February 7, 2014
Internet & Technology
Written by Mike Sterling for Canadian Community News
The recent cyber attack on Target stores in the US brought forward the terrible danger that these threats pose. Terrorists and criminals have access to technology that can bring down industries and government installations, if not checked.
How did the Target threat work? Was it an inside or outside job?
Did somebody from the outside gain access? Most probably someone obtained credentials of an outside contractor or Target employee. It may have been through a technology firm that serviced some part of their credit system.
They may not have breached firewalls or discovered thousands of passwords. They might have taken a more direct route by obtaining the key and not directly beating down the door.
The cyber criminal may have installed malware in the Point of Sale (POS) terminal that would gain access to customer information. The malware may have been inserted in the Alpha or Beta software configuration. What is that?
Any computer software system has a chain of testing where they freeze and test software in a version that is known as Beta version X.
Behind the Beta test exists an Alpha version that may be just taking shape. It would include further changes and everything in the Beta too. These Alpha-Beta-Production sequences march ever forward.
Once the Beta version has undergone sufficient testing, it is released by a mass update of ALL the terminals and servers that exist in the company's POS system. To a lesser degree, there can be hardware changes too.
There is a mass download of what now becomes the production version. The malware is distributed to all the sites. Once installed, the malware can be triggered by an event such as a calendar day or other keys. At that time key customer data can be obtained from incoming credit information.
It can also be done by ignoring the distributed POS terminals and instead using the data-gathering program that responds to sales at the POS. This type of invasion is much harder to detect.
The latter case is somewhat easier to hide because the software is more complicated at the server source and can escape detection because of its size and complexity.
Why don't they catch these invasions? That's easy to explain. There are millions of lines of code used in these solutions. There is no overt entry around a firewall. The security software has not seen this before and cannot differentiate good from evil software.
No one author exists for the company software. There are hundreds, if not thousands, of software and hardware modules involved, with hundreds of authors, some never employed by the company in question. No one person knows every part of the software. So a module can exist in hiding over a long period of time and never attract attention.
I've talked to many people about these threats. They seem to not understand them at all. Some are arrogant because of the type of system they use. For example, Apple users are particularly haughty. Yes, Apple has a very serious problem. See or and many, many more
How many of us have opened up our computer or tablet and seen a message that calls for an update from some source? Great care must be exercised in making sure this update is coming from a reliable source, but who really knows?
Even the best security can be compromised. Reliable sources are registered. You will see that in the update notice. The warning of unknown sources should not be ignored, but it is not foolproof at all.
Some updates can come through from, say, QuickTime and install malware on your machine.
Last night I turned on a Galaxy Pad and got a message that the Android operating system was being updated. There was no choice; it just started updating. Even if it asked me, I have no basis for a rational decision. Many times the update has to do with security and should be installed. I'm sure we have all experienced waking up in the morning to an automatic update that took place in the wee hours.
Sometimes a message will come up that asks me to install something. I don't click yes and I don't click no either. I go to the task manager and I delete the entire task. One can never tell. Clicking yes or no can cause trouble. If you are in doubt consult the web site of the software and see if an update has been scheduled.
The other day I watched a US Congressional Hearing on software security issues on C-SPAN.
The government and industry experts were very good in large part. In fact it was the US government who informed Target that they had a big, big problem on December 12, 2013. How they knew that was not mentioned, but you can guess.
I was shocked by one congressman and one congresswoman. One Republican Libertarian from Texas was ignorant beyond belief. His philosophy was apparent. No government is good government.
He called for no government standards and to allow the 'free market' to take care of it. That is, he said:
"If you are worried pay more for your security."
That was his answer! He completely missed the point and I think he came late to the hearing anyway. He does not realize that paying more does not help. We all pay in an indirect way. There was no way for Target to go out and pay more for a magic solution. It's a world-wide problem and has to be considered a threat to everyone.
How could a Target shopper before Christmas pay more for his or her security?
The real experts did NOT want detailed legislative bills on the subject from Congress, but rather they advocated general guidelines. Why? They know that the technology is moving too fast and the solutions will all involve technology and process.
All they wanted from the lawmakers was a go ahead on a set of minimum standards that will evolve to protect the consumers. These they can monitor to achieve good practice standards. They can upgrade them as solutions appear.
For example, outside vendors and software/hardware changes should be process coded just like changes and upgrades to commercial aircraft are at present. All changes and updates to an airliner are chronicled and detailed in process sheets that are constantly audited. These auditors catch 'bad stuff' all the time that has to do with sequencing, process and quality.
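One way such a process-sheet audit could look for a POS release is sketched below. It is an added example, not code from Target or any vendor: it compares the build about to be mass-distributed with the hashes recorded at the Beta freeze and flags any module that was added, changed or removed without an approved change record. The module names, contents and ticket id are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_release(beta_manifest, production_files, change_records):
    """Audit a production build against the tested Beta freeze.
    beta_manifest:    {module path: SHA-256 recorded when Beta was frozen}
    production_files: {module path: bytes about to be mass-distributed}
    change_records:   {module path: {"ticket": id, "approved_sha256": hash}}
    Returns (module path, finding) tuples; an empty list means clean.
    """
    findings = []
    for path, content in sorted(production_files.items()):
        digest = sha256_hex(content)
        if beta_manifest.get(path) == digest:
            continue  # byte-for-byte what was tested
        record = change_records.get(path)
        if record is None:
            kind = "modified" if path in beta_manifest else "added"
            findings.append((path, kind + " after Beta freeze, no change record"))
        elif record["approved_sha256"] != digest:
            findings.append((path, "does not match approved change " + record["ticket"]))
    for path in sorted(set(beta_manifest) - set(production_files)):
        if path not in change_records:
            findings.append((path, "removed after Beta freeze, no change record"))
    return findings

# Constructed sample data: module names, contents and ticket id are hypothetical.
BETA = {
    "pos/checkout.bin": sha256_hex(b"checkout v7"),
    "pos/receipt.bin": sha256_hex(b"receipt v3"),
    "server/collector.bin": sha256_hex(b"collector v12"),
}
PRODUCTION = {
    "pos/checkout.bin": b"checkout v7",                # unchanged since Beta
    "pos/receipt.bin": b"receipt v4",                  # changed, with a record
    "server/collector.bin": b"collector v12 + extra",  # changed, no record
    "pos/helper.bin": b"helper v1",                    # new module, no record
}
CHANGES = {"pos/receipt.bin": {"ticket": "CHG-0001",
                               "approved_sha256": sha256_hex(b"receipt v4")}}

def run_sample():
    return audit_release(BETA, PRODUCTION, CHANGES)

if __name__ == "__main__":
    for path, finding in run_sample():
        print(path + ": " + finding)
```

A check like this only catches changes made after the freeze; code that was already present in the tested Beta still has to be found by review of the change records themselves.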
Big retail firms like Target need a lot of help on their software development methods.
When the congressman from Texas flies back to Dallas, I'm sure he feels better that somebody is paying attention to the changes to the airframe. Maybe not, he was too dumb to consider that. He wore a sneer on his face when he asked questions and ignored answers, not allowing the experts to educate him on the very question he asked.
No matter with the Congressman, the issue is very serious. Good lawmakers world-wide are terrified by the implications. It behooves all legislative bodies to have access to people who understand the threat and its consequences.
What Might Help:
1. Even small municipalities should have access to affordable outside experts who could come in and do an audit and teach best practices for their information technology.
2. Serious jail sentences for malware criminals.