Security Protection – Harry Waldron MVP


Credit Card Fraud – Tips to spot Credit Card Skimmers

Credit card skimmers are devices designed to intercept credit card data, allowing thieves to create a duplicate of the original card and rack up unauthorized charges. Kim Komando highlights these dangers in one of her daily security tips.

http://www.komando.com/tips/278304/how-to-spot-credit-card-skimmers

 
One of the more successful tools of 21st century crooks is the skimmer. Thieves attach them to ATMs, gas pumps and other places people swipe their credit and debit cards. It’s quite ingenious.  Once in place, this sneaky bit of electronics steals the magnetic strip information from your card. Once the thieves have the information, it takes just moments for them to copy or clone it.  And once they have a clone, they can drain your bank account or run up huge bills and trash your credit before you even know it!

FBI Study – over 500,000,000 accounts exposed in past 12 months

The FBI and other authorities have quantified the many data breaches seen in the past year. The use of “hacked” means security records were exposed, and the actual account information may or may not have been downloaded by the bad guys in the process.

http://www.usatoday.com/story/news/politics/2014/10/20/secret-service-fbi-hack-cybersecuurity/17615029/

QUOTE: WASHINGTON — Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.

“We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, executive assistant director of the FBI’s Criminal Cyber Response and Services Branch.

The U.S. financial sector is one of the most targeted in the world, FBI and Secret Service officials told business leaders at a cybersecurity event organized by the Financial Services Roundtable. The event came in the wake of mass hacking attacks against Target, Home Depot, JPMorgan Chase and other financial institutions.

Nearly 439 million records were stolen in the past six months, said Supervisory Special Agent Jason Truppi of the FBI. Nearly 519 million records were stolen in the past 12 months, he said.

About 35% of the thefts were from website breaches, 22% were from cyberespionage, 14% occurred at the point of sale when someone bought something at a retail store, and 9% came when someone swiped a credit or debit card, the FBI said.

About 110 million Americans — equivalent to about 50% of U.S. adults — have had their personal data exposed in some form in the past year, said Tim Pawlenty, president of the Financial Services Roundtable and the former governor of Minnesota.

About 80% of hacking victims in the business community didn’t even realize they’d been hacked until they were told by government investigators, vendors or customers, according to a recent study by Verizon cited by Pawlenty.

Data Breach – Early reports for possible Staples compromise

Hopefully the scope of the latest breach will continue to be isolated to about a dozen of the 1800 stores nationwide. During a WSJ report this morning, it was noted that approximately 400 million accounts have been compromised over the past year collectively across the many firms impacted.

http://www.zdnet.com/staples-investigates-possible-data-breach-credit-card-fraud-7000034902/

http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

QUOTE: Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement.

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Framingham, Mass.-based Staples has more than 1,800 stores nationwide, but so far the banks contacted by this reporter have traced a pattern of fraudulent transactions on a group of cards that had all previously been used at a small number of Staples locations in the Northeast.

The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers. This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals.

BEST PRACTICES FOR INTERNET SAFETY FOR 2014

In November, a presentation is planned for professional organizations in our area.  This represents a planning outline that will be further refined.  

1. SECURITY = SEC-U-R-IT-Y – A class leader once shared this spelling as a reminder that “you are it”.  Careful and well planned human behavior is your BEST defense, even over technological safeguards.  Fort Knox has some of the world’s best security, but if the guards open the doors and let unauthorized folks in — what good is all of that fortification?  For the best safety for yourself, your family, and your company, one must “think security” and then integrate those concepts in all actions.

2. THINK DEFENSIVELY – Avoidance is your #1 risk management tool.  For email or internet actions — safety should always be a primary concern.  It’s good to get secondary verification before acting on items.  When a site is encountered that will not allow you to exit — use CTRL+SHIFT+ESC to bring up Task Manager to close malicious web pages & exit safely.  Lock down your browser with restrictive security settings.  Patch immediately from trusted sources to fortify your system.

3. THINK BEFORE YOU CLICK – Think of every action as being potentially dangerous on the Internet.  While most actions are safe, there is still the potential of danger.  It is better to pause and double check than to act on emotions or initial responses.  The good news is that it takes one or more clicks by the user to install most malware.  The bad news is that many folks click anyway, without realizing this gives permission to possibly plant malicious code in a stealth-like manner on the system.

4. STAY INFORMED ON DANGEROUS RISKS – When a leading bank with restrictive security has millions of accounts compromised, it is a wake-up call for security to be a top safety theme in our well connected society.  Security is only as strong as its weakest point.  Recently, telephone call scams pretending to be the IRS, Microsoft, and other entities have emerged.  However, in most cases the genuine organizations use postal mail to contact folks on serious matters.  These calls are scams ultimately intended to rob folks.  There are “no free lunches on the Internet” and the appeal of winning or being chosen may tempt users to click on unsafe items.  Please avoid temptations to click on even false news alerts.  A few years ago a severe 100-year storm hit Europe and there was a “Storm Worm” virus that impacted many users.  Today, there are false Ebola news alerts circulating and clicking those links may implant a virus.  Sensationalized news alerts can be used to trick users.  Stay informed on security news bulletins & visit beneficial blog sites to stay educated on the dangers.

5. STAY UP-TO-DATE ON SOFTWARE – Update Windows, anti-virus and all other products on your system as soon as updates are offered. Stay on the latest version of your browser, Flash, and other software. Reboot your PC often to give it a fresh start and ensure the latest patched components load for your protection.

6. USE SECURE PASSWORDS – Use strong password techniques and don’t use the same one for each site, but vary them to reduce harm if the bad guys happen to discover one. Consider putting an asterisk (*) or exclamation point (!) at the end of a password that you like using. Use 2-pass security and other approaches in lieu of passwords when feasible.

7. WIRELESS NETWORK SAFETY – Use or set up these resources with security in mind, as unsecured connections can be easily intercepted. Be especially careful with your mobile smartphone as it can provide a wealth of personal and sensitive information, if lost or stolen.  Please consider wireless as HIGH RISK both at home and away.

8. PHYSICAL SECURITY – Carefully handle laptops or mobile phones while traveling by air, driving, or staying at a hotel. Hide, lock, and secure these resources. Encrypting the hard drive is beneficial for frequent travelers and anyone desiring high levels of security.

9. RECOVERY FROM SECURITY EVENT – When personal information has been compromised or malware infections occur, quickly change all passwords, alert banks, change account numbers, and take other actions to minimize damages associated with loss of information.  The key is to quickly change credentials for anything that has been disclosed and ensure your security in future processing is restored under new & improved controls.

10. SECURITY IS A CONTINUOUS IMPROVEMENT PROCESS – The bad guys are improving their tactics & defensively we must proactively respond as developments occur. The defense mechanisms of five years ago won’t work for today’s threats. Security requires constant re-thinking and re-evaluation of safety techniques.

Data Breach – JP Morgan 76 million users impacted

 

I had the same reaction as “The Atlantic”, as 90 “BANK” servers were compromised and sensitive personal data was mined.  While no financial account data was extracted, phishing scams and targeted attacks could be easily created knowing email addresses and other personal data.

http://www.theatlantic.com/business/archive/2014/10/why-the-jp-morgan-data-breach-is-like-no-other/381098/

QUOTE: Banks are supposed to have some of the most advanced security systems in the world.   JP Morgan still got hacked. Another month, another report of a large corporation failing to keep customer information secure. This time, it’s JP Morgan reporting that 76 million households and 8 million small business were exposed in a data breach. At this point, it’s understandable if the news doesn’t cause much alarm.

But hear us out: This JP Morgan Chase breach should freak you out, even if you don’t bank with them. Previous data breaches have largely been confined to retail companies (Target, Home Depot etc.), where brands are required to meet basic security protocols and not much else. “Retailers are known to be cheap,” Paula Rosenblum, managing partner at Retail Systems Research, said. “But it gives me much more pause when it happens to a bank.”

Banks have much more sensitive information about their customers than any retail operation, everything from social security numbers to detailed records of past spending. So far, JP Morgan reports that only limited personal information, such as names, phone numbers, and addresses, were stolen, insisting that social security numbers, banking information, and other data remain safe. “I’m assuming that [information] is encrypted,” said Rosenblum. “If not, then Katy bar the door.”

Then there’s the sheer scale of the breach. Let’s repeat: Seventy-six million households and 8 million small business were exposed. According to The New York Times, JP Morgan believed only one million accounts were affected a few weeks ago. So there’s the possibility that the number may rise even further.

ATM Malware – Tyupkin allows direct theft from infected ATM systems

Kaspersky Security is warning financial institutions about highly sophisticated ATM malware that lets a thief who knows the right input codes steal money directly from the ATM itself.

https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

QUOTE:  This ATM based malware attack uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night.  It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.  When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.   This is done by infecting ATMs directly or direct APT-style attacks against the bank.  The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

General advice for on-premise ATM operators

* Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras.
* The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
* Regularly check the ATM for signs of attached third-party devices (skimmers).
* Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors or security alarms, security cameras or other devices on premises.
* Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
* Consider filling the ATM with just enough cash for a single day of activity.

WINDOWS 10 – First look by Network World

http://www.networkworld.com/article/2689722/windows/microsoft-windows-165000-first-look-windows-10.html

QUOTE:  Although Microsoft is skipping a whole version number for the next Windows version, which will ship some time next year, the early version of Windows 10 it showed off today was mostly composed of commonsense fixes to Windows 8, better integrating its Desktop and Metro halves and being smarter about adapting to keyboard and touch environments.

A big complaint about Windows 8 was the lack of the familiar Start menu that debuted in 1995. Windows 8.1 brought a Start button, but all it did was switch between the Metro and Desktop halves of Windows. Windows 10 brings back the real Start menu, but with the Metro tile look from Windows Phone and Windows 8’s Metro screen.

Windows 10 will let Metro apps run in Desktop windows like any other app, getting rid of the duality of Windows 8. That leaves the question: How’s a Metro app different from a Desktop app beyond the look and feel?

Windows 10 brings Windows 8.1’s snap feature to the Desktop, so you can arrange app windows in a tiled view. Yes, Windows has long supported a tiled view within apps (for their document windows), but now you get the capability among apps themselves.

WINDOWS 10 – Product Announcement link

Below is the public announcement thread, highlighting major features