STE WILLIAMS

Target Breach Should Spur POS Security, PCI 3.0 Awareness

The breach of cardholder data for 40 million Target customers, which has been speculated to have been triggered by attacks against Target’s point-of-sale (POS) systems, has served as a prime example of why security professionals have pushed for improved POS and payment application security in the last few years. And with increased scrutiny expected by the payment card brands on POS and payment application security as a result of more stringent standards written into PCI DSS 3.0 and PA DSS 3.0, Target’s breach serves as a further reminder of why POS systems need to be on retailers’ immediate-term radar, experts say.

“There are some sophisticated attackers that understand payment processing and possess the high level of hacking skills needed to break into larger, more secure victims,” says Lucas Zaichkowsky, enterprise defense architect at AccessData.

According to Chris Strand, director of compliance for Bit9, the difference between the Target attack and most traditional forms of skimming attacks that target individual POS devices is the sweeping nature of data collection across a whole network of devices. Rather than physically tampering with devices, attackers are going to be looking for a path of least resistance.

“This is a common type of attack that we’re going to see more and more prevalent because the attackers will take the path of least resistance and in this case, they’re realizing that these POS systems are not protected from a vulnerability perspective,” Strand says. “The fact is that the current security mechanisms they’re using to guard the internals of these POS systems are vastly inadequate to protect the inner systems and software running on these things.”

In addition to the scale of the attack and volume of cardholder data taken, also troubling was the depth of that data, which included track data.

“Loss of the track information from the credit cards is particularly nasty as it can allow for card cloning,” says James Lyne, global head of security research at Sophos. “That said, just the cardholder’s name, card and security code has the potential for widespread online ordering fraud which can be particularly nasty considering we’re in the midst of the holiday season.”

Lyne says he believes the Target breach points to poor architectural and business practices.

“It is critical that organizations handling such data take steps to protect it–such large volumes of data should never be accessible by one user or process—and should be encrypted to segment the data and should be detected if an export of such size occurs,” Lyne says.


Experts with SecureState, a PCI Forensic Investigator, believe that as further details emerge it will be shown that Target was not compliant with PCI standards. Part of the issue, says BLANK, could be that Target’s custom-developed payment application was not up to par with PA DSS requirements.

“For a hacker to be able to infiltrate Target’s network and access the POS application several PCI-DSS and PA-DSS controls must not have been implemented effectively. Thus, Target was not compliant during the time of the breach,” says Ken Stasiak, CEO of SecureState. “How can I be so sure? We handle these investigations for the payment card brands and in all of the investigations we performed the merchant was not compliant to PCI-DSS controls during a breach.”

But many security insiders have noted that Target has a particularly secure information security practice—they point to its fast discovery and disclosure of the breach as testament to that—and some wonder what the other factors at play may have been.

“As Target is known to encrypt wireless transmission between the point-of-sale terminal and the wireless router, intercepting the personally identifiable information must have happened elsewhere in the processing chain,” says Girish Bhat, senior product manager at Wave Systems. “To carry an attack of this magnitude during the busiest holiday season is extremely difficult and may have involved multiple insiders.”

Regardless of the intricacies of the cause of the Target breach, the ultimate lesson is that organizations need to pay greater attention to the POS-related changes put forward by the PCI Security Standards Council.

“The security controls that merchants are using to meet the requirements on those POS systems are being highly scrutinized by the standard,” Strand says. “If you read through the standard, the overarching theme is to take a proactive stance when you implement your security controls to guard these systems. That is going to cause merchants to go out and say we need to re-address this. In the meantime, I think we’re going to see more breaches like the recent Target breach.”


Article source: http://www.darkreading.com/risk/target-breach-should-spur-pos-security-p/240164960

GOTrust Introduces FIDO microSD

Taichung, Taiwan – December 24, 2013. GOTrust, a FIDO Alliance member, announces FIDO microSD, among the first certified FIDO Ready™ products in the marketplace. FIDO microSD will work with 99% of existing laptops and personal computers, and the one billion Android devices in the marketplace today. FIDO microSD supports FIDO login and includes 8GB memory capacity for user storage.

“For the hundreds of millions of users and systems integrators who want to adapt existing devices to become FIDO Ready™, there is FIDO microSD,” said Darren Lee, CEO of GO-Trust. “GO-Trust makes it simple, fast and affordable for developers and providers of personal computers, mobile devices and phones already in the marketplace to be enabled with universal strong authentication that can replace password authentication with easier to use, more secure and private authentication.”

FIDO microSD provides portability from device to device and one FIDO microSD can enable many devices and work for all sites that require or accommodate FIDO authentication.

“GOTrust’s FIDO microSD is a great example of how users can benefit from the simple and powerful authentication strategies made possible by the FIDO Alliance,” said Joerg Borchert, vice president of the chip card and security business for Infineon Technologies North America. “GOTrust chose the Infineon SLE97144SD Secure Element controller for its implementation of the microSD which gives the platform unsurpassed security based on our Integrity Guard technology and the high-speed contactless interfaces required for a superb user experience.”

