Adding Insult to Injury: Target Breach Attracts Phishing


If you shopped at Target recently, you are probably nervous enough about your identity being stolen or losing money from your checking account. It is important to protect yourself and check all of your credit cards and accounts regularly to see if there are any unauthorized transactions. Most credit cards and companies have been very good about keeping their account holders informed about the breach; however, there are now scammers looking to take advantage of you via phishing.

SC Magazine recently wrote an article discussing this very issue. “It is very common for phishers to concoct schemes to scam people impacted in data breaches, particularly because they can capitalize by taking advantage of nerves and paranoia in the midst of a potentially confusing and scary situation.”

Target posted this last week addressing the phishing reports: “We are aware of limited incidents of phishing or scam communications… To help our guests feel confident that what they are hearing from Target is really from us, we are in the process of setting up a dedicated resource on our corporate website where we will post PDFs of all official communications that Target sends to our guests.”

On Christmas Day, information was released that PIN numbers were also compromised during the attack on their systems. However, it was later reported via a Target press release that no PIN numbers were exposed to the hackers because Target does not keep PIN numbers within their data system.

The press release from Target was as follows: “Target does not have access to nor does it store the encryption key within our system,” according to the release. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor.”

The root cause of this exposure has yet to be determined; however, it is believed that the card readers were compromised, resulting in the breach.

Resources:

http://www.scmagazine.com/scammers-looking-to-capitalize-on-massive-target-breach/article/327200/

https://corporate.target.com/about/payment-card-issue.aspx?ref=sr_shorturl_paymentcardresponse#?lnk=Other_122913_HP2_E1|E1|T:Template_Home5|C:

http://img.zonebourse.com/reuters/2013-12-20T025316Z_4_CBRE9BI0WZN00_RTROPTP_2_CBUSINESS-US-TARGET-BREACH.JPG

One of America’s Favorite Retailers Faces a Breach


When I turned on the news yesterday morning, it was one of the top stories: Target Stores Security Breach affects 40 million shoppers. Our office is right next door to a Target, so it is safe to say I am there pretty regularly. Like many other Americans who hold their credit scores close to their chest, I was worried, and immediately I thought to myself: how did this happen, how will it affect me, and what does it really mean?

SecureState, a Qualified Security Assessor (QSA), had a very comprehensive article that explained the whole thing pretty thoroughly. The article explains all of the compliance requirements and regulations that surround a company using point-of-sale card readers. According to the article, it would appear that Target was running a homegrown, custom-built application. However, there are standards that should be followed at all times, including the Payment Application Data Security Standard (PA-DSS).

“For a hacker to be able to infiltrate Target’s network and access the POS application several PCI-DSS and PA-DSS controls must not have been implemented effectively.  Thus, Target was not compliant during the time of the breach… It’s not easy for an attacker to bypass these controls, access a secure POS, and steal 40 million records.  Therefore, the hack was either very sophisticated or Target lacked basic controls to prevent it.”

What’s the next step for Target? To stop the bleeding: make sure that the affected systems are no longer available to the hackers and that no further information is leaked. After all of that is done, they can put an action plan in place to prevent these types of breaches in the future. Then the finger pointing will begin; this is where it gets ugly on a corporate level.

All in all, what this means for us, the consumers, is that we need to keep an eye on our credit cards and reports to make sure that nothing fishy shows up.

Sources:

http://blog.securestate.com/targets-credit-card-compromise/

https://www.pcisecuritystandards.org/security_standards/

Do You Know Who is Watching You? Part 2


On Tuesday we covered the basics of Remote Access/Administration Trojans, also known as RATs. You can read that post here.

To dive deeper into the topic, one of the most common RATs is “Pandora”. The Pandora RAT allows an attacker to gain access to the following items on a compromised computer: files, processes, services, and active network connections.

If all of this doesn’t concern you, Pandora can also: remotely control the compromised desktop, take screenshots, record webcam footage, record audio, log keystrokes, steal passwords, download files, open Web pages, display onscreen messages, restart the compromised computer, hide the taskbar, and hide desktop icons. It can even cause one of the most dreaded outcomes: system failure and the blue screen of death. Like many RATs, Pandora is user friendly, and can be mastered by expert and beginner hackers alike.

