It's not always good to be “Number One.” From their statements, I still don't like how they are handling this breach. I'm not even sure they understand what happened to them.
With 56 Million Cards Compromised, Home Depot's Breach Is Bigger Than Target's
Home Depot announced that 56 million credit cards were compromised in a breach that lasted from April to September 2014—making this latest retail breach larger than Target’s 40-million card breach.
…
Home Depot says the malware used in the attack has not been seen in previous attacks, describing the malware as “unique” and “custom-built.” This differs from reports during the investigation that experts believed the breach involved the same malware as the Target breach.
…
Home Depot estimates that the breach has cost approximately $62 million, with more costs likely to come. The company believes it will be reimbursed $27 million thanks to its insurance coverage. Last month, Target announced that its breach cost the company $148 million, more than twice the amount Home Depot is estimating.
…
Home Depot also announced that it has now “rolled out enhanced encryption of payment data” to all its stores in the United States, completing a project that was started at the beginning of this year.
(Related)
Home Depot Confirms: It’s The Largest Data Breach Ever
…
Interestingly, Krebs On Security reported the new Home Depot breach figures actually would have been much larger, but the numbers were limited because the thieves chose to only attack self-checkout units.
“Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards,” the Krebs report said. “But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.” Krebs also reported that MasterCard is telling financial institutions that it “found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.”
(Related)
“We can get plywood from Oregon to New Jersey in three days. Computer Security isn't that important.”
Home Depot: 56M Cards Impacted, Malware Contained
…
As to the timeline, multiple financial institutions report that the alerts they’re receiving from Visa and MasterCard about specific credit and debit cards compromised in this breach suggest that the thieves were stealing card data from Home Depot’s cash registers up until Sept. 7, 2014, a full five days after news of the breach first broke.
Imagine if this had happened to Congressional paychecks! (Not that those guys need the money.) Makes a really good “bad example” for my Computer Security class. This can happen when you use the same password on multiple systems.
Susan Edelman and Philip Messing report:
A hacker stole the paychecks from four FDNY firefighters by breaking into a computer at their engine company, stealing their passwords — and then routing the dough to Russia, sources said on Wednesday.

The firefighters, from Staten Island’s Engine Co. 167, discovered that their paychecks hadn’t been direct-deposited into their bank accounts about three weeks ago, the sources said.
Read more on NY Post.
I'd like to see more. Are they saying that this information is Private, so they want to make it Public? Or is the concern that the police (“authorities” or “government” in this article) are screwing up the surveillance? Or that knowing where a police car was would cripple national security?
AP reports:
A California judge’s ruling against a tech entrepreneur seeking access to records kept secret in government databases detailing the comings and goings of millions of cars in the San Diego area via license plate scans was the second legal setback within a month for privacy advocates.

An initial ruling issued Thursday upheld the right of authorities to block the public from viewing information collected on vehicles by networks of cameras on stoplights and police cars. A judge will hear arguments Friday in the case before the ruling becomes final.
Read more on Press of Atlantic City.
Another surveillance concern: phone cell towers.
Ashkan Soltani and Craig Timberg report:
As a black sedan pulled into downtown Washington traffic earlier this week, a man in the back seat with a specially outfitted smartphone in each hand was watching for signs of surveillance in action. “Whoa, we’ve just been hit twice on this block,” he said, excitement rising in his voice, not far from FBI headquarters.

Then as the car passed the Federal Trade Commission’s limestone edifice, “Okay, we just got probed.” Then again, just a few minutes later, as the car moved between the Supreme Court and the Capitol, he said, “That’s the beginning of an interception.”

The man was Aaron Turner, chief executive of Integricell, a mobile security company.
Read more on Washington Post.
[From the article:
As Goldsmith acknowledges, if there are indeed IMSI catchers in the locations his company reported on Wednesday, the CryptoPhone cannot easily determine whether they are deployed by the U.S. government, a local police force, a foreign intelligence agency or some other entity.

Experts say the most common users of IMSI catchers are law enforcement agencies, but such surveillance gear has become so affordable and common that many security experts believe that criminals are using them to spy on targets, including perhaps the police themselves.
If you don't pay attention (manage) it is really easy to get it wrong. I'd be a lot happier if they simply “received” information from all of these entities.
GAO released yet another report on Healthcare.gov this week (the first one was noted here). From the highlights:
Enrollment through Healthcare.gov is supported by the exchange of information [What health information do they “exchange?” Bob] among many systems and entities. The Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) has overall responsibility for key information technology (IT) systems supporting Healthcare.gov. These include, among others, the Federally Facilitated Marketplace (FFM) system, which facilitates eligibility and enrollment, plan management, and financial management, and the Federal Data Services Hub, which acts as the single portal for exchanging information between the FFM and other systems or external partners. CMS relies on a variety of federal, state, and private-sector entities to support Healthcare.gov activities. For example, it exchanges information with the Department of Defense, Department of Homeland Security, Department of Veterans Affairs, Internal Revenue Service, Office of Personnel Management, Peace Corps, and the Social Security Administration to help determine applicants’ eligibility for healthcare coverage and/or financial assistance. Healthcare.gov-related systems are also accessed and used by CMS contractors, issuers of qualified health plans, state agencies, and others.
[ … ]
For Full Report: HEALTHCARE.GOV: Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses. GAO-14-871T: Published: Sep 18, 2014. Publicly Released: Sep 18, 2014 (17 pp, pdf)
How does the FTC think about security?
Wasn't this resolved by the Walker case? If someone with a gun asked me to identify myself, I probably would. If they don't like my ID – perhaps because it's from another state – what can they do next?
Papers, Please! writes:
Last week a Los Angeles police officer detained the movie actress Danielle Watts and told her, “I have every right to ask for your ID…. You do not have a right to say ‘No’…. Somebody called, which gives me the right to be here, so it gives me the right to identify you by law.”

In the aftermath, the Los Angeles Police Protective League (LAPPL) has posted a false and misleading so-called “public service announcement” on the subject of Providing ID To Police Officers.

What happened to Ms. Watts, and what is our reading of the case law on these issues?
Read more on Papers, Please!
I'm trying to get the Security Club to build a wiki that points to all of these guides. (So I don't have to.)
OWASP Releases New Testing Guide
The Open Web Application Security Project (OWASP) announced on Wednesday the availability of version 4 of the OWASP Testing Guide.
…
New chapters have been introduced for identity management testing, cryptography, error handling and client-side testing. The number of test cases has been increased from 64 to 87.
…
The OWASP Testing Guide Version 4 in PDF format is available here.
Useful tools. Might be real interesting to ask my students to flowchart their decision processes...
How To Create Stunning Flowcharts With Microsoft Word