Today's top story: HOW MUCH DO YOU TRUST YOUR BANK MACHINE?
Was anyone as surprised as I was at the result of the U.S. Mid-Term Elections? I don't mean the fact that the Democrats won, but the definite lack of media coverage of the infamous voting machines that have been accused of influencing the fragile balance of American democracy. With hours to spare before the election, an HBO documentary called Hacking Democracy became front page news when its protagonist, a grandmother named Bev Harris, demonstrated how these machines could be intentionally programmed to 'elect' a particular candidate and essentially alter the course of history. Worth seeing, but we are not here to discuss voting machines, only the questionable ethics of their manufacturer, a little big company called Diebold.
I'd now like to point out that the very same company whose CEO promised Bush Jr. - in writing - that he would deliver him the election, is now handling the financial details and banking transactions of millions of Canadians. How did this happen? Here's a brief and incomplete order of operations:
Back in December 2003, Diebold confessed (after a report by SecurityFocus.com) that back in August of that year, automatic teller machines (ATMs) at a number of U.S. banks were infected by the Nachi computer virus. How? Simply because these machines, despite an unfavorable reception by the security industry, run the notorious operating system we know as Microsoft Windows. The Nachi worm, also called Welchia, was written to clean up after the MSBlast, or Blaster, worm (which had a serious impact on the financial industry). Instead it crippled or congested networks around the world, including the check-in system at Air Canada. Both worms spread through a hole in Windows XP, 2000, NT and Server 2003.
Running a general-purpose operating system like Windows on specialized and sensitive machines like ATMs seemed like a stupid idea, especially in stark contrast with the specialized, verifiably less vulnerable ATM operating systems it replaced, which are apparently now obsolete (despite the newfangled machines offering no advantage in convenience or functionality).
Needless to say, computer security experts predicted more problems as Windows migrated to critical systems that unsuspecting consumers rely on. The ATM infections are believed to be the first of a series of viruses with the capability to infect cash machines. "Specific-purpose machines, like microwave ovens and until now ATM machines, never got viruses," said Bruce Schneier, author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." "Now that they are using a general purpose operating system, Diebold should expect a lot more of this in the future," he said.
In response to the problem, and supposedly to meet their customers' IT requirements, Diebold began shipping a software firewall with all their machines in early 2004. "We have many customers that are placing ATMs on their network, and as a result of that we have to meet certain criteria ... we haven't had to meet before," said Chuck Somers, vice president of global software development at Diebold.
Just imagine the effort, and the efficacy of that incredible strategy! Any observer would immediately assume that all banks would have been insulted by the suggestion (in particular since the firewall in question is now obsolete) but...
In 2004 Hewlett Packard announced that it had won a seven-year outsourcing contract, worth $420m, to upgrade and manage TD Bank's national network of ATMs and payment systems. And guess which illustrious company's products now provide 'convenient' banking through over 2400 ATMs across the country?
"Through this innovative strategy,...TD's rigorous selection process ensures that the proposed technology solution will benefit all parties," said Chuck Hounsell, senior vice president, TD Bank Financial Group.
No kidding!
John Pescatore, an analyst at Gartner Research, was not quite as optimistic: "It's a horrendous security mistake," he said of specific-purpose machines like ATMs running Windows, which is written for general-purpose computers and for which Microsoft releases security fixes on a regular basis. "I'm a lot more worried about my money than I was before this."
Great, if it's not online banking (see below), it's crooked ATMs. If it's not skimming, it's insider bank card PIN fraud (go ahead, my links are worth clicking). Can we ever trust banks again?
But really, if something did go wrong, don't we have laws that require companies to inform us of this, essentially preventing what happened in the States with the voting machines? How could ATM companies ever hope to get away with this? John Vrabec, executive director of the Financial & Security Products Association, may have an idea: "Diebold has changed its policies regarding diagnostics and spare parts in such a way that it is abusing its dominant position with its installed base of customers and is prohibiting these customers from using any maintenance company other than Diebold for installation and service. Previously, Diebold's policies permitted third-party maintenance companies to service Diebold-brand ATMs, and offered easier access to the manufacturer's diagnostics. Diebold is also requiring that a Diebold technician perform the installation."
Think you've heard enough? According to Rob Evans, director of industry marketing at NCR, a Diebold ATM competitor who has apparently also given in to the dark side, "You get a consistent look and feel, expanded transactions across all channels, and new solutions. Those are well worth the inconvenience you might get from a PC virus."
Um.. No it isn't, you moron! Not even when it affects only one customer's finances and privacy, let alone those of millions of trusting and unsuspecting clients!
Though ATMs typically sit on private networks or VPNs, the most serious worms and even trojans have demonstrated that even segregated systems have undocumented connections, and these ATMs are far from providing security professionals with the requisite degree of confidence in their ability to protect customers. There's always another security vulnerability, and the fact that only DIEBOLD is allowed to service these machines puts the banks in a situation where business continuity is critical. Sometimes business continuity is a company-wide problem and other times it's limited to one machine.
In the pictures at right, a Carnegie Mellon University campus ATM crashed and curious students couldn't resist making use of typical Windows programs, such as the Windows Media Player.
Students had mixed feelings about the incident. "I feel fine about [my money]," said one. "Most of the computer was closed off; there wasn't much we could do." However, replying to an online post about the incident, another wrote, "yes, I will be switching banks."
