Saturday, 29 August 2009

A knife with my name on it at the airport

The TSA says you can't take knives through airport security. But why would you want to if you can just buy a knife once you're through? I'm usually perfectly happy leaving the TSA humor to Bruce Schneier, but this is too good to pass up: personalized pocket knives for sale past security at SFO. Credit for this find (and photo) to my friend Jeff Piper.

For sale past security at SFO

Posted by bchess at 9:26 PM in Fortify

Wednesday, 19 August 2009

Breaking the Record of Shame

The world recently learned that Albert Gonzalez, a former Secret Service informant, was allegedly involved in breaking the record for the greatest number of credit card numbers stolen in a single operation. According to prosecutors, he did so by stealing 130 million credit and debit card accounts as part of a breach that targeted the card payment processor Heartland Payment Systems and two chain stores: 7-Eleven and Hannaford Brothers. Remarkably, Gonzalez also held the previous record, which he set by allegedly stealing 45 million card numbers in a breach that targeted T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax.

For readers who like to track the play-by-play and not just the statistics, it is now being reported that the hacker behind the Heartland breach broke into the system using a SQL injection attack. Once on the network, he installed malware that contained a backdoor, which had been tested against 20 popular anti-virus programs to make sure it went undetected. Once again, this incident demonstrates that when your code doesn't have security built into it, attackers will find a way to exploit this shortcoming to their great advantage.
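The post names SQL injection as the entry point but says nothing about the code involved. As an added illustration (it is not the post's code and has nothing to do with Heartland's actual systems), the block below shows a login lookup written the way injection exploits it and the parameterized way that closes the hole, run against an in-memory SQLite table seeded with constructed sample rows. The table, column names and "hash" values are all made up for the example.

```python
"""Added example: a user lookup written two ways, the string-splicing form
that SQL injection exploits and the parameterized form that fixes it.
Everything here (table, rows, hash strings) is constructed sample data."""
import sqlite3


def make_db():
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    # Placeholder "hashes": stand-ins for real password hashes, not real ones.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "clerk"),
            ("admin", "hash-of-admin-pw", "administrator"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username, password_hash):
    """Splices caller-supplied strings into the SQL text.

    A quote character in the input ends the string literal early and lets
    the rest of the input be parsed as SQL, changing what the query means.
    """
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone()


def find_user_parameterized(conn, username, password_hash):
    """Keeps the SQL text fixed and passes the values as bind parameters.

    The driver hands the values to the engine separately from the statement,
    so they are only ever compared as data, never parsed as SQL.
    """
    query = (
        "SELECT username, role FROM users WHERE username = ? "
        "AND password_hash = ?"
    )
    return conn.execute(query, (username, password_hash)).fetchone()


def demo():
    """Run both lookups with a normal input and with a quote-bearing input."""
    conn = make_db()
    # A username containing a quote and a SQL comment marker: in the
    # vulnerable query the comment swallows the password check entirely.
    crafted = "admin' --"
    return {
        "legit_vuln": find_user_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "legit_param": find_user_parameterized(conn, "alice", "hash-of-alice-pw"),
        "crafted_vuln": find_user_vulnerable(conn, crafted, "wrong"),
        "crafted_param": find_user_parameterized(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Both functions return the same row for a legitimate username and hash; only the spliced version returns the administrator row for the crafted input, while the parameterized version finds no such user. This structural difference (query text fixed at write time versus assembled from input at run time) is exactly what a static analyzer keys on when it flags injection.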
Posted by mmadou at 1:33 AM in Fortify

Friday, 14 August 2009

DEFCON 2009

As usual, security researchers at Fortify kept up with the latest in hacking by attending the DEFCON conference in Las Vegas. In a lot of ways this year's 17th annual DEFCON felt like a confirmation of our work at Fortify: Topics included advanced SQL injection attacks and other seemingly exotic vulnerabilities, for which the Security Research Group has already built support into one or more of our products. So what was exciting?

In my opinion, the inventive misuses of Firefox plug-ins and the novel Wi-Fishing technique were two of the most interesting talks. On average, users today install Firefox plug-ins as if they were recommended by Mozilla and certified to be secure. Guess what? The plug-ins that were abused had been recommended by Mozilla, but apparently not proven to be secure.

The handful of misuses all exploited design flaws in the add-ons and ranged from password discovery to automatically dialing numbers from Skype. For example, under normal conditions the Skype plug-in recognizes a phone number in a page and shows you a button to dial the number. But what if you could eliminate the user interaction (autodialing) and trick a victim into visiting a malicious page that automatically dials hundreds of charge-for-use phone numbers?

The Wi-Fishing technique is again a simple but clever misuse of the design. Even if you’re a thousand miles away from home, your wifi client may be continuously scanning for network names it has connected to in the past and attempting to connect to them again. The proof-of-concept tool attempts to phish these wifi clients that are searching for common networks they have connected to in the past, such as “wireless” or “linksys”. Once the configuration settings of the network that the device is using to connect are known, a ‘clone’ of the network can be set up. Connecting to the clone makes the clone a man in the middle, which is a perfect setup to sniff passwords, redirect to malicious websites, or phish other personal information from users.

Both of these exploits come down to a question of trust. Wireless networks have always been dangerous to connect to, but as we come to depend on Internet connectivity more and more, our propensity for connecting to potentially untrusted networks is increasing. Be careful! With respect to malicious software from trusted third parties, my personal conclusion is that more and more attackers will take advantage of newly popular trusted but unverified sources of software, such as Firefox plugins and Apple App Store applications. Here at Fortify we're keeping an especially keen eye on this threat because we think software analysis may play a role in preventing some types of malicious software from making it into third-party distribution sites.
Posted by mmadou at 4:15 PM in Fortify

Wednesday, 5 August 2009

Stranger in a Standards Land

It's been three weeks since I joined the CCHIT Advanced Security working group and so far it has been a very educational experience. I’ve been impressed by the amount of knowledge and drive my new colleagues bring to the process, as well as the sheer volume of government regulations, standards and guidelines that we have to contend with. As I spend more time thinking about this initiative, two new points have become apparent:

Certification is Expensive

Developing more secure software is expensive, but that expense actively improves the software. The certification process can also be expensive. Currently, CCHIT tests products by auditing a demonstration of the product following a set of test scripts and reviewing documentation provided by the vendor. When I first looked at this, it did not seem like much, at least in terms of security. However, I’m beginning to realize that the level of organization the process requires and the amount of time qualified professionals must invest to observe demonstrations and review paperwork is immense.

I still believe we need a more rigorous testing process, but I think we also need to consider how to do this in a way that is both economically feasible and actively improves the products. This is easier said than done, but it’s an important thought to keep in mind.

Failure would be Really, Really Bad

This wasn’t an entirely new thought for me – health data has always seemed more valuable than financial data because of its permanence. If someone gets your credit card number, you can cancel your credit card and get a new one. Of course, it isn’t quite that simple, but knowing that your data has been compromised can allow you to prevent future misuse. With health data, the information is about you, not assigned to you.

The part I had not considered is that a failure to handle security and privacy properly could prevent electronic health records from being quickly and widely adopted. While the Obama administration and others believe that electronic records can improve efficiency and accuracy in medicine, many believe they are expensive boondoggles. In short, supporters of electronic health records need to push for stronger security regulations. Without these regulations, we are likely to see a series of public breaches like the ones we've seen in the financial industry, which could prove to be a huge setback for the digitization of health records for decades to come.

Posted by jforsythe at 12:38 PM in Healthcare