Category Archives: General Security

Why go to Black Hat?

Filed under General Security

I am writing this blog post as part of the Black Hat Bloggers Network topic of interest #2.

I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security-related conferences in the past (most of these combined training and conference into one event, like SANS Fire), but since coming back from Black Hat last year I have discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat:

1. Great speakers! Seriously, if you want to “be there” when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world…that’s Black Hat! I liked how conference attendees were able to “vote” in advance on the selection of talks this year. I felt this added real value to the great speaker line-up for this year’s conference!

2. Good mix of “black hat”, “white hat”, and everything in between (gray hat) attendees, with a little more on the “white hat” side. This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won’t think you are just going to another “hacker con”. For example, you can say to your boss, “Hey, they have a vendor show and XYZ company will be there!” Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking, of course…). :-P

3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker cons in the world! I could do a whole post on how great attending DefCon is, but in short it’s awesome to see an even more diverse crowd than Black Hat of the good, the bad, and the plain ugly! Not to mention “spot the fed” and all the other fun games and activities unique to DefCon.

Can’t wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16).

Black Hat and the Security Bloggers Network

Filed under General Security

[Image: Black Hat 2008 Logo]

If you have been reading my blog and others in the Security Bloggers Network recently then you hopefully already know about the really cool alliance this year between Black Hat and the Security Bloggers Network. If not, here is a quick and dirty overview…

Basically, there will be a Black Hat topic of the week based on one of the scheduled briefings. The bloggers can then blog on that topic to hopefully generate some interesting conversation prior to the conference. Since there are about 150 different security blogs covering every angle of security in the network it should make for some interesting blog posts.

In addition, the Security Bloggers Network will be linked on the Black Hat web site and in various conference paraphernalia. Personally, I am really looking forward to blogging about some of the hot topics that will be talked about at Black Hat this year!

Be sure to follow all the Black Hat updates on Twitter, and if you haven’t subscribed to the Security Bloggers Network OPML, check it out! You can also follow me on Twitter and FriendFeed, as I will be at both Black Hat and Defcon 16 this year; hope to see some of you there…

Also, if you plan on attending this year don’t forget to register for the Black Hat “sneak peek” webcast on June 26th!

Raiders of the Lost Backup Tapes

Filed under General Security

[Image: Indy likes lost backup tapes!]

Amazing that security breaches like the one I am about to tell you about are becoming more common…so common that mainstream media outlets like CNN don’t even report them anymore. If you haven’t read about this pretty significant security breach yet…let me briefly tell you about it…

Bank of New York (BNY) Mellon and People’s United Bank of Bridgeport, CT may have lost Social Security numbers and bank account information when unencrypted backup tapes went “missing” from BNY Mellon. No big deal, right? Only 4.5 million customers affected. From the Reuters article:

“…on February 27, Bank of New York Mellon was transferring back-up tapes with data, including names, addresses, birth dates and Social Security numbers, when it lost a box with six to 10 unencrypted tapes….an archiving vendor lost the tapes from its Shareowner Services unit, but there was no evidence any data had been inappropriately accessed or used.” [sic]

Basically People’s hired BNY Mellon Shareowner Services in 2007 to tabulate votes and process stock orders during its conversion from a mutual bank, which is owned by depositors, to one that is fully publicly traded.

Moving on…nothing to see here right?

The problem is that this data was not BNY Mellon’s customer data but the customer data from People’s United Bank, some Wachovia employees and some 64,000 MetLife shareholders…

“People’s United claims this was a BNY Mellon security lapse, as People’s United transmitted encrypted information to BNY Mellon who in turn created the unencrypted backup tape(s) that was lost.”

Good for People’s Bank for encrypting the data in the first place…but the problem lies with the vendor(s). It seems that more and more financial institutions are letting other financial institutions and other vendors process transactions and convert information for them. Trusting others with your sensitive data is not always the best idea (even though that’s how business gets done these days); however, BNY Mellon should have encrypted these backup tapes in the first place! What about the vendor (Archive Systems Inc.) who actually lost the box of tapes? I would think that they are to blame as well. Sounds like a lot of vendor management issues here from many angles.

I would think that a large archive vendor like this would have some kind of policy stating some form of compensation for losing a box of tapes in transit. Almost like how armored truck carriers transfer money from a bank branch to a financial processing center…if the armored car was compromised in transit and the bank lost all the money inside the car, it’s not the bank’s fault…thus the armored car carrier is responsible for the loss and would have to compensate the bank.

Looks like 4.5 million customers will get one year of crappy credit monitoring service as usual because of poorly managed vendor relationships. Nice.

KeePass Password Manager

Filed under General Security

[Image: KeePass Password Manager]

I wrote an article some time ago about multi-platform password managers. At the time I talked about PasswordSafe and Password Gorilla. While both of these are really good password managers that work on Linux, Windows and OSX…Matt Neely talked about KeePass at the NEO InfoSec Forum last week and made the case that KeePass is probably the best password manager available.

What is really cool about KeePass is that you can use it on just about anything, including Blackberry and Windows Mobile devices. Having a password manager on the Blackberry just about sold me, and I have yet to try it; however, what did sell me was the KeePass port called KeePassX for Linux and OSX! I downloaded and installed it on my Mac and it is way faster than the old Password Gorilla. The features are really great too, with automatic clearing of your clipboard, a nice, easy-to-navigate interface and a password expiration system. My only gripe was that I had to load up the Windows version to import my PasswordSafe formatted database file for use in the OSX version. The Windows version has a plugin you can download which will automatically import your database file from PasswordSafe. There is no PasswordSafe import plugin for OSX currently. Other than that, I am converted and love it!

TJX Employee Fired for Posting Security Issues

Filed under General Security

This is just classic. A TJX employee, Nick Benson, was fired for posting about security issues on the TJX internal network to the sla.ckers.org forum. Nick attempted to report security issues to his management back in 2006 (before the massive TJX security breach) and nothing changed. Apparently things like having blank passwords on servers were in effect up until May 8th of this year! Some of the issues he identified, quoted from the SecurityFocus article, are below:

“Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords.”

“…a store server that was running in administrator mode, making it far more susceptible to attackers…”

and my favorite…

“My store manager even posted the password and user name on a post-it note…”

So what’s the issue here? Two things…sure, telling your management that there are security issues was the right thing to do. However, when nothing changes based on the information you told them, then things need to be escalated to a higher level of management. I would hope that TJX has some sort of “ethics” or “privacy” hotline (most major companies have these and they are anonymous) that this guy could have called. How about doing some research within the company Intranet to find out who to contact…that would be an easy approach to take if your management is not listening to you. Secondly, not the brightest idea to post on a hacking forum to let the whole world know of these issues. This guy was easily tracked back to his real IP…heck, he probably even posted from work, which made tracking him even easier! If he was really serious about not wanting to be caught then he should have used Tor or some other anonymous proxy to set up the account and make those postings (keep in mind he was just a retail worker with no IT background, so Internet anonymity was an afterthought). Either way, not a very smart thing to do.

I still find it hard to believe that the TJX information security department would have thought it was OK to have blank passwords to log on to servers! If so, these are not security professionals in my book…heck, a bunch of script kiddies wouldn’t even use blank passwords! My guess is that the information security department never even knew about these issues. The “management” that he reported the issue to was actually the loss prevention department. The loss prevention department in retail and other companies mainly deals with preventing shoplifting and theft…really not the right people to handle information security issues. Regardless, TJX still seems like a security train wreck…they won’t be getting my business anytime soon.

SecuraBit: New Security Podcast

Filed under General Security

Looking for a fresh, new look at all the recent security news and threats? Check out the new security podcast called “SecuraBit”. The crew of the SecuraBit podcast includes Jason Mueller, Chris Gerling (you may know him from Hak5), Anthony Gartner and Christopher Mills. It’s nice to have another podcast following in the footsteps of Pauldotcom…no BS, just good security talk with guys that know what they are talking about.

New Black Hat Call for Papers Review Process

Filed under General Security

[Image: Black Hat Briefings]

If you happened to sign up for the Black Hat USA 2008 Briefings early this year, you will notice that as a paid delegate you are able to review and comment on all the current papers submitted to the Black Hat speaker review board. You can basically comment on and rate each paper and also provide comments back to the person/group that submitted it.

Black Hat has always been a great security conference and I really like this new format, as it gives the people that actually attend a chance to have input into which talks will be selected. One thing to note: there are some fantastic submissions; however, I was surprised to see all the junk that gets submitted as well! Reminds me a lot of getting resumes for open job positions…most resumes are 90% crap, 10% qualified.

If you are signed up for Black Hat USA 2008, you need to do your reviews quickly as the CFP closes May 1st.

Malware is Evolving

Filed under General Security

I saw a good presentation analyzing the malware behind the current “fake subpoena phish” by Tyler and Greg at the NEO Information Security Forum the other night. Tyler and Greg are legendary in the Cleveland area for conducting some cutting edge malware analysis over the last few years. They focused on how this type of malware is somewhat different: it did some interesting things with rapidly modifying and changing the hosts file on the victim machine, and it connects and disconnects rapidly so as to throw off security researchers (do a netstat and alas…there is no active connection). Tyler and Greg mentioned that they are seeing more and more “smart” malware which is adapting to the techniques malware researchers use to find out how this stuff works.
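The hosts-file tampering described above is something a defender can catch by keeping a baseline copy of the file and diffing the live file against it on a schedule, which matters when the changes happen as rapidly as the talk reported. This is an added example, not code from the talk or the original post; the two hosts files are constructed samples, and the hostnames and addresses in them are placeholders:

```python
# Added example (not from the original post): baseline-and-diff check for the
# hosts file. Sample contents are constructed; addresses/names are placeholders.
import ipaddress

# Constructed baseline: what the hosts file normally contains.
CLEAN_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
"""

# Constructed tampered file: bank names pinned to an outside address (pharming)
# and a security vendor's update host pointed at loopback (blackholing).
TAMPERED_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
198.51.100.7  www.examplebank.test online.examplebank.test
127.0.0.1     update.av-vendor.test   # no more signature updates
"""

def parse_hosts(text):
    """Hostname -> set of addresses; comments and malformed lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), set()).add(parts[0])
    return mapping

def diff_hosts(baseline, current):
    """Sorted (kind, hostname, address) tuples for every mapping added or
    removed relative to the baseline; an empty list means no change."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    changes = []
    for name in set(old) | set(new):
        for addr in new.get(name, set()) - old.get(name, set()):
            changes.append(("added", name, addr))
        for addr in old.get(name, set()) - new.get(name, set()):
            changes.append(("removed", name, addr))
    return sorted(changes)

def classify(changes):
    """Label each added mapping: loopback blackholes the name (update and
    security sites); any other address hijacks it to an attacker's host."""
    return [(name, addr, "blackhole" if ipaddress.ip_address(addr).is_loopback else "hijack")
            for kind, name, addr in changes if kind == "added"]
```

Run from a scheduled task against the real file (with the baseline stored somewhere the malware cannot rewrite) and alert on any non-empty diff.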

Another point is that these types of targeted attacks are becoming more common. It’s getting easier for anyone to find detailed information about anyone (not just CEOs) by using free tools like Maltego or by getting creative with your Google searches. This particular phish was very personalized, and I would expect this trend to continue.

IT Security Events Calendar

Filed under General Security

Want to easily know when every security-related conference takes place worldwide this year? I just found a great Google Calendar that lists all of these events in one easy-to-view calendar. I am a big fan of Google Calendar, and adding this to an existing Google Calendar is really easy. You can even get these events in an RSS feed if you like.

Check out the IT Security Events Calendar here.

How do you document?

Filed under General Security

Interesting post over on Slashdot yesterday on what the best practices are for documenting processes and procedures. While this is a general problem in IT, I thought it would be worth noting that documentation is a major part of what pen testers and security professionals do.

From the pen testing side, I require the testing team to document everything in at least some kind of document format, like a text file, including time stamps to track when and what they did. Others find saving all the command shell activity to a file works just as well. It can be a pain when consolidating this data, but having this documentation is better than tracking down who did what and when. As for process and procedure documentation, I have just put everything in a centrally stored office document that the team can access. We can then track the revisions to this document by keeping it in this one location. Not a very sexy solution, but it works for the team. One idea the team and I started to think about was putting together a wiki (MediaWiki-based) accessible to the team so each member could make updates and upload screen shots “on-the-fly”. I have used SharePoint, LiveLink, and wikis for documentation in the past. The wiki format seems to be the easiest to use and update.

One other thing to consider is how do you “securely” store all of this data (wiki or not)? Our team stores this information on an encrypted file store (it was a strange third-party solution, nothing standard like TrueCrypt), but it can be difficult to access at times and tough to maintain the access control when team members come and go.

So how do others handle documentation as a pen test and/or security professional? Are you using a Wiki or other CMS type solution? What are some best practices regarding handling security documentation? Please add your comments and ideas…