Have you seen Windows-based ATMs at other banks across Canada? You can easily recognize them by the number of promotional ads, images and numerous options they display on screen. Write back and let me know.
Important Security News
Is Online Banking Any Better?
As many of us have noticed, some Canadian banks have taken steps to protect customers who connect to their online services, but the U.S. FFIEC (Federal Financial Institutions Examination Council) has actually taken the extra step of requiring that U.S. banks provide stronger authentication methods to customers by the end of this year.
Needless to say, the sting of phishing and ID theft is so severe at this point that it's actually affecting legislation. Not only that, new technologies are being developed to allow users to preserve much of the convenience of online banking without the perceived hassle of carrying physical tokens in their pockets, remembering 2-metre-long passwords or other forms of abuse.
The options list is impressive and it is included in a current CSO Magazine article,
but is it enough? I like the fact that new technology is being
developed and that by the same 'token' users are forced to adopt a
security awareness mindset, but I do hope that the downsides are being
considered also. The way I see it, these diverse efforts will create
different security solutions with varying degrees of effectiveness,
eventually leading to 'security fatigue' and less awareness on the part
of customers. Secondly, with all this added complexity, the nature of
malicious software will increase to the point where it will not only be
undetectable, but it will almost entirely target the legitimate
customer, who will in effect remain the biggest victim in the big
scheme of things. So ultimately, I don't think that throwing more
technology at security problems is a solution, but education and
awareness is likely to be the most effective way to address the issue.
Don't Rely On Anti-Phishing Tools
Two independent studies, from Carnegie-Mellon University and 3Sharp, have stated that McAfee's SiteAdvisor product, which claimed to have anti-phishing features, had in fact no such ability. The embarrassing finding certainly upset McAfee, but it brings to light the fact that most anti-phishing tools you will come across are either ineffective or impractical (here is a summary and link to the study). That's the conclusion we came to here at Informatica Security Research when we tested various browser toolbars and browser add-ons for 3 different platforms. Certainly, you, the user, remain your best protection against phishing and identity theft, and to test your skills in this domain, go to this site.
Security Awareness Turns Out To Be A Good Thing
As you probably already know, I'm a big proponent of education and awareness at the individual level. To support the idea that individuals really need to protect themselves and avoid propagating Internet crimes, the Australian government has created two sites with nothing but this goal in mind: www.staysmartonline.gov.au outlines some useful and intelligent best practices and www.secureyourcomputer.info helps users find the security software that's right for them. As biased as it may seem, for corporate use we still see nothing better than our own SecurityAwarenessCertification.com. Think IT has got it covered? Think again.
Did You Hear The One About Windows Vista?
According to Mark Rasch of SecurityFocus.com (who is also a lawyer and former head of the U.S. Justice Department's Computer Crimes Unit), the terms of the Vista EULA (End-User License Agreement), like the current EULA related to "Windows Genuine Advantage," allow Microsoft to unilaterally decide that you have breached the terms of the agreement, and they can essentially disable the software, and possibly deny you access to critical files on your computer, without benefit of proof, hearing, testimony or judicial intervention. Read the full article at SecurityFocus.com.
What Happens To Stolen Data Exactly?
There goes another quarter million people's personal information into
the Internet ether, but we're not supposed to worry? What does it
mean, in the age of the Internet, to say that an intruder or attacker
could "access" or "view" information, but that it was not "taken" from
the database? Read John Espenschied's full discussion in ComputerWorld.
How Much Should Your Company Invest In Security?
Here's how to apply the risk intelligence methodology. Suppose your company has been spooked by recent security breaches that have compromised customer data. You're trying to figure out just how much - and where - to invest in security safeguards. The company's network has never been breached, although a competitor's customer database was compromised and the story was all over the news. Closer to home, a laptop was stolen from a salesperson's car a few weeks earlier. Read the full article on CIO.com, then visit www.SecurityAudits.ca and take your pick.
Quick Password Tip
You may recall a few months back, I mentioned that Microsoft's new recommendation to combat password fatigue and forgetfulness is to simply write it down and keep it in your wallet. That suggestion continues to be met with skepticism from both regular and security folk, so here's a three-step tip for picking a winning password, every time:
1. Choose a hard phrase that you know you can remember.
2. Change part of it by inserting a mnemonic, a number or a character somewhere within the phrase, and let that portion be your unique 'key' for every different system.
3. Write down, scrambled or not, that key, if you're afraid of forgetting it.
If you did this correctly, you won't have a problem either remembering your password or risking a security breach should you ever lose that piece of paper.
About your humble scribe:
Claudiu Popa is a certified security professional (CISSP, PMP, CISA) and president of Informatica Corporation, a Toronto-based consulting company with a strong focus on education. Over the past decade, Claudiu has focused on helping companies improve their information security. Today, he brings effective security to corporate boardrooms, helping organizations manage security, awareness and compliance programs. Claudiu can be contacted by simply replying to this message (and he promises not to respond in the third person). He welcomes your suggestions and comments regarding this publication.
About the Company:
At a governance level, Informatica Corporation is a Canadian security firm with unmatched expertise in regulatory compliance, information risk management and corporate education. At a lower, more technical level, a diverse, high profile clientele trusts Informatica to secure Web sites, applications and workplaces. At every layer, Informatica protects information security and data confidentiality. Visit us at http://www.informationsecuritycanada.com/