Tuesday, March 11, 2014
I'm sure Target would like everyone to believe the attack was overwhelmingly superior to any possible defense. I've never seen one that truly was...
Security firm report says Target data hack was low tech
The U.S. Secret Service has called the criminals behind Target Corp.’s monster security breach well-organized, “highly technical” and “sophisticated.”
But cybersecurity firm McAfee Inc. said in a report out Monday that the heist was anything but exotic, describing the attack as a Breach 101 operation.
The thieves used easily modified off-the-shelf malware, common methods to hide the malware inside Target’s point of sale system and didn’t encrypt either the instructions on where to send the stolen card data or the card information itself as it was being transmitted out of Target to a remote server, a data stream that should have been detected and caught,
… “As an attack, it is extremely unimpressive and unremarkable.”
… McAfee’s report, however, paints a picture of a run-of-the-mill attack.
The BlackPOS-based malware may have been customized for Target’s systems, but it was “far from ‘advanced,’” it said: “The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”
The methods the thugs used to hide the malware on Target’s system were nothing new either, it said, calling it “standard practice” for criminals to evade the anti-malware and controls companies use for protection.
Thieves can easily get software online to test a company’s defenses and evade them, it said. [Security teams can use these tools too! Bob]
… The report names multiple retailers that suffered point of sale attacks in 2013 including Neiman Marcus, Michaels Stores, hotel manager White Lodging Services Corp., Harbor Freight Tools, Easton-Bell Sports and sandwich chain ’Wichcraft.
“Probably the biggest issue in this attack is that they lacked the situational awareness to identify anomalous occurrence in their environment,” Walter said. [Translation: They were not adequately monitoring their systems. Bob]
[The report is here: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2013.pdf ]
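The unencrypted outbound card data the report describes is exactly the kind of thing a monitoring team can look for. As an added example (not from the McAfee report or this post), here is a small Python check that scans constructed outbound-flow records from a POS segment for cleartext PANs that pass the Luhn check, track-2-style layouts, and destinations outside an allow-list; the host names, addresses and allow-list are assumptions.

```python
import re

# Constructed sample of outbound-connection records from a POS segment:
# (timestamp, source host, destination, first bytes of payload).
# All values are made up for illustration, not taken from the report.
SAMPLE_FLOWS = [
    ("2014-03-11T02:14:05", "pos-lane-07", "10.10.5.20:445",
     "\\\\fileshare\\drop\\4111111111111111=14121010000000000000"),
    ("2014-03-11T02:14:06", "pos-lane-07", "10.10.5.20:445",
     "4012888888881881=15061011234567890123"),
    ("2014-03-11T02:15:10", "pos-lane-07", "10.10.5.30:443",
     "GET /update?id=12345678901234 HTTP/1.1"),
    ("2014-03-11T02:16:01", "pos-lane-03", "10.10.9.9:80",
     "POST /sync HTTP/1.1 body=ok"),
]

# Destinations that legitimately receive POS traffic (assumed allow-list).
EXPECTED_DESTINATIONS = {"10.10.9.9:80"}

# A run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2-like layout: PAN, '=' separator, YYMM expiry, service code, data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})\d{3,}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(payload: str) -> list:
    """Return PAN-like values in a cleartext payload that pass Luhn."""
    return [p for p in PAN_RE.findall(payload) if luhn_ok(p)]


def flag_flows(flows, expected=EXPECTED_DESTINATIONS):
    """Return one alert dict per flow carrying cleartext card data."""
    alerts = []
    for ts, src, dst, payload in flows:
        pans = find_card_data(payload)
        if not pans:
            continue
        reasons = ["cleartext PAN"]
        if TRACK2_RE.search(payload):
            reasons.append("track-2 layout")
        if dst not in expected:
            reasons.append("unexpected destination")
        alerts.append({"ts": ts, "src": src, "dst": dst,
                       "pans": len(pans), "reasons": reasons})
    return alerts
```

On the sample above only the two SMB flows to 10.10.5.20 are flagged; the 14-digit request id fails Luhn and is ignored.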
Simply harassment, or the first shot in a true CyberWar? (How can you tell?)
Ukraine's Computers Targeted by Powerful Malware: Experts
Dozens of computer networks in Ukraine have been infected by an aggressive new cyber weapon called Snake, according to expert analysis.
The cyber weapon has been increasingly used since the start of this year, even before protests that led to the overthrow of president Viktor Yanukovych, British-based BAE Systems said in a report published Friday.
… Although its origins are unclear, its developers appear to operate it in the same timezone as Moscow -- GMT plus four hours -- and some Russian text is embedded into the code, BAE says.
If you are into that kind of stuff...
Watch Edward Snowden talk at the SXSW in a rare public appearance
Are drones so radical that the government can't figure out what to do?
A federal judge has ruled that commercial drones are legal, stating that the Federal Aviation Administration has not issued an enforceable regulatory rule that governs commercial drone operation. The FAA plans to appeal the decision. In 2012, Congress told the Agency to implement a plan to integrate drones into the National Airspace by 2015. Shortly after, EPIC joined by over 100 other organizations, experts, and members of the public petitioned the FAA to address privacy as part of the integration. As a result, the Agency published a notice with proposed privacy requirements for drone operators. EPIC submitted comments in response to the notice, urging the Agency to mandate minimum privacy standards for drone operators. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. Several states have passed drone privacy laws and bills are also pending in Congress. For more information, see EPIC: Domestic Drones.
Nicer than an email... Perhaps my students should write Apps for other platforms.
Sick Of eCards? Send Real Cards With Ink By Sincerely
With Ink, the Android app from Sincerely, sending cards to your loved ones is simple and easy. And not those boring old e-cards, but actual physical cards. (It’s true, they still exist!)
There are many apps out there for sending virtual cards, but Ink takes that to another level by actually printing out a physical card for the user and mailing it. It’s as simple as it gets, and it only costs $1.99 per card, less than you would otherwise pay for a card and stamps.
Something to hang over my desktop.