For enterprises and end users, microSD will soon be available at popular online outlets like eBay and Amazon. For more information about FIDO microSD, see http://www.go-rust.com/products/microsd-java/

FIDO microSD can be seen in action at the Consumer Electronics Show, Las Vegas, NV from January 7-10, 2014 at the Infineon suites at the Aria Hotel.

About GO-Trust

GOTrust Technology Inc. (GO-Trust) is the innovator of the secure microSD and the first company to deliver hardware security for mobile devices using the SD and microSD form factor. GO-Trust continues its world-leading secure microSD innovation with the most powerful, fastest and smartest microSD embedded chips and the most sophisticated supporting applications. GO-Trust holds fourteen international patents for secure microSD products and applications, which are sold in over 30 countries worldwide.

Article source: http://www.darkreading.com/intrusion-prevention/gotrust-introduces-fido-microsd/240165000

A little thanks from Naked Security

We’re winding down a bit for the Christmas holidays here, so you’ll see less new content over the next week or so as some of our writers take a break.

But we want to take a bit of time to show our appreciation to you all.

To everyone who commented on our site this year, sent us a story, liked something on Facebook, retweeted us, or just generally gave a nod in our direction, thank you!

All your contributions make our site what it is and we’re proud of our great community.

And, because we’re feeling a bit festive here, we’re giving away some prizes to our newsletter subscribers – those people who allow us to pop into their inboxes every day with our news, opinion, advice and research.

We’ve got an iPad Air to give away, as well as 50 of our lovely Naked Security tshirts.

All you need to do is make sure you’ve subscribed to our newsletter by the end of December 31st.

If you already receive our newsletter then you’ll be automatically entered into the draw. We’ll pick all the winners at random in the new year.


We’ll see you back in 2014. And if you’re celebrating over the next couple of weeks, have a wonderful time.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C-nChowdNZk/

F-Secure won’t speak at imperialist lackey RSA’s conference


Fallout from the allegation that RSA helped the NSA undermine cryptography standards is spreading, with Finnish security vendor F-Secure uninviting itself from the 2014 edition of RSA’s eponymous conference.

The reason, says F-Secure’s chief research officer Mikko Hypponen, is that RSA is an imperialist running dog. His strongly-worded missive addressed to EMC’s Joe Tucci and RSA’s Art Coviello says he won’t show at RSA and won’t deliver his planned speech titled “Governments as Malware Authors” at RSA 2014.


His reasoning for the cancellation is as follows:

“I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.”

Hypponen’s being a little disingenuous, because while RSA appears to have done something at the NSA’s behest, the wider Snowden-derived scandal reveals that the USA has surveilled its own citizens as well as foreigners. If RSA has indeed fiddled crypto, as is alleged, that effort would have helped domestic and global scrying.

But Hypponen’s not alone in thinking a boycott of US technology concerns is apt: our own Trevor Pott made just such a call back in June. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/24/fsecure_wont_speak_at_imperialist_lackey_rsas_conference/

Snowden: ‘I am still working for the NSA … to improve it’


Edward Snowden believes he is “still working for the NSA right now” and that his actions in recent months don’t constitute treason but an effort “to improve the NSA”, according to an interview in The Washington Post.

Snowden’s thinking is that he did not set out to “bring down the NSA” but that his theft of and distribution of documents will help to refocus the agency on its true purpose. He therefore told the Post that the NSA “are the only ones who don’t realize” he’s still working for the agency.


Here are a few of Snowden’s more interesting quotes from the interview:

  • “If I defected at all, I defected from the government to the public.”
  • “All I wanted was for the public to be able to have a say in how they are governed. That is a milestone we left a long time ago. Right now, all we are looking at are stretch goals.”
  • “For me, in terms of personal satisfaction, the mission’s already accomplished. I already won. As soon as the journalists were able to work, everything that I had been trying to do was validated. Because, remember, I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.”
  • “That whole question — who elected you? — inverts the model. They elected me. The overseers. [US Senator] Dianne Feinstein elected me when she asked softball questions. [US Congressman and Permanent Select Committee on Intelligence member] Mike Rogers elected me when he kept these programs hidden. . . . The Foreign Intelligence Surveillance Act court elected me when they decided to legislate from the bench on things that were far beyond the mandate of what that court was ever intended to do.”
  • “I don’t care whether you’re the pope or Osama bin Laden. As long as there’s an individualized, articulable, probable cause for targeting these people as legitimate foreign intelligence, that’s fine. I don’t think it’s imposing a ridiculous burden by asking for probable cause. Because, you have to understand, when you have access to the tools the NSA does, probable cause falls out of trees.”

Whether Snowden’s declaration that his mission is accomplished means he will continue to release documents isn’t disclosed, but it is generally held he has many, many more items of interest in his possession. If he intends to carry on, there will be plenty more embarrassment to heap on the recent battering for RSA’s reputation, the kink he put in US/Germany relations or the diplomatic spat between Australia and Indonesia sparked by previous leaks. The latter has even created a domestic debate about the role of public broadcasting in Australia, a widening ripple that presumably goes well beyond Snowden’s original intentions.

