A few security lessons from the Target breach

A few security lessons from the Target Breach by Susan Bradley, WindowsSecrets.com

The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.

Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.

I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.

These days, every time I swipe my credit card on a point-of-sale system, I think to myself: “Is this vendor doing all they can to keep me safe?” Retail companies believe they are; claiming that by following the Payment Card Industry (PCI) standards, they’re doing all they can to keep customer credit-card information safe. But I’m not convinced — especially in the U.S. European credit cards are considered more difficult to hack because they use an onboard security chip rather than the magnetic stripe common on U.S. cards.

This is so true! The article covers some great topics regarding malware designed to attack retail point-of-sale systemsWhen fishing, go for the biggest catch, and Ways to help protect yourself from POS attacks. 

Must read article.

There is also another excellent article from Wired.com that is also a must read:

Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again by Kim Zetter – Wired Threat Level

A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team eventually were caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?

Oh, and just in case you have forgotten them all, here is a list of all the others:

Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard.

BOLD emphasis mine.

Again, much more in the must read article including sections; What the Target Thieves GotInherent Flaws In the System, and the most telling section, Retailers Oppose Tougher Standards.

And as if that wasn’t bad enough, just yesterday on January 25th, Michael‘s too:

Sources: Card Breach at Michaels Stores by Brian Krebs – KrebsOnSecurity.com

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

I think Gartner’s analyst Avivah Litan’s quote in the January 17 2014 Wired Threat Level article was spot on:

“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

Often these days, I will get cash from the bank and use that instead of the card if I plan on visiting any retailers that have been a part of a security breach, which sadly leaves few you can actually feel comfortable using your credit/debit cards online and off.

I wonder how many others will do the same rather than chance the annoyance, the fear of loss of your hard earned money, the frustration of being without a card while it’s replaced when they disable the current one that’s compromised in a security breach or is used in a fraudulent transaction after a breach (even if it’s limited to $50 or whatever, that’s really not much help for the anxiety it puts people through), and finally of course dealing with the aftermath of your information being at large and the potential of someone using that information to impersonate you…believe me, a 6 month or 12 month credit monitoring does not help that much, or help you sleep at night knowing all that information being out there could be used to do as more and more of your information is made available through these breaches.

If retailers and credit/debit card companies want our ‘faith’ in them, and have us get the warm fuzzies regarding them being responsible enough to be trusted with other people’s money, they need to do what’s needed to get that faith back. Period.

And skimping on it like they did in 2005 won’t cut it, nor will the PCI compliance standards and the blame game. Something really needs to be done about this. People need to feel comfortable using credit/debit cards or they will go the way of the dodo.

Fix the problem, not the blame.*

Thanks to the movie, Rising Sun for the quote.

BTW: Might want to check out the Privacy Rights Clearinghouse and their page on data breaches since 2005. There have been quite a few more than just those noted in this posting!

EDIT 1-26-2014 8:508PM: @SecurityGarden posted the following and linked to this article; Exclusive: FBI warns retailers to expect more credit card breaches – Reuters:

@SecurityGarden Status regarding expanding on this posting on the security breaches

@SecurityGarden Status regarding expanding on this posting on the security breaches

Advertisements

XP SP3 and Office 2003 Support Ends April 8, 2014

Windows XP has been around since August 24, 2001 – 12 years ago now. It is getting VERY long in the tooth.

Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

Like many Operating System versions, Windows XP was not such a great OS in the beginning. BUT, like many Microsoft products, it got better after Service Pack 1 (SP1), but wasn’t the best it could be till after Service Pack 2 (SP2) and mildly better after Service Pack 3 (SP3). SP3 is the current version of Windows XP.

I loved Windows XP for a long time, even though it was getting long in the tooth. But I have come to love Windows 7 even more. Windows 8 … the jury is still out. For me I use several different operating systems. I also love and use Mac OS X or just OS X (as it is called now) and Debian Linux.

Windows XP has been on life support or Extended Support since April 8, 2009 when Mainstream Support ended. That was after two says of execution as it were since it was supposed to be ended earlier than 2009.

