Tag Archive for 2015

| July 9, 2015
One comment

Data Breach Is No Monkey Business

ReData Breach Is No Monkey Businessports are emerging that zoo’s across the nation have fallen victim to a POS attack and data breach. MLive warns anyone who made a purchase with a credit card at gift shops at the Detroit Zoo between March 23 and June 25, 2015, might be in danger of having the credit card information stolen. The Detroit Zoo posted a notice which claims that the only systems hacked were those run by Denver-based Service Systems Associates, the third-party responsible for running the systems at the Detroit Zoo’s retail stands.

Detroit ZooSSA posted a notice on their site confirming a breach but no other details. Officials are investigating data breaches of the point-of-sale systems at nine or more U.S. zoos, including the Detroit Zoo. MLive reports that hackers gained access to card holders’ names, expiration dates, CVV security codes in addition to the credit and debit card numbers.

Sources claim the malware has been since identified and removed from the systems, though the case remains under investigation. In response, A separate credit card processing system was installed after the Zoo learned of the breach. Gerry VanAcker, Detroit Zoological Society chief operating officer, said in a release:

We are obviously concerned that the vendor’s system was compromised,” s “Transactions made since June 26 are not affected by the previous breach, and it is safe to use a credit or debit card at SSA’s retail locations.

Data thiefKrebs on Security reports that the attack is widespread. Mr. Krebs cites financial industry sources that say the breach likely involves SSA concession and gift shops at zoo locations in Alabama, Arizona, California, Florida, Hawaii, Idaho, Indiana, Minnesota, Ohio, Oklahoma. Pennsylvania, South Caroline, Texas, and Tennessee.

Systems used at the Detroit Zoo for tickets food sales and membership sales were not affected by the breach and remain secure. Anyone who made a purchase via credit or debit card at a Zoo gift shop should check their bank statements immediately.

Those who expect that their identity has been stolen are asked to contact one of the consumer reporting agencies and place a fraud alert on their credit report.

rb-

Why don’t these POS companies give a damn? I have covered POS data breaches a number of times from the Bach Seat. POS breaches have been the largest source of data disclosure for at least 3 years. Of course, we know the answer, follow the money.

FPOS systemirms like SSA have no accountability. There are no costs or fines or even a demerit on their permanent record when they get breached. It is less costly for companies like SSA to allow a breach to happen than it is to update their systems and stop the attackers.

Maybe that will change in the future. Beginning in October 2015 firms like SSA that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards.  – maybe.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| July 7, 2015
Comments Off on T-Mobile Ordered to Turn Over Most Customer Info

T-Mobile Ordered to Turn Over Most Customer Info

T-MT-Mobile Ordered to Turn Over Most Customer Infoobile received the most government requests for subscriber data in 2014 according to a report from CNET. U.S. governments made nearly 351,940 requests for data from T-Mobile (TMUS) in 2014. The author, Roger Cheng states that the 351,940 government requests for data are the most out of any of the four national wireless carriers.

The number 4 U.S. carrier by subscriber base recently released its first transparency report. The article breaks down the government requests for T-Mobile information:

  • 177,549 criminal and civil subpoenas
  • 17,316 warrants
  • 3,000+ wiretap orders
  • Between 2,000 and 2,250 national security requests,
  • 8 requests from foreign governments.

These numbers represent an 11% increase in government demands for subscriber information over last 2013.

The article claims that Verizon and AT&T each have twice as many customers, but T-Mobile fielded more requests than its rivals.

  • Verizon (VZ) with 132 million subscribers in Q4 of 2014, saw 287,559 government requests.
  • AT&T (T), with nearly 121 million subscribers in Q4 of 2014, saw 263,755 government requests,
  • Sprint (S) with 55.5 million subscribers in Q4 of 2014, saw 308,937 government requests.
  • T-Mobile with just over 55 million subscribers in Q4 of 2014, saw 351,940 government requests.

Here is how the four wireless carriers’ government information requests compare.

CarrierSubscribersSupeanasWarrantsWireTap OrdersTotal Requests
Verizon132 million138,158`31,2141,433351,940
AT&T121 million201,75420,9852,420263,755
Sprint55.5 million308,93713,5403,772308,936
T-Mobile55 million177,43917,3163,087251,940
Totals358.5 million826,28883,05510,7121,176,571

surveillance programsTransparency reports have become increasingly popular over the past year as civil liberties groups, shareholder and consumer advocates have pressured companies to be more open about when they disclose customer information. The article claims T-Mobile was the last of the four national carriers to issue a transparency report, which comes amid continued scrutiny of surveillance programs run by U.S. three-letter agencies and friends— including the bulk collection of phone call data — that was revealed when former NSA contractor Edward Snowden leaked classified government documents.

