EPIC LANKA GROUP
[Slide: collage of overlapping news clippings on card and bank data breaches; the superimposed text is not recoverable from extraction. Fragments that survive mention: malware in the United Nations Galileo logistical system; data thieves breaching credit-card processor CardSystems Solutions, with some 40 million cards affected (ZDNet UK / CNET, 2005-06-17); malware on the servers of the Maine-based Hannaford grocer chain, reported by the Boston Globe with 4.2 million card numbers cited; a T-Mobile systems intrusion (Kevin Poulsen, SecurityFocus); bank employees in Hackensack, N.J. implicated in a conspiracy with 500,000 alleged victims, with Orazio Lembo named as the alleged leader; a call-centre employee in India who sold customer account details; a hacker given a 4-1/2 year jail sentence. Other sources named: News.com, SearchSecurity.com, Reuters, BBC, the Secret Service; datelines run from January 2005 to March 2009.]
Insecure Data at Rest
80% of information theft and frauds are caused by internal users. (IDC)
Insecure Data in Motion
70% - 80% of electronic fraudulent activities are committed by the trusted user. (Gartner)
Losses resulting from internal theft are 500% more costly than external attacks. (FBI report)
Growing list of applications forces users to remember more than 10 different passwords.
Repudiation of Actions
Users deny their actions or involvements.
Today's Concerns in Security....
A PAIN ! (Authentication, Privacy, Authorization, Integrity, Non-repudiation)
• Authentication: be sure you know who you are communicating with
• Privacy: keep secrets secret
• Authorization: ensure users do not exceed their allowed authority
• Integrity (of the Data): be sure nothing is changed behind your back
• Non-repudiation: have the evidence in the event of a dispute
What are the options we have to address these?
The Best Option we have today to address these issues is ... Public/Private Key (PKI) based Digital User Identity.
At least protect your Data in Motion AND authenticate the users with a Digital User Identity.
Main components of PKI
• Public Key
• Private Key
• Security Application
• CA & RA (not necessarily in-house)
• IT Infra (depends)
How to achieve A PAIN….
Use of Digital Signatures/Certificates.
Use of Digitally Signed Event/Operation Logs.
Encrypting Data Communication Channels.
Usage of proper Anti Virus, Anti Spy-ware Tools.
Usage of effective Firewalls.
How to achieve A PAIN….
Manage Users on Applications and Systems.
Usage of Licensed Software with support.
Imposing Application Level Security.
Imposing Web Server Level Security.
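"Use of Digitally Signed Event/Operation Logs" is the measure on the list above that answers the "Repudiation of Actions" concern, so here is an added example of what it looks like in practice. This is my own illustration in Go, not code from the Epic Lanka deck or any product it describes: each log record is hash-linked to the previous one and signed with Ed25519, so a verifier holding only the public key can detect a record that was edited, removed or reordered after the fact. The actor names and actions are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record of the operation log. PrevHash chains it to the record
// before it, so removing or reordering records breaks the chain; Sig covers
// every field, so editing a record after the fact invalidates it.
type Entry struct {
	Seq      int
	Actor    string
	Action   string
	PrevHash []byte
	Sig      []byte
}

// canonical is the exact byte string that is signed and verified; a fixed
// field order keeps both sides agreed on what the signature covers.
func canonical(e *Entry) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Actor, e.Action, hex.EncodeToString(e.PrevHash)))
}

// entryHash is the link the next record commits to: fields plus signature.
func entryHash(e *Entry) []byte {
	h := sha256.Sum256(append(canonical(e), e.Sig...))
	return h[:]
}

// SignedLog appends records signed with the application's logging key.
type SignedLog struct {
	priv    ed25519.PrivateKey
	Entries []*Entry
}

func NewSignedLog(priv ed25519.PrivateKey) *SignedLog { return &SignedLog{priv: priv} }

// Append signs a new record and links it to the previous one.
func (l *SignedLog) Append(actor, action string) {
	prev := make([]byte, sha256.Size) // all-zero link anchors the first record
	if n := len(l.Entries); n > 0 {
		prev = entryHash(l.Entries[n-1])
	}
	e := &Entry{Seq: len(l.Entries), Actor: actor, Action: action, PrevHash: prev}
	e.Sig = ed25519.Sign(l.priv, canonical(e))
	l.Entries = append(l.Entries, e)
}

// Verify needs only the public key, so an auditor with no write access can
// check the log; it reports the first record whose link or signature fails.
func Verify(pub ed25519.PublicKey, entries []*Entry) error {
	prev := make([]byte, sha256.Size)
	for i, e := range entries {
		if e.Seq != i || !bytes.Equal(e.PrevHash, prev) {
			return fmt.Errorf("entry %d: chain broken (record removed, reordered or inserted)", i)
		}
		if !ed25519.Verify(pub, canonical(e), e.Sig) {
			return fmt.Errorf("entry %d: signature invalid (record altered)", i)
		}
		prev = entryHash(e)
	}
	return nil
}

// copyEntries gives the tampering scenarios their own records to modify.
func copyEntries(in []*Entry) []*Entry {
	out := make([]*Entry, len(in))
	for i, e := range in {
		c := *e
		out[i] = &c
	}
	return out
}

// Demo builds a small constructed log of banking operations, then checks that
// the untouched log verifies and that two after-the-fact edits are caught.
func Demo() (cleanOK, editCaught, deleteCaught bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed demo key
	if err != nil {
		return
	}
	lg := NewSignedLog(priv)
	lg.Append("teller42", "view account 1001")
	lg.Append("teller42", "transfer 500 from 1001 to 2002")
	lg.Append("manager7", "approve transfer")
	cleanOK = Verify(pub, lg.Entries) == nil

	// Scenario 1: the amount in record 1 is rewritten after it was signed.
	edited := copyEntries(lg.Entries)
	edited[1].Action = "transfer 5 from 1001 to 2002"
	editCaught = Verify(pub, edited) != nil

	// Scenario 2: the transfer record is removed and the rest renumbered.
	deleted := append(copyEntries(lg.Entries[:1]), copyEntries(lg.Entries[2:])...)
	deleted[1].Seq = 1
	deleteCaught = Verify(pub, deleted) != nil
	return
}

func main() {
	clean, edit, del, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean log verifies=%v, edit caught=%v, deletion caught=%v\n", clean, edit, del)
}
```

The signing key must live somewhere the logged users cannot reach (an HSM, or a separate logging host), otherwise an insider with the key can simply re-sign a rewritten history; the public key alone is enough for auditors and for the evidence a dispute would call for.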
Recommended Steps towards building a
• Discover and Classify the Data.
• Establish consistent Data Protection Policies.
• Educate the Users.
• Roll-out Data Protection Solutions (to protect Data at Rest and Data in Motion).
• Roll-out effective User Identity Management Solutions (Public-Private Keys and Digital IDs).
• Automate Enforcement.
How you think
How I think
Are your Information Systems secured and adequately protected?
Public/Private Key: Encryption + Authentication for Data in Motion
Alice's side:
Plaintext "day off" -> Encrypt with B's public key -> ciphertext (3X7b Mbd0) -> Sign it with A's private key -> signed ciphertext (Uv%r)
Bob's side:
Check the signature with A's public key (Alice OK?) -> Decrypt the message with B's private key -> Plaintext "day off"
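The Alice-to-Bob exchange on this slide, worked through in Go as an added example (not code from the deck or from Epic Lanka): Alice encrypts "day off" to Bob's public key with RSA-OAEP, signs the resulting ciphertext with her private key using RSA-PSS, and Bob checks the signature against Alice's public key before decrypting with his own private key. The key pairs are generated on the fly for the demo; in a deployment they would be issued through the CA/RA listed under the PKI components. The two failure cases (a ciphertext altered in transit, and an envelope signed by someone other than Alice) are constructed to show what the signature check rejects.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels from Alice to Bob: the message encrypted to Bob's
// public key, plus Alice's signature over that ciphertext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal is Alice's side of the slide: encrypt with the recipient's public key
// (RSA-OAEP), then sign the ciphertext with the sender's private key (RSA-PSS).
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, plaintext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open is Bob's side: check the signature against the sender's public key
// first, and only decrypt with the recipient's private key once it verifies.
func Open(env *Envelope, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: envelope rejected before decryption")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
}

// Result reports what Bob observed for the three constructed envelopes.
type Result struct {
	Plaintext        string // recovered from Alice's genuine envelope
	TamperRejected   bool   // ciphertext altered in transit was refused
	ImpostorRejected bool   // envelope signed by someone other than Alice was refused
}

// RoundTrip generates throwaway key pairs for Alice, Bob and a third party
// (constructed for this demo), sends "day off" from Alice to Bob, and probes
// the two failure cases.
func RoundTrip() (Result, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}

	env, err := Seal([]byte("day off"), &bob.PublicKey, alice)
	if err != nil {
		return Result{}, err
	}
	pt, err := Open(env, &alice.PublicKey, bob)
	if err != nil {
		return Result{}, err
	}
	res := Result{Plaintext: string(pt)}

	// Case 1: one ciphertext byte flipped in transit; Alice's signature no longer matches.
	tampered := &Envelope{Ciphertext: append([]byte(nil), env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(tampered, &alice.PublicKey, bob)
	res.TamperRejected = err != nil

	// Case 2: a third party seals a message to Bob with its own key; Bob checks it against Alice's.
	forged, err := Seal([]byte("day off"), &bob.PublicKey, other)
	if err != nil {
		return Result{}, err
	}
	_, err = Open(forged, &alice.PublicKey, bob)
	res.ImpostorRejected = err != nil
	return res, nil
}

func main() {
	res, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Bob read %q; tamper rejected=%v; impostor rejected=%v\n",
		res.Plaintext, res.TamperRejected, res.ImpostorRejected)
}
```

The order follows the slide (encrypt, then sign the ciphertext), and Bob verifies before he decrypts, so an altered or mis-attributed envelope is discarded without ever being run through his private key. RSA-OAEP with SHA-256 and a 2048-bit key can carry at most 190 bytes of plaintext, so anything longer than a short note is handled in practice by encrypting a random symmetric key this way and the message itself with that key.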