There is a prosperous underground market for software based on RATs. They can be purchased from many websites and even appear for sale in online hacking forums. The three main types that appear for sale are:

1) FUD, which is fully undetectable by security vendors

2) Crypter, which is a tool used to rearrange files in a way that the actual bytes are scrambled

3) JDB (Java drive-by), which involves a Java applet being placed onto a website disguised as a pop-up to continue to the site

A few rules to stay protected: keep your anti-virus software up to date, avoid opening emails that look suspicious or that come from a sender you are unsure of, always be a skeptic when clicking on links that you receive from other sources, and only download files from sites that you know are secure. Always be aware of your webcam activity; if you do not have a shutter that closes, consider putting a piece of paper over the webcam as a precaution. Most importantly, use common sense: if your computer told you to drop it off a bridge, would you?

 

Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you

Image Source:

http://i.telegraph.co.uk/multimedia/archive/01961/hack_1961123b.jpg

Can I Borrow a Cup of Internet?


Recently I experienced a modern-day version of a classic neighborly good deed. Last night up here in New Hampshire, we had a snow storm that hit right at the heart of the evening rush hour. This storm nearly tripled my wife’s ride home as well as mine.

Upon arriving home I realized that my internet service was out. Great. This would not be such a big deal; however, there is no cell phone service in my neighborhood either. This means I need to run a local tower that runs via my internet. When I drove up the road and called my service provider, they were not open because it was after business hours. How convenient.

To make the situation worse, this posed a real problem because my wife needed internet access to send some files to a client when she got home. With our house verging on a nervous breakdown, I started thinking of solutions to this problem.

Then it dawned on me!

My neighbors have wireless; I wonder if I could borrow some bandwidth for the night? I double-checked that there were wireless networks in my area and was happy to see that all the wireless networks were encrypted by passwords. I bundled back up in my winter garb, trekked out in the snow to my neighbor’s house, and knocked on the door. Meanwhile, in my head I was thinking how odd this whole situation was. Once they opened the door and I explained my current position to them, they were very generous and shared their password with me.

Granted, sharing passwords is not a very good idea; however, there is always an exception to any rule. While walking back to my house, feeling like a hero because I got the internet access we needed to get by, I couldn’t help but have a little laugh. In the past people used to ask to borrow a cup of sugar; now we ask for a “spot of internet.”

Do You Know Who is Watching You? Part 1


Everyone knows at least one paranoid person who insists on covering the webcam of their computer. Precautions like this may be necessary because of the malicious attacks out there. These attacks take over your webcam and give the attacker remote access to your computer. According to Symantec, “Remote access Trojans (RATs), or what we (Symantec) are calling creepware, are programs that are installed without the victim’s knowledge and allow an attacker to have access and control of the compromised computer from a remote location.”

The two most common types are the Remote Access/Administration Tool and the Remote Access/Administration Trojan; the biggest difference between the two is that the Trojan is installed for malicious purposes. One of the major ways that they take advantage of your computer is by remotely accessing your device, and there are lots of different pieces of malware out there that do this.

“Creepware,” as Symantec calls it, flips your machine with the hacker’s, so your computer is the victim and the attacker’s computer becomes the client. Once this has happened, an attacker has the ability to retrieve files easily from the victim’s machine. The people doing this range from those out to commit fraud to those who just think it is a harmless prank. Most victims don’t report this type of crime until their reputation has been damaged, so the attackers often aren’t caught. Many of these activities fall under the umbrella of cyber bullying.

The hackers get crafty and downright mean. For example, in one instance they attacked victims by sending a pop-up on the screen saying “their webcam’s internal sensor needed to be cleaned. To do this, they were told to place the computer close to steam.” Many victims brought their laptops into the bathroom to “steam clean” their machine, but don’t most people understand that you are not supposed to put electronics near moisture?

