The Hacker Factor Blog

Tomorrow is the big day. Black Friday. The most insane shopping day of the year. (As opposed to the evening before Thanksgiving, when it is crazy to go to the grocery store.)

Black Friday got its name because that is when retailers are supposed to make enough sales to put them in the black for the rest of the year. However, I don't expect sales to be that great this year. Among the things I've noticed:

• Every year there are commercials for door prizes. The first 100 people at JC Penney's will get a plush toy, or the first 300 people at Target will get "valuable coupons". This year? I didn't see a single commercial that specified door prizes for early shoppers. Maybe I was just watching at the wrong time, or maybe I watch the wrong channels, but I just didn't see any.
  
  
• We don't get the newspaper, but every Thanksgiving they deliver one anyway. It's a courtesy paper paid for by the three inches of advertisements and Black Friday bargains. This year? No paper. (And yes, the paper is still being published.)
  
  
• Halloween candy was really expensive this year. In past years, they would drop the prices to encourage sales and they would extend the buying period. This year, the candy showed up late and didn't really drop in price. I view this as a sign of things to come.
  
  
• Holiday music is missing. There is always that one radio station that begins playing non-stop Christmas music before Halloween. This year? Well, it's already Thanksgiving and I haven't heard any Christmas music on the radio. (I counted this as something to be thankful for this Thanksgiving.)

Good Bye Brick and Mortar

Remember the old days when Radio Shack sold radios (and had battery cards), the donut shop sold donuts, and the video store was the only place that carried videos? (Be kind, rewind.)

Today I can buy DVDs everywhere -- Target, Kohl's, the grocery store, and even at the gas station. All of these places also sell digital cameras, radios, and add-ons for your iPod. Electronics are truly mainstream since you can get them just about everywhere.

I think it is this omnipresence of technological availability that might be hurting Black Friday. Every company is competing against everyone else. And while a few die-hard bargain hunters will seek out the absolute cheapest deal, most people will take an average discount at a convenient location. (Then again, I live in a town where 100 people waited in line during a blizzard so that they could get free fast food processed chicken for a year...)

Slipping a Disk

Another trend I've been noticing is much more disturbing. Nearly every electronic device we buy these days contain a CD-ROM. My standalone DVD player had a CD for the computer so you could read the manual -- even though it shipped with a printed copy. My netbook came with a CD-ROM, even though it doesn't have a CD-ROM drive. Heck, even my alarm clock came with a CD-ROM. (Ironically, my iPod Nano was the only thing that didn't include a CD-ROM with it -- go Apple!)

It wouldn't be so bad if these CD-ROM's just contained manuals. Unfortunately, they all contain programs that Windows wants to run. Uh, why does the CD-ROM manual for my DVD player want to install drivers on my computer? It isn't like the DVD player is networked -- there is no connection between the computer and DVD player. The DVD player doesn't even have a network card!

I view this as a huge security risk. The typical user won't know any better. Either out of curiosity or a false sense of requirement, they will put these CD-ROMs into their computers and they will install whatever wants to be installed. Sadly, I visited a friend who's computer contained tons of unnecessary software and crap because he felt a need to put in these unnecessary CD-ROMs. "But I need that!" "Why?" "I don't know! But I need it!"

I suspect that at least one of these unnecessary bits of plastic is what gave his a computer virus.

My advice for this season: If the item you purchased comes with a CD-ROM, try not using it. You might be pleasantly surprised to find that you already have drivers for that scanner, printer, or digital camera. Your new MP3 player may not need drivers and your new home router works fine out of the box. Only put the CD-ROM in the computer if you absolutely cannot get the device to work without installing something off the disk.

Remember: the "U" in USB stands for Universal. Chances are pretty good that any USB device will be supported without special software.

(Of course, if the item you bought is a CD-ROM or DVD, then go ahead and use it.)

Nearly every year some core industry suffers a catastrophic loss.

