03. January 2010 · BJ’s Wholesale Club and acquiring bank not liable for third party expenses resulting from the 2004 breach · Categories: Breaches, Legal

In mid-December, the Massachusetts Supreme Court affirmed the earlier dismissal of the case against BJ's Wholesale Club and its acquiring bank filed by credit card issuing credit unions and their insurance company for expenses incurred as a result of BJ's 2004 breach. Articles here, here, and here review the details.

The key to the dismissal of the lawsuit was the clause in the contract between BJ's and Fifth Third Bank, BJ's acquiring bank, which said, “This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ’s) … and is not for the benefit of, and may not be enforced by, any third party.”

The court is saying that two parties (merchant and acquiring bank), whose agreement the court well understands to be part of an overall process (credit card transactions) that includes two other specific third parties (the card-issuing banks and their customers, the cardholders), can simply agree that the benefit of their agreement does not extend to those two third parties.

The opinion goes on to say (page 17) that the plaintiffs could have filed claims against Visa and MasterCard. The implication is that they did not. Why not? Perhaps the issuing banks were concerned that Visa and MasterCard would revoke their contracts to issue credit cards, a far greater loss of fees than the expenses they incurred as a result of the breach.

Or perhaps there is an understanding by issuing banks that in the case of a breach at a merchant, they are liable for their own breach-related expenses. In fact, CUMIS Insurance Society, a plaintiff in the lawsuit, insured these credit unions against losses due to fraudulent transactions.

Clearly these issuing banks bought insurance because they understood their risk and shifted it to the insurance company. Unfortunately for them, they only insured against fraudulent transactions, not the replacement of cards of customers whose credit card information was breached.

Furthermore, page 23 of the opinion states, "they [plaintiffs] continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations [Visa's and MasterCard's] because the system is 99.94 per cent effective." And of course, they buy insurance to cover fraudulent transactions.

In summary, it appears that this judgment and the other similar judgments in similar cases make sense because the losses to credit card issuers and insurance companies are just part of the cost of doing business. Of course the banks and credit unions could get out of the credit card business if their losses become too high. Regarding CUMIS, if it feels its losses are too high, it can either raise its rates or exit the fraudulent credit card transaction insurance market. The bottom line is that the system is working.

02. January 2010 · RAM Scraping – new attack vector · Categories: Malware

RAM Scraping is a new type of malware being tracked by the security forensics team at Verizon Business. Good article describing it here.

RAM Scraping attacks were first seen targeting point-of-sale terminals as a way to get credit card information. However, as users increase their use of password managers to mitigate the risks of phishing and keyloggers, I can see RAM Scraping attacks increasing in popularity.

02. January 2010 · New non-ASCII domain names increase risk of phishing attacks · Categories: Phishing

An article in the London-based Times Online last week pointed out the security risks, particularly phishing, of the recent ICANN expansion of domain names to non-Roman characters. Here is the key quote from the article:

The problem for Western users is that the internet addresses of many well-known companies, such as Apple, Yahoo, Google and PayPal, can also be rendered to look identical in Cyrillic scripts, such as Russian.

To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, “paypal”, for example, reads as “raural”. An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash.

There are two key reasons for ICANN's expansion decision (from the TechNewsWorld article):

  • "Not introducing international domains would mean that alternate root servers will be set up around the world because the demand is so high," Tina Dam, senior director for IDNs (international domain names) at ICANN, told TechNewsWorld.
  • "It is definitely timely to make the IDN TLDs (top level domains) available, and we have also seen a demand from Asia and other parts of the world for quite some time," ICANN's Dam said. "The fact that you have to use a Latin character Web address on a site where the entire content is in Russian is not fair for Russian Internet users and does not make sense," she added.

There are some good comments on the Times Online article regarding how this type of phishing attack could be blocked. I'm sure most of the email, browser, and URL filter vendors will be responding soon.
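As an added illustration of the kind of check an email or URL filter could apply to the look-alike problem described above (example code written for this post, not from the Times Online article or any vendor), the following Python decodes a hostname's punycode labels, flags labels that mix Latin and Cyrillic letters, and maps look-alike Cyrillic letters onto the Latin brand names they imitate. The look-alike table and the protected brand list are constructed for the example; a real filter would use the full Unicode confusables data.

```python
import unicodedata

# Cyrillic letters that most fonts render almost identically to Latin letters.
# Constructed subset for this example; Unicode TR39 publishes the full confusables list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h",
}

# Brands the Times article names; assumed list, a real filter would load its own.
PROTECTED_BRANDS = ("paypal", "apple", "yahoo", "google")


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so we analyse what the user actually sees."""
    host = host.strip().rstrip(".")
    if host.isascii():
        host = host.encode("ascii").decode("idna")
    return host.lower()


def label_scripts(label: str) -> set:
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by a label's letters."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens are script-neutral
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label: str) -> str:
    """Replace look-alike Cyrillic letters with the Latin letters they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess_hostname(host: str) -> dict:
    """Report mixed-script labels and non-ASCII labels that look like a protected brand.

    Mixed-script labels (Latin "p" + Cyrillic "a" + Latin "ypal") catch the classic
    trick; the skeleton check also catches whole-script spoofs built only from Cyrillic.
    """
    labels = to_unicode(host).split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    impersonates = [(lab, skeleton(lab)) for lab in labels
                    if not lab.isascii() and skeleton(lab) in PROTECTED_BRANDS]
    return {"unicode": ".".join(labels), "mixed_script": mixed,
            "impersonates": impersonates, "suspicious": bool(mixed or impersonates)}
```

Feeding the function the punycode form a mail client would actually see in the link gives the same verdict as the decoded form, which is the point of decoding first.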

31. December 2009 · Good guys bring down a botnet. Or did they? · Categories: Botnets, Malware, Network Security

Earlier this week PC World reported that a security researcher at FireEye took down a major botnet, Mega-D. However, LonerVamp weighed in with a more objective analysis of what FireEye accomplished.

I like the idea of maturity models, as they can help an organization improve the state of a process in an organized fashion and enable the organization to compare itself to others. The granddaddy of maturity models is Carnegie Mellon University's software development Capability Maturity Model, which was started in 1987. Now comes the Building Security In Maturity Model, which is focused on building security into the software development process.

Here is the opening paragraph of their web site:

The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective.

The organizers are Gary McGraw and Sammy Migues of Cigital and Brian Chess of Fortify. Cigital and Fortify are both leading vendors in the software security market. Please do not interpret this as a negative. Putting out valuable information for free and enabling two-way communication with users is about as ethical as marketing gets.

They are promoting the very worthwhile and intuitively obvious notion that your software will be more secure if you build security in during design and development rather than bolt it on afterward.

BTW, Carnegie Mellon's Software Engineering Institute is still very active with respect to maturity models. Check them out here. Wikipedia provides a nice summary here.

30. December 2009 · Schneier’s take on aviation security as theater · Categories: Security Management, Security Policy

In light of TSA's reaction to the near-miss catastrophe on Northwest Flight 253 on Christmas Day, I'm glad to see that CNN republished an article by Bruce Schneier entitled, "Is Aviation security mostly for show?"

30. December 2009 · DLP Administration Requirements & Security/Compliance Portfolio Management · Categories: Data Loss Prevention, Security/Compliance Portfolio Management

Dark Reading's December 21, 2009 article, 4 Factors To Consider Before Firing Up that DLP Solution, provides welcome insight into the administration requirements of DLP systems. Too often, the press just hypes the latest security solution types (think NAC in 2006 and 2007; where is Cisco's TrustSec?). While DLP is surely not new, this type of article is still refreshing.

The four factors described are:

  1. Policy – Initial creation and/or customization, ongoing modification
  2. Data Discovery – Initial and ongoing configuration of data identification algorithms
  3. Integration – e.g. ICAP, email, encryption
  4. Administration – Alert Adjudication

The article says that the amount of administrative work is a function of "the size of your organization and the level of deployment." I would add a third – the product you select.

Actually, all security products require at least Policy Management, Integration, and Alert Adjudication. Therefore when considering adding a new security/compliance solution type, review your overall security/compliance portfolio and consider consolidation opportunities as a way to control administration costs.

While the major security vendors have been acquiring and integrating additional functionality for years, start-ups have been coming to market with innovative approaches to unifying functions designed and built from the ground up. Next generation firewalls, as described by Gartner, come to mind.

28. December 2009 · Heartland pays AmEx $3.6 million for 2008 breach · Categories: Breaches, Legal

Let the payments begin. Heartland Payment Systems settled the lawsuit brought by American Express due to Heartland's 2008 breach of 130 million credit cards (which I wrote about here) for $3.6 million. There are still many more lawsuits outstanding including Visa and MasterCard which no doubt represent the majority of the credit cards stolen.

The article quotes Heartland CEO Bob Carr as saying that Heartland "has set aside $12.6 million to charges related to the hack." I find this number to be a gross underestimation considering that TJX believes its breach will cost $250 million, as reported here, here, and here.

28. December 2009 · Database security – the last frontier · Categories: Database Activity Monitoring

I just stumbled on a blog post by John Oltsik of ESG entitled Database Security Is In Need of Repair, written on August 26th, 2009. John reports on a survey ESG conducted that showed database security is surprisingly weak given that 58% of the survey respondents said that databases contain the highest percentage of their organizations' confidential data. File servers came in a distant second at 15%.

How can this be? John says:

1. No one owns database security, rather it appears to be a collective effort done by security administrators, IT operations, data center managers, system administrators, DBAs, etc. With this many people involved, it is likely that database security is fraught with redundant processes, numerous "root" access passwords, and human error.

This resonates with my experience. The worlds of DBAs and IT Security professionals rarely meet. They speak different languages. DBAs are all about availability and performance, just as network administrators traditionally were.

There are two types of Database Security solutions – Encryption and Database Activity Monitoring. Encryption solutions are used for compliance purposes, for example to encrypt the Social Security Number column of a database to block unauthorized users who gain access to the database server. However, encryption does nothing to block authorized users from violating access policies.

Database Activity Monitoring, which I wrote about here, comes in three flavors – logging, network, and host based. In some cases, Database Activity Monitoring can provide a layer of policy control to restrict authorized users (insiders) to just the data they need to do their jobs. And even those solutions have limitations.

In summary, 1) the solutions available are improving and 2) it behooves database administrators to expand their vision to include database security.
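To make the encryption-versus-monitoring distinction concrete, here is a small added example (not from the ESG post or any DAM product) of the logging flavor of Database Activity Monitoring: it parses constructed query-log lines and applies a policy under which authorized users may read a sensitive column only if their role is entitled to it, and in the SSN case only row-scoped, never in bulk. The log format, the roles, the table and column names and the policy are all assumptions made for the example.

```python
import re

# Constructed log format, one statement per line, as a logging-based DAM might capture it.
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                      r"db=(?P<db>\S+) sql=(?P<sql>.+)$")
SELECT_RE = re.compile(r"select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)", re.I)

# Assumed policy: roles entitled to each sensitive column, and whether it may only be read row-scoped.
SENSITIVE = {
    ("hr", "employees", "ssn"): {"roles": {"payroll_app"}, "row_scoped_only": True},
    ("hr", "employees", "salary"): {"roles": {"payroll_app", "hr_analyst"}, "row_scoped_only": False},
}

def columns_read(sql):
    """Return (table, set of column names) for a SELECT, or (None, set()) otherwise."""
    m = SELECT_RE.match(sql.strip())
    if not m:
        return None, set()
    return m.group("table").lower(), {c.strip().lower() for c in m.group("cols").split(",")}

def evaluate(line):
    """Return the policy violations for one log line; an empty list means allowed."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsed log line"]
    table, cols = columns_read(m.group("sql"))
    if table is None:
        return []  # this example polices SELECTs only
    row_scoped = re.search(r"\bwhere\b", m.group("sql"), re.I) is not None
    violations = []
    for (db, tbl, col), rule in SENSITIVE.items():
        # "SELECT *" reads every column, so it touches the sensitive ones too.
        if (m.group("db"), table) != (db, tbl) or not (col in cols or "*" in cols):
            continue
        if m.group("role") not in rule["roles"]:
            violations.append(f"{m.group('user')} ({m.group('role')}) read {tbl}.{col} without entitlement")
        elif rule["row_scoped_only"] and not row_scoped:
            violations.append(f"{m.group('user')} read {tbl}.{col} in bulk (no WHERE clause)")
    return violations

# Constructed sample lines: an entitled row-scoped read, a DBA dumping the whole table,
# an analyst reading a column outside her entitlement, and an entitled but bulk read.
SAMPLE_LOG = [
    "2009-08-26 10:01:02 user=payroll_svc role=payroll_app db=hr sql=SELECT ssn, salary FROM employees WHERE emp_id = 4711",
    "2009-08-26 10:02:15 user=jdoe role=dba db=hr sql=SELECT * FROM employees",
    "2009-08-26 10:03:40 user=asmith role=hr_analyst db=hr sql=SELECT name, ssn FROM employees WHERE dept = 'sales'",
    "2009-08-26 10:04:01 user=payroll_svc role=payroll_app db=hr sql=SELECT ssn FROM employees",
]

def audit(lines):
    """Map the index of each offending log line to its violations."""
    results = {i: evaluate(line) for i, line in enumerate(lines)}
    return {i: v for i, v in results.items() if v}
```

Note that the DBA's full-table dump is flagged even though the DBA is an authorized database user, which is exactly the case column encryption alone does not address.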


28. December 2009 · Verizon Business 2009 DBIR Supplemental Report provides empirical guidance for unifying security and compliance priorities · Categories: Breaches, Compliance, Risk Management, Security Management, Theory vs. Practice

The Verizon Business security forensics group's recently released 2009 Data Breach Investigations Supplemental Report provides common ground between those in the enterprise who are compliance oriented and those who are security oriented. While in theory there should be no difference between these groups, in practice there is.

Table 8 on page 28 evaluates the breach data set from the perspective of data types breached. Number one by far is Payment Card Data at 84%. Second is Personal Information at 31%. (Obviously each case in their data set can be categorized in multiple data breach categories.) These are exactly the types of breaches regulatory compliance standards like PCI and breach disclosure laws like Mass 201 CMR 17 are focused on.

Therefore there is high value in using the report's "threat action types" analysis to prioritize risk reduction as well as compliance programs, processes, and technologies.

While the original 2009 DBIR did provide similar information in Figure 29 on page 33, it's the Supplemental report which provides the threat action type analysis that can drive a common set of risk reduction and compliance priorities.