Thursday, November 13, 2014

Final Post

Throughout this semester, I have primarily focused on data security breaches. While this was not necessarily my intended path when I started, it was something that was commonly occurring throughout the semester.

There were several data breaches over the last few months, including J.P. Morgan Chase and Home Depot. Millions of consumer accounts have been compromised, and data includes everything from email addresses to payment card information.

I also explored some security vulnerabilities that came to light, including the "Shellshock" vulnerability and a Microsoft Windows vulnerability that allowed hackers to spy on several different institutions. If I were posting today, I would probably be posting about the latest Windows vulnerability - one related to the Schannel.

I also explored Apple Pay, and how it could increase the security of payment card systems. Its competitor, CurrentC (which has not yet been released), was also the victim of a data breach.

Throughout my posts, I used a wide variety of sources - although they were primarily news outlets. I tried to identify facts that were presented by multiple sources before presenting them. As we know, everything that we read in the news isn't always true.

I think that this type of blog could be useful to an information security professional - it encourages exploration into things that you may not otherwise know about. It also helps to keep you up-to-date on what is happening in the security world - and things can change very quickly in this environment.

My best recommendation for the next group of students would be to get into the habit of looking at the news every day. It is something that will benefit you far beyond this class - current events are a great thing to keep informed about, and they can spark your curiosity and expand your knowledge when you start looking into the details.

Sunday, November 9, 2014

New Details about the Home Depot security breach

Today, I received an e-mail from Home Depot letting me know that my e-mail address had been compromised in their security breach. However, this e-mail stated that the stolen information was limited to only e-mail addresses, and did not include any other personal information or payment information.

In addition to the payment card information of 56 million customers being stolen, the e-mail addresses of 53 million customers were also stolen. In similar fashion to the Target breach, the hackers obtained access to the system through the security credentials of a third party vendor. In this case, however, the hackers then had to perform a second exploit - and gain increased privileges for the stolen account. Once the hackers escalated their privileges, they were able to place their malware on the system, which targeted the self-checkout lanes within Home Depot stores.

The company is warning users whose e-mail addresses were stolen to be aware of phishing scams being sent through e-mail using the compromised addresses.

According to one source, the hackers exploited a zero-day vulnerability within Microsoft Windows. Companies and individuals have increased their security, making it more difficult for hackers to gain access directly. However, the hackers have moved on to exploiting the supply chain - third-party vendors are used by many companies for many different reasons. Companies should thoroughly investigate the vendors that they choose to use, and require them to maintain minimum security requirements. They should also reach out to current vendors, and ask for information regarding their security practices.

Unfortunately, it is likely that hackers will continue to gain access to systems until all companies become diligent about their security practices.

Sunday, November 2, 2014

CurrentC exposed; the battle continues

Some bad news for CurrentC this week, as their systems were hacked and the email addresses of their early adopters who are currently testing the system were obtained by the hackers. Luckily, no credit card or purchase information was taken - however, it still doesn't bode well for a technology that hasn't yet launched.

The debate continues regarding whether CurrentC or Apple Pay will come out ahead in this battle of the payment acceptance merchants. Apple has maintained a focus on security and privacy with its system, while CurrentC is more appealing to merchants. In bypassing the credit card merchants and taking payments directly, CurrentC merchants are able to avoid the usual 2 - 3% processing fee that is charged by Visa and Mastercard (and other payment processors).

CurrentC is also keeping the merchants happy by providing them with your transaction information - such as what you bought. Many of the retailers that have supported CurrentC have customer loyalty programs in place - which track what you buy and provide you with special offers based on your purchase history. Both CVS and Rite Aid - which have turned off their ability in stores to accept Apple Pay - have these types of programs in place. My guess is that the CurrentC platform would eliminate the need for shopper's cards to be used in addition to your payment card - and make the transaction seamless.

Sounds like a great concept - but the effects of this could be far-reaching. In a world where big data has become so popular, CurrentC could theoretically aggregate this data across merchants - and get a picture of everything that you buy. Consumers already have privacy concerns related to these loyalty programs, and expanding the reach of these programs may benefit merchants; but this may also alienate consumers even more.

Many of the merchants participating in the CurrentC program were also hacked themselves this year. While the platform may be available to more consumers - those consumers may be much more wary about using it based on privacy and security concerns.

