If you follow me on Twitter or Facebook you’ll have seen me make the following update

just found out our company credit card has been scammed for 17k..thanks a lot scumbags!

We didn’t even know it had happened. The credit card company called over the weekend and the police paid a visit to my business partner to go over the details. They wouldn’t say much but it looks like the card was used online. Since it’s a credit card we are protected against fraud so we’re not liable for the money. It’s still money that someone has lost (i.e the card company!)

This isn’t the first time I’ve experienced card fraud

What frustrates me is that the chip and pin system was brought into effect in 2006 at great expense but it only solves part of the problem

If you order something over the phone or on a website you have to hand over

Name on the card

Card Number

Expiry Date

Card security code (CSC)

That is enough information for anyone to use that credit card – they don’t even need to physically have it in their possession

The telephone transaction is the biggest cause for concern in my opinion as your trusting the person your speaking with to put the card details in their system and not write them down for their own use

So what’s the solution?

That I don’t know. The only thing i can think of is if the credit card itself could generate a one-time password (a-la RSA SecurID or AuthAnvil Tokens)

It would mean you’d physically have to be in possession of the card – though that still wouldn’t help if you had your card stolen

We’ll be more wary of who we’re giving our card details to going forward but in all honesty I don’t think we did anything wrong here

I’m probably not the first person to say this but i’d like to publicly applaud Susan “SBS Diva” Bradley for sharing the full details of her recent security incident

It would have been very easy for her to have attributed the downtime to anything other that what actually happened, flattened the machine and start over - especially since she is so passionate about patching and security

Fortunately for the rest of us she’s shared her experience for the benefit of all – thank you!

Not much elase to say really so go read what happened and think about how your managing your patches!

http://msmvps.com/blogs/bradley/archive/2008/06/24/so-how-did-they-break-in.aspx

http://msmvps.com/blogs/bradley/archive/2008/06/20/point-and-counterpoint.aspx

http://msmvps.com/blogs/bradley/archive/2008/06/19/so-what-happened.aspx

http://msmvps.com/blogs/bradley/archive/2008/06/16/offline-for-a-couple-of-days.aspx

http://msmvps.com/blogs/bradley/archive/2008/06/16/houston-we-have-a-problem.aspx

When it comes to computer security most people are happy to ensure automatic updates is turned or WSUS is configured

Some of us go a little further than that and make sure we’re 100% up-to-date on the latest patches and issues. If Susan’s blog inspires ONE person to rethink their attitude to patching it’s a step in the right direction

 Anyway, last night there were a whole load of security updates on the Microsoft download website.

If you subscribe to the The Microsoft Security Response Center (MSRC) blog you’ll already have had advance warning of this. As i was reading through the January release details they mentioned a blog i hadn’t seen before. It’s quite new and is called the Security Vulnerability Research & Defense blog

The blog goes into detail about the information Microsoft discover when researching vulnerabilities. Ensuring your getting updates from the security response center is probably enough, but if the geek in you wants to know more about HOW software gets compromised take a look.

I find the subject fascinating, even if a lot of it does goes straight over my head!

Fasthosts aren’t having an easy time of it at the moment.

It was discovered in October their user database had been comprised.

They did a couple of things to resolve the problem including getting in touch with their customers to inform them of the problem. At the same time they were asked to change their password to help prevent any further problems

A month later they decided to reset all the passwords of the accounts where the original request had been ignored and sent out new passwords by post (customers are also able to call the support desk, verify their identity and get the password that way)

I’m not a FastHosts customer so hadn’t been particularly following this but what caught my eye was a story on the BBC news site.

The story covers how upset the users of FastHosts where when they had their passwords changed and locked out of their sites while they wait for post to arrive

The reason they are upset is (quote)

“This is causing severe problems for thousands of businesses and is only going to get worse,” said Simon Metcalfe of SDM Insight.

A story on the Times website has some details about customers who are upset at how much business they have lost

This article also says they were informed by post so they can’t even use the “i didn’t get the email” excuse

I’m sorry but i don’t quite get this.

If your website is so critical to your business that when your host has their database hacked you ignore their request to change your password?

Your host then decides to cover your back since you can’t be bothered to protect your “business critical website” (after a month i might add, plenty of time to have done it yourself)

And your upset?

If your a FastHost customer and this situation has annoyed you i’d love to hear why?

Wireless security is something pretty important to us all. Most people understand that we need to make sure we’ve covered to stop other people jumping on the network (which your paying for!)

However most end users / business owners don’t understand what to do to make them the most secure

Why should they understand the difference between WEP and WPA?!

I still don’t understand why wireless equipment still comes with WEP to be honest. If it’s not secure don’t make it an option! Yes I understand that we need to make sure new hardware is compatible with old hardware and I’m hoping as older kit eventually gets replaced WEP will be dropped as an option. Can’t we can make WPA the default option? or have the user go through a couple of “are you really sure?” prompts before enabling WEP

What winds me up is when your given bad advice by people you expect to trust

One of the things i see all the time is recommendations to hide your SSID to help make you more secure

How about this for an example

“Hide your wireless network
You can ‘hide’ your wireless network by hiding your SSID. Your SSID works like a password, so only people that know your SSID can access the network. You’ll be able to find more information on how to do this in the instructions that came with your hardware. Be sure to set an SSID that doesn’t give away any important information, for example, do not include your name or address.”

Hiding your SSID wont do anything to put off a determined thief and in some situations can make it harder for you to use. What makes this even worse is that it likens your SSID to a password! In fairness the advice to not include any personal information is sound

So where did i find that nugget

On the Plusnet website (take a look here) 

A UK based ISP recently taken over by BT. They are advising end-users that this is good security best practise. I have friends and family who are on Plusnet and if i tried to explain to them how best to secure their wireless they could quite simply say

“I was just doing as my ISP told me”

I found a good article by Steve Riley on why hiding your SSID isn’t enough. It also explains why MAC address filtering isn’t that great either

Make sure your using WPA encryption on your wireless network!

Please tell me your not using WEP for your wireless network?

An article over on slashdot reports that the attack to discover WEP keys has been optimised even futher and that a 104-bit key can be discovered using only 40,000 captured packets. Even further the key can then be cracked very quickly (about 3 seconds!) on any modern hardware

The full article is here including a white paper

Interesting is that is mentions further down the page that 256-bit keys are not supported by this method. Even so what excuse is there for not using WPA (or even better WPA2 if your software/hardware supports it) nowadays