Home Depot Admits to Potentially Massive Data Breach

It wasn’t that long ago consumers were apprehensive about the risks of buying online. With the recent rash of retailers falling victim to point-of-sale malware, the tables may have turned. Last week Home Depot confirmed a potentially massive data breach and officially joined the ranks of Target, Neiman Marcus, P.F. Chang’s, Goodwill and other retailers that have been hit.

Signs indicate the hackers responsible for the attack belong to the same group that hit Target last year. Even the malware they used is a variant of the virus used against Target.

The Home Depot hack could go back as far as April, when security experts and financial institutions first linked stolen credit card data to compromised accounts of users who had made purchases from the chain.

This breach has the potential to touch even more consumers than the attack on Target. The Target breach affected 40 million cards. The number of cards affected by the Home Depot breach is unknown, but the home improvement giant is larger than Target and has more locations. Home Depot operates 2,266 stores, and their systems could have been compromised for up to four months during the busiest season for the home improvement market. In comparison, Target has 1,795 stores and their breach lasted just 21 days.

Home Depot is facing additional criticism because it appears they either ignored or were oblivious to the problem. The story was broken not by the company itself, but by security blogger Brian Krebs. Home Depot is already facing lawsuits from customers and financial institutions. The government has also gotten in on the action, with two Senators asking the Federal Trade Commission to probe the retailer’s systems and five states starting their own investigations.

Credit cards have not changed much in 50 years

The major challenge facing retailers is existing payment card technology itself. Credit cards have not changed much since they were introduced in the 1960s. They still use a magnetic strip that stores data in unencrypted format. More secure technologies are available, but the retail and payment card industries have been dragging their feet due to costs. The newer cards contain an embedded microchip, so they are more expensive to manufacture, and retailers must make expensive upgrades to their hardware.

Another issue for large retailers is the sheer size of their networks. There are many points of vulnerability, from unsuspecting employees who fall for a phishing attempt to logins used by vendors and suppliers. Once a hacker finds a way in, they can use lax permissions to move through the network, infecting vulnerable machines and gaining access to other stores. The Target breach was traced back to a single location.

While the exact details in the Home Depot breach are not yet clear, it’s unlikely the company will be the last victim. Hackers are undoubtedly working on the next generation of point-of-sale malware.

Learn more about the biggest retail hacking scandals in cyber security expert Scott Schober’s Retail Sector Security Report. Download the PDF HERE.

Leaked Nude Photos Expose Cloud Security Risks

BVS CEO & Cyber Security Expert, Scott Schober provides security details on Inside Edition

Last week’s leak of confidential celebrity photos has focused renewed public attention on the security risks of storing data in the cloud. The photos were originally posted on a seedy Internet site by an anonymous user, then reposted to other disreputable sites. Some of the victimized celebrities said the images were authentic but had been deleted a long time ago; others stated theirs were faked.

The original poster claimed the photos were taken from hacked iCloud accounts. A few simple account changes could have kept the victims’ accounts safe. Today we’ll look at what users can do to protect their cloud data.

Limit Login Attempts

It’s common for banks and other high-security web sites to lock user accounts after a few tries. If someone fails to enter the correct password, after 5 to 10 attempts the account locks and the user must call to have the account reset or wait a specific period of time before they can try again. Some sites make you turn on the feature and control the maximum number of attempts. Check the settings on your account and contact support if you have concerns.

In this case, iCloud did not have a limit on the number of attempts, so an attacker could use readily available software to try an unlimited number of passwords. Since the nude photo story broke, Apple has patched this vulnerability, but the same weakness remains at many sites holding confidential information.
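As an added example (not code from the post, and not Apple’s), this Python sketch implements the lockout the post describes: a handful of failures within a window locks the account for a set time, and even the correct password is refused until the lock expires. The thresholds, the credential store and the fake clock are constructed for the example; the clock is injected so the behaviour can be checked without waiting.

```python
import time


class FakeClock:
    """Deterministic clock for the demo (constructed, not from the post)."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LockoutPolicy:
    """Lock an account after too many failed logins, then make it wait.

    Thresholds follow the post's description (a few attempts, then a forced
    wait); they are illustrative, not any real service's settings.
    """

    def __init__(self, max_attempts=5, window_seconds=900, lockout_seconds=1800, clock=time.monotonic):
        self.max_attempts = max_attempts      # failures tolerated inside the window
        self.window_seconds = window_seconds  # failures older than this are forgotten
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so behaviour is testable
        self._failures = {}                   # account -> list of failure timestamps
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # The wait is over: drop the lock and the history that caused it.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Note a wrong password; returns True if this failure locked the account."""
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(policy, credentials, account, password):
    """Return 'locked', 'ok' or 'denied'.

    `credentials` maps account -> password and stands in for a real credential
    store (constructed). The lock is checked before the password, so a correct
    guess is refused while the account is locked and gives the guesser no signal.
    """
    if policy.is_locked(account):
        return "locked"
    if credentials.get(account) == password:
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "denied"


def demo():
    """Five wrong guesses lock the account; even the right password must wait it out."""
    clock = FakeClock()
    policy = LockoutPolicy(max_attempts=5, window_seconds=900, lockout_seconds=1800, clock=clock)
    credentials = {"alice": "correct horse battery staple"}
    outcomes = []
    for guess in ["guess-1", "guess-2", "guess-3", "guess-4", "guess-5"]:
        outcomes.append(attempt_login(policy, credentials, "alice", guess))
        clock.advance(1)
    outcomes.append(attempt_login(policy, credentials, "alice", "correct horse battery staple"))
    clock.advance(1800)   # wait out the lockout period
    outcomes.append(attempt_login(policy, credentials, "alice", "correct horse battery staple"))
    return outcomes       # ['denied'] * 5 + ['locked', 'ok']


if __name__ == "__main__":
    print(demo())
```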

Enable Two-Factor Authentication

Many hacks occur when the victim’s email account is compromised. The hacker can find sites where the victim might be a member by reading old messages, then go to the site and request a password reset. If a site uses single-factor authentication by email, the hacker can then reset the victim’s passwords and access their accounts on those sites.

Many cloud-based services and secure sites offer two-factor authentication. For example, when a user requests a password change, the service may send an authentication email to their address and text a security code to their cell phone. Two-factor authentication is more secure, because a hacker would need access to both the victim’s email and their cell phone.

Two-factor authentication adds an extra step to the process, so some sites offer it as an option. Users must enable it manually. iCloud had it as an option, but at the time the pictures were released it was not enabled by default.

Select Secure Security Questions

When a user sets up their account, the site may ask them to pick a security question in case they forget their password. Common questions include “What high school did you attend?” or “What was the name of your first pet?” If everyone in the user’s social network knows they went to Riverdale High and their first pet was Fluffy, the user should select a different question. Better yet, create unique passwords or gibberish answers to the questions. This will ensure no one but you will ever be able to get past this security checkpoint. Just be sure to remember or note your answers somewhere for future reference.

Deleted Doesn’t Mean Gone

Just like deleting a file from a computer doesn’t remove it from the hard drive, deleting a picture from a phone doesn’t necessarily mean it’s gone forever. With many cloud services, the device will automatically upload pictures and deleting them off the device may not delete them from the cloud. Another potential source of concern is the server backups. Some companies store backups for years, and hackers could access those backups if they’re not adequately protected.

Ultimately, keeping sensitive data and photos private is up to both the user and the company running the service. For the moment, it’s best to remember online security is not absolute. If you want to keep data private, keep it offline.

‘Backoff’ Retail Malware Threat Even Worse than Expected

Backoff Malware

Just a few weeks ago the Department of Homeland Security issued a warning to retailers about Backoff, the point-of-sale malware responsible for the massive payment card security breach at Target during last year’s holiday season. The initial report indicated up to 600 retailers were affected, but on August 22nd the DHS issued another advisory that stated the scale is much larger. The Secret Service estimated over 1,000 businesses of all sizes have been victimized by variants of Backoff.

Backoff Basics

The days of the simple mechanical cash register are long gone for all but the smallest retailers. The registers most retailers use are actually Windows computers running point-of-sale (POS) software. They are networked and connected to the Internet so they can verify payment cards and checks. Like any computer, they are vulnerable to attack by malicious software and hackers.

The Backoff malware takes advantage of a vulnerability in the process used to read and validate payment cards. The customer’s information is stored in unencrypted format on a magnetic strip on the back of the card. When a customer swipes their card at checkout, the card reader transmits the data to the computer. The POS software will then encrypt the information and send it to the payment card processing company for verification.

Backoff can read the POS computer’s physical memory and record the payment card data before it is encrypted. It uses its own encryption on the data and sends it to servers the hackers can access. The hackers either sell the data to other criminals through black market channels or use it to make purchases themselves.

Moving Payment Cards Forward

There is little consumers can do to protect themselves at the moment except pay with cash or checks. These payment methods are more costly for retailers to handle and come with their own complications.

The only solution is to move away from magnetic strip cards and toward other methods of payment. Companies are experimenting with digital wallets and other smartphone-based payment systems, but they have yet to see widespread acceptance.

With the Europay-Mastercard-Visa system, or EMV, payment data is encrypted and stored on a microchip.

The system that’s most like the payment cards consumers are already familiar with is the Europay-Mastercard-Visa system, or EMV. It uses the same plastic cards, except the payment data is encrypted and stored on a microchip. The credit card industry has set a deadline for retailers to move to EMV cards by the end of 2015, but the equipment required is expensive. A retailer could pay up to $1,000 per register, leading many to drag their feet due to the cost.

The cost of a security breach is much higher. Target estimated costs associated with the breach had reached $148 million in the second quarter of 2014. The cost of the damage to the company’s reputation, brand and corporate image is harder to calculate. Unless more retailers want to follow in Target’s footsteps, they must leave magnetic payment cards behind.

Follow every major phase of the Target retail security breach along with my insights. Download my RETAIL SECTOR PDF for all the major retail security stories in 2013 and 2014.

Is Your E-ZPass Spying on You?

E-ZPass is a type of RFID device called an electronic toll collector (ETC). Instead of waiting in line at the toll booth while the driver ahead of you searches for loose change, you simply drive on through. A wireless transponder activates the ETC, reads the ID number and the transportation department debits your account. ETCs are currently available in 22 states, with more adding them every year. They’re popular and certainly convenient, but are they a threat to the user’s privacy? Most ETCs don’t give the user any indication when they’re being read, and at least one state has admitted to using ETCs for other purposes.

New York E-ZPasses Are Milked for Information

Last year a hardware hacker in New York going by the handle ‘Puking Monkey’ wired up his E-ZPass to trigger a signal light and a mooing toy cow. The E-ZPass draws 8 µA of power while at rest, but 0.3 mA while being read. When the draw increased, the LEDs would light up and the cow would moo. He found multiple sites in and around NYC where the E-ZPass transponder was being read but there were no tolls.

ETCs are placed throughout many major cities

When the media contacted the New York Department of Transportation, a spokesperson claimed the data was used to provide real-time traffic information, estimate travel times and reduce congestion. According to the E-ZPass Interagency Group, which oversees ETCs in 15 states, New York is the only state that has been using the passes outside of collecting tolls. It’s worth noting that some states have their own ETC systems and might also be using them to track motorists without their knowledge.

ETC Users Will Soon Be Able to Rest Easy

Puking Monkey had to open his E-ZPass and do the wiring himself, but most ETC users don’t have the technical know-how to create their own alarm system. In many states, the user doesn’t own the ETC device and must return it if they leave the program.

BVS’ Detect-A-Pass keeps security conscious drivers in the know

But security-conscious ETC users will soon be able to purchase an off-the-shelf solution from BVS. We’re working on a new product that will let them know when their ETC is transmitting, without making alterations to the hardware.

Contact sales@bvsystems.com for more information.

Source:

http://m.authorstream.com/presentation/pukingmonkey-1903125-road-less-surreptitiously-traveled/ (E-ZPass info starts on page 84)

Car Remote Key Fobs Prove Vulnerable to Hackers

WATCH VIDEO HERE

Remote door locks are a convenience to the driver, but they could also offer thieves a convenient way to break in. When you press a button on your car’s key fob, it uses radio waves to send a series of codes to a receiver inside the vehicle. If the codes match, the car accepts the input. The problem is criminals could use off-the-shelf equipment to crack the codes and unlock the vehicle.

Silvio Cesare at the Black Hat Security Conference

At the Black Hat Security Conference earlier this month, Australian security researcher Silvio Cesare showed a video demonstrating the security flaw, unlocking his girlfriend’s car in just a few minutes. The hack disables the alarm and leaves no evidence for police, and the victim’s key fob will still function after a few repeated presses. Most victims would probably assume the battery in the fob is simply going dead.

While he’s only tried the hack on one car, automakers tend to use the same parts and technology across different models, meaning other cars are probably carrying the same vulnerability. While Cesare would not share the specific make and model, the video does show the car and a variant of the vehicle was sold in North America.

Cesare’s method does have some drawbacks that limit its appeal to thieves. Remote key fobs have used rolling codes that change every time the user presses the button since the 1990s, and the process of cracking the active code can take up to two hours. However, cars spend most of their time parked and idle. If the car sits overnight in a driveway or deserted parking lot, a thief would have ample time to break in.

Cesare used a software-defined radio, a device that can send and receive wireless signals on a wide range of frequencies, to capture and transmit the signals. Along with a laptop and an inexpensive amplifier and antenna, the equipment cost approximately $1,000.

Thieves who simply want to take a car or steal something inside will probably opt for simpler and more direct methods like a slim jim or the old smash and grab. In some cases criminals might want to commit a crime using a method that doesn’t leave evidence for the victim to find, such as wiring a car bomb or attaching a GPS tracking device.

Car thieves might already be using similar technology. Last year CNN reported police were stumped by a rash of car thefts caught on tape showing thieves using mysterious black boxes to unlock the vehicles. We’re not sure if these devices use the same technique as Cesare, but as prices fall the equipment he used will become more available to criminals.

Source:

http://www.cnn.com/video/data/2.0/video/us/2013/06/21/newday-pkg-lah-high-tech-car-theft.cnn.html

5 Security Tips To Stay Safe From Russian Hackers

On August 5th the New York Times announced the largest known theft of online login credentials. A group of Russian cyber criminals has amassed stolen usernames and passwords from over 1.2 billion accounts and 524 million email addresses. The data was uncovered in an 18-month investigation by a Milwaukee-based company called Hold Security. According to their report, the criminals got the information from over 420,000 sites of all sizes, many of which remain vulnerable.

Here are five things you can do to help ensure your information stays safe in the future.

1. Don’t use the same login information on multiple sites.

So far it appears the hackers have only used the stolen credentials to send spam on social media sites, but people often use the same usernames and passwords on other sites. According to the Internet security firm Symantec, the average user has 26 password-protected accounts but only five passwords. If you use the same login credentials on your bank’s web site or at online retailers that store credit card information it’s like leaving the front door of your house wide open.

2. Protect your email password.

Email is so commonplace that we almost forget about it, but criminals can use your email account to wreak all sorts of havoc. If you’ve ever received an email from your bank or clicked a “forgot password” link on another site and forgotten to delete the message, anyone with access to your email account will know you have an account on that site. Criminals can also glean personal information from your email account and use it to commit identity theft. Treat your email password as you would any high-security account.

3. Practice secure password policy.

Choose passwords that are difficult to crack. Do not use passwords based on personal information such as a child or pet’s name, your birthday or the school you attended. In today’s online world of social media, this information may not be as private as you might think. Choose a password that is at least 12 characters long and has a mix of numbers, symbols and uppercase and lowercase letters.

Symantec also found 38% of users would rather clean a toilet than make a new password, but secure passwords don’t have to be difficult to create and remember. Acronyms of phrases make excellent passwords that stay with you.

4. Change your passwords often.

Many of us are guilty of not changing our passwords often enough. Remember, there are many security breaches that go unnoticed or unreported. Make it a practice to update all your passwords at least every six months.

5. Be wary of follow-up scams.

Hackers often use compromised email and social media accounts to commit phishing scams, since people are more likely to open an email attachment or click a link in a message sent from a trusted source. Never open a link or email attachment you weren’t expecting, even if it supposedly came from someone you know.

Homeland Security Warns of Retail Malware Threat

As banks and financial institutions have become harder to break into, cyber criminals have increasingly turned to targeting retail operations. According to an advisory issued last week by the DHS, the malware family known as Backoff has been identified in three forensic investigations of large-scale Point-of-Sale (POS) data breaches.

The malware reads credit and debit card information from the infected computer’s memory before it can be encrypted for verification. Backoff attaches itself to an essential Windows executable file and is very difficult to detect; the report indicated it is almost undetectable by current virus definitions.

While the antivirus software companies work on a solution, here are a few things you can do to keep Backoff away from your business.

Disable or remove remote desktop applications

Backoff targets computers running programs like Apple Remote Desktop, Chrome Remote Desktop and Splashtop 2. If your IT staff needs to use these programs for troubleshooting or updates, have them disable or remove the programs when they are finished. Leaving them installed and active lays out the red carpet for data thieves.

Monitor outside connections coming into your network

Once the criminals find a vulnerable system, they usually attempt to break in using brute force. They use automated software to try common usernames and passwords until they hit a match. Monitor your network traffic for unfamiliar IP addresses and unusually high numbers of external connections or login attempts.
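To make the advice above concrete, here is an added Python example (not from the DHS advisory or the post) that parses constructed remote-login log lines and flags source addresses showing a burst of failed logins, a success that follows failures, or a success from an address not on a list of expected support and vendor hosts. The log format, the known-source list and the TEST-NET addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example, not any real remote-desktop product's:
#   "<YYYY-MM-DD> <HH:MM:SS> LOGIN <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Addresses remote support is expected from (constructed, TEST-NET range).
# Anything else is an "unfamiliar IP address" in the post's sense.
KNOWN_SOURCES = {"203.0.113.5"}


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["result"], m["user"], m["src"])


def analyze(lines, threshold=10, window=timedelta(minutes=5), known=KNOWN_SOURCES):
    """Flag source addresses whose login behaviour matches the brute-force pattern.

    Returns {src: sorted reason strings}. A source is flagged when it produced
    `threshold` or more failures inside any `window`-long span, logged in
    successfully after failing, or logged in successfully from an unknown address.
    """
    failures = defaultdict(list)   # src -> failure timestamps
    users = defaultdict(set)       # src -> usernames attempted
    successes = defaultdict(list)  # src -> (timestamp, user) of successful logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # unrelated or malformed line
        ts, result, user, src = rec
        users[src].add(user)
        if result == "FAIL":
            failures[src].append(ts)
        else:
            successes[src].append((ts, user))

    findings = defaultdict(list)
    for src, stamps in failures.items():
        stamps.sort()
        # Sliding window over sorted timestamps: do any `threshold`
        # consecutive failures fall within `window`?
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings[src].append(
                    f"{len(stamps)} failed logins ({len(users[src])} usernames tried) within {window}"
                )
                break
    for src in successes:
        if src in failures:
            findings[src].append("successful login after failed attempts")
        if src not in known:
            findings[src].append("successful login from unfamiliar address")
    return {src: sorted(reasons) for src, reasons in findings.items()}


def sample_log():
    """Constructed log lines: a password-guessing burst, an expected vendor, an unknown host."""
    fmt = "%Y-%m-%d %H:%M:%S"
    base = datetime(2014, 8, 12, 2, 13, 0)
    names = ["admin", "administrator", "pos", "manager"]
    lines = []
    for i in range(12):            # 12 failures in under two minutes from one address
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.strftime(fmt)} LOGIN FAIL user={names[i % 4]} src=198.51.100.7")
    lines.append(f"{(base + timedelta(seconds=130)).strftime(fmt)} LOGIN OK user=pos src=198.51.100.7")
    lines.append(f"{(base + timedelta(hours=3)).strftime(fmt)} LOGIN OK user=hvac-vendor src=203.0.113.5")
    lines.append(f"{(base + timedelta(hours=5)).strftime(fmt)} LOGIN OK user=pos src=192.0.2.9")
    lines.append("2014-08-12 05:15:00 heartbeat ok")   # unrelated line, must be ignored
    return lines


if __name__ == "__main__":
    for src, reasons in analyze(sample_log()).items():
        print(src, "->", "; ".join(reasons))
```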

Require strong passwords for all accounts

Weak passwords are easy to crack. Strong passwords should be at least 12 characters and have a mix of uppercase and lowercase letters, symbols and numbers. Some systems use two passwords, the user’s normal password and a single-use password sent via another route such as text messaging.

Educate your users about email security

Don’t forget many security breaches start with simple phishing scams. Caution your users not to click on any email link or attachment they weren’t expecting, even if it’s from someone they trust. If they receive a suspicious email, have them contact the source directly to make sure it’s legitimate.

Safeguard your point-of-sale computers

Your POS computers should have their own network isolated from other computers, and they should only run software directly related to POS functions. The criminals responsible for the Target data breach last November stole their login credentials from an HVAC subcontractor that had also done work for other large retailers. Businesses often give HVAC companies network access to monitor heating and cooling equipment. Since the POS machines ran off the same network, the criminals were able to access them and install their malware.

What’s next?

Now that Backoff has been discovered, it’s certain antivirus software companies are hard at work on finding ways to neutralize it so it won’t remain undetectable for long. But retailers shouldn’t be lulled into a false sense of security. Malware developers aren’t standing still either, and there are always new threats on the horizon.

Top 4 Security Drawbacks of BYOD

BYOD Security Concerns

Many organizations have allowed or encouraged employees to use their own smartphones and tablets on the job. The process is called bring your own device, or BYOD. It’s popular with workers and saves the employer money on equipment costs. However, BYOD has drawbacks that concern security experts.

Last week the Information Security Community on LinkedIn and Internet security firm Vectra Networks released the results of their second annual BYOD & Mobile Security Study. The study involved polling more than 1,100 IT security experts on their top BYOD security concerns.

1. Loss of Company or Client Data

The biggest fear of any IT security professional is losing confidential data. Smartphones and tablets are basically handheld computers and malicious individuals can use them to steal information and cause damage to your corporate systems.

2. Unauthorized Access to Company Data and Systems

With workers bringing their own equipment, the process of administration and granting access is more complex. In addition to workers, the company may also have clients and contractors that need access using their own devices.

3. Mobile Malware

Viruses, worms and Trojans aren’t limited to computers anymore. The open structure of the Android operating system and the lax screening policy on the Google Play Store makes it a prime target for malware programmers. Antivirus and Internet security developer Symantec has called Android a “malware magnet.”[1] Apple maintains a tighter control on iOS apps, but the iPhone and iPad are not immune from malware either.

4. Installed Apps with Security Flaws or Suspect Permissions

Even if an app isn’t outright malware, it can have built-in security flaws. In April 2014, Fiberlink released the results of a survey of BYOD users that found 83% had 10 to over 100 apps installed on their devices.[2]

It’s highly likely that many of these apps have not been tested for security and compatibility with the employer’s systems. Apps that use advertising to generate revenue often use third-party mobile ad services that add another layer of potential security problems. Many apps have permissions that allow them to share information that may be sensitive with the developer. For example, a game or social media app the user installed on impulse could share the user’s contact list or call history.

Even if your company has not embraced BYOD, it still needs to address the use of personal mobile devices. The BYOD & Mobile Security Study found 21% of organizations that have no BYOD support acknowledge employees are using their own devices for work-related tasks anyway.

[1] http://www.cbronline.com/news/security/symantec-google-android-is-a-malware-magnet-4324588

[2] https://blog.cloudsecurityalliance.org/2014/07/21/survey-finds-byod-devices-cluttered-with-mobile-apps/

Wiping Your Old Android Device Isn’t Enough

The average user’s upgrade cycle for smartphones and tablets is around two years. If the old device is still in good shape once the user upgrades, individual users and small businesses usually sell it or pass it along to someone else. Big companies send obsolete devices to companies that specialize in recycling end-of-life electronics. Most users just perform a factory reset before sending the device on its way and assume their data is gone, but a recent finding by security software company Avast shows that this assumption is false.

Avast employees purchased 20 used smartphones from eBay and used readily-available data recovery software to browse through the wiped devices using a PC. They were able to recover over 40,000 photos, 750 messages and 250 contacts. They also managed to identify four previous users and found a completed loan application with enough information to perpetrate identity theft.

Why wiping your device doesn’t delete your data

The factory reset or wipe feature on an Android device doesn’t actually remove the data from the device’s storage. When it comes to deleting files, the system Android uses is very similar to the hard drive on a computer. It uses an index of pointers to keep track of the location of different files. When you wipe your device, the operating system only resets the pointers and marks the space open for overwriting. The actual information is still present until the device overwrites the space. Until then, anyone with access to the device, a computer, a data cable and the right software can find and open the deleted files.

How to make sure your information is gone for good

1. Enable Encryption on Your Device

Google has included a standard encryption feature since Android 3.0. When you encrypt the device before wiping it, the device prompts you to set an encryption key. Without the key the information is unreadable. The default location for this setting in stock Android is Settings > Security > Encryption. Device manufacturers and developers can customize Android to their own specifications, so check the manual or contact support if you can’t find it.

2. Save personal files on a removable memory card

If your device has a memory card slot, use a microSD card to store your photos, videos and other personal files. When you remove the memory card, the data goes with it.

3. Load junk data

After wiping your device, use a computer to transfer files into the memory and fill up the available storage space. Any large file without sensitive information will work. After the transfer is complete, wipe the device again. Doing this will overwrite your personal files, so anyone trying to browse through them will only find the junk files.

4. Install adequate security software

Avast has a vested interest in pointing out the problem, because they provide a free Android app that lets you secure your device and permanently delete the data. For an added fee there are other useful services, such as remotely wiping the data in case you lose the device. They aren’t the only game in town, so browse through the Google Play store and choose an app that fits your needs.
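As an added example (not from the post or from Avast), this Python simulation models what the post describes: storage as blocks plus an index of pointers, a factory reset that only clears the index, the junk-data fill of step 3 that overwrites the blocks, and an encrypted device (step 1) whose residue is unreadable once the key is gone. The block size, the toy SHA-256 keystream standing in for the device’s real encryption, and the “loan application” contents are all constructed.

```python
import hashlib

BLOCK = 16  # bytes per storage block (toy size, constructed for the example)


def keystream(key, block_no, length):
    """Per-block keystream from SHA-256(key || block number || counter).

    A stand-in for the device's real encryption so the model stays
    self-contained; it is not how Android implements it.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + block_no.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class ToyFlash:
    """Block storage plus an index of pointers, as the post describes the device.

    Files occupy blocks; the index (name -> block numbers) is the only thing a
    'factory reset' clears, so block contents survive until something overwrites them.
    """

    def __init__(self, n_blocks, key=None):
        self.blocks = [bytes(BLOCK)] * n_blocks
        self.index = {}          # filename -> list of block numbers
        self.key = key           # None models an unencrypted device

    def _free_blocks(self):
        used = {b for blocks in self.index.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def _xform(self, block_no, data):
        """Encrypt/decrypt one block (XOR with keystream); identity when unencrypted."""
        if self.key is None:
            return data
        return bytes(a ^ b for a, b in zip(data, keystream(self.key, block_no, len(data))))

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("device full")
        self.index[name] = free[:len(chunks)]
        for blk, chunk in zip(self.index[name], chunks):
            self.blocks[blk] = self._xform(blk, chunk.ljust(BLOCK, b"\0"))

    def read(self, name):
        return b"".join(self._xform(b, self.blocks[b]) for b in self.index[name]).rstrip(b"\0")

    def factory_reset(self):
        """Resets the pointers and (on an encrypted device) discards the key; data blocks stay."""
        self.index = {}
        self.key = None

    def carve(self, needle):
        """What recovery software does: scan raw blocks for a string, ignoring the index."""
        return needle in b"".join(self.blocks)

    def fill_with_junk(self):
        """Step 3 of the post: write one big non-sensitive file until the device is full."""
        self.write("junk.bin", b"J" * (BLOCK * len(self._free_blocks())))


def demo():
    """Compare a plain reset, a reset followed by a junk fill, and an encrypted device."""
    secret = b"LOAN APP SSN 123-45-6789"   # constructed sensitive content
    needle = b"123-45-6789"
    results = {}

    plain = ToyFlash(8)
    plain.write("loan.txt", secret)
    plain.factory_reset()
    results["plain_after_reset"] = plain.carve(needle)        # True: only the index was cleared
    plain.fill_with_junk()
    plain.factory_reset()
    results["plain_after_junk_fill"] = plain.carve(needle)    # False: every block overwritten

    enc = ToyFlash(8, key=hashlib.sha256(b"user passcode (constructed)").digest())
    enc.write("loan.txt", secret)
    results["encrypted_readable_with_key"] = enc.read("loan.txt") == secret   # True
    enc.factory_reset()
    results["encrypted_after_reset"] = enc.carve(needle)      # False: residue is ciphertext
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```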

When you decide it’s time for an upgrade and want to dispose of your old Android device, don’t just wipe it and consider the job done. Take a few minutes to clear the data the right way and you won’t have to worry about the new owner getting your personal information.

TSA Bars Dead Electronics from Certain Incoming International Flights

On July 6th the United States Transportation Safety Administration announced passengers flying into the U.S. from Europe and the Middle East will soon have to power on their cell phones and other electronic devices. If the device will not power on, it won’t be allowed on the plane. The TSA has required international passengers to power on laptops for many years, but until Sunday smaller electronics were exempt.

While the TSA has stated there’s no specific threat, the administration is concerned that terrorists may hollow out the devices and use them to conceal explosives. It’s not as farfetched as you might think. In 1988, Pan Am Flight 103 was brought down by a bomb hidden in a cassette player. Cell phones were also used to detonate explosive devices on public transportation in Europe in 2004 and 2005. Since then explosives have gotten smaller and harder to detect.

Here’s a list of things you can do to make sure your cell phone can come on the flight with you once the new rules go into effect:

  • Make sure your phone is charged prior to arriving at the airport. Don’t count on being able to charge your phone while you’re there. Available outlets are few and far between at many airports and competition can be fierce.
  • If your phone has a replaceable battery, carry a spare and keep it charged.
  • Invest in a portable battery pack or battery case. They provide extra power, even to phones with sealed batteries. If you carry a laptop, you can use it as a portable battery in a pinch.
  • Carry your charger and extra cables in your carry-on bag. A portable power source won’t do you much good if you can’t connect it to your phone.
  • Turn off your phone or use airplane mode when you don’t need to make or receive calls. Many phones have trouble picking up a signal at airports due to radio interference, and while the phone is searching for service the battery drains much faster. You may find your phone has gone dead during a long layover.

Right now the changes only apply to passengers on international flights coming into the United States, not passengers on domestic flights. However, that could change at any time. All it took was one person with bombs in his shoes for the TSA to require everyone to remove their footwear at security checkpoints.