The latest security vulnerability was uncovered last week, and the effects have been compared to the Heartbleed bug from earlier this year. This new bug, which is being referred to as 'Shellshock', has been uncovered in a commonly used piece of software called Bash.
Both Apple and Oracle are scrambling to release a fix for their users. Apple says that the majority of its users are not impacted by the bug; only its advanced users should be concerned. I was surprised to see an alert from GoDaddy related to my web hosting accounts early Saturday morning, stating that this bug may be affecting some of its hosting accounts.
Bash was created in 1987, and has been maintained by a software developer named Chet Ramey for the last 22 years. Mr. Ramey thinks that the vulnerability may have been introduced back in 1992 - 22 years ago. This bug is considered to be of high impact - hackers have the potential ability to entirely take over another machine. Additionally, it is considered to be a relatively easy bug to exploit.
As of today, patches have been released to help remove the vulnerability. If you utilize any Linux or Unix related systems, you should definitely make sure that your software is up-to-date. You should also be mindful of any hardware updates that may come up in the near future, such as for routers. Windows users shouldn't have anything to worry about, as the bug doesn't affect this system.
As soon as the bug was announced, hackers began to take advantage of the flaw. The patches truly couldn't come soon enough for many users. Most of these attacks have been denial-of-service attacks. While most larger companies are developing fixes and patching their systems, the concern is that smaller companies may not do the same as quickly.
A vulnerability such as this just goes to show you that no piece of software is safe; and the effects of one can be fast and widespread. Even software that was created nearly 30 years ago can be exploited.
Sunday, September 28, 2014
Friday, September 19, 2014
Home Depot makes history...not in a good way
Home Depot has confirmed the extent of its data breach this week, and the results aren't pretty...an estimated 56 million payment cards are predicted to have been compromised in the breach. This beats out the previous holder of the record - T.J. Maxx with an estimated 45.6 million compromised payment cards.
The investigation has shown that the self-checkout terminals in Home Depot stores were affected by malware, but the payment card readers in regular checkout lanes were not affected. If both had been compromised, this breach could have been much worse.
Home Depot has confirmed that the malware has been removed from its systems, and stated that they completed a major security project to encrypt the data at its sales terminals. They will also offer identity protection to those users who have been affected by the data breach.
Personally, I know of two credit cards that were used at Home Depot stores multiple times during the months identified - April through September. I have not received any notifications from Home Depot nor my credit card companies regarding this incident. Home Depot offers electronic receipts that are tied to the credit card that you use, so I know that they have a way of contacting me.
The worst part about this breach is that Home Depot could have potentially avoided these attacks by turning on a security feature that was already installed. Symantec offers an intrusion prevention feature in its software called Endpoint Protection, which was not enabled on Home Depot's systems. Security consultants hired by the company also recommended using an upgraded firewall, rather than the one provided with Windows. Neither of these recommendations were implemented by the company.
The data breach itself is expected to cost the company around $62 million; $27 million of which will be covered by insurance. Only the future will tell if this data breach affects the company's sales, especially given how much Target's sales were affected by it's data breach last year.
The investigation has shown that the self-checkout terminals in Home Depot stores were affected by malware, but the payment card readers in regular checkout lanes were not affected. If both had been compromised, this breach could have been much worse.
Home Depot has confirmed that the malware has been removed from its systems, and stated that they completed a major security project to encrypt the data at its sales terminals. They will also offer identity protection to those users who have been affected by the data breach.
Personally, I know of two credit cards that were used at Home Depot stores multiple times during the months identified - April through September. I have not received any notifications from Home Depot nor my credit card companies regarding this incident. Home Depot offers electronic receipts that are tied to the credit card that you use, so I know that they have a way of contacting me.
The worst part about this breach is that Home Depot could have potentially avoided these attacks by turning on a security feature that was already installed. Symantec offers an intrusion prevention feature in its software called Endpoint Protection, which was not enabled on Home Depot's systems. Security consultants hired by the company also recommended using an upgraded firewall, rather than the one provided with Windows. Neither of these recommendations were implemented by the company.
The data breach itself is expected to cost the company around $62 million; $27 million of which will be covered by insurance. Only the future will tell if this data breach affects the company's sales, especially given how much Target's sales were affected by it's data breach last year.
Sunday, September 14, 2014
Apple Pay: The Solution to the Data Breach Problem?
I don't think that anyone could ignore this week's announcements from Apple. One of those announcements involved Apple Pay. Before we talk about Apple Pay, I think that we need to define a few terms that have been discussed recently.
The first of these terms is NFC, or near field communication. NFC is a radio frequency that was designed to allow phones and other devices to transmit payment information to point of sale or other compatible systems. Many of our cell phones today are already equipped with NFC, and many payment terminals are too. NFC isn't necessarily a new technology, but it never really took off.
The next of these terms is EMV, which stands for Europay, MasterCard, and Visa according to Wikipedia. Here in the United States, the transition to using EMV credit cards has been pretty much non-existent; but if you travel over to Europe, you would see the technology in both their standard credit cards and payment terminals. EMV technology allows credit cards to store additional information in chips that are embedded in the card, which increases the security of the cards and how they are used. Cards that are embedded with chips usually require the cardholder to enter a pin number at the point of sale, which also increases security.
Now that we've gotten those out of the way, let's talk about Apple Pay. Other people have tried the same thing that Apple is - such as Google Wallet - and haven't been so successful. But, Apple is changing the game with a new spin on the same payment processing.
Apple Pay will allow you to store your credit cards in a virtual wallet on your iPhone by taking a photo. Then, you can select a primary credit card to be used. When you want to make a payment, you can place the device within range and payment data will be exchanged using NFC. Doesn't sound much different, right?
The game changer here is that Apple has made the process more secure, without adding any additional burden on either the user or the merchant. Apple Pay will work with existing systems, but will provide a one-time use credit card number for making purchases. This way, if a card number is stolen or recorded in some way - it can't be used again. Additionally, Apple verifies that you are the authorized user before storing the card, and requires the use of TouchID, which verifies that you are the owner of your device using your fingerprint.
Other merchants have unsuccessfully tried to implement virtual wallets by trying to be too involved in the process. Apple has tried to carefully place itself in the process, and doesn't require anyone to make changes while making the payment processing more secure at the same time.
Time will tell if Apple Pay will be a success - but with the backing of several different entities in the payment world, it seems like it might be the new and more secure way to make purchases at your favorite retailer.
Wednesday, September 3, 2014
This Week in Security: More Data Breaches
Unfortunately, it seems like the news is full of stories regarding data breaches lately. Several new potential data breaches have been reported over the last week or so.
The most concerning of these attacks is the suspected attack on J.P. Morgan Chase, which is still under investigation. Initial reports of this breach suggested that several other financial institutions may have been affected, and that checking and savings account information could have been compromised. So far, however, there is no evidence that other institutions were involved or that the thieves obtained a large amount of customer information.
Financial institutions are generally considered to have higher security protocols and measures in place than other types of businesses - so the news that hackers could have accessed a bank is both surprising and concerning to security experts. Hopefully, the results of the investigation prove otherwise.
Another recently publicized attack that is being investigated potentially affects Home Depot customers. Credit card companies have reported suspicious activity found on credit cards, with Home Depot being considered to be the source. If this ends up being the case, this attack may be even larger than the Target breach that was discovered late last year.
One of the biggest problems that I see with these credit card breaches is that they go undetected for so long. One of the articles reports that the breach of Home Depot may have begun as early as May of this year. Hopefully, stores are seeing these recent problems as opportunities to improve their security protocols - especially with regard to scanning and detecting potential breaches at point of sale systems.
The most concerning of these attacks is the suspected attack on J.P. Morgan Chase, which is still under investigation. Initial reports of this breach suggested that several other financial institutions may have been affected, and that checking and savings account information could have been compromised. So far, however, there is no evidence that other institutions were involved or that the thieves obtained a large amount of customer information.
Financial institutions are generally considered to have higher security protocols and measures in place than other types of businesses - so the news that hackers could have accessed a bank is both surprising and concerning to security experts. Hopefully, the results of the investigation prove otherwise.
Another recently publicized attack that is being investigated potentially affects Home Depot customers. Credit card companies have reported suspicious activity found on credit cards, with Home Depot being considered to be the source. If this ends up being the case, this attack may be even larger than the Target breach that was discovered late last year.
One of the biggest problems that I see with these credit card breaches is that they go undetected for so long. One of the articles reports that the breach of Home Depot may have begun as early as May of this year. Hopefully, stores are seeing these recent problems as opportunities to improve their security protocols - especially with regard to scanning and detecting potential breaches at point of sale systems.
Subscribe to:
Posts (Atom)