Friday, September 19, 2014

It's not always good to be “Number One.” From their statements, I still don't like how they are handling this breach. I'm not even sure they understand what happened to them.
With 56 Million Cards Compromised, Home Depot's Breach Is Bigger Than Target's
Home Depot announced that 56 million credit cards were compromised in a breach that lasted from April to September 2014—making this latest retail breach larger than Target’s 40-million card breach.
… Home Depot says the malware used in the attack has not been seen in previous attacks, describing the malware as “unique” and “custom-built.” This differs from reports during the investigation that experts believed the breach involved the same malware as the Target breach.
… Home Depot estimates that the breach has cost approximately $62 million, with more costs likely to come. The company believes it will be reimbursed $27 million thanks to its insurance coverage. Last month, Target announced that its breach cost the company $148 million, more than twice the amount Home Depot is estimating.
… Home Depot also announced that it has now “rolled out enhanced encryption of payment data” to all its stores in the United States, completing a project that was started at the beginning of this year.

(Related)
Home Depot Confirms: It’s The Largest Data Breach Ever
… Interestingly, Krebs On Security reported the new Home Depot breach figures actually would have been much larger, but the numbers were limited because the thieves chose to only attack self-checkout units.
“Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards,” the Krebs report said. “But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.” Krebs also reported that MasterCard is telling financial institutions that it “found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.”

(Related) “We can get plywood from Oregon to New Jersey in three days. Computer Security isn't that important.”
Home Depot: 56M Cards Impacted, Malware Contained
… As to the timeline, multiple financial institutions report that the alerts they’re receiving from Visa and MasterCard about specific credit and debit cards compromised in this breach suggest that the thieves were stealing card data from Home Depot’s cash registers up until Sept. 7, 2014, a full five days after news of the breach first broke.


Imagine if this had happened to Congressional paychecks! (Not that those guys need the money) Makes a really good “bad example” for my Computer Security class. This can happen when you use the same password on multiple systems.
Susan Edelman and Philip Messing report:
A hacker stole the paychecks from four FDNY firefighters by breaking into a computer at their engine company, stealing their passwords — and then routing the dough to Russia, sources said on Wednesday.
The firefighters, from Staten Island’s Engine Co. 167, discovered that their paychecks hadn’t been direct-deposited into their bank accounts about three weeks ago, the sources said.
Read more on NY Post.


I'd like to see more. Are they saying that this information is Private, so they want to make it Public? Or is the concern that the police (“authorities” or “government” in this article) are screwing up the surveillance? Or that knowing where a police car was would cripple national security?
AP reports:
A California judge’s ruling against a tech entrepreneur seeking access to records kept secret in government databases detailing the comings and goings of millions of cars in the San Diego area via license plate scans was the second legal setback within a month for privacy advocates.
An initial ruling issued Thursday upheld the right of authorities to block the public from viewing information collected on vehicles by networks of cameras on stoplights and police cars. A judge will hear arguments Friday in the case before the ruling becomes final.


Another surveillance concern: phone cell towers.
Ashkan Soltani and Craig Timberg report:
As a black sedan pulled into downtown Washington traffic earlier this week, a man in the back seat with a specially outfitted smartphone in each hand was watching for signs of surveillance in action. “Whoa, we’ve just been hit twice on this block,” he said, excitement rising in his voice, not far from FBI headquarters.
Then as the car passed the Federal Trade Commission’s limestone edifice, “Okay, we just got probed.” Then again, just a few minutes later, as the car moved between the Supreme Court and the Capitol, he said, “That’s the beginning of an interception.”
The man was Aaron Turner, chief executive of Integricell, a mobile security company.
Read more on Washington Post.
[From the article:
As Goldsmith acknowledges, if there are indeed IMSI catchers in the locations his company reported on Wednesday, the CryptoPhone cannot easily determine whether they are deployed by the U.S. government, a local police force, a foreign intelligence agency or some other entity.
Experts say the most common users of IMSI catchers are law enforcement agencies, but such surveillance gear has become so affordable and common that many security experts believe that criminals are using them to spy on targets, including perhaps the police themselves.


If you don't pay attention (manage) it is really easy to get it wrong. I'd be a lot happier if they simply “received” information from all of these entities.
GAO released yet another report on Healthcare.gov on this week (the first one was noted here). From the highlights:
Enrollment through Healthcare.gov is supported by the exchange of information [What health information do they “exchange?” Bob] among many systems and entities. The Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) has overall responsibility for key information technology (IT) systems supporting Healthcare.gov. These include, among others, the Federally Facilitated Marketplace (FFM) system, which facilitates eligibility and enrollment, plan management, and financial management, and the Federal Data Services Hub, which acts as the single portal for exchanging information between the FFM and other systems or external partners. CMS relies on a variety of federal, state, and private-sector entities to support Healthcare.gov activities. For example, it exchanges information with the Department of Defense, Department of Homeland Security, Department of Veterans Affairs, Internal Revenue Service, Office of Personnel Management, Peace Corps, and the Social Security Administration to help determine applicants’ eligibility for healthcare coverage and/or financial assistance. Healthcare.gov-related systems are also accessed and used by CMS contractors, issuers of qualified health plans, state agencies, and others.
[ … ]
For Full Report:


How does the FTC think about security?


Wasn't this resolved by the Walker case? If someone with a gun asked me to identify myself, I probably would. If they don't like my ID – perhaps because it's from another state – what can they do next?
Papers, Please! Writes:
Last week a Los Angeles police officer detained the movie actress Danielle Watts and told her, “I have every right to ask for you ID…. You do not have a right to say ‘No’…. Somebody called, which gives me the right to be here, so it gives me the right to identify you by law.”
In the aftermath, the Los Angeles Police Protective League (LAPPL) has posted a false and misleading so-called “public service announcement” on the subject of Providing ID To Police Officers.
What happened to Ms. Watts, and what is our reading of the case law on these issues?
Read more on Papers, Please!


I'm trying to get the Security Club to build a wiki that points to all of these guides. (So I don't have to)
OWASP Releases New Testing Guide
The Open Web Application Security Project (OWASP) announced on Wednesday the availability of version 4 of the OWASP Testing Guide.
New chapters have been introduced for identity management testing, cryptography, error handling and client-side testing. The number of test cases has been increased from 64 to 87.
The OWASP Testing Guide Version 4 in PDF format is available here.


Useful tools. Might be real interesting to ask my students to flowchart their decision processes...
How To Create Stunning Flowcharts With Microsoft Word

No comments: