The following issue caught my attention and I thought I’d research it in a little more depth as I think it’s important to anyone who does their personal banking online.  With the adoption of online banking and its associated convenience comes the risk of identity theft and potential loss of personal funds.

Recently a major US based bank was hacked and customer information was compromised.  This breach exposed personal information of 200,000 North American customers, leaking customer names, account numbers and contact information.  No social security numbers, date of birth or bank card security codes were compromised — in this case.

The obvious financial and social  engineering angles are that hackers can sell this information as well as use it to trick bank tellers into believing that they are the customer.

Banks provide reassuring boilerplate language on their web sites and customer agreements that expound the safety and security of your money and ID…but what does this really mean?  By definition, it can only mean against threats and techniques that are known.  It cannot possibly cover operations or tactics that are unknown to the bank’s IT security team.  As most everyone knows, information security is a cat-and-mouse propositon: there is not static snapshot.  There is no absolute safe state.

The most prevalent technology used in online banking to protect your data is called 128-bit SSL (Secure Sockets Layer) encryption and the most widely used method for securing internet transactions available.  What this means is that from your browser to the bank’s computer system, a “secure pipe” has been built that is difficult for hackers to break into.  However, once a malicious hacker is in the bank’s system and engaged in the transaction — once he’s ‘inside’ — this technology doesn’t cover the security of the transaction or the files stored in the virtual “file cabinet”.

Banks are having a hard enough time these days as it is.  The smart financial institution invests heavily in doing what it can for online customers before its safety reputation takes on irreparable water.  The old axiom in security is that the upside of security violations is that it teaches the defending team about new attack vectors.  That’s fine and well, but it doesn’t take too many ‘lessons’ of this nature for a bank’s customers to lose all faith in its online operation.  And if that happens, there’s no way to be competitive in the modern banking market.

###

More links:

MIPRO Consulting main website.

MIPRO on Twitter and Facebook.

About this blog.

“Don’t worry too much about security. You will eventually have a deep security when you begin to do what you want.”

— Natalie Goldberg, Writing Down the Bones

(Via Merlin)

###

MIPRO Consulting is a nationally-recognized consulting firm specializing inPeopleSoft Enterprise (particularly Enterprise Asset Management) andBusiness Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitteror Facebook, we’d love to have you.

More quotes to read.

Given the massive popularity of virtualization/VMMs/hypervisors in enterprise datacenters, this article by Gartner’s Neil MacDonald struck a chord with  me.  Like Neil, I have always been wary of the relative security of hypervisors and their ability to remain truly secure/hardened:

A breach of the virtualization platform which results in an escape to the hypervisor represents a worst-case security scenario. I’ll reiterate what I’ve been saying for more than 4 years:

• The virtualization platform (hypervisor/VMM) is software written by human beings and will contain vulnerabilities. Microsoft, VMware, Citrix, …. all of them will and have had vulnerabilities.
• Some of these vulnerabilities will result in a breakdown in isolation that the virtualization platform was supposed to enforce. This is not good.
• Bad guys will target this layer with attacks. The benefits of a compromise of this layer are simply too great.
• While there have been a few disclosed attacks, it is just a matter of time before a widespread publicly disclosed enterprise breach is tied back to a hypervisor vulnerability.

What do you do? I’ve written about this extensively for clients. First and foremost, extend the your vulnerability and configuration management processes to this layer just as you would for any sensitive OS. In fact, I’d argue that the virtualization platform is the most sensitive x86-based OS in your data center.

Does your organization use hypervisors?  MacDonald’s article, including the links it references, are more than worth your time.  In a word: scary stuff. If hypervisors aren’t in your configuration management and vulnerability practices, it’s time you put them there.

(Via @Beaker on Twitter)

###

MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management) and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.

More nerdery posts.

Great NYT feature column by Ashlee Vance about the battles Microsoft has to fight in the name of counter-piracy.

Donal Keating, a physicist who leads Microsoft’s forensics work, has turned the lab into an anti-piracy playpen full of microscopes and other equipment used to analyze software disks. Flat-screen monitors show data about counterfeit sales, and evidence bags almost overflow with nearly flawless Windows and Office fakes. Mr. Keating serves as the CD manufacturing whiz on what amounts to Microsoft’s version of the A-Team, clad in business-casual attire.

As John Gruber notes, so much of these efforts revolve around physical media: CDs, holographic stickers, DVDs.  I wonder how much of this is attributable to Microsoft’s enterprise footprint?  In my experience, enterprises want physical media, whereas most consumers are happy with an online install.

Ask yourself: when’s the last time you really used physical media to install software?

###

MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management) and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.

More nerdery posts.

First, I’d like to thank all our readers for their steady readership.  Last month we had the biggest traffic month (in terms of unique visitors and pageviews) we’ve had since starting this blog back in 2008, and we’re flattered you keep coming back for more.  Hopefully, we can keep this pattern going.  We appreciate you coming along for the ride.

