
Computer Attacks are Alive and Kicking

The humble home PC, used by most people to surf the ’net and store digital photos, is being used by some as a launch pad for all manner of sinister activities, with the perceived anonymity making it all the more attractive to those with malicious designs.

7Safe recently worked with the Serious and Organised Crime Agency (SOCA) by providing evidence for the prosecution of Adrian Ringland, a paedophile who preyed on children by blackmailing them over the Internet. Finding his victims in chat rooms, he sent them files which allowed him to gain control over their computers. Once he had proved to the children that he had control, Ringland blackmailed them into taking lewd photos of themselves for him to see. If they refused, he told them that he would crash their computers. Fortunately, one of the victims (who lives in Canada) decided to tell her parents, who wisely contacted the police. Despite newspaper reports that he bragged he was so clever he would never be caught, Ringland pleaded guilty in August in the face of the overwhelming evidence found against him. He is due to be sentenced on October 19th, 2006.

In the US, a man was sentenced in August to three years in prison for hacking into thousands of PCs, including some within the US Department of Defense. Christopher Maxwell was sentenced to three years in prison as well as three years of supervised release after pleading guilty to federal conspiracy charges. According to media reports, Maxwell and two others made more than $100,000 by installing adware via botnet attacks. During their three-year spree, they were accused of breaking into machines at the Pentagon, Northwest Hospital in Seattle and the Colton Unified School District in California.

Consumer confidence in corporate security also took a beating recently when hackers broke into US telecommunications giant AT&T’s online store and accessed customer accounts without authorisation.
The company announced that they notified the major credit card companies of the accounts involved, advised the police, and vowed to pay the cost of monitoring the affected credit accounts. The identity of the attackers is currently unknown.

The CC Industry Strikes Back

In response to the number of attacks focused on obtaining credit card details, Visa and MasterCard have joined forces to ensure that credit card data has a level of protection against unauthorised access. The Payment Card Industry (PCI) Data Security Standard was created in order to restore consumer confidence in card payments. It aims to give cardholders the assurance that their card details are safe and secure when their debit or credit card is offered at the point of sale, over the Internet, on the phone or through mail order.

The standard consists of 12 general requirements (with sub-requirements) based around best practice security measures, specifically applied to card holder data:

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Comparisons can be drawn with ISO 27001, the information security standard. Under the PCI standard, merchants processing over six million credit card transactions per annum, or that have suffered an attack in which account data security has been compromised (as with AT&T), are classified as ‘Level 1’ Merchants. The PCI Data Security Standard requires compliance validation for Level 1 Merchants by way of an annual on-site data security assessment and quarterly network scans by an approved security company. There are three additional levels for merchants, with differing validation actions, but all must now undertake network scans from qualified independent scan vendors in order to comply with the standard. It certainly is refreshing to see the competing credit card companies unite like this in an effort to protect card holders from fraud.

Alan Phillips MBCS