A few security lessons from the Target breach

A few security lessons from the Target Breach by Susan Bradley, WindowsSecrets.com

The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.

Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.

I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.

These days, every time I swipe my credit card on a point-of-sale system, I think to myself: “Is this vendor doing all they can to keep me safe?” Retail companies believe they are; claiming that by following the Payment Card Industry (PCI) standards, they’re doing all they can to keep customer credit-card information safe. But I’m not convinced — especially in the U.S. European credit cards are considered more difficult to hack because they use an onboard security chip rather than the magnetic stripe common on U.S. cards.

This is so true! The article covers some great topics regarding malware designed to attack retail point-of-sale systemsWhen fishing, go for the biggest catch, and Ways to help protect yourself from POS attacks. 

Must read article.

There is also another excellent article from Wired.com that is also a must read:

Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again by Kim Zetter – Wired Threat Level

A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team eventually were caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?

Oh, and just in case you have forgotten them all, here is a list of all the others:

Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard.

BOLD emphasis mine.

Again, much more in the must read article including sections; What the Target Thieves GotInherent Flaws In the System, and the most telling section, Retailers Oppose Tougher Standards.

And as if that wasn’t bad enough, just yesterday on January 25th, Michael‘s too:

Sources: Card Breach at Michaels Stores by Brian Krebs – KrebsOnSecurity.com

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

I think Gartner’s analyst Avivah Litan’s quote in the January 17 2014 Wired Threat Level article was spot on:

“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

Often these days, I will get cash from the bank and use that instead of the card if I plan on visiting any retailers that have been a part of a security breach, which sadly leaves few you can actually feel comfortable using your credit/debit cards online and off.

I wonder how many others will do the same rather than chance the annoyance, the fear of loss of your hard earned money, the frustration of being without a card while it’s replaced when they disable the current one that’s compromised in a security breach or is used in a fraudulent transaction after a breach (even if it’s limited to $50 or whatever, that’s really not much help for the anxiety it puts people through), and finally of course dealing with the aftermath of your information being at large and the potential of someone using that information to impersonate you…believe me, a 6 month or 12 month credit monitoring does not help that much, or help you sleep at night knowing all that information being out there could be used to do as more and more of your information is made available through these breaches.

If retailers and credit/debit card companies want our ‘faith’ in them, and have us get the warm fuzzies regarding them being responsible enough to be trusted with other people’s money, they need to do what’s needed to get that faith back. Period.

And skimping on it like they did in 2005 won’t cut it, nor will the PCI compliance standards and the blame game. Something really needs to be done about this. People need to feel comfortable using credit/debit cards or they will go the way of the dodo.

Fix the problem, not the blame.*

Thanks to the movie, Rising Sun for the quote.

BTW: Might want to check out the Privacy Rights Clearinghouse and their page on data breaches since 2005. There have been quite a few more than just those noted in this posting!

EDIT 1-26-2014 8:508PM: @SecurityGarden posted the following and linked to this article; Exclusive: FBI warns retailers to expect more credit card breaches – Reuters:

@SecurityGarden Status regarding expanding on this posting on the security breaches

@SecurityGarden Status regarding expanding on this posting on the security breaches

Advertisements

XP SP3 and Office 2003 Support Ends April 8, 2014

Windows XP has been around since August 24, 2001 – 12 years ago now. It is getting VERY long in the tooth.

Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

Like many Operating System versions, Windows XP was not such a great OS in the beginning. BUT, like many Microsoft products, it got better after Service Pack 1 (SP1), but wasn’t the best it could be till after Service Pack 2 (SP2) and mildly better after Service Pack 3 (SP3). SP3 is the current version of Windows XP.

I loved Windows XP for a long time, even though it was getting long in the tooth. But I have come to love Windows 7 even more. Windows 8 … the jury is still out. For me I use several different operating systems. I also love and use Mac OS X or just OS X (as it is called now) and Debian Linux.

Windows XP has been on life support or Extended Support since April 8, 2009 when Mainstream Support ended. That was after two says of execution as it were since it was supposed to be ended earlier than 2009.

