Tuesday, August 26, 2008
Hotel chain latest victim of cyberthieves
Greg MastersAugust 25 2008
The Best Western hotel chain has reportedly suffered what is being claimed as the world's largest cybercrime, the identity theft of eight million customers.
A Scottish newspaper, the Sunday Herald, reported late last week that hackers placed a trojan on the hotel chain's European reservation system, capturing a clerk's password to gain entry to the group's online booking system.
The intruders then reportedly sold details of how to gain access to the system to a Russian gang. The attack was noticed when the Best Western database, which included guests' names and credit card numbers, was offered for sale on an underground forum.
Responding to the newspaper report, Best Western issued a statement admitting there had been a breach, but claimed that on Friday, it closed the entry point in its system that allowed access to the hackers. The company also refuted claims that its data had been compromised. It also sought to reassure its customers that it is taking appropriate action.
The chain, which has more than 4,200 hotels in 80 countries, responded that the charges in the newspaper report were “grossly unsubstantiated…We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.”
It also stated that it complies with Payment Card Industry (PCI) Data Security Standard (DSS), and that to maintain that compliance, it uses a “secure network protected by firewalls and governed by a strong information security policy.”
The chain added that it only collects credit card details when processing a reservation and then encrypts that information, deleting it when the guest departs. Also, the company restricts access to that data to only those people who require it.
However, despite these appropriate information security strategies, experts point out that there are ways a hacker may have gained entry to the company's network, most likely via a traffic-sniffing trojan.
Ed Moyle, manager at CTG, which provides IT solutions to Global 2000 clients, said Best Western may be correct in its assessment of the breach's extent. But the news is already out and the company's reputation could be harmed, he said.
“It's an unfortunate outcome for what appears to be a smaller-than-reported data loss,” he said. “In an ideal world, companies ought to be looking at how they can prevent this sort of thing with the ultimate goal of not having to put out a retraction.”
Moyle said there appears to be nothing more Best Western could have done to prevent the compromise.
"Yes, they were in compliance with [PCI], it's a useful bar to meet, but that doesn't guarantee loss prevention," he said. "There are always going to be breaches."
Wednesday, August 13, 2008
Did stores hush up credit card scam?
Not all retailers told their customers when hackers swiped more than 40 million credit card numbers in the biggest such heist ever.
By The Wall Street Journal
Most states mandate that companies tell their customers when their credit card data is stolen from stores. The laws are designed to give consumers a chance to protect themselves against fraud or identity theft.
But when federal prosecutors disclosed last week that computer hackers had swiped more than 40 million credit card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it.
That's because only four of the chains clearly alerted their customers to the breaches. Two others, Boston Market and Forever 21, say they never told customers because they never confirmed data had been stolen from them.
The other retailers, OfficeMax, Barnes & Noble and Sports Authority, wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.
The other companies allegedly targeted by the ring charged last week were TJX, BJ's Wholesale Club, shoe retailer DSW and restaurant chain Dave & Buster's. They each disclosed to customers, shortly after the intrusions were discovered, that they were breached.
The disclosure issue emerged after the government charged 11 men in five countries, including the United States, Ukraine and China, with orchestrating a high-tech operation to steal credit card numbers from 2003 to 2008. After an increasing number of such thefts in recent years, more than 40 states have adopted laws requiring companies to give consumers an early warning when their personal information is stolen.
Companies typically have made disclosures by letter, whenever possible, and through public announcements on their Web sites and in press releases to the media.
Disclosure allows consumers to act quickly to limit losses by canceling their credit cards, changing their passwords or setting up credit-monitoring services.
The Federal Trade Commission estimates that nearly $50 billion is lost annually as a result of identity theft and credit card fraud, with part of it absorbed by banks.
"If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced," says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data-breach expert.
"If not, there could be big checks the companies will have to be writing" to cover consumer litigation, he said.
Dan Clements, the chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches.
"Telling the public that they've been breached is embarrassing for them. It makes them suffer a loss of good will, and, in the case of public companies, the stock price goes down."
OfficeMax has denied having any knowledge of a breach. New Jersey authorities who investigated the company in 2005 believed it was one of a number of retailers compromised, and last week's indictments describe how the defendants allegedly broke into their networks.
Boston Market and Forever 21 say their own investigations couldn't corroborate the government's findings. Federal officials say they stand by the information in the indictments.
The indictments allege that one of the suspects, Christopher Scott, and another man identified only by initials broke into the wireless network of an OfficeMax store in Miami in 2004 and gained access to credit card data. Scott, through family members, declined to comment.
Authorities also said they discovered in 2005 that OfficeMax's computer systems had been breached by another group that obtained customer data and used it to make counterfeit credit cards. "We believe the (credit card) information was coming out of an OfficeMax in North Carolina," said Lt. Tom Cooney of the Hudson County prosecutor's office in Jersey City, N.J. "It turned out that a number of the victims" were customers at the same OfficeMax.
Edward DeFazio, a Hudson County prosecutor, says investigators in the joint federal-state probe notified OfficeMax and other retailers that their systems had been breached in a card-theft ring. Fourteen people were arrested in March 2006.
That month, OfficeMax acknowledged in an SEC filing an "ongoing federal investigation involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S." But the filing added that "we have no knowledge of a security breach at OfficeMax."
In a statement after last week's indictments, the Naperville, Ill., company said, "It would be inappropriate to express our views relating to an ongoing criminal investigation." It said it has cooperated with authorities in their probe and is "confident in the integrity and security of our systems." Last week's indictments also describe "attacks on Forever 21," which operates more than 350 clothing stores. Prosecutors allege that sometime this year, Damon Patrick Toey of Miami broke into Forever 21's system and shared access with Albert Gonzalez, the group's alleged ringleader, "for the purpose of downloading credit card information of customers of Forever 21." Lawyers for Gonzalez declined to comment. Toey couldn't be reached to comment.
Larry Meyer, a spokesman for Forever 21, says that last spring, federal authorities notified the Los Angeles company that it was among several retailers whose computer systems were "potentially infiltrated" by a crime ring. Authorities "asked us to investigate for a breach," he says.
He says Forever 21 conducted an internal investigation but didn't find a sign of a breach. Therefore, Meyer says, the company didn't notify customers that their credit card information was potentially at risk. "There was no breach," he says. "There was nothing to tell people." He says Forever 21 believes it is obligated to make a disclosure only if it finds a breach.
He adds that as a result of last week's indictments, the company is in discussions with federal authorities.
The indictments also allege that Boston Market, a fast-food chain based in Golden, Colo., was hit by credit card thieves. Company spokeswoman Angela Proctor acknowledges that the company was notified by federal authorities in 2004 of a potential breach. She says it never disclosed the matter to consumers "because we couldn't find any definite information that we'd been breached."
Proctor now says it isn't likely the company will inform consumers, "because there is no way for us to identify customers who might have been affected." She adds, "The consumer always does have an opportunity to report fraudulent activities" to credit card companies.
Bookseller Barnes & Noble issued a release last week saying it "had not received inquiries from credit card companies or customers about these alleged activities." A spokeswoman for the New York company declined to comment further.
Sports Authority didn't return phone calls to its headquarters in Englewood, Colo.
TJX, the owner of stores including the T.J. Maxx, Marshalls, HomeGoods and A.J. Wright retail chains, says it has spent $202 million in expenses related to the breach, which compromised the cards of millions of its customers. Most of the money is being used to settle lawsuits brought by consumers and banks and to pay settlements with credit card associations.
This article was reported and written by Joseph Pereira, Jennifer Levitz and Jeremy Singer-Vine for The Wall Street Journal.
Monday, August 11, 2008
Goodbye, Passwords. You Aren’t a Good Defense.
By RANDALL STROSS
THE best password is a long, nonsensical string of letters and numbers and punctuation marks, a combination never put together before. Some admirable people actually do memorize random strings of characters for their passwords — and replace them with other random strings every couple of months.
Then there’s the rest of us, selecting the short, the familiar and the easiest to remember. And holding onto it forever.
I once felt ashamed about failing to follow best practices for password selection — but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).
This procedure — which now seems perfectly natural because we’ve been trained to repeat it so much — is a bad idea, one that no security expert whom I reached would defend.
Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
In short, we need a log-on system that relies on cryptography, not mnemonics.
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.
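The following Python script is an added illustration, not code from the column, from the Information Card Foundation or from any vendor. It contrasts the two log-on models the column describes: a typed password, which any page that receives it can reuse at other sites, and a challenge-response in which the user's key never leaves the machine and each answer is bound to a fresh server nonce and to the origin the client is actually connected to. The site names, the user "alice" and the password "LetMeIn" are constructed; HMAC stands in for the public-key signature a real information-card or similar scheme would use, because the standard library has no signature primitive.

```python
import hashlib
import hmac
import secrets


class PasswordSite:
    """A site that authenticates by receiving the secret itself (constructed model)."""

    def __init__(self, origin):
        self.origin = origin
        self._users = {}  # username -> (salt, PBKDF2 hash)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(self._hash(password, salt), expected)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class KeyClient:
    """User-side agent: holds a master secret that is never typed or sent.
    Each site gets its own derived key; each response covers the server's
    nonce and the origin the client believes it is talking to."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def _site_key(self, origin):
        return hmac.new(self._master, b"site-key:" + origin.encode(), hashlib.sha256).digest()

    def enroll(self, site):
        # One-time enrollment: the site receives only the key derived for its own origin.
        site.enroll(self._site_key(site.origin))

    def respond(self, origin, nonce):
        # Origin is taken from the live connection, not from what the page claims to be.
        return hmac.new(self._site_key(origin), nonce + b"|" + origin.encode(), hashlib.sha256).digest()


class ChallengeSite:
    """A site that authenticates by challenge-response (constructed model)."""

    def __init__(self, origin):
        self.origin = origin
        self._key = None
        self._pending = set()  # nonces issued but not yet consumed

    def enroll(self, key):
        self._key = key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if self._key is None or nonce not in self._pending:
            return False
        self._pending.discard(nonce)  # single use, so a captured answer cannot be replayed
        expected = hmac.new(self._key, nonce + b"|" + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def password_phish_demo():
    """Returns (login at bank, login at shop) using a password captured by a lookalike page."""
    bank = PasswordSite("bank.example")
    shop = PasswordSite("shop.example")
    bank.register("alice", "LetMeIn")
    shop.register("alice", "LetMeIn")  # the same password reused at a second site
    captured = "LetMeIn"  # whatever the user typed into the mimic page
    return bank.login("alice", captured), shop.login("alice", captured)


def challenge_phish_demo():
    """Returns (honest login ok, relayed lookalike response ok, replayed response ok)."""
    bank = ChallengeSite("bank.example")
    alice = KeyClient()
    alice.enroll(bank)
    nonce = bank.challenge()
    honest_ok = bank.verify(nonce, alice.respond("bank.example", nonce))
    # A lookalike origin relays the bank's real nonce, but the client binds its
    # answer to the origin it is actually connected to, so the bank rejects it.
    nonce2 = bank.challenge()
    phish_ok = bank.verify(nonce2, alice.respond("bank-login.example", nonce2))
    # The honest answer, captured in transit, is useless a second time.
    replay_ok = bank.verify(nonce, alice.respond("bank.example", nonce))
    return honest_ok, phish_ok, replay_ok


if __name__ == "__main__":
    print("password model (bank, shop):", password_phish_demo())
    print("challenge model (honest, relayed, replayed):", challenge_phish_demo())
```

The password model returns `(True, True)`: the mimic page learns the secret and it works at both sites. The challenge model returns `(True, False, False)`: the key is never disclosed, the relayed answer fails because it was computed over the wrong origin, and the captured answer fails because its nonce has already been consumed. A deployed scheme would replace the shared HMAC key with a per-site key pair so that a breached site holds only a public verifier.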
And that’s only half the battle: Web site hosts must also be persuaded to adopt information-card technology for sign-ons.
We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory. Representatives of Google, I.B.M., Microsoft and Yahoo are on OpenID’s guiding board of corporations. Last month, when MySpace announced that it would support the standard, the nonprofit foundation OpenID.net boasted that the number of “OpenID enabled users” had passed 500 million and that “it’s clear the momentum is only just starting to pick up.”
Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.
Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.
When I asked Scott Kveton, chairman of the OpenID Foundation’s community board, about criticism of OpenID, he said candidly, “Passwords, we know, are totally broken.” He said new security options, such as software that works with OpenID that installs within the browser, are being offered. When it comes to security, he said, "there is no silver bullet, and there never will be.”
Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”
Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal, which is owned by eBay, in the group is the most significant: PayPal, with its direct access to our checking accounts, will naturally be inclined to be conservative. If it becomes convinced that these cards are more secure than passwords, we should listen.
BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
The PIN doesn’t return us to the Web password mess: it never leaves our machine and can’t be seen by phishers.
Unlearning the habit of typing a password into a box on a Web page will take a long while, but it’s needed for our own protection. Logging on to a site should entail a cryptographic conversation between machines, saving us from inadvertently giving away the keys.
No more relying on our old companion “LetMeIn.”
Randall Stross is an author based in Silicon Valley and a professor of business at San Jose State University. E-mail: stross@nytimes.com.
By RANDALL STROSS
THE best password is a long, nonsensical string of letters and numbers and punctuation marks, a combination never put together before. Some admirable people actually do memorize random strings of characters for their passwords — and replace them with other random strings every couple of months.
Then there’s the rest of us, selecting the short, the familiar and the easiest to remember. And holding onto it forever.
I once felt ashamed about failing to follow best practices for password selection — but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).
This procedure — which now seems perfectly natural because we’ve been trained to repeat it so much — is a bad idea, one that no security expert whom I reached would defend.
Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
In short, we need a log-on system that relies on cryptography, not mnemonics.
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.
And that’s only half the battle: Web site hosts must also be persuaded to adopt information-card technology for sign-ons.
We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory. Representatives of Google, I.B.M., Microsoft and Yahoo are on OpenID’s guiding board of corporations. Last month, when MySpace announced that it would support the standard, the nonprofit foundation
OpenID.net boasted that the number of “OpenID enabled users” had passed 500 million and that “it’s clear the momentum is only just starting to pick up.”
Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.
Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.
When I asked Scott Kveton, chairman of the OpenID Foundation’s community board, about criticism of OpenID, he said candidly, “Passwords, we know, are totally broken.” He said new security options, such as software that works with OpenID that installs within the browser, are being offered. When it comes to security, he said, "there is no silver bullet, and there never will be.”
Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”
Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal, which is owned by eBay, in the group is the most significant: PayPal, with its direct access to our checking accounts, will naturally be inclined to be conservative. If it becomes convinced that these cards are more secure than passwords, we should listen.
But perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
The PIN doesn’t return us to the Web password mess: it never leaves our machine and can’t be seen by phishers.
Unlearning the habit of typing a password into a box on a Web page will take a long while, but it’s needed for our own protection. Logging on to a site should entail a cryptographic conversation between machines, saving us from inadvertently giving away the keys.
No more relying on our old companion “LetMeIn.”
Randall Stross is an author based in Silicon Valley and a professor of business at San Jose State University. E-mail: stross@nytimes.com.
Friday, August 01, 2008
The Biggest Security Threat for 2008 and Beyond
The Biggest Security Threat for 2008 and Beyond: End Users
By Mike Wittig
TechNewsWorld
01/30/08 4:00 AM PT
Safeguarding organizations against insiders with malicious intent requires effectively enforcing data access policies and auditing user activity with sensitive and confidential data and systems. The stories that keep surfacing about company insiders stealing sensitive data worth millions of dollars -- if not billions -- form a nonstop cycle.
Study after study continues to reveal a fundamental truth about the shifting landscape of IT security today: The biggest threat to proprietary systems and information is not the traditional cyber-criminal writing malicious code in a virtual location, but rather trusted employees.
Savvy administrators recognize that because end users are privy to an organization's sensitive data, they represent a significant risk factor. However, mitigating this threat is something that security pros continue to struggle with. While no single "silver bullet" solution exists, there are steps organizations can take to ensure that corporate policies are effectively enforced and insider threat is neutralized.
Where the Risks Lie
Users represent a security risk for several reasons. Corporate boundaries continue to expand as the number of mobile workers increases, which also ties in with the convergence of personal and professional use of corporate endpoints. Laptops and PCs are becoming more personal, loaded with non-business applications that potentially expose an organization to spyware, keyloggers and other threats.
There are also mounting threats that prey on end-user curiosity. Tactics include Web site or e-mail spoofing designed to trick employees into performing actions detrimental to the organization's security or divulging confidential information. What's more, employees are constantly moving between competitive organizations, and competitors angle to hire key personnel for their skills as much as for the confidential information they can bring with them. Overall, the insider threat -- whether malicious or inadvertent -- is something that cannot be overlooked.
Safeguarding organizations against insiders with malicious intent requires effectively enforcing data access policies and auditing user activity with sensitive and confidential data and systems. The stories that keep surfacing about company insiders stealing sensitive data worth millions of dollars -- if not billions -- form a nonstop cycle. As a result, security administrators must take action to protect their organizations against these threats.
Meanwhile, protecting against employee errors or accidents requires policy enforcement so that end users are not solely relied upon to make intelligent security decisions. Most non-malicious employees accidentally make improper choices when it comes to handling corporate data. For example, as iPods, digital cameras, PDAs and other gadgets continue to see rapid adoption among business users, security administrators must remember that these are devices that spend most of their lives plugged into far less-secure home computers. This makes it incredibly easy for employees to unintentionally download a nasty virus or destructive code onto an enterprise machine.
Mitigating Threats Step by Step
Organizations can protect themselves against these malicious and accidental employee actions through the combination of people, processes and technology. They must clearly define and socialize policies, automate policy enforcement and provide detailed auditing and reporting. Here are some fundamental steps that organizations can take to achieve this:
First, they must accept the reality that employees are not security experts and will always engage in risky behavior. They will open unsolicited attachments, browse a wide assortment of Web sites, click on links in e-mails and instant messages, utilize outdated and unpatched versions of software, and plug in personal devices or removable media without understanding (or caring) about the potential impact of these decisions. Since they are not security experts and do not generally understand the criticality of some software and operational vulnerabilities that require immediate remediation, relying upon end users to rapidly install the latest patches is leaving a lot to chance.
In a perfect world, written corporate policy would be enough to dictate employees' interactions with technology. While a policy is an important step, the reality is that even the most stringent policies need a solution to support and enforce them. Leaving employees responsible for enforcing policy themselves has proven ineffective.
The second step to mitigating the threat from within is to remove the organization's reliance on end users as security experts. The organization must provide a way to develop and enforce policy that enables users to focus on their task at hand, but also reduces the risk of their day-to-day decisions when they interact with technology. This includes understanding which employees need access to specific applications, devices and data. Also, enforcing policies that give users access only to what is required in order to successfully complete their job functions can help in ensuring that the applications in use are up-to-date with the latest patches.
By enforcing application and device control, organizations can flexibly control execution of specific files or removable devices all the way down to the user level. This takes the decisions away from the users and enables them to be focused on the job at hand. Also, by enforcing mandatory baselines for critical patches and configurations, organizations can automate the remediation process throughout the enterprise instead of relying upon their users. This ensures that proper security configurations are maintained and takes work off the employee's hands. Employing technology that automates the enforcement of acceptable resource use while preventing and reporting unacceptable use that could put the enterprise at risk is a flexible yet secure approach.
A third step is to ensure that policies are socialized throughout the organization and enforced as transparently as possible so as not to impede end user productivity. Without proper socialization and end-user understanding of and buy-in to these policies, they will be viewed as a hindrance to productivity, and users will find a way to get around them. Though an organization should never expect or rely upon its users to become security experts, engaging in security training and socializing corporate policies is a key step to finding that balance between security and user productivity. Communication is extremely important in educating users and preventing disruption in employee productivity. Explaining why a policy exists is a key success factor. Once end users know what you're doing and why you're doing it, they're usually more than willing to help out.
The final step to addressing insider threat requires the CIO and others within the IT department to have access to a continuous report of the organization's environment, to know which policies are working and which are not, and to adjust policies accordingly. Automated auditing and reporting functions give security personnel the flexibility to conditionally allow certain devices, applications or configurations while still maintaining visibility into user activity. For example, if an organization allows only accounting personnel access to specific finance-focused applications, it needs to know if a developer was attempting to gain access to these applications. Either there is malicious intent, or there is a legitimate need.
From a best-practices perspective, policy compliance should be reviewed on a regular basis as organizational needs may change and user activities might highlight a policy loophole. This includes continuous surveillance of the enterprise environment and user activities and using the gathered information to update policy as necessary.
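The auditing step above, in which a developer's attempt to reach a finance application should surface whether or not the control stopped it, can be reduced to a small check of an access log against a role policy. The following is an added example written for this page, not code from the article or from any product it mentions; the applications, roles, user directory and the log line format are all constructed for illustration. It goes slightly beyond the article's single case by also reporting users missing from the directory and applications that no policy covers, since both are gaps an audit should notice.

```python
"""Audit constructed application-access log lines against a role policy.

Added example (not from the article): flags any access attempt, allowed or
denied, by a user whose role is not permitted for the application, so an
analyst can tell a legitimate need from a probe. Roles, users, application
names and the log format are all constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumed policy: application -> set of roles permitted to run it.
POLICY = {
    "finance-ledger": {"accounting"},
    "payroll": {"accounting", "hr"},
    "build-server": {"engineering"},
}

# Assumed user directory: username -> role.
USERS = {
    "alice": "accounting",
    "bob": "engineering",
    "carol": "hr",
}

# Constructed log format: "<ISO timestamp> user=<name> app=<app> result=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>allow|deny)$"
)

# Constructed sample log: one legitimate accounting user, one developer probing
# (and once getting through to) the ledger, one unknown account, one bad line.
SAMPLE_LOG = """\
2008-01-30T09:01:12 user=alice app=finance-ledger result=allow
2008-01-30T09:03:45 user=bob app=finance-ledger result=deny
2008-01-30T09:04:02 user=bob app=finance-ledger result=deny
2008-01-30T09:10:30 user=carol app=payroll result=allow
2008-01-30T09:12:11 user=bob app=finance-ledger result=allow
2008-01-30T09:15:00 user=mallory app=payroll result=allow
2008-01-30T09:16:00 this line is malformed
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    app: str
    result: str
    reason: str


def audit_access_log(log_text, policy=POLICY, users=USERS):
    """Return (findings, malformed_count) for every line that contradicts the policy.

    Three situations are reported:
    - a user with no directory entry touching any application;
    - an application not covered by policy (nothing says who may use it);
    - a user whose role is not in the application's allowed set, whether the
      control denied the attempt (a probe worth a conversation) or let it
      through (an enforcement gap, the more serious case).
    Malformed lines are counted separately so log-format drift is noticed.
    """
    findings = []
    malformed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        ts, user, app, result = m.group("ts", "user", "app", "result")
        role = users.get(user)
        if role is None:
            findings.append(Finding(ts, user, app, result, "unknown user"))
            continue
        allowed = policy.get(app)
        if allowed is None:
            findings.append(Finding(ts, user, app, result, "application not in policy"))
            continue
        if role not in allowed:
            reason = ("out-of-role access ALLOWED (enforcement gap)" if result == "allow"
                      else "out-of-role attempt denied (investigate intent)")
            findings.append(Finding(ts, user, app, result, reason))
    return findings, malformed


def summarize(findings):
    """Count findings per (user, app) so repeated probing stands out."""
    counts = {}
    for f in findings:
        counts[(f.user, f.app)] = counts.get((f.user, f.app), 0) + 1
    return counts


if __name__ == "__main__":
    found, bad = audit_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.user} -> {f.app} [{f.result}]: {f.reason}")
    print(f"{bad} malformed line(s)")
    print(summarize(found))
```

On the constructed log this reports the developer's two denied attempts, the one that was allowed (the case that means the control itself is misconfigured), and the account that is not in the directory at all; the per-user summary is what the article's "continuous report" would surface to the CIO.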
In Summary
An organization's end users represent a significant amount of risk due to the proliferation of threats that target individuals and the rising value of corporate IP, customer, employee and financial data. What's more, criminal organizations are targeting end users as a way to gain access to valuable data, and some internal employees target this data for personal financial gain. While it should be the duty of every user to protect the company's assets, the CIO and their IT departments ultimately will be held responsible for any breach of confidentiality or data.
Through transparent policy enforcement, technology that puts substance behind the documented words, socialization of policies and awareness of sound security practices, and continuous and actionable auditing information, organizations can take a big step forward in protecting their network and data from the inside out.
U of M Study: Most Bank Web Sites Flawed
WWJ Newsroom Reporting
Ann Arbor (WWJ) -- Is your bank's website safe?
A new University of Michigan study finds that more than 75 percent of bank websites had at least one design flaw that could make customers vulnerable to cyber crooks.
Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, along with a pair of doctoral students, examined the Web sites of 214 financial institutions in 2006.
The flaws center around the layout of websites and the placement of log-in boxes and contact information, as well as the failure to keep customers on the initial website they visited. The flaws are not things that can be fixed with a patch.
Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement. He got the idea for the study after noticing a problem with his own bank's website.
"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The FDIC says computer intrusion is a growing problem for banks and their customers.
Prakash and his students will present the findings for the first time at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University July 25.
Largest caches of stolen hacker data ever reported
JUNE 30, 2008 |
ATLANTA -- SecureWorks announced today that SecureWorks’ Director of Malware Research, Joe Stewart, has uncovered one of the largest caches of stolen hacker data ever reported, if not the largest.
The hacking scam involves thousands of employees of hundreds of organizations worldwide who have been infected with the bank and information-stealing trojan Coreflood, also known as AFcore. SecureWorks already had countermeasures in place for its clients to protect against the Coreflood Trojan and its variants and immediately notified research partners, anti-virus vendors and law enforcement officials upon discovering the scam.
What makes this hacker scheme so unique is that it has flown under the radar for years and the hacking group behind it has been able to go in and infect hundreds of employees of individual organizations via network administrator privileges. Essentially, the hackers infect one employee’s workstation and then lie in wait for the organization’s network administrator to log on to that infected workstation. Once the administrator logs on, the hacker runs the trojan under the administrator’s username and password and subsequently infects all the workstations that the administrator has privileges to.
The trojan not only captures usernames and passwords, but also grabs the text content of the page at the same time. This would allow the criminal to find credentials that he or she may not have realized were valuable, and it gives a quick way to determine the value of credentials, for instance by displaying the bank account balance of the infected user. Not having to log in to each account to determine its balance can be a huge time saver for a criminal. Although it would take a great deal of time to determine just how much money the Coreflood group has illicit access to, based on numbers seen in the database it is easily in the millions of dollars.
Study: Online banking possibly dicier than assumed
By JORDAN ROBERTSON, AP Technology Writer
Wed Jul 23, 3:05 PM ET
SAN FRANCISCO - Many banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.
The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they've been conditioned to ignore potential clues about whether the banking site they're visiting is real — or a bogus site served up by hackers.
That's the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.
The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren't detailing which banks had problems, however.
"We want banks to make the right decisions so people who are trying to be careful can do online banking securely," said the paper's lead researcher, Atul Prakash, a professor of computer science and engineering.
The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses — which an outsider can figure out — as default user names.
All of those banking tactics put users at risk.
"Conventional wisdom is that the clients — or PCs — are inherently insecure devices," said Avivah Litan, a banking security analyst with Gartner Inc. "What this study shows is that the servers — or the bank and other consumer-facing Web sites — are also inherently insecure."
The research didn't uncover vulnerabilities in the Web sites themselves, or problems with the sites' coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits.
One of the biggest problems: Even if the login boxes on banks' pages are properly secured — meaning they send and receive encrypted data through a technology known as Secure Sockets Layer — if the full page itself isn't protected with the same technology, it's more difficult to tell whether the site is real or fake.
SSL-equipped sites show a padlock icon in the address bar and signal not only the encryption technology but also that the site's owner is legitimate.
Also: If users aren't notified that they're being taken to another site — say a bank uses a partner site for online bill-paying — then it's hard to determine if the new site is trustworthy, because the online registration certificate carries a different company's name.
So even if they were inclined to dig that deep, consumers could still fall victim to "phishing" scams because they're accustomed to entering personal information into a site that isn't their bank's — and hasn't been clearly vouched for by the bank.
Hackers could take advantage by sending them bogus pages dressed up like the bank's Web site. That site would then redirect to another site under the criminal's control, and users might not question the redirection.
To fight that, the best protection remains: Don't click on links sent in e-mails.
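The three design flaws the article names (a "secure" login box on a page that is not itself served over SSL, a login form that hands credentials to a host belonging to a different company, and an SSN or e-mail address used as the user name) can each be checked mechanically from the page's HTML. The following is an added example written for this page, not code from the Michigan study or from any bank; the page URLs, the markup and the field-name heuristic are constructed, and the "same site" comparison is a deliberately crude last-two-labels approximation.

```python
"""Check a bank login page's HTML for the design flaws the Michigan study
describes: a 'secure' login form on an insecure page, a form that hands
credentials to a different site, and SSN or e-mail addresses used as the
user name. Added example, not from the study or the article; the page URLs,
HTML and field-name heuristics are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and the <input> tags it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _site(hostname):
    """Crude registrable-domain approximation (last two labels). Fine for the
    constructed samples; a real scanner would use the public suffix list."""
    if not hostname:
        return ""
    return ".".join(hostname.lower().split(".")[-2:])


def _looks_like_ssn_or_email(inp):
    """Heuristic: user-name field that asks for an SSN or e-mail address."""
    text = " ".join(str(inp.get(k) or "") for k in ("name", "id", "placeholder")).lower()
    return ((inp.get("type") or "").lower() == "email"
            or "ssn" in text or "social" in text or "email" in text)


def check_login_page(page_url, html):
    """Return a list of (flaw, detail) tuples for the login forms on one page."""
    page = urlsplit(page_url)
    findings = []
    if page.scheme != "https":
        findings.append(("insecure-page", f"login page served over {page.scheme}"))
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        inputs = form["inputs"]
        if not any((i.get("type") or "").lower() == "password" for i in inputs):
            continue  # no password field, so not a login form
        action = urlsplit(urljoin(page_url, form["action"]))
        if action.scheme != "https":
            findings.append(("insecure-form-action", action.geturl()))
        if action.hostname and _site(action.hostname) != _site(page.hostname):
            findings.append(("third-party-handoff", action.hostname))
        for i in inputs:
            if (i.get("type") or "text").lower() in ("text", "email") and _looks_like_ssn_or_email(i):
                findings.append(("guessable-username", i.get("name") or "?"))
    return findings


# Constructed sample pages (not real bank markup).
SAMPLE_PAGES = {
    # Flaw 1: a 'secure login' box embedded in a plain-http home page, with
    # the customer's SSN as the user name.
    "http://www.examplebank.test/": """
      <html><body>
        <form action="https://online.examplebank.test/login" method="post">
          <input type="text" name="ssn" placeholder="Social Security Number">
          <input type="password" name="pin">
          <input type="submit" value="Secure Login">
        </form>
      </body></html>""",
    # Flaw 2: HTTPS page, but bill-pay credentials go to an unrelated site.
    "https://online.examplebank.test/billpay": """
      <html><body>
        <form action="https://www.billpay-partner.test/auth" method="post">
          <input type="text" name="username">
          <input type="password" name="password">
        </form>
      </body></html>""",
    # Clean: HTTPS page, same-site action, opaque user name.
    "https://online.examplebank.test/login": """
      <html><body>
        <form action="/login" method="post">
          <input type="text" name="username">
          <input type="password" name="password">
        </form>
      </body></html>""",
}


def audit_all(pages=SAMPLE_PAGES):
    """Run the check over every constructed page; url -> list of findings."""
    return {url: check_login_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, found in audit_all().items():
        print(url, found or "no flaws found")
```

The check only looks at markup and URLs, which matches the study's point that these are layout and flow decisions rather than code vulnerabilities; the subdomain handoff to online.examplebank.test is accepted because it stays within the bank's own site, while the bill-pay partner is flagged because the certificate a user would see there carries another company's name.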
By JORDAN ROBERTSON, AP Technology Writer
Wed Jul 23, 3:05 PM ET
SAN FRANCISCO - Many banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.
The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they've been conditioned to ignore potential clues about whether the banking site they're visiting is real — or a bogus site served up by hackers.
That's the conclusion of University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.
The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren't detailing which banks had problems, however.
"We want banks to make the right decisions so people who are trying to be careful can do online banking securely," said the paper's lead researcher, Atul Prakash, a professor of computer science and engineering.
The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses — which an outsider can figure out — as default user names.
All of those banking tactics put users at risk.
"Conventional wisdom is that the clients — or PCs — are inherently insecure devices," said Avivah Litan, a banking security analyst with Gartner Inc. "What this study shows is that the servers — or the bank and other consumer-facing Web sites — are also inherently insecure."
The research didn't uncover vulnerabilities in the Web sites themselves, or problems with the sites' coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits.
One of the biggest problems: Even if the login boxes on banks' pages are properly secured — meaning they send and receive encrypted data through a technology known as Secure Sockets Layer — if the full page itself isn't protected with the same technology, it's more difficult to tell whether the site is real or fake.
SSL-equipped sites show a padlock icon in the address bar and signal not only the encryption technology but also that the site's owner is legitimate.
Also: If users aren't notified that they're being taken to another site — say a bank uses a partner site for online bill-paying — then it's hard to determine if the new site is trustworthy, because the online registration certificate carries a different company's name.
So even if they were inclined to dig that deep, consumers could still fall victim to "phishing" scams because they're accustomed to entering personal information into a site that isn't their bank's — and hasn't been clearly vouched for by the bank.
Hackers could take advantage by sending them bogus pages dressed up like the bank's Web site. That site would then redirect to another site under the criminal's control, and users might not question the redirection.
To fight that, the best protection remains: Don't click on links sent in e-mails.
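Two of the design flaws described above (a "secure" login box on a page that is not itself served over SSL, and a form that silently hands the user off to a partner site under a different name) can be checked mechanically. The following audit script is an added example, not code from the study or from any bank; the page URLs, host names and HTML snippets are constructed, and the "same bank" test uses a simplified last-two-labels domain comparison.

```python
"""Audit a login page for two of the design flaws in the study:
the page itself not served over SSL/TLS, and a login form that posts
to a host outside the bank's own domain (example code, constructed)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def registrable_domain(host):
    """Simplification: treat the last two labels as the bank's domain
    (assumption; real audits need a public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])


def audit_login_page(page_url, html):
    """Return a list of findings for the page at page_url with body html."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page itself is not served over SSL/TLS")
    parser = FormFinder()
    parser.feed(html)
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if target.scheme != "https":
            findings.append(f"form posts over {target.scheme}: {action}")
        if registrable_domain(target.hostname) != registrable_domain(page.hostname):
            findings.append(f"form posts to third-party host {target.hostname}")
    return findings


# Constructed sample pages: a plain-HTTP front page whose login box hands
# the customer to a bill-pay partner, and an all-HTTPS same-domain login.
INSECURE_PAGE = ('<html><body><form action="https://billpay.example-partner.com/login"'
                 ' method="post"><input name="user"><input name="pw"></form></body></html>')
SECURE_PAGE = ('<html><body><form action="/auth" method="post">'
               '<input name="user"><input name="pw"></form></body></html>')

if __name__ == "__main__":
    for url, body in (("http://www.example-bank.com/", INSECURE_PAGE),
                      ("https://www.example-bank.com/login", SECURE_PAGE)):
        print(url, audit_login_page(url, body) or ["no findings"])
```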