Check back on Thursday for Part 2.

Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you

Image Source: http://www.sitejabber.com/blog/wp-content/uploads/2013/02/identity-theft-500×260.jpg

P@ssw0rdS

Passwords: we all have them, but we can’t all remember them. A satirical observation on the complexity of passwords.

There is so much pressure on choosing the “right” or “R!6ht” password. It has to exceed 6 characters, and even though we really wanted to use our dog’s name, “Spot,” that won’t work since it’s only four characters. So we are left to think of some other variation to use that we then may or may not remember. Then it becomes an ordeal just to remember whether it is spot12, Spot123, or SPOT10 since he was ten when you created the password, but was that in human or dog years?

Passwords just aren’t fun anymore; they are stressful. Some people put too much pressure on themselves when creating a password. We promise it’s not like the pressure of trying to win a gold medal at the Olympics. On the other end of the spectrum, some people don’t put enough pressure on creating a strong password (cough) 123456.

Faith Salie once said, “It sometimes feels like the only person from whom your passwords are keeping you safe is YOU.” 1

After forgetting your password you then feel like you need to go to therapy, after being asked enough questions about your childhood to make your head spin. Maybe you don’t have the greatest childhood memories, and you are still recovering from being called, “Chunky Monkey” for the first 13 years of your life. But sure enough, you are prompted to enter in your childhood nickname.

“It may all lead to a profound existential crisis which leaves you yelling at your computer, ‘IT’S REALLY ME, I JUST FORGOT WHO I AM!!!’”1

Some people would argue that passwords are something we have just for the sake of making us feel safe, rather than actually keeping us safe. We don’t agree: a hacker acquiring one or two of your passwords could bring your whole world crashing down. Your bank account could be drained, and even worse, they could potentially acquire your social security number and really do some damage.

So adopt password habits that you will remember, and maybe, if you are lucky, the organization you work for will implement single sign-on, if they haven’t already.

Resource:

1.)    http://www.cbsnews.com/news/a-word-for-the-password-weary/

EU Behind the Times for Cyber Security


 

Often in our blog we focus on what is happening here in America, but we work with companies all over the globe. Recently, a survey questioned over 27,000 people in the European Union about their internet use, security attitudes and experiences. 1 The survey showed that individuals in the EU were behind the times when it came to cyber security.

Just over a quarter of those surveyed only use their own hardware to go online, and just under that figure (24%) use unique passwords for different sites. Does this remind you of any recent breaches?

“Of those surveyed 48% of web users said they had not changed any of their online passwords in the last year. Out of those who had made changes, the highest figure was for webmail (31%) with social networks just behind on 26%. Online banking passwords were less likely to be changed, with only 20% changing in the last 12 months, and shopping site passwords were rarely changed, at only 12%.” 1

These numbers seem slightly off, because you would think the information that could be obtained from hacking into your bank account would be more detrimental than what could be obtained from a social media account. The website Naked Security adds that maybe this is a sign that there is a need for more education.

Most of the statistics in the report point back to the fact that there is a common fear of the risks associated with using the internet, so people put off taking advantage of all that it has to offer. The catch is that most of these people are not even doing the basics to protect themselves.

If you have a fear about using the internet, take the time to educate yourself and those around you, whether it’s your family or co-workers. Make sure you have strong passwords in place that cannot be easily guessed. And if you do not have anti-virus software installed on your machine, then definitely take the time to install it.

You can read the full report here, for more statistics.

Resources:

1.)    http://nakedsecurity.sophos.com/2013/11/27/only-24-of-europeans-use-different-passwords-for-different-websites/

2.)    http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf

Protecting Your Company: Dealing with a Low IT Budget without Compromising Security

As mentioned in the previous article “The Weight of the World on Your Shoulders: The Pressure of Being an IT Professional,” there are many struggles facing today’s IT departments. One recurring problem is achieving goals while staying within budget. As an IT professional, you may have to perform a balancing act, protecting your company’s network and information on what seems to be a shoestring budget.