Sunday, October 26, 2014

Apple Pay launches; several retailers say they have another way

Apple Pay launched on Monday (October 20th), although not everyone was ready to go. Many users were disappointed to find out that their credit card company had not yet transitioned to Apple Pay, or that their favorite store wasn't on board yet. However, I'm sure it won't be much longer until they are.

Some stores took advantage of the launch, like Whole Foods - with advertising geared towards Apple Pay users. Others, such as Staples, have not yet fully transitioned - while Staples is accepting Apple Pay through its mobile app, it is not yet accepting it in stores.

Several stores have stated that they will not be jumping on the Apple Pay bandwagon - at least not yet. Another company, called Merchant Customer Exchange (MCX), is working on a technology called CurrentC - which would be similar to Apple Pay. However, instead of accepting payments using NFC (near field communication), the customer would scan a QR code at the register.

What's the advantage to this type of system? Well, the stores would not be required to change out their existing terminals - while they do have to in order to communicate with the new Apple devices using NFC. Several stores, including Wal-Mart, Best Buy, Target, and Darden Restaurants are said to be supporting the MCX system. In addition to not having to change out the terminals, the merchants would also avoid the 2% to 3% fee that is charged by the credit card giants - Visa and Mastercard.

CVS and Rite Aid have also said that they will not be using Apple Pay - even though their existing systems support NFC. Time will tell who the winner of this fight will be - if Apple Pay becomes successful, it would be very difficult for stores to continue to decline its use within their stores.

Sunday, October 19, 2014

Russian Hackers Strike Again

A new vulnerability in Microsoft Windows has been uncovered, which reportedly allowed Russian hackers to spy on several different groups - including NATO, an academic institution, the European Union, and the Ukrainian government.

The security flaw is said to have been present in operating systems from Windows Vista through Windows 8.1. Microsoft released the patch to fix these vulnerabilities earlier this week. The vulnerabilities allowed a remote hacker to take control of a target computer.

Dallas-based security firm iSight Partners discovered the vulnerability, and it has been nicknamed 'Sandworm' - because references to the science fiction movie "Dune" have been found in the code. The hackers used a common technique called spear-phishing - where innocent looking emails were sent to targets. Once the emails were opened, the malware was downloaded onto the servers and used to exploit the vulnerability.

While many of the targets have been identified, it is still unclear what type of information they were seeking or what they were able to obtain.

So, what programs should you be updating this week if you have them installed? New security patches have been made available for the following:

The Adobe and Java updates are unrelated to the Windows vulnerability; however, they do fix several other security holes that have been discovered. The Adobe update fixes issues with three known security flaws, and the Java update includes fixes for more than two dozen identified security issues.

Sunday, October 12, 2014

An update on the J.P. Morgan Chase data breach; additional data breaches come to light

The same hackers who breached J.P. Morgan Chase did in fact attempt to gain access to several other financial institutions. Chase still maintains that financial information was not accessed in the breach, although they do continue to warn customers about phishing scams because of personal information that was obtained by the hackers.

Based on the SEC filing, it appears that the hackers were able to obtain the password of an employee and use it to gain access to the personal information of millions of customers. What was originally thought to include only one million customers ended up being over 83 million, including both personal and business accounts.

Up to 13 other financial institutions discovered attempts to access their systems by the same suspected hacking group. By checking the web addresses used by the group in the J.P. Morgan Chase breach, these companies were able to identify attempts that were made on their systems as well. These other institutions include ADP, Citigroup, HSBC, E*Trade, Fidelity, and Regions Financial Corporation. However, none have reported evidence that any personal or financial information was accessed by the hackers.

One positive that has come from this breach is that J.P. Morgan Chase has said that it plans to increase its cyber-security budget over the next five years. With a current spending of $250 million per year, Chase expects to double this figure in the future.

Other reported data breaches this week include Dairy Queen and K-Mart. The K-Mart data breach is currently being investigated, and appears to have begun in early September. Initial reports state that it is the same software that was used on Home Depot's systems. Dairy Queen also reported that its payment systems contained malware, which likely captured the account numbers and expiration dates of customers.

Saturday, October 4, 2014

Millions of Chase accounts compromised

First reported in early September, the suspected data breach of J.P. Morgan Chase has now been confirmed. Hackers were able to gain access to the accounts of 76 million households and 7 million small businesses. Fortunately, they were not able to obtain any financial information related to these accounts - however they did obtain personal information such as names, addresses, and email addresses.

The data breach was first discovered in July, and is suspected to be the work of Russian hackers. While no payment information was stolen, the idea that hackers had any access to the systems of a financial institution is of great concern to the security community. It has also been reported that the same hacking group obtained access to nine other banks, although those banks have not been identified.

