Category Archives: Security

Audio Files and Breaches

On occasion I get asked whether the data stored in call center systems, such as audio recordings and screenshots, is also regulated. Lately I have been asked if there is some way to easily find just the sensitive information in audio or video files and encrypt or hash it without affecting the rest of the data.

At first I thought this a strange question. It is the kind of question where I have to wonder if the person asking already has the answer but they hope for some kind of miracle or change in the laws of physics that will save them a huge headache. Then I came to hear about a massive breach that involved 57 hard drives with call center data.

The Blue Cross Blue Shield story is tragic. The Eastgate Hard Drive Theft has cost over $7 million thus far and required nearly six months of dedicated forensics work to clarify who is affected. A press release from BCBS revealed more than a half million customers had their information on the drives.

As of February 18, 2010, the total number of current and former members having been identified remains at 521,761, with 220,133 members in the Tier 3 category and 301,628 members in the Tier 2 category.

The tiers are set by risk level, meaning the amount of data exposed. Tier 3 is the highest risk, with name, Social Security number, date of birth and address.

Throughout the press releases, stories, and official breach letter it is hard not to see a clear theme of encryption. Although some may have continued to question how best to secure call center data up until now, this breach essentially puts the discussion in a whole new light. The use of drive or full database encryption for systems holding audio and help files like screenshots will from this point on have a much clearer risk profile. In fact, it will no longer be sufficient to encrypt. I expect pressure to rise to remove sensitive information from the audio files altogether, or to prevent it from being archived. The PCI security standard, under Requirement 3.2, is already headed in this direction.

This also reminds me of the RAF incident last year.

The breach involves audio recordings with high-ranking air force officers who were being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories — information the military needed to determine their security risk. The recordings were stored on three unencrypted hard drives that disappeared last year.

Time to raise the bar and introduce better controls for media storage.

Ticket-hackmaster

The curious thing about the ticket sales model is authorization. Ticketmaster was authorized to sell tickets, but when a group bought all the tickets and resold them for profit, they fell into trouble with the law. SFGate reports on the Alameda man charged in ticket-hacking scam:

Lowson and Kirsch were part owners of Wiseguys, while Stevenson was the company’s chief computer programmer and Nahdi was chief financial officer, authorities said. The men created computer programs that bombarded online ticket vendors including Ticketmaster.com and purchased tickets automatically by impersonating individual visitors, investigators said.

Joel Stevenson faces a 43-count indictment and charges of wire fraud — his work earned an estimated $25 million.

Starbucks’ Security Policy

The Associated Press ran a story called Buzz and bullets: Gun fans cheer Starbucks’ policy that gives a good indication of a hot topic in the US:

Dale Welch recently walked into a Starbucks in Virginia, handgun strapped to his waist, and ordered a banana Frappuccino with a cinnamon bun.

Sounds like the start of a bad joke, right?

They make a banana flavored “Frappuccino” now? People drink this? A cinnamon bun on the same order and a case can easily be made that some Americans have lost their senses.

Perhaps he needed the gun to help convince the staff to put the two items on the same order. “Give me as much corn-sweetener as possible, to go, now!”

You think that is funny? There is more, like this sentence:

…about 100 activists bearing arms had planned to go to a California Pizza Kitchen in Walnut Creek, Calif., but after it became clear they weren’t welcome they went to another restaurant.

Walnut Creek? A wealthy white suburban conservative neighborhood was the target of a pro-gun rally? Hardly risky territory for a pro-gun group, but even with the stats in their favor they backed down. Why? Perhaps they realized they didn’t like pizza anyway.

This reminds me of how basic rights are lost on private property. You lose your First Amendment freedom of expression if you step into a Starbucks. Do gun activists feel they should get special treatment for a later Amendment? Start with the first. I have seen some say they believe this is about individual rights, but I doubt they really want to share a stage at Starbucks with speech activists.

Moreover, a security perspective sets aside individual rights and brings it all back to a question of how to manage risk. When those allowed to carry guns are clearly known to have a service role (federal, state, etc.) you have a very different situation. A police officer with a weapon has a uniform, a badge with a number, etc. to make them easily identifiable as someone trained and trusted with a weapon. This is common around the world because service personnel are essentially trusted. The idea of a random individual carrying a gun onto private property (the individual rights argument) opens a whole different can of worms related to authentication and authorization. How do you, as a customer, let alone a shop owner, make a risk judgment in a world of individuals carrying firearms? In other words, if free speech has already been deemed too risky and is not allowed on private property for random individuals, one would presume carrying a firearm would be treated with the same or even more caution.

Seriously, though, when you think about chain pizza, syrupy coffee and cinnamon rolls this is hardly a story about fundamental rights or even security. Those are just a cover. It tastes more like a marketing campaign with some free press to promote expensive designer fashion food to a group most likely to pay for it — customer relationship management.

Bad Auditors and PCI

Evan Schuman tries to take a cheap shot at the PCI Council on StorefrontBacktalk. It’s a strange article called PCI Council And Passwords: Do As We Say, Not As We Do.

First, to be fair, what’s being protected is not especially sensitive. Specifically, the password is not intended to keep out prying eyes. Rather, its sole purpose seems to be to keep meddling fingers away.

That caveat is extremely important. You really do not need to read any further since the rest of the article is misleading. I’ll try to explain here why it is also wrong.

Companies that must adhere to PCI should take a risk-based approach. This guidance is supported by the PCI Council. This means, in brief, that the most critical assets should be protected while non-assets and non-critical assets should get less attention and effort. Payment card data is the focus of the Council, and that is why you see a great deal of money, time and talent focused on keeping payment card information safe. You should not see, and usually do not, security efforts focused on things that can be easily replaced, are not vulnerable, and have a low likelihood of attack. This can be expressed with the formula: Risk = (Asset Value × Vulnerability × Threat) / Countermeasures

Mr. Schuman again raises this obvious point:

As mentioned earlier, these documents don’t include credit card numbers or other sensitive information. But if the decision is made to lock them down, there’s presumably a reason. If the concern is that QSAs or merchants can change the document, then the Council needs to choose a password that will indeed create the desired protection.

Perhaps they put the password on the document as a test to see who would be foolish enough to complain about it.

The article should not have continued past the point that there is no payment card information in the Word document. I would wager they have already succeeded in creating the desired protection. What would the author suggest as a replacement, given that there is clearly no sensitivity, it’s trivial to crack a Word password, and it has to function as a shared secret?

The article, contrary to Mr. Schuman’s claims, raises neither irony nor interesting points.

It reads like someone standing outside a bank complaining that the flowers next to the sidewalk can be stepped on, and therefore the bank is not following appropriate precautions to protect its money. Smart auditors know where to draw the line on scope. The author of this article does not show an ability to draw any lines; he awards himself the honor of appearing like a really bad auditor.

Companies that handle payment card information do not need this kind of noise and nonsense from an auditor. They need to hear opinions that reflect the reality of today’s threats and vulnerabilities, and to work with someone who understands how information assets are valued before issuing edicts for every pebble they stumble upon.