TJX hackers caught

computer FRAUD & SECURITY ISSN 1361-3723 August 2008

www.computerfraudandsecurity.com

TJX hackers caught

E

leven individuals have been charged in what US officials have called the biggest hacking and identity theft case in history. The group, responsible for the TJX Group credit card theft incident and attacks on many other retailers, were spread around the globe from Belarus to China. Three are US citizens.

The group was charged with conspiracy, computer intrusion, identity theft

Contents and fraud at a federal court in Boston. It confirmed earlier reports that the malware used to steal details of over 40 million credit cards was installed on the TJX servers using a ‘wardriving’ attack, in which the accused allegedly hacked into wireless networks at retail locations. Other retailers targeted included Barnes & Noble, Sports Authority, Forever 21 and Boston Market. Continued on page 2...

Featured this month: The complexity of living like a snail – the dangers of the ‘fuzzy boundary’

T

he fuzzy boundary is an area of dynamic vulnerability on the outside of the technical protection of the organisational network. There are a number of factors which contribute to the vulnerability: some are within the control of the business itself and some are not, but need to be considered.

Wendy Goucher seeks to examine some of the clearest factors that can lead to security weakness. It does not bring solutions but attempts to shed some light on ignorance in order to raise the awareness of risk owners who can consequently address the fine balance between security and acceptable operation. Turn to page 7...

Beyond the PIN: Enhancing user authentication for mobile devices

T

here is now an increasing need for an enhanced level of user authentication on mobile devices. In this article, Steven Furnell, Nathan Clarke and Sevasti Karazouni begin by examining the existing provision, which is dominated by PIN and passwordbased approaches. They established that these may be both inconvenient and inadequate for securing modern devices and services.

From this basis, the discussion considers how authentication may be enhanced; by recognising the varying requirements that may exist during the use of mobile applications and services, as well as the desirability of being able to tie the provision to these aspects in a flexible and non-intrusive manner. The discussion is supported by reference to an operational research prototype that the authors have designed. Turn to page 12...

NEWS TJX hackers caught

1

Countrywide employee arrested

2

Internet scrambles to fix major DNS flaw

3

McKinnon loses court appeal

3

FEATURES Economics of ICT security

4

Andrea Pasquinucci explores the relationship between money and mitigation. The complexity of living like a snail – the dangers of the ‘fuzzy boundary’ 7 Wendy Goucher discusses some of factors that affect the vulnerability of the fuzzy boundary and the role of risk management in dealing with them. How ready are you for the Companies Act?

9

Corporate governance has come a long way - and it will go further, thanks to new legislation in the UK that starts in October. Steve Gold investigates. Paper cuts: Security in non-digital written media

11

The press often focuses on the protection of electronic data, says Wendy Goucher. But what about paper? Beyond the PIN: Enhancing user authentication for mobile devices

12

With the inadequacy of PIN-based authentication, this article examines a flexible and non-intrusive approach that links the level of authentication required to the type of service being used. War & Peace in Cyberspace: Don’t Twitter away your organisation’s secrets

18

Dario Forte and Richard Power discuss the explosion of the Twitter phenomenon. REGULARS Editorial

3

In Brief

3

Calendar

20

ISSN 1361-3723/08 © 2008 Elsevier Ltd. All rights reserved This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

NEWS

Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Tel:+44 (0)1865 843695, Fax: +44 (0)1865 843933 E-mail: [email protected] Web: www.computerfraudandsecurity.com Editor: Danny Bradbury E-mail: [email protected] Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia Production Editor: Lin Lucas Subscription Information An annual subscription to Computer Fraud & Security includes 12 printed issues and online access for up to 5 users. Prices:
1017 for all European countries & Iran US$1104 for all countries except Europe and Japan ¥135 300 for Japan (Prices valid until 31 December 2008) To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 843933 E-mail: [email protected], or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, e-mail: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02065

2

Computer Fraud & Security

Editorial What’s up with Microsoft? At Black Hat US this year, the firm announced three new programmes. Starting in October, its Microsoft Active Protections Program (MAPP) will give other security vendors early access to upcoming vulnerability information about Microsoft products, the Exploitability Index scores vulnerabilities on how likely they are to be exploited. The Microsoft Vulnerability Research (MSVR) initiative formalises an arrangement in which the firm advises third parties of security flaws in their products (which it often finds during its own vulnerability research). This isn’t the Microsoft that people used to know and hate. The old Microsoft was more insular, and less responsive. But following its Trustworthy Computing Initiative, which started after the now famous Gates memo in 2002, things have been changing. The firm is preaching ‘community security’ these days, and is focusing on inclusiveness. This approach came at a good time. Dan Kaminsky’s discovery of a major DNS flaw (see news article

Continued from front page... Three Ukranians were indicted in the case: Dzmitry Burak, Sergey Storchak, and Maksym Yastremskiy. Aleksandr Suvorov of Estonia and Sargey Pavlovich of Belarus were also charged, as were Hung-Ming Chiu and Zhi Zhi Wang of China. Another participant known only by the nickname ‘Delpiero’ was also charged. Christopher Scott and Damon Patrick Torey of Miami were also a subject of the investigation, along with the other US resident, former Secret Service informant Albert Gonzalez of Miami. He had already been arrested by the Secret Service in 2003 for access device fraud. He faces life imprisonment if all charges stick. The team collected customer card data using the malware planted on

on page 3) called for a massive collaboration between multiple parties to get it fixed. A large collection of ISPs and vendors were involved in the fix, which was still only partially successful (many people at the time of writing still hadn’t patched). It required silence among all those involved, which got the industry a couple of weeks to fix the flaw before exploit code leaked. Vendors and researchers have worked with competitors before, of course, but these developments seem to push the envelope. Are we looking at a new era of cohesion in the security research community? What will this look like? The formation of the Industry Consortium for the Advancement of Security on the Internet (ICASI) gives us some clue. The organiasation, formed at the end of June by a series of industry heavyweights including Microsoft, set out to foster more industry co-operation when addressing security challenges. As threats become more complex and pervasive, it’s a step in the right direction. Danny Bradbury retail computers via the wireless networks. The data was then stored on encrypted servers in eastern Europe and the US, and the numbers sold to criminal networks. Numbers were encoded to forged bank cards and then used at ATMs. “Businesses should see this as clear reminder that with increasing electronic use of customer data they must ensure they use, store and discard it safely following the principles set out by the Payment Card Industry (PCI) and the Data Protection Act,” said Greg Day, security analyst at McAfee.

Countrywide employee arrested

A

Bank of America subsidiary responsible for subprime mortgage loans lost roughly two million customer records to a data

August 2008