NEWS
Sony under attack
Hackers have succeeded in breaching Sony networks – the PlayStation Network (PSN), Qriocity and Sony Online Entertainment (SOE) – resulting in the compromise of users’ details that potentially numbered as many as 100 million records. Both systems were taken offline immediately the breaches at the AT&T datacentre in San Diego were discovered.
Initial reports claimed that as many as 77 million customer records were compromised during the PSN attacks, which took place in mid-April. This was based on the size of the system’s user base, but estimates of the number actually affected later dropped to 10 million – still a massive breach. The PSN attack netted the hackers records detailing names, birth dates, email addresses, account logins and physical addresses.
Later it was announced that SOE had also been breached. SOE is home to a number of services, including multi-player online games such as EverQuest, The Matrix Online, Star Wars Galaxies, DC Universe Online and Free Realms. Up to 24.5 million records were compromised.
Sony has claimed that although credit card information was stored on the PSN system – around 10 million user accounts had credit/debit card information associated with them – this data was encrypted. Sony also stated that it had “no evidence that credit card data was taken”. It also pointed out that it does not store CVV data. However, Sony gave no details about the encryption methods used. And researchers from Trend Micro claim to have seen discussions in carder forums offering this data for sale – with as many as 2.2 million records being available. Reported in the New York Times, Trend’s senior threat researcher, Kevin Stevens, said that the hackers might be asking as much as $100,000 for the data, and had even offered to sell it back to Sony. This has been denied by the company.
With the SOE attack, Sony says that, in addition to current user information, an “outdated database” dating back to 2007 was also compromised. This contained credit/debit card expiration dates for 12,700 non-US customers and 10,700 direct debit accounts for customers in Germany, Austria, Netherlands and Spain – all of which may have been stolen. Other account info was taken and although Sony says passwords were hashed, it didn’t reveal what method was used for the hashing – for example, whether a salt was employed. Sony also hasn’t yet explained why an “outdated” database remained on its system and was still reachable via the Internet.
“Enterprises need to reconsider the validity of data collection and accessibility,” said John Colley, managing director of (ISC)2 EMEA. “Marketing people, for example, should perhaps review the amount and type of information they gather as well as how they gather it, given the level of attempts to defraud people via email. They must consider whether data needs to be stored permanently or whether it can be held temporarily. Authentication is a clear example of where the data usage requirement can be temporary.”
The Anonymous group, a loose collective of activists, immediately fell under suspicion, although very soon after the Sony breach was announced the group made a public statement that it was not responsible. However, it had been carrying out a DDoS campaign against Sony because of the company’s now-settled legal action against George Hotz, who hacked the PlayStation’s encryption key. These attacks effectively masked the hackers’ activities, which is why Sony didn’t notice the breaches sooner, the firm claimed.
In a letter to a Congressional committee, Sony chairman Kazuo Hirai suggested that the Anonymous members engaged in the DDoS attack may have been providing cover for the hackers. “Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know,” he wrote. “In any case, those who participated in the denial of service attacks should understand that – whether they knew it or not – they were aiding in a well-planned, well-executed, large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world.”
This prompted a second statement from Anonymous, reiterating that it was not responsible and that it doesn’t condone credit card theft (although it has supported direct attacks on financial institutions). However, the nature of the group is such that individuals can easily mount an attack claiming to act on behalf of the group. And Sony later said it had found a file named ‘Anonymous’ on its servers carrying the message ‘We are legion’ – a popular slogan used by Anonymous. Nevertheless, the file could have been left there by the hackers as a way of shifting suspicion.
Sony said it is improving its security, which includes the creation of the post of Chief Information Security Officer (CISO) and moving its datacentre to a new location. And as well as working closely with the FBI and database provider Oracle, it has also called in security experts Guidance Software and Data Forte to help investigate the breaches.
At the time of writing, there were rumours of a pending third attack. CNET reporter Erica Ogg claimed to have communicated with one of the attackers via an IRC channel. The hacker said the attack would be on Sony’s website where the hackers would publicise their successes.
PCI DSS appears to reduce breaches
Although most information security practitioners insist that compliance does not equate to security, a new report sponsored by Imperva and carried out by the Ponemon Institute has found a correlation between Payment Card Industry Data Security Standards (PCI DSS) compliance and fewer data breaches.
The ‘2011 PCI DSS Compliance Trends Study’ found that 64% of the surveyed companies that comply with the standards reported no data breaches involving credit card information in the past two years. This figure dropped to 38% for non-compliant firms. The companies that meet PCI DSS standards also had fewer data breaches in general, with 63% of them having no more than one breach in the two-year period, compared to 22% of non-compliant firms. And 26% of non-compliant companies suffered more than five breaches in that time.
“We believe that PCI DSS is one of the most effective data security regulations today and can significantly help companies improve their data security posture,” said Amichai Shulman, co-founder and CTO of Imperva. “Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don’t, period.”
Of the surveyed organisations, two-thirds had achieved full PCI DSS compliance, compared to around 50% in the equivalent study carried out in 2009. In 2011, only 16% of companies had failed to achieve any level of compliance, against 25% in 2009.
However, not everyone is convinced of the security benefits of PCI DSS. Among the respondents themselves, 88% did not support the contention that compliance has a direct and beneficial impact on the number of data breaches. Only 39% listed improvements in data security as one of the benefits of achieving compliance. And just a third thought that the cost of compliance is justified by benefits to the business.
Computer Fraud & Security
May 2011
FEATURE
South Africa. His interests include various topics in information security and privacy, mobile computing and IT service management. Botha is a certified IT Service Manager and serves on the board of the South African Institute for Computer Scientists and Information Technologists. He has published more than 50 papers in refereed international journals and conference proceedings.
Fraudulent funds transfers to China
The FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) are warning small and mid-sized US firms about the danger of their accounts being used to siphon funds to China.
According to the alert, compromised online banking credentials are being used to set up wire transfers to Chinese companies operating near the Russian border. The FBI uncovered at least 20 such incidents in a two-month period, amounting to attempted fraud of $20m and actual losses to victims of $11m. Individual transfers have ranged from $50,000 to $985,000 – mostly towards the top end of that scale.
Typically, phishing emails or malicious web pages are used to compromise people within organisations who are authorised to carry out funds transfers. Once login credentials have been stolen, the cyber-criminals initiate illegitimate funds transfers via intermediary banks which, according to the alert, are “typically located in New York”. It goes on to say that, “Like most account takeover fraud, the victims tend to be small-to-medium sized businesses and public institutions that have accounts at local community banks and credit unions, some of which use third-party service providers for online banking services.”
The money is sent to companies in port cities of the Heilongjiang province of China. In most cases, each recipient company is used only once; in the few instances in which a firm has been sent money more than once, it’s been over the course of just a few days, and then never again. All appear to be legally registered firms with accounts at the Agricultural Bank of China, the Industrial and Commercial Bank of China or the Bank of China.
Continued on page 20...