
April 2008 Archives

April 2, 2008

Hannaford extrusion event - threat modeling a retail network

Two weeks ago - after I heard about 4.2 million credit card numbers being stolen at the Hannaford Bros. supermarket chain - I wrote that it looked like an inside job.

I hate to gloat, but I am willing to wager that they never did a practical threat analysis of their point-of-sale system, and here is why.

Boston.com reported last Friday that Hannaford believes it was the victim of a sophisticated malware attack that stole credit card numbers at POS terminals and transferred the data overseas.

I love the overseas bit - it's so American - yeah - all the bad guys live "overseas". Ooo - "overseas" is exotic and mysterious. Get with it people - there is no "overseas" in the Internet - you can store an FTP server with stolen credit card numbers in Myanmar or in San Diego - it don't make no difference.

You can do this exploit with a 10-line shell script.

This is not sophisticated malware that some overseas attacker sneaked onto 300 servers. The attack surface for the extrusion event might be 300 stores and all their cash registers, but it is far more probable that the attack surface is a single server: a centralized payment authorization gateway that stores temporary files.
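Here is the concrete form of that threat-model check, added as an example (it is not code from the original post and not anything Hannaford ran): scan the working directory of the authorization gateway for Luhn-valid primary account numbers sitting in temporary files and logs. If a scan like this turns up hits on one host, that host, not 300 stores of cash registers, is where the extrusion risk concentrates. The file names, log formats and directory layout are constructed for the demonstration; the card numbers are the commonly published Visa and Mastercard test numbers, not real cards.

```python
import re
import tempfile
from pathlib import Path

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits; a findings report must not repeat the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Masked, Luhn-valid card numbers in text. Luhn filters out most order and txn numbers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_directory(root) -> dict:
    """Map file name -> masked PANs for every file under root that holds card data."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            pans = find_pans(path.read_text(errors="replace"))
            if pans:
                hits[path.name] = pans
    return hits


# Constructed sample files standing in for a gateway's working directory.
# Names and record formats are hypothetical; the PANs are published test numbers.
SAMPLE_FILES = {
    # a debug log that echoes the whole authorization request
    "auth_20080228.tmp": (
        "2008-02-28T10:15:22 txn=00012345 store=0217 amount=42.17 "
        "pan=4111 1111 1111 1111 exp=0910 result=APPROVED\n"
        "2008-02-28T10:15:23 txn=00012346 store=0217 amount=9.99 "
        "pan=5555555555554444 exp=1109 result=APPROVED\n"
    ),
    # a settlement batch left behind after upload
    "settle_batch.csv": "0217,00012345,42.17,4242-4242-4242-4242\n",
    # an order log whose 16-digit order number fails Luhn, so it is not reported
    "orders.log": "2008-02-28T10:16:01 order=1234567890123456 store=0217 items=3\n",
}


def demo() -> dict:
    """Write the constructed files into a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_FILES.items():
            (Path(tmp) / name).write_text(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, pans in demo().items():
        print(f"{name}: {', '.join(pans)}")
```

Run it against the real spool, log and temp directories of the gateway host rather than the constructed files; anything it reports is cardholder data at rest that a script of the same size could just as easily upload.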


April 3, 2008

Independent Living

The essence of medicine is the ability to live independently and to use our doctors as consultants.

I was riding with my friend and neighbor, Eli Segal to an event at Intel Fab8 in Jerusalem last night - the fab was just closed (and will be converted to a factory doing die casting...) - the factory automation and IT staff were invited to a going away party - including all the employees that ever worked in Fab8 AIT.

Eli is CEO of a medical instrument startup in Nazareth, and we were discussing the issue of how to ensure that older people have a better quality of life. Older people like my Mom, who died of MSA, have multiple problems and take multiple drugs with multiple, sometimes life-threatening, interactions. They visit different doctors, land in hospital and see doctors who have little idea of the current status of the patient they are seeing, sometimes for the first time.


April 4, 2008

Security sturm und drang - selling fear.

Sturm und Drang "came to be associated with literature or music aiming to frighten the audience or imbue them with extremes of emotion".

The Symantec Internet Security Threat Report is a good example of the sturm und drang marketing endemic in the information security industry.

Vendors like Symantec sell fear, not security products, when they report on "Rises on Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain", without suggesting cost-effective security countermeasures.


April 6, 2008

5 reasons IT projects fail

Why IT projects fail

I saw this item a while back saying that a recent Gartner study predicts that by 2008, 90% of all organizations will fail in their first attempt at data governance.

Of course first attempts at data governance, compliance and risk management fail. It has been a fact of life for a long time that organizations find it difficult and expensive to assimilate new information technologies, because of the complexity of the components and systems in a networked, distributed computing environment. Success with these technologies seems to be the exception rather than the rule. Back in the late 90s Gartner estimated that less than 50% of projects under $750K ever succeed, and the statistics are not getting better.

Here are 5 reasons you will fail in your next data governance, compliance, IT governance, risk management or custom application development project:

1. Using proprietary / closed source software
If you use proprietary closed source software, you will have difficulty knowing if a given vendor's product even works let alone be sure that you can confidently roll it out in production in a scalable fashion. Ask the vendor for a phone number of a live customer that runs the product with 10x more users and transaction traffic than you need at the moment. If you get a number, make the call.

2. Under-estimating the challenges of system integration
After corporate IT has taken its infrastructure decisions, you still have to develop, integrate and manage the different technologies for server, client, network, security, GUI, reliability, scalability and so on. Enterprise risk management projects can be the valley of death for system integrators.

3. Accepting a project schedule doomed to failure
Because of pressure to introduce products quickly and to comply with external regulation by some arbitrary date (the mantra of time to market rather than time to quality), many software tool and application vendors release buggy and immature products, at a rate faster than customers can absorb.

4. BLTB – Blind leading the blind syndrome
Many IT infrastructure and product decisions are taken without inputs from developers and technical people who actually have had real-world experience with the product. For example - a strategic decision to install a particular RDBMS product is forged between a sales person who knows nothing about SQL selling to a manager who read a report in Gartner.

5. OMS - over-management syndrome
Many organizations turn to outsourcing companies for new applications and technology migration. The customer and contractor often both have OMS, "over-management syndrome". A customer we know recently contracted with a large systems integrator for a small prototype in Visual Basic that would serve as a proof of concept. The system integrator assigned an account manager, a project manager and a human factors manager to manage the two people actually doing the work: a GUI designer who was a contractor to the SI, and a VB coder with 2 years of experience. This was a Kafkaesque example of an OMS-afflicted organization with BLTB-afflicted management supervising mediocre staff.

April 25, 2008

What is the best way for a business to prevent data breaches?

Let's start with the short version of the answer - use your common sense before reading vendor collateral. I think PT Barnum once said "There is a sucker born every minute" in the famous Cardiff Giant hoax (although some say it was his competitor, Mr. George Hull).

I recently saw an interesting blog post by Kachina Dunn, "No Joke, Microsoft Got This Security Question Right".

The gist of the post is that the UAC (User Account Control) feature in Windows Vista was deliberately designed to annoy users and increase security awareness, which is a good thing. The post got me thinking about the role of security vendors in mitigating data breach events.

Ms. Dunn quotes Carl Weinschenk from a February interview with a security vendor (Mr. Weinschenk is a professional journalist and colleague of Ms. Dunn on the staff of IT Business Edge):

"Positive Networks surveyed IT security pros at small companies and enterprises, 20 percent had experienced a personal data breach — and 20 percent had also experienced a data breach in their companies. The consensus among those IT pros was that stronger security, specifically two-factor, was necessary but not present within their IT departments. And the breaches just keep happening."

1) "data breaches just keep on happening". Of course data breaches keep on happening, because data vulnerabilities continue to go unmitigated.

Most security breaches are attacks by insiders, and most attackers are trusted people who exploit software system vulnerabilities (bugs, weak passwords, default configurations and so on). Neither security awareness nor UAC is an effective countermeasure against a trusted insider who exploits a system vulnerability, whether the attack is premeditated or not.

2)"two-factor authentication is necessary"

As a matter of fact, two-factor authentication is not an effective security countermeasure for internally launched attacks on data performed by authenticated users (employees, outsourcing contractors and authorized agents of the company). It is understandable that vendors want to promote their products: Positive Networks and RSA are both vendors of two-factor authentication products, and both have a vested interest in linking their products to customers' data breach pain.

Unfortunately for the rest of us, the economics of the current security product market run contrary to the needs of customer organizations. Security vendors like Positive Networks and RSA have no economic incentive to reduce data breaches and mitigate vulnerabilities, since that would reduce their product and service revenue.

Au contraire - the best marketing strategy for companies like RSA, Positive Networks and Symantec is to stimulate market demand with threat indicators and place the burden of proof of effectiveness of their security countermeasures on the end user customers. If the customers don't buy - it's their fault and if they do buy but remain vulnerable, we can always blame overseas hackers.

3) "white listing applications is an effective tactic"

At this year's RSA conference, Microsoft officials spoke of layering "old-school (but effective) offensive tactics like white-listing applications".

White-listing a vulnerable application doesn't mitigate the risk of an authorized user using the application to steal data or abuse access rights.

One would certainly white-list the Oracle Discoverer application, since Oracle is a trusted software vendor. Users with privileges can use Oracle Discoverer to access the database and steal data. Since Oracle Discoverer generally transmits the password in clear text on the network, we have an additional vulnerability in the application.

Application/database firewalls like Imperva do not have the technical capability to detect or mitigate this exploit and therefore are not an effective security countermeasure.

Neither vendor marketing collateral and FUD, nor the IT security franchises riding the wave of compliance (PCI DSS and the like) and Facebook, are a replacement for a practical threat analysis of your business.

Your business, any business, be it small, medium or global enterprise, needs to perform a practical threat analysis of its vulnerabilities (human, technical and software) and the threats to its most sensitive assets, and then ascertain the right, cost-effective countermeasures within its economic constraints.
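As an added illustration of "cost-effective countermeasures within economic constraints" (this is example code written for this page, not the PTA risk assessment software the post refers to), the block below scores each threat by annualized loss expectancy (ALE = ARO x SLE) and then picks countermeasures greedily by ALE reduction per dollar of annual cost until the budget is spent. Every threat, rate, loss figure, countermeasure, cost and mitigation fraction is a constructed illustration, not data from Hannaford or from any vendor. The constructed inputs are chosen to show the argument of the post in numbers: two-factor authentication scores poorly because it does nothing against the largest threat, an authenticated insider.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    aro: float  # annualized rate of occurrence (events per year)
    sle: float  # single loss expectancy (cost of one event)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float  # assumed > 0
    mitigation: dict    # threat name -> fraction of that threat's loss removed


def residual_ale(threats, chosen) -> dict:
    """ALE per threat after the chosen countermeasures.

    Several mitigations of the same threat combine multiplicatively:
    two 50% controls leave 25% of the loss, not 0%.
    """
    residual = {}
    for t in threats:
        factor = 1.0
        for cm in chosen:
            factor *= 1.0 - cm.mitigation.get(t.name, 0.0)
        residual[t.name] = t.aro * t.sle * factor
    return residual


def select_countermeasures(threats, candidates, budget):
    """Greedy selection by ALE reduction per dollar, re-evaluated after each pick.

    Returns (chosen names, total annual cost, residual ALE across all threats).
    """
    chosen = []
    remaining = budget
    while True:
        current_total = sum(residual_ale(threats, chosen).values())
        affordable = [cm for cm in candidates
                      if cm not in chosen and cm.annual_cost <= remaining]
        if not affordable:
            break

        def benefit(cm):
            return current_total - sum(residual_ale(threats, chosen + [cm]).values())

        best = max(affordable, key=lambda cm: benefit(cm) / cm.annual_cost)
        if benefit(best) <= 0:
            break  # nothing left that reduces expected loss
        chosen.append(best)
        remaining -= best.annual_cost
    total_residual = sum(residual_ale(threats, chosen).values())
    return [cm.name for cm in chosen], budget - remaining, total_residual


# Constructed threats and countermeasures for the demonstration (hypothetical figures).
INSIDER = "insider dumps customer table"
SNIFF = "cleartext DB password sniffed on LAN"
POS = "malware on store POS"

THREATS = [
    Threat(INSIDER, aro=0.5, sle=400_000),  # ALE 200,000
    Threat(SNIFF, aro=0.2, sle=150_000),    # ALE  30,000
    Threat(POS, aro=0.1, sle=250_000),      # ALE  25,000
]

CANDIDATES = [
    Countermeasure("database activity monitoring", 40_000, {INSIDER: 0.6, SNIFF: 0.1}),
    Countermeasure("two-factor auth for remote access", 25_000, {SNIFF: 0.3, POS: 0.1}),
    Countermeasure("encrypt DB client connections", 5_000, {SNIFF: 0.9}),
    Countermeasure("application whitelisting on POS", 15_000, {POS: 0.7}),
]


def demo(budget=50_000):
    """Run the selection over the constructed inputs."""
    return select_countermeasures(THREATS, CANDIDATES, budget)


if __name__ == "__main__":
    names, cost, residual = demo()
    print("baseline ALE:", sum(residual_ale(THREATS, []).values()))
    print("chosen:", names, "cost:", cost, "residual ALE:", round(residual))
```

With these inputs the cheap connection encryption is picked first (the best reduction per dollar), then database activity monitoring against the insider threat; two-factor authentication is never chosen because the threats it touches are small and, after encryption, the sniffing threat is nearly gone. Swap in your own threat list and the same loop tells you which vendor pitch actually buys down risk.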

What is the best way for a person to protect personal data?

Short answer - develop a security mentality. Be alert. Be aware.

I've noticed that almost every press report of a customer data breach confuses the damage to the consumer with the damage to the business. In my last post I recommended that before acquiring any security products - the first thing a business should do is perform a practical threat analysis. Don't buy security countermeasures based on vendor claims or fancy white papers. Download our free risk assessment software and you'll see what I mean.

Last week I received an engaging email from Daniella Sevilla. I usually delete mails like this, but she managed to pique my interest.

Dani has been working on a project called MyDataIsMyData, which, as the name suggests, is trying to protect online data privacy. The past two weeks have seen a lot of press on Israeli soldiers uploading pictures to Facebook, so this particular threat vector has been on my mind.

The project was started in direct response to Facebook users' concerns about the Beacon controversy. Basically, they've developed a simple IE browser plugin that politely notifies you whenever you are surfing on a Facebook collaborator site that has access to your personal Facebook profile information. The MyDataIsMyData plugin installs in about a minute and it appears to be well behaved and stable on my Windows XP/SP2 notebook (I use Ubuntu Gutsy Gibbon for work...).

What I liked about their approach is that it's:
a) simple
b) light-weight and
c) it does a good job of maintaining a high level of awareness for potential exposure of personal information to Facebook affiliates.

One of my biggest problems with bloatware for Windows from companies like Symantec is that it takes over your machine and then your life.

MDIMD is a simple and effective way to help consumers develop a security mentality and protect their personally identifiable information.

Awareness is not a sufficient security countermeasure for malicious insiders or outsiders in a business, but for consumers it goes a long way.

April 28, 2008

Boss - I think someone stole our customer data

Hannaford is spending millions of dollars on new IT security tools. But those tools might not have prevented the theft of payment data from its systems. Jaikumar Vijayan of Computerworld online is beginning to ask the right questions in his article "Paying breach bill may not buy Hannaford full data protection".

The article says that the supermarket chain is spending millions of dollars on IT security upgrades and has replaced all the store servers.

The Hannaford customer data breach is troubling in itself but even more troubling is how the company and the industry relate to the event. Mr. Vijayan is correct to ask if all the new investments in IT security would have prevented the data breach.

What exactly happened here? Does anyone know? Neither the company, the State nor Visa are disclosing information. Yet, the company has gone ahead and awarded a multi year contract for millions of dollars to IBM.

What is the security and economic justification for such a large-scale investment? Or is it a large-scale exercise in fig leaves, public relations and spin?


April 29, 2008

Phishing for Fifties

A telemarketer called me at the office today with a pitch for a series of lectures for people aged 50+ - she knew my office number, my age, my marital status and home address. The pitch was for a series of lectures on quality of living.

Her next question was a request to "verify" my personal information.

All kinds of bells went off in my head; she was using a standard MO for phishing personal information. When I asked how they had my age etc., she said that the information was provided by the city of Modiin (where we live). Now it began to sound more like a customer data privacy issue.

I asked to be transferred to a supervisor, but she was unable to transfer me to someone who could supply an explanation. The web site - www.club50.co.il doesn't have a privacy statement and contains links to two external web sites that do web development and online content management; the nature of the relationship between Club 50 and the two other companies is unclear.

A phone call to Club 50 yielded little more besides an apologetic answer that the bosses are out.

About April 2008

This page contains all entries posted to Israeli Software in April 2008. They are listed from oldest to newest.


Creative Commons License
This weblog is licensed under a Creative Commons License.