Thursday, July 17, 2008

Gotta love this...

The simplicity and maliciousness of this one are pretty incredible... Those of you worried about the perimeter may need to spend more time looking inside...


NEWTON, Mass.--(BUSINESS WIRE)--Cyber-Ark, the privileged identity management specialists, says that the ongoing FiberWAN network lockout situation in San Francisco - where a network administrator has changed system passwords and is refusing to hand them over to administrators - could have been avoided if managers had operated a high-security approach to master passwords.

“This is yet another example of the power privileged identities, such as administrative passwords, have and the havoc they can cause in the wrong hands,” said Adam Bosnian, a vice president at Cyber-Ark. “Hackers, or rogue employees such as in this case, are savvier on how to create the most damage with the least effort these days, and the use of admin passwords does just that. Unfortunately, the San Francisco department left themselves wide open by not taking their privileged identity management seriously.”

The San Francisco Chronicle reported Monday that Terry Childs, a discontented computer network administrator for the Department of Technology, tampered with the FiberWAN, which contains San Francisco’s sensitive data, and created an administrative password that provided him access to the network. Childs refuses to give the elusive password to authorities, even after his arrest.

The city is estimating that this issue will cost millions in repairs. Though the network is running, there is still no way for IT administrators to access it.

“It is critical to take a more proactive approach to secure company back doors,” Bosnian adds, “Companies install complex systems for personal passwords and overlook the more numerous privileged passwords and identities that provide even more system access. These security breakdowns will continue to occur until these keys to the kingdom are securely centralized and managed.”

The San Francisco crisis follows numerous scandals within the last year such as the TJX disaster where millions of users’ data was compromised due to a breach involving administrative passwords.

Wednesday, July 02, 2008

IDaaS is garnering more discussion...

My buddy Matt Flynn and Matt Pollicove were exploring the topic of IdM as a Service, which we had been discussing in this post a while back...

While at Burton Group's Catalyst this year I had the chance to speak to some folks about this topic and the mindshare was very clear - automate everything you possibly can and use IdM to do it.

IdM products have matured to the point where they can log and gather thousands of events that feed reports that drive compliance (or non-compliance). The gotchas as I see them are these:

IdM is positioned horizontally and cuts across audit, security, and business process (operations) so it can become a political hot potato quickly

Organizations capture a ton of data today; where the wheat gets separated from the chaff is in making that data useful, and this is a subjective art project that masquerades as science a lot of the time. I'd be curious to see if data mining would and/or could do the same as IdM in reverse: look at raw data of what happened to build a better workflow based on actual events vs. what we think happened.

Bottom line is the bottom line. Automation helps us get smarter, behave more efficiently and lower costs while improving the service to the business cash registers.

Right?


Friday, June 13, 2008

The Yankees suck in a whole new way...

I had to share the following experience from my travels this week, because it goes to show that while we think we are secure, we're not: a good impersonation can get you places, and a horrible one will get you close enough to touch Derek Jeter, A-Rod, Posada, and Mo Rivera.

I was at a partner event in NYC Monday that was taking place at Yankee Stadium, where it was 100+ degrees on the field that day. I got to the stadium early and was told my ticket would be next to the press area, so I went to find it. I hiked around for a bit until I came to a barricaded area and stopped to see where I was and why it was barricaded. I couldn't figure it out, but I did see the big PRESS awning in back, so I walked around the barricade past two cops and over towards the press area.

I asked how I get my ticket, is there a list, etc. etc., and they said stay put, so I hung out and watched the police mill around, the Yankees personnel get ready, and the press people with legitimate credentials stroll by.

After a bit I noticed a parking area that a nice car had just pulled into, and I watched as it parked and the driver got out: it was Posada. He walked right by me, 10 feet away. It was starting to register that they had the area barricaded because this was where the players came in. Nobody said boo, nobody asked me anything, and I was chatting up cops, EMTs, the works.

Next player to walk by me: Rivera, who incidentally gave up the game-losing run that day. Then Jeter, then A-Rod, then Abreu. All within 10-20 feet, nodding their heads to a guy standing there with a shirt with a company logo on it and a computer bag.

My point to all of this: the cops and the presence of no less than 100 people there to keep idiots like me out did not keep me out. My identity was assumed to be press because I was carrying my Vignette bag (which must have been the dead giveaway) and had a golf shirt on with a logo on it (second clue). If our IT assets were this loose we'd be in even worse shape.

My second point is that the Yankees suck in a whole new way for me - their identity management and controls...

For those of you going to Catalyst, look for the guy in the kilt and the Red Sox hat and we can exchange barbs about the Yankees and my beloved Red Sox at the opening reception.

Monday, April 07, 2008

Ira Winkler says 'No' to Hannaford Inside Job

Ira Winkler has refuted my comments about Hannaford being an inside job:


I can tell you first hand that a breach of that scope is very “relatively” easy to commit when there is a motivated attacker with the time available. Again, I have broken into many of the top companies in the world, always having tremendous success in relatively short periods of time.


Ira, what have you seen in terms of those companies who have submitted their PCI audit reports? Are they easier to break in? Harder? I am curious if the PCI spec has helped or not. I have to believe that by its nature it has helped make systems more secure and harder to break into.


With regard to many servers being compromised, it sounds like the experts have not heard about automated attack tools. Nor have they considered that servers are generally installed identically throughout an organization, and that if you can compromise one of those systems, you can compromise many. Similarly given that there tends to be password reuse, if you compromise the password on one server, you have compromised many servers. Similarly, if there are trust relationships between the systems, the compromise of one system actually compromises many systems.


I have seen, played with, and heard of automated attack tools; they're what the script kiddies and lazy grey or black hats use to accelerate the desired results. You can buy a great set on eBay now, and of course IRC is the Devil's playground, but I digress...

The PCI spec, which Hannaford said it had met, is designed to take care of the low-hanging fruit of a breach. Weak passwords, the absence of consistent, measured, or documented processes, and poor encryption are all targets the PCI spec is designed to mitigate, keeping us lazy wannabe hackers out of systems.

Take a look at my other blog for more info on PCI...


Wednesday, April 02, 2008

Hannaford CEO Ron Hodge - Class Act

I just caught wind of the latest from Hannaford, and I hope Ron Hodge starts a trend amongst CEOs: accepting responsibility and dealing with a breach head on.

Nice work Mr. Hodge!


Hannaford Bros. CEO offers apology online, in leaflets

Hannaford Bros. supermarket shoppers are getting an apology in their shopping bags for a security breach that was disclosed two weeks ago. Chief executive Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help guard against any further attacks. He says the company is also considering, on a case-by-case basis, the out-of-pocket expenses faced by customers who had to cancel their cards. (AP)

Friday, March 28, 2008

More on Hannaford...

So they uncovered some more data on the breach at Hannaford this week, and it was reported that software was installed on every server in their 300 stores, and that they weren't sure how the software was installed.

Let me give you my top 3 guesses:

1. An insider
2. An Insider
3. an insider

It was also reported that the software was installed at the point of sale to capture the swipes and the information. It was also reported that Hannaford did not store the credit card data.

If they had truly met the PCI standard then the entire chain would have been encrypted and the endpoints would be locked down, and this wouldn't have happened. If retailers do not work with their vendors that make up the processing chain then this kind of thing will continue to happen.

I can point fingers at the PCI spec, at Hannaford, at the manufacturer of the systems, but the bottom line is that there is one person at Hannaford whose responsibility this is: the CEO. This is his puppy, and if his puppy is running around crapping in the neighbors' yards, biting kids, etc., the fact that he didn't see it happen doesn't mean you don't put a leash on the dog. Common sense dictates that.

Had their authentication and identity audit practices been regularly tested and reviewed, they would have noticed after the second install of the software had taken place, or after they realized that 1 person accessed 1,000 servers and 300 endpoints, that they were an admin based in Scarborough, and that they had given themselves root access on New Year's Eve... well, hopefully you get the idea. This is common sense to most of us, with or without lots of letters after our names a la CISSP, CISA, CISM, etc.
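The audit review described above, as an added example (not the author's or Hannaford's code): a small Python check over constructed audit log lines that flags any one account fanning out to an unusual number of hosts, and root grants made outside an assumed change window or on a weekend. The log format, account and host names, fan-out threshold and change window are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from any real system).
# Format: <ISO timestamp> <account> <host> <action> [<target>]
SAMPLE_LOG = """\
2007-12-31T23:55:40 jdoe srv-store-001 grant_root svc_deploy
2007-12-31T23:58:02 svc_deploy srv-store-001 exec install_agent
2007-12-31T23:58:05 svc_deploy srv-store-002 exec install_agent
2007-12-31T23:58:09 svc_deploy srv-store-003 exec install_agent
2008-01-02T09:15:00 asmith srv-hq-01 login
2008-01-02T09:20:00 asmith srv-hq-02 login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\S+))?$")


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, host, action, target = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "action": action, "target": target})
    return events


def hosts_per_account(events):
    """Number of distinct hosts each account touched in the window."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["account"]].add(e["host"])
    return {a: len(h) for a, h in hosts.items()}


def flag_fanout(events, max_hosts):
    """Accounts whose host fan-out exceeds the assumed threshold."""
    return sorted(a for a, n in hosts_per_account(events).items() if n > max_hosts)


def flag_offhours_privilege(events, change_window=(8, 18)):
    """Root grants on a weekend or outside the assumed change window (hours)."""
    start, end = change_window
    flagged = []
    for e in events:
        ts = e["ts"]
        if e["action"] == "grant_root" and (ts.weekday() >= 5 or not start <= ts.hour < end):
            flagged.append((e["account"], e["target"], e["host"], ts.isoformat()))
    return flagged
```

Run over a real identity audit feed, the same two checks give a reviewer a short daily list of "who reached how many hosts" and "who was made root, when" rather than a pile of raw events.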

When all is said and done, this will be the work of an insider. Who it was is less interesting than why they did it.

Here is a reprint of the article in the Boston Globe:

The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.

The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

Monday, March 24, 2008

Hannaford Supermarkets - Welcome to the Club

So this one hits close to home for me, since I frequent Hannaford Brothers 2-3 times per week. It hits even closer to home because I have contacted their CIO, CFO, and several folks in their IT group offering help for the past two years.

Why?

It is in my best interest to protect my information with the companies I do business with and especially those companies in my backyard. I have done the same for Tiffany, LL Bean, and a dozen more online and brick and mortar retailers too.

Why?

Mathematically speaking, every US Citizen's identity has been compromised.

So to the Management at Hannaford -

(Mr. Ron Hodge) here is my list of people that I have contacted in the past two years to prevent this from happening. I will also tell you that this whole issue could have been prevented for under $200,000:

Bill Homa - CIO
Jeff Reeder - CFO
Kevin Carleton - Director of Retail Operations
Tricia Gilbert - IS Auditor
John McFarland - Enterprise Systems Team Lead

Add to this list past folks who either had the sense to leave before the doo doo hit the fan, or to bail before they were called out by someone in the industry like me:

Paul Fritzson - CFO
David Fournier - IT Security Specialist

If anyone from Hannaford Brothers reads this, please get back to me. I am still in a position to help, and I will wait for the phone call from Lifelock to see if the 1800 cases of fraud reported thus far will soon include me.

Oh, and an official welcome to the Level 1 PCI Club because of the breach. Hannaford was already there handling more than 6M transactions (wonder when they filed), and now this breach ensures some new expenses every quarter that will be passed on to consumers and tourists in a few weeks...

identitystuff@gmail.com
