

This type of misconception leads to the worst-case scenario where you actually build apps with sensitive data and functionality, link 'em all up through mashups, REST and whatever, and do all of this without realizing that a root-and-branch reform is necessary in your web application security model.
 
How'd we get here? Broken processes? Business too demanding? No security support in programming languages? Sure, they all play a role, but it's not the main problem. Allow me to invoke the great <a href="http://www.geraldmweinberg.com/Site/Home.html">Gerald Weinberg</a>: 

<blockquote>
No matter how it looks at first, it's always a people problem.
</blockquote>

In our case, it's quite simple: the security people don't know enough about software development and developers don't know enough about security. 

So you can look at the innovation table and see how far software technologies have advanced and how security technologies have not kept pace, and that is an admittedly terrifying thought; but what's most scary to me is to think about the generation of <strong>people</strong> that are left behind at each technical evolution, working on trivial or low-priority issues. <div><br><div>One of the reasons I teach <a href="http://arctecgroup.net/training.htm">software security training</a> is to combat this, but in a company with thousands of developers I still may only get to teach 50 or 100. Many times when I teach we have the security people, developers, and architects in the same class; usually they all know each other, but they don't <em>work</em> together, and a lot of the value in the class is them sitting together for a couple of days, finding some common ground, identifying some things each other are working on and then figuring out ways to make some joint progress. This is why I like teaching the class at a company more than as a public class: when I am on site at a company they all have to work together. 
</div><br><div>So while we go through a ton of cool things in class like threat modeling, SAML, federation, static analysis, WS-Security and so on, the coolest thing is just facilitating interaction and in some small way helping to define some ways the groups can collaborate on tools, practices, and security architecture going forward.</div><br><div>When it works it's really great, and sometimes we even get to flip around my earlier statement: architects, software developers and security people work together as a software security team, and the software security team finds vulnerabilities we didn't even know about, leverages security capabilities we didn't even know they had, and deploys security services that protect the enterprise assets.