2005: Insurance. Hurricane Katrina was the worst natural disaster that the insurance industry had ever handled. Over $81 Billion dollars in damages. After that, some insurance companies stopped offering coverage to coastal residents. Rates went up along the entire coastal region so many people could no longer afford coverage.

2007: Economy. The current global economic crisis began.

2008: Banks, Stocks, Homes, and Cars. Bond Insurance companies collapsed. If you invest in AA or AAA bonds today, you're taking a risk. Why? Because the bonds are worth more than the insurance companies behind them. This year also had the housing collapse, massive bank failures, and automobile manufacturer bailouts.

2009. More bank failures and the year is not even half over. However, the big thing right now seems to be the American automobile industry.

Commonalities

There are a few things that all of these failures have in common. They lack transparency, they are overly complicated industries, and they are thoroughly dependent on decades of old technology.

People inside insurance companies had an idea of what was going on, but nobody outside saw it. Banks still are not telling us how they spent their bailout funds. And American car manufactures depended more on their good names than on developing higher mileage and safer vehicles.

For example, when was the last time American cars got higher crash test ratings than foreign vehicles? According to the IIHS's report for "Midsize moderately priced cars, only one of their top six safety picks was American made (Ford), and it gets worse gas mileage than some of the others. According to GreenCar.com, the Ford Fusion gets about 23 MPG while the Honda Accord gets 25 MPG and the Volkswagen Jetta gets 34 MPG. If they are equally safe, then buy the better mileage. And if cost is a factor, then the Jetta costs less than the Fusion (MSRP $17,515 versus $19,270).

And notice how the two failing companies (GM and Chrysler) are not even in the top safety picks.

Trends

Each of these failed industries have another similarity: variable pricing. If two people go into the same insurance agency and ask for the same coverage, they will be given different quotes. Same thing with cars; with the exception of Saturn (which GM recently eliminated), dealerships may give you a ballpark number, but there is no fixed price.

Dealerships also try to add confusion by throwing out other numbers under labels like "cash back", "bonus", "incentive", and "promotion". They use advertising gimmicks like "everything must go!", and "limited time only!" This sense of urgency means many people will not spend time looking closely at the numbers.

Pricing also varies with banks and stock markets purchases. If you want to buy shares of a company or invest in a fund, what price do you pay? Sometimes the price is "at the moment you bought it". Other times it is the closing day price, high for the day, low for the day, weekly average, or something equally nonsensical. Perhaps this is why selling stock requires a "settlement". You really don't know what you're getting, but you'll settle with whatever you get.

Unhealthy Market

Knowing these similarities, we can start to identify trends. A market is likely to fail if (1) it lacks transparency -- you don't know what is really going on, (2) it relies on old technology, (3) it is overly complicated, and (4) it won't give you a straight answer on pricing.

So what's the next market to fail? I think it will be the health care system. I'm expecting big hospital chains to declare bankruptcy, medical centers to close, and people to give up on health insurance. This will send shockwaves through another sector: the pharmaceutical industry.

It's been a few years since I had a physical. While I take my car for regular checkups, I skimp on my own. My insurance is good about covering medicines, but it usually rejects all in-person doctor visits. One would think that the checkup for getting a prescription would be covered along with the drugs, but one would be wrong. Drugs are covered, but my doctor's appointment usually is not. Unless I get taken in by ambulance, I fully expect the visit to be rejected.

Anyway, I recently checked my insurance to see what local hospitals are "in my network". My insurance company's web page directed me to a different company (mentioned in a small logo on my insurance card) who in turn directed me to a third company that listed some local hospitals. I think I know which ones are in my network, but I'm not sure. (Lacks transparency and overly complicated.)

I called a few hospitals to get a quote: how much does a regular annual physical exam cost? None of the hospitals would give me a number. None would even give me an estimate. Every one of them said "it varies". Varies on what? The reply: on whatever code the doctor writes down. I asked if they could give me a ballpark figure -- are we talking $10, $100, $1000? Assume that I have no insurance -- how much can I expect to spend? "It varies." They couldn't rule out $1000 or more for the basic exam.

One hospital actually told me that pricing varies on the topics that I talk to the doctor about. Good! "Do you have a price list for topics?" "No." So... if I say that I have allergies, am I charged more or less than mentioning that I'm coughing up blood? How much does it cost to answer "How are you doing today?"

Can you imagine going into the grocery store and asking "How much is the orange juice?" "It varies." "Varies on what?" "Varies on the code that the checkout clerk types in and the topics you talk about."

As far as I know, the last computer seller that made price determination overly complicated was CompUSA. And they declared bankruptcy, sold the brand to another company, and closed nearly all of their stores.

I'm actually more scared about this unknown pricing than anything the doctor might find. (A tumor the size of a basketball? Oh God! How much is this going to cost?)

Estimating Estimates

When asking for a cost estimate, I understand that some things should be priced "above" a baseline. If my car's 60,000 mile checkup reveals a bad timing belt, I understand that replacing it will be above the basic examination costs. With hospitals, if I need additional tests then it should cost more. However, hospitals should at least be able to give me a baseline price or general ballpark figure.

There are also hidden fees. I have friends who have had various operations -- in patient, out patient, extended stay, etc. The ones who actually looked at their bills each said that there were doctors listed who never came by, or who popped their heads in, saw that the patient was still alive, and left -- 10 seconds max. This could be wide-spread fraud, or it could be legitimate. But most hospitals do not keep detailed enough records to explain why another specialist was needed.

Semi-Transparent Field

In contrast to hospitals, other medical fields are much more direct and transparent. My optometrist and dentist readily provide pricing information when asked. I know how much a basic eye exam costs, I know how much glasses cost, and I even know the price to fill a cavity. I know these prices before I head to the appointment. But a basic blood pressure test at a hospital? No idea -- anywhere from $10 to $1000 or more, depending on what code the doctor writes down and the topics we talk about.

In all fairness, small walk-in clinics also give straight pricing. But these clinics have other problems: I never see the same doctor twice, they're not covered by my insurance, and many doctors are in training. This leads to clinic nicknames like "Doc in a Box" and "Quack Shack". It's fast-food health care.

Low Tech?

So hospitals lack transparency and cannot give even a vague estimate for something simple. And the entire process, from the hospital to insurance, is overly complicated, vague on details, and intentionally confusing. How about old technology?

While making my appointment, the person asked me some questions -- none related to my medical history. During this time, I kept getting placed on hold while the agent checked with her supervisor. It seems that the software was text based and overly complicated. She kept asking her manager about different codes and fields that needed to be filled in.

Text based and code numbers? That's like my insurance company -- but half of their software now has a GUI. (I'd also put my bank in there, but they got rid of their text-based system two years ago.) My optometrist and dentist both use paperless systems with pull-down menus (no code memorization) and intelligent forms. But the local hospitals? They seem to still use text-based entry forms circa Windows95. Sounds like old technology to me... It's enough to make a guy sick.

Every year a core industry fails. I fully expect 2010 to be the year of the hospital.

Last week we saw a number of automobile manufacturers make, what can only be called, the dumbest business decision ever. Chrysler and General Motors both decided to terminate relationships with a large number of their dealers.

I can only watch in awe -- this is the worst decision that they could make. Where will they sell their cars? While online sales are good for many products, Amazon does not sell automobiles.

Location! Location! Location!

In most cities and towns, dealerships are on the main thoroughfares. This gives car dealerships visibility. As you drive by, you see the cars and think about cars. Conscious or subconscious, passing a Saturn dealership makes you gawk at Saturn cars, and BMWs make you think BMWs.

The other way to get visibility is to have most of your cars on the roads. Toyota might be able to get away with closing a few dealerships -- there are plenty of Toyotas on the roads which act as rolling advertisements. However, GM and Chrysler don't have that kind of marketshare. And cutting 25% of their dealerships? That's like moving your TV commercial from Prime Time during House to nighttime during Chelsea Lately.

By closing dealerships, these companies are effectively saying that they don't want people to see their cars. And if someone can see them on the road, there won't be a convenient location to testdrive or purchase.

