<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>pci « WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/pci/</link>
	<description>Feed of posts on WordPress.com tagged "pci"</description>
	<pubDate>Fri, 25 Dec 2009 09:02:12 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Technology Review: Security in the Ether]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/24/technology-review-security-in-the-ether/</link>
<pubDate>Thu, 24 Dec 2009 19:26:38 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/24/technology-review-security-in-the-ether/</guid>
<description><![CDATA[In 2006, when Amazon introduced the Elastic Compute Cloud (EC2), it was a watershed event in the que]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>In 2006, when Amazon introduced the Elastic Compute Cloud (EC2), it was a watershed event in the quest to transform computing into a ubiquitous utility, like electricity. Suddenly, anyone could scroll through an online menu, whip out a credit card, and hire as much computational horsepower as necessary, paying for it at a fixed rate: initially, 10 cents per hour to use Linux (and, starting in 2008, 12.5 cents per hour to use Windows). Those systems would run on &#8220;virtual machines&#8221; that could be created and configured in an instant, disappearing just as fast when no longer needed. As their needs grew, clients could simply put more quarters into the meters. Amazon would take care of hassles like maintaining the data center and network. The virtual machines would, of course, run inside real ones: the thousands of humming, blinking servers clustered in Amazon&#8217;s data centers around the world. The cloud computing service was efficient, cheap, and equally accessible to individuals, companies, research labs, and government agencies.</p>
<p>via <a href="http://www.technologyreview.com/web/24166/">Technology Review: Security in the Ether</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Tactics for Tough Times]]></title>
<link>http://elainegantzwright.wordpress.com/2009/12/23/tough-tactics-for-trying-times/</link>
<pubDate>Wed, 23 Dec 2009 22:57:15 +0000</pubDate>
<dc:creator>elainegantzwright</dc:creator>
<guid>http://elainegantzwright.wordpress.com/2009/12/23/tough-tactics-for-trying-times/</guid>
<description><![CDATA[“It is the nature of man to rise to greatness if greatness is expected of him.” –John Steinbeck Whet]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><em>“It is the nature of man to rise to greatness if greatness is expected of him.” –John Steinbeck<br />
</em><br />
<a href="http://elainegantzwright.wordpress.com/files/2009/12/clock.jpeg"><img src="http://elainegantzwright.wordpress.com/files/2009/12/clock.jpeg" alt="" title="clock" width="117" height="122" class="alignleft size-full wp-image-429" /></a>Whether you are large or little, flush or floundering, it&#8217;s never too late to chart a course to flourish in the New Year. Even though recovery is still only a faint glimmer on the horizon, we need to be vigilant about honing our skills to work smarter and make the most of the new economic realities. Here are some scrappy, do-more-with-less things you can do to jump-start your marketing program in 2010: </p>
<p><strong>Contact your lapsed donors. </strong> Appeal to them via snail mail or, better yet, through email. Reactivated donors can have a higher lifetime value than new donors, because they&#8217;re already invested.</p>
<p><strong>Express gratitude.</strong> Curtailing donor-acknowledgment activities as a means of cost-cutting can be counter-productive&#8211;and even devastating. In fact, messages of appreciation will be more potent than ever.</p>
<p><strong>Take risks.</strong> Yes, even in a time of uncertainty, new tools can help you differentiate yourself in a sea of solicitations and a cacophony of causes. Social media can help you expand your base and leverage the viral power of peer-to-peer fundraising in dynamic, new ways. Discover exciting ways to streamline your process and empower your volunteers. In this Internet age, the medium is definitely the message, as well as the method!</p>
<p><strong>Innovate.</strong> Effective fundraising is dependent on innovation. Everything is testable, and any idea can lead to a stronger program. Whether it succeeds or fails, there is something to be learned. The biggest mistake you can make during tough times is to retreat to a defensive position and make decisions out of fear.</p>
<p><strong>Put the &#8220;Donate Now&#8221; button on everything.</strong> Don&#8217;t be shy about the &#8220;Donate Now&#8221; button. So many schools and universities, in particular, are shy about using this. It&#8217;s one of the easiest ways to increase online giving&#8211;by asking!!! Some key places to put it include:<br />
•	Your homepage.<br />
•	The homepage of your online community.<br />
•	Every email, every e-newsletter you send.</p>
<p><strong>ENGAGE in social media.</strong> If you have not already, create a Facebook page that will automatically post status updates to your Twitter account. (Set that up, too.) And investigate your LinkedIn groups. You may find that there is already an active community of support burgeoning on these sites. Build a bridge, and interact with online-savvy groups.</p>
<p><strong>Investigate mobile applications.</strong> Whether you are providing mobile access to a unique resource, to volunteer offerings, or to giving opportunities, everyone is going mobile. We need to communicate with our donors and alumni where they are &#8212; in the palms of their hands &#8212; through mobile applications, texting, and mobile-friendly rendering of our communications. This will be essential in 2010! According to IDC&#8217;s <a href="http://www.idc.com/getdoc.jsp?containerId=prUS22070109">Worldwide Quarterly Mobile Phone Tracker</a>, vendors shipped a total of 43.3 million converged mobile devices (smartphones) during the third quarter of 2009 (3Q09), up 4.2% from the 41.5 million units shipped in 3Q08, and up 3.2% from shipments of 41.9 million units in 2Q09.</p>
<p>Whatever you do, keep trusting &#8212; and testing, testing, testing . . . And remember to take time to breathe and celebrate everything you have accomplished this year.</p>
<p><em>Elaine Gantz Wright writes about social media that makes a difference. Contact her at ewright @ publishingconcepts.com. </em></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[A Bit of News]]></title>
<link>http://xdoctorwebx.wordpress.com/2009/12/21/un-poco-de-noticias/</link>
<pubDate>Mon, 21 Dec 2009 17:05:05 +0000</pubDate>
<dc:creator>xdoctorwebx</dc:creator>
<guid>http://xdoctorwebx.wordpress.com/2009/12/21/un-poco-de-noticias/</guid>
<description><![CDATA[Web domains without updated data will be deregistered Sunday, December 20, 2009, 08]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/daran-de-baja-dominios-web-que-no-tengan-los-datos-actualizados/">Web domains without updated data will be deregistered</a></h2>
<div>Sunday, December 20, 2009, 08:54:48 p.m. &#124; hardware</div>
<div>*NIC Argentina* announced that during the coming year it will implement a new system for registering and administering domain names. It therefore asked registrant entities to update their data: “Those (Registrant Entities) that have not regularized their data by March 1, 2010&#8230;</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/una-pc-con-forma-de-teclado-por-99-dolares/">A keyboard-shaped PC for 99 dollars</a></h2>
<div>Sunday, December 20, 2009, 10:49:59 a.m. &#124; hardware</div>
<div><a href="http://hardysoft.xplaynet.com/una-pc-con-forma-de-teclado-por-99-dolares/"><img src="http://www.fayerwayer.com/up/2009/12/norhtec_gecko_surfboard.jpg" alt="" hspace="5" width="150" align="left" /></a>Image: http://www.fayerwayer.com/up/2009/12/norhtec_gecko_surfboard.jpg While the ASUS Eee Keyboard keeps being delayed, the company NorhTec already has a product shaped like a QWERTY keyboard that packs a 1 GHz Xcore86 processor (aka Vortex86MX, used in the Gecko Infopad tablet), 512&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/asus-x58-series-p6t-y-rpgii-compatible-ccpu-6-nucleos32nm/">ASUS X58 series P6T and RpgII compatible with 6-core (32nm) CPUs</a></h2>
<div>Friday, December 18, 2009, 03:17:52 a.m. &#124; hardware</div>
<div>ASUS announces that it is the first to offer support for 32nm (6-core) Intel processors on models already available in Argentina. These are the motherboards of the P6T series and of the ROG segment (Rampage II Extreme and Rampage II Gene) that integrate the X58 chipset, Chie-Wei Lin, General&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/opteron-12-nucleos-en-marzo/">12-core Opteron in March</a></h2>
<div>Thursday, December 17, 2009, 06:37:02 p.m. &#124; hardware</div>
<div>AMD to Launch 12-Core Server Microprocessors in March – Sources. Basic Specifications of Next-Gen AMD Opteron “Magny-Cours” Transpire [12/15/2009 05:01 PM] by Anton Shilov. Advanced Micro Devices will launch its twelve-core AMD Opteron “Magny-Cours” central processing units (CPUs) for&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/ati-catalyst-9-12-whql/">ATI Catalyst 9.12 WHQL</a></h2>
<div>Thursday, December 17, 2009, 05:53:03 p.m. &#124; hardware</div>
<div><a href="http://hardysoft.xplaynet.com/ati-catalyst-9-12-whql/"><img src="http://tpucdn.com/images/news/catalyst.gif" alt="" hspace="5" width="150" align="left" /></a>Image: http://tpucdn.com/images/news/catalyst.gif The long-awaited new Catalyst 9.12 drivers have been released after the 9.11 fiasco. AMD released its latest version of the ATI Catalyst Software Suite to date, Catalyst 9.12 WHQL, which provides drivers and system software for the company&#8217;s ATI&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/evga-evbot/">EVGA EVbot</a></h2>
<div>Thursday, December 17, 2009, 11:46:19 a.m. &#124; hardware</div>
<div><a href="http://hardysoft.xplaynet.com/evga-evbot/"><img src="http://img693.imageshack.us/img693/193/45357964.jpg" alt="" hspace="5" width="150" align="left" /></a>A handheld &#8220;palm&#8221; controller similar to the one some Asus boards ship with, for tweaking your PC while lounging in an armchair :D Image: http://img693.imageshack.us/img693/193/45357964.jpg Image: http://img23.imageshack.us/img23/6683/89856166.jpg Image:&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/sindrome-de-asperger-roberto-diego-munoz-ragel-testimonio-de-su-hermano-luis/">Asperger syndrome – Roberto Diego Muñoz Ragel – testimony of his brother Luis</a></h2>
<div>Thursday, December 17, 2009, 06:28:31 a.m. &#124; hardware</div>
<div><a href="http://hardysoft.xplaynet.com/sindrome-de-asperger-roberto-diego-munoz-ragel-testimonio-de-su-hermano-luis/"><img src="http://img96.imageshack.us/img96/2969/videosdaq.jpg" alt="" hspace="5" width="150" align="left" /></a>Hello everyone. To begin with, this is unusual news for this kind of forum; I have obtained permission to publish it. It is indirectly related to computing, as I explain a few lines further down. I am Luis Gonzaga Muñoz Ragel, a LADE student, and an Erasmus exchange student at&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/seagate-momentus-thin-el-disco-mecanido-mas-delgado/">Seagate Momentus Thin, the thinnest mechanical disk</a></h2>
<div>Thursday, December 17, 2009, 01:03:21 a.m. &#124; hardware</div>
<div><a href="http://hardysoft.xplaynet.com/seagate-momentus-thin-el-disco-mecanido-mas-delgado/"><img src="http://www.blogcdn.com/es.engadget.com/media/2009/12/seagate-momentus-thin_6.jpg" alt="" hspace="5" width="150" align="left" /></a>Image: http://www.blogcdn.com/es.engadget.com/media/2009/12/seagate-momentus-thin_6.jpg If you remember, about a week ago we told you about a new, super-thin hard drive that Seagate planned to show the public during CES. Well, so as not to make the wait too long, the&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/el-seis-nucleos-de-intel-se-llamara-core-i7-980x/">Intel's six-core part will be called Core i7 980X</a></h2>
<div>Thursday, December 17, 2009, 12:57:27 a.m. &#124; hardware</div>
<div><a href="http://hardysoft.xplaynet.com/el-seis-nucleos-de-intel-se-llamara-core-i7-980x/"><img src="http://www.fudzilla.com/images/stories/2009/December/General%20News/corei7_980x_slide.jpg" alt="" hspace="5" width="150" align="left" /></a>Image: http://www.fudzilla.com/images/stories/2009/December/General%20News/corei7_980x_slide.jpg Image: http://www.fudzilla.com/images/stories/2009/December/General%20News/corei7_desktop_roadmap_2010.jpg Against all predictions, and despite what we were all expecting, the processor with six&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
<div>
<div>
<h2><a href="http://hardysoft.xplaynet.com/google-inicia-cuenta-regresiva-que-concluye-en-ano-nuevo/">Google starts a countdown that ends on New Year's</a></h2>
<div>Wednesday, December 16, 2009, 09:35:19 p.m. &#124; hardware</div>
<div>Google's site shows a mysterious countdown. What will happen at midnight on December 31? Clicking the &#8220;I'm Feeling Lucky&#8221; button without filling in the search field leads to a blue counter showing a countdown. *The &#8220;phenomenon&#8221; is observed only on&#8230; Sponsored by <a href="../">XPlayNet</a>.</div>
</div>
</div>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Fails of 2009 - The Heartland Payment Systems Breach]]></title>
<link>http://blog.triumfant.com/2009/12/21/security-fails-of-2009-the-heartland-payment-systems-breach/</link>
<pubDate>Mon, 21 Dec 2009 16:19:45 +0000</pubDate>
<dc:creator>Jim Ivers</dc:creator>
<guid>http://blog.triumfant.com/2009/12/21/security-fails-of-2009-the-heartland-payment-systems-breach/</guid>
<description><![CDATA[This is the fifth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><em>This is the fifth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009.  </em></p>
<p>In January of 2009, it was disclosed that Heartland Payment Systems had experienced an intrusion into their computers that may have compromised over <a href="http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm">100 million customer records</a>.  After the dust settled, the breach was found to involve 130 million customer records, pushing this breach well past the previous record represented by the 2007 TJX breach that compromised 94 million records.  Heartland processes 100 million payment card transactions per month for 175,000 merchants.</p>
<p>By December the attack was <a href="http://www.wired.com/threatlevel/2009/12/gonzalez-heartland-plea/">traced to admitted TJX intruder</a> Albert Gonzalez, who eventually entered into a plea agreement on the Heartland breach and additional charges that he hacked into Hannaford Brothers, 7-Eleven and two other unnamed national retailers.  Heartland has allocated $12.6M for the clean-up, and as of today Heartland was still settling with American Express ($3.6M) and resolving other class action suits.</p>
<p>The scope of the breach re-energized conversations about the efficacy of the PCI standards and the general state of fraud protection for card based transactions.  The dialogue became more interesting when Heartland CEO Robert Carr did an <a href="http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down">interview with Bill Brenner of CSO Magazine </a>where Carr laid the blame squarely on the audits done by their Qualified Security Assessors (QSAs).  Carr’s comments were viewed by many in the security community as <a href="http://securosis.com/blog/an-open-letter-to-robert-carr-ceo-of-heartland-payment-systems">“disingenuous”</a> as most believe that the source of the breach could have been eliminated if Heartland had applied some generally accepted security controls. </p>
<p>PCI has long been an industry hot button, and the Heartland attack illustrates the issues at hand.  Heartland had been assessed as fully compliant with the PCI standards, yet was breached through essentially <a href="http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/">a “garden variety” SQL injection</a>.  In an interesting twist, Heartland’s traditional signature-based tools missed the attack: the attackers had tested their malware against antivirus products beforehand to make sure it would not be detected. </p>
<p>So what are the lessons learned?  Heartland demonstrates that even companies regarded as sophisticated about IT security are still far too reliant on signature-based tools and must look to newer technologies to close the gaps that let long-known vectors such as SQL injection through their perimeters.  Heartland is also a great “exhibit A” that compliance does not equal security; a compliance assessment only attests that certain controls were in place at a point in time.  Finally, in spite of calls to action to rid the card processing industry of fraud, there is little evidence that anything other than rhetoric came from the attack, so we can fully expect to see another Heartland in 2010.</p>
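<p>The “garden variety” SQL injection above is worth seeing in code. The following is an added example, not code from the Triumfant post or from Heartland: a card-data lookup that splices untrusted input into the query text, beside the parameterized form that closes the hole. The table, merchant IDs and PANs are constructed for illustration (the PANs are the standard industry test numbers, not real cards), and the lookup is run against an in-memory SQLite database so it works offline.</p>

```python
"""Added example (not from the original post): a lookup vulnerable to
'garden variety' SQL injection, beside its parameterized replacement.
Schema, merchant IDs and PANs are constructed for illustration only."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed, fake transaction rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER PRIMARY KEY, merchant_id TEXT, pan TEXT)"
    )
    conn.executemany(
        "INSERT INTO transactions (merchant_id, pan) VALUES (?, ?)",
        [
            ("M1001", "4111111111111111"),  # industry test PAN, not a real card
            ("M1001", "4012888888881881"),  # industry test PAN, not a real card
            ("M2002", "5555555555554444"),  # industry test PAN, not a real card
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant_id: str) -> list[str]:
    """Concatenates untrusted input into the SQL text.  A merchant_id of
    "' OR '1'='1" turns the WHERE clause into a tautology, so the query
    returns every PAN in the table, not just the caller's own."""
    sql = "SELECT pan FROM transactions WHERE merchant_id = '" + merchant_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, merchant_id: str) -> list[str]:
    """Binds the input as a query parameter.  The database engine treats it
    as a literal string value, so the same payload simply matches no row."""
    sql = "SELECT pan FROM transactions WHERE merchant_id = ?"
    return [row[0] for row in conn.execute(sql, (merchant_id,))]


# Classic tautology payload; the quote closes the literal the query opened.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))  # every PAN in the table
    print("safe:      ", lookup_safe(db, INJECTION))        # []
    print("safe, legit:", lookup_safe(db, "M1001"))         # that merchant's two PANs
```

<p>The point of the pair is that the fix is not input filtering but keeping data out of the query text entirely; a parameter can never change the shape of the statement. Any ORM or driver that builds SQL by string formatting reintroduces the first function’s behaviour no matter what the surrounding tooling reports.</p>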
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Tips on How to Take Care of Laptops]]></title>
<link>http://dolins.wordpress.com/2009/12/21/tips-how-to-take-care-laptops/</link>
<pubDate>Mon, 21 Dec 2009 14:11:52 +0000</pubDate>
<dc:creator>th3z4ck</dc:creator>
<guid>http://dolins.wordpress.com/2009/12/21/tips-how-to-take-care-laptops/</guid>
<description><![CDATA[Tips on how to take care of laptops. A laptop's electronics are very sensitive; if you do not guard it well and do ]]></description>
<content:encoded><![CDATA[Tips on how to take care of laptops. A laptop's electronics are very sensitive; if you do not guard it well and do ]]></content:encoded>
</item>
<item>
<title><![CDATA[PCI Compliance and Franchising]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/20/pci-compliance-and-franchising/</link>
<pubDate>Mon, 21 Dec 2009 00:05:21 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/20/pci-compliance-and-franchising/</guid>
<description><![CDATA[There was post recently on the SPSP Forum regarding the lack of information on franchise operations ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>There was a post recently on the SPSP Forum regarding the lack of information on franchise operations and PCI compliance.  Since I have been searching for a topic to write on, I thought I would take up this topic.</p>
<p>The PCI DSS has only one reference to franchises and that is on page 7.  The reference on page 7 is only in regards to sampling.  During our first year of QSA training, we were told that PCI compliance in a franchise environment is controlled by the operational relationship between the franchiser (the organization that licenses the concept) and the franchisee (the organization that executes the retail concept).  Franchisees typically maintain their own merchant accounts and have their own contracts with an acquiring bank.  For PCI compliance purposes, most franchisees are independent from their franchiser and therefore, the franchisee is responsible for their PCI compliance and any document filing.</p>
<p>At their simplest, franchisees use “knuckle busters” and stand-alone terminals.  In these instances, the franchisee can fill out and file a self-assessment questionnaire (SAQ) B.  Other franchisees, such as those in the fast food industry, have purchased an un-customized integrated point of sale (POS) system with a network at the restaurant.  These sorts of installations typically meet the requirements for SAQ C.</p>
<p>via <a href="http://pciguru.wordpress.com/2009/11/21/pci-compliance-and-franchising/">PCI Compliance and Franchising « PCI Guru</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Attack Of The RAM Scrapers]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/20/attack-of-the-ram-scrapers/</link>
<pubDate>Mon, 21 Dec 2009 00:04:08 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/20/attack-of-the-ram-scrapers/</guid>
<description><![CDATA[The inclusion of RAM scrapers in a recent Verizon Business list of the top data breach attack vector]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The inclusion of RAM scrapers in a recent Verizon Business list of the top data breach attack vectors has prompted a bit of buzz about what exactly RAM scraping is and how much of a threat it poses.</p>
<p>A RAM scraper as identified in the Verizon Business Data Breach Investigation report is a piece of customized malware created to grab credit card, PIN, and other confidential information out of a system&#8217;s volatile memory. The RAM-scraping breaches in Verizon&#8217;s report occurred in point-of-sale (POS) servers.</p>
<p>RAM scraping is not really what&#8217;s new, but what Verizon flagged as the emergent threat trend is RAM scraping in POS devices.</p>
<p>via <a href="http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222002720">Attack Of The RAM Scrapers &#8211; DarkReading</a>.</p>
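<p>What a RAM scraper actually does once it is on a POS host is pattern matching over process memory, and the same matching is what a defender runs over a memory dump to confirm an infection. The block below is an added example, not code from the DarkReading article or the Verizon report: it scans a byte buffer for Track 2 records and bare card numbers and keeps only those that pass the Luhn check, so that timestamps, order numbers and other digit runs are not reported. The memory image is constructed inline, and the PANs in it are the standard industry test numbers.</p>

```python
"""Added example (not from the DarkReading article or the Verizon report):
the pattern-matching core of a RAM scraper, which is also the check a
responder applies to a POS process memory dump.  The memory image below is
constructed; the PANs in it are industry test numbers, not real cards."""
import re

# Track 2: PAN (13-19 digits), '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, optional '?' end sentinel.  Bytes pattern, so \d is [0-9].
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Bare PAN: a 13-19 digit run not adjacent to further digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 when that exceeds 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(image: bytes) -> dict:
    """Return Luhn-valid Track 2 records and bare PANs found in the buffer."""
    tracks = []
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            tracks.append(
                {"pan": pan, "expiry": m.group(2).decode(), "service": m.group(3).decode()}
            )
    pans = sorted(
        {m.group(1).decode() for m in PAN_RE.finditer(image) if luhn_ok(m.group(1).decode())}
    )
    return {"track2": tracks, "pans": pans}


# Constructed process memory image: a Track 2 record beside unrelated bytes,
# a bare test PAN, a 14-digit timestamp and a 16-digit run that fails Luhn.
MEMORY_IMAGE = (
    b"\x00\x00POS-TERM-07\x00;4111111111111111=15121010000000000000?\x00\x00"
    b"order=20091221161945  txn 4012888888881881 ok\x00"
    b"\xde\xad\xbe\xef 1234567890123456 \x00"
)

if __name__ == "__main__":
    print(scan_memory(MEMORY_IMAGE))
```

<p>A Track 2 hit is the finding that matters: full track data is sensitive authentication data that PCI DSS prohibits storing after authorization, so its presence in a dump of a POS process is the thing to look for, whereas a bare PAN may be legitimately in flight. The Luhn filter is what separates card data from the timestamps and transaction IDs that fill the same memory.</p>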
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[TJX Hacker ‘Will Never Commit Any Crime Again’]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/20/tjx-hacker-%e2%80%98will-never-commit-any-crime-again%e2%80%99/</link>
<pubDate>Mon, 21 Dec 2009 00:03:21 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/20/tjx-hacker-%e2%80%98will-never-commit-any-crime-again%e2%80%99/</guid>
<description><![CDATA[Confessed hacker Albert Gonzalez’s turn as a Secret Service informant led him down a dark path of ob]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Confessed hacker Albert Gonzalez’s turn as a Secret Service informant led him down a dark path of obsession, culminating in the largest identity-theft spree in history.</p>
<p>Frances Gonzalez Lago, Gonzalez’s sister, wrote his sentencing judge that her brother’s work as an informant for the agency between 2003 and 2008 seemed to act as a reward for his obsession with computers. “All this seemed okay at the time, but psychologically it was feeding an obsession that in the end would become my brother’s downfall,” she told the court.</p>
<p>The information appears in a 24-page sentencing memo originally filed Tuesday by Gonzalez’s attorney, Martin Weinberg, before it was sealed, along with several exhibits. The memo was unsealed on Friday, with several pages redacted. Threat Level disclosed on Tuesday the information that was revealed in the redacted pages.</p>
<p>via <a href="http://www.wired.com/threatlevel/2009/12/gonzalez-remorseful/?utm_source=feedburner&#38;utm_medium=feed&#38;utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29&#38;utm_content=My+Yahoo">TJX Hacker ‘Will Never Commit Any Crime Again’ &#124; Threat Level &#124; Wired.com</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[MasterCard’s Got Its Flippy-Floppies]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/20/mastercard%e2%80%99s-got-its-flippy-floppies/</link>
<pubDate>Sun, 20 Dec 2009 23:57:38 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/20/mastercard%e2%80%99s-got-its-flippy-floppies/</guid>
<description><![CDATA[The PCI DSS world was shocked yet again this week when MasterCard backed off its position from earli]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The PCI DSS world was shocked yet again this week when MasterCard backed off its position from earlier this year, requiring Level 2 merchants to obtain validation from a QSA, and is publicly aligning its levels directly with Visa’s—including setting reciprocity with their levels.  The reason I put “publicly” in there is because the merchant operating regulations are NOT public for MasterCard like they are with Visa, but I understand that level reciprocity remains in those regulations even though it was removed from the public-facing information.</p>
<p>via <a href="https://www.brandenwilliams.com/blog/2009/12/18/mastercards-got-its-flippy-floppies/?utm_source=feedburner&#38;utm_medium=feed&#38;utm_campaign=Feed%3A+BrandenWilliamsSecurityConvergenceBlog+%28Branden+Williams%27+Security+Convergence+Blog%29&#38;utm_content=My+Yahoo">Branden Williams&#8217;s Security Convergence Blog » MasterCard’s Got Its Flippy-Floppies</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The 2009 Data Breach Hall of Shame]]></title>
<link>http://barryrubinit.wordpress.com/2009/12/18/the-2009-data-breach-hall-of-shame/</link>
<pubDate>Fri, 18 Dec 2009 18:50:52 +0000</pubDate>
<dc:creator>Barry Rubin</dc:creator>
<guid>http://barryrubinit.wordpress.com/2009/12/18/the-2009-data-breach-hall-of-shame/</guid>
<description><![CDATA[CIO Article on 2009 Data Breaches If there was anything even vaguely comforting about the data breac]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a title="The 2009 Data Breach Hall of Shame" href="http://www.cio.com/article/511236/The_2009_Data_Breach_Hall_of_Shame?source=CIONLE_nlt_infosec_2009-12-18" target="_blank">CIO Article on 2009 Data Breaches</a></p>
<blockquote><p>If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.</p>
</blockquote>
<p>What does this say, or speak loudly of? Is it about <strong><u>Competence</u></strong> or <strong><u>Incompetence</u></strong>? I don’t really think so. Overall, it is about a lack of “dogged, stick-to-it-iveness”. What does that mean? I am certain that all the named organizations on this list have highly competent practitioners in their IT space. Certainly there may be exceptions. </p>
<p>I have found through many, many years of hands-on experience that it isn’t always about the level of technical competence. Most of the time, it is about the <strong><em>burning desire</em></strong> to ALWAYS get it right. Is this type of discipline possible or warranted for every aspect of Technology Management? Well, in an ideal environment called “Nirvana”, maybe. In real life, it just isn’t practical. Nevertheless, some Technology disciplines, such as Security and Data Privacy, absolutely require that kind of commitment and effort.</p>
<p>For example, if I were to build a submarine and had the best <a href="http://barryrubinit.files.wordpress.com/2009/12/screendoor2.jpg"><img style="display:inline;margin-left:0;margin-right:0;border-width:0;" title="Screen Door2" border="0" alt="Screen Door2" align="right" src="http://barryrubinit.files.wordpress.com/2009/12/screendoor2_thumb.jpg?w=112&#038;h=244" width="112" height="244" /></a>engineers / practitioners in the world, but the Project Manager decided to put in a screen door, that small detail would completely defeat the concept of a sealed, water-tight hull. The same example applies to corporate network access. If you secure 99% and one rogue sales office adds a DSL modem without proper security, you get the same effect as the screen door in the submarine.</p>
<blockquote><p>Heartland makes the list simply by virtue of the <a href="http://www.computerworld.com/s/article/9126379/Heartland_data_breach_could_be_bigger_than_TJX_s">spectacular size and scope of the data breach</a> it disclosed in January.</p>
<p>The compromise stemmed from <a href="http://www.computerworld.com/s/article/9136805/SQL_injection_attacks_led_to_Heartland_Hannaford_breaches_">SQL injection errors</a> that allowed hackers to break into the payment processor&#8217;s networks and steal data on approximately 130 million credit and debit cards over several months.</p>
<p>It gave Heartland the dubious distinction of having announced the largest ever data breach in history.</p>
</blockquote>
<p><strong>TAKEAWAY:</strong> 130 million credit card records were in the open.&#160; Was it one of yours? Technical Competency must be augmented with strict levels of effort and commitment in order to be effective.</p>
<h6>Caesar si viveret, ad remum dareris </h6>
<h6>(If Caesar were alive, you&#8217;d be chained to an oar)</h6>
<p>B</p>
<div style="display:inline;float:none;margin:0;padding:0;" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:4c0db32e-c21f-4861-ab23-cd63a73d63cd" class="wlWriterEditableSmartContent">Technorati Tags: <a href="http://technorati.com/tags/PCI" rel="tag">PCI</a>,<a href="http://technorati.com/tags/Security" rel="tag">Security</a>,<a href="http://technorati.com/tags/Risk+Management" rel="tag">Risk Management</a>,<a href="http://technorati.com/tags/Privacy" rel="tag">Privacy</a></div>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[RockYou Hacker: 30% of Sites Store Plain Text Passwords]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/16/rockyou-hacker-30-of-sites-store-plain-text-passwords/</link>
<pubDate>Thu, 17 Dec 2009 05:35:52 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/16/rockyou-hacker-30-of-sites-store-plain-text-passwords/</guid>
<description><![CDATA[In a chat today lasting over an hour, we got to talk to a person claiming to be the infamous hacker ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>In a chat today lasting over an hour, we got to talk to a person claiming to be the infamous hacker behind RockYou&#8217;s latest data security woes.</p>
<p>While he claimed to have no animosity toward users, he had one clear message for websites: Take better care of your customers&#8217; data. RockYou isn&#8217;t the only hacked site storing plain text login information, either.</p>
<p>What Happened</p>
<p>To bring us all up to date, here&#8217;s the gist of the story so far: The hacker, who we&#8217;ll call Tom (not his real name) for brevity&#8217;s sake, tells us that he used an SQL injection to gain direct access to RockYou&#8217;s database, where he found login information for more than 32 million user accounts. The data was all in plain text and contained third-party site logins, as well.</p>
<p>Tom sat on this information for a while. Although he&#8217;s posted about similar hacks in the past, he also claims to have exposed the same vulnerabilities and gained access to the same kind of data for many major U.S. sites. Tom wouldn&#8217;t reveal which sites he&#8217;d hacked, but he did say that he has no intention of using or publishing the data he&#8217;s unearthed.</p>
<p>But yesterday, incensed by this warning from an Internet security company and RockYou&#8217;s claims that only some accounts had been compromised by the security breach, Tom posted about the hack on his blog.</p>
<p>We (along with several of our peers) were tipped off to the situation via Twitter, and TechCrunch has since written two posts about the data breach.</p>
<p>via <a href="http://www.readwriteweb.com/archives/rockyou_hacker_30_of_sites_store_plain_text_passwords.php?utm_source=feedburner&#38;utm_medium=feed&#38;utm_campaign=Feed%3A+readwriteweb+%28ReadWriteWeb%29&#38;utm_content=My+Yahoo">RockYou Hacker: 30% of Sites Store Plain Text Passwords</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The Fallacy of Identity Theft]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/16/the-fallacy-of-identity-theft/</link>
<pubDate>Thu, 17 Dec 2009 05:31:05 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/16/the-fallacy-of-identity-theft/</guid>
<description><![CDATA[I hate the term &#8220;identity theft.&#8221; As far as I know, no one can steal my identity. Even i]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I hate the term &#8220;identity theft.&#8221;</p>
<p>As far as I know, no one can steal my identity. Even if my bank account number, my credit card number and all my passwords are stolen, I am fairly confident that I will still be me and the thief will be a different person.</p>
<p>Yes, the criminal will be masquerading as me. But anyone who knows me – my husband, my children, my colleagues, my doorman, my employer – will not be fooled. If &#8220;I&#8221; was actually stolen, I believe that would be called a kidnapping.</p>
<p>The entities that would be fooled by a masquerader are ones that don&#8217;t really know me: my bank, my credit card company, places where I do online or offline shopping. Maybe they should have done a better job figuring out who I was before parting with my money or their goods.</p>
<p>via <a href="http://online.wsj.com/article/SB125537784669480983.html">The Fallacy of Identity Theft &#8211; WSJ.com</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Literary Device]]></title>
<link>http://elainegantzwright.wordpress.com/2009/12/15/literary-device/</link>
<pubDate>Tue, 15 Dec 2009 05:24:47 +0000</pubDate>
<dc:creator>elainegantzwright</dc:creator>
<guid>http://elainegantzwright.wordpress.com/2009/12/15/literary-device/</guid>
<description><![CDATA[I admit it. I like texting. I don’t know if it is the writer in me, the social media maven, mom, or ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://elainegantzwright.wordpress.com/files/2009/12/text.jpg"><img src="http://elainegantzwright.wordpress.com/files/2009/12/text.jpg?w=300" alt="" title="text" width="300" height="229" class="alignleft size-medium wp-image-421" /></a><br />
I admit it. I like texting. I don’t know if it is the writer in me, the social media maven, mom, or bon vivant, but I am hooked. It took me a while to embrace it, but I have found the direct access to those I care about quite appealing.  I can receive a quick text at work when my son gets home from school—or a little casual banter with a flirtatious friend—without the formality a phone conversation entails. I guess it’s part of the “instant,” byte-sized culture we are creating.</p>
<p>So, I suspect that’s why I haven’t stopped thinking about Stanford University professor Andrea Lunsford’s five-year examination of college students’ writing in the <a href="http://ssw.stanford.edu/">Stanford Study of Writing</a>.  From 2001 to 2006, she collected 14,672 student writing samples—everything from in-class assignments, formal essays, and journal entries to emails, blog posts, and chat sessions.   What she discovered might surprise you.  The reality is that the most popular technological tools and social media platforms continue to receive plenty of sanctimonious slander—from Facebook’s narcissistic drivel, to PowerPoint’s bullet-point prose, to Twitter’s unintelligible prattle.  But in true train-wreck fashion, we just can’t seem to stop looking.</p>
<p>As many traditional academicians, such as <a href="http://www.nypost.com/p/news/opinion/books/item_4pSUZstfEH2aFkdsqLBEEK">University College of London English professor John Sutherland</a>, have moaned, social media and texting are “dehydrating language into bleak, bald, sad shorthand.” However, the new media guard thinks differently. The truth is that communication is evolving and morphing at breakneck speed, and we are right smack in the middle of the maelstrom. Granted, it’s hard to achieve the perspective needed to make sense of it all.  Professor Lunsford suggests:</p>
<p><strong>“I think we’re in the midst of a literacy revolution the likes of which we haven’t seen since Greek civilization. Technology isn’t killing our ability to write. It’s reviving it—and pushing our literacy in bold new directions.”</strong></p>
<p>The first thing she found is that young people today write far more than any generation before them. That’s because so much socializing happens online, and it almost always involves text. Moreover, they are writing more than any previous generation, ever—in history. They are immersed in a complex, often confounding, new space where writers and their audiences are now enmeshed. “The consumer has become the producer,” says Professor Clay Shirky.  The rules of the game have changed, and communication mores have been <em>literally</em> turned upside down.</p>
<p>Lunsford pins her findings to the pervasive psycho-sociological trends defining our culture. She says, “More than earlier generations, young people today are aware of the precarious nature of our lives. They understand the dangers that await us. Hence, writing is a way to get a sense of power.” Interestingly, comparing the Stanford students&#8217; writing with their peers from the mid-1980s, Lunsford found that the writing of today&#8217;s students is about three times as long—they have “the ability to generate more prose.” I guess expressing ideas about hard things requires hard words. And when grappling with hard things, “I don&#8217;t think it can be worked out in 140 characters,” Lunsford contends. How ironic.</p>
<p>Of all the writing that the Stanford students did, a stunning 38 percent of it took place out of the classroom.  Lunsford calls this “life writing.”  Those Twitter updates and lists of 25 things about yourself add up. The fact that students today almost always write for an audience—a real switch from the prior generation—gives them a different sense of focus and message impact.   It&#8217;s almost as if we are narrating our own lives. In interviews, students defined good prose as something that had an effect on the world. For them, writing is about persuading, organizing, and debating.  It’s about finding a voice and taking a stand—even if it’s a review of the latest movie.</p>
<p>The Stanford students were almost always less enthusiastic about their in-class writing, because it had no audience but the professor.  It didn’t serve any purpose other than to get them a grade.  How about texting those LOLs and emoticons? Are they eroding the sanctity of academic writing?  When Lunsford examined the work of first-year students, she didn’t find a single example of texting speak in an academic paper. </p>
<p>At the end of the day, texting has its time and place. And, there’s the rub. It represents a fascinating dichotomy of communication. It is simultaneously immediate and intimate, yet passive. It finds you any time of the day or night (no matter where you are—except driving, I hope) in the soft, fleshy palm of your hand. But at the same time, it gives you the power to choose when and how you want to respond.  To engage or not to engage—the new &#8220;text-i-quette.&#8221;</p>
<p>Some psychologists warn against this intimate anonymity—that it encourages risky behavior.  Elisabeth Wilkins wrote in <a href="http://www.empoweringparents.com"> a blog post</a>  that “texting can rob our kids of the ability to interact socially”—diminishing the importance of body language and facial expressions.  I think the evolution of email and texting has radically changed the way we communicate and how we express ourselves, but I’m not sure it’s something we can condemn or alter. It simply <strong>is</strong>. It is the new communications behavior and landscape, which is inextricably intertwined with the technological innovation that enables it.</p>
<p>What do you think of texting and the changing patterns of communication? How are they affecting us as human beings?</p>
<p><em>Elaine Gantz Wright writes about social media that makes a difference. Contact her at ewright () publishingconcepts.com</em></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Want Everyone To See Your Credit Card Transactions? Of Course You Do. Meet Blippy.]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/13/want-everyone-to-see-your-credit-card-transactions-of-course-you-do-meet-blippy/</link>
<pubDate>Mon, 14 Dec 2009 03:29:09 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/13/want-everyone-to-see-your-credit-card-transactions-of-course-you-do-meet-blippy/</guid>
<description><![CDATA[As the Internet matures, slowly but surely everything we do in the real world is going social. But t]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>As the Internet matures, slowly but surely everything we do in the real world is going social. But there’s a limit to how much information we can explicitly share on all the various services. A new service, Blippy, launching today in private beta, has an interesting way to take something you do every day, buy things with your credit card, and automatically push those transactions online for others to see and interact with.</p>
<p>Yes, I know this is a controversial idea — that’s part of what makes it potentially a great one. Imagine being able to see everything your friends buy with a credit card as they do it. This not only tells you what kind of things they’re actually into (rather than someone just saying they like something), but also other information like how cheap they are, as well as where they actually are at a given time. There is actually a lot of data tied into the transactions we make, and Blippy takes that and makes it social.</p>
<p>via <a href="http://www.techcrunch.com/2009/12/11/blippy/">Want Everyone To See Your Credit Card Transactions? Of Course You Do. Meet Blippy.</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[May Street Presbyterian Church]]></title>
<link>http://guillaumekorr.wordpress.com/2009/12/13/may-street-presbyterian-church/</link>
<pubDate>Sun, 13 Dec 2009 21:27:40 +0000</pubDate>
<dc:creator>guillaume</dc:creator>
<guid>http://guillaumekorr.wordpress.com/2009/12/13/may-street-presbyterian-church/</guid>
<description><![CDATA[May Street Presbyterian Church May Street Presbyterian Church Belfast.]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><div id="attachment_79" class="wp-caption aligncenter" style="width: 235px"><a href="http://guillaumekorr.wordpress.com/files/2009/12/dec10-09-019.jpg"><img class="size-medium wp-image-79" title="Dec10.09 019" src="http://guillaumekorr.wordpress.com/files/2009/12/dec10-09-019.jpg?w=225" alt="" width="225" height="300" /></a><p class="wp-caption-text">May Street Presbyterian Church</p></div>
<p>May Street Presbyterian Church Belfast.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Infosecurity USA - Firms failing on PCI DSS]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/10/infosecurity-usa-firms-failing-on-pci-dss/</link>
<pubDate>Fri, 11 Dec 2009 00:08:15 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/10/infosecurity-usa-firms-failing-on-pci-dss/</guid>
<description><![CDATA[A huge 81% of organizations that are subject to the Payment Card Industry’s Data Security Standard P]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A huge 81% of organizations that are subject to the Payment Card Industry’s Data Security Standard PCI DSS were found to be non-compliant prior to a data breach, according to a new study.</p>
<p>But according to telco Verizon Business’ Risk team, which published the findings, a “fairly new” threat in the shape of RAM scrapers is increasingly being used by online thieves to bypass PCI DSS rules requiring credit card data to be encrypted anyway.</p>
<p>The company’s 2009 Data Breach Investigations Report found that 74% of security incidents were the result of external attacks. Such events resulted in a huge 285 million records being compromised over the last year &#8211; mainly via online systems.</p>
<p>Only 20% of data breaches were caused by insiders, 32% by business partners and 39% by multiple parties. Some 67% of the incidents occurred because the attacker exploited errors made by the victim, while a further 64% were the result of hacking and 38% of malware.</p>
<p>But in its 2009 Supplemental Report called Anatomy of a Data Breach, Verizon Business also pointed to the rising threat of RAM scrapers.</p>
<p>RAM scrapers work by scouring the volatile random access memory in point-of-sale terminals, which process, store or transmit PINs and other credit card data in unencrypted form. When the program detects such information, it captures it and uploads it to servers that are usually controlled by malicious external sources but sometimes belong to trusted partners.</p>
<p>While the technology has been around for a few years, its usage has now increased to the extent that it came in at number 14 in Verizon’s 15 most common types of security attack. Keylogging and spyware software ranked number one, followed by backdoors and SQL injections.</p>
<p>RAM scrapers are often used in conjunction with other malware such as backdoors and command-and-control programs and have to date mainly been discovered in systems belonging to the retail and hospitality sectors.</p>
<p>via <a href="http://www.infosecurity-us.com/view/5838/firms-failing-on-pci-dss/">Infosecurity USA &#8211; Firms failing on PCI DSS</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Protecting Mobile Data: Just Kill Me Now]]></title>
<link>http://m2grc.com/2009/12/09/protecting-mobile-data-just-kill-me-now/</link>
<pubDate>Thu, 10 Dec 2009 03:54:39 +0000</pubDate>
<dc:creator>m2grc-admin</dc:creator>
<guid>http://m2grc.com/2009/12/09/protecting-mobile-data-just-kill-me-now/</guid>
<description><![CDATA[Today’s smartphones certainly promise more convenience and functionality, but for IT, they promise n]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Today’s smartphones certainly promise more convenience and functionality, but for IT, they promise new nightmares about protecting that data. It’s not merely contact data, but files, slides, traffic history, E-mail records, chat transcripts and almost anything else that can be done on a desktop. Then there’s the Grand Poobah of data protection night terrors: Geolocation.</p>
<p>Geolocation is the phone’s ability to tell any app on the phone—or anyone at all, really—the exact location of the phone virtually every minute it has power. That data is relatively small in size and yet—tied into various other datapoints (especially time and date)—could be monstrously helpful to some while being stunningly destructive to others.</p>
<p>But fear not, IT execs are thinking, there’s no way such data could ever get out to unauthorized places, right?</p>
<p>Read the full <a title="Protecting Mobile Data" href="http://siblog.mcafee.com/risk-compliance/protecting-mobile-data-just-kill-me-now/" target="_blank">Evan Schuman article</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Isolate the CDE]]></title>
<link>http://anitian.wordpress.com/2009/12/08/isolate-the-cde/</link>
<pubDate>Tue, 08 Dec 2009 23:33:32 +0000</pubDate>
<dc:creator>anitian</dc:creator>
<guid>http://anitian.wordpress.com/2009/12/08/isolate-the-cde/</guid>
<description><![CDATA[I just read this is a report I was doing peer review on. The CDE is the &#8220;cardholder data envir]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I just read this in a report I was doing peer review on. The CDE is the &#8220;cardholder data environment.&#8221;  That is the area of the network where payment card data is stored, transmitted, or processed.</p>
<p>It seems like a lot of places still have their payment card systems in the same huge network with everything else. This makes PCI compliance a lot harder. But, invariably everybody asks &#8211; &#8220;what does isolate mean?&#8221;</p>
<p>It realistically means a firewall. Something where traffic is controlled between CDE and the rest of the network. The firewall can be a hardware device (which is best) or ACLs on VLANs (which is okay, but has to be done right) or a host-based firewall (which will pass, but is not preferred.)</p>
<p>Intrusion monitoring, wireless scanning, and other things are required for the CDE as well. Which is why we tend to like the new UTM-style firewalls (like Fortinet) which can offer multiple services in one appliance. They&#8217;re a very cost-effective way to ensure compliance and raise the bar on security.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Note to Self: 2009 Holiday Gift List]]></title>
<link>http://techbuddha.wordpress.com/2009/12/08/note-to-self-2009-holiday-gift-list/</link>
<pubDate>Tue, 08 Dec 2009 00:01:11 +0000</pubDate>
<dc:creator>amritw</dc:creator>
<guid>http://techbuddha.wordpress.com/2009/12/08/note-to-self-2009-holiday-gift-list/</guid>
<description><![CDATA[From Computer World UK (here) Black Friday and Cyber Monday have come and gone. Now it’s time for Am]]></description>
<content:encoded><![CDATA[From Computer World UK (here) Black Friday and Cyber Monday have come and gone. Now it’s time for Am]]></content:encoded>
</item>
<item>
<title><![CDATA[Risk Is Better Than Uncertainty]]></title>
<link>http://m2grc.com/2009/12/07/risk-is-better-than-uncertainty/</link>
<pubDate>Mon, 07 Dec 2009 19:53:33 +0000</pubDate>
<dc:creator>Eric Fredericksen</dc:creator>
<guid>http://m2grc.com/2009/12/07/risk-is-better-than-uncertainty/</guid>
<description><![CDATA[The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want to be working with RISK because the management tools are so much better. However, there is a light at the end of the tunnel. The electronic medium that caused the situation should also help us solve the problem. We just need to keep collecting data, tracking the improvements produced through compliance, and creating new models and metrics.</p>
<p>Read the rest of <a href="http://pttpsystems.com/noisy-brain/2009/12/6/risk-is-better-than-uncertainty.html" target="_blank">Eric Fredericksen&#8217;s blog on Risk vs Uncertainty</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Mall Kiosk PoS Fun]]></title>
<link>http://jpettorino.wordpress.com/2009/12/06/mall-kiosk-pos-fun/</link>
<pubDate>Mon, 07 Dec 2009 05:22:57 +0000</pubDate>
<dc:creator>JeffP</dc:creator>
<guid>http://jpettorino.wordpress.com/2009/12/06/mall-kiosk-pos-fun/</guid>
<description><![CDATA[Shopping in the big swanky mall today, and I was watching the teenagers leaning over the railing loo]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Shopping in the big swanky mall today, and I was watching the teenagers leaning over the railing looking down on the girls walking below them.  Of course, I&#8217;m thinking &#8220;teenage boys with a strategic position to look at teenage girls, uh huh. I remember that.&#8221;  Then I whip out my card to pay for a purchase at a kiosk, and the lady is entering my info into a Web page PoS on a laptop.  Typing in my card number, CVC2, etc.  I look back up at the teenagers and wonder&#8230;&#8221;do they have binoculars? How good is the zoom on that cell-phone camera?&#8221;</p>
<p>Are they checking out the cleavage of the young ladies, or are they shoulder surfing for CC#&#8217;s and PINs?  Very interesting.  And a little scary.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Airborne LiDAR Update]]></title>
<link>http://jasonamadori.com/2009/12/06/airborne-lidar-update/</link>
<pubDate>Sun, 06 Dec 2009 23:12:47 +0000</pubDate>
<dc:creator>eartheyelidar</dc:creator>
<guid>http://jasonamadori.com/2009/12/06/airborne-lidar-update/</guid>
<description><![CDATA[We are operational! Aircraft &#8211; Check! LiDAR &#8211; Check! Aerial Photography Camera &#8211; C]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We are operational!</p>
<p>Aircraft &#8211; Check!</p>
<p>LiDAR &#8211; Check!</p>
<p>Aerial Photography Camera &#8211; Check!</p>
<p>Hyperspectral Camera &#8211; Check!</p>
<div id="attachment_11" class="wp-caption aligncenter" style="width: 310px"><a href="http://eartheyelidar.wordpress.com/files/2009/12/airborne.jpg"><img class="size-medium wp-image-11" title="Airborne LiDAR" src="http://eartheyelidar.wordpress.com/files/2009/12/airborne.jpg?w=300" alt="Avalon Park LiDAR" width="300" height="181" /></a><br />
<p class="wp-caption-text">LiDAR Data Colored by Elevation</p></div>
<p>We&#8217;re operational and have a ton of data in the can and ready for processing.  Our data sets include samples from residential communities to transmission powerlines to unmentionable clients who have some interesting needs!  One of the biggest hurdles has been developing our own viewing software that we can deliver with these large datasets so that our clients can manage their deliverables.  The goal is to build a piece of software that is lightweight and easy to maintain code-wise, while building tools that clients can use to streamline their business processes.</p>
<div id="attachment_12" class="wp-caption aligncenter" style="width: 310px"><a href="http://eartheyelidar.wordpress.com/files/2009/12/aerialphotography.jpg"><img class="size-medium wp-image-12" title="Aerial Photography" src="http://eartheyelidar.wordpress.com/files/2009/12/aerialphotography.jpg?w=300" alt="" width="300" height="186" /></a><p class="wp-caption-text">3&#34;-pixel Aerial Photography</p></div>
<p>Keep watching here for data samples and updates to our software!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Pavement Camera Update]]></title>
<link>http://jasonamadori.com/2009/12/06/mobile-lidar-update/</link>
<pubDate>Sun, 06 Dec 2009 22:55:06 +0000</pubDate>
<dc:creator>eartheyelidar</dc:creator>
<guid>http://jasonamadori.com/2009/12/06/mobile-lidar-update/</guid>
<description><![CDATA[We&#8217;re finishing up on the City of Charlotte&#8217;s pilot pavement data collection project.  T]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We&#8217;re finishing up on the City of Charlotte&#8217;s pilot pavement data collection project.  To date, we have collected Mobile LiDAR, Mobile Video, Ground-Penetrating Radar, Roughness and Rutting data for a 50-mile pilot area.  This was the first go-around for our pavement camera and the results were just &#8220;so-so&#8221;.  We had an issue with one of the laser illuminators, so most of the imagery is tonally whacked, but we can still see what we need to see to assess the pavement condition.</p>
<div id="attachment_4" class="wp-caption aligncenter" style="width: 310px"><a href="http://eartheyelidar.wordpress.com/files/2009/12/pavementcam.jpg"><img class="size-medium wp-image-4" title="PavementCam" src="http://eartheyelidar.wordpress.com/files/2009/12/pavementcam.jpg?w=300" alt="Downward-Facing Pavement Camera" width="300" height="217" /></a><p class="wp-caption-text">Pavement Cam</p></div>
<p>What&#8217;s cool about this is that we can now get a great view of the lane of travel and see the low density cracking because we&#8217;re basically collecting 2mm pixels.  We&#8217;re working on learning how to orthorectify these images so they can be fused with the point cloud to give a real-world representation of the pavement surface that can be viewed in 3d.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The Point-Of-Sale Problem]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/06/the-point-of-sale-problem/</link>
<pubDate>Sun, 06 Dec 2009 20:56:40 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/06/the-point-of-sale-problem/</guid>
<description><![CDATA[Companies take one of three approaches to develop and deploy POS terminals: buy a purpose-built plat]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Companies take one of three approaches to develop and deploy POS terminals: buy a purpose-built platform that usually runs on a proprietary or embedded operating system, use a common PC running Windows and a POS application, or build and deploy a custom-built POS system. They can maintain the POS systems themselves, outsource maintenance and operations, or use some combination of both.</p>
<p>Regardless of the approach they take, business owners typically estimate total cost of ownership based on critical features, deployment, and ongoing support. POS security is usually an afterthought. Yet if a breach occurs, the resulting costs can easily eclipse the price tag for the POS system deployment.</p>
<p>Part of the challenge is that it&#8217;s difficult to calculate how much a breach costs. If your organization loses credit card or personal data, you incur notification, incident response, investigation, and legal costs, along with a PR nightmare, potential customer churn, and possible fines and lawsuits.</p>
<p>via <a href="http://www.informationweek.com/news/global-cio/security/showArticle.jhtml?articleID=222000525">The Point-Of-Sale Problem &#8212; Security &#8212; InformationWeek</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[PCI in Hospitality]]></title>
<link>http://ebs4pos.wordpress.com/2009/12/05/pci-in-hospitality/</link>
<pubDate>Sat, 05 Dec 2009 07:44:26 +0000</pubDate>
<dc:creator>ebs4pos</dc:creator>
<guid>http://ebs4pos.wordpress.com/2009/12/05/pci-in-hospitality/</guid>
<description><![CDATA[PCI in Hospitality Hospitality Technology&#8217;s market update on the hot technologies and trend]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>PCI in Hospitality</p>
<p>Hospitality Technology&#8217;s market update on the hot technologies and trends that are impacting PCI compliance in hotels and restaurants: Topics include the July 1, 2010 deadlines; the straight story on tokenization; PCI-compliant solutions and more.</p>
<p>via <a href="http://www.htmagazine.com/ME2/dirmod.asp?sid=&#38;nm=&#38;type=MultiPublishing&#38;mod=PublishingTitles&#38;mid=3E19674330734FF1BBDA3D67B50C82F1&#38;tier=4&#38;id=C7C404A5B3324CF19E8F475AC759E7EB">PCI in Hospitality &#124; In This Issue &#124; Hospitality Technology: Technology Resource for Restaurant/Lodging Executives</a>.</p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