Protecting your company from cyber-attacks can be very costly, but an attack could end up costing you even more. According to a study conducted by Ponemon this year, “The average time to resolve a cyber-attack is 32 days, with an average cost incurred during the resolution period of $1,035,769, or $32,469 per day – a 55% increase over last year’s estimated average cost of $591,780 for a 24-day period.”1 This varies depending on the size of the company and the industry that it is in.

It is important to invest not just in anti-virus software, but in software that will strengthen the overall security of your network, such as authentication software. Having multiple layers of password authentication in place allows you to have peace of mind knowing that your end-users are who they say they are. There are many high-priced solutions available on the market for enterprise-sized companies, but what about the smaller companies, schools, municipalities and government-run programs? These institutions need to be protected too, but they do not have the budget to purchase a high-priced solution.

Many companies find themselves in some form of a budgetary crisis and look to companies like PortalGuard for a comprehensive solution at an affordable price. Your company can get superior protection that will be within your budget without losing any of the features or functionality that you need.

Resources:

1- http://www.infosecurity-magazine.com/view/34990/cyberattacks-cost-1-million-on-average-to-resolve/

When was it Ever a Good Idea to use ‘123456’ as a Password?

A weak password is never a good idea. More and more often it is being uncovered that people are using weak passwords, but why? One possible reason is that these passwords are so easy to remember; another is that users feel they are not vulnerable to a cyber-attack.

In the news today, it was uncovered that two million people were exposed due to weak passwords. SpiderLabs, a highly skilled security team connected to Trustwave, uncovered this ‘treasure trove’ of users recently. The users affected were using sites ranging from social networks like Facebook and LinkedIn to the payroll service provider ADP.

SCMagazine.com reported: “The theft involved credentials for about 1.5 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops and 3,000 secure shell accounts, according to a Tuesday post, which shows that passwords were stolen from about 320,000 Facebook accounts, 70,000 Google-related accounts, 60,000 Yahoo accounts and 22,000 Twitter accounts.”

These user accounts were exposed via a ‘Pony botnet controller’; these pieces of malware embed themselves and show everything from user management to log-in credentials.

John Miller, a security research manager at Trustwave, explained to SCMagazine.com that “Pony steals credentials in two ways… ‘First is by searching for stored passwords in browsers, email clients, FTP tools and other software configuration files. Second is by monitoring browser traffic to identify when users are logging into a website and stealing the credentials as they are being sent.’”

While information on social media platforms can expose certain things that you may not want others to know, a breach at a company like ADP can open a whole other can of worms. They store everything from your address and social security number to your bank account information. That is definitely information you do not want in the wrong hands.

This is just another example of how simple passwords are not a good idea, and of how employing a product that allows your users to remember only one password is better than storing passwords in browsers. Single Sign-on software is a great way to avoid this, as we mentioned in a previous post.

Resources: http://www.scmagazine.com/discovery-of-two-million-hacked-credentials-123456-is-again-the-common-password/article/324201/

http://en.wikipedia.org/wiki/Botnet

Shopping Smart Series: Cyber Monday


With the shopping season upon us, we wanted to give you some safe shopping tips to help keep you protected while you are out and about or online.

 

Safeshopping.org has a great “Top Ten List” of safe online shopping tips. Some highlights from that list include trusting your instincts and making sure that you are shopping from a trusted retailer. Also, if a deal looks too good to be true, do your homework and make sure the item and website are legitimate, and exactly what you are looking for.

 

Some other great tips from their site include: “Make sure the Internet connection is secure, find and read the privacy policy, insure the safe delivery of your item.”1 We touched on using secure WiFi last week in this article.

Getting a great deal today shouldn’t cost you your identity and thousands of unexpected dollars. By using your best judgment and sticking only to sites you know and trust, you should be able to snag some great deals out there without having to worry.

Following these simple rules will allow you to shop safely and enjoy your holiday season. And if you are at a loss for what to give as gifts this year for the holidays, gift cards are always a great choice.

Safe Shopping and Happy Holidays!

Resource:

http://www.safeshopping.org/tips.shtml