CUISPA Podcast #22 - Numb with Indifference over the reasonable expectation of privacy…
Panelists: John Brozycki, Alex Rams, Larry Porres
Recorded: 3/28/2009
Questions, comments, or something you’d like us to cover? Contact us at: podcast@cuispa.org
I. Listener survey
Thanks to all who responded to the survey. We value and appreciate the feedback you give us. We had about 55 responses and, while perhaps not statistically large enough, we’re going to assume they are somewhat representative of the credit union community.
Q: Do you listen to the CUISPA podcast?
52% listen to the podcast, frequently or infrequently
30% didn’t know about the podcast before the survey
12% don’t listen to podcasts (or at least not to the CUISPA podcast)
6% would if it was available via RSS or iTunes
What we’re doing: RSS functionality has been added and iTunes is being added now.
Q: Favorite podcast segments?
81% like the techtorials
71% like the news
58% like the phishing hole and cooltilities
42% (lowest rating) like the interviews
What we’re doing: We’ll definitely be putting more effort into the techtorials, starting with this episode. While we haven’t done an interview in a while, we’re going to limit them and only include topics and speakers more relevant to you.
Q: Given the economy, what training/learning options are currently still open to you?
39% Reduced training and expenses
51% Online training
43% Local training (no travel)
18% No training budget
What we’re doing: We’ll be covering learning opportunities that we find (and that you share with us) in our podcasts. We’re adding a new segment.
We also asked if any of you would consider contributing in some way to the podcast in the future, and appreciate the responders who said they would or would at least like to hear more about it. They will be hearing from us in the near future.
II. News stories
1) Heartland No Longer PCI DSS Compliant
On Friday, March 13th, Visa announced that Heartland Payment Systems is not on its list of “payment card processors who are in good standings for the industry-mandated standards for data security.” While Heartland has yet to announce how many cards were affected, it is generally accepted that it will be the largest card compromise ever, by far.
“Retailers and other companies are not allowed to do business with processors that are not PCI compliant,” Gartner analyst Avivah Litan reminds people in The Register article. The funny thing is that Heartland is still processing Visa transactions. In the end, compliance does not equal security. Just when credit unions and other card issuers can least afford it, we’re paying large fees to reissue cards.
http://www.theregister.co.uk/2009/03/13/visa_delists_heartland_rbsworldpay/
Three Arrested in Heartland Breach Case
Quick fact: there are believed to be at least 220 financial institutions affected by the Heartland breach [1]. Three men allegedly used credit card numbers stolen in the breach to make purchases at an area Wal-Mart and then resold the goods for cash [2]. “The combined amount of actual and attempted fraudulent transactions by the three exceeded $100,000.”
[1] http://www.bankinfosecurity.com/articles.php?art_id=1210
[2] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127984&source=rss_topic17
2) P2P Holds Sensitive Presidential Helicopter Information
Marine One, the helicopter used by President Barack Obama, has had the blueprints for its next version compromised and copied to an Iranian IP address. The attack methodology? A contractor had P2P software on his laptop, and it was misconfigured to allow public access to the entire hard drive.
Takeaway: Don’t assume that any vendor you hire is beyond doing something like this. You are the one ultimately responsible. As the saying goes, “trust, but verify.”
http://www.wpxi.com/news/18818589/detail.html
3) Facebook’s New Terms of Service (TOS)
Chris Walters writes that “Facebook's terms of service (TOS) used to say that when you closed an account on their network, any rights they claimed to the original content you uploaded would expire. Not anymore. Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later. Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your old content. They can even sublicense it if they want.”
http://yro.slashdot.org/article.pl?sid=09/02/16/1347230&from=rss
…and it’s bad enough that they’re wasting bandwidth!
Concerns are looming about the length of HTTP requests and the amount of bandwidth being consumed for high-traffic sites. John Buswell writes that “despite being blatantly obvious is the length of directories and filename that are used to create URLs.”
http://www.o3magazine.com/4/a/0/1.html
http://tech.slashdot.org/article.pl?sid=09/03/27/2017250&from=rss
4) Canadian Judge Rules Internet Users Have "No Reasonable Expectation of Privacy" when it comes to records kept by Canadian Internet service providers.
Do you want to have your entire surfing history at the disposal of law enforcement authorities?
http://www.montrealgazette.com/news/Police+have+access+your+online+history/1286193/story.html
5) To avoid Wiretaps, criminals recommend using VoIP
Police in
[1] http://www.networkworld.com/news/2009/021609-criminals-using-skype-say-italian.html
[2] http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
6) What Do You Really Know about DLP
“The first thing you should know about data loss prevention (DLP) technology is that it doesn't actually prevent data losses… If your organization hasn't implemented DLP yet, not to worry; you're not behind. Most reports indicate that fewer than half of large enterprises have DLP in place, and some say that figure is not even 25 percent. However, most reports also say that a majority of companies, including some 68 percent of companies in the
III. Tech Segment
In this tech segment we look at using Windows commands to create a list from the contents of a directory and then turning that list into batch commands that automate a process over those file names, such as importing data into a database or application.
Any time you need a list of files to import, load, or otherwise process, here is one technique that uses only built-in Windows commands:
1) dir /A:-D /B /O:-D J:\ > C:\list.txt
Explanation: /A:-D means don’t include directories, /B uses bare display format (names only, no header, sizes, or dates), /O:-D sorts by date modified, newest first (remove the “-” to sort oldest first), and “J:\” is the directory where the files are located. Give the drive letter with a trailing backslash: a bare “J:” means “the current directory on drive J:”, which is not necessarily the root. “>” sends the output of the dir command to the file named immediately after it.
The result is a text file containing only the file names from that directory, sorted newest to oldest.
2) Edit and save a batch file exactly as shown. Note that if you want to run this as an interactive command instead of as a batch script, replace “%%” with “%” so that “%%i” becomes “%i”, or else it will not work correctly. In this example, we’re going to create a batch file that loads the files into a MySQL database. However, you could substitute anything else you were doing, such as running reports, sending emails, etc. Everything from for through final.sql is a single command line; word-processor formatting may wrap it, but there is only one space after ‘\n’ and before the column list.
for /F "delims=" %%i in (C:\list.txt) do echo LOAD DATA LOCAL INFILE 'J:\\%%i' INTO TABLE risk.transactions FIELDS TERMINATED BY ';' LINES TERMINATED BY '\n' (CardNo,Expire,Amount,CD,MonthDay,TranTime,Acquirer,Merchant,MCC,AsOfDate,CountryCode,City); >> final.sql
for /F "delims=" %%i in (C:\list.txt) reads the file in parentheses one line at a time and puts each line into the variable %%i. The "delims=" option turns off for /F’s default splitting on spaces and tabs; without it, a file name containing a space would be cut off at its first word.
echo is used to add the leading text. In this example it prints out a MySQL load statement, with %%i substituting in the file name that was retrieved from the directory listing. The doubled backslash in 'J:\\%%i' is there because MySQL string literals use backslash escapes.
>> final.sql causes the output of the echo command to be appended to the file final.sql (in the current directory, so change to the directory where you want it first). If a single “>” had been used, each write would overwrite the previous file, and the end result would be a file holding only the line for the last entry processed. “>>” means append to the file.
One caveat: the file name is pasted straight into the SQL text. A name containing a quote, a semicolon, or a backslash would break the statement or change what it does, so only run this over a directory whose contents you control, and look at list.txt before you build final.sql.
3) Import in MySQL. The lines created in final.sql are SQL commands that import the data into a MySQL database. The file can be opened as a SQL file in “HeidiSQL” or loaded into any SQL interface, such as the MySQL query tool. Connect with an account that has INSERT on the target table (LOAD DATA LOCAL does not need the FILE privilege, but local_infile must be enabled on both the client and the server). Make sure the mapped drive letter (in this case, J:) is indeed mapped on the machine running the client, since LOCAL means the client reads the files and sends them to the server, and that it holds the files you wish to import. Again, if you are not importing data into a MySQL database as we’re doing in this example, substitute whatever else you are doing.
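The same three steps as one PowerShell function, added here as an example and not code from the podcast: it lists the directory newest-first, refuses any file name that is not plain letters, digits, dots, dashes and underscores (so nothing that could alter the SQL ever reaches the statement), doubles the backslashes in the path the way the MySQL string literal needs, and writes all the statements in one go. The function name New-LoadDataScript, its parameter names, and the assumed J:\ source and C:\final.sql output are this example’s own; the table and column list are the ones from the show notes.

```powershell
# Added example (not from the podcast): the three-step batch technique as a
# PowerShell function that validates file names before they go into SQL text.
# The function and parameter names are this example's own; the table, column
# list and the J:\ source directory are the ones used in the show notes.
function New-LoadDataScript {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,        # e.g. 'J:\'
        [Parameter(Mandatory)] [string] $OutFile,          # e.g. 'C:\final.sql'
        [string] $Table = 'risk.transactions'
    )

    $columns = 'CardNo,Expire,Amount,CD,MonthDay,TranTime,Acquirer,Merchant,MCC,AsOfDate,CountryCode,City'

    # Allow-list for names: letters, digits, dot, dash, underscore. Anything else
    # (quotes, semicolons, backslashes, spaces) is refused rather than escaped,
    # because the name is about to be placed inside a SQL string literal.
    $safeName = '^[A-Za-z0-9._-]+$'

    # Files only, newest first: the same order as dir /A:-D /O:-D.
    $files = Get-ChildItem -LiteralPath $SourceDir -File |
             Sort-Object LastWriteTime -Descending

    $statements = foreach ($f in $files) {
        if ($f.Name -notmatch $safeName) {
            Write-Warning "Skipping '$($f.Name)': name contains characters this import does not accept"
            continue
        }
        # MySQL string literals use backslash escapes, so each \ in the Windows
        # path must be doubled, exactly as 'J:\\%%i' did in the batch version.
        $path = $f.FullName -replace '\\', '\\'
        "LOAD DATA LOCAL INFILE '$path' INTO TABLE $Table FIELDS TERMINATED BY ';' LINES TERMINATED BY '\n' ($columns);"
    }

    # Set-Content replaces the output file (like >), so re-running the script
    # never leaves duplicate statements behind the way >> would.
    Set-Content -LiteralPath $OutFile -Value @($statements) -Encoding Ascii
    return $statements
}

# Usage, with the paths assumed above:
# New-LoadDataScript -SourceDir 'J:\' -OutFile 'C:\final.sql'
```

Run it from a PowerShell prompt on the machine where J: is mapped, since LOAD DATA LOCAL has the client, not the server, read the files. The statements are returned as well as written, so you can review them before importing. Two things the batch version does not do: a rejected name produces a warning instead of a broken or altered statement, and the output file is replaced on every run rather than appended to. One more caveat that applies to both versions: the MySQL manual notes that a server can ask a client that has LOCAL enabled to send a file other than the one named in the statement, so only use LOAD DATA LOCAL against a server you control.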
IV. Cooltility (Cool + Utility = Cooltility)
http://lg.as6453.net/bin/lg.cgi
This site is a free public looking glass. A “looking glass” is a router on the Internet that permits public access to some diagnostic commands. Many looking glasses are available. Some put you right at the command line interface of a router, but this one provides a web interface. A looking glass lets you issue commands such as PING and TRACEROUTE from different points on the Internet. If members indicate they can’t reach your site, Internet banking, etc., you can use public looking glasses in different geographic areas to see whether there is a problem and where it lies. Sometimes problems are isolated to specific areas because of local issues, and a looking glass lets you (as long as you can reach it) see what access looks like from those areas.
V. Smarter U.
One investment you can never lose on is the investment in yourself.
1. SANS Webcasts (https://www.sans.org/webcasts/), recommended by several listeners. SANS offers free webcasts. An interesting one is the “Pen Test Perfect Storm” series (the third of which is scheduled, while the previous two are archived) at: https://www.sans.org/webcasts/show.php?webcastid=91601
2. Safari Books Online - $50/month access to many tech manuals/books from O'Reilly and others. Recommended by a listener.
3. One listener is converting the Microsoft Learning Credits part of their EA Agreement with trainer New Horizons to be able to use them for non-Microsoft courses. (It’s worth looking into any current agreements you have to see if you can get something you need more out of them, and many vendors seem willing to help.)
4. If you’re not currently a student at a university or community college, look at taking a course for credit, or auditing one, to gain access to the library resources available through the school. Additionally, your local library may have many of the same resources.
Got a suggestion for this space? Please send it to podcast@cuispa.org.