How does a (very) large
corporation allow second-rate communication with its customers? Also,
this confirms that Target had files online that did not involve card
transactions.
Target
issues apology letter - but includes some awful security advice
A Naked Security reader
just emailed us to say, "I received a message from Target about
the
breach. It talks about customers, and people who shopped at the
company's stores, and names me in the breach. But I've never
actually shopped at Target."
The concerned reader
also pointed out that the statement was published
on Target's website back on 13 January 2014, but the email she
received only arrived on 16 January 2014.
… It certainly
seems, from our reader's confusion, that "guests" (who lost
details like name, address and phone number) include people who have
had something to do with Target, somewhere, somehow, but who
have never actually bought
any products there recently, or even at all.
… Secondly, if I
were Target, I would not have said this:
Never
share information with anyone over the phone, email or text, even if
they claim to be someone you know or do business with. Instead,
ask for a call-back number.
If you don't know and
trust someone who calls you, why would you trust any phone number or
web URL they might give you?
(Related) For my
Computer Security students (and my Ethical Hackers) May be a bit too
geeky for everyone else.
A
First Look at the Target Intrusion, Malware
Last weekend, Target
finally disclosed at least one cause of the massive data breach that
exposed personal and financial information on more than 110 million
customers: Malicious software that infected point-of-sale systems at
Target checkout counters. Today’s post includes new information
about the malware apparently used in the attack, according to two
sources with knowledge of the matter.
… Armed with this
information, thieves can create
cloned copies of the cards and use them to shop in stores for
high-priced merchandise. Earlier this month, US-CERT issued a
detailed analysis of several common memory-scraping malware
variants.
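The memory-scraping malware mentioned above works by reading the memory of the POS process and pattern-matching the magnetic-stripe track data that sits there in the clear between the card swipe and encryption. The following is an added example (not code from the page, from Krebs, or from the US-CERT analysis it cites) showing that pattern match and the Luhn check that separates real PANs from other digit runs. A defender runs exactly the same logic over a memory dump or a network capture to confirm whether card data was exposed. The memory buffer is constructed for the example; the card numbers in it are the standard industry test numbers, not real accounts.

```python
import re

# Constructed stand-in for a chunk of POS process memory. A real scraper
# obtains this with ReadProcessMemory (or /proc/<pid>/mem); a responder
# gets it from a memory image. The PANs are standard test numbers.
SAMPLE_MEMORY = (
    b"\x00\x00receipt#4471 total=19.99\x00"
    b";4111111111111111=25121011000012345678?\x00\x00"   # Track 2 record
    b"%B5555555555554444^DOE/JANE^2512101?\x00"           # Track 1 record
    b";1234567890123456=2512101?\x00"                     # looks like Track 2, fails Luhn
    b"garbage 9999\x00"
)

# Track 2: ';' PAN(13-19 digits) '=' YYMM service-code/discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM ... '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that match the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid track records found in buf, ordered by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({
                "track": 2,
                "pan": mask_pan(pan),
                "expiry": f"{m.group(2).decode()}/{m.group(3).decode()}",
                "offset": m.start(),
            })
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({
                "track": 1,
                "pan": mask_pan(pan),
                "name": m.group(2).decode(errors="replace"),
                "expiry": f"{m.group(3).decode()}/{m.group(4).decode()}",
                "offset": m.start(),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Two of the three candidate records survive: the third has the right shape but fails Luhn, which is why scrapers and DLP scanners alike apply the checksum after the regex. The scraper ships the raw tracks out; the responder keeps only the masked form shown here.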
(Related) You'll need
a database the size of Facebook (almost) to list everyone that is
involved in this breach. If there are other big retailers involved,
why not tell customers who they are?
States
Probe Neiman Marcus Breach as Bank Sues Target
Neiman Marcus Group
Ltd. is being investigated by states including Connecticut and
Illinois over the theft of customer credit-card data by hackers, and
a bank sued Target Corp. for its data breach during the holiday
season.
Connecticut Attorney
General George Jepsen and Illinois Attorney General Lisa Madigan,
whose offices are already leading a multistate investigation in the
Target breach, are also looking into the hack of Dallas-based Neiman
Marcus, which said on Jan. 10 that some unauthorized purchases may
have been made with credit cards.
… Other states
involved in the Target probe include Florida, Iowa, Massachusetts and
Pennsylvania, spokespersons for those states’ attorneys general
confirmed yesterday.
Democratic U.S.
Senators Claire McCaskill of Missouri and Jay Rockefeller of West
Virginia today made public a letter they sent jointly to Target on
Jan. 10 requesting a briefing on the data breach from the retailer’s
information security officials.
… Schneiderman said
in a statement yesterday that his office’s Consumer Protection
Bureau is also looking into reports of security breaches at other
retailers and called on those companies, which weren’t identified
in the statement, to offer free consumer protections to customers.
Friedman declined in a
phone interview to name the other retailers and wouldn’t comment
when asked if Neiman Marcus is one of them.
As goes the EU, so goes
the world? Would this fly in California?
In a disappointing
decision
yesterday (Jones v. United Kingdom), the European Court of
Human Rights upheld the immunity of states and state officials from
civil suits for torture in foreign courts. In doing so, it may have
written an obituary for one of the most heralded of all human rights
cases: the U.K. House of Lords’ 1999 Pinochet
decision, which stripped criminal immunity from Chile’s former
head of state for some of the murders and tortures committed during
his dictatorship.
Who can protect my
Ethical Hackers? Would a neutral party, with enough clout to get
anyone's attention, be able to stop this nonsense? Should they
contact the “victim” through a lawyer?
Kashmir Hill reports an
all-too-common scenario, this one involving security researcher
Kristian Erik Hermansen:
1. White-hat hacker discovers vulnerability, tries to notify responsible party.
2. White-hat hacker gets nowhere despite numerous attempts to contact responsible party.
3. White-hat hacker discloses publicly.
4. Responsible party pays attention but is more focused on covering up problem.
5. The FBI threatens the white-hat hacker.
Bah. How many times
have I written that every site should have a clearly posted/dedicated
number to call or email to report security problems? Maybe if sites
took my sage advice, we wouldn’t have so many of these situations.
Read Kash’s report on
Forbes.
Interesting way to show
that $32.5 million isn't a big deal.
Apple
coughs up 7 hours of profit to refund kids' $32.5m app buying spree
… In some cases, a
parent could authorize a child's in-app purchase, which was charged
to the adult's credit card, and not realize that for the next 15
minutes, further purchases could be made without parental
intervention – giving the kid a large window of time to buy plenty
of expensive stuff.
… The $32.5m
settlement will not hamstring Apple (net income last year: $37bn).
Based on the company's financial
figures for the year to October 2013, the company raked in sales
of $170.9bn. So today's refund payout is worth about 6,000 seconds
of Apple's time in terms of annual revenue, or about an hour and
forty minutes. Or 7.6 hours of annual profit.
For my Ethical Hackers.
Justifying your enormous budget...
Mathematical
Model Predicts When Hackers Will Strike
… Researchers at the University of Michigan believe they have
calculated the optimum time for a cyber attack.
The model, from student
Rumen Iliev and political science professor Robert Axelrod, focuses
heavily on timing: Wait until the attack will cause the most
destruction, but not so long that the vulnerability the hackers are
exploiting has been fixed.
… Though presented from the perspective of the offense—the
hacker looking for the best moment to exploit a vulnerability—the
findings are equally relevant to those companies and agencies
hoping to fend off a future attack
Okay, maybe not some of
the work my Ethical Hackers do, but generally I favor “Public!”
(And links to the work on student resumes)
Public
vs. Private – Should Student Work Be Public On the Web?
… School
administrators, who are rightfully risk-averse, often immediately
say that no public posting is allowed. By decree, access to any
student work must be limited to only those approved and with
passwords.
Teachers, afraid of
potential headaches due to students saying something inappropriate,
bullying, or not having total control also get nervous about allowing
students to publish freely online.
And, I’m very mindful
of the fact that the privacy feature built into Edublogs is one of
the number one reasons why schools choose our service. My answer to
the privacy question isn’t really good for business.
But, when you
look at all the benefits that publishing to the web can bring to
student learning, the answer is most definitely yes.
No matter the age or
experience, we believe that blogs are meant to be public.
I like lists, even
though I rarely post about potential legislation.
Jeff Kosseff writes:
From
electronic surveillance to healthcare privacy to drones, Congress is
planning to consider a wide range of privacy legislation this year.
The Edward Snowden leaks about the National Security Agency and the
recent data breaches at retailers are likely to keep privacy and data
security on the top of many lawmakers’ agendas. After the jump is
a summary of twenty pending privacy-related bills to keep an eye on
during the remainder of the 113th Congress.
Read more on Covington
& Burling Inside
Privacy
Quite a list, but for
some reason it does not include the hyperlinks.
Cybersecurity:
Authoritative Reports and Resources, by Topic
by Sabrina
I. Pacifici on January 15, 2014
CRS
– Cybersecurity: Authoritative Reports and Resources, by Topic
- Rita Tehan, Information Research Specialist, January 9, 2014
“This report provides
references to analytical reports on cybersecurity from CRS, other
government agencies, trade associations, and interest groups. The
reports and related websites are grouped under the following
cybersecurity topics:
- policy overview
- National Strategy for Trusted Identities in Cyberspace (NSTIC)
- cloud computing and FedRAMP
- critical infrastructure
- cybercrime, data breaches and data security
- national security, cyber espionage, and cyberwar (including Stuxnet)
- international efforts
- education/training/workforce
- research and development (R&D)
In addition, the report
lists selected cybersecurity-related websites for congressional and
government agencies, news, international organizations, and
organizations or institutions.”