The author notes that companies aren’t under a legal obligation to show the data in transparency reports, but have been willing to share with the hope that the reports will help repair their reputations, which have been damaged by the Snowden revelations of the past two years.

rb-

government demands for subscriber informationThis data only represents data requests where they bothered to follow U.S. laws to legally request data. How much more is there sitting in a data warehouse in the sky?  

Why is the T-Mobile number so high? Is it bad luck? Do they fight the requests the most? Are they playing ball with the TLA’s?  We may never know. VentureBeat speculates that the best way to measure how willing T-Mobile works with the government is by looking at the percentage of government requests to which T-Mobile delivered data. But T-Mobile refused to offer that information to VentureBeat.

“Regarding the additional question on breaking out the numbers further than what’s currently provided in the report, our systems were not designed to track the kind of detailed reporting that other companies engage in today,” a T-Mobile spokesperson wrote to VentureBeat.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , ,
| July 3, 2015
Comments Off on Ordinary People Did Extraordinary Things to Aid the American Revolution

Ordinary People Did Extraordinary Things to Aid the American Revolution

Ordinary People Did Extraordinary Things to Aid the American RevolutionThe men who declared American Independence in 1776 get their due respect in the history books. But often, many of the men and women who helped earn that independence are forgotten. Mental Floss pays tribute to 11 of the unsung heroes who made huge contributions to the American Revolution.

This is the story of Joseph Plumb Martin the original Yankee Doodle. Martin was a typical soldier in the American Revolution. He joined the Connecticut state militia at just 15 years old. Martin served almost seven years in the Continental Army of General George Washington.

What set Martin apart is that he kept a detailed diary during the American Revolution. Many years after the war his diary was published as an anonymous account of the war. The book is titled A Narrative of Some of the Adventures, Dangers and Sufferings of a Revolutionary Soldier, Interspersed with Anecdotes of Incidents that Occurred Within His Own Observation. It sold poorly during his lifetime. However, it was republished over 100 years later under the title Private Yankee Doodle and shed new light on the daily life of the men who made independence possible.

rb-

Between the hot dogs, mosquitoes, and shopping, do something important. Turn off the TV, read a book, Thank a veteran, Get smarter about how politicians are destroying the country.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Holidays | Tags: , , , , , ,
| July 2, 2015
Comments Off on The Enemy Within at School

The Enemy Within at School

The Enemy Within at SchoolNaked Security reports on a hack that combines two of our favorite things on the Bach Seat, Florida, and lax data security at school. The way the Sophos blog tells the story, a 14-year-old Florida boy is charged with being a hacker by trespassing on his school’s computer system.

Florida school hacker

The charges came after he shoulder-surfed a teacher typing in his password and used it without permission to trespass in the network. The student then tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.

an offense against a computer system and unauthorized accessA Tampa Bay Times article says that an eighth-grader was recently arrested for “an offense against a computer system and unauthorized access.” This is a felony in Fla. Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school using an administrative-level password without permission.

A spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother. His sentence remains to be seen, But at this point, it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension. Sheriff’s detective Anthony Bossone says is likely to be “pretrial intervention” by a judge with regards to the felony charge, the Tampa Bay Times reports. Naked Security says this is the student’s second offense.

Old school securityWhen the newspaper interviewed the student, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said. It’s a well-known trick, the student said. He claimed the password was a snap to remember, it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.

The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank. He also reportedly accessed a computer with sensitive data – the state’s standardized tests (now we know why he is in trouble – NCLB! – Common Core!!while logged in as an administrator. Those are files he well could have viewed or tampered with, though he denies having done so. Sheriff Nocco says that’s the reason why this can’t be dismissed as being just a bit of fun. Even though some might say this is just a teenage prank, who knows what this teenager might have done.

I logged out of that computer and logged into a different one and I logged into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him.

in typical HS-er logic, he told the newspaper:

If they’d have notified me it was illegal, I wouldn’t have done it in the first place. But all they said was ‘You shouldn’t be doing that.