Windows XP has been the main stay for many folks for a long time in the Windows world — the last 12 years. That’s a long time for an Operating System version.

Windows XP still holds the #2 spot at 31.24% of computer users as shown below in the graph from NetMarketShare.com:

NetMarketShare.com Operating System Breakout - November 1, 2013

NetMarketShare.com Operating System Breakout – November 1, 2013

Windows 7 holds the #1 spot for a very good reason. It is still the best of the newer Operating Systems from Microsoft to date — in my opinion and nearly half of all Windows users to date. And Windows 7 is still good to go until January 14, 2020 (end of Extended Support – it is still in Mainstream Support until January 15, 2015). Here’s the break out of the Windows lifecycle fact sheet info:

Windows Life Cycles from the Windows Life Cycle Fact Sheet

Windows Life Cycles from the Windows Life Cycle Fact Sheet

I have said all this because we need to see where were are, and where we need to be as computer users, particularly as Windows users with April 8, 2014 looming over those of us still using Windows XP.

Especially in the light of the pervasive malware purveyors out there today.

We need to make sure we are all no longer using Windows XP of any kind before or at least by April 8, 2014 when Microsoft will no longer be providing ANY security updates for Windows XP.

A few years back they did the same thing with Windows 2000. It’s now Windows XP’s turn.

Please read the following articles to see why this will be very important:

Windows XP infection rate may jump 66% after patches end in April – Computerworld

Microsoft yesterday again put the scare into Windows XP users, telling them that after April 8, 2014, the chance that malware will infect their PCs could jump by two-thirds.

Windows lifecycle fact sheet – Microsoft.com (image above)

New stats show Windows 8 usage up sharply as XP usage plummets – ZDNet (for curiosity though, look at the difference between the table on ZDNet’s article and the one today).

NetMarketShare (choose Operating Systems from the dropdown to see the chart above in real time)

Gartner Says Worldwide PC, Tablet and Mobile Phone Shipments to Grow 4.5 Percent in 2013 as Lower-Priced Devices Drive Growth – Gartner.com

Source: Gartner Oct 2013 - Worldwide Device Shipments by Segment

Source: Gartner Oct 2013 – Worldwide Device Shipments by Segment

It would appear, that, as predicted, many around the world are moving to other types of computers, in particular mobile devices. This was forecast and it would seem to be coming to pass rather dramatically now.

It is amazing to see the number of people who rarely if ever use their desktop computers these days, relying on their mobile devices for almost all, if not all, their computing and Internet needs. Some folks no longer even have a computer other than a tablet, like the iPad or Nexus Tablet, or Surface, etc., or just use their smartphones for their email, browsing, messaging, gaming, etc. which is the bulk of what people seem to do on the Internet these days. Unless of course if their work or business, or gaming bents, are important to them. Having said that, even gaming has very much gone mobile for many people.

I am hoping that folks will take a look at the overall picture and determine which direction they wish to go now that there are only a few months left before Windows XP will no longer be a viable Internet connected computer.

Will a Desktop or Laptop be the way to go, or will a Mobile device like a Tablet or maybe even just a smartphone be enough for many folks? Staying with Windows or moving to a Mac may also be a consideration.

No matter which way folks ultimately go, deciding will be important and thinking about this is really needed with Windows XP going away in just a short few months.

Over 31% of computer users will need to make this decision before April 8, 2014, if they wish to remain as safe as they can be on the Internet.

Even with Google Chrome continuing to support Windows XP SP3 a year after Microsoft (till 2015), if the Operating System itself has no updates, that will certainly not be enough.

Lots to think about and only a few months to decide … Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

WinPatrol PLUS For Everyone Just $2

Tech gift guide: Gift copy of WinPatrol Plus gives lifetime of PC protection – USAToday

There are a couple of reasons you might want to shell out $29.95 for gift copies of WinPatrol Plus and give them to all the PC users on your shopping list.

WinPatrol may be one of the best kept secrets in computer protection. What’s more, it is the creation of an iconic tech personality, Bill Pytlovany, one-man researcher/developer/distributor at BillP Studios.

Pytlovany has a loyal following of tech geeks who swear by the basic version of WinPatrol, which he created in 1997, graciously keeps updated and continues to make available for free — for the greater good.