Putting aside Web 2.0 as a technology, hopefully Web 2.0 <strong>people</strong> means that software developers are software security people and security people are software security people. On that basis Web 2.0 may actually get an answer to Andy's concerns; without that, Web 2.0 will remain DOA on security until Web 3.0. 
</div><div><br><div>* Note: I pick on Tim Bray not because he is an idiot, quite the opposite; it's because I have higher expectations and expect more regard for security out of that community. I fondly recall the days when open source took security more seriously than Microsoft.</div></div></div>]]></content:encoded>
      <pubDate>Thu, 29 May 2008 11:26:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/software security people">software security people</category>
      <category domain="http://securityratty.com/tag/software security">software security</category>
      <category domain="http://securityratty.com/tag/software security team">software security team</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security people">security people</category>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/security support">security support</category>
      <category domain="http://securityratty.com/tag/architecture">architecture</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/05/web-20-security---the-beginning-of-the-end-or-the-end-of-the-beginning.html">Web 2.0 Security - The Beginning of the End or The End of the Beginning</source>
    </item>
    <item>
      <title><![CDATA[RSA Day 2: Wednesday with JJ & the Engima]]></title>
      <link>http://securityratty.com/article/3b6a2b76bdadf65037a7c7a51ded2473</link>
      <guid>http://securityratty.com/article/3b6a2b76bdadf65037a7c7a51ded2473</guid>
      <description><![CDATA[RSA Conference, San Francisco
Day 2: Wednesday, April 9th
I know, I know- its late- but better late than never, right
I really tried my best to take photos as much as possible. A quick note on the...]]></description>
      <content:encoded><![CDATA[<p><strong>RSA Conference, San Francisco<br />Day 2: Wednesday, April 9th</strong></p><p>I know, I know- it&#8217;s late- but better late than never, right?</p><p>I really tried my best to take photos as much as possible.&nbsp;A quick note on the photography- because of the size of the rooms, it didn&#8217;t make sense to have the flash on; unfortunately it slowed the shutter speed, making some images blurry (sorry). </p><p>So Day 2 already felt like day 5 somehow. I had flown in early to be a tourist for a day or so but caught up with partners and other event-goers early, making it an especially long week. Wednesday was an eventful day. I have a great&nbsp; <strong>Sins of Our Fathers</strong> session to share with you, a day with the <strong>Enigmas</strong>, and the <strong>Security Bloggers Party</strong>. </p><p><strong>The highlight of the day&#8217;s sessions had to be the</strong> <strong>&#8216;Sins of Our Fathers&#8217;</strong> breakout with an amazingly hilarious geek-filled panel including <a class="offsite-link-inline" href="http://www.linkedin.com/in/danhouser" target="_blank">Daniel Houser</a>, <a class="offsite-link-inline" href="http://www.cryptography.com/company/Benjamin-Jun.html" target="_blank">Ben Jun </a>and <a class="offsite-link-inline" href="http://www.linkedin.com/pub/2/1bb/3b5" target="_blank">Hugh Thompson</a>. (Hugh unquestionably won the <em>Most Entertaining Geek Award</em> for the day). I was <a class="offsite-link-inline" href="http://tweetscan.com/index.php?s=SoOF&u=jjx&p=0" target="_blank">tweeting live</a> from the session and took some photos of the interactive polls they intertwined in the discussion. They drew some interesting correlations between current security issues, such as SQL injections, and &#8216;previous sins&#8217;, likening it to&nbsp;phone whistling. There were random notes about the&nbsp;inherent security risk of&nbsp;mixing data and coding together. 
<a class="offsite-link-inline" href="http://www.flickr.com/photos/42618430@N00/tags/soof/" target="_blank">View photos from session.</a></p><p><span class="full-image-float-right"><img style="width: 256px; height: 192px" alt="DSC01791.JPG" src="http://www.securityuncorked.com/storage/DSC01791.JPG?__SQUARESPACE_CACHEVERSION=1208144360449" /></span>Then they talked about using good technology in a way that made it vulnerable. One example: the Enigma code machines from WWII. (It was&nbsp;actually broken by the known plain-text gathered from repetition in contact initiation, and the mis-use of one-time-pads). They drew the line from Enigma to WEP and other algorithms that were okay, but mis-implemented. </p><p>There were a variety of other anecdotes, accompanied by audience-wide snickers, snorts and laughter. One story of tape backups, encrypted, with the key dutifully stick-noted to the case. Another of the secretary who type-writered all the 5.25&#8221; floppies. The story of the unmanned Predator aircraft flying unattended for about 5 minutes during a PC reboot. They were all tied into the topic nicely, and the guys did an outstanding job interacting and playing off one another. </p><p>On a more serious note- well, sorta- Hugh showed a clip from his participation in the documentary &#8220;<a class="offsite-link-inline" href="http://www.hbo.com/docs/programs/hackingdemocracy/" target="_blank">Hacking Democracy&#8221;</a> about the lack of security of electronic voting. </p><blockquote><p>Here was&nbsp;something amusing&#8230; Their crypto&nbsp;list of <br /><strong>If you hear&nbsp;any of these, RUN!</strong></p><ol><li><div>Cryptography is expensive. 
