Category: Risk Management (Page 4 of 5)

We are Minerals being Mined

It is often said, and it's almost a cliché: personal information is the new currency.

And now, with the news on Facebook and Cambridge Analytica, we are faced with the sort of global privacy crisis we always knew would come. Furthermore, it wasn't as if Cambridge Analytica was a key data broker, trusted partner or premier solutions arm of Facebook. It just developed software to get the data. That's it. 50 million users.

It was as simple as getting an app to use your Facebook login to enter the app, and that's it. We think we are just logging into the app, but we are actually allowing the app to log into our Facebook and take everything. Everything.

But what did we actually expect? Think about it.

Did we expect to have a service like Facebook where we can get information, connect with long-lost friends, advertise our solutions and products, express our opinions on a global platform, create online value, message and chat, have thousands of hours of free access to apps, etc. – FOR FREE?

Unless Zuckerberg has the title 'Saint' in front of his name, that would be a hard sell.

No, Facebook says. You guys agreed to it. The terms of service say so. The ones that are too long for any human to read. The ones they update without letting you know, allowing trickles of liberality in information usage to seep in.

Facebook even contends that developers who have this information from their app cannot “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.” That's pretty kind of them. But in the first place, did Facebook inform users that these apps would be literally stealing the entire bank of information from the users?

It's the sort of finger-pointing you would expect – a phrase here and a sentence there that says, “Hey, we told you we are getting your information, and we told these guys not to share! What can we do if they do share?” But is Facebook collecting excessive details? So in PDPA terms, it's not just about third-party sharing of information; it is about excessive collection.

In any case, I don't think we have a case under the PDPA against Facebook here, as they do not have any systems in Malaysia processing personal information. But the point is that we have wittingly or unwittingly sold our information to Facebook in order to get the services they provide. Same for Google. Same for Apple. Same for Instagram. Same for Pokémon Go.

A great site we always cite in our presentations on PDPA or information privacy to clients is: https://tosdr.org/

Terms of Service; Didn't Read. It's a great site that summarises all the terms of service into human-readable content and rates them according to how cavalier they are with our information. All the big guns are there. Even if a service is not rated, we can look through its terms and get a little more detail on what we are 'paying' them.

Take a look at Google, YouTube and Twitter to start with.

Facebook’s TOS:

  • The copyright license that you grant to Facebook goes beyond the requirements for operating the service. For instance, it includes the right for Facebook to transfer the license or to license it to others on their terms (“sublicense”). Also, the copyright license does not end when you stop using the service unless your content has been deleted by everyone else.
  • This service uses cookies to track you even if you are not interacting with them directly. Amazon, for instance, uses cookies to track your device and serve targeted advertisements on other websites (Amazon Associates, websites using Amazon Checkout). They “obtain certain types of information when your Web browser accesses Amazon.com or advertisements and other content served by or on behalf of Amazon.com on other Web sites”.
  • Facebook automatically shares your information with Bing, Pandora, TripAdvisor, Yelp, Rotten Tomatoes, Clicker, Scribd, and Docs, unless you manually opt out.
  • Your information is used for purposes including: data analysis, testing, service improvement, control of the effectiveness of the personal ads, and location features and services.
  • You must use your legal name publicly on the service. Using a pseudonym or a pen name is not allowed. This can have negative consequences on freedom of expression, especially for people who exercise certain professions or who live in certain countries.
  • Facebook uses cookies, pixels and local storage in order to gather information about you, your device, your browser cache and your use of Facebook. Facebook also uses cookies for advertising purposes.

For years I have advised clients (and also my personal friends and family) to use Facebook with these in view. For family: never post about your current location. Never put photos of your children up online. Never reveal too much about your views and opinions. For work: never give any views on your current work, the time you finish work, the after-work drinks parties, etc. Basically, never give away any relevant information.

Will Facebook still be able to get information? For sure. Every “Like” you click. Every news item you click. Even when you are not on Facebook and you are browsing the web, there are Facebook plugins that can track what you are searching for. Even if you search on Google, whatever you are looking for will eventually appear on Facebook. Data brokers and advertisers trade our information like anything – and what you do on Google surfaces on other social media platforms.

But we know. Services aren't free. Our parents say, “There is no free lunch”, and this is certainly true. But how much do we know about this lunch we are paying for? We might be getting Subway sandwiches, but paying the money for a Burger & Lobster dinner. That, I suppose, is what the world is only now finding out.

For more on our information security services and PDPA services, drop us an email at avantedge@pkfmalaysia.com. The only thing we are collecting from you is whatever you tell us in that email. That's our terms of service!


The SAQ Bs and how they apply to you


We always say SAQ As and Ds get all the glory and attention.

This is because a majority of our SAQ clients are e-commerce companies and therefore they apply SAQ A or A-EP depending on where their credit card information is collected.

However, recently we have been working with a well-known retailer who was told that SAQ D would be the one that applies to them. The SAQ was passed to them by the bank, and the bank insisted that they do SAQ D-Mer.

Now this post is going to assume that you have some working knowledge of what SAQs are in the PCI-DSS world. Self-Assessment Questionnaires are one of the most misunderstood concepts in PCI. They are like Donald Trump's foreign policy and the plot of Interstellar all mashed into one misunderstood mess. Often, because acquirers find it so hard to understand, they just tell all their merchants to go for SAQ D.

Now we have fought for our clients before – where we overturned an acquirer's insistence that one of our e-commerce clients do an SAQ D-Mer, and instead got them to agree that an SAQ A-EP is sufficient. SAQ A-EP = around 140 questions. SAQ D-Mer = around 320 questions. Big difference.

Why is this important? We firmly believe that overdoing PCI is not a good thing. Why? Because our clients have other things to do, and limited time and money to do these. Ideally, sure, everyone should go for Level 1 certification. But the reason the PCI Council created a whole bunch of 'levels' and then types of SAQs is simply that different businesses face different risks. It doesn't make sense for a neighbourhood grocery that accepts 10 cards a month to implement the same million-dollar controls as, say, Tesco or Exxon Mobil. So: don't overdo things, but don't under-do them either.

Back to SAQ Bs. With this client, after talking to them for a few rounds, we found out that:

a) Their credit card terminals are separate, not integrated with their POS machines, and connected to them via USB.

b) The POS machines are all connected back to the branch switch (let's call it the branch switch) and from there back to corporate HQ for reconciliation purposes.

c) However, we found out that the credit card terminals have their own connectivity to their own ethernet switch (let's call it the credit card switch), which connects to an ISDN router and directly to the bank.

This means there are two flows: once the credit card is used on the credit card terminal, the card information is sent out directly via ISDN to the bank. Whatever approval etc. comes back then goes through the USB to update the POS.

The crux here is that NO CREDIT CARD information is ever sent back to the client's environment. Everything goes out through the bank environment, as the credit card switch belongs entirely to the bank. It is only located on the customer premises, but the customer has no access to it, physical or logical.

So began our argument with the acquirer to overturn their SAQ D to SAQ B or B-IP. Let's look at the SAQ B criteria as per the PCI document:

a) Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;

Seems like it. Technically, the question here is whether a credit card terminal connected to a POS machine via USB is considered 'standalone'. Our argument here is yes, as long as no credit card info flows through that USB connection, only approval/decline/transaction dollar amounts etc. Remember that the USB connection connects the terminal to the POS machine (a Windows box). Credit card info flows out the other way, directly to the bank via a circuit-switched technology like ISDN (i.e. dial-out). For the millennials, ISDN used to be the granddaddy of broadband. If you ever lived through the internet connectivity era of normal 14.4 kbps dial-up, ISDN is like what God would send to us out of mercy and grace.

b) The standalone, dial-out terminals are not connected to any other systems within your environment;

Again, the argument here is over 'connected'. What does this mean? Is it only through IP, or is even an RS232 connection considered connected? Our reasoning is that this is a USB connection and no card data flows through this 'connection', and we will use this reasoning once we get to the table with the acquirer.

c) The standalone, dial-out terminals are not connected to the Internet;

No they aren’t. They are on ISDN direct to the acquirer.

d) Your company does not transmit cardholder data over a network (either an internal network or the Internet);

No they don't. In fact, no credit card info is stored, processed or transmitted anywhere in the customer environment. The only thing left is the physical protection of the bank's equipment residing on the customer premises.

e) Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and

They do have some credit card info on paper which they need to protect, but these are manual forms they need to fill out for the refund process. And the process is dictated by the bank.

f) Your company does not store cardholder data in electronic format.

No, of course not.

So you see, except for the tiny word 'connected' in criterion b), our client does meet all the SAQ B criteria. It's really ridiculous to have someone go through the entire SAQ D when they do not have cardholder data in the environment they control. And what if they have 80 branches, each with 10 POS terminals and servers? That would mean 800 systems across all branches come into scope for pentests, internal scans etc.? No wonder I hear some retailers using PCI as a cuss word these days.

So, we don't know how this will be sorted out yet, but we will soon, and perhaps that will constitute another post. For now, if you need any help with your PCI-DSS – SAQ or Level 1 certification – drop us an email at pcidss@pkfmalaysia.com.

Cheers for now!

FREAK Vulnerability on Windows


As we do our penetration testing, we have to keep up to date on some of the latest issues affecting systems out there. SSL seems to get the mother of all shares of vulnerabilities, with Heartbleed, then POODLE, and now FREAK.

FREAK is described in detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204, and is basically a MiTM attack exploiting weak 512-bit keys. It affects OpenSSL, and upgrading to v1.0.2 fixes the flaw.

Basically, if you support weak cipher suites or SSL/TLS RSA-export cipher suites (512-bit keys or weaker), get rid of them.

Resolution: We have always advocated removing weak ciphers. Nobody really understood why, but now there is a vulnerability to include in our report.
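As an added example (not code from the original post or from PKF): a FREAK downgrade shows up on the wire as a ServerHello that selects an RSA_EXPORT suite, so a passive sensor or a pentest tool can flag it by parsing the hello messages. The parser below handles TLS 1.0/1.1-style ClientHello and ServerHello records; the sample records are constructed inline, and the export suite code points are those from the TLS cipher suite registry.

```python
# Added example (not from the original post): flag TLS export cipher suites
# in a captured ClientHello or ServerHello. A server answering with an
# RSA_EXPORT suite is what a FREAK downgrade produces; a ClientHello that
# offers export suites marks a client that would accept such a downgrade.
import struct

# Export-grade suite code points from the TLS 1.0/1.1 cipher suite registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suite code points carried by a TLS handshake record.

    ClientHello (type 1) carries a 2-byte-length list of suites; ServerHello
    (type 2) carries the single suite the server picked. ValueError otherwise.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # body layout: version(2) + random(32) + session_id_len(1) + session_id
    sid_len = body[34]
    pos = 35 + sid_len
    if hs_type == 2:                      # ServerHello: one chosen suite
        return [struct.unpack("!H", body[pos:pos + 2])[0]]
    if hs_type == 1:                      # ClientHello: list of offered suites
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        raw = body[pos + 2:pos + 2 + n]
        return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]
    raise ValueError("not a ClientHello or ServerHello")

def export_suites_in(record: bytes) -> list:
    """Names of export-grade suites present in the hello, empty if none."""
    return [EXPORT_SUITES[s] for s in hello_cipher_suites(record) if s in EXPORT_SUITES]

def build_server_hello(suite: int) -> bytes:
    """Constructed sample: minimal TLS 1.0 ServerHello selecting `suite`."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_client_hello(suites: list) -> bytes:
    """Constructed sample: minimal TLS 1.0 ClientHello offering `suites`."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # 0x002F (TLS_RSA_WITH_AES_128_CBC_SHA) is a normal, non-export choice.
    print(export_suites_in(build_server_hello(0x0003)))   # flagged
    print(export_suites_in(build_server_hello(0x002F)))   # []
    print(export_suites_in(build_client_hello([0x002F, 0x0003, 0x0014])))
```

On a real capture, feed each handshake record from the TLS stream to `export_suites_in` and alert on any non-empty result from a ServerHello.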

If you need some assistance with vulnerability assessment, penetration testing or a security audit to cover FREAK and other vulnerabilities, drop us an email at avantedge@pkfmalaysia.com and we'll get a team to you.

A writeup on the recent FREAK vulnerability.

Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered “Freak” security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned.

News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc's iOS and Mac operating systems, along with Google Inc's Android browser, vulnerable to cyber attacks.

Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the “Freak” vulnerability.

The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.

If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said on Tuesday.

The Washington Post on Tuesday reported that whitehouse.gov and fbi.gov were among the sites vulnerable to these attacks, but that the government had secured them. (wapo.st/18KaxIA)

Security experts said the vulnerability was relatively difficult to exploit because hackers would need to use hours of computer time to crack the encryption before launching an attack.

“I don’t think this is a terribly big issue, but only because you have to have many ducks in a row,” said Ivan Ristic, director of engineering for cybersecurity firm Qualys Inc.

That includes finding a vulnerable web server, breaking the key, finding a vulnerable PC or mobile device, then gaining access to that device.

Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it was investigating the threat and had not yet developed a security update that would automatically protect Windows PC users from the threat.

Apple said it had developed a software update to address the vulnerability, which would be pushed out to customers next week.

Google said it had also developed a patch, which it provided to partners that make and distribute Android devices.

“Freak” stands for Factoring RSA-EXPORT Keys.

– Source: Reuters

Are we a biscuit company?

When our IT consultancy group first joined up with PKF, one of the first things we did was to check if pkf.com.my was available. We had pkfmalaysia.com running already. Unfortunately, this is where things got tricky: pkf.com.my was already taken by a biscuit company. Hence, I suppose, this is where we get a lot of “Are you a biscuit company?” queries. There's nothing much to be done about it, but when pkf.my first became available, we snapped it up and set up forwarding to our main site.

I was speaking to a company that handles domain services last week, over a nice lunch, and one of the things they do is called “Digital Branding”. A simple form of it, in DNS speak, is to ensure that your branding on the net doesn't get devalued by anything that attaches itself to your name. It sounds like a simple service, but it's really a critical one.

When Pope Francis was chosen to lead the 1.2 billion Catholics in our world recently, he was viewed as a breaker of tradition. He asked the crowd to pray for him instead of blessing them. He refused to stand on a podium, and instead stood together with his bishops and cardinals. He tweeted. He started a blog called www.popefrancis.com. Oh wait, that's taken. Popefrancis.org…oh nuts, it's squatted by a blog. Popefrancisi.com? Wait, taken as well. A whole pile of popefrancis names with the top-level domains .uk, .de, .be, .net, .tv, all taken. The good news is that popefrancis.my is available. He should set up his site on our .my domain. It's opportunistic. Sometimes, a $20 investment can get you around $3000 to $5000. Who wouldn't want it?

Or what about the long drama between Nissan Motors and the owner of www.nissan.com? Nissan is actually a Jewish name. In the Bible, there's a reference to Nissan as a month in the Hebrew calendar. If you go to www.nissan.com you can read the drama of how Nissan Motors tried flexing its corporate muscles to bump this guy, who runs a computer shop, off the nissan.com domain. It's a David and Goliath scenario, except the Goliath here is Japanese…who is half French.

So back to digital branding. As we become more and more dependent on the internet as our main source of information, it's important to look at simple stuff like this. The Pope and Nissan dropped the ball. For PKF, I'm just glad that pkf.com.my is a biscuit company and not some sort of porn site.

The Essentials of a Service Level Agreement

At PKF Avant Edge, one of the things we've been asked to do is to provide advisory and implementation on policies and procedures. We find a lot of companies have sound policies governing internal processes, but not so sound policies governing third-party providers. Some have not even heard of a Service Level Agreement (SLA) before, and when asked when the vendor would respond to their IT issues, they blissfully responded, “Maybe tomorrow. Sometimes next week.”

In many cases, the promise of a cheap service provider, whether supporting your network, your servers or devices, or simply IT infrastructure, is enough for the company. As long as they pay RM1000 less a month, that's all that matters. Is it? What if you get crap service? What if the provider is unable to support certain things? What if there are variation orders for additional tasks not provided for?

This is where proper third-party governance comes in. It's invariably a critical process we look at in all our IT audit exercises. There is no use strengthening internally when your dependence on external parties is not properly structured!

What is a Service Level Agreement?

A service level agreement is a contract between a service provider and a customer that specifies what services are being provided by the service provider. The services can be measured, justified and compared against those offered by others providing the same services.

The benefits of SLA:

  1. A proper SLA helps to strengthen communication, so that the parties come to better understand each other's needs, priorities and concerns.
  2. The SLA process facilitates the identification and discussion of expectations. Therefore, the two parties will achieve shared expectations about services and service delivery.
  3. With a shared understanding of needs and priorities, an SLA and the communication process involved help to minimize the number and intensity of conflicts.
  4. An SLA provides a mechanism for periodic review and modification of services, expectations and responsibilities due to changing circumstances.
  5. With the presence of an agreement, an SLA provides a consistent, ongoing and mutually agreed basis for assessing service effectiveness.

The key components of an SLA:

  1. List the exact services being provided, so that the customer will not expect more than the services listed in the SLA.
  2. Let the customer know what they should expect from you and what you expect from them.
  3. The SLA gives customers a timetable that tells them how long it will take the service provider to get back to them via phone call, email or whatever the agreed method is.
  4. Letting the customer know the procedure for any disagreement, and exactly how it is handled, gives the customer peace of mind.
  5. The SLA lets you know when you're expected to pay and, if you don't pay by that time, what the repercussions will be.

Popular metrics used in customer service:

  1. Turnaround Time: the time it takes you to complete any given task.
  2. Time Service Factor: the percentage of calls answered within a defined timeframe.
  3. Average Speed to Answer: self-explanatory, the amount of time it takes for a call to be answered by your customer service agents.
  4. Abandonment Rate: the percentage of calls abandoned while waiting to be answered.

Why do SLAs fail?

  1. Service providers want to create an SLA to suppress customer complaints. Conversely, customers want to use an SLA to beat the service provider whenever service slips.
  2. The process of communicating and building the foundation for a win-win relationship is essential to the success of an SLA. It is much more than just filling in the SLA template. If the relationship is lacking, even the best-written document will be worthless.
  3. Both parties must be involved in the formulation of an SLA. If one party attempts to control the process, members of the other party may resist its provisions even if they might otherwise support them.
  4. A common misconception is that once the SLA document is complete, the job is done. As a result, an SLA that is not managed fails upon implementation.

So please, if you haven't done so, ask yourself: “Did we formalise our relationship with the service provider? Has an NDA been signed? Are proper SLA measurements in place?” Gone are the days of the handshake agreement. We now need proper documentary proof to govern how we run our businesses.


© 2024 PKF AvantEdge