I found the above article while reading BillP’s blog posting: WinPatrol PLUS For Everyone Just $2:

About once a year I go crazy and try to introduce WinPatrol PLUS to the folks who have never heard of WinPatrol or have never experienced this small powerful app. For over 15 years WinPatrol has been recommended by friends and family but I never invested in any kind of expensive PR campaign.

I heard about WinPatrol many years ago, at least 10-15 years ago … it could have been when it first came out. But I am not really sure. I could have found WinPatrol from Corrine at one of the Anti-Spyware forums I frequented, or FreedomList where she is an admin, or at Scot’s Newsletter Forum where she is also a fellow admin. Or it could have been through Fred Langa‘s LangaList which I subscribed to for many years before Fred merged LangaLIst with WindowsSecrets Newsletter with Brian Livingston who himself retired in 2010, or from an article in WindowsMag (one of my all time favorite magazines. I was very sad that CMP retired Windows Mag on June 25, 1999 but we did have an online version at WinMag.com for a couple more years). WinMag had some great writers and they all knew BillP. WInMag and PCMag were my initial magazines for Windows in the early days. It is where I read great articles from: Scot Finnie, Fred Langa, Mike ElganKaren Kenworthy (1),  and many other great writers (I used to know all their names off the top of my head, now these four I remember the most).  But, I digress…

This is a great time to consider buying WinPatrol PLUS for only $2! Can’t beat it! And BillP’s WinPatrol is a best in class software! Check out the Free version at WinPatrol.com, and upgrade if you like it. Can’t go wrong for $2.

For those who (EEEK!) might still be using Microsoft’s old and long unsupported OSes;  Windows 98 or Win2K, WinPatrol Downloads has something for you as well.

BillP’s  Message to Windows XP users – Very important as the April 2014 retirement of Windows XP approaches.

WinPatrol runs on Windows XP, Vista, Windows 7 and Windows 8 including x64 versions.

USA Today says…

“…best kept secret in computer protection.”

Critical Java SE update due Tuesday fixes 40 flaws

Critical Java SE update due Tuesday fixes 40 flaws – The Reg

And yes, most are remotely exploitable

According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013.

Watch for it and install it if you have Java installed on your system. If you are sure you don’t need Java for anything, it would be best to uninstall it or disable it until the update, or at least disable Java in your browsers.

Microsoft Patch Tuesday March 2013 – Flash and Java

Microsoft has released seven items in their Security Bulletin for March 2013. Most are for Microsoft Office, one is for Internet Explorer and two in Windows itself.

NOTE: If you are using Windows 8, in addition to the other Microsoft Windows, Internet Explorer and Microsoft Office updates, you will also get a Flash update. Don’t forget that Flash is built into Internet Explorer in Windows 8, just like Flash is included with and updated by Google Chrome. What that means is that you do not have to keep Flash updated for those two browsers – IE 10 in Windows 8 and Google Chrome  keep Flash updated for you.

More information at Security Garden blog.

You do still need to keep Flash updated for other browsers like Firefox and Opera, and Internet Explorer on earlier versions of Windows.

Also don’t forget that Oracle’s Java has had three, count them three, updates over the past month for Java. Make sure/verify you are at the latest version of Java: Java 7 Update 17.

 

 

New Metaspoit 0-Day IE7, IE8, IE9, WinXP, Vista, Windows 7

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 – SecurityStreet/Rapid7

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.

Here’s the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled “Let’s Start the Week with a New Java 0day in Metasploit“. You’d think the 0-day attack from the same malicious group might cool down a little after that incident… well, you’d be wrong. …

BOLD and COLOR emphasis mine.

I am sure that they only tested IE7, IE8 and IE9 initially on this because those are the only IE browsers in use right now for Windows XP, Vista and Windows 7 and based on the w3Counter, the largest number of IE users at this time.

He also said that if he were to test IE10, he was certain it would fail the test as well.