</div></li><li><div>We have this guy that&#8217;s reallllly smart&#8230;</div></li><li><div>Wired EQUIVALENT encryption&#8230; .&nbsp;</div></li><li><div>It&#8217;s &#8220;proprietary&#8221; security</div></li><li><div>It&#8217;s revolutionary NEW cryptography technology!</div></li><li><div>It uses DES- so its FIPS 140 compliant&nbsp;</div></li></ol></blockquote><blockquote><p><strong>Some of the sins from the session&#8230;</strong></p><ul><li><div>Engineering, Development &amp; Management sins </div></li><li><div>Using a good technology in a bad implementation</div></li><li><div>Lack of metrics to indicate misuse</div></li><li><div>Feature/mission creep - using item A for solution B</div></li><li><div>Not teaching people how to use security</div></li><li><div>Teaching them, but teaching bad habits </div></li><li><div>Normalization of deviancy </div></li></ul></blockquote><p>I&#8217;ve spent long enough on that, there&#8217;s plenty more to share, but that session was so good, I thought it deserved some special attention. I did stay for the <strong>Cyber Storm II</strong> Panel, but that left more than <em>&#8216;a little&#8217;</em> to be desired. I would have liked more anecdotal stories and a little more personality. The panel participants were knowledgeable, and I&#8217;m sure they were doing what they had been told, but it made for a very dry session, little content of interest, and much repetition. There&#8217;s a little <a class="offsite-link-inline" href="http://tweetscan.com/index.php?s=CSII&u=jjx" target="_blank">live Tweeting </a>from that session too. 
</p><p>&nbsp;</p><p><strong>Playing with the Enigma<span class="full-image-float-right"><img style="width: 256px; height: 192px" alt="DSC01797.JPG" src="http://www.securityuncorked.com/storage/DSC01797.JPG?__SQUARESPACE_CACHEVERSION=1208144122189" /></span></strong><br />At the Sins of Our Fathers session, I believe it was Ben that mentioned we had at our disposal not one- but TWO Enigma machines on the expo floor here at RSA. And BOTH were for our playing! They had it set so we could set the key and encode a message at the NSA booth, then take the encrypted message to the Cryptography Research booth and use that Enigma to decipher the message. <em>HOLY COW!!!!!!</em> If their session hadn&#8217;t been so great I would have left right then. The only time I&#8217;ve seen these beautiful little pieces of crypto history, they&#8217;ve been fully encased in glass, and not for the touching. They actually let you set the rotors and punch the code in yourself, so my buddy Eric and I ran right over to take full geek advantage of the situation.&nbsp;</p><p>YES, that&#8217;s me with an Enigma, and I have <a class="offsite-link-inline" href="http://www.flickr.com/photos/42618430@N00/tags/enigma/" target="_blank">more photos </a>of the two Enigmas.</p><p>&nbsp;</p><p><strong>The big highlight of the evening? The Security Bloggers Party</strong> of course! You get a whole post just for this topic, so stay tuned for that. I didn&#8217;t take photos here, because I felt pretty sure someone would be walking around with a camera. I need to find @ajolly (Apneet Jolly) and see if he has any- he&#8217;s usually fully equipped with a very nice camera&#8230; </p><p># # #</p>
]]></content:encoded>
      <pubDate>Sun, 13 Apr 2008 21:35:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/inherent security risk">inherent security risk</category>
      <category domain="http://securityratty.com/tag/day">day</category>
      <category domain="http://securityratty.com/tag/security bloggers party">security bloggers party</category>
      <category domain="http://securityratty.com/tag/dry session">dry session</category>
      <category domain="http://securityratty.com/tag/session">session</category>
      <category domain="http://securityratty.com/tag/enigma">enigma</category>
      <category domain="http://securityratty.com/tag/enigma machines">enigma machines</category>
      <category domain="http://securityratty.com/tag/fathers session">fathers session</category>
      <source url="http://www.securityuncorked.com/security-uncorked/2008/4/14/rsa-day-2-wednesday-with-jj-the-engima.html">RSA Day 2: Wednesday with JJ &amp; the Engima</source>
    </item>
    <item>
      <title><![CDATA[Personal member information on The Dental Network website]]></title>
      <link>http://securityratty.com/article/9fe0577ecdadd7a253abe2fc2c5d1c67</link>
      <guid>http://securityratty.com/article/9fe0577ecdadd7a253abe2fc2c5d1c67</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/10/08