Here’s the past week summed up in tidy links, all of which were deemed interesting by yours truly and not at all objectively measured or ranked within any credible system whatsoever.

For the first time, the TSA meets resistance.

Microsoft changes strategy with Silverlight, acknowledging “…HTML is the only true cross platform solution for everything, including (Apple’s) iOS platform.”  The days of  proprietary Rich Internet Application (RIA) frameworks are quickly coming to an end.  See also: Adobe’s own Flash to HTML5 conversion tool.

The #1 most crazy idea Steve Ballmer has ever heard.

MapCrunch: teleport instantly to a Google Street View location somewhere in the world.  More fascinating than I just made it sound.  Seriously.

Blekko: live slashtag search.  (Say what? you ask.  It’s all about a new way to tag information on the web.  Read about slashtags here.)

The NYTimes’s Christoph Niemann nails another one, this time very entertainingly showing us that daily human life is subject to the universal laws of physics.

The hand pause.  In the words of Jim Coudal: “What hands do whilst waiting for devices to catch up with their intent.”  Simple and accurate observation.

Finally, Microsoft’s Ray Ozzie pens a long (3,500 word) missive on the state of the company and the industry – as he departs for greener pastures.  Maybe it’s just me, but this writing is about as opaque as it gets and serves almost no one.  Perhaps this is/was part of Microsoft’s messaging problems to the consumer markets.

Have a great weekend, everyone.

###

MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management) and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.

More Linkology posts.

CNN:

In remarks at the annual conference of the UK Airport Operators Association in London, he said that the practice of forcing people to take off their shoes and have their laptops checked separately in security lines should be ditched.

Nationalism aside, even noted security guru Bruce Schneier says we’re way off the mark with our airport policies.  They’re intrusive and ineffective.

###

MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management) and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.

More news posts.

Halloween is a funny time, especially if you have a six-year-old boy with an active imagination and a level of cynicism that belies his age.  While he’s super excited about Halloween – counting down the days until it arrives, every hour of every day – he also has his share of pragmatic concerns about the festival.  Such as:

• Indicating that since pumpkin pie is made out of pumpkins and we eat pumpkins for food, it’s a good thing we don’t bake cow pie.  I am not making this up.  I didn’t have the heart to pull the hamburger off his plate.
• Asking, while we were hanging a plastic decorative skeleton from one of our trees, if tying the rope around his neck would kill him.  Then, after a moment of reflection, “Well, he’s already dead, so I guess it’s okay.”  So my son, age six, is concerned about hanging a live person from our trees, but a dead person, well, get the juice boxes, it’s a party!
• He says that if any monsters break into our house during Halloween to try and get him, our cats will get the monsters first.  I don’t have the heart to tell him our cats are deathly afraid of just about anything, including molecules.

And that’s just for starters.  I could go on, but one day I will rely on him for medical assistance so posting embarrassing anecdotes about his penchant to rationalize the ridiculous isn’t exactly a winning strategy.

But here are some very premium links for you to read this weekend.  Please enjoy.

Jay Kang has a gambling problem.  Here’s a fascinating firsthand account of the lifestyle, including some tips on how to lose $18,000 in 36 hours.

A Redditor makes an observation about Minnesota and Alfred Hitchcock.

A story of a pilot who refused to walk through one of the new full body scanners with AIT (Advanced Imaging Technology), which essentially conducts a virtual strip search.

The Value of a Dollar project – in other words, a photoessay about how much food one can buy for a single dollar.  Thought exercise: if you didn’t have much money and your DNA was telling you to eat the most calorie-rich foods you could find to ensure your personal survival, do you see how fast food wins over good food?

Here’s a gangsta-ized (Snoop Double Dizzle) version of lorum ipsum.

Gene Simmons threatens Anonymous over DDoS attacks to his site.  Really stupid move.  Here’s some more info about Anonymous, in case you’re unfamiliar.

Finally, your password should not be ‘password’.

Have a great weekend, everyone.

###

MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management) and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.

More Linkology posts.

Did I mention we’re really excited for Workday Rising next week?

I did?  Twice?  Oh, sorry.  Let’s get on with the links, then.

Wait – sorry again.  One quick thing: tomorrow is the Michigan vs. MSU game, which is a bit of a big deal here in Michigan.  I am a Michigan grad and fan, so it goes without saying that I’m pulling for the Wolverines to show they’re for real by beating State.

The problem is we have several folks here at MIPRO who are State fans, and, well, these particular folks are emotionally unbalanced, so if State manages to lose, it’s going to be interesting around here with lots of screaming and yelling and shredding of rubber green-and-white horseheads.  So for the sake of their sanity, please join them in rooting for State so for once in their lives they can claim their alma mater topped the school that turned their admission application down.  Thanks.

(EDITOR’S NOTE: If you, our reader, are a State fan, please know that we consider you to be a balanced, smart, non-rubber horsehead wearing person who is admirable in every way.)

