Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a scheme to buy and resell cases of vintage French wine, Louis Vuitton handbags, Cartier jewelry and even a Roy Lichtenstein lithograph of Marilyn Monroe.

Seven waiters, he said, used lipstick-size electronic “skimmers” to extract data from the magnetic strips of American Express Centurion, or “black,” cards and other high- and no-limit credit cards belonging to patrons. Such customers, used to high credit card bills, would probably not have immediately noticed or been alerted by card companies to any suspicious activity on their accounts, Mr. Vance said. (“28 Indicted in Theft of Steakhouse Patrons’ Credit Card Data”, Noah Rosenberg, New York Times)

Patrons who kept their credit limit private were safe, as were those who ate at Peter Luger’s, because Luger’s only accepts nice, private cash.

Oh, and since I want to post this to New School, we would be unable to discuss this anecdote if the police hadn’t disclosed the modus operandi. And without disclosure from American Express, we can’t tell if this was caught by Common Point of Purchase analysis or something else. (It sounds like purchase-type analysis would likely not have worked: a steak dinner followed by vintage wine and Cartier jewelry is exactly the pattern a no-limit card is expected to show.) Maybe we’ll learn that during the trial, or maybe they’ll discuss it in meetings with their competitors at Visa and Mastercard.
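Since Common Point of Purchase analysis is the one detection technique the post names, here is an added example of how an issuer could run it: this is my illustration, not anything from the post or from American Express, and the card IDs, merchant names and transactions are constructed. The idea is to take the cards that later reported fraud, find which merchants they have in common, and then ask whether that overlap is surprising against the merchant’s overall customer base (a supermarket everyone visits will also “cover” every fraud card, but with no lift over the baseline fraud rate).

```python
from collections import defaultdict

# Constructed sample data (not real transactions): (card_id, merchant) pairs.
# Cards C01-C05 were later reported as fraud victims; C06-C25 were not.
FRAUD_CARDS = {f"C{i:02d}" for i in range(1, 6)}
TRANSACTIONS = (
    [(f"C{i:02d}", "Steakhouse") for i in range(1, 9)]   # all 5 fraud cards + 3 clean
    + [(f"C{i:02d}", "Megamart") for i in range(1, 26)]  # all 5 fraud cards + 20 clean
    + [("C02", "Coffee"), ("C03", "Coffee"), ("C09", "Coffee")]
    + [("C01", "Gas"), ("C04", "Gas"), ("C05", "Gas"), ("C10", "Gas"), ("C11", "Gas")]
)


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants as candidate skimming points.

    For each merchant we compute:
      coverage  - share of all fraud cards that transacted there
      precision - share of that merchant's distinct cards that went bad
      lift      - precision relative to the baseline fraud rate over all cards
      score     - coverage * lift, so a merchant must both touch most victims
                  and be worse than average to rank highly
    Merchants seen by fewer than min_fraud_cards victims are dropped as noise.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_at[merchant].add(card)
        all_cards.add(card)

    fraud_seen = fraud_cards & all_cards
    if not fraud_seen:
        return []
    baseline = len(fraud_seen) / len(all_cards)  # fraud rate across every card

    results = []
    for merchant, cards in cards_at.items():
        hits = cards & fraud_seen
        if len(hits) < min_fraud_cards:
            continue
        coverage = len(hits) / len(fraud_seen)
        precision = len(hits) / len(cards)
        lift = precision / baseline
        results.append({
            "merchant": merchant,
            "fraud_cards": len(hits),
            "coverage": coverage,
            "precision": precision,
            "lift": lift,
            "score": coverage * lift,
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{row['merchant']:<10} hits={row['fraud_cards']} "
              f"coverage={row['coverage']:.2f} precision={row['precision']:.2f} "
              f"lift={row['lift']:.2f} score={row['score']:.2f}")
```

On the constructed data the steakhouse comes out on top (every victim ate there and most of its cards went bad), the gas station ranks second on lift alone, and the supermarket, despite touching every victim, scores a lift of 1.0 because that is simply where everyone shops. The threshold on `min_fraud_cards` matters: with a handful of victims, a two-card overlap at a coffee shop is coincidence, not signal. A real issuer would also bound the transaction window to the period before each victim’s first fraudulent charge, which this example omits.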

Twitter Updates from Adam, 2011-11-19

Powered by Twitter Tools

Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of a problem. And it seems that Wim wants to make things better. And so we’re encouraging all four of our CISSP-holding readers to go vote for him, because we think that a whole lotta shaking going on would be, at worst, a not-bad thing.

How’s that for a heartfelt endorsement?

Ok, more seriously. ISC(2) offers up a certification in information security. There’s a big infosec community that doesn’t take that certification very seriously. That’s a problem that I’ve never had a motivation to try to solve, but Wim does, and I wish him the very best of luck. I think that the CISSP could do substantially better, and the first phase of that is to elect some outsiders to communicate a message that change is needed. What’s more, Wim is not a joke candidate, and he’s campaigned effectively for the role, getting lots of endorsements from people who are both worth listening to and who take this seriously enough that they wouldn’t open with a jokey lead.

And so Emergent Chaos is endorsing Wim, and hoping that some chaos and other worthwhile things start to emerge. You can read his statement on Jimmy Blake’s blog, and vote here.

Twitter Updates from Adam, 2011-11-18


Block Social Media, Get Pwned

At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead)

A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones that allow free use of sites like Facebook and Twitter.

Counterintuitive? Maybe, but it makes perfect sense when you consider how hooked most of us are on social media, say the study’s authors.

Rotman professor Dr. Walid Hejazi says employees banned from social networks often download software onto company computers allowing them to circumvent firewalls and access forbidden sites. Those programs let employees tweet on the job but also create security gaps hackers are happy to exploit. (“Being hacked? Your social media policy might be to blame”, Morgan Campbell, The Star)

A quick skim indicates that this study is based on a survey of Canadian companies which received 649 responses. Parts of the study are worrisome. (For example, their classification of breach types shows 46% had “Virus/Worms/Spyware” but only 9% had “bots,” and 20% had “phishing/pharming” while only 5% had “social engineering attacks.”) However, it seems plausible that organizations know that they’re hacked, and that organizations know if they have a social media policy, so the conclusion of a correlation or even causation may be reasonable. At the same time, it may be that there’s a causative effect of security-conscious organizations having both better intrusion detection activity and social media policies, or of organizations that are more likely to be hacked having more social media policies. I’m going to tentatively discount those hypotheses because the Verizon DBIR tells us that most organizations don’t detect their own hacks.

I also wanted to comment that a great many companies publicise their social media policies, and it’s probably possible to re-do this study with DatalossDB data.

I haven’t read the study in any detail (really!) but since it confirms my biases I decided to blog it early. Those biases include thinking that Angela Sasse’s “personal compliance budget” idea has a lot of explanatory power. Thanks to Bob Blakely for the pointer.

And there may be many others but they haven't been discovered

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London.

They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 protons, named after the discoverer of X-rays Wilhelm Conrad Roentgen; and Copernicium, or Cn, which has 112 protons and is named after the Polish astronomer Copernicus, who disrupted the view that the Earth was the center of the universe.

Breach disclosure and Moxie's Convergence

Two weeks ago I finally got a chance to see Moxie’s Convergence/Trust Agility talk in person. (Since this was at work, let me just re-iterate that this blog is my personal opinions about what I saw.) It’s very good stuff, and Moxie and I had a good side chat about enhancing the usability of Convergence in some little ways. But what I want to talk about is something that struck me as I listened to Moxie tell the story. He talks about how Comodo’s CEO talks about the attack, and how in order to prove it was Iran, Comodo released an IP address. That IP address enabled Moxie to discover that someone coming from the same IP address had downloaded his SSLSniff tool, and dragged him down a rabbit hole that led him to create Convergence. It also led him to see some of the search terms that the attacker used, and allowed him to assess their likely skill level.

Let me say that again: the attacker IP address being revealed revived and revitalized the debate about PKI and certificate authorities. Without that, the motivators and even the truth of the claim of clinical Advanced Persistent Cyber Ninja Dudes would have been hard to contest. Without that, we might have believed for a few more years the bizarre hypothesis that Certification Authorities are a useful part of internet trust. With the IP address Moxie was able to test those ideas, and show exactly how flawed they are.

Before I say the rest of what I want to say, let me say that I like Moxie. I think he’s a good guy, does really good work, and I always enjoy talking with him. But Moxie isn’t the “sort of person” who’s going to “fit in” at a London meeting with the Prime Minister. He might not have an easy time getting “read in” for “information sharing programs” operated by people who work for three letter agencies and think that a background check every year is a normal way to live. But we need different perspectives, backgrounds and approaches to learn as much as we can from data. If we limit it to those who “fit in,” then we implicitly limit the perspectives, frames and orientations which are brought to bear.

But let me give benefit of the doubt to those information sharing folks. They deserve it. Many of them are quite smart and hard-working. Several of the ones I met with recently had really interesting things to say. A fellow named Paul had fascinating things to say about the economics of information sharing–things I hadn’t heard before. And folks like Mudge are getting read in. So perhaps Moxie could get access to those meetings and mailing lists. If he agreed to limit how he distributed information, he could have maybe had access to those 4 bytes of Internet Protocol address.

If we treat that IP address like a nugget of treasure, he’s unlikely to see it, and if he sees it, he may be unable to talk about it. Moxie was able to analyze the attack because the information was published, not shared. Moxie was able to publish his analysis of the attack because the information was published, not shared. Moxie was able to tell a convincing story because the information was published, not shared. And I’m able to talk about and expand upon what he said because (wait for it!) the information was published, not shared.

We need to publish more data about what goes wrong, because when we do, we can share new ideas, let them cross-fertilize and sometimes even converge into progress.

[Update: thanks for the correction, Nicko.]