If you are a Chase customer, the biggest concern right now is phishing and scams. Since thieves obtained contact information, they could potentially contact customers pretending to be the bank in order to gain access to financial accounts. If you are a Chase customer, you should be incredibly diligent in verifying someone contacting you. Thieves will try anything - including telephone calls, emails, and even snail mail. While financial information is not suspected to have been compromised, you should also keep an eye out on your bank statements and quickly report any suspicious activity.

With all of the security breaches lately, there has been an increased focus on companies to invest both more monetary and human resources into protecting consumer information. Many companies who did not have CISO positions before now do, and companies are hiring additional security staff as well. I expect to see an increase in degree and training programs related to security in the near future as well.

Sunday, September 28, 2014

Shellshock: Rocking the security world

The latest security vulnerability was uncovered last week, and the effects have been compared to the Heartbleed bug from earlier this year. This new bug, which is being referred to as 'Shellshock', has been uncovered in a commonly used piece of software called Bash.

Both Apple and Oracle are scrambling to release a fix for their users. Apple says that the majority of its users are not impacted by the bug; only its advanced users should be concerned. I was surprised to see an alert from GoDaddy related to my web hosting accounts early Saturday morning, stating that this bug may be affecting some of its hosting accounts.

Bash was created in 1987, and has been maintained by a software developer named Chet Ramey for the last 22 years. Mr. Ramey thinks that the vulnerability may have been introduced back in 1992 - 22 years ago. This bug is considered to be of high impact - hackers have the potential ability to entirely take over another machine. Additionally, it is considered to be a relatively easy bug to exploit.

As of today, patches have been released to help remove the vulnerability. If you utilize any Linux or Unix related systems, you should definitely make sure that your software is up-to-date. You should also be mindful of any hardware updates that may come up in the near future, such as for routers. Windows users shouldn't have anything to worry about, as the bug doesn't affect this system.

As soon as the bug was announced, hackers began to take advantage of the flaw. The patches truly couldn't come soon enough for many users. Most of these attacks have been denial-of-service attacks. While most larger companies are developing fixes and patching their systems, the concern is that smaller companies may not do the same as quickly.

A vulnerability such as this just goes to show you that no piece of software is safe; and the effects of one can be fast and widespread. Even software that was created nearly 30 years ago can be exploited.

Friday, September 19, 2014

Home Depot makes history...not in a good way

Home Depot has confirmed the extent of its data breach this week, and the results aren't pretty...an estimated 56 million payment cards are predicted to have been compromised in the breach. This beats out the previous holder of the record - T.J. Maxx with an estimated 45.6 million compromised payment cards.

The investigation has shown that the self-checkout terminals in Home Depot stores were affected by malware, but the payment card readers in regular checkout lanes were not affected. If both had been compromised, this breach could have been much worse.

Home Depot has confirmed that the malware has been removed from its systems, and stated that they completed a major security project to encrypt the data at its sales terminals. They will also offer identity protection to those users who have been affected by the data breach.

Personally, I know of two credit cards that were used at Home Depot stores multiple times during the months identified - April through September. I have not received any notifications from Home Depot nor my credit card companies regarding this incident. Home Depot offers electronic receipts that are tied to the credit card that you use, so I know that they have a way of contacting me.

The worst part about this breach is that Home Depot could have potentially avoided these attacks by turning on a security feature that was already installed. Symantec offers an intrusion prevention feature in its software called Endpoint Protection, which was not enabled on Home Depot's systems. Security consultants hired by the company also recommended using an upgraded firewall, rather than the one provided with Windows. Neither of these recommendations was implemented by the company.

The data breach itself is expected to cost the company around $62 million; $27 million of which will be covered by insurance. Only the future will tell if this data breach affects the company's sales, especially given how much Target's sales were affected by its data breach last year.


Sunday, September 14, 2014

Apple Pay: The Solution to the Data Breach Problem?

I don't think that anyone could ignore this week's announcements from Apple. One of those announcements involved Apple Pay. Before we talk about Apple Pay, I think that we need to define a few terms that have been discussed recently.

The first of these terms is NFC, or near field communication. NFC is a radio frequency that was designed to allow phones and other devices to transmit payment information to point of sale or other compatible systems. Many of our cell phones today are already equipped with NFC, and many payment terminals are too. NFC isn't necessarily a new technology, but it never really took off.