That said, the links:

Bruce Schneier on the Stuxnet worm.  This is utterly fascinating.  Read it.

Tweet Library – absolutely awesome application for curating your own tweets, favorites and retweets for later reference.  Worth ten bucks if you’re an iPad power-user who spends a lot of time with Twitter.

Google acquires BlindType, developers of intuitive and predictive virtual keyboard technology.  Great pickup.  Wonder what this means for future iOS versions?  And who’s going to nab Swype?

Crazy volcano footage.  You won’t get closer to a volcano, ever.

David Foster Wallace’s final novel, The Pale King, is now available for pre-order on Amazon.

A short documentary about the desks of creative people.  Worth your time.

Have a great weekend everyone!  GO BLUE!

###

MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management), Workday and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.

More Linkology posts.

While at one of our clients, we recently fielded a question about Nevada’s new data  security laws and how they may impact a company and its HR operations.  We’ve been able to find the following information think it might be useful to a broader audience.  So, here goes.

Nevada enacted a new data security law that went into effect on January 1, 2010.  Nevada is one of several states that have enacted or proposed legislation that addresses how companies transmit and store personally identifiable information (PII).  This PII can pertain to employees, customers or vendors and includes information such as social security number, driver’s license number, credit card data and bank account information combined with a last name and first name (or first initial).  These laws are being created to prevent identification theft (Nevada is ranked 2nd in a listing of ID theft victims per 100,000 population).

From a business perspective looking outward onto these laws, there are several safeguards that companies can do to comply with this new legislation:

• Use encrypted storage devices – Storage devices include any item that houses PII, including but not limited to servers, personal computer, external hard drives, flash drives, iPods, CDs, smart phones, DVDs or any other item that can store or transmit data.
• Limit access to data – Only persons with a business need for the PII  or access to the systems that house the PII should have access.
• Understand who has access and where data is stored – There should be an understanding of what systems house what data.  Also, one should fully understand the processes for secure access to the data.  What if a person’s job responsibilities change?  Are there processes in place to evaluate that the equivalent access to PII is necessary?
• Use encrypted transmissions – This pertains to personal transmission as well as automated transmissions between systems.  Care should be taken that PII is not emailed, instant messaged or otherwise transmitted over unencrypted connections.  In addition, there should be encryption built in to all PII interfaces between systems.  A company’s IT department should be familiar with the encryption standards as well as the storage of encryption keys.

It is important to note that while a given company may not have direct operations in Nevada, there are other states with similar pending legislation.  This legislation will become much more prevalent.  In fact, in another client discussion we learned there was a request for a state to have legislation regarding the storage of paper documents as well as digital data.

Identity theft is a mounting concern, and lawmakers are moving aggressively to combat it.

At a minimum, a solid data security policy that follows approved standards for data encryption (per The National Institute for Standards and Technology) is important.  It is equally important that companies develop and follow procedures for how they will manage personally identifiable information.

By way of example, MIPRO consultants do have PSP data encryption software on their hard drives.  So, if a laptop is ever lost or stolen, a password would have to be entered before someone can access any data on our laptops.  You cannot even get to the Windows login screen before entering the access password; we’re talking BIOS-level security here.

Also, as a rule, we also strongly encourage our clients to create a shared space for project documentation.  This space should be password protected and the project team in its entirety  (employees and consultants) should only be given access to the areas that are necessary.  So, for example, there is probably not a need for the project manager to have access to the folders where payroll data will be stored.

Finally, security in PeopleSoft is extremely structured to allow access to only the data that a particular employee needs to see.  This is done through the setup of roles.  As an example, if an employee gets a role of Training Administrator they will most likely have access to all things regarding training BUT they will not have access to SSN, payroll data, benefits data, etc.  This is completely customizable so that an organization can define security rules that fit their business needs as well as meet compliance requirements.

Have questions or feedback about this?  Want to know more?  Let us know in the comments.

As usual, Schneier is among the clearest heads in the fray when it comes to threat analysis:

Despite this, the proposed fixes focus on the details of the plot rather than the broad threat. We’re going to install full-body scanners, even though there are lots of ways to hide PETN — stuff it in a body cavity, spread it thin on a garment — from the machines. We’re going to profile people traveling from 14 countries, even though it’s easy for a terrorist to travel from a different country. Seating requirements for the last hour of flight were the most ridiculous example.

The problem with all these measures is that they’re only effective if we guess the plot correctly. Defending against a particular tactic or target makes sense if tactics and targets are few. But there are hundreds of tactics and millions of targets, so all these measures will do is force the terrorists to make a minor modification to their plot.

It’s magical thinking: If we defend against what the terrorists did last time, we’ll somehow defend against what they do one time. Of course this doesn’t work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they’re going to do something else. This is a stupid game; we should stop playing it.

You should read the entire article.  The first few paragraphs are all about how certain security measures did work in this particular case, and yet nobody is talking about them.