Windows XP has been the main stay for many folks for a long time in the Windows world — the last 12 years. That’s a long time for an Operating System version.

Windows XP still holds the #2 spot at 31.24% of computer users as shown below in the graph from NetMarketShare.com:

NetMarketShare.com Operating System Breakout - November 1, 2013

NetMarketShare.com Operating System Breakout – November 1, 2013

Windows 7 holds the #1 spot for a very good reason. It is still the best of the newer Operating Systems from Microsoft to date — in my opinion and nearly half of all Windows users to date. And Windows 7 is still good to go until January 14, 2020 (end of Extended Support – it is still in Mainstream Support until January 15, 2015). Here’s the break out of the Windows lifecycle fact sheet info:

Windows Life Cycles from the Windows Life Cycle Fact Sheet

Windows Life Cycles from the Windows Life Cycle Fact Sheet

I have said all this because we need to see where were are, and where we need to be as computer users, particularly as Windows users with April 8, 2014 looming over those of us still using Windows XP.

Especially in the light of the pervasive malware purveyors out there today.

We need to make sure we are all no longer using Windows XP of any kind before or at least by April 8, 2014 when Microsoft will no longer be providing ANY security updates for Windows XP.

A few years back they did the same thing with Windows 2000. It’s now Windows XP’s turn.

Please read the following articles to see why this will be very important:

Windows XP infection rate may jump 66% after patches end in April – Computerworld

Microsoft yesterday again put the scare into Windows XP users, telling them that after April 8, 2014, the chance that malware will infect their PCs could jump by two-thirds.

Windows lifecycle fact sheet – Microsoft.com (image above)

New stats show Windows 8 usage up sharply as XP usage plummets – ZDNet (for curiosity though, look at the difference between the table on ZDNet’s article and the one today).

NetMarketShare (choose Operating Systems from the dropdown to see the chart above in real time)

Gartner Says Worldwide PC, Tablet and Mobile Phone Shipments to Grow 4.5 Percent in 2013 as Lower-Priced Devices Drive Growth – Gartner.com

Source: Gartner Oct 2013 - Worldwide Device Shipments by Segment

Source: Gartner Oct 2013 – Worldwide Device Shipments by Segment

It would appear, that, as predicted, many around the world are moving to other types of computers, in particular mobile devices. This was forecast and it would seem to be coming to pass rather dramatically now.

It is amazing to see the number of people who rarely if ever use their desktop computers these days, relying on their mobile devices for almost all, if not all, their computing and Internet needs. Some folks no longer even have a computer other than a tablet, like the iPad or Nexus Tablet, or Surface, etc., or just use their smartphones for their email, browsing, messaging, gaming, etc. which is the bulk of what people seem to do on the Internet these days. Unless of course if their work or business, or gaming bents, are important to them. Having said that, even gaming has very much gone mobile for many people.

I am hoping that folks will take a look at the overall picture and determine which direction they wish to go now that there are only a few months left before Windows XP will no longer be a viable Internet connected computer.

Will a Desktop or Laptop be the way to go, or will a Mobile device like a Tablet or maybe even just a smartphone be enough for many folks? Staying with Windows or moving to a Mac may also be a consideration.

No matter which way folks ultimately go, deciding will be important and thinking about this is really needed with Windows XP going away in just a short few months.

Over 31% of computer users will need to make this decision before April 8, 2014, if they wish to remain as safe as they can be on the Internet.

Even with Google Chrome continuing to support Windows XP SP3 a year after Microsoft (till 2015), if the Operating System itself has no updates, that will certainly not be enough.

Lots to think about and only a few months to decide … Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

Critical Java SE update due Tuesday fixes 40 flaws

Critical Java SE update due Tuesday fixes 40 flaws – The Reg

And yes, most are remotely exploitable

According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013.

Watch for it and install it if you have Java installed on your system. If you are sure you don’t need Java for anything, it would be best to uninstall it or disable it until the update, or at least disable Java in your browsers.

Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating to disallow all Java except including the new one that hasn’t even been released yet. Excellent move from Apple.

Firefox and Google Chrome has had you click to even use Java for awhile now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in their blacklist. You have to personally choose to actually use Java using their Click to Play feature. Thank you Mozilla!

Google Chrome has instituted on December 21, 2012, noted in their blog posting, a feature that disallows silent extension addon installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now allows you to disallow plugins by default and only allow those you specifically allow. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out and please for your sake don’t use a browser for general use that allows Java at least for now.

Disable it in at least one browser that you can use for general purpose use.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet facing programs. I also compare that with Firefox’s plugin checker. This in Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. In Linux Java is also disabled in my main browser.

This is very important until Oracle gets this updated and is quick to fix these vulnerabilities.

Oracle really needs to get on the stick before they and all the programs that make use of them are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 – Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.

Oracle to stop patching Java 6 in February 2013

Oracle to stop patching Java 6 in February 2013 – Computerworld

The article notes that of course this will be a hardship for Mac OS X Snow Leopard users and for users of earlier versions of OS X, but that is not as far as this rabbit hole goes. Very good article. Well worth a read.

That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.

Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle’s update.

It will also be hard on businesses, and even government agencies and departments, that will now be forced to work over their Java based programs to make sure they will still work with the current versions of Java 7.

That also means that Oracle themselves will have to update their Forms and Reports (or maybe these are things built by the companies using them too), to work with Java 7 so companies and some government agencies and departments can allow vendors that provide service and products to them. Currently, many of them must make use of Oracle Forms and Reports built on Java 6 from a special site like the MyInvoice subdomain that the government military still uses. That site requires a later version of Java 6 even now. This puts them and their vendors at risk by requiring an old Java on their systems in order to even work with them.

And what about the medical community. I have seen them falling down on the job as well on keeping up with the version of Java that physicians must use on their computers in order to read X-Rays remotely from home or on the road.

The article further is concerned about even upgrading to Java 7:

On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, “Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7.”

Now that is sad news indeed. There are many sites that make use of Java and with good reason! Even Android is based on Linux — C,C++ and Java. As are many embedded systems, phones, and many electronic devices around the home.

Oracle needs to fix this problem and their Java. If they are going to be the owner of Java, they need to do better with the Java programming language that companies are not concerned about moving to their Java 7! So many programming eco systems out there depend on Java.

They inherited Java and the huge eco systems that depend on them, and base of users when they bought out Sun Microsystems. They can’t make swiss cheese with a door and think people will be be fine with this. Even things like OpenOffice.org and LibreOffice depend on Java — thankfully the current Java, but even that is according to this article, problematic. And what about all the embedded devices that depend on Java? When you install Java and are waiting for it to install, Oracle proudly talks about the billions of devices, that run Java. Oracle’s Java.com About page proudly states:

To date, the Java platform has attracted more than 9 million software developers. It’s used in every major industry segment and has a presence in a wide range of devices, computers, and networks.

Java technology’s versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

  • 1.1 billion desktops run Java
  • 930 million Java Runtime Environment downloads each year
  • 3 billion mobile phones run Java
  • 31 times more Java phones ship every year than Apple and Android combined
  • 100% of all Blu-ray players run Java
  • 1.4 billion Java Cards are manufactured each year
  • Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

To see places of Java in Action in your daily life, explore java.com.

The bold on the bullet list above is mine.

Oracle really needs to wake up now before they totally destroy the great reputation that Sun Microsystems had when they conceived and built so much with Java. And all for nothing!

Trust is a terrible thing to waste.

 

 

Adobe Flash Zero Day Bug Emergency Patch

Adobe patches new Flash zero-day bug with emergency update – Computerworld

Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” the Friday advisory said.

All editions of the Flash player are affected, but those abusing this vulnerability are targeting Internet Explorer with this current exploit and Adobe is giving it their Priority 1 status:

The update was pegged with Adobe’s priority rating of “1,” used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

In this case of course it’s already actively being exploited. So don’t wait! Don’t be a target, get your Adobe Flash Player update today!