Thursday, November 13, 2014

Final Post

Throughout this semester, I have primarily focused on data security breaches. While this was not necessarily my intended path when I started, it was something that was commonly occurring throughout the semester.

There were several data breaches over the last few months, including J.P. Morgan Chase and Home Depot. Millions of consumer accounts have been compromised, and data includes everything from email addresses to payment card information.

I also explored some security vulnerabilities that came to light, including the "Shellshock" vulnerability and a Microsoft Windows vulnerability that allowed hackers to spy on several different institutions. If I were posting today, I would probably be posting about the latest Windows vulnerability - one related to Schannel.

I also explored Apple Pay, and how it could increase the security of payment card systems. Its competitor, CurrentC (which has not yet been released), was also the victim of a data breach.

Throughout my posts, I used a wide variety of sources - although they were primarily news outlets. I tried to identify facts that were presented by multiple sources before presenting them. As we know, everything that we read in the news isn't always true.

I think that this type of blog could be useful to an information security professional - it encourages exploration into things that you may not otherwise know about. It also helps to keep you up-to-date on what is happening in the security world - and things can change very quickly in this environment.

My best recommendation for the next group of students would be to get into the habit of looking at the news every day. It is something that will benefit you far beyond this class - current events are a great thing to keep informed about, and they can spark your curiosity and expand your knowledge when you start looking into the details.

Sunday, November 9, 2014

New Details about the Home Depot security breach

Today, I received an e-mail from Home Depot letting me know that my e-mail address had been compromised in their security breach. However, this e-mail stated that the stolen information was limited to only e-mail addresses, and did not include any other personal information or payment information.

In addition to the payment card information of 56 million customers being stolen, the e-mail addresses of 53 million customers were also stolen. In similar fashion to the Target breach, the hackers obtained access to the system through the security credentials of a third-party vendor. In this case, however, the hackers then had to perform a second exploit - and gain increased privileges for the stolen account. Once the hackers escalated their privileges, they were able to place their malware on the system, which targeted the self-checkout lanes within Home Depot stores.

The company is warning users whose e-mail addresses were stolen to be aware of phishing scams being sent through e-mail using the compromised addresses.

According to one source, the hackers exploited a zero-day vulnerability within Microsoft Windows. Companies and individuals have increased their security, making it more difficult for hackers to gain access directly. However, the hackers have moved on to exploiting the supply chain - third-party vendors are used by many companies for many different reasons. Companies should thoroughly investigate the vendors that they choose to use, and require them to maintain minimum security requirements. They should also reach out to current vendors, and ask for information regarding their security practices.

Unfortunately, it is likely that hackers will continue to gain access to systems until all companies become diligent about their security practices.

Sunday, November 2, 2014

CurrentC exposed; the battle continues

Some bad news for CurrentC this week, as their systems were hacked and the email addresses of their early adopters who are currently testing the system were obtained by the hackers. Luckily, no credit card or purchase information was taken - however, it still doesn't bode well for a technology that hasn't yet launched.

The debate continues regarding whether CurrentC or Apple Pay will come out ahead in this battle of the payment acceptance merchants. Apple has maintained a focus on security and privacy with its system, while CurrentC is more appealing to merchants. In bypassing the credit card merchants and taking payments directly, CurrentC merchants are able to avoid the usual 2 - 3% processing fee that is charged by Visa and Mastercard (and other payment processors).

CurrentC is also keeping the merchants happy by providing them with your transaction information - such as what you bought. Many of the retailers that have supported CurrentC have customer loyalty programs in place - which track what you buy and provide you with special offers based on your purchase history. Both CVS and Rite Aid - which have turned off their ability in stores to accept Apple Pay - have these types of programs in place. My guess is that the CurrentC platform would eliminate the need for shoppers' cards to be used in addition to your payment card - and make the transaction seamless.

Sounds like a great concept - but the effects of this could be far-reaching. In a world where big data has become so popular, CurrentC could theoretically aggregate this data across merchants - and get a picture of everything that you buy. Consumers already have privacy concerns related to these loyalty programs, and expanding the reach of these programs may benefit merchants; but this may also alienate consumers even more.

Many of the merchants participating in the CurrentC program were also hacked themselves this year. While the platform may be available to more consumers - those consumers may be much more wary about using it based on privacy and security concerns.