Tuesday, December 31, 2013

Encryption Technology: A Growing Need at Midsize Firms

Added on Dec 30, 2013
Topic: Security & Resiliency
A new encryption technology that protects data being moved between data centers aims to add a new level of security. This latest news is an example of the need for cryptographic technologies to protect corporate data. IT professionals at midsize firms who are considering various security measures can benefit from these latest advancements as they consider their own security needs when working with trusted IT consultants and vendors.
New Options
According to a recent article at Information Management, ID Quantique's new offering encrypts data in transit over fiber optic links, defending against attackers who tap those links (for example by bending the fiber so that light leaks out and can be collected). The data is then protected as it passes from one data center to another. The article points out that many types of firms can benefit from the solution; for example, banks running multiple data centers gain a stronger line of defense against hackers and cybercriminals who target fiber optic networks.
Cryptography for Midsize Firms
Cryptography and encryption technologies are key to helping firms of all sizes protect their data from attackers. Whether that data is flowing across the Internet or over fiber optic networks, these technologies can prevent cybercriminals from reading corporate data even if they have gained access to a target network. Encryption also enables firms to protect classified information and personal information against identity theft, and cryptographic solutions can provide authentication, non-repudiation, confidentiality and integrity controls.
IT professionals at midsize firms are tasked with protecting company data by enforcing security policies and incorporating the smartest data security solutions to keep data out of harm's way. The consumerization of IT, the bring-your-own-device movement and third-platform technologies such as cloud computing and virtualization have all caused IT managers to think about how they can best secure their data, and as a result, encryption has come to the forefront as a viable solution. A midsize firm may be striving to protect customer financial information or intellectual property from digital piracy while a smaller firm may want to secure remote user connections on its network. For both of them, encryption solutions may be the best options.
Due to limited resources, time and familiarity with the latest offerings on the market, many midsize IT professionals seek the guidance of experienced security vendors to help them encrypt their data in the most effective ways. The cryptographic building blocks include hash functions, symmetric (private-key) ciphers and public-key algorithms, each of which serves a different purpose. Understanding how these work and the concepts behind cryptography-based security is essential to choosing the right solution for a particular organization's information infrastructure.
Protecting Resources
Data sent between data centers and over the Internet is at greater risk of interception if the proper encryption technology solutions are not in place. IT professionals at midsize firms that combine strong encryption with other security measures can help to prevent possible hacks and breaches that can shut down productivity and hurt the firm's bottom line.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.


Sunday, December 29, 2013

Target says hackers took encrypted PIN data but can't crack it

Target Corp. said the cyber-crooks who hacked their way to approximately 40 million customer credit and debit card accounts during the holiday season accessed “strongly encrypted” PIN information.
Still, the retailer said Friday that it remains “confident that PIN numbers are safe and secure.”
The PIN data is encrypted as it’s entered by a customer at a keypad at checkout, protected with what’s known as Triple DES encryption, according to Target.
The PIN information stays encrypted within Target’s system and “remained encrypted when it was removed,” the Minneapolis-based company said.
The code can only be cracked when the data is received by Target’s external, independent payment processor, according to the retailer.
“What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” the company said Friday.
The retailer didn’t address the possibility that hackers sophisticated enough to execute a break-in during prime shopping season -- lasting from the crazed Black Friday weekend through Dec. 15 -- might be able to outwit the encryption defense.
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Target said.
The company said its investigation into the incident is “still in the early stages” and “is continuing and ongoing.”
Phony credit cards made with the stolen information are already being sold on the black market, according to some reports. A senator from Connecticut is calling for a probe into Target’s security infrastructure; several state attorneys general have asked for more information on the hack.
After the breach, Target’s perception among consumers hit its lowest point in more than six years, according to sentiment tracker YouGov BrandIndex.


Longtime RSA conference speaker cancels in light of NSA revelations

When Reuters broke a story revealing that RSA had entered into a $10 million secret agreement with the NSA to keep a flawed random-number generator, Dual_EC_DRBG, as the default in its BSafe library, effectively an NSA backdoor, some people scheduled to speak at RSA Conference USA 2014 said they would cancel their sessions if it were true.
A statement released days later by RSA was not enough for longtime RSA conference speaker Mikko Hypponen, chief research officer at F-Secure.
“Your company has issued a statement on the topic, but you have not denied this particular claim,” Hypponen said in an open letter posted online on Monday. “As my reaction to this, I'm cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.”
The speech Hypponen was scheduled to deliver was titled, “Governments as Malware Authors.”


Saturday, December 28, 2013

Data breach at Target highlights need to focus on cyber security


12/27/2013, 6 a.m.
As big banks and credit card companies scramble to protect consumers after a massive data breach at retail giant Target, small-business owners also should be concerned about cybersecurity.
Between Nov. 27 and Dec. 15, cyber thieves made off with data from 40 million credit and debit card accounts of people who shopped at Target’s 1,800 stores in the United States and 124 in Canada.
As stolen data flood the underground black market, at least three class-action lawsuits have been filed.
The U.S. Small Business Administration says cyber threats are an issue for everyone, and small businesses are becoming more common targets for such threats and crimes because they often have fewer preventive or responsive resources.
It offers some of the essentials in “What is cybersecurity?” its latest online training course.
With the help of technology and best practices, cybersecurity is the effort to protect computers, programs, networks and data from attack and damage.
Why is cybersecurity important?
Consider all the information you have that needs to be secure – personal information for employees, partner information, sensitive information for customers/clients, and sensitive business information.
It’s essential to do your part to keep these details safe and out of the hands of those who could use your data to compromise you, your employees and your small business.
CNN reports that nearly half of the data breaches that Verizon recorded in 2012 took place in companies with fewer than 1,000 employees. A Symantec report showed that 31 percent of all attacks in 2012 targeted businesses with fewer than 250 employees, and another Symantec report showed cyber attacks were up 81 percent in 2011.
Common cyber threats and crimes
There’s a broad range of information security threats. Some of the most common include Web site tampering, data theft, denial-of-service attacks and malicious code and viruses.
Website tampering can take many forms, including defacing your site, hacking your system and compromising Web pages to allow invisible code that will try to download spyware onto your device. Data theft also can come in various forms, and the problems depend on what kind of data is stolen. Examples include theft of computer files; theft of laptops, computers and devices; interception of emails; and identity theft.
A denial-of-service attack floods a computer or Web site with traffic or requests until it locks up or crashes, resulting in stopped or slowed work flow. Malicious code and viruses are sent over the Internet and aim to find and send out your files, find and delete critical data, or lock your computer or system. They can hide in programs or documents and make copies of themselves, all without your knowledge.
What can I do?
The first step to protecting the information in your business is to establish comprehensive security policies – and keep them up-to-date. Make sure your employees know and adhere to your policies and best practices for Internet, email and the desktop.
Tips to keep in mind:
  • Don’t respond to popup windows telling you to download drivers.
  • Don’t allow Web sites to install software on your device.
  • Don’t reply to unsolicited emails.
  • Use screen locks and shut off your computer at the end of the day.
Ensure that your computer hardware and software are updated regularly. Change passwords periodically and use firewalls to protect your systems. You also should back up your data on a regular basis so that if anything is compromised, you have a copy.
To learn more about how to help make your business more cyber secure, check out the self-paced online training course “Cybersecurity for Small Businesses” at www.sba.gov.

Target: just 'cause it's 3DES doesn't mean it's secure

In a blogpost referring to the recent breach of millions of debit cards, Target claims there is no danger, because the PIN is encrypted with Triple-DES at the terminal, and decrypted at the payment processor. Since hackers stole only the encrypted PINs, Target claims the debit card info is useless to the hackers.

This is wrong. Either Target doesn't understand cybersecurity, or they are willfully misleading the public, or they are leaving out important details. In all probability, it's the last item: they left out the detail of there being salt.

Yes, Triple-DES itself is beyond the hackers' reach: without the secret key they cannot decrypt the PINs. But here's the deal: hackers can recover PINs without decrypting anything, because a deterministic cipher (3DES in ECB mode under one key) encrypts two identical PINs to the same ciphertext.

For example, let's say that the hacker shopped at Target before stealing the database. The hacker's own debit card information will be in the system. Let's say the hacker's PIN was 8473, and that it encrypts to 98hasdHOUa. The hacker now knows that every card whose encrypted PIN is "98hasdHOUa" has the same PIN as his/her own, 8473. Since there are only 10,000 possible four-digit PINs, the hacker has now recovered the PIN for roughly 1,000 of 10 million stolen debit cards (assuming PINs were evenly distributed).

That only recovers the cards that share the hacker's own PIN. The hacker can recover the rest using the same property. The hacker simply starts with PIN "0000" and, at an ATM or an online service that verifies PINs, tries that number against one card at a time until a hit is found. On average, about 10,000 cards would have to be tried before the first hit. Once found, all debit cards with the same encrypted PIN as that card are moved into the "known" category as "0000". The hacker then repeats the process with "0001", "0002", and so on for all combinations.

This process is further simplified by the fact that some PINs are vastly more common than others. People choose simple patterns (like "0000"), birthdays, and so on. The hacker can therefore rank the encrypted PINs by how many cards share each one. Since "1234" is the most popular PIN, the hacker tries it against a card from the most popular encrypted-PIN group first. It'll probably work, but if not, s/he can try the next most popular group, until a match for 1234 is found. The top 100 most popular PINs can be discovered with only a few thousand attempts, giving over a million cracked debit cards to work with. This is something that could be done even if a person had to stand in front of an ATM for hours trying one card after another.

One way to correct this is to salt the encryption, such as using the card number as part of the key that encrypts the PIN, or as part of additional data mixed into the block along with the PIN. Done this way, the same PIN on two different cards encrypts to two different ciphertexts. If they did this, then it would indeed be as if no PIN information had been stolen at all.

As Matthew Green describes, the Payment Card Industry (PCI) standards indeed call for this kind of salt (the PIN block formats mix the account number into the block), so this is probably what Target did.

It's nice that Target gives intermediate results of their investigation. Transparency like this should be commended. But they should just give us the raw information, like the specific PCI standard they follow, without the marketing spin about whether it's secure or not. I suppose I should've just known the PCI standard off the top of my head and filled in the blanks myself, but when I see incomplete info like this, it makes me distrust their honesty/competence instead.

Can hackers decrypt Target's PIN data?

Friday, December 27, 2013

Short answer: probably not.

Slightly longer answer: it depends on whether they have access to the encryption key, or to a machine that contains the encryption key.

In case you have no idea what I'm talking about: there was recently a massive credit card breach at Target. If you're like many people you probably heard about this three times. First in the news, then again in your email when Target notified you that you were a victim, and finally a third time when you checked your credit card bill. Not a proud day for our nation's retailers.

The news got a bit messier today when Target announced the thieves had also managed to get their hands on the PINs of unfortunate debit card customers. But this time there's a silver lining: according to Target, the PIN data was encrypted under a key the hackers don't have.
Snyder said PIN data is encrypted at a retail location’s keypad with Triple-DES [3DES] encryption and that data remains encrypted over the wire until it reaches its payment processor. Attackers would have to have compromised the point-of-sale system and intercepted the PIN data before it is encrypted in order to have accessed it.
Several folks on Twitter have noted that 3DES is no spring chicken, but that's not very important. Aside from a few highly impractical attacks, there isn't much to worry about with 3DES. Moreover, PCI standards appear to mandate unique keys for every payment terminal, which means that the attackers would need to compromise the terminals themselves, or else break into the back-end payment processor. If Target is to be believed, this has not happened.

Others have pointed out that PINs are pretty short. For example, there are only 10,000 4-digit PINs, so surely the attackers can "brute-force" through this space to figure out your PIN. The good news is that encryption is decidedly not the same thing as password hashing, which means this is unlikely to be a serious concern, provided that Target is being proactive and makes sure to change the keys now.

Of course you shouldn't take my word for this. It helps to take a quick look at the PIN block formats that the PCI PIN standards reference (ISO 9564). Before you encrypt a 4-digit PIN, the PIN is first formatted and in some cases padded so that more than the bare PIN goes into the cipher. There are four possible formats:
  • Format 0. XOR the PIN (padded out to a full block) with a block derived from the Primary Account Number (PAN), usually the rightmost twelve digits of the card number, not including the check digit. Then encrypt the result using 3DES in ECB mode.
  • Format 1. Concatenate the PIN with a unique transaction number and encrypt using 3DES in ECB mode.
  • Format 2. Pad with some fixed (non-random) padding, then encrypt in 3DES/ECB under a unique per-transaction key derived with DUKPT (Derived Unique Key Per Transaction). Update: only used for EMV cards.
  • Format 3. Pad with random digits, then 3DES/ECB encrypt.
Notice that in each case the encryption is ECB mode, but in Formats 0, 1 and 3 the plaintext has been formatted in such a way that two users with PIN "1234" are unlikely to encrypt exactly the same value under the same key. For example, consider the Format 0 encryptions for two users with the same PIN (1234) but different PANs:
(PIN) 0x1234FFFFFFFF ⊕ (PAN) 0x937492492032 = 0x81406DB6DFCD
(PIN) 0x1234FFFFFFFF ⊕ (PAN) 0x274965382343 = 0x357D9AC7DCBC
Notice that the values being encrypted (at right) will be quite different. ECB mode has many flaws, but one nice feature is that the encryptions of two different blocks (even under the same key) are effectively unrelated. This means that even an attacker who learns the user's PAN shouldn't be able to recover the PIN from the encrypted block without knowledge of the key. Their best hope would be to gain access to the terminal, hope that it was still configured to use the same key, and build a dictionary, encrypting every possible PIN under a specific user's PAN, before they could learn anything useful about one user's PIN.

This does not seem practical.
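To make both arguments concrete, Graham's point above that deterministic encryption of the bare PIN lets an attacker cluster cards by ciphertext and attack the largest clusters with popular PINs, and Green's point that the PAN mixed into an ISO 9564 format 0 block removes those clusters, here is an added example written for this page; it is not code from Target, from the PCI standards or from either blog post. It builds a constructed dump of 200 cards with fake PANs and a deliberately skewed PIN distribution, encrypts each PIN block with 3DES under one assumed terminal key, and runs the bucket-and-guess attack against both encodings. The terminal key, the card data and the popularity list are all assumptions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Card is one stolen record: the PAN the attacker reads, plus the true PIN known only to the ATM check.
type Card struct{ PAN, PIN string }

var (
	// tdes is 3DES under one constructed terminal key (cannot fail for a fixed 24-byte key).
	tdes, _ = des.NewTripleDESCipher([]byte("0123456789abcdef01234567"))
	// popularPINs is the attacker's guess list, in assumed order of popularity.
	popularPINs = []string{"1234", "1111", "0000", "1212", "7777"}
)

// encryptBlock encrypts one 8-byte block: exactly ECB, so equal inputs give equal outputs.
func encryptBlock(block []byte) string {
	out := make([]byte, des.BlockSize)
	tdes.Encrypt(out, block)
	return hex.EncodeToString(out)
}

// NaiveBlock is the encoding Graham warns about: the bare PIN padded with F nibbles, same for every card.
func NaiveBlock(pin string) []byte {
	b, _ := hex.DecodeString(pin + strings.Repeat("F", 16-len(pin))) // digits and F only
	return b
}

// Format0Block is an ISO 9564 format 0 block: 0, PIN length, PIN, F padding, XOR 0000 + 12 rightmost PAN digits (no check digit).
func Format0Block(pin, pan string) []byte {
	pinField, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	panField, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = pinField[i] ^ panField[i]
	}
	return block
}

// GroupByCiphertext is the attacker's first step: bucket dump indexes by ciphertext, largest bucket first.
func GroupByCiphertext(cards []Card, encode func(Card) []byte) (map[string][]int, []string) {
	groups := map[string][]int{}
	for i, c := range cards {
		ct := encryptBlock(encode(c))
		groups[ct] = append(groups[ct], i)
	}
	order := make([]string, 0, len(groups))
	for ct := range groups {
		order = append(order, ct)
	}
	sort.Slice(order, func(a, b int) bool { // ties broken by ciphertext, not by dump order
		na, nb := len(groups[order[a]]), len(groups[order[b]])
		return na > nb || na == nb && order[a] < order[b]
	})
	return groups, order
}

// Attack tries the popular PINs on one card from each of the topGroups largest buckets; the
// comparison with the true PIN stands in for an ATM, and a hit reveals the PIN of the whole bucket.
func Attack(cards []Card, encode func(Card) []byte, topGroups int) (distinct, recovered, guesses int) {
	groups, order := GroupByCiphertext(cards, encode)
	for i := 0; i < topGroups && i < len(order); i++ {
		for _, pin := range popularPINs {
			guesses++
			if cards[groups[order[i]][0]].PIN == pin {
				recovered += len(groups[order[i]])
				break
			}
		}
	}
	return len(order), recovered, guesses
}

// SampleCards is a constructed, deliberately skewed dump with fake PANs (no valid check digit):
// 50 cards use 1234, 30 use 1111, 20 use 0000 and the remaining 100 each have a unique PIN.
func SampleCards() []Card {
	pins := strings.Fields(strings.Repeat("1234 ", 50) + strings.Repeat("1111 ", 30) + strings.Repeat("0000 ", 20))
	for i := 0; i < 100; i++ {
		pins = append(pins, fmt.Sprintf("%04d", 5000+i))
	}
	cards := make([]Card, len(pins))
	for i, pin := range pins {
		cards[i] = Card{fmt.Sprintf("4000%011d0", i), pin}
	}
	return cards
}

func main() {
	cards := SampleCards()
	d, r, n := Attack(cards, func(c Card) []byte { return NaiveBlock(c.PIN) }, 3)
	fmt.Printf("bare PIN:     %d distinct ciphertexts, %d/%d PINs recovered with %d guesses\n", d, r, len(cards), n)
	d, r, n = Attack(cards, func(c Card) []byte { return Format0Block(c.PIN, c.PAN) }, 3)
	fmt.Printf("ISO format 0: %d distinct ciphertexts, %d/%d PINs recovered with %d guesses\n", d, r, len(cards), n)
}
```

Running it prints 103 distinct ciphertexts for the bare-PIN encoding, with the PINs of 100 of the 200 cards recovered after six guesses, against 200 distinct ciphertexts for format 0, where the top buckets are single cards and a guess reveals at most one PIN. The format 0 protection depends on the PAN being part of the block and on per-terminal (or per-transaction) keys; it does not make a short PIN safe against an attacker who holds the key, which is the caveat this post closes on.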

The one exception to the above rule is Format 2, which does not add any unpredictable padding to the plaintext at all. While the PIN is padded out, there are still exactly 10,000 possible plaintexts going into the encryption. PCI deals with this by mandating that the payment terminal derive a unique key per transaction, hopefully using a secure key derivation function. Update: this one probably isn't used by Target.

All of this is a long, dull way of saying that encryption is not like password hashing. Provided that you can keep the keys secret, it's perfectly fine to encrypt messages drawn from even small message spaces -- like PINs -- provided you're not an idiot about it. The PCI standards clearly skirt the borders of idiocy, but they mostly steer clear of disaster.

So in summary, Target debit card users are probably just fine. Until tomorrow, when we learn that the thieves also have the decryption keys. Then we can panic.

Friday, December 27, 2013

Hundreds of thousands of card numbers stolen in casino company breach

Adam Greenberg

Thousands of credit and debit card numbers were stolen in the breach.
It was no classic Sin City heist, but the end result was the same when hackers compromised the payment system of Affinity Gaming in a potentially months-long attack and made off with hundreds of thousands of credit and debit cards belonging to gamblers at any one of the company's casinos.
An investigation is currently ongoing, but Affinity made the announcement on Friday, almost 24 hours after retail giant Target announced that 40 million of its customers may have had credit and debit cards and CVV codes stolen in a hacking incident.
Even though Affinity is notifying individuals who visited any of its Nevada, Iowa, Missouri and Colorado gaming facilities between March 14 and Oct. 16, the group still has not confirmed the exact date the attack initially began.
Affinity attorney Jim Prendergast said between 280,000 and 300,000 cardholders were impacted, according to reports. Some of those impacted individuals used their cards at Affinity-owned Primm Center Gas Station in Nevada, according to a notification on the company website.
Affinity learned of the incident on Oct. 24, after law enforcement contacted the Las Vegas-based group regarding fraudulent charges possibly linked to a data breach of the Affinity payment system, according to the notification.
An immediate investigation involving outside data forensics experts revealed that the payment system had been infected with malware, resulting in the compromise of the credit and debit cards. The system was quickly secured to protect customer accounts, according to the statement.
The notification did not indicate if the company will be offering anything to affected individuals, nor did it highlight steps taken to prevent a similar incident from occurring, but Affinity is encouraging all impacted individuals to monitor accounts for suspicious activity.
An Affinity spokesperson did not immediately respond to an SCMagazine.com request for comment.


Security 'PGP' Encryption has had Stay-Powering but Does it Meet Today's Enterprise Demands?

By Ellen Messmer, 27-Dec-2013

PGP encryption, as industry old-timers know, started out as "Pretty Good Privacy," invented by Phil Zimmermann in 1991, and since then was sold on to various corporate owners until it ended up in the hands of Symantec in 2010. While it is a widely used vintage brand, does PGP public-key encryption still meet today's enterprise demands, given the rise of cloud computing and mobile?

Enterprise managers are somewhat mixed on that, though PGP, over two decades old, is so well known that Symantec, which dropped the PGP moniker in favor of "Symantec Encryption," still reminds everyone it's "powered by PGP technology." In addition, there's OpenPGP, the IETF standard championed by Phil Zimmermann, which can be implemented by companies without licensing. Symantec declines to discuss exactly how many customers it has in the PGP realm, but it does point out that it has invested resources in developing what it inherited with PGP. For example, Symantec offers client app software for both Apple iOS and Google Android devices as part of its Desktop Email Encryption. Symantec says its email encryption encrypts e-mail directly from an end user's machine; the result is that encrypted mail is delivered directly to a user's device, and they use the Symantec Mail Encryptor App to reply.

But despite this kind of PGP-related development work, one sticking point is managing the digital certificates needed for end-to-end encryption and decryption, especially when it comes to sharing files securely between two separate companies as outside business partners. "It's too problematic," says Yuval Illuz, associate vice president and head of global infrastructure and IT operations at network equipment company ECI Telecom, about digital certificate management among business partners. "It's not something you need today. You change suppliers all too often." Illuz said his company has migrated off the PGP-based Symantec Encryption e-mail and file sharing software that the firm once used for secure communications with business partners. Instead, ECI adopted a different type of exchange, the RSAccess product from Safe-T, in which two nodes are set up, one on each side of a firewall, to support requests for sensitive data from suppliers, business partners and customers. It can also create directories for the cloud-based Dropbox service. Everything is encrypted, but access depends on strong passwords rather than certificates, he says.

But ECI is sticking with Symantec Encryption for some things, particularly for in-house use. "The laptop encryption for PGP, we are still using it," he says, expressing confidence about the security and manageability involved in it. Since acquiring PGP, Symantec has released secure file sharing with Dropbox in what it calls its File Share Encryption integration with Dropbox. Symantec says it works by simply checking a box in the management server so that anything sent to Dropbox is automatically encrypted with the appropriate keys.

Not everyone, however, feels the need to migrate away from managing certificates with business partners. "We have a lot of business partners," says Dylan Taft, systems engineer at Rochester General Hospital, who says he relies on managing separate PGP-based encryption keys for secure file sharing. "PGP is not an issue." The hospital uses the Ipswitch MOVEit file transfer system, which makes use of the OpenPGP protocol, and MOVEit Central from Ipswitch for the exchange of business-to-business documents. "PGP works at the application layer," says Taft, saying the hospital can encrypt with its PGP key and the recipient can decrypt with theirs. "The data we send is long files, and it's not a problem."

Some complaints about Symantec Encryption have been heard related to the need to renew VeriSign certificates each year in order to be able to decrypt old e-mail that has been held encrypted for an extended period. VeriSign was also acquired by Symantec, and like PGP, VeriSign is a vintage brand that is now officially referred to as Symantec "powered by VeriSign." Asked whether this is a general practice at Symantec in terms of certificate renewal associated with Symantec Encryption (PGP) products, Symantec responded, "No, the need for certificate renewals is based on the user using VeriSign certificates vs. self-signed certificates created with the Symantec Encryption Management Server." Symantec points out, "Symantec Gateway Email Encryption and Symantec Desktop Email Encryption both allow certificates to be used to store keys. The certificates are self-signed certificates, created and signed by Symantec Encryption Management Server." Using a self-signed certificate, rather than a certificate chained to a trusted root, would eliminate the need to pay to renew the certificate, Symantec says. Symantec keeps some of the old traditions around PGP alive by making the source code publicly available for peer review.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security.

Thursday, December 26, 2013

NSA paid 10M$ to RSA to insert an encryption backdoor in its solution

by paganinip on December 21st, 2013
The latest revelation based on the documents leaked by Edward Snowden concerns an encryption backdoor allegedly inserted by RSA in its BSafe software.
Is it possible to insert an encryption backdoor into one of the most popular cryptographic products?
Probably it is just a question of money when the request comes from the NSA; according to a recent report, the fee was $10 million. This is the week's revelation from the documents leaked by Edward Snowden, a mine of alarming information that is shaking the IT industry, and in particular the worlds of intelligence and security.
Reuters revealed that, as a key part of a campaign to embed encryption backdoors into widely used computer products, the U.S. National Security Agency signed a secret contract with RSA; the cost of the cooperation was $10 million.
“Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products,” states the Reuters article.
It is a new earthquake: RSA received $10 million (more than a third of the revenue that the relevant RSA division had earned during the previous year) to set the flawed NSA formula as the default random-number generator in the BSafe software.
Two people familiar with RSA’s BSafe product told Reuters that the company had received the money in exchange for making the NSA’s formula the default random-number generator used for key generation in BSafe.
RSA’s reputation is seriously damaged. In September, documents leaked by Snowden showed that the NSA had deliberately weakened the random-number generator standard that RSA’s products used by default.
By weakening encryption standards and inserting backdoors into the encryption products of major vendors, and with the help of supercomputer-backed cracking, the agency is reportedly able to break encryption used to protect popular technologies including HTTPS and SSH.
“Now we know that RSA was bribed,” commented the well-known security expert Bruce Schneier. “I sure as hell wouldn’t trust them. And then they made the statement that they put customer security first. You think they only bribed one company in the history of their operations? What’s at play here is that we don’t know who’s involved,” he added.
The revelation raises many doubts about the relationship between the U.S. government and the private IT companies that provide commonly used encryption solutions, such as Symantec and Microsoft.
“You have no idea who else was bribed, so you don’t know who else you can trust,” Schneier said.
RSA did not return a request for comment, and did not comment for the Reuters story.

Wednesday, December 25, 2013

Target hackers might have encrypted PINs

By Jim Finkle and David Henry, Reuters

Wednesday December 25, 2013
The hackers who attacked Target Corp. and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.
One major U.S. bank fears that the thieves will be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke anonymously.
Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say whether that included encrypted PINs.
The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season.
Target has not said how its systems were compromised, although it described the operation as “sophisticated.” The U.S. Secret Service and the Justice Department are investigating. Officials have declined to comment.
The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.
While bank customers typically are not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co. and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.
The unprecedented move has led to complaints from consumer advocates about the inconvenience it caused. But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for customers.
Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.
While the use of encryption codes might prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is that it might not stop the kind of sophisticated cyber criminal who was able to infiltrate Target.

Tuesday, December 24, 2013

Target: Breach Caused by Malware

Retailer Confirms Attack Infected POS System

By , December 24, 2013.
Target CEO Gregg Steinhafel

Target Corp. has confirmed that a payments breach that likely exposed some 40 million U.S. debit and credit accounts was caused by a malware attack that infected its point-of-sale system (see Target Breach: What Happened?).
Target CEO Gregg Steinhafel confirms the company is working with the Secret Service and the Department of Justice to investigate the incident. "This unauthorized access is a crime, and we are taking it very seriously," the company states in the latest notice on its website.
Although Target is not issuing any details about the forensics investigation, Andrey Komarov, CEO of cyberintelligence firm IntelCrawler, says card numbers compromised in the Target breach are flooding underground forums and continued to be posted for sale as recently as Dec. 20. For now, forums with URLs based in Asia and Eastern Europe are being closely monitored for carding activity linked to compromised Target transactions, he says.
"It is important to analyze online underground shops for presence of compromised data in order to find any relations between bad actors trading the data and real hackers who made the intrusion," Komarov says.
Fraudsters know the compromised card numbers won't be good forever, he says, so fraud associated with compromised accounts will likely occur immediately. "In my opinion, this incident is very similar to the RBS WorldPay hack and Heartland Payments intrusion," he says.
Brian Krebs, the cyber-security blogger who broke the Target breach story Dec. 18, also blogged this week about cards associated with the Target attack appearing for sale in underground forums.

Bank Action

Banking institutions, including JPMorgan Chase, are working directly with their customers to address card fraud risks.
On Dec. 21, Chase told customers that debit and reloadable debit accounts identified as being at risk because of the Target breach would have temporary cash withdrawal and purchase restrictions of $100 and $300, respectively, until new cards could be issued. On Dec. 23, the bank issued a revised statement, noting that those cash and purchase limits had been raised.
"To minimize inconvenience to our customers, we raised those reduced limits today to $250 at ATMs and $1,000 in purchases per day in the United States," Chase states. "We may continue to change these limits if we think it makes sense, so please check chase.com for updates."
Consumers also have filed a series of class action lawsuits seeking millions in damages from the Minneapolis-based retailer, according to published reports.
Also, attorneys general in Connecticut, Iowa, Massachusetts, New York and South Dakota so far have requested Target provide more information about the breach. On Dec. 19, New York Attorney General Eric Schneiderman also requested that Target provide one year of free credit monitoring to all impacted New York residents.
Target notes on its breach FAQ page, which is constantly being updated, that it is offering free credit monitoring to anyone impacted. "We are in the process of establishing the service and will be reaching out to guests in the coming weeks with more information," Target says.

Lots of Attention

Shirley Inscoe, a financial fraud analyst with the consultancy Aite, says Target's breach is getting more attention than previous retailer breaches.
"When the TJX breach occurred just a few short years ago, I don't recall consumers filing class action suits against the company, nor were state attorneys general as knowledgeable or as litigious as they are today," Inscoe says.
"It certainly shows how quickly society's outrage over these data breaches is growing, and that consumers, and state AGs, are more proactive and litigious than in the past," she adds. "Surely companies will realize it is preferable to be more proactive in addressing security gaps going forward than to incur all the fallout and negativity associated with a breach."

Communication Efforts

Target has continued to issue statements and updates on its website and Facebook page about the breach. The retailer has directly contacted its REDcard accountholders, telling them that Target will provide free credit monitoring and cover any fraudulent charges linked to the breach that are not covered by their banking institutions.
In its most recent statement, Target says it has invited state attorneys general to participate in a call with the company's general counsel, "to help bring them up to date on the data breach that has impacted Target and our guests."
Target also says its call center continues to get a high volume of inquiries, so it has doubled the number of team members staffing the center to meet the demand.
"We have communicated to 17 million guests via e-mail and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call," Target notes in its Dec. 23 statement. "We also continue to push tips to our guests via social media."
The retailer also has provided instructions on its site for REDcard accountholders to set up automated alerts for each transaction conducted with their cards.

Target's Outreach

Some breach response experts say Target, under the leadership of Steinhafel, the CEO, is doing a good job with post-breach communication.
Andrew Walls, a social media expert who's an analyst at the consultancy Gartner, says Target's communications with consumers have been appropriate and highlight the need for more organizations to bake social media policies into their incident response and disaster recovery strategies.
"This is just about communications at the end of the day," he says. "It's important to have one policy that applies to all communications, whether it's a phone call, a tweet, a Facebook post or an e-mail. Most organizations are too focused on the technology, and not the message."
Al Pascual, an analyst with consultancy Javelin Strategy & Research, says Target's response has been exemplary.
"Target has been quite forthcoming, which is a benefit to them, their customers, and affected issuers," he says. "Advising the public of the breach and the type of information compromised so immediately after the event occurred allowed consumers and issuers to act quickly. While the forensic investigation is ongoing, the release of details surrounding the breach likely depends on whether or not any of these lawsuits make their way to court."
Cyber-security attorney David Navetta, a partner at the Information Law Group, says the Target incident will raise breach awareness.
"People often think of hacking situations online or losing your credit card information at e-commerce sites," he says. "But now, here we have a situation where people are physically going into the store, using their card ... and their data is being taken."
And Alan E. Brill, senior managing director of risk mitigation firm Kroll Advisory Solutions, says the Target breach will serve as a wakeup call for others, especially when it comes to the need for cyber-insurance.
"With the changes in the types of coverage available and the increasing sophistication of the insurance industry, periodic re-evaluations of cyber-insurance is just good business," he says.
"It's vital for organizations to [determine] if the same kind of attack could happen to them, and what steps they can take to mitigate the risk," Brill adds. "It could be anything from a high-tech attack on the POS system to some action by an insider. But whatever it is, everyone has to say: 'What could I do to not have this happen to me?'"


Monday, December 23, 2013

Will 2014 be the year of encryption?


Researchers Find Way to Extract 4096-Bit RSA Key via Sound

A trio of scientists have verified that results they first presented nearly 10 years ago are in fact valid, proving that they can extract a 4096-bit RSA key from a laptop using an acoustic side-channel attack that enables them to record the noise coming from the laptop during decryption, using a smartphone placed nearby. The attack, laid out in a new paper, can be used to reveal a large RSA key in less than an hour.
In one of the cleverer bits of research seen in recent years, three scientists from Israel improved on some preliminary results they presented in 2004 that revealed the different sound patterns that different RSA keys generate. Back then, they couldn’t figure out a method for extracting the keys from a machine, but that has now changed. The research, which involves Adi Shamir, one of the inventors of the RSA algorithm and a professor at Weizmann Institute of Science, and two other academic researchers from Tel Aviv University, lays out a method through which an attacker can use a smartphone placed near a laptop to record the sounds generated by the machine during a decryption process using the GnuPG software.
The attack relies on a number of factors, including proximity to the machine performing the decryption operation and being able to develop chosen ciphertexts that incite certain observable numerical cancellations in the GnuPG algorithm. Over several thousand repetitions of the algorithm’s operation, the researchers discovered that there was sound leakage they could record over the course of fractions of a second and interpret, resulting in the discovery of the RSA key in use.
“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption. We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer, within an hour, by analyzing the sound generated by the computer during decryption of chosen ciphertexts. We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer, and using a sensitive microphone from a distance of 4 meters,” the paper says.
To test their attack, the researchers performed it against GnuPG using OpenPGP messages containing their chosen ciphertext. OpenPGP will, in some cases, automatically decrypt incoming email messages.
“In this case, an attacker can e-mail suitably-crafted messages to the victims, wait until they reach the target computer, and observe the acoustic signature of their decryption, thereby closing the adaptive attack loop,” the researchers said.
Their attack works against a number of laptop models, and they said that there are a number of ways that they could implement it, including through a malicious smartphone app running on a device near a target machine. They could also implement it through software on a compromised mobile device or through the kind of eavesdropping bugs used by intelligence agencies and private investigators.
The developers of GnuPG have developed a patch for the vulnerability that the Israeli researchers used, implementing a technique known as blinding. The patch is included in version 1.4.16 of GnuPG. Shamir and his co-authors, Daniel Genkin and Eran Tromer, said that they also could perform their attack from a greater distance using a parabolic microphone and may also work with a laser microphone or vibrometer.
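The blinding countermeasure mentioned above, shown as an added example in textbook RSA arithmetic; this is not code from the paper or from GnuPG. The toy key (p = 61, q = 53, e = 17) and the function names are constructed for illustration.

```python
"""Added example (not from the Genkin/Shamir/Tromer paper or from GnuPG):
RSA decryption with base blinding, the countermeasure GnuPG 1.4.16 adopted
against the chosen-ciphertext acoustic attack described above.

The attack needs the CPU to exponentiate the attacker's chosen ciphertext c
directly. Blinding multiplies c by r^e for a fresh random r before the
private-key operation, so the value actually exponentiated is unrelated to
c, and the factor r is divided out afterwards.  The key below is a tiny
textbook example constructed for illustration only."""
import math
import secrets
from typing import Optional

# Constructed toy key (p=61, q=53); real keys are 2048 bits or more.
P, Q = 61, 53
N = P * Q            # 3233
E = 17
D = 2753             # E * D == 1 (mod (P-1)*(Q-1))


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA encryption: c = m^e mod n."""
    return pow(m, e, n)


def rsa_decrypt_plain(c: int, d: int, n: int) -> int:
    """Unblinded decryption: c^d mod n is computed on the raw ciphertext,
    so the modexp's behaviour is a function of the attacker's chosen c."""
    return pow(c, d, n)


def pick_blinding_factor(n: int, rng=secrets.randbelow) -> int:
    """Random r in [2, n-1] with gcd(r, n) == 1, so r is invertible mod n."""
    while True:
        r = rng(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_decrypt_blinded(c: int, d: int, e: int, n: int,
                        r: Optional[int] = None) -> int:
    """Blinded decryption: exponentiate (c * r^e) instead of c, then unblind.

    (c * r^e)^d = c^d * r^(e*d) = c^d * r  (mod n), so multiplying the
    result by r^-1 recovers c^d.  Pass r explicitly only for testing;
    in practice a fresh random r is drawn for every operation.
    """
    if r is None:
        r = pick_blinding_factor(n)
    c_blind = (c * pow(r, e, n)) % n      # the value the modexp actually sees
    m_blind = pow(c_blind, d, n)          # equals m * r mod n
    r_inv = pow(r, -1, n)                 # modular inverse (Python 3.8+)
    return (m_blind * r_inv) % n


def blinded_input_differs(c: int, e: int, n: int, r: int) -> bool:
    """True when the exponentiation input no longer equals the chosen c."""
    return (c * pow(r, e, n)) % n != c


if __name__ == "__main__":
    m = 65
    c = rsa_encrypt(m, E, N)
    print("ciphertext:", c)
    print("plain decrypt:  ", rsa_decrypt_plain(c, D, N))
    print("blinded decrypt:", rsa_decrypt_blinded(c, D, E, N))
```

Both decryption paths return the same plaintext; only the blinded path keeps the attacker's ciphertext away from the private-key exponentiation.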

Lock Three Doors To Protect Your Data


Tom Quillin
Director of Cyber Security Technology & Initiatives- Intel Corporation

Data is at risk when it's at rest, in motion, or in use. Here are some tips for approaching data protection in each state

If Willie had been born in the 1980s instead of in 1901, he would have been a cybercriminal looking to steal data. Why? Because that's where the money is. Intellectual property, trade secrets, sensitive customer information, user credentials, patient information -- all of these are forms of data that are as valuable as money in the bank. And the risks associated with losing or failing to protect that data are far greater than those associated with cash. And just like cash, data is at risk when it's at rest, in motion, or in use. Here are some tips for approaching data protection with the three states as a guide.

Data At Rest

Data is at rest when it is not being accessed, such as when it is stored on a physical or logical medium. Examples include files sitting on a flash drive or on archived magnetic tapes in the corporate warehouse. Despite recent sensational headlines, encryption still works well to protect data at rest. Encryption applications, such as full disk encryption, provide very strong data protection when coupled with strong random number generation, the right encryption algorithms with robust keys, and intelligent acceleration, such as Intel Advanced Encryption Standard New Instructions (Intel AES-NI) to make the encryption unobtrusive to the user. Application owners and IT administrators are often concerned about an "encryption tax" -- a lag in application performance caused by CPU cycles consumed in complex cryptographic processing. If that performance tax is too great, user productivity and application efficiency suffer, making encryption an unattractive option. With intelligent acceleration of some cryptographic operations, this tax can be dramatically decreased so that encryption can be more widely deployed.

Data In Motion

Data is in motion when it is moving between applications, traversing a network, or moving between networks. Data in motion can be protected by protocols, such as TLS, SSL, and IPsec, which encrypt data packets for secure transportation and decryption by intended parties. Like a really thick security envelope for an important letter, these protocols provide a wrapper that helps prevent unauthorized access to your data as it's in motion. Use of Intel instruction enhancements, such as Intel AES-NI and Intel Advanced Vector Extensions (Intel AVX), can help these protocols be more efficient, which can, in turn, help your data centers run more cost effectively. You can and should complement these protocols with data loss prevention software or appliances that monitor network traffic to help prevent unauthorized transmission of sensitive data.

Data In Use

Data is in use when it is being actively read or written by an application, and this is its most vulnerable state. When in use, data sheds its protective layers so it can be used and changed. When living in an apartment building with other tenants, your apartment and its contents are secure only if the building manager keeps unauthorized people out and if the windows and doors are secure. If someone leaves a door or window unlocked (as with an application vulnerability), or if the building manager hires a cleaning crew who are actually crooks (like malware that's injected into a system service DLL), then you might as well leave your apartment door unlocked. Data in use can be just as unprotected and just as exposed to risk. You can establish an environment in which only trusted applications can access your data. This trusted execution environment is like a safe inside your apartment, to which you have the only key. In addition, like checking your apartment for items out of place or missing, a trusted execution environment can be measured and known to be secure, such as with Intel Trusted Execution Technology (Intel TXT), so you can be confident that your data is protected even when in use.

Which Data Should You Protect?

You now have more freedom to answer this question because of the rapid pace of technological innovation. One important innovation is the acceleration of encryption technologies. The performance hit associated with encryption used to be so high that enterprises sometimes did not encrypt data that needed protection. However, today's encryption acceleration technologies let you base data-protection decisions on risk assessment rather than fears about performance because accelerated encryption essentially removes encryption overhead from the equation. This means you can deploy encryption where it's needed -- up to and including encrypting all of your data. While this greater freedom is a boon to data protection, your organization still must define policies that place data on a sensitivity continuum from highly restricted to public data. Then you can enforce those policies with processes and tools. This is an important topic that I'll address in a future post.

Data Protection Starts With Encryption

The days when you might protect your data by locking up paperwork in a filing cabinet are long gone. That's because our connected business depends on keeping data both safe and available to business partners. Encryption remains a valuable data-protection tool. When you apply it systematically to data throughout its life cycle, you'll be on a path to foiling our modern-day Willie Suttons.

* Thanks to Wikipedia, which also reports that this exchange is probably apocryphal. Oh, well. It still makes a good story.

Follow me on Twitter: @tomquillin

RSA Response to Media Claims Regarding NSA Relationship

December 22, 2013

Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.
Key points about our use of Dual EC DRBG in BSAFE are as follows:
  • We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
  • This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
  • We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
  • When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

RSA, The Security Division of EMC


Sunday, December 22, 2013

Target: Data from 40 million credit, debit cards stolen


Hackers have successfully made off with information from millions of credit and debit cards at retail giant Target in a meticulously planned attack.
The attack was pulled off during the busiest sales season of the year, between Nov 27 and Dec 15. The company has confirmed that data from 40 million cards has been stolen.
According to a statement from Target, the pilfered data includes customers' names, credit or debit card numbers, card expiration dates and three-digit CVV security codes. That information is sufficient to make a counterfeit card, or even to make online purchases.

The Fierce Take: The strike during the holiday season is significant, given how the increased sales volume could mask otherwise strange spending behaviors from counterfeit cards. Though details of how the hackers penetrated Target are not known at the moment, there is clearly a new trend towards mixed physical and cyber attacks. We will post a follow up should more details of the breach become available.
Read more: Target: Data from 40 million credit, debit cards stolen - FierceCIO:TechWatch http://www.fiercecio.com/techwatch/story/target-40-million-credit-cards-stolen/2013-12-20#ixzz2oExuALNg

NSA contracted RSA to use flawed algorithm, leaks reveal

A secret contract reportedly tied the NSA and security firm RSA.

Leaked classified documents, detailed in a Friday Reuters article, show that the National Security Agency (NSA) arranged a $10 million deal with RSA that ultimately led to the security firm using a “flawed” encryption formula in its products.
According to Reuters, the contract set an “NSA formula as the preferred, or default, method for number generation in the BSAFE software.”
It was revealed in September that all versions of RSA's BSAFE Toolkits were impacted by a community-developed encryption algorithm that was believed to contain an NSA backdoor.
The algorithm in question was Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which both RSA and the National Institute of Standards and Technology (NIST) recommended the industry not use at the time.
Reuters reported that while the $10 million deal “might seem paltry” for a major company such as RSA – which serves as the security division for the global data storage corporation EMC – it actually accounted for “more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year."
Dual_EC_DRBG was adopted by RSA before NIST's approval, and to help spur NIST's endorsement of its use, NSA shared that the government had already used the algorithm for some time, Reuters revealed.
“RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit,” the article said. “No alarms were raised, former [RSA] employees said, because the deal was handled by business leaders rather than pure technologists.”


'NSA paid RSA for backdoor in encryption software'

Saturday 21 December 2013

The American intelligence agency NSA is said to have paid security firm RSA 10 million dollars to add a backdoor to a widely used encryption program, sources have told the news agency Reuters. Earlier this year it became known that the NSA had introduced a vulnerability into the Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG) algorithm. The algorithm is intended for generating random numbers. The backdoor ensures that these numbers are not random. This makes it possible to predict encryption keys and subsequently decrypt encrypted information.
RSA had already added the algorithm to its products before it was approved by the American National Institute of Standards and Technology (NIST). NIST plays a leading role in developing standards and guidelines. It does so in close consultation and cooperation with standardization bodies, industry and other stakeholders. The NSA also falls into that last category.
Because the algorithm had been added to RSA's products, the NSA could in turn tell NIST that Dual Elliptic Curve was in use within the American government. The intelligence agency is said to have persuaded NIST to approve the algorithm this way.

The algorithm is present in, among other places, RSA's BSafe toolkit, something the security firm itself warned about in September. BSafe is used to secure data in all kinds of products. Reuters now reports that RSA received 10 million dollars from the NSA to add the vulnerable algorithm to the BSafe toolkit. This may seem a small sum for a large company like RSA, but it is more than a third of the revenue the responsible RSA division had generated the year before.
According to some current and former RSA employees, the security firm was misled by the NSA. Government officials told the company that the algorithm was a "secure technological advance". Yet the employees also point to RSA as being at fault. The company's evolution, in which it no longer focused solely on pure cryptographic products, is said to have been one of the reasons the backdoor could ultimately be added.

RSA says in a statement that it always acts in the interests of its customers and does not develop or enable backdoors in its own products. "Decisions about the features and functionality of RSA products are always made by ourselves," the company said.

Experts discuss implications of massive Target breach

Retail giant Target has yet to announce exactly how attackers compromised its point-of-sale (POS) devices to steal roughly 40 million credit and debit cards and CVV codes in two and a half weeks, but researchers and security experts have already begun weighing in on the implications of such a colossal breach.
Paul Kocher, president and chief scientist at San Francisco-based cryptography company Cryptography Research, told SCMagazine.com on Thursday – the day Target officially announced the breach – that this incident highlights the need for rapid improvement in PCI requirements for payment systems.
“This standard currently defines an ‘attack potential' for various kinds of threats, but a limitation of this approach is that these calculations tend to overestimate efforts because they don't reflect improvements that creative attackers can find,” Kocher said.
Transitioning to smart cards and other cryptographic payment systems would help by providing retailers with non-reusable transaction authorizations, as opposed to needing all the information required for a transaction, Kocher said.
Avivah Litan, vice president and distinguished analyst at research firm Gartner – who blogged about the breach on Thursday – agreed. “Bottom line: It's time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system,” she wrote.
Meanwhile, the financial impact of the breach continues to be debated. Litan said that while the actual fraud loss that Target will pay is likely less than $25 million, the fees the retailer will pay the banks may be twice that.
Kocher suggested Target will pay a few hundred million dollars in direct costs, as a result of fines and settlements. On Thursday, at roughly 3 p.m., Kocher explained that the stock market had Target down 2.14 percent, which is about 1.66 percent greater than the day's losses at Walmart and Costco.
“1.66 percent of Target's market cap of $39.3 billion equals $652 million, which is largely attributable to the breach,” Kocher said.
In an email to SCMagazine.com on Friday, Nathaniel Couper-Noles, a principal security consultant at mobile and cloud security company Neohapsis, said that the Target breach is similar to the 2006 breach of TJX, during which roughly 45 million credit and debit cards were compromised. At one point, TJX estimated the cost of that breach at $256 million, he said.