Wednesday, September 10, 2014

We know how to detect breaches like this. We just don't bother to look.
Nicole Perlroth reports:
Home Depot confirmed on Monday that hackers had broken into its in-store payments systems, in what could be the largest known breach of a retail company’s computer network.
The retailer said the exact number of customers affected was still not clear. But a person briefed on the investigation said the total number of credit card numbers stolen at Home Depot could top 60 million. By comparison, the breach last year at Target, the largest known attack to date, affected 40 million cardholders.
Read more on NY Times.
[From the article:
The breach may have affected any customer at Home Depot stores in the United States and Canada from April to early last week, said Paula Drake, a company spokeswoman. Customers at Home Depot’s Mexico stores were not affected, nor were online shoppers at HomeDepot.com. Personal identification numbers for debit cards were not taken, she said.
Home Depot has not yet confirmed other details.
The retailer operates 1,977 stores in the United States and 180 in Canada. That is about 400 more than Target had when it was compromised. Target’s breach went on for three weeks before the company learned about it, while the attack at Home Depot went unnoticed for as long as five months.
… Buried in the malware used in the Home Depot attack were links to websites that reference the United States role in the conflict in Ukraine.
… Studies have found that retailers, in particular, are unprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks.
Only one-third of those experts said they did the kind of continuous monitoring needed to identify irregular activity in their databases, and 22 percent acknowledged that they did not scan at all.

(Related)
Reuters reports:
At least five states have launched a joint probe into the data breach on the payment-card processing systems of Home Depot, even as the retailer works to determine the impact on its customers in the United States and Canada.
The coordinated effort was disclosed on Tuesday, a day after Home Depot confirmed suspicions that its payment processing systems have been breached.
A spokeswoman for Connecticut Attorney General George Jepsen told Reuters that California, Connecticut and Illinois would lead the multistate effort. New York and Iowa said they would participate.
Read more on CNBC.


Don't use a password on more than one site.
RT reports:
A database of what appears to be some 5 million login and password pairs for Google accounts has been leaked to a Russian cyber security internet forum. It follows similar leaks of account data for popular Russian web services.
The text file containing the alleged compromised accounts data was published late on Tuesday on the Bitcoin Security board. It lists 4.93 million entries, although the forum administration has since purged passwords from it, leaving only the logins.
[...]
The leak comes just days after similar leaks affected Mail.ru and Yandex, both popular Russian internet services. The previous leaks contained 4.66 and 1.26 million accounts respectively.
Read more on RT.
Note that this is not evidence that Google, Mail.ru, or Yandex were hacked, and the two Russian firms deny they were, while Google says it is investigating. As Mohab Ali points out on Twitter this morning: “According to reddit comments, people who found their email addresses found the passwords they used in other websites not gmail.”
@BrianHonan According to reddit comments, people who found their email addresses found the passwords they used in other websites not gmail.
Mohab Ali (@0xAli) September 10, 2014


We have a similar problem. You can lead a student to technology, but you can't make them think.
Convincing Employees to Use New Technology
All of our companies are digital now – or quickly becoming that way. Almost any enterprise you can think of, no matter the industry or sector, is trying (or being pressured by competitors) to use new technology to harness the vast new oceans of data being generated by smartphones, sensors, digital cameras, GPS devices, and myriad other sources of information originating from customers and markets.

No comments: