Monday, March 10, 2014

Internet Security: we're losing

The Good Guys are outnumbered, outgunned, and outfunded.  And that's the good news.

The bad news is that a bunch of the Good Guy troops in the trenches are draftees.  They didn't sign up for Information Security, they're IT drones that are told to do it.  Or worse, they're not even in IT, they're in data entry or customer support.

That is the starting lay of the land, which will help to clarify just why we're losing so badly.  For example, one of the Big Three credit agencies gave open access to an identity fraudster:
In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to running an identity theft service out of his home in Vietnam.
How did this happen?  Well, it didn't involve any l33t h4X0Rz:
Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.
He bought access to the data, using money he got from identity theft.  Since selling access to data is Experian's business model, this is pretty much assured to be happening all over the place.

Oh, and remember that line: "and other records on more than 200 million Americans."  That was your data.

But it doesn't seem to help to have a business model that relies on security.  Target got hacked, and information that's coming out suggests that it was a rookie security mistake made by their CIO, keeping security under her duties:
CISO duties at Target previously had been split among multiple people. The new CISO at Target will have centralized oversight and responsibilities for the retailer's information security, as Target's executive VP of Target Technology Services and Chief Information Officer Beth Jacob has now left the post she had held since 2008.
Raj Ramanand, founder and CEO of Signifyd, said it's surprising that the CIO was managing security duties at Target. "In most large enterprises, the CISO has a direct reporting line to the board of directors and to the CIO of the company," he says. "I'm surprised by the fact that this was all being managed by the CIO and they didn't have separate officers in charge."
That's like having the financial auditors report to the CFO.  The financial auditors are there to check up on the CFO, and that's the reason that most companies have a CISO reporting directly to the Board of Directors.  Target's IT was well funded enough; it just wasn't focused correctly.  Target may not have been in the minority among companies, either.

But it gets even worse.  What if your company could go bankrupt if your security were bad?  Wouldn't you pay very close attention?  Some people didn't:
Yet another cryptocurrency has come forward and admitted that security and system problems have led to customer funds being pinched by hackers.

Poloniex, a Bitcoin trading post similar to Mt. Gox, has lost 12.3 percent of the Bitcoin stored in hot wallets on the website. However, in stark contrast to how Mt. Gox CEO Mark Karpeles handled his company's Bitcoin losses, the owner of Poloniex, Tristan D'Agosta -- a.k.a. Busoni -- admitted to the loss and asked users how they would like to be compensated.

In a forum post, Busoni said that a hacker took advantage of a processing flaw in the Bitcoin exchange post. When users submit a withdrawal request, the input is checked against your balance, deducted, and the new amount recorded within a database. However, it was discovered that placing several withdrawals all in practically the same instant meant each request was processed at more-or-less the same time, resulting in a negative balance but "valid insertions into the database, which then get picked up by the withdrawal daemon."
Millions of dollars worth of Bitcoins were stolen by hackers.  With Bitcoin, there is no physical object (that's the whole point), and so this is really electronic bank robbery.  All the security problems are digital.  The people involved know this, and we should assume that they are all very competent and very well funded.

They still got robbed.  And they were the third Bitcoin exchange to get hacked.
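The withdrawal flaw quoted above is a check-then-act race. As an added example (not Poloniex's code; the table names, function names and the `alice` account are hypothetical, and the near-simultaneous requests are interleaved deterministically rather than with real threads), here is the broken pattern next to a conditional update that makes the check and the deduction a single atomic step:

```python
import sqlite3

def make_db(balance):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER)")
    db.execute("CREATE TABLE withdrawals (user TEXT, amount INTEGER)")  # payout queue
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))  # constructed
    return db

def balance_of(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]

def queued_total(db, user):
    return db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals WHERE user = ?",
                      (user,)).fetchone()[0]

def racy_batch(db, user, amounts):
    """Check-then-deduct as separate steps, with near-simultaneous requests
    interleaved so every check runs before any deduction lands."""
    approved = [a for a in amounts if balance_of(db, user) >= a]  # all see old balance
    for a in approved:
        db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (a, user))
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, a))
    return len(approved)

def atomic_withdraw(db, user, amount):
    """Check and deduction are one conditional UPDATE inside one transaction."""
    with db:  # commits on success, rolls back if an exception is raised
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
            (amount, user, amount))
        if cur.rowcount != 1:  # no row matched: insufficient funds, nothing queued
            return False
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))
        return True

if __name__ == "__main__":
    db = make_db(100)
    print("racy approved:", racy_batch(db, "alice", [80, 80, 80]),
          "balance:", balance_of(db, "alice"), "queued:", queued_total(db, "alice"))
    db = make_db(100)
    print("atomic results:", [atomic_withdraw(db, "alice", 80) for _ in range(3)],
          "balance:", balance_of(db, "alice"), "queued:", queued_total(db, "alice"))
```

The racy path queues every request and leaves a negative balance, which is the "valid insertions into the database" outcome described in the forum post; the conditional update lets exactly one request through.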

And so we're seeing a more or less complete failure of security, whether it's low-level people getting scammed, Fortune 500 mis-organization, or very good people being human and unable to close 100% of all possible bugs.

The implication is that security failure is a cost of doing business.  The IT Security budget needs to have a line item for expected legal payout to settle potential lawsuits.


Dave H said...

I wonder, are all the Bitcoin exchanges running the same code? With that many intrusions in such a short time, it sure sounds like it.

Borepatch said...

Dave, I doubt it. I would expect it's all custom code. However, the coding mistakes (e.g. PHP) are the same, and so it will attack a specialized skill set in the Bad Guys.

cryptical said...

A couple months ago an infosec guru (can't remember which one at the moment) suggested that running a SQL fuzzer against bitcoin exchanges and Silk Road-like sites would be more efficient than mining.

Hearing that a number of the sites are running NoSQL databases on the backend makes me realize that many kids nowadays have never heard of ACID in relation to databases.

With so much commerce happening on the edge of the law I wonder when some form of organized crime will get involved, if only for dispute resolution.

"A team of our crack customer service agents has been dispatched from Odessa to service your trouble ticket."

Borepatch said...

cryptical, yeah. Not just that they've seemingly never heard of ACID, but they haven't heard of Bobby Tables, either.

And yeah to the Odessa Customer Service team.

Jester said...

Borepatch or others, perhaps you can fill me in here, as I'm not up to the same speed you guys are on this.

However, would these events, particularly with personal credit databases being hacked from one of the big three, start to destroy nearly all personal credit, or at least make it so that credit history is less important to the average schmuck? I'm sure it would be more work to go in and have your history "Scrubbed" but if it seems to be so easy to switch credit history, or just plain go to any creditor that "Yeah, my credit has been hacked so many times now that no one knows what is going on anymore..."

In other words, if your credit history is now suspect no matter what, or if you have suspect history you can pass it off as "Hacked" would this not really start to shake up how credit is weighed, measured and balanced for risks? Not that I feel credit damage is not too easy to accomplish anyway but I digress...

Am I reading too much in to this or is this perhaps where we are headed as a whole for both personal and business credit history/measurements?