Thursday, January 16, 2014

How does a (very) large corporation allow second-rate communication with its customers? Also this confirms that Target had files online that did not involve card transactions.
Target issues apology letter - but includes some awful security advice
A Naked Security reader just emailed us to say, "I received a message from Target about the breach. It talks about customers, and people who shopped at the company's stores, and names me in the breach. But I've never actually shopped at Target."
The concerned reader also pointed out that the statement was published on Target's website back on 13 January 2014, but the email she received only arrived on 16 January 2014.
… It certainly seems, from our reader's confusion, that "guests" (who lost details like name, address and phone number) include people who have had something to do with Target, somewhere, somehow, but who have never actually bought any products there recently, or even at all.
… Secondly, if I were Target, I would not have said this:
Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
If you don't know and trust someone who calls you, why would you trust any phone number or web URL they might give you?

(Related) For my Computer Security students (and my Ethical Hackers) May be a bit too geeky for everyone else.
A First Look at the Target Intrusion, Malware
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
… Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory scraping malware variants.
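For the Computer Security students: the "memory scraping" the article refers to comes down to one thing, reading a POS process's memory and hunting for magnetic-stripe track data before the card application has a chance to clear it. The same pattern match is what a defender runs over a process dump of the POS software to see whether cleartext track data is sitting in RAM at all. The block below is an example added here; it is not code from Krebs's post, from the malware, or from the US-CERT analysis. The memory buffer is constructed, the card numbers in it are the widely published Visa/MasterCard test numbers (Luhn-valid, attached to no real account), and the function names (`scan_memory`, `luhn_ok`, `mask`) are my own.

```python
"""
Track-data scanner over a memory image: the pattern a RAM scraper looks for,
and the pattern a defender should look for in dumps of POS processes.
Constructed sample data only; no real card numbers.
"""
import re
from typing import List, Tuple

# Track 2 as encoded on the stripe:  ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?')
# Track 1, format B:  %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?')


def luhn_ok(pan: str) -> bool:
    """Mod-10 check. Random digit runs in memory match the regexes far too
    often; requiring a valid Luhn digit removes roughly 90% of that noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN (first 6) and last 4 only. A detector that logs full PANs
    simply creates a second copy of the data the scraper was after."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Tuple[int, str, str, str]]:
    """Return (offset, track, masked PAN, expiry YYMM) for every Luhn-valid
    track-1 or track-2 record found in the buffer, ordered by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(), "track2", mask(pan),
                         (m.group(2) + m.group(3)).decode()))
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((m.start(), "track1", mask(pan),
                         (m.group(3) + m.group(4)).decode()))
    return sorted(hits)


# Constructed stand-in for a slice of a POS process's heap: padding, one
# track-1 record, one track-2 record, and one decoy that fails Luhn.
SAMPLE = (
    b"\x00" * 16
    + b"POS.EXE heap junk "
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    + b"\x90" * 7
    + b";5555555555554444=2606101123400000?"
    + b"\xff" * 4
    + b";4111111111111112=2512101?"        # Luhn fails: must not be reported
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, track, pan, exp in scan_memory(SAMPLE):
        print(f"offset=0x{off:06x} {track} pan={pan} exp={exp}")
```

To use it on a real system, feed `scan_memory` a dump of the card-handling process (ProcDump or a similar tool on Windows, `/proc/<pid>/mem` on Linux) taken right after a test swipe; any hit means cleartext track data is resident and a scraper with the same regexes would find it too. Two caveats: the decoy shows why the Luhn check matters, and masking in `mask` is not optional, since the scan output itself is cardholder data under PCI DSS.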

(Related) You'll need a database the size of Facebook (almost) to list everyone that is involved in this breach. If there are other big retailers involved, why not tell customers who they are?
States Probe Neiman Marcus Breach as Bank Sues Target
Neiman Marcus Group Ltd. is being investigated by states including Connecticut and Illinois over the theft of customer credit-card data by hackers, and a bank sued Target Corp. for its data breach during the holiday season.
Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan, whose offices are already leading a multistate investigation into the Target breach, are also looking into the hack of Dallas-based Neiman Marcus, which said on Jan. 10 that some unauthorized purchases may have been made with credit cards.
… Other states involved in the Target probe include Florida, Iowa, Massachusetts and Pennsylvania, spokespersons for those states’ attorneys general confirmed yesterday.
Democratic U.S. Senators Claire McCaskill of Missouri and Jay Rockefeller of West Virginia today made public a letter they sent jointly to Target on Jan. 10 requesting a briefing on the data breach from the retailer’s information security officials.
… Schneiderman said in a statement yesterday that his office’s Consumer Protection Bureau is also looking into reports of security breaches at other retailers and called on those companies, which weren’t identified in the statement, to offer free consumer protections to customers.
Friedman declined in a phone interview to name the other retailers and wouldn’t comment when asked if Neiman Marcus is one of them.


As goes the EU, so goes the world? Would this fly in California?
In a disappointing decision yesterday (Jones v. United Kingdom), the European Court of Human Rights upheld the immunity of states and state officials from civil suits for torture in foreign courts. In doing so, it may have written an obituary for one of the most heralded of all human rights cases: the U.K. House of Lords’ 1999 Pinochet decision, which stripped criminal immunity from Chile’s former head of state for some of the murders and tortures committed during his dictatorship.


Who can protect my Ethical Hackers? Would a neutral party, with enough clout to get anyone's attention, be able to stop this nonsense? Should they contact the “victim” through a lawyer?
Kashmir Hill reports an all-too-common scenario, this one involving security researcher Kristian Erik Hermansen:
1. White-hat hacker discovers vulnerability, tries to notify responsible party.
2. White-hat hacker gets nowhere despite numerous attempts to contact responsible party.
3. White-hat hacker discloses publicly.
4. Responsible party pays attention but is more focused on covering up problem.
5. The FBI threatens the white-hat hacker.
Bah. How many times have I written that every site should have a clearly posted/dedicated number to call or email to report security problems? Maybe if sites took my sage advice, we wouldn’t have so many of these situations.
Read Kash’s report on Forbes.


Interesting way to show that $32.5 million isn't a big deal.
Apple coughs up 7 hours of profit to refund kids' $32.5m app buying spree
… In some cases, a parent could authorize a child's in-app purchase, which was charged to the adult's credit card, and not realize that for the next 15 minutes, further purchases could be made without parental intervention – giving the kid a large window of time to buy plenty of expensive stuff.
… The $32.5m settlement will not hamstring Apple (net income last year: $37bn). Based on the company's financial figures for the year to October 2013, the company raked in sales of $170.9bn. So today's refund payout is worth about 6,000 seconds of Apple's time in terms of annual revenue, or about an hour and forty minutes. Or 7.6 hours of annual profit.


For my Ethical Hackers. Justifying your enormous budget...
Mathematical Model Predicts When Hackers Will Strike
… Researchers at the University of Michigan believe they have calculated the optimum time for a cyber attack.
The model, from student Rumen Iliev and political science professor Robert Axelrod, focuses heavily on timing: Wait until the attack will cause the most destruction, but not too long so that the vulnerability hackers are exploiting has been fixed.
… Though presented from the perspective of the offense—the hacker looking for the best moment to exploit a vulnerability—the findings are equally relevant to those companies and agencies hoping to fend off a future attack.


Okay, maybe not some of the work my Ethical Hackers do, but generally I favor “Public!” (And links to the work on student resumes)
Public vs. Private – Should Student Work Be Public On the Web?
… School administrators, who are rightfully risk-averse, often immediately say that no public posting is allowed. By decree, access to any student work must be limited to only those approved and with passwords.
Teachers, afraid of potential headaches due to students saying something inappropriate, bullying, or not having total control also get nervous about allowing students to publish freely online.
And, I’m very mindful of the fact that the privacy feature built into Edublogs is one of the number one reasons why schools choose our service. My answer to the privacy question isn’t really good for business.
But, when you look at all the benefits that publishing to the web can bring to student learning, the answer is most definitely yes.
No matter the age or experience, we believe that blogs are meant to be public.


I like lists, even though I rarely post about potential legislation.
Jeff Kosseff writes:
From electronic surveillance to healthcare privacy to drones, Congress is planning to consider a wide range of privacy legislation this year. The Edward Snowden leaks about the National Security Agency and the recent data breaches at retailers are likely to keep privacy and data security on the top of many lawmakers’ agendas. After the jump is a summary of twenty pending privacy-related bills to keep an eye on during the remainder of the 113th Congress.
Read more on Covington & Burling Inside Privacy


Quite a list, but for some reason it does not include the hyperlinks.
Cybersecurity: Authoritative Reports and Resources, by Topic
by Sabrina I. Pacifici on January 15, 2014
CRS – Cybersecurity: Authoritative Reports and Resources, by Topic - Rita Tehan, Information Research Specialist, January 9, 2014
“This report provides references to analytical reports on cybersecurity from CRS, other government agencies, trade associations, and interest groups. The reports and related websites are grouped under the following cybersecurity topics:
  • policy overview
  • National Strategy for Trusted Identities in Cyberspace (NSTIC)
  • cloud computing and FedRAMP
  • critical infrastructure
  • cybercrime, data breaches and data security
  • national security, cyber espionage, and cyberwar (including Stuxnet)
  • international efforts
  • education/training/workforce
  • research and development (R&D)
In addition, the report lists selected cybersecurity-related websites for congressional and government agencies, news, international organizations, and organizations or institutions.”
