This new remote WiFi attack is particularly timely as a new indictment of 11 for ID theft of over 100 Million credit cards (watch video to see Veracode’s CEO) was handed down this week.  Guess how they got in?  They used War Driving to get on insecure internal WiFi networks and then used the internal access to install sniffing software.  The attackers were mostly from foriegn countries and the companies attacked in the US.  So at some point someone must have been in the country to physically scan the networks. 

David Maynor’s WarShipping trick solves this “need to be there” problem  to do wireless attacks.  Why travel and risk being physically apprehended when you can just mail a package with a WiFi and WAN enabled device and just hack remotely? 

We will have to see how insecure these businesses that need to be PCI compliant are now that this massive WiFi attack has been made public.  I find it takes a widely publicized attack of your organization or a close peer to actually get many security problems fixed.  I bet some retailer’s IT departments started scambling after this was made public.

Attackers like to keep updating their methods just ahead of compliance requirements.  Sometimes I think that becoming compliant is protecting yourself from last year’s attack due to the lag time between attacks becoming prevelant, compliance standards changing, and then organizations making security updates to meet complaince.

With application security we may already be a little behind.  PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in OWASP Top Ten 2004 (yes, note the lag time).  I fear a 100 Million ID theft scale compromise is still looming using application security attacks.

This new remote WiFi attack is particularly timely as a new indictment of 11 for ID theft of over 100 Million credit cards (watch video to see Veracode’s CEO) was handed down this week. Guess how they got in? They used War Driving to get on insecure internal WiFi networks and then used the internal access to install sniffing software. The attackers were mostly from foriegn countries and the companies attacked in the US. So at some point someone must have been in the country to physically scan the networks.

David Maynor’s WarShipping trick solves this “need to be there” problem to do wireless attacks. Why travel and risk being physically apprehended when you can just mail a package with a WiFi and WAN enabled device and just hack remotely?

We will have to see how insecure these businesses that need to be PCI compliant are now that this massive WiFi attack has been made public. I find it takes a widely publicized attack of your organization or a close peer to actually get many security problems fixed. I bet some retailer’s IT departments started scambling after this was made public.

Attackers like to keep updating their methods just ahead of compliance requirements. Sometimes I think that becoming compliant is protecting yourself from last year’s attack due to the lag time between attacks becoming prevelant, compliance standards changing, and then organizations making security updates to meet complaince.

With application security we may already be a little behind. PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in OWASP Top Ten 2004 (yes, note the lag time). I fear a 100 Million ID theft scale compromise is still looming using application security attacks.

• They hacked nine major U.S. retailers, stole and sold more than 40 million credit and debit card numbers...
• Apparently this is the single largest and most complex identity theft case ever charged in this country

OK, the database cluster is back up and playing nice after its petulant episode.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. MoD implements new data security measures | PC Advisor
2. Do natural human traits make us more vulnerable to computer malware? | Hexus
3. The staff, the thief, the device and its data | Network World
4. Credit card firms wave stick at retailers | The Australian
5. Merchants call credit card industry’s bluff on compliance | The Register
6. Chairman: Computer Hacking ‘Much More Widespread’ | WYFF 4
7. Fired Houston organ bank worker accused of hacking into system | Houston Chronicle
8. PCI standard ‘ignores’ insider threat | vnunet
9. Student suspended after hacking emails | Stuff NZ

Tags: News, Daily Links, Security Blog, Information Security, Security News

So my next iteration of fun reading on security, logging and other topics.

1. "Security-as-control" vs "security-as-assurance" - a very useful idea (more here), which is often confused with bad results (e.g. "secure" software = has password authentication OR has has no overflow bugs)
2. Rich Mogul grabs GRC by the balls and kicks it, hard, again. A Burton Group guy comes and helps him by doing a nice roundhouse kick in its butt. Still, it doesn't die, as more people kick it ... Maybe 'cause Andy "loves or hates it?"
3. Good advice from Andy IT Guy: "We need to step back from time to time and evaluate what we are doing to determine if it still makes sense." (more)
4. BBC on cloud security, actually interesting. More on the same subject, albeit with a dumb name
5. Breach disclosure laws and security study by CMU, that SANS called idiotic ("What a silly study. It measures the wrong outcome. What matters about data breach notification is what it does to the quality of defenses.") AND "badly flawed" as well. More fun comments on it are here.  More discussion of this complicated subject. Rick kicks it too here.
6. Along the same line, "Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20% of all incidents." Wow!
7. "The biggest issue in both Audit and IT is a lack of strategic thought." (maybe) When I read it, it reminded me of the old wisdom from Ms Trunk: "if you think you are a 'strategist' - check maybe you think that 'cause your execution sux"
8. A very fun read: "Facing The Monster: The Labors Of Log Management." I am happy that log management has been granted a monster status :-)
9. Role of compliance for SCADA security puzzles me: think about it - you need a law to make people protect systems that control utilities EVEN THOUGH you already demonstrated (kind of) that hackers can explode generators remotely. So, people fear fines from regulators more than exploded power generators? Yep.
10. Is it time to regulate the security of cloud computing?
11. "How to Sell Security" by Bruce Schneier - a MUST read. BTW, FUD is NOT dead, and won't be dead. Ever!
12. OMG, this is huge and will grow: PCI Compliance and Virtualization (think "only one primary function per server" mandated in PCI). Same source on costs of PCI (also fun!) - still, IMHO, PCI is cheaper than properly securing your environment ... And while we are on the subject of PCI, check out Rich's "The Good (Yes, Good) And Bad Of PCI" and the discussion that followed.
13. New wave of compliance is incoooooooooooooming. Take cover!!!
14. Please shut up about ALL security being rolled into the network. Hoff says it best here.  If you want to join this bandwagon, say "all NETWORK security will be in the network."  (you'd probably still be wrong, but less embarassed :-))
15. Finally, some "Unintentional hilarity" from David: this is sooooo the world we live in :-)