Credit Card Security

I recently had a miserable experience with credit card fraud and am not looking forward to having more high tech credit cards in my pocket as a result. I was pumping gas at a Chevron station in East Palo Alto. All seemed rather benign and safe. I swiped my credit card in the machine embedded in the pump. It asked me for the usual zip code info, approved, and on I went with pumping the gas. I finished, took my receipt and drove off. About an hour later I got an email from Barclays Bank, which handles the Virgin America VISA card (really cool looking card), stating that there was possible fraud activity on my card. I checked it online and noticed that there were two charges at that same Chevron station: my first legitimate one and another larger, fraudulent one for $120. I promptly cancelled the card, and the Barclays Bank folks were really good on the phone.

I asked around with several friends as to how this might possibly have happened. It’s not definitive, but the theory is that someone at the gas station had a wireless device that somehow activated the embedded chip in my credit card and somehow got access to information that obviously made them capable of making a fraudulent charge on the card. Another possibility is that the gas pump itself had somehow been hacked or tampered with, giving access to the cards that get swiped through it.

So there are now many credit cards with embedded chips in them for contactless payments at the terminals of several merchants. Are we headed full speed ahead into a brick wall of a security hole with this embedded technology? What else is at risk?

  • Our healthcare with smart tags or cards that carry our health information?
  • Our passports with the new smart chips in them?

Will the move to using our smartphones or cellphones be safer for doing payments and commerce?

Tanks to Thinktanks: Migration to Cyberwar

For quite some time there has been speculation and vehement discussion around how the war of the future won’t be fought on the traditional battlefield (at least not there alone) but online and in cyberspace. This has never been more true than lately, with the advent of the battle of giants: Google and China! Additionally, this morning on IT-Harvest there are multiple compelling pieces on how cyberwar is expanding “to a new front”.

“This is a watershed moment in the cyber war,” James Mulvenon, director of the national-security firm Center for Intelligence Research and Analysis at Defense Group Inc., said last week. “Before, the Chinese were going after defense targets to modernize the country’s military machine. But these intrusions strike at the heart of the American innovation community.”

The proposals don’t end at statements about where the new front is being fought: high level military officials are now actually calling for military budgets to be redirected partially away from tanks and planes toward high tech cyber defense and potentially even cyber offensive capabilities. General David Richards, Great Britain’s army chief, is of this mindset.

Britain’s armed forces are facing a new “horse versus tank moment” in dealing with the challenges of modern warfare, he told the weekly broadsheet. “People say I’m only talking about war with non-state actors,” Richards said, such as the Taliban insurgents currently being fought in Afghanistan. “I’m not. I’m saying this is how even war between states is more likely to be fought in the future.”

Let’s think about the facts here.

  1. Conventional and mechanized war is expensive; cyber threats are cheap.
  2. The skills to fight conventional war take time to develop; cyber criminals can be high school kids in any part of the world.
  3. There are significant barriers to entry and to obtaining tools for fighting conventional warfare; cyber threat tools are available as open source and they scale.
  4. Conventional reconnaissance mostly finds the conventional threats; new cyber threats using wireless devices and technologies may NEVER be detected until it is already too late.
  5. Who has been investing longer in their cyber skills? The criminals! The good guys need to catch up and look at this problem in a very different way than how they’ve been trained in the past. Throw out the old rule book!!!

We certainly can’t move completely to equipping our soldiers and Marines with headphones and keyboards rather than helmets and rifles. But the relatively unsophisticated new enemy “combatant” is working on very novel, subtle and inexpensive ways of affecting our nation’s economy, national security and critical infrastructure. We need to take a lesson or two from them to beat them at their own game.

GSM Hacking Trial

This week on Dark Reading there was more talk of the cracking of the GSM A5/1 over-the-air encryption. There is certainly a lot of attention swarming to this topic, rightly so given the pervasiveness of mobile. In addition, the hacker community is making statements about the A5/3 encryption, which is built into some of the 3G standards.

I think that the biggest concern does lie solely with the cracking of A5/1, but that there is a HUGE community of software programmers interested in “seeing” how vulnerable these encryption protocols actually are and whether they can break them. In general this is a good thing to overcome the Kool-Aid Syndrome (where carriers and mobile technologists become too enamored with legacy and the status quo) and get telecom vendors, standards bodies, and carriers to think innovatively and out of the box. However, it’s only a good thing if malicious behavior does not reign supreme.

Imagine if the confidential mobile communications of a government official or corporate CEO were intercepted and held for ransom. Imagine if terrorists were somehow to exploit this vulnerability to their advantage. As with any socially and globally impactful technology, there are two sides to the coin: the good side and the dark side!

How do we solve this both near term and long term? Do we ban cellphones in certain instances or environments? Is this even feasible given the human appendages that cellphones and smartphones have become?