One can only imagine how miserably IE6, as the highest level of IE that works on Win2K, would do. You would think that most people have moved onto newer versions of Windows, but some have not sadly despite the fact that Win2K hasn’t had an update since I think July 2010 and despite articles like this one from Ed Bott January 16, 2010. Don’t think it’s a big issue? Well according to the IE6Countdown website, IE6 still has an impressive 6% of Internet users worldwide as of August 2012.

Sure the USA’s piece of pie for IE6 is only 0.04% but I know a few of those folks and they are diehard users who refuse to leave a dead OS and browser due to economic issues, or sight issues, or both. Now, to their credit, some of these Win2K users do have a NAT hardware router, a software firewall, and they use Firefox and not IE6, but still, Win2K has not had any updates since July 2010! Not a wise move.

Personally,  I have NO addons allowed to work in IE8 in Windows XP by default on the Installations of Windows XP SP3 that I have still running, or IE9 on Windows 7.

I lock down my other browsers with no scripting type extensions like NoScript on Firefox, Chrome, etc. regardless of the operating system I am using (Windows, Mac, Linux), as well as Adblock Plus.

Another great little program for Windows that can help you keep a handle on what is happening on your Windows computer is BillP Studio’s WinPatrol Plus and FREE WinPatrol. I use it on my WinXP SP3 as an added protection since I have a laptop that can only run WinXP (SP3 of course), I use very intermittently for special use tasks such as setting up routers, or downloading music using Amazon Downloader, or sites that use OverDrive Media Console, etc. which won’t run on Linux on my laptop. This is when I am on the road using Library or Starbucks, or other public wifi hotspots due to our bandwidth limitations here at home on Verizon Wireless.

And I have found it to be wise to use a different browser (locked down of course as much as you can tolerate), rather than the ‘ubiquitous’ browser (IE in Windows, Safari on the Mac, or whatever the default browser is in a given GUI in Linux) in any given operating system.

One can not leave this to chance these days, IMHO.

 

EDIT: Added articles – one more about the exploit and the link to information on Microsoft’s workaround:

Update: Hackers exploit new IE zero-day vulnerability – Computerworld

Customers can use the Enhanced Mitigation Experience Toolkit (EMET) 3.0 to harden IE enough to ward off the current attacks, said Wee, of the company’s Trustworthy Computing Group, in an email late on Monday.EMET 3.0 can be downloaded from Microsoft’s websites.

Microsoft issues workaround for IE 0-day exploited in current attacks – net-security.org

Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate – but not yet remove – the threat:

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7’s advice and switch to another browser for the time being.

Again BOLD emphasis mine.

Mac Malware Targeting Unpatched Office Running on OS X – Not the same as before

Mac Malware Targeting Unpatched Office Running on OS X – eWeek

This is a different issue than reported earlier on this blog here on April 16th.

Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X.

Microsoft has discovered malware that’s preying on Apple computers running unpatched versions of its Office application suite.

The two vulnerabilities in question were patched in the Microsoft Office Word 2000 suite in June 2009, almost three years ago.

At that time, Microsoft put out a critical security bulletin—MS09-027—to close the holes, which can allow an attacker to get control of a system if a user opens a maliciously crafted Word file.

Much more in the article.

These Office Word 2000 installs on Mac OS X should have been patched by users for 3 years now.

Another troubling situation is that the malware seems to be targeting Snow Leopard and earlier versions of Mac OS X; not Lion.

With Lion the particular memory address being abused to run shellcode isn’t vulnerable like in earlier versions of Mac OS X.

So, if you have ANY version of Microsoft Office software running on your Mac, make sure it is up to date.

Better yet, if you have any software running on your Mac make sure it is updated including MS Office, Java, and other Internet facing programs, as well as Mac OS X itself. This should be obvious to must Mac users by now, but certainly bears repeating.

This is not just a Mac problem, but it has been exacerbated on Macs because getting MS updates for MS Office on the Mac apparently hasn’t been done as religiously as it often is on MS Windows systems, which are also vulnerable by the way.

Microsoft Security Bulletin MS09-027 – Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514).

For Mac OS X, MS Office 2011/Office 14, Microsoft has a page showing how to check for software updates automatically.

Microsoft has a page to download MS Office Updates (at least back to Office 2004)