
September 10, 2014
Quick Links
Home Depot credit card breach
Cloud Confusion - An easy way to think about what "in the cloud" means
Terminology - Kill Chain
Social Media Security - Tracking Through Cat Pictures
Scott's Upcoming Events
Other Interesting Stories...
Trend Micro Study Shows A Problem With Using Corporate Fines to Fight Security Breaches
According to this story, fines aren't doing as much to influence businesses on security as news stories. Read More...

Banking Trojans That Target SalesForce.com Users
Banking Trojans are malware infections that can do transactions without you knowing it. Attackers now look for new ways into corporate computers through business communities. Learn More...

Greetings!

Welcome to the new look for my newsletter for September, 2014, now called the Streetwise Security News (SSN). I aim to provide interesting and educational stories on a monthly basis, and I encourage you to share this newsletter with your friends and business associates.

See the list of topics on the left for a quick view of this issue's stories and content.

If you're not already a subscriber, and would like to sign up, please click HERE. You'll automatically receive a free copy of my Security Resource Guide that has links and source info for the tools I use on a daily basis.



Cheers,
Scott Wright

Home Depot Credit Card Breach - Another major retailer gets caught by smart hackers
What happened to Home Depot?

On Sept 2, 2014, the hardware store chain Home Depot admitted that it was investigating "suspicious activity" that might indicate that their network had been breached. However, they did not confirm that this was the case until September 8.


According to security blogger and reporter Brian Krebs, there are strong indications that the retailer's computer network had been breached, and that consumer credit cards were being sold on the black market in a manner very similar to what happened last year with the Target retail chain. We know that Target's "point-of-sale" (POS) devices at store check-out counters had been infected with malware that stole credit card numbers that were also put up for sale on the same website.



Click HERE for a video clip of the interview I had with CTV News when the breach was first announced.

Consumer Perspective - Why "Chip and PIN" credit cards may help reduce losses

If it turns out that the Home Depot credit card machines in stores were infected with malware, then there isn't much that you, as a consumer, could have done to protect yourself - other than shopping somewhere else. It's interesting to note that the use of "Chip and PIN" credit cards, which collect a PIN at the cash register, is a deterrent that makes it harder for hackers to do this - but perhaps not impossible. This technology tries to ensure that the card is present, and that the cardholder, who knows the PIN, is also present for the transaction.


In Canada, 90 percent of retailers use "Chip and PIN" cards. This should mean that, even if the POS terminal manages to steal the card numbers from a "Chip and PIN" transaction, the PIN should not have been stolen (since it is the chip on the card that protects the PIN). So, there is less likelihood that these card numbers can be re-used in future transactions without the cardholder having to enter the PIN.

However, it will be interesting to see if affected "Chip and PIN" cardholders are forced to renew their credit cards. If this is the case, then "Chip and PIN" may only be helpful to the credit card companies in reducing their losses - but this remains to be seen. The direct impact to consumers will be almost the same. Of course, when credit card company losses are higher, consumers will end up paying more anyway.

Would I still shop at Home Depot?

For the moment, yes I would. With the attention this breach is getting, Home Depot will likely be double-checking everything. Will the other hardware chains do the same? Maybe. But Home Depot is under the gun right now. The risk is part of the price we pay for getting the best price at big-box stores.

Business Perspective - Fool me twice, shame on me

For any retailer that processes credit cards in-store, it's becoming clear that it's not just online transactions that are at risk of data loss. If it is true that the same type of malware infection used in the Target attack was used against Home Depot, then this is an inexcusable loss. The security industry has known since early in 2014 how the Target breach occurred.


In something called a "Kill Chain Analysis", published HERE, it's clear that many simple security failures occurred in the Target network environment. As a result, the CEO of Target, Gregg Steinhafel, was fired. This should be a wake-up call to all executives that there is no excuse for not understanding security risks in their corporate networks.
Scott's Recent Blog Posts
From the Security Views Blog

Here's a recent extract from my blog...

What does "In the Cloud" really mean?

Sometimes we hear a term and, if we don't understand it, we just ignore it. When talking about computers and data these days, you hear a lot of talk about "in the cloud".

Many of us understand this to mean that the data magically rises up to the heavens and no longer takes up space on our devices. Some of us may think that "The Cloud" and "iCloud" are the same thing. (Hopefully not! - iCloud is just Apple's name for their service.)
Terminology - Kill Chain
Social Media Security
The Social Media Security Podcast - Episode 36 - Tracking You Through Your Cat Pictures

You knew it had to happen, sooner or later. Somebody has aggregated a whole bunch of cat pictures and used them to do something pretty creepy. Join Tom Eston and me for this fun-filled episode.

You can listen to this episode (and past ones) online by clicking HERE. Or you can subscribe to the podcast series on iTunes by clicking HERE.

Scott Wright's Upcoming Events
Streetwise Security Workshop for Consultants - Ottawa (Sept. 23, 2014)
Following on from the workshops I've been conducting for security managers, this event is designed specifically for consultants of all types. It's a fun, 3-hour event that discusses non-technical security issues related to the security of consultants' business information and that of their clients.
Just in time for National Cyber Security Awareness Month!

Conference Session: "Don't Spill Your Candy in the Lobby" - Countermeasure 2014 - Ottawa (October 16, 17)
In this Management Track session, I will be highlighting the kinds of tools and research attackers employ before launching social engineering and phishing attacks on individuals and businesses. If employees aren't careful about what they post on business or personal websites and accounts, attackers can use this information to create tricky phishing attacks - or what I call "Spilling your candy in the lobby".

Streetwise Security Tip - Don't check the "Save My Credit Card Details" box when shopping online

Many online merchant websites like Amazon, Target or Walmart will tempt you into checking a box that gives them permission to save your credit card details. They often say it will make checking out more convenient the next time you shop there. However, it also increases the risk to you that your card details will be exposed if their site is hacked by an attacker.
If you don't give your permission, merchants are not supposed to store the credit card details they use in a transaction. They can only pass them on to the credit card company. There is much less chance of your card data being exposed if you don't check the box.

National Cyber Security Awareness Month - It's coming!
Do you have the best of intentions, but...?

Every year at this time, security professionals say to themselves, "This year will be different. I'm going to DO SOMETHING for Security Awareness Month." Sadly, the opportunity slips by for many of us. It can start with something simple, like putting a placeholder in your calendar. But why not take a moment to reach out to others in your organization, or in your industry, to make something significant happen in recognition of the fact that, as the infamous hacker Kevin Mitnick once said:
"Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information."

There are many sources of news, data and trivia that can be used to add some awareness to your team's work environment.

I tend to like using games. In fact, I developed an HTML-based trivia game that looks like a well-known trivia game show board, with 25 multiple choice questions. The title, categories and questions are totally customizable, and it works great for kiosks and open houses. Soon, I hope to have new versions that can be hosted or accessed over a corporate Intranet. Click HERE for a quick video demo of the game.
(Note that the clip is a little out of date... I've been improving the look and feel, but it gives you an idea of how it works. I now call it the "Streetwise Security Awareness Game" - but you can give it whatever title you want.) 

Feel free to contact me if you'd like more information on the game, or if you have a new idea for an educational security game.
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note.

Sincerely,

Scott Wright
The Streetwise Security Coach
Security Perspectives Inc.



Copyright 2014. Security Perspectives Inc. All Rights Reserved.