Category Archives: Security

Visa adds Corporate Franchise Servicer to Third Party Agent Program

Visa has released an updated report on security breaches. It shows clearly that, within the retail industry, level 4 franchises are being breached the vast majority of the time (96-97% from January 2009 to June 2010). Restaurants and lodging/hotels make up about 35% of those breaches.

A proposed explanation for this is “Many Corporate Franchisors have traditionally fallen outside the scope of Merchant and Agent PCI DSS validation programs”. One might conclude from that statement that those who fall inside the scope of compliance are breached far less than those who are outside.

The most common attack vectors are said to be keyloggers and memory parsers. Default accounts, misconfigured network settings (e.g. direct remote access to a database holding cardholder information), and single-factor remote access are also cited as contributing factors. Web attacks account for a relatively small share. Eight countermeasures are suggested:

  • For remote access, consider two-factor authentication
  • Utilize host / application / network based Intrusion Detection Systems (“IDS”). Ensure a sound notification system is in place
  • Utilize host / application / network based Intrusion Prevention Systems (“IPS”). Ensure a sound notification system is in place
  • Ensure antivirus, anti-spyware and anti-malware software are up-to-date. Ensure a sound notification system is in place
  • Implement file integrity monitoring to detect and alert security personnel of unauthorized file changes
  • Periodically reboot Point-of-Sale systems to clear volatile memory
  • Include patch management, password management and the overall security configuration
  • Regular application penetration tests are essential in combating known vulnerabilities (including SQL injection, Cross-site scripting, etc.)

A new category has thus been created by Visa (Corporate Franchise Servicer) to address these breaches. It will not increase requirements for any entity already validating PCI DSS compliance.

Ethanol Tax Subsidy Bashed

Some very compelling arguments on CNN for ending the ethanol tax subsidy.

“The news that this tax credit is subsidizing exports undermines the argument that ethanol is needed to help end our oil dependency,” said Sasha Lyutse, a policy analyst at the Natural Resources Defense Council, responding in a blog post to a story first published this weekend in the Financial Times.

The ethanol exports also aren’t sitting well with food industry associations, which say that increasing ethanol use is driving up the price of corn.

“At the end of the day, we’re all trying to get the same bushel of corn,” said Kristina Butts, legislative director for the National Cattlemen’s Beef Association. “This is a mature industry. It should stand on its own.”

Body Scan Images Leaked

The scanner in question was not used for air travel. Perhaps even more ironic, it was in a courthouse. Gizmodo took a cue from an EPIC lawsuit (PDF of complaint to the US DoJ) and filed a Freedom of Information Act (FOIA) request for 35,000 images saved by this one scanner under odd circumstances.

Their report shows quite clearly how hard it will be to trust anyone running these systems; it is called “One Hundred Naked Citizens: One Hundred Leaked Body Scans”.

A Gizmodo investigation has revealed 100 of the photographs saved by the Gen 2 millimeter wave scanner from Brijot Imaging Systems, Inc., obtained by a FOIA request after it was recently revealed that U.S. Marshals operating the machine in the Orlando, Florida courthouse had improperly (perhaps illegally) saved images of the scans of public servants and private citizens.

Reminds me of when I worked many years ago to protect Radiology images and detect leaks by staff. Anyone working in health care should hold the safety and welfare of the patient in highest regard, and yet there is a nearly constant risk of breaches and leaks to the media. The celebrity cases, Farrah Fawcett and Octomom etc., may be the most known, but there are many, many others. Any image that was remotely interesting (imagine things swallowed, for example) quickly became a very high-value asset. You know what will happen when a professional sees something really interesting or funny and wants to show just one really close friend…and so information security again becomes the key to whether a product can survive.

I stopped going through body scanners a couple of months ago and so far so good. It has actually been without incident. Then again, I was not trying to taunt TSA staff and see how they can handle passenger resistance.

Facebook Messages Adoption Problem

A day after launch the BBC quoted the engineering manager in charge of the messages product. He was not optimistic:

I think we will have a little bit of an adoption problem…We’ve noticed that even for us, it takes a week or two before you really grab on and get this system.

What really happens in the cloud of data? How private and protected (confidential) is your data and how well is it protected from manual processes that could corrupt it (affect the integrity)?

Every time we turn on a new set of users we have to move their data from the old system to the new system – so one by one we have to run that process. Right now we are moving the first set of users over.

That does not sound well designed. He says it was really started as a way to copy the iPhone SMS interface to their site:

We were also frustrated about how SMS works. And we were fascinated by how the iPhone works. How those things funnel into Facebook. We wanted to do the same things for people without iPhones as well. We really wanted to pull those communication channels together and the rest kind of fell into place.

That certainly explains why there are no subject lines. They, of course, are calling it the next generation and a big change, etc. but I have yet to see any discussion of the security features in the system. Subject lines do more than just add overhead. They create segmentation. Where do users need segmentation most to protect their information? In the cloud, on Facebook, and in communication.

What do I mean by segmentation? Remember when you could tell that a message was spam because of the subject? It provides an additional data point that separates the wheat from the chaff, the Alices from the other Alices. The cost of SMS makes spamming on it prohibitive (or so I’ve been told endlessly by the carriers). What is proposed for the control framework on Facebook Messages, given they have adopted the iPhone SMS user interface (which, to be fair, was an adaptation of the Google Mail user interface) but removed the controls that are inherent to SMS and email?