Organization
The Dental Network (TDN

Contractor/Consultant/Branch
None

Victims
Members

Number Affected
Unknown

Types of Data
Names, Social...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/tdn.jpg" align="right" height="38" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>3/10/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.thedentalnet.org/">The Dental Network (TDN)</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Members<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, Social Security numbers, addresses and dates of birth<br><br><span style="font-weight: bold;">Breach Description:</span><br>"On February 20, 2008, The Dental Network (TDN) learned that, for a limited period of time, access to member data on its website was left unprotected from outside exposure.&nbsp; This data included personal information that included name, Social Security number, address(es) and date of birth."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/identity_safeguards.pdf">The New Hampshire Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>This letter is to inform you of a privacy incident affecting residents of your state. 
We have been hired by The Dental Network to notify and provide identity theft protection to the population of persons whose personal information was compromised as the result of a recent security breach that occurred on The Dental Network's public website.<br><span style="font-style: italic;">[Evan] The letter is written by Identity Safeguards, not TDN.</span><br><br>On February 20, 2008, The Dental Network (TDN) learned that, for a limited period of time, access to member data on its website was left unprotected from outside exposure. This data included personal information that included name, Social Security number, address(es) and date of birth.<br><br>Identity Safeguards and The Dental Network wanted to inform you of this privacy incident and make you aware that The Dental Network has secured robust protection for those who were affected. In addition to making sure that The Dental Network properly notified those whose information was compromised, our company is also providing a one-year membership in our identity theft protection and restoration program. The service includes 12 months of credit monitoring, as well as fraud restoration services and a $30,000 insurance reimbursement component should anyone experience ID theft as a result of this incident. This membership is paid for entirely by The Dental Network.<br><span style="font-style: italic;">[Evan] It's good to see that The Dental Network has notified the affected individuals (which they are probably obligated to by law) and arranged for some protection, but is this an Identity Safeguards brochure or is this a breach notification?</span><br><br>Our company has been providing identity theft services to individuals and organizations since 2003.&nbsp; We have been a leader in the industry since then, and we also recently received a blanket purchase agreement from the General Services Administration (GSA), to provide independent risk analysis to state or federal agencies in the event of a data breach. 
We have serviced over 100 data breaches and millions of victims in this time.<br><span style="font-style: italic;">[Evan] Holy cow!&nbsp; This is a sales brochure.&nbsp; How "independent" is it really, when the company providing the risk analysis of a breach also markets and sells additional protection services?</span><br><br>Please be assured that your data is now secure and that a careful and thorough investigation into the potential risk to members has been our top priority since this was first discovered. TDN understands the value of your personal information and the potential risk that such a breach presents<br><span style="font-style: italic;">[Evan] How can one secure confidential information that has been disclosed?&nbsp; Can you "undisclose" it?</span><br><br>Has my personal information been stolen or compromised?<br>At this time, we have no evidence that anyone has used the personal information that was maintained on our website. You are only being notified because, for approximately two weeks, your personal data was accessible to the public. 
While such exposure does not necessarily mean that your personal information was taken, any risk -regardless of how slight -should be taken seriously.<br><span style="font-style: italic;">[Evan]&nbsp; Has the information been stolen?&nbsp; I would guess probably not.&nbsp; Has the information been compromised?&nbsp; Yes.&nbsp; In this case, if the confidentiality of information cannot be reasonably assured, then I consider the information "compromised".&nbsp; Risk is very difficult to judge in this case due to lack of available information.</span><br><br>Has TDN resolved the issue that allowed this breach to occur?<br>Yes, upon learning of the breach, the TDN website was taken offline immediately.&nbsp; The data is now secure, and the issues leading to this breach have been corrected.<br><span style="font-style: italic;">[Evan] What were the issues that led to this breach?&nbsp; Why was personally identifiable information, and especially Social Security numbers, available on the website to begin with?<br></span><br>We have set up a dedicated website - <a href="http://ids.thedentalnet.org/">ids.thedentalnet.org/</a> - that offers a one-stop site that features answers to questions you may have<br><br><span style="font-weight: bold;">Commentary:</span><br>This is the first time I can recall (in recent memory) that a contractor (Identity Safeguards) issued the breach notification completely, on behalf of the organization that experienced the breach.&nbsp; If I were a victim, I don't know how this would make me feel.&nbsp; Identity Safeguards wasn't responsible for the breach, The Dental Network was.&nbsp; Maybe I would rather hear from them, it's hard to say.&nbsp; I was also a little disappointed by the Identity Safeguards sales pitch.<br><br>After reading the breach notification and letter to affected individuals, I am left with more questions than answers.&nbsp; The personally identifiable information belongs to the person, not the organization.&nbsp; This 
being said, I hope affected persons are getting all of the answers they should demand. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 20 Mar 2008 09:05:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/breach notification completely">breach notification completely</category>
      <category domain="http://securityratty.com/tag/dental network">dental network</category>
      <category domain="http://securityratty.com/tag/data breach">data breach</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/website">website</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <source url="http://breachblog.com/2008/03/20/tdn.aspx">Personal member information on The Dental Network website</source>
    </item>
    <item>
      <title><![CDATA[Visa and Mastercard warn of breach at "major retailer"]]></title>
      <link>http://securityratty.com/article/5c269d25b7779cbedb25695fe68fb0be</link>
      <guid>http://securityratty.com/article/5c269d25b7779cbedb25695fe68fb0be</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/17/08

