Thursday, January 21, 2010

More Data Showing Static Passwords not good

An analysis of 32 million passwords recently hacked from RockYou shows that the most used passwords are easily guessed by hackers using simple computer programs. Passwords such as 123456 and abc123 continue to be the most widely used in spite of the news concerning the recent attacks on Google's email accounts. http://bit.ly/7q92ie

If you want to secure your online transactions it is best to use multifactor authentication techniques such as One Time Passwords (OTP). One company that leads the way and has pioneered the use of one time passwords in credit card form factor is NagraID Security. Their Display cards not only have OTP in a flexible display, they have also incorporated a secure contactless chip for e-wallet transactions. www.nidsecurity.com
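To show why an OTP beats a static password like 123456, here is an added example (not code from this blog or from NagraID) of the event-based OTP scheme most display cards use, HOTP as specified in RFC 4226, together with the server-side verifier that a bank would run. The secret is the RFC's own test key, not a real card key; the window size and class names are this example's assumptions.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' of the MAC down to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24           # mask the sign bit per the RFC
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one card: the expected counter plus a small
    look-ahead window (RFC 4226 section 7.4) so a few button presses that
    never reached the server do not lock the user out."""

    def __init__(self, secret: bytes, window: int = 4):
        self.secret = secret
        self.counter = 0          # next counter value we expect to see
        self.window = window

    def verify(self, submitted: str) -> bool:
        # Try the expected counter and the next `window` values; a match
        # resynchronises the server so this code and every earlier one can
        # never be replayed, which is exactly what a static password cannot offer.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


# Test secret from RFC 4226 Appendix D (a published test vector, not a real key)
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = HotpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)
    print(first, v.verify(first), v.verify(first))   # accepted once, then rejected
```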

Wednesday, July 29, 2009

AP Reports Social Networking Site Steals Identities

The Associated Press reports that New York’s attorney general, Andrew Cuomo, is charging Tagged.com, a social networking site, with stealing the identities of more than 60 million Internet users around the world. He said he’s suing the company for deceptive marketing and invasion of privacy.
Cuomo alleged that Tagged acquired most of its users fraudulently, sending unsuspecting recipients e-mails that urged them to view private photos posted by friends. The message read: “(name of friend) sent you photos on Tagged.”
When recipients tried to access the photos, they became new members of the site — without ever seeing any photos. Recipients’ e-mail address books would then be stolen, said Cuomo.
The attorney general said a lawsuit would seek to stop Tagged from engaging in “fraudulent practices” and to seek fines.

Tuesday, July 28, 2009

Network Solutions data security breach exposes a half-million credit card numbers

By SearchSecurity.com Staff, 27 Jul 2009, SearchSecurity.com
Security Wire Daily News
Hosting company and domain registrar Network Solutions LLC said malware planted on Web servers compromised more than a half million credit card accounts belonging to customers of its e-commerce merchants.
Herndon, Va.-based Network Solutions disclosed the data security breach late Friday. The company said it discovered unauthorized code on servers supporting some of its e-commerce merchants' websites and determined that it may have been used to send transaction data from about 4,343 of its merchant websites to outside servers.
Outside forensic experts informed Network Solutions on July 13 that the stolen data included credit card information. Approximately 573,928 cardholders were affected by the breach, which affected transactions between March 12 and June 8 of this year, the company said.
"At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants' customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer," the company said.
In a blog post Sunday, Network Solutions emphasized that the incident affects only its e-commerce customers. Customers of its other products, including domains, email accounts and hosting, were not impacted.
The company is working with law enforcement to investigate the case and has arranged with credit reporting agency TransUnion LLC to work on behalf of its merchants to contact affected customers. Network Solutions set up a website about the security breach.
The company touted in its message to customers that it was PCI compliant, despite the data security breach.
"Assuring the security and reliability of our services to customers is our most important priority. We store credit card data in an encrypted manner and we are PCI compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said in its blog post. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."
But in a prepared statement, Bob Russo, general manager of the PCI Security Standards Council urged the company to be more cautious about its statements regarding PCI compliance until an investigation is completed.
"Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status," Russo said. "Friday's announcement of a data breach at Network Solutions underscores the necessity for ongoing vigilance of an organization's security measures. Security doesn't stop with PCI compliance validation. As the Council has said many times, it is not enough to validate compliance annually and not adopt security into an organization's ongoing business practices."
Amichai Shulman, chief technology officer of database security vendor Imperva said the breach highlights the fundamental security risk of cloud computing. The databases and the servers used by hosting providers become attractive to cybercriminals as more companies turn to cloud-based services to host data, Shulman said in a statement.
"The attackers here aimed on the big prize – the servers," Shulman said. "Instead of dealing with a website here and there, once the hackers broke in, all the sites were open to them. The lesson: once you've penetrated the cloud, you've got an easy path to the important, underlying data."

Thursday, July 16, 2009

Password Strength and Keeping Online Accounts Safe

From Google Online Security Blog (Macduff Hughes)
There's been some discussion today about the security of online accounts, so we wanted to share our perspective. These are topics that we take very seriously because we know how important they are to our users. We run our own business on Google Apps, and we're highly invested in providing a high level of security in our products. While we can't discuss individual user or customer cases, we thought we'd try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure. Read the full story [Google Online Security Blog].

Thursday, June 25, 2009

TJX to pay $9.75 million for data breach investigations

TJX Companies, Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by Attorneys Generals from 41 states.
The parent company of T.J. Maxx and Marshalls stores disclosed in January 2007 that its systems were hacked, exposing at least 45.7 million credit and debit cards to possible fraud. Under the terms of the settlement, the company will pay $2.5 million to create a data security fund for states, a settlement amount of $5.5 million, and $1.75 million to cover expenses related to the states' investigations.
In addition, TJX said it agreed to certify that TJX's computer system meets detailed data security requirements specified by the states; and encourage the development of new technologies to address systemic vulnerabilities in the U.S. payment card system.
"Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime," Jeffrey Naylor, chief financial and administrative officer of TJX said in a statement.
Naylor reiterated TJX's stance throughout the incident that the company did not violate any consumer protection or data security laws. "The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers," the company said.
According to investigators, over an 18-month period, hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems. Investigators said TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard. It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.
Eleven indictments were announced by the United States Attorney in 2008. To date, two of those indicted have pled guilty and two other individuals have pled guilty to related charges.
"This was a self inflicted wound and certainly TJX has done a lot of work since the breach, but the breach itself was the result of poor processes and negligence," said Jon Oltsik, senior analyst, Enterprise Strategy Group.
Although TJX had become the poster child of what could happen when a company suffers a massive breach, Oltsik said it will likely take a breach of intellectual property and other sensitive data that puts a company out of business before every firm takes data security seriously. There have been other massive breaches since: Heartland Payment Systems is in the midst of a data breach investigation affecting millions of cardholders, and Hannaford Supermarket investigators discovered malware that bilked 4.2 million credit and debit card numbers from the grocer's systems.
"The difference between TJX and any other company is just the luck of the draw. They had areas where they were not compliant with PCI but most companies do if you look close enough," said Ed Moyle, cofounder of IT consultancy Security Curve and security solutions manager at integrator CTG. "Some of these environments are quite complex, especially with brick and mortar retail outlets."
The Payment Card Industry Data Security Standards (PCI DSS) have addressed security of cardholder data. But Oltsik said it's unclear how much fraud there is in the audit process, as there is relatively little oversight from people outside the payment transaction industry.
"PCI is a pretty good first start, but there's plenty of room for abuses and for fraud," Oltsik said.