Closing dealerships when you cannot make revenue is the same mentality used by corporations who prefer to hoard funds and layoff staff rather than reinvest in future technologies. (Was Carly Fiorina involved in the automaker's decision process?) Instead of selling cars at cost to recoup losses and build market share, they are closing their stores and ostracizing their partners.

Closing dealerships leads to other problems as well... What about repairs? If your Buick LaCrosse (a GM car) has engine problems after 2010, what do you do? Will you have a local authorized dealer? Will replacement supplies be genuine or dangerous second-hand parts?

Broken

Then again, are repair warranties even worth anything?

A friend of mine is a Ford retiree. He has vowed to never support Ford again. He bought a golden warranty with his last Ford. A few months ago (well within the warranty period) he had a problem with the car's computer. Turns out, Ford had issued a notice to dealerships about a bad washer near the computer, but never issued a recall. And that's what failed in this case. Even with the extended warranty and notice from Ford, the local Ford dealership refused to fix the car.

My friend consulted an attorney who said that they could easily win this in court. However, it isn't worth the battle. For the first time in his life, this Ford retiree just bought a non-Ford: a Toyota Prius -- and he will never go back.

And remember: Ford is one of the "good" car companies. They didn't need bailout money. But if Ford isn't honoring warranties, then you just know that other manufacturers are making similar anti-customer decisions... assuming you can still find a dealer.

The few dealers that will remain will be in an excellent position. If GM or Chrysler ever try to get back in the game, it will be on the dealer's terms. The dealers will say what they want and how many. They will direct manufacturing. (As Homer said, "I want a horn here, here, here, and here. You can never find a horn when your mad.") And if the car manufacturer cannot provide it, then the dealer will go elsewhere. Product loyalty is gone.

Lemon Law

It is clear to me that GM and Chrysler are about to vanish off the face of the Earth. Believing this, I must wonder: what about the bailout? As taxpayers, we already gave Chrysler $4 Billion and GM got $13.4 Billion. That's like $130 per US taxpayer (or four tanks of gas if you drive one of their cars). If they go out of business, will we get our money back?

I always wonder when groups remove useful functionality...

The LinkedIn social network offers topic-specific groups. This way, you can meet people with similar interests. Groups have their own discussion forums, where you can discuss topics relevant to the group members.

One group is the "Payment Card Industry Network". The group's description says:

Payment Card Industry (PCI) Network with over +5,000 LinkedIn members. Group website and mailinglist will be coming soon. PCI DSS, PA-DSS, QSA, PA-QSA, PABP Credit Card discussion.

Notice how the description says "discussion". The discussion forum for this group is disabled. Now, with LinkedIn, the discussion forums are enabled by default -- it takes a conscious effort to disable it.

Discussing PCI

There are many PCI discussion forums on LinkedIn. A few examples include the "PCI DSS FORUM", "PCI DSS Compliance Specialist", "PCI Europe", "Point Of Sale Professionals", and "PCI DSS Network Professionals". However, the largest of these groups (the "Payment Card Industry Network" -- which has more members than all of the other groups combined) does not want discussions.

Although I have not read the discussions on all of these other PCI groups, the ones I have looked at are mainly people asking for solutions. These range from help-wanted ("Looking for Sales Reps...") to recommendations (e.g., has anyone used gift cards with a particular system?).

The most technical questions have actually been in non-PCI forums, such as this one from the "Information Security Community" group. (Full disclosure: I left this group because most of the postings were off-topic and recruiter want-ads. This was one of the few technical security-related postings.)

On 11/21/08 4:41 PM, Rey Morgan asked:
QSA'S-Deadlines & PCI Compliance

Do we have enought QAS'S at the moment? What other alternative we have to be PCI compliant? In the US deadlines are due for type 1-2-3-4...Whats next?

---

On 11/21/08 9:05 PM, Neal Krawetz wrote:
Hi Rey,

You asked two really important questions:
"Do we have enought QAS'S at the moment?"
"What other alternative we have to be PCI compliant?"

