Target Breach Lesson: PCI Compliance Isn’t Enough

“Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” Those words by Target Chairman, President, and Chief Executive Officer Gregg Steinhafel affirmed what security experts know as gospel: Compliance does not equal security.

“Just because you pass a PCI audit does not mean that you’re secure,” said Eric Chiu, president and founder of HyTrust. “Clearly we saw that in the Target scenario.”

PCI standards can suffer from a common regulatory affliction.

“A standards body takes many years to develop a standard,” Chiu told TechNewsWorld. “In that time frame, threats change.”

In the retail sector, Target was a security standout when it passed its PCI audit in September.

“The lesson here is even if you’re pretty vigilant and at the top of your industry, being secure today doesn’t mean being secure tomorrow,” Sonali Shah, vice president of products for BitSight, told TechNewsWorld.

Opiate for Executives

While CEOs may not know that, security pros do. Compliance rules are formulated with the best of intentions, but they can be an opiate for denizens of corner offices.

“Compliance can give you a false sense of security,” said Vijay Kumar Murty, CTO of PerfectCloud.

“Compliance can protect us from liability, but whether it actually protects us from loss of business and loss of data is not so clear,” he told TechNewsWorld.

“Compliance is a minimal deterrent that everyone has to have in place. That doesn’t give us complete assurance that everything is OK,” Murty said.

“If you’re driving a car, you’re expected to have a driver’s license,” he pointed out. “That doesn’t make you a safe driver.”

WhatsApp Trouble

Encryption’s reputation as a deterrent to data snoops is legend, but even encryption can be worthless if isn’t done right — and that’s the case with Facebook’s new US$19 billion acquisition WhatsApp.

The bush league flaw in the app came to light last week, thanks to Double Think CTO Bas Bosschert.

While WhatsApp was encrypting its database of messages on the Android phones it was running on, it was using a static key to decrypt it, he found. The key is available in a free tool available online.

That means any app with permission to access the storage on a phone could snatch the WhatsApp database and upload it to a location where it could be decrypted with the free tool.

“What’s significant about the research is it shows an oversight in how to leverage encryption technology to protect data,” Grayson Milbourne, security intelligence director at Webroot, a maker of antivirus software, told TechNewsWorld.

“I expect very quickly we’ll see an update from WhatsApp that will address this problem,” he said. “It should generate a key for each device, which is the proper way to make the data unreadable.”

“The takeaway is you really have to apply security technology properly when you’re dealing with private data, especially with SMS,” he added. “That’s a sweet hotspot for very private data. To compromise that has very large implications.”

Hack for Cash

White hat hackers made a bundle of money last week at HP’s Pwn2Own competition held at CanSecWest in Vancouver, Canada. A record US$850,000 was paid out to researchers who found flaws in a number of popular applications, including Safari, Chrome, Firefox, Microsoft Internet Explorer and Adobe Flash.

“What was interesting were the different kinds of vulnerabilities that were demonstrated,” said Brian Gorenc, manager for vulnerability research for HP Security Research’s Zero Day Initiative.

“They weren’t all the same type,” he told TechNewsWorld. “In Firefox, there was a privilege escalation vulnerability along with an out-of-bounds read/write vulnerability that could result in remote code execution.”

What makes the contest especially exciting for researchers is that they get to spend some face time with the maker of the software they’ve hacked.

“When we get the researcher and the vendor in a closed room, there’s always an interesting conversation that happens between the two,” Gorenc said. “Several of the vendors have thanked the researchers for the quality of the work they’d done because it allowed the vendor to produce fixes faster.”