Organization
unnamed &quot;major retailer

Update pending as details become available

Contractor/Consultant/Branch
Unknown

Victims
consumers in...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/mba.jpg" align="right" height="36" width="203"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>3/17/08<br><br><span style="font-weight: bold;">Organization: </span><br>unnamed "major retailer"*<br><br><font size="1">*Update pending as details become available</font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Unknown<br><br><span style="font-weight: bold;">Victims:</span><br>"consumers in Massachusetts and northern New England states"<br><br><span style="font-weight: bold;">Number Affected:</span><br>"MBA estimates that hundreds of thousands"**<br><br><font size="1">**MBA is the <a href="http://www.massbankers.com">Massachusetts Bankers Association</a> which represents approximately 200 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.</font><br><br><span style="font-weight: bold;">Types of Data:</span><br>Credit card information<br><br><span style="font-weight: bold;">Breach Description:</span><br>"BOSTON, March 17, 2008 – The Massachusetts Bankers Association (MBA) said today that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as “a major retailer.”"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="https://www.massbankers.org/pdfs/DataBreachNR.pdf">Massachusetts Bankers Association press release</a> <br><a href="http://money.cnn.com/2008/03/17/news/companies/Retail_breach.ap/index.htm?section=money_latest">CNN Money</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Massachusetts Bankers Association<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>MASSACHUSETTS BANKERS ASSOCIATION ALERTS CONSUMERS ABOUT ANOTHER RETAIL DATA BREACH<br><br>BOSTON, March 17, 2008 – The Massachusetts 
Bankers Association (MBA) said today that Visa and MasterCard have contacted 60 to 70 banks in Massachusetts about a large data breach occurring at what the card companies characterized as “a major retailer.”<br><span style="font-style: italic;">[Evan] Who the "major retailer" is could be anyone's guess.</span><br><br>The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and it is urging consumers to monitor their accounts.<br><span style="font-style: italic;">[Evan] Ugh.&nbsp; A "major breach" at a "major retailer", which will probably lead to a "major lawsuit" from which lawyers will make "major money".</span><br><br>The retailer has not been named by the card companies and the bankers association wants customers to know that this was not a problem caused by banks.<br><br>The data breach is reported to have occurred between Dec. 7, 2007 and March 10, 2008.<br><span style="font-style: italic;">[Evan] Holy cow that's a long time!&nbsp; The breach itself took place for three months and took that long to detect?&nbsp; Assuming the "major retailer" report is true, just think about how many credit card transactions must have taken place.&nbsp; Chances are good that the retailer never noticed the breach and only became aware after a slew of fraudulent charges were reported by consumers.</span><br><br>The MBA said that each bank that received an alert from the card companies will make its own decision whether or not to issue new cards or to monitor the accounts for the time being. In either case, customers need not worry and can protect themselves by monitoring their accounts.<br><span style="font-style: italic;">[Evan] Customers will still worry.</span><br><br>“With lack of specificity at this point, or even when the name of the retailer becomes public, customers do not need to call their bank,” said Forte (Daniel J. 