From my viewpoint, the biggest issue is not "what else needs to be done to become PCI compliant?" The bigger questions are (1) why are companies having trouble achieving compliance and (2) why are they stopping with the minimum?

(Time to rant...)

The PCI DSS gives a vague and mostly trivial list of requirements. The list has plenty of holes and even some areas with very bad advice. However, it is better than nothing. Sadly, this is a baby step and even with the updates from 1.0 to 1.1 to 1.2, there is still no serious meat to this requirement. Companies that struggle to achieve even this minimalistic checklist should reconsider being in business. (If they don't have the common sense to change default passwords and use anti-virus programs, then I seriously question their business sense.)

The only thing that bothers me more than this race to the bottom is the total lack of interest in going beyond the minimum. "We have logs!" check! "We have AV!" check! Most legal teams seem to view the PCI DSS as marketing views a feature list: if they can check it off, then they are happy. There is no interest in actually protecting data.

The PCI PED is tougher and more detailed than the PCI DSS, but it has a more limited focus (entry devices only). And unlike the DSS, you can buy a solution that is PED compliant. (Parts of solutions can claim DSS compliance, but it is the glue between the parts that remains vulnerable.)

I'm impressed by your question about alternatives. Visa's Payment Application Best Practices (PABP) and PA-DSS are starts for going above and beyond the PCI DSS. And MasterCard has their Site Data Protection (SDP) program. However, I seriously question any program that primarily relies on self-assessments.

(Stepping off the soapbox...)

Consider reviewing documents such as the OWASP for software development (especially for anything publicly accessible), and various guides for hardening Linux, Unix, Windows, and networking. I guarantee that if you follow these detailed checklists then you will be PCI DSS compliant and far, far above the minimum.

Also, if your security team is operating at or near 100% reactive, then consider freeing resources (or allocating new resources) to work on proactive security measures. I've found that a little proactive security can significantly lower reactive requirements.

In any case, don't wait around patting yourself on the back for achieving PCI DSS compliance. And don't sit waiting for the next update to the required compliance list. Anyone who thinks that PCI compliance means "security" is kidding himself.

While this had the potential to become a great discussion, nobody else responded. I'm guessing that it got buried under the spam noise from the recruiters in the Information Security Community forum. It would have been a better topic in a PCI-specific group, but none of those groups are discussing technical details.

Back to Topic

Last week I received a very nice inquiry about some of the fundamental problems with PCI compliance. I had actually started a paper on this about a year ago -- kind of a follow-up to my Point-of-Sale Vulnerabilities paper. However, I stopped writing it due to work overload.

While I am still overloaded, the recent compromises at Heartland and RBS Worldpay are directly addressed by the already-written text. Since there are no forums openly discussing these problems, perhaps it is time to restart work on the paper... (Anyone want to fund this effort?)

Earlier this week I had the pleasure of hearing Frank Abagnale speak at the Fort Collin's Lincoln Center. The presentation was impressive -- if you have the opportunity to hear him, I strongly recommend it.

The talk wasn't one of his normal topics... Usually his presentations are on fraud, counterfeiting, laundering, or scams based on social engineering. And make no mistake, he is definitely an expert on these topics.

Instead, the presentation was about himself. Frank Abagnale: 16-year-old runaway turned professional scam artist and counterfeiter. In five years he managed to scam 2.5 million dollars in 26 countries. (And this was back in the 1960's, when 2.5 million was much more than it is today. With inflation, that would be like $15 million today.)

Frank was only arrested once, in France. He served jail time in France, Sweden, and the United States, before making a deal to work for the FBI. Frank repeatedly stated that he has been with the FBI now for 35 years, 30 years beyond his parole requirement.

His Life

According to Frank, his biography, Catch Me If You Can, and subsequent movie (same title) are mostly accurate. The movie, directed by Steven Spielberg and starring Leonardo DiCaprio, took some basic liberties -- but that is expected with movies. The main differences between the movie and reality? The French jail in the movie was much nicer than the windowless pit with no lights and nothing but a hole in the ground for toilet. (The book captures this much better. If you're going to do jail time, don't do it in France.) He said he entered the jail weighing 190 pounds and left six months later weighing 109.