The next of these terms is EMV, which stands for Europay, MasterCard, and Visa according to Wikipedia. Here in the United States, the transition to using EMV credit cards has been pretty much non-existent; but if you travel over to Europe, you would see the technology in both their standard credit cards and payment terminals. EMV technology allows credit cards to store additional information in chips that are embedded in the card, which increases the security of the cards and how they are used. Cards that are embedded with chips usually require the cardholder to enter a PIN at the point of sale, which also increases security.

Now that we've gotten those out of the way, let's talk about Apple Pay. Other people have tried the same thing that Apple is - such as Google Wallet - and haven't been so successful. But, Apple is changing the game with a new spin on the same payment processing.

Apple Pay will allow you to store your credit cards in a virtual wallet on your iPhone by taking a photo. Then, you can select a primary credit card to be used. When you want to make a payment, you can place the device within range and payment data will be exchanged using NFC. Doesn't sound much different, right?

The game changer here is that Apple has made the process more secure, without adding any additional burden on either the user or the merchant. Apple Pay will work with existing systems, but will provide a one-time use credit card number for making purchases. This way, if a card number is stolen or recorded in some way - it can't be used again. Additionally, Apple verifies that you are the authorized user before storing the card, and requires the use of TouchID, which verifies that you are the owner of your device using your fingerprint.

Other merchants have unsuccessfully tried to implement virtual wallets by trying to be too involved in the process. Apple has tried to carefully place itself in the process, and doesn't require anyone to make changes while making the payment processing more secure at the same time.

Time will tell if Apple Pay will be a success - but with the backing of several different entities in the payment world, it seems like it might be the new and more secure way to make purchases at your favorite retailer.

Wednesday, September 3, 2014

This Week in Security: More Data Breaches

Unfortunately, it seems like the news is full of stories regarding data breaches lately. Several new potential data breaches have been reported over the last week or so.

The most concerning of these attacks is the suspected attack on J.P. Morgan Chase, which is still under investigation. Initial reports of this breach suggested that several other financial institutions may have been affected, and that checking and savings account information could have been compromised. So far, however, there is no evidence that other institutions were involved or that the thieves obtained a large amount of customer information.

Financial institutions are generally considered to have higher security protocols and measures in place than other types of businesses - so the news that hackers could have accessed a bank is both surprising and concerning to security experts. Hopefully, the results of the investigation prove otherwise.

Another recently publicized attack that is being investigated potentially affects Home Depot customers. Credit card companies have reported suspicious activity found on credit cards, with Home Depot being considered to be the source. If this ends up being the case, this attack may be even larger than the Target breach that was discovered late last year.

One of the biggest problems that I see with these credit card breaches is that they go undetected for so long. One of the articles reports that the breach of Home Depot may have begun as early as May of this year. Hopefully, stores are seeing these recent problems as opportunities to improve their security protocols - especially with regard to scanning and detecting potential breaches at point of sale systems.

Tuesday, August 26, 2014

Welcome!

A little bit about me...


Welcome to my information security blog!

My name is Dana, and I am a graduate student at Bellevue University. I am currently pursuing my Master's degree in Management of Information Systems with a concentration in IT Project Management.

I currently work as a Java developer, and an aspiring project manager. I received my CAPM certification earlier this year, and I am currently leading my first project.

My husband and I enjoy traveling in our free time - earlier this year we went on a three week trip to Europe. I had the pleasure of seeing France, Belgium, England, Denmark, Sweden, Finland, Russia, and Germany. I also enjoy making things - sewing, crafts, and even a little bit of DIY home improvement.


A little bit about security...


Security is very important to any computer system, and it is something that every company needs to address in today's world. On this blog, I hope to explore some current issues in information security and their implications.

Data breaches have become a fairly common news story in recent months - I personally have been contacted by several different companies because my information has potentially been compromised. It is hard to say if we will ever be able to fully protect information from unauthorized access; however, there are many things that companies can do to help prevent these breaches from happening.

All companies have undergone increased scrutiny due to these data breaches, which is ultimately good for everyone. It is likely that many companies are spending more money on protecting their information - but this is probably cheaper than the potential cost of a breach happening. Target, for example, is still struggling to recover from the costs associated with the data breach it incurred earlier this year as well as the lost revenue from a decrease in customer confidence.

Hopefully the news stories about data breaches will become fewer and farther between as companies place an increased importance on protecting their data and making sure that it is only accessible by authorized users.