Breach Diary

• March 10. Statistics company Statista reveals the accounts of some 50,000 users were impacted in a data breach discovered March 8. Hackers apparently are using email addresses from the accounts to send spam to the website’s users.
• March 11. U.S. Sen. Diane Feinstein accuses CIA of violating federal law by tampering with documents and spying on Senate server space related to probe of the agency abuse in its detention and interrogation program.
• March 11. University of Northern Iowa holds forum for employees who claim they’re victims of identity theft resulting from a data breach at the school. The school says it doesn’t know where the breach occurred, but it offering free credit monitoring services to affected employees.
• March 12. Intercept, in report based on documents leaked by whistleblower Edward Snowden, reveals NSA used automated systems to infect targeted computers with malware and extract data from them.
• March 12. Lookout launches “Private Parts,” an open-sourced, customizable toolkit to help developers implement visual, user-friendly privacy policies.
• March 12. U.S. Foreign Intelligence Surveillance Court temporarily reverses earlier order that call records collected by the National Security Agency should be destroyed after the current five-year limit. Court modified its previous stand after a District Court in California ordered the government to retain phone records it collected in bulk from telecommunications carriers because the metadata may be evidence in two civil lawsuits that challenge the NSA’s phone records program authorized by the Patriot Act.
• March 12. University of Maryland lowers estimate of number of records affected by data breach last month from 309,079 to 287,580.
• March 12. University of California San Francisco notifies 9,986 persons that a number of desktop computers that contained personal and health information were stolen from the school in January. There has been no attempt to use the information on the pilfered computers, the university said.
• March 13. A CD containing personal information on 15,000 current and former New York transit authority workers was returned to the agency by a person who found the disk in a refurbished CD drive they’d purchased. Agency is offering affected workers a free year of credit monitoring and identity theft protection.
• March 13. Barracuda Networks releases free Chrome extension that automatically maximizes the privacy settings of a LinkedIn account to guard against corporate espionage.
• March 13. Skybox Vulnerability Center launched. It allows netizens to search for information about specific vulnerabilities or vulnerabilities from a particular vendor; customize the Skybox Vulnerability Index graphic to focus on specific vendors or categories of products; and view the vulnerability news items.
• March 13. Target received alerts in time to thwart holiday season data breach that compromised 110 million customer payment card and personal information records but failed to act on the information, Bloomberg Businessweek reports.
• March 13. New Yorker disables Customer Care website following discovery of vulnerability that allowed a user’s password to be seen when their mailing address was entered at the site. There was no evidence that any suspicious activity occurred with anyone’s New Yorker subscription account, the magazine said in an email to subscribers.
• March 14. Google Play adds to its Play Store setting, requiring entering a password every time a purchase is made and a more prominent in-app purchase notification.
• March 14. Several Seattle area parochial schools closed for security audit following discovery of data breach linked to national tax-fraud scheme.

Upcoming Security Events

• March 18. Cybersecurity: Collaborate, Comply, Conquer. Virtual conference sponsored by ISACA. Free with registration.
• March 19. Official RSAC ’14 Recap. 11 a.m. ET. Webcast sponsored by Cylance. Free with registration.
• March 20. 2014 Security Pressures Survey. 7 a.m. ET. Webinar sponsored by Trusteer.
• March 20. The Hidden Cost Of Customer Data: The More You Have, The More You Have To Lose. 2 p.m. ET. Black Hat Webcast. Free with registration.
• March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
• March 20-21. BSides Austin. WinGate Williamson Conference Center, Round Rock, Texas. $10 per day; students free.
• March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• March 26. CMaaS + Cyber Security 3.0. 8 a.m.-12:30 p.m. The Tower Club, Tysons Corner, Va. Free for GoMark Council members and government employees; non-members, $200.
• March 29-30. BSides Mumbai.Mumbai World Trade Centre, Cuffe Parade, Mumbai. 5,000 Indian rupees.
• March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
• April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
• April 1-3. 13th European Security Conference & Exhibition. World Forum, the Hague, the Netherlands. Registration: ASIS members, 970 euros; non-members, 1,170 euros.
• April 4-5. BSidesPR 2014. San Juan, Puerto Rico. Free.
• April 5. BSidesROC 2014. German House, 315 Gregaory St., Rochester, N.Y. Free with registration.
• April 5-6. BSides Orlando 2014. Wyndham Orlando Resort, Orlando, Fla. Ticket: $20.
• April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
• April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
• April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
• April 17-18. Suits and Spooks San Francisco. Fort Mason in the Firehouse, San Francisco. Registration: Through March 10, $380. After March 10, $575.
• April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
• April 27-28. BSides Dubai 2014. Free.
• April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
• April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
• June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
• Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
• Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
• Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
• Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: through Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.