Monthly Archives: December 2008

MD5 collision creates rogue Certificate Authority

by Scott Merrill on December 30, 2008

At the 25th Chaos Communication Congress (CCC) today, researchers will reveal how they utilized a collision attack against the MD5 algorithm to create a rogue certificate authority. This is pretty big news, so read on.

When you make a secured connection to a website via HTTPS, a public key certificate is sent from the server to your computer. This certificate contains a digital signature which your computer uses to verify the identity of the site to which you’re connecting. Certificates are “signed” by a Certificate Authority (CA), which acts as a kind of middle-man: you trust the CA, so you can trust the certificates signed by the CA. Anyone can create a certificate authority, though, so most browsers have a list of known reputable and trustworthy CAs. When your computer gets a certificate from a server, your browser checks the CA that issued it to determine whether the CA is trustworthy. If the CA is trustworthy, your browser assumes that the certificate being presented is trustworthy.

The public key cryptography utilized by Certificate Authorities is evolving, as are most things in the technology world. Some CAs used the MD5 algorithm to compute the digital signatures for certificates. MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.

Researchers attacked the MD5 algorithm using 200 PlayStation 3 systems and were able to construct a bogus Certificate Authority that looks like a known trusted CA. What this means is that these guys could generate a certificate for www.amazon.com which, when presented to your browser, would be accepted as the real thing. The digital signature on the fake certificate is listed as coming from a supposedly reputable CA, so your browser happily accepts it, reassuringly showing you the little padlock icon.
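The mechanism the article describes, as an added example that is not from the original post or from the CCC researchers: a CA signs only the digest of a certificate body, so two bodies with the same digest share one valid signature. The script models the CA signature as an HMAC over the digest (a stand-in for the RSA signature a real CA would make; the key and the cert-body filler are constructed assumptions), uses the two published MD5 collision blocks as the colliding bodies, and shows the verifier-side policy that closes the hole: refuse weak digest algorithms before checking the signature at all. It also goes one step past the text by showing that the collision survives any data appended to both bodies, since MD5 is an iterated hash.

```python
"""Why a CA signature over an MD5 digest transfers to a second document,
and the verifier policy that stops it. Added example; not the page's code.

Assumption (not from the page): the CA 'signature' is an HMAC over the
digest so the script runs offline with only the standard library. A real
CA signs the digest with an RSA/ECDSA key, but the property demonstrated
is the same: the signature depends only on the digest of the signed body.
"""
import hashlib
import hmac

# Sample input: the two 128-byte MD5 collision blocks published by
# Wang et al. (2004). They differ in six bytes yet share one MD5 digest.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Hypothetical CA secret (constructed); a real CA would hold an RSA key.
CA_KEY = b"hypothetical-ca-signing-key"

# Digests a verifier should refuse outright; the article notes SHA-1 is
# already believed weak, so it is listed alongside MD5.
WEAK_DIGESTS = {"md5", "sha1"}


def digest(alg, body):
    """Hash the certificate body with the named digest algorithm."""
    return hashlib.new(alg, body).digest()


def ca_sign(alg, body):
    """Model of a CA signature: a MAC over digest(body), tagged with alg."""
    return alg, hmac.new(CA_KEY, digest(alg, body), "sha256").digest()


def verify_signature(body, signature):
    """Cryptographic check only: does the signature match digest(body)?"""
    alg, tag = signature
    expected = hmac.new(CA_KEY, digest(alg, body), "sha256").digest()
    return hmac.compare_digest(tag, expected)


def verify_with_policy(body, signature):
    """What a browser should do: reject weak digest algorithms before
    even looking at the signature bits, then verify."""
    alg, _ = signature
    if alg in WEAK_DIGESTS:
        return False
    return verify_signature(body, signature)


def signature_transfers(alg, suffix=b""):
    """True if a signature the CA issued over body A also verifies over
    body B. The optional common suffix shows that, because MD5 is an
    iterated (Merkle-Damgard) hash, the collision survives any data
    appended to both bodies: a collision in one part of a certificate
    poisons the signature over the whole structure."""
    body_a = COLLIDING_A + suffix
    body_b = COLLIDING_B + suffix
    sig_for_a = ca_sign(alg, body_a)
    return body_a != body_b and verify_signature(body_b, sig_for_a)


if __name__ == "__main__":
    filler = b"constructed filler standing in for the rest of a certificate"
    print("MD5 digests equal:", digest("md5", COLLIDING_A) == digest("md5", COLLIDING_B))
    print("MD5 signature transfers to body B:", signature_transfers("md5", filler))
    print("SHA-256 signature transfers:", signature_transfers("sha256", filler))
    print("Policy accepts MD5-signed body:", verify_with_policy(COLLIDING_A, ca_sign("md5", COLLIDING_A)))
    print("Policy accepts SHA-256-signed body:", verify_with_policy(COLLIDING_A, ca_sign("sha256", COLLIDING_A)))
```

The researchers' actual attack needed a far harder chosen-prefix collision to make the colliding bodies look like two different well-formed certificates; the published block pair above only shows the underlying property that makes such a signature reusable, which is all the verifier policy needs to defend against.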

(Figure: rogue CA attack diagram)

Okay, so how does this affect you? If the researchers’ results can be duplicated by a malicious agent, they could generate any number of certificates that would be trusted by browsers all around the world. This alone might be sufficient, though this attack could be coupled with a sophisticated DNS attack to make it really really really hard for anyone to realize that they’d been suckered. Your browser would report that you’re at yourbank.com; your browser would report that you were using HTTPS to protect the connection; and your browser would report that the SSL certificate being used for that HTTPS connection really did belong to yourbank.com. Granted, the level of effort required to perform such an attack is currently enormous, and the potential gains are probably limited, so it’s likely not the kind of thing that would be pulled on average Internet users. But it’s still something about which to be concerned.

The attack outline states “[w]ith optimizations the attack might be done for $2000 on Amazon EC2 in 1 day.” Thankfully, the researchers are not releasing their specific implementation. That’s somewhat reassuring, but expect conniving folks somewhere to try to recreate the researchers’ results for less academic purposes.

The PDF concludes with this: “No need to panic, the Internet is not completely broken” and assures us that the “affected CAs are switching to SHA-1”. SHA-1 is believed to be weak against certain attacks, though, so it might be better for the vulnerable CAs to jump right to SHA-2 or SHA-3.

Bottom line: as always, be cognizant of your browsing habits. If something looks or feels fishy, don’t provide any account names or passwords. Use different passwords for different websites, so that if you do get suckered by a phishing attack the phishers don’t get the keys to your online kingdom.

via MD5 collision creates rogue Certificate Authority.

RBS WorldPay Breach Rings Alarm Bells About Acquirer Security

(December 23, 2008) The latest data-breach battleground has shifted to merchant-acquiring and prepaid card territory. Atlanta-based RBS WorldPay, a big acquirer owned by the Royal Bank of Scotland Group that also provides prepaid card programs, late Tuesday afternoon reported a breach of its computer system that may have compromised personal information on about 1.5 million cardholders, including the Social Security numbers of 1.1 million consumers.

The data leak affected prepaid cardholders “and other individuals,” RBS said in a news release, but the company didn’t give a breakdown other than to say the cardholders held payroll and open-loop gift cards. “Personal information associated with certain payroll cards may have been improperly accessed,” the release says. “PINs for all PIN-enabled cards have been or are being reset.” Actual fraud to date involves only 100 cards. The company did not give a loss figure.

Formerly known as RBS Lynk, RBS WorldPay said it discovered the breach Nov. 10 and notified law-enforcement agencies and banking regulators “shortly thereafter,” according to the release. But the company didn’t say why it waited until Dec. 23 to report the breach publicly. Spokespersons did not return calls from Digital Transactions News. Nor did the news release say how the breach happened or when it began. “RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation,” the release says without giving details. RBS WorldPay said it has notified affected cardholders and posted information on its Web site.

This latest breach represents yet another worrisome development in the payment card industry’s unending war with computer intruders. While most of the attention in the past two years has focused on retailers’ lapses in securing credit and debit card data, the RBS WorldPay breach serves as a reminder of how hackers can penetrate the computer systems of a major acquirer and processor. “It’s very bad news,” says Avivah Litan, a technology and security analyst with Stamford, Conn.-based Gartner Inc. She notes that unlike retailers’ computer systems, processors’ systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” she says, adding that a fraud-intelligence executive at a Gartner client company recently told her that attacks on acquirers and processors are increasing.

Another question raised by the breach is whether the Payment Card Industry data-security standard, or PCI, is adequate to protect acquirers/processors. While many merchants, especially small ones, don’t yet meet the PCI rules set down by the PCI Security Standards Council and enforced by the card networks, acquirers enforce the rules with their individual merchant clients and presumably are compliant themselves, Litan notes. She did not have information about the status of RBS WorldPay’s PCI compliance.

RBS WorldPay said it has called on outside experts as well as its own security professionals to investigate the breach. Those personnel are working with federal and state investigators. In the release, Ben Barone, RBS WorldPay president and chief executive, said his company “is working closely with leading computer security firms to further safeguard our system.” Barone also said “we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation.”

RBS WorldPay is offering individuals whose Social Security numbers were compromised free, one-year subscriptions to a credit-monitoring service. Gift cards that have already been purchased retain their value and can be used wherever merchants accept them. Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution, RBS said.

via News.

IGT Awarded The First PCI DSS 1.2 Certification | webnewswire.com

Submitted by newsdesk on Mon, 12/22/2008 – 19:42

IGT, a pioneer and global leader in travel technologies and services received the coveted PCI DSS 1.2 certification from leading PCI DSS QSAC, ControlCase. IGT is the first Travel BPO Organization to become PCI DSS 1.2 compliant. It has successfully met the newest version of the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. ControlCase conducted a meticulous audit process of IGT’s security measures used in protecting e-commerce customers and their data involving travel transactions.

ControlCase awarded IGT with the PCI DSS 1.2 compliance rating after IGT met the 259 Requirements (grouped into 12 broad categories) that make up the control objectives. Data security continues to be a concern for customers making payments over the internet. IGT supports millions of travel transactions annually and enables consumers to make travel purchases in a highly secure manner both online and remotely. The PCI DSS 1.2 certification demonstrates IGT’s continued commitment to the protection and security of our B2C and B2B customers’ account data throughout the transaction process.

Vipul Doshi, CEO, IGT, stated “Our clients rely heavily on credit cards, with more than 2/3rds of travel transactions occurring over the internet, so it’s imperative that we maintain the highest standard of information security. Receiving the PCI DSS 1.2 further demonstrates our commitment to protecting our clients and their customers.”

Internet security and personal information continues to be a top priority and concern of individuals transacting over the world wide web. Credit card companies impose hefty fines on companies not meeting PCI compliance requirements. Some reports indicate nearly one trillion dollars per year is spent on travel, and more than 2/3rds of those sales occur with credit cards. That coupled with the travel industry racking up more sales on the internet than any other industry and you have a recipe for serious credit card fraud, the very reason PCI DSS was implemented.

Mohit Magon, Vice President – Business Excellence stated “Achievement of PCI DSS 1.2 compliance reinforces our continuous commitment to the highest level of security standards. As an organization our people are committed to achieve excellence in whatever we do. Our proactive approach to comply with PCI DSS 1.2 standard is a testimony to our responsiveness towards the ever changing business environment and customer needs.”

IGT is the first Travel BPO company to achieve the recently updated version of the PCI DSS. Suresh Dadlani, COO, ControlCase stated “We are pleased to have worked closely with IGT on PCI DSS 1.2 certification. The compliances to the requirements of the standard are quite technically intensive and do not provide any scope for compromises. The achievement of PCI DSS 1.2 Certification in a short period of time was only possible due to the commitment at all levels and the technical competencies demonstrated by the team.”

IGT remains committed to meeting the highest security standards applicable in the information technology industry. With more than 1/3rd of the world’s travel transactions relying on IGT, it’s good to know your data is protected with IGT.

About IGT

InterGlobe Technologies (IGT) provides services and solutions to corporations worldwide in the areas of Business Process Outsourcing (BPO) and Information Technology (IT). IGT’s gamut of offerings spreads across the entire technology spectrum. With some 2000 global employees operating in facilities located in India, North America and Europe, InterGlobe was ranked by The Great Place To Work Institute as the best travel company of India. In 2008, Deloitte and Touche recognized IGT as one of the fastest growing companies in India and The Black Book of Outsourcing ranked IGT as one of the top 5 Travel BPO companies in the world. www.igt.in

About PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a world-wide benchmark mandated by credit card companies for the protection of cardholders’ identity and transaction information. It prevents credit card fraud, hacking and various other security vulnerabilities and threats. The standard was developed by major card brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International.

via IGT Awarded The First PCI DSS 1.2 Certification | webnewswire.com.

Implementing PCI-DSS: The top five issues to consider – Print Article – SC Magazine US

John Linkous, IT governance, risk and compliance evangelist, eIQnetworks, December 22, 2008

Talk to anyone who works for an organization that accepts, processes or even looks at a credit card, and the three letters “PCI” strike a chord of fear that is rarely seen in the IT world. While it’s true that the PCI standards – and specifically the Data Security Standard (DSS) – are rigorous mandates that require experienced security professionals to implement and maintain, achieving PCI compliance is not really rocket science. The following is a list of specific issues to consider related to PCI-DSS. This should help ensure that organizations can not only meet the letter of PCI, but actually make their systems more secure:

Implement a security program. Achieving and maintaining compliance with PCI-DSS are two different things. While most of the controls defined in the PCI-DSS standard are technical configurations for hosts and infrastructure devices, organizations are required to maintain these configurations once they are in place. To make that happen, organizations need at least rudimentary security processes in place to ensure that access controls are maintained, anti-malware and other countermeasures are kept up-to-date, and vulnerability assessments are conducted on a regular basis. Without a series of information security processes in place to manage security controls, it’s very easy to fall out of compliance.

Know your assets. The chain of custody around credit card data is one of the most common examples of the lowest common denominator approach to security – the weakest link dictates the likely vector of a malicious attacker. Because a typical credit card payment process can involve many different systems, it is critical to know the information systems that are part of that process, their role, and to what degree (if any) they are exposed to any part of credit card data. If an organization doesn’t have adequate security controls in place on all of these systems, they are at a higher risk of compromise.

Build and maintain a documentation library. Hand-in-hand with knowing what you have is knowing how you manage it. Documentation of all kinds – product and vendor-provided documentation, device configuration worksheets, security processes and procedures, and lists of personnel who have access to PCI data – will all be required as part of the audit process. Having up-to-date information available both for your security program personnel and your external auditors is critical to ensuring that you both maintain security and maintain compliance (which are two separate disciplines).

Awareness and training are crucial. Unfortunately, all of the technical controls in the world cannot stop an employee from inappropriately disclosing or handling cardholder data. While it’s important for organizations to implement technical controls per the PCI-DSS standard, it’s also vital that everyone who has access to cardholder data understand their roles and responsibilities related to the security of data. This includes everyone from point-of-sale personnel who physically touch the card, to DBAs and application developers who manage PCI processing systems, to third-party vendors who have access to limited cardholder information. This requires periodic training, and holding employees, contractors and vendors responsible for their exposure to the chain of custody of PCI data.

Your auditor is your friend. PCI-DSS auditors – both qualified security assessors (QSAs) and approved scanning vendors (ASVs) – exist primarily to ensure that your systems are reasonably secure. While the idea of an external auditor coming on-site to your organization to probe your IT assets and question your personnel may seem like a stress-inducing event, the fact is that even if findings are discovered in your environment, addressing these findings will make you more secure. It is important to challenge your QSA or ASV if they discover findings that you believe are incorrect, but similarly, it is equally important to listen to your auditor and address legitimate security gaps.

via Implementing PCI-DSS: The top five issues to consider – Print Article – SC Magazine US.

Feds finally put teeth into HIPAA enforcement

Three years after the federal law’s rules on securing health care data took effect, HHS has issued its first corrective action plan. And more may be on the way.

Jaikumar Vijayan

A data security audit that the U.S. Department of Health and Human Services conducted at Piedmont Hospital in Atlanta last year was widely viewed within the health care industry as a harbinger of further actions by the federal government to enforce HIPAA’s security and privacy rules.

Eighteen months after HHS quietly began the Piedmont audit, there hasn’t been much evidence of stepped-up enforcement. But now a stringent “resolution agreement” signed in July by the agency and Seattle-based Providence Health & Services is generating the same kind of buzz among health care providers that the Piedmont audit did.

On July 15, Providence agreed to adopt a so-called corrective action plan (CAP) and pay $100,000 to settle what HHS described as “potential violations” of the Health Insurance Portability and Accountability Act’s requirements for safeguarding electronic patient data.

The resolution agreement — the first of its kind under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients. On several occasions in 2005 and 2006, equipment was reported missing after workers took it out of the office with them.

Under the CAP, Providence has to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media. It also is required to implement technical safeguards, such as encryption and password protection. And the not-for-profit health system, which has operations in five western states, must conduct random compliance audits and submit compliance reports to HHS for the next three years.

In addition, the agreement calls for Providence’s chief information security officer to personally validate that all required policies have been put in place and that all employees have been trained on adhering to them. The CISO also has to attest that all backup media and portable devices containing health information protected by HIPAA are properly secured.

Significantly, the CAP precludes Providence Health from contesting the validity of or appealing any of its obligations under the agreement. The settlement is getting considerable attention within the health care industry because of the tough terms and conditions that the deal imposed on the provider.

“The CAP gives us some indication that the bar is being raised when it comes to HIPAA compliance,” said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS) in Chicago. “This is a fairly serious corrective action plan.”

Corrective Measures

The security action items that Providence Health & Services agreed to include the following:

  • Revise policies and procedures for safeguarding patient data while it is stored at or being transported to off-site facilities.
  • Train all workers on security policies and submit proof to HHS that the training has been completed.
  • Update policies as needed, but at least on an annual basis.
  • Ensure that a security risk assessment and management plan and a data breach notification policy are in place.
  • Conduct reviews that include unannounced audits, spot checks and site visits at company facilities.

Source: U.S. Department of Health and Human Services

Gallagher added that the deal with Providence sends a clear message to other health care providers that HHS is finally cracking down on HIPAA violators, after having been accused of lax enforcement in the past.

The harder line is in keeping with an announcement in January that the Centers for Medicare & Medicaid Services (CMS), the HHS unit responsible for administering the HIPAA security rules, had hired PricewaterhouseCoopers to conduct audits on its behalf. At the time, the CMS said it planned to do 10 to 20 audits this year at organizations that had been the target of complaints about their data security practices.

According to Gallagher, the CMS is expected to release findings from those audits early next year. It also plans to highlight violation trends and provide guidance on the biggest problems that health care providers are having in implementing the controls required by HIPAA. “As far as I know, they are under way with these audits,” she said.

Gallagher also expects the CMS to start working more closely on enforcement with the HHS Office of Civil Rights, which administers the data privacy rules set by HIPAA.

As of press time, the CMS had yet to respond to questions that were sent via e-mail, as an agency spokesman had requested. Providence officials also asked that questions be sent via e-mail but also hadn’t responded.

Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas, agreed with Gallagher that the Providence settlement was a dramatic example of the potential consequences of HIPAA violations.

“If you look at what they’re being forced to do, it’s scary,” he said. “They have lost their ability to contest anything; there’s no way of getting out of this agreement. And this is the best deal they could get.”

MacKoul added that while Providence was audited for data security violations, many of the corrective actions it is being required to implement fall into the privacy realm, showing that HHS is making little distinction between privacy and security for compliance purposes.

And based on the terms of the CAP, organizations that have to comply with HIPAA shouldn’t be lulled into complacency by the previous lack of enforcement, MacKoul warned. “If I were a covered entity, I wouldn’t want to roll the dice and get caught up in something like this,” he noted.

The resolution agreement does appear to be a belated attempt by HHS to get the health care industry to take HIPAA more seriously, said Chris Apgar, president of consulting firm Apgar & Associates LLC in Portland, Ore. “I think it’s about time they used somebody as an example,” he said.

Even so, it’s unrealistic to expect a large increase in the number of HIPAA enforcement actions in the near term, according to Apgar and other analysts. Such actions are triggered only when complaints are lodged against organizations. HHS has no HIPAA cops who are actively looking for violations, and health care providers aren’t required to report internal violations themselves.

Also, neither the CMS nor the HHS Office of Civil Rights has anywhere near the resources or the funding needed to investigate all of the complaints that are filed. As a result, examples such as the settlement deal with Providence will likely continue to be more the exception than the rule, Apgar said.

In fact, one of the primary reasons why Providence was investigated in the first place no doubt was the publicity generated by the incidents involving lost IT equipment, said Randy Yates, director of security at Memorial Hermann Healthcare System in Houston.

“Once something that large hits the media, the government is bound to do something,” Yates said. “[The CAP] puts out a message that says, ‘We see this thing, and we don’t like it.'”

Often, enforcement actions are important because they get the attention not just of those in charge of implementing privacy and security policies, but also of those who control the purse strings within organizations. Last year, for instance, the audit at Piedmont Hospital contributed to the approval of a $1.3 million budget item for data encryption at Memorial Hermann.

But if the investigations are as sporadic as they have been in the past, the buzz generated will fade away quickly, said Christopher Paidhrin, IT security officer at ACS Healthcare Solutions, a Dearborn, Mich.-based unit of Affiliated Computer Services Inc.

Paidhrin noted that the Piedmont audit last year initially raised a considerable amount of concern among health care providers. But most of that concern eventually melted away when the expected increase in enforcement actions failed to materialize. The same thing will likely happen in the aftermath of the Providence Health settlement, he said — unless HHS takes additional actions elsewhere and publicizes them to the same extent.

via Feds finally put teeth into HIPAA enforcement.

New privacy guidelines for e-health records announced | Politics and Law – CNET News

The Department of Health and Human Services this week released new privacy guidelines (PDF) for electronic health records, the use of which President-elect Barack Obama has promised to support as part of his plan to jump-start the economy.

The use of electronic medical records could reduce costs and medical errors while potentially improving the quality of care patients receive, advocates say, but the level of new privacy standards needed for e-health records has been a matter of debate.

“Consumers need an easy-to-read, standard notice about how their personal health information is protected, confidence that those who misuse information will be held accountable, and the ability to choose the degree to which they want to participate in information sharing,” HHS Secretary Mike Leavitt said Monday.

The eight principles established in the guidelines are intended to facilitate the adoption of e-health records by providing a consistent approach to questions of privacy and defining the responsibilities of those who have access to e-health records and share them through a network. The principles address issues of patient access; correction of records; openness and transparency; patient choice; limitations to the collection, use, and disclosure of personal health information; data integrity; safeguards; and accountability.

The HHS Office for Civil Rights also published new guidance documents explaining how the Health Insurance Portability and Accountability (HIPAA) Act can facilitate the exchange of information through e-records.

Privacy advocates at a meeting with Obama’s transition team on Tuesday brought up the need for more stringent privacy standards for medical information. However, some members of the software industry, which strongly supports the adoption of e-health records, have said the HIPAA Act may provide sufficient privacy safeguards.

The new HHS guidelines state that “although the HIPAA Privacy and Security Rules apply to health information in electronic form, the current landscape of electronic health information exchange poses new issues and involves additional organizations that were not contemplated at the time the rules were drafted.”

via New privacy guidelines for e-health records announced | Politics and Law – CNET News.

Auditor: IRS doesn’t check cyberaudit logs

The U.S. Internal Revenue Service’s IT staff hasn’t routinely checked its cybersecurity audit logs, according to a report released this week by the agency’s inspector general’s office.

The IRS has effectively deployed intrusion detection systems at its Internet gateways, and it has used access controls for firewalls and routers, said the report, completed in July but released Monday. But the agency’s IT staff weren’t always saving or reviewing system audit logs, and clock settings on some firewalls and routers did not comply with IRS rules, the report said.

“These weaknesses increase the likelihood that intruders from the Internet could gain access to sensitive taxpayer data residing on the IRS network without being detected,” the report said.

One IRS employee, the database administrator for routers, had access to router audit logs, even though IRS rules require that a worker outside the immediate IT staff responsible for routers have access for independent review, the report said. In addition, IRS IT staff did not save audit logs on two separate servers, as recommended in IRS guidelines.

The report, with large chunks redacted, recommends the IRS allow independent review of audit logs and establish procedures to save audit logs. It also recommended that the IRS regularly test its Internet gateways for compliance with standard security configurations. The IRS agreed with the recommendations, saying it planned to do bi-weekly compliance testing.

The report also said the IRS had unnecessary services enabled on routers, although the public version of the report does not tell what those services were.

“We have corrected many of the findings outlined in your report and are aggressively implementing additional changes to further protect our Internet gateways,” Arthur Gonzalez, the IRS CIO, wrote in response to the report. “Your suggested recommendations are in adherence with standards that will further improve our security posture.”

The IRS’ parent agency, the Department of Treasury, received a failing grade for its 2007 cybersecurity efforts, according to a report card released in May. The annual report, released by the U.S. Congress, grades federal agencies’ compliance with the Federal Information Security Management Act, or FISMA.

The IRS review was performed at the IRS Computer Security Incident Response Center and covered the period from February 2007 to March of this year.

The IDG News Service is a Network World affiliate.

via http://www.networkworld.com/news/2008/121608-auditor-irs-doesnt-check-cyberaudit.html.

American Express web bug exposes card holders • The Register

A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.

Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users’ authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said Russ McRee of the Holistic Security blog. A URL demonstrating this weakness is here.

McRee aired the American Express dirty laundry here after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.

“I believe they have an obligation to respond, even if it’s brief and callous,” McRee told El Reg. “You don’t have to be polite. Just fix it.”

American Express proudly proclaims itself as a founding member of the PCI Security Standards Council, the group that forges the rules governing the Payment Card Industry. McRee says PCI’s Data Security Standards expressly hold that XSS errors are a violation of those rules, so Amex’s inaction carries a fair amount of irony.

XSS vulnerabilities are by far the most common class of security flaw affecting websites. They allow attackers to inject their own malicious code and graphics into trusted websites. In the process, they can siphon cookies, passwords, and other input supplied by users or create convincing spoof sites that show the target website’s URL in the user’s address bar. XSS vulnerabilities are generally quick and easy to fix.

On Monday, the XSSed blog reported three XSS bugs in Facebook, and within hours, they appeared to have been squashed. After sitting on a separate XSS flaw for four months, the social networking site exorcised it last week after The Register reported it here.

The NoScript add-on for the Firefox browser does an admirable job fending off XSS bugs. The upcoming version of Internet Explorer 8, which is now in beta, also sports some impressive anti-XSS features.

The Amex XSS vulnerability is the result of a lack of input validation in a GET request using the q parameter. In addition to exposing users’ cookies, it allows attackers an easy way to create counterfeit pages for phishing and to inject malicious code using an iframe. Proofs of concept for those exploits are here and here.

We emailed Amex representatives and asked them if the company has a procedure for people to report XSS errors and other flaws that compromise their PCI compliance. A spokesman called back to say the company is looking into McRee’s report. We’ll be sure to update this story when we get the results. ®

Update

Less than an hour after this story was posted, Amex closed the hole. Fortunately, McRee has documented it in this video. No word yet from the company on procedures for reporting vulnerabilities.

via American Express web bug exposes card holders • The Register.
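The flaw class the article describes, as an added example that is not from the article or from American Express: a constructed search handler that reflects the q parameter of a GET request into HTML, first verbatim (the reported bug pattern) and then HTML-escaped, plus the HttpOnly and Secure cookie flags that keep injected script from reading a session cookie. The URL, template, and function names are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a search URL whose q parameter carries markup.
# Illustrative only; this is not the URL from the article.
SAMPLE_URL = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Hypothetical page template that echoes the search term back to the user.
TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"


def get_q(url: str) -> str:
    """Return the first q value from the query string (empty if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects q verbatim into the page: the browser parses it as markup,
    so a crafted link runs script in the site's origin and can read cookies."""
    return TEMPLATE.format(q=get_q(url))


def render_hardened(url: str) -> str:
    """Escapes q before reflection: <, >, &, and quotes become entities,
    so the term is displayed as text and never parsed as markup."""
    return TEMPLATE.format(q=html.escape(get_q(url), quote=True))


def session_cookie_header(token: str) -> dict:
    """Defence in depth for the cookie-theft outcome the article describes:
    HttpOnly hides the cookie from document.cookie, Secure keeps it off plain HTTP."""
    return {"Set-Cookie": f"session={token}; Path=/; Secure; HttpOnly"}


def contains_raw_markup(page: str) -> bool:
    """Simple check a reviewer can run over rendered output: is a raw tag present?"""
    return "<script>" in page


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL))
    print(session_cookie_header("constructed-token"))
```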

Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

These regulations shall take effect on January 1, 2009.

read more at 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.

International Challenges in PCI Security | ITworld

December 9, 2008, 01:01 PM — CSO —

In a country that’s seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective.

In the process, companies tend to forget that PCI compliance has been a recipe for international indigestion.

“Remember that credit cards are used abroad, and many American companies have personnel handling credit card transactions in offices all over the world,” says Bruce Larson, security director at American Water, a major water utility that employs more than 10,000 people. “If you have a multinational organization, your data is not just sitting in the U.S.”

There may be some irony in hearing that from someone whose concerns are mostly based on security threats inside the U.S. Larson has to worry about everything from cyberattacks targeting computerized water filtration systems to terrorists who might try to bomb pipelines or poison the water supply. He also loses sleep whenever there’s the chance of a natural disaster.

The inconvenience of online, global commerce

But more people are using credit cards to pay the water bill online, and he knows the credit card data is floating around in databases outside the U.S. Losing any of that data could be a body blow in terms of public confidence. Then there’s the fact that American Water does business with vendors across the globe.

“I have a very geographically distributed network — more than 1,500 locations where humans work, 150-200 of those are critical operations facilities,” Larson told attendees during a PCI security seminar CSOonline held in New York in September.

For Harshul Joshi, director of IT-risk and advisory services at CBIZ and Mayer Hoffman McCann P.C. (MHM), a professional business services company, doing business internationally can make for a lot of confusion regarding the PCI security ground rules.

“When we deal with non-U.S. companies, there is often confusion over what PCI security requires,” Joshi says. “We work with one of the largest magazine publishers with operations around the globe and if you dial an 800 number, chances are you’ll be talking to someone in a call center in Vietnam. You give your credit card number and it is recorded somewhere outside the U.S.”

On the outside looking in

If a company is based outside the U.S. — in Sweden or Ukraine, for example — the problem is usually a lack of communication and money regarding PCI security needs.

Dmitriy Tsygankov, director of the corporate customer care center at a bank based in Europe, says Visa USA tends to offer American companies more incentives and assistance for their compliance efforts. As an example, he mentions the US$20 million in financial incentives Visa USA offered nearly two years ago to encourage quicker adoption of the standard.

“Why does Visa USA offer merchants a $20 million bonus to become compliant and not other regions?” he asked. He suspects it’s because e-commerce is more popular and profitable in the U.S. In the bigger picture, he says, it can be harder for foreign companies to come up with the cash needed to achieve compliance.

No financial incentives were mentioned in a recent statement from Visa Inc. announcing new global PCI compliance deadlines. Under the deadlines, announced last week, global merchants and service providers must show by Sept. 30, 2009 that they are not storing full magnetic stripe data (track data), security codes or PIN data after a transaction is approved. Sept. 30, 2010, is the deadline for all service providers and Level 1 merchants to file compliance reports.

David Taylor, founder of the PCI Knowledge Base, agrees companies outside the U.S. don’t enjoy the same degree of financial support. “There really are no global incentives, just a marketing pitch in the Visa Global PCI Deadlines announcement last week to service providers,” he says.

Visa spokesperson Rosetta Jones confirmed Monday that the company does not currently offer any financial incentives for merchants outside the U.S.

“While Visa USA did offer some monetary incentives for U.S. merchants for a short period of time, the major motivator for merchants to achieve compliance has been their desire to properly protect cardholder data and to prevent being the target of a data compromise,” she says.

Keep the global perspective

Regardless, security experts agree companies must look at PCI security as a global mandate and ensure that the same controls used in the U.S. are being used elsewhere. There’s a danger of that not happening when companies find themselves deep in the weeds trying to get their arms around the sheer scope of the standard, says Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles.

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

“File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency,” he says, noting that’s good for business as a whole — wherever in the world the company operates from.

via International Challenges in PCI Security | ITworld.