Idaho school hacker

rented a cloud based botnet to launch a distributed denial of serviceAnother report from the other side of the continent comes from Engadget. They report that a teenager from Idaho took advantage of the latest trend in online criminal activity. He likely rented a cloud-based botnet to launch a distributed denial of service (DDos) against the largest school district in Idaho. The alleged DDoS took down the school district’s internet access according to media reports.

KTVB News reports that the 17-year-old student paid a third party to conduct a distributed denial-of-service attack/ The attack forced the entire West Ada school district offline. The act disrupted more than 50 schools, bringing everything from payroll to standardized tests (More high stakes testing – NCLB! Common Core!!) grinding to a halt. Unfortunate students undertaking the Idaho Standard Achievement test had to go through the process multiple times because the system kept losing their work and results.

State and Federal felony chargesThe report goes on to say that authorities have found the Eagle High student from their IP address. The students could now face State and Federal felony charges. If found guilty, the unnamed individual is likely to serve up to 180 days in jail, as well as being expelled from school. In addition, the suspect’s parents will be asked to pay for the financial losses suffered as a consequence of the attack.

rb-

Many school networks have bigger pipes than the business world. Some EDU networks I have worked on have had 10 GigE for years. In the rest of the online world, these incidents would serve as a wake-up call to network managers that hey, we might be at risk too, but not schools. Oh yeah – Passwords are Evil

Rightly or wrongly schools rely on the Intertubes for their core business – instruction, and NCLB high-stakes testing. However, they do not take steps to protect themselves. Administrators fight common tactics like periodic password changes, enforcing password complexity, or blacklisting common weak passwords. None bother with an anti-DDOS strategy let alone buying a tool to fight off a denial of service attack.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| June 30, 2015
Comments Off on How Social Engineering Works

How Social Engineering Works

From where I sit in my Bach Seat, it isHow Social Engineering Works clear that cyber-attackers will try anything to penetrate your online security. They will even exploit human nature to get access to a firm’s digital assets. In the human world, people who exploit human nature are often called politicians, con-men, or grifters. In the digital domain, we call it social engineering. Most online attackers use some sort of social engineering to get users to do something risky.

Social engineering psychological tricks

Here is a list of 6 psychological tricks that social engineers use to trick staff.

1- Reciprocation – When people are provided with something, they tend to feel obligated and then repay the favor.

2 – Scarcity – People tend to comply when they believe something is in short supply. As an example, consider a spoof email claiming to be from a bank asking the user to comply with a request or else have their account disabled within 24 hours.

3 – Consistency –  Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable. For example, a hacker posing as a company’s IT team could have an employee agree to abide by all security processes, then ask them to do a suspicious task supposedly in line with security requirements.

4 – Liking – Targets are more likely to comply when the social engineer is someone they like. A hacker could use charm via the phone or online to win over an unsuspecting victim.

stick to their promises5 – Authority – People tend to comply when a request comes from a figure of authority. So a targeted email to the finance team that appears to come from the CEO or company president will likely prove effective.

6 – Social validation – People tend to comply when others are doing the same thing. For example, a phishing email might look as if it’s sent to a group of employees, which makes each employee believe the message must be valid if other colleagues also received it.

Conditioned to click

An article at Help Net Security Proofpoint argues that humans are psychologically conditioned (rb- Remember Pavlov’s dogs from Pysch 101?to click on links. Cyber-criminals leverage this conditioning by designing phishing emails most likely to trigger your automatic click response.

Proofpoint says that social engineering emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department typically expects a <2% click rate on their advertising campaigns.

Steps to protect against social engineering

They offer the following suggestions to protect against social engineering phishing emails:

  1. Understand that you are not being targeted specifically, you and your machine are just collateral damage.
  2. Upgrade your computer from Windows XP (as Microsoft is no longer providing security updates to the OS) or disconnect it from the internet – it’s that dangerous.
  3. Don’t use simple predictable passwords that are easy to crack.

Businesses need to:

  1. Put in place layered security to provide an in-depth defense against the latest attacks and malware.
  2. Run awareness campaigns with your staff telling them not to click on links within social networking emails such as LinkedIn invitations. They should instead open their browser or app, log in, and manage their invites/messages from there.
  3. Deploy new technologies that combine big data security analytics with advanced malware analysis. These technologies provide predictive and click-time defense, end-to-end attack campaign insight. They also offer automated incident containment capabilities through connectors to your existing security layers.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
« Older Entries   Recent Entries »