Forte, president and CEO of the MBA)<br><span style="font-style: italic;">[Evan] Customers will still call their bank</span><br><br>“If cards are to be replaced, consumers will be notified by their bank. In the event that fraud does occur due to a data breach, even though our banks did not cause this breach, the banks will hold each customer harmless, refunding any lost money.”<br><br>Visa and MasterCard, according to their own policy, have not released the name of the company responsible for the data breach, reporting to the affected banks only that it was “a major retailer.”<br><br>The MBA has been in discussions with the card companies as well as pursuing legislative remedies that would change card company rules and require release of the name of the offending retailer, as well as place liability for the costs associated with a breach with the retailer.<br><span style="font-style: italic;">[Evan] Seems to me that a law like this passed last year in Minnesota.</span><br><br>“Releasing the name of the retailer would make all of our lives easier and safer,” said Forte. “Customers who didn’t shop there would be put at ease, and banks could do more efficient investigations to better protect customers. It is an important issue and one that we are vigorously pursuing.”<br><span style="font-style: italic;">[Evan] Absolutely!&nbsp; I completely agree with Mr. 
Forte.&nbsp; I do not understand how disclosing the retailer would affect a criminal investigation, and I disagree with Visa's and Mastercard's crock policy that serves no interest to the consumer.</span><br><br><span style="font-weight: bold;">Commentary:</span><br>This will be "major news" when the retailer becomes known.&nbsp; It is not even known whether this breach affects only Massachusetts and New England consumers.&nbsp; MBA did the prudent thing by issuing a press release.&nbsp; Stay tuned.<br><br>I am interested in reading more details.&nbsp; From an information security perspective, I probably won't like what I read. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br>
]]></content:encoded>
      <pubDate>Mon, 17 Mar 2008 12:27:42 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/retail data breach">retail data breach</category>
      <category domain="http://securityratty.com/tag/major retailer">major retailer</category>
      <category domain="http://securityratty.com/tag/retailer">retailer</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/major breach">major breach</category>
      <category domain="http://securityratty.com/tag/data breach">data breach</category>
      <source url="http://breachblog.com/2008/03/17/mba.aspx">Visa and Mastercard warn of breach at "major retailer"</source>
    </item>
    <item>
      <title><![CDATA[Google Vulnerability Scanner]]></title>
      <link>http://securityratty.com/article/a29e047c915f86ee6280138ac6e6f29a</link>
      <guid>http://securityratty.com/article/a29e047c915f86ee6280138ac6e6f29a</guid>
      <description><![CDATA[We've all known for years that you can use Google to scan for vulnerabilities. Well, now the process has been automated
Presenting: Goolag Scanner from the Cult of the Dead Cow
I've seen a lot of...]]></description>
      <content:encoded><![CDATA[<p>We've all known for years that you can use Google to scan for vulnerabilities.  Well, now the process <a href="http://www.eweek.com/index2.php?option=content&task=view&id=46520&pop=1&hide_ads=1&page=0&hide_js=1">has been</a> <a href="http://www.networkworld.com/news/2008/022208-hackers-turn-google-into-vulnerability.html">automated</a>.</p>

<p>Presenting: <a href="http://www.goolag.org/">Goolag Scanner</a> from the Cult of the Dead Cow.</p>

<p>I've seen a lot of pre-release scanning results from these guys, and it's pretty amazing what they've found.</p>]]></content:encoded>
      <pubDate>Tue, 04 Mar 2008 09:12:22 +0000</pubDate>
      <category domain="http://securityratty.com/tag/google">google</category>
      <category domain="http://securityratty.com/tag/dead cow">dead cow</category>
      <category domain="http://securityratty.com/tag/goolag scanner">goolag scanner</category>
      <category domain="http://securityratty.com/tag/lot">lot</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/cult">cult</category>
      <category domain="http://securityratty.com/tag/pretty">pretty</category>
      <category domain="http://securityratty.com/tag/scan">scan</category>
      <category domain="http://securityratty.com/tag/vulnerabilities">vulnerabilities</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/google_vulnerab.html">Google Vulnerability Scanner</source>
    </item>
  </channel>
</rss>