Another difference was his relationship with his parents. They never told him that they were getting a divorce. Instead, he learned this when he was called to "Family Court" and asked by the judge which parent he wanted to stay with. That's it -- the first time he learned of their divorce was from the judge. He ran out of the courtroom. He didn't see his mother again for seven years; he never saw his father again.

Oh, and he didn't slip away from the FBI by escaping the airplane through the lavatory. He went out through the galley.

Creative Scams

After his presentation, he opened it up to questions from the audience. The best one asked about the most interesting cases he has worked on. Enron, WorldCom, Tyco -- he's investigated all of the big financial scandals. He said that he always marvels at creativity. Frank managed to do what he did strictly because nobody had thought that way before. The same goes for modern scams. The best ones are where scammers think differently.

The most creative case that he discussed was a scam by two brothers who needed a summer job. They registered a DBA (doing business as -- a legal alias), then sent out advertisements: Get the 10 best nude videos for $49.95 -- a $200 value! Anyone who wrote in received back a letter saying that they were sold out so their $49.95 was being refunded.

If anyone cashed the check, they would have received their refund. The checks were good. But nobody cashed them. Why? The DBA was printed in big red ink at the top of the check: "Child Porn Videos". I guess that the buyers were too embarrassed to cash the check.

The postmaster general wanted to get them on mail fraud, but it seems that the brothers had actually mailed out one set of videos. Thus, not a fraud. And the checks were good, and the DBA was real and done legally. The brothers just played on the embarrassment factor, and correctly assumed that nobody would cash the checks. The brothers got off free.

(As I recall, Pablo Picasso was also fond of writing checks. As a famous artist, his signature was worth more than the check so few people cashed them.)

A Few Surprises

The presentation included a few surprises.

First, Frank said that paying with a check is just asking for fraud. The person has your name, address, signature, and account number. You don't even know who holds the check. It could be the cashier, manager, anyone with access to the storage warehouse, bank employee, shredder person, etc. Anyone along the line can steal your identity. Frank never uses checks.

Instead, use a credit card. The credit bureau acts as a buffer between yourself and fraud. "I'm not spending my money, I'm spending the credit company's money," Frank said. The key is to keep and maintain good credit.

Frank also reiterated one of my own warnings: don't use a debit card. They act like a check and not a credit card; if it gets stolen, then the thief has direct access to your account. Even if the bank tells you that you're protected, it just isn't true. Stay away from debit cards -- only use credit cards.

The second surprise came in response to a question about the proposed national ID card. He said it is a waste. The United States has one of the most sophisticated passports in the world -- with many things not made public. If we need a national ID, then why not just require everyone to have a passport? More types of redundant IDs just increases the opportunity for identity theft.

While I agree that the national ID card system (proposed in both the US and UK) are wasted efforts, I found it odd that he would praise the passport system as something so hard to counterfeit. New passports have RFID chips. These chips can be scanned from quite a distance, possibly permitting remote identity theft and definitely opening other attack vectors.

Oh, Frank also says that passports cost $5 to make. So why is a non-profit government organization charging $100?

Back Talk

I've heard many "bad guy turned good guy" speak. I left one of Kevin Mitnick's talks feeling uneasy. He seems to buy into his own mythos and thinks his punishment did not match his crime. (Dude, you accepted a plea bargain. Thus, no trial. And when you're in jail, they can put you wherever they want. If you think solitary confinement for months was bad, just remember Ed Cummings (aka "Bernie S.") -- he had his teeth kicked in by the regular inmates.)

In contrast to Mitnick, Bernie S., and others, I found Frank Abagnale to be honest, sincere, and he actually said that he still feels remorseful. And unlike the people on the 2600 radio show, he does not advocate breaking the law. (I would fully trust Frank... if he didn't work for the FBI -- an organization that I think is myopic and paranoid.)