Archive for July, 2010

The Register, The Terror Beyond the Firewall

ZDNet.com, Hacker Breaks Into ATMs, Dispenses Cash Remotely

SC Magazine, Cybercrime Costs Businesses $3.8 Million Per Year

CSO, A striking Disconnect Between CSOs and Hackers

SC Magazine, Black Hat 2010: Why User Quality and Design Matter for VPNs

At this week’s Black Hat 2010 in Las Vegas, NCP engineering is releasing a new white paper that sheds light on common VPN vulnerabilities that put organizations at risk. It’s prudent to occasionally survey the threat landscape with a fresh lens: while VPNs aren’t new, the threats they combat are constantly changing and require regular monitoring and security updates to stop. The white paper, Remote Access—Attack Vectors: Threats, Findings & Remedies, chronicles recent breaches and draws lessons for every organization that allows remote access to its network. For example, the infamous breach at Heartland Payment Systems in 2008 was carried out, in part, over a VPN. It was followed by the incidents at Google earlier this year and by a major breach at Energy Future Holdings that resulted in $26,000 of business.

The white paper explores the two primary reasons that hackers find VPNs so alluring. First, VPNs transmit sensitive information over public and shared networks; extending the network outside the perimeter makes assets much more accessible. Second, a VPN typically does not have the layers of security found in perimeter defenses, yet it provides access from outside the perimeter to inside networks. This can make VPN-based attacks that bypass a perimeter more attractive than attacks that directly target the perimeter.

The vulnerabilities that caused these breaches, and others like them, can be distilled into three categories. While the white paper delves deeper into these categories, in a nutshell they are VPN quality, security, and management. For instance, VPN systems are expected to handle complex security operations, but not all products are created equal. Most will contain some flaws, but their severity varies with the importance placed on quality in the VPN’s engineering process. The level of security also fluctuates, depending on whether the VPN solution emphasizes security or simply ease of deployment and connectivity. Finally, proper management is essential to ensuring that VPNs effectively secure data and block unauthorized users from gaining access.

Although the vast majority of breaches involve management issues, design and quality are still very important considerations. When selecting a VPN solution, bear in mind that design and quality are among the best ways to differentiate VPN products and solutions.

*Editors’ Note: This week, Highlights will focus on Black Hat 2010, being held in Las Vegas next week. We encourage our readers to send us their thoughts and experiences from Black Hat 2010 at editor@vpnhaus.com.

Ars Technica, Millions of Routers Vulnerable to New Version of Old Attack: Presentation at Black Hat 2010

CSO, Black Hat, DefCon and B-Sides: A Survival Guide

InfoWorld, Black Hat and Defcon to Focus on Critical Infrastructure

Network World, Black Hat Talk to Reveal Analysis of Hacker Fingerprints

SearchSecurity, Black Hat Conference 2010 Coverage: News, Podcasts and Videos

VPN Haus recently talked to Marshall Maglothin, a Washington, DC-based consultant specializing in healthcare virtual management. Maglothin gives us his perspective on keeping patient information safe without hindering speedy access to urgent data.

VPN Haus: What are the basics for provisioning employees at healthcare organizations?

Maglothin: All systems should have all users using unique passwords. Thus, the system has an electronic audit trail to record which employees accessed which records, with statistical outlier reporting.

VPN Haus: How do you ensure that the records are not so tightly controlled that it delays specialists asked to consult on the case or ICU personnel from urgently accessing the records?

Maglothin: All stations should have a time-out feature, and workstations in areas such as the ICU and CCU are considered more secure (personnel are constantly present), so the station’s time-out may be longer. Once a station is logged on, switching users by password should be real-time.

The greater issue is all the bedside workstations/wireless devices. If it takes more than 15-30 seconds to log on (some take 90 seconds), then if a physician logs on to 30 patients a day, that’s 45 minutes of lost PHYSICIAN productivity – no patient care and no reimbursement. Doesn’t sound like much. But calculate 40 hours per week for 250 days per year, and this equals 188 hours, or more than 4.5 work weeks lost to nothing but logging in!

VPN Haus: Staggering. So, if the consultant couldn’t access the records, it would be an example of a poor sensitivity error. What other errors should healthcare organizations be mindful of?

Maglothin: There’s the error of excessive credulity. An example would be a unit clerk in a certain building having a password that would allow her access to, say, outpatient records or mental health unit records, to which she would have no reason to have access.

There’s also the error of excessive skepticism. An example would be a cardiologist who might not be cleared to access mental health records, but one of the patients has just had a cardiac code and the cardiologist is called in for a STAT consult.

Marshall Maglothin is owner of Blue Oak Consulting, based in Washington DC.
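The controls Maglothin describes (unique logins feeding an audit trail, a role-to-unit policy that catches the "excessive credulity" case, a break-glass path so a STAT consult is logged and reviewed rather than blocked, and a statistical outlier report) sketched as an added example; this is not code from the interview or from VPN Haus, and the roles, units and audit records are constructed for illustration.

```python
from collections import Counter, namedtuple
from statistics import median

# One audit-trail record: unique login, role, unit the record belongs to,
# and whether the read went through the break-glass path.
Access = namedtuple("Access", "user role unit break_glass")

# Hypothetical role policy: the units each role may routinely read.
ROLE_UNITS = {
    "unit_clerk": {"med_surg"},
    "cardiologist": {"cardiology", "icu", "ccu"},
    "psychiatrist": {"mental_health"},
}

def make_log():
    """Constructed audit trail standing in for one day of EHR record reads."""
    log = []
    for user, role, unit, n in [  # routine traffic: n reads per user
        ("clerk_a", "unit_clerk", "med_surg", 4),
        ("clerk_b", "unit_clerk", "med_surg", 5),
        ("cardio_c", "cardiologist", "cardiology", 4),
        ("psych_d", "psychiatrist", "mental_health", 5),
        ("clerk_e", "unit_clerk", "med_surg", 40),  # unusually busy clerk
    ]:
        log += [Access(user, role, unit, False)] * n
    # Excessive credulity: a unit clerk reads a mental-health record.
    log.append(Access("clerk_a", "unit_clerk", "mental_health", False))
    # STAT consult: the cardiologist reads a mental-health patient's record
    # via break-glass, so care is not delayed (no excessive skepticism).
    log.append(Access("cardio_c", "cardiologist", "mental_health", True))
    return log

def policy_violations(log):
    """Reads outside the user's role policy that did not use break-glass."""
    return [a for a in log if a.unit not in ROLE_UNITS[a.role] and not a.break_glass]

def break_glass_events(log):
    """Break-glass reads: allowed in real time, queued for after-the-fact review."""
    return [a for a in log if a.break_glass]

def outlier_users(log, factor=3.0):
    """Users reading more than `factor` x the median of their role peers."""
    counts = Counter(a.user for a in log)
    role_of = {a.user: a.role for a in log}
    flagged = []
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if role_of[u] == role_of[user]]
        if n > factor * median(peers):
            flagged.append(user)
    return sorted(flagged)
```

Run over the constructed log, the policy check surfaces the clerk's mental-health read, the break-glass list holds the cardiologist's STAT consult for review, and the outlier report names only the clerk whose volume dwarfs her peers.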

In the second of a two-part series, VPN Haus talks to PCI compliance expert Anton Chuvakin about cloud compliance and the prevalence of the “it won’t happen to my company” attitude. Last week, we spoke to Chuvakin about the way the industry has misunderstood – and undervalued – PCI standards.

VPN Haus: You’ve mentioned that some companies take a “nobody wants to hack us” attitude to compliance. What kinds of companies tend to take this approach? What kinds of companies tend to be most vigilant – ones that have already had a breach?

Chuvakin: While many in the security community would quip that only stupid companies would say that “nobody wants to hack us,” reality is slightly more complicated. Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly, some would pay with their very existence for this mistake…

In regard to more vigilant organizations, you are correct: breached companies are indeed more vigilant – but only for a certain time. Some say a breach gives a boost to security awareness and elevated vigilance for about a year.

VPN Haus: Are the consequences of a security breach for PCI companies enough of a deterrent?

Chuvakin: Apparently not. Just look at all the companies that only pay lip service to security and PCI compliance, and then get upset after they are breached. Don’t get upset — the breach is a natural result of your own behavior, please learn to take the responsibility.

VPN Haus: How would you describe PCI’s approach to the cloud? Everyone seems to have an opinion on the cloud, but it seems like PCI has been quiet on this front.

Chuvakin: It is quiet [because] Requirement 12.8 that covers service providers addresses it just fine. [The requirement states,] “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers …” No need to say anything new on the subject, for the most part.

VPN Haus: So basically, the PCI compliance applies to service providers or cloud providers if they have cardholder data?

Chuvakin: Yes, of course. PCI DSS has – and pretty much always had – a section about the responsibilities of a service provider.

VPN Haus: Is there anything that we haven’t covered that you think is relevant or that you’d like to discuss?

Chuvakin: Like we say in the PCI book, “The best way to protect the data from hackers is to delete it.” People should learn that the best approach to PCI is reducing the scope by eliminating card data storage and movement from their environments. If there is a way to change their business process to reduce handling of cardholder data, it should be taken first. Only then – after the data elimination/reduction step is taken – think of encryption, firewalls, application security and other security controls. Outsourcing data handling all together – if possible – is a good way to take this approach as well.

VPN Haus: Would outsourcing your data handling actually increase risks, as you can’t control a third-party vendor’s compliance but you can control your own?

Chuvakin: No, not at all – because – pardon my French – that “you” mentioned above is typically an idiot in regards to security. Their environments are “owned” and card data is being stolen every day. Think of outsourcing as “do you store a lot of CASH in your restaurant/hotel/business?” “No, you ‘outsource’ it to the bank” – “then WHY oh WHY do you insist on writing your own card processing software?” Check out this recent paper: http://www.rsa.com/innovation/docs/10990_CDS_BRF_0610.pdf. Most every PCI expert would agree that payment protocols just don’t belong in-house.

Anton Chuvakin is a principal at Security Warrior Consulting, specializing in PCI DSS, SIEM and log management services for security vendors and enterprises. He also runs the Security Warrior blog and is based in San Francisco.