While Snowden’s intended targets have reacted to the waves he’s sent their way, sometimes in ways that support his goals of reducing domestic surveillance, most nations are toughing things out with a “we spy because we need to” line. The Post’s piece has a lot of sympathy for that position. Do you? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/24/snowden_mission_accomplished/

RSA comes out swinging at claims it took NSA’s $10m to backdoor crypto


RSA has hit back at allegations stemming from Edward Snowden’s latest whistleblowing – specifically, the claim that it secretly took US$10m from the NSA in exchange for using the deliberately knackered Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in its encryption products.

The EMC-owned security outfit said it started using Dual EC DRBG by default in 2004, some time before the generator was standardised. By 2007 the algorithm was found to effectively have a backdoor in it that weakened the strength of any encryption that relied on it, making life easier for snoops. In September 2013, RSA told its customers to stop using the algorithm.


The NSA, which championed Dual EC DRBG, is separately accused of weakening the random number generator during its development.

In a strongly yet carefully worded blog post today, RSA said “we categorically deny [the] allegation” that it “entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator”.

The biz goes on to offer four reasons for its choice of random number generator, namely:

  • We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
  • This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
  • We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
  • When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.

The post, which avoids discussing whether or not the company actually took the NSA’s $10m, concluded with the following statement:

RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

Meanwhile, Joseph Menn, the Reuters writer who broke the original news on Friday, stands by his story. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/23/rsa_nsa_response/

Made In IBM Labs: Advancing Privacy And Security In The Cloud

ARMONK, N.Y., Dec. 23, 2013 /PRNewswire/ — IBM (NYSE: IBM) inventors have received a patent for a breakthrough data encryption technique that is expected to further data privacy and strengthen cloud computing security.

The patented breakthrough, called “fully homomorphic encryption,” could enable deep and unrestricted analysis of encrypted information (intentionally scrambled data) without surrendering confidentiality. IBM’s solution has the potential to advance cloud computing privacy and security by enabling vendors to perform computations on client data, such as analyzing sales patterns, without exposing or revealing the original data.

IBM’s homomorphic encryption technique solves a daunting mathematical puzzle that has confounded scientists since the invention of public-key encryption over 30 years ago.

Invented by IBM cryptography researcher Craig Gentry, fully homomorphic encryption uses a mathematical object known as an “ideal lattice” that allows people to interact with encrypted data in ways previously considered impossible.

The breakthrough facilitates analysis of confidential encrypted data without allowing the user to see the private data, yet it will reveal the same detailed results as if the original data were completely visible.

IBM received U.S. Patent #8,565,435: Efficient implementation of fully homomorphic encryption for the invention, which is expected to help cloud computing clients to make more informed business decisions, without compromising privacy and security.

“Our patented invention has the potential to pave the way for more secure cloud computing services – without having to decrypt or reveal original data,” said Craig Gentry, IBM Researcher and co-inventor on the patent. “Fully homomorphic encryption will enable companies to confidently share data and more easily and quickly overcome challenges or take advantage of emerging opportunities.”

Following the initial revelation of the homomorphic encryption breakthrough in 2009, Gentry and co-inventor Shai Halevi began testing, refining and pursuing a working implementation of the invention. In 2011, the scientists reported a number of optimizations that advanced their goal of implementing the scheme.

The researchers continue to investigate homomorphic encryption and test its practical applicability.

IBM invests more than $6 billion annually in R&D and consistently explores new approaches to cloud computing that will deliver a competitive advantage to the company and its clients.

For 20 consecutive years, IBM has topped the list of U.S. patent recipients. The company’s invention and patent leadership is illustrated at http://ibm.co/11k6fRn.

IBM has a tradition of making major cryptography breakthroughs, such as the design of the Data Encryption Standard (DES); Hash Message Authentication Code (HMAC); the first lattice-based encryption with a rigorous proof-of-security; and numerous other solutions that have helped advance data security.

More information about how IBM inventors are propelling cloud computing innovations is available at http://ibm.co/174A8tS.

Article source: http://www.darkreading.com/privacy/made-in-ibm-labs-advancing-privacy-and-s/240164985


RSA Denies Trading Security For NSA Payout

RSA was put on the defensive on Friday, after a report surfaced suggesting that the EMC-owned security firm accepted a $10 million payment from the National Security Agency (NSA) to select a weak random number generator as the default for its BSAFE encryption libraries.

That allegation was first reported by Reuters, which said it based its report on interviews with a dozen current and former employees of RSA. The alleged “secret” $10 million contract, signed in 2006, would have represented more than one third of the annual revenue of EMC’s RSA division the year prior to the contract being signed.

On Sunday, RSA issued a statement denying that it had “entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries.”



Article source: http://www.darkreading.com/government-vertical/rsa-denies-trading-security-for-nsa-payo/240164990