Thursday, March 17, 2011

RSA Data Breach and Your Two-Factor Authentication

As we all know, breaches happen. In an open letter to its customers, RSA, the security division of EMC, announced that they had suffered a security breach:

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
I am not going to speculate on anything, but you should be aware of the situation and monitor developments. After RSA's own statement, a good place to go is the Securosis blog which has its own summary of the situation. Since they did a better job than I could, I'll let you read their analysis of the situation and open questions.

Clearly this is no fun for anybody. But if you use RSA 2-factor authentication -- and who doesn't -- it is worth your monitoring developments.

Wednesday, March 16, 2011

Your Campus Hotel is Targeted

If you have a hotel or conference center on your campus, assume it is targeted by criminal hackers who want to get the stash of payment card information they keep.

I've written about this issue before (see here, here, and here). Three major hotel associations issued a joint statement today warning of cybercriminal attacks. Their basic recommendations were:
1. Eliminate EVERY default password on EVERY machine on your network -- server, workstation, router, firewall, and any other device that has a password. The most important machines to check are the ones you think are NOT vulnerable, such as a PC on an engineer's desk for monitoring building systems, or the PC in the parking garage attendant's office, or the one in a closet running your keycard system.

2. Eliminate holes in remote access to systems inside your network.

3. If you don't have a firewall, buy one and install it. If you are connected to the Internet without one, then people you don't know, from around the world and many with malicious intent, are reaching into your network. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day -- equating to one every 39 seconds. If that computer is in your hotel, and if their intent is to steal credit card data, they will probably succeed.
The release also endorses PCI DSS compliance. This is actually pretty smart given their three recommendations are pretty well covered by PCI Requirements: 2.1; 8.3 and 8.5.6; and 1.1 (and all its sub-sections), respectively.

The point is to share this information with your campus hospitality and conference organization. Let them know they are targeted, and to be PCI compliant every day -- not just the one day a year when you do your assessment. If you are not or cannot be PCI compliant today, do your best to protect your network perimeter and at least get rid of a lot of cardholder data that you probably don't need anyway.

Keep in mind the cybercriminals are very smart and well financed. You might also note that as far as I can tell, there are only two kinds of computer systems out there: those that have been breached, and those that are going to be.

Friday, March 11, 2011

Japan Earthquake and Phishing Scams

In the aftermath of the tragic earthquake in Japan, we can anticipate a swarm of fraudulent websites springing up offering video and opportunities to make contributions to victims. This might be a good time to warn everybody of the phishing risks. The bad guys have no morals, and you can expect your users to receive emails and be searching websites for videos.

The SANS Storm Center contains the following warning and advice:

There will probably be some emails scams and malware circulating regarding the recent Japanese earthquake that occurred overnight.

Be aware of:

Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations [1]. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.

Malware: Malware may be advertised as a video report of the event or come under other pretenses.

You might want to alert your users to be particularly vigilant during this period, both at work and at home.

Thursday, March 10, 2011

Vote for NACUBO on PCI Board of Advisors

If your institution is a Participating Organization on the PCI Council, this post is for you. Specifically, I would like to ask you to vote for NACUBO's nominee to the Board, MaryFrances McCourt. Electing MaryFrances would not only add a very qualified professional (to an already impressive Board), it would give Higher Education a voice at the table where PCI decisions are made.

The PCI Council is holding elections for its Board of Advisors. There are nominees from merchants, financial institutions, and vendors. The top vote getters serve a 2-year term. This is why I am asking that, if your institution is a member, you make sure to vote for NACUBO's nominee as your top (and maybe only) choice.

Voting is open now and continues until April 8.

MaryFrances is Treasurer of Indiana University. She is active in industry and professional activities outside of IU, and she has been an active proponent of PCI compliance at IU and in other forums nationwide. Her hands-on experience in achieving PCI compliance in an extremely complex environment (a large university) means she can represent Higher Ed's issues and perspective to the PCI Council. Please understand that while MaryFrances works for IU, as a member of the PCI Board of Advisors she would represent NACUBO and all of Higher Ed, not her institution.

If you are reading this blog and you are not a Higher Ed institution, that means that as a vendor, perhaps, Higher Ed is important to you. May I ask that you please consider voting for MaryFrances and NACUBO as being in both your and your customers' interest?

If your school is a Participating Organization, make sure you vote for NACUBO's nominee. It is in your own self-interest and that of your colleagues at Higher Ed institutions nationwide.