Biggest Security Threats to Federal Agencies

Today an article in Dark Reading titled “Federal Agencies: Online Collaboration, Cyber Terrorism, Mobility, Web 2.0 Their Biggest Security Threats” outlines the results of a survey by the Ponemon Institute on what ails our government’s agencies the most in terms of security threats and concerns. The survey of 217 senior-level federal IT executives yielded some pretty extraordinary findings.

Of particular concern to me are the results of the survey regarding wireless: “Wireless devices were the most serious target in their organizations, with 57 percent pointing them out as such.” I haven’t read the report yet, but the cyber threat potential of wireless, the fastest growing security threat to information, privacy, and national security since the Internet itself, is showing no signs whatsoever of slowing down. Every organization (business or governmental) on the planet is affected by the Mobilization Effect: the increasing and insatiable desire of people to be mobile, free of location specificity, yet with access to all the same information they had when they were tethered.

This goes both ways. Both the legitimate AND the illegitimate or malicious doers are taking advantage of the runaway adoption of wireless devices and technologies, in particular cellphones. This week there was increased coverage of a worm affecting unlocked iPhones, apparently having started in Australia but now making its way around the world. Why would that matter to an IT security professional? These same iPhones (and the growing population of unlocked iPhones with SSH holes) are accessing organizational email, being connected to PCs/laptops for charging or tethering, storing and sending documents, accessing LDAP directories through ActiveSync, storing huge caches of contact information, and on and on. Not too long ago these were some of the same reasons given for securing desktops and, later, laptops. Yet the awareness or acknowledgement of the mobile problem, or Tsunami of Insecurity, is in an early stage…albeit growing rapidly!

What’s the solution? Stay tuned for the next post on this topic…

Mobility Paradise or Cyber-Apocalypse?

A couple of very interesting articles made e-headlines last week. NextGov’s article titled “Cell phones, other wireless devices next big cybersecurity targets”, and GovInfoSecurity’s article titled (very appropriately, if I do say so) “Tsunami of Insecurity: Safeguarding Mobile Devices”, brought to light what I’ve been saying for several months now…mobile devices will be the next generation of cyberthreats and cyberattack targets, at a magnitude never before experienced in the information or Internet ages!!!

According to Seymour Goodman, professor of international affairs and computing at Georgia Institute of Technology, “Concern over the vulnerabilities has increased as more users worldwide shift to mobile devices in favor of desktop and laptop computers. More than 3.5 billion cell phones are now in use, vastly outnumbering traditional Internet users”.

Let’s do the math (these forecasts are per IDS, Gartner, and other analysts):
– About 150,000,000 new laptops and netbooks are forecast for sale in 2009 alone.
– About 1,400,000,000 new mobile devices are forecast for sale in 2009 alone.
– Approximately 20% of the new mobile devices are smartphone-class devices with powerful processors, operating systems, memory, and ALWAYS CONNECTED.
– So…there are almost twice as many smartphone-class mobile devices flooding the market this year as all the laptops!
– And yet the remaining 1,120,000,000 mobile devices are still quite capable of capturing pictures, storing megabytes and gigabytes of data, and recording audio quite easily.

Alan Paller, director of research at the SANS Institute, a cybersecurity research and education group in Bethesda, Md., said mobile devices could become a target for hackers, although computer networks remain the subject of traditional cyberattacks. “It’s true that we all carry these devices, and I see a rapidly increasing number of attacks against these devices, particularly to make them zombies to complement the PC bots,” which spam or send viruses to other computers on the Internet, he said.

With the botnet dream-state of billions of mobile devices making themselves available to new, yet-to-be-discovered forms of malware, the scenario whereby no network or data is safe is rapidly becoming a reality. The only question is:

What are we going to do about it?

GovTrip Hacked

The US government’s travel site (GovTrip) was hacked with a URL redirect method, and there is fear that malicious code was introduced onto users’ computing devices, according to ComputerWorld and Network World articles. This site is used by government workers in the following agencies and departments, among others: the Environmental Protection Agency, the Department of Energy, the Department of Health and Human Services, the Department of the Interior, the Department of Transportation and the Treasury Department. The site is used by workers for travel planning and travel expense reimbursements.

The simultaneously novel and threatening approach taken here is that it is not the typical frontal assault on the most secure agencies of national and information security (DoD, NSA, etc.), but rather an attack on a seemingly benign website, one that is used by enough government workers throughout enough of the key departments, such as Energy and Treasury, to have a potentially huge impact. Don’t mistake this for admiration of the perpetrators, but rather acknowledgment of how many “holes” exist in the fabric of the US government’s and economy’s information infrastructure.

There is both intranet and public Internet access to this site. If any of the computing devices accessing this site from the public Internet side also have access to classified or secure networks in their respective agencies, that is where the greatest threat to information and network security lies in the event malicious code is propagated. Imagine a botnet running within the Department of Energy network, where nuclear site protection and operating procedures are stored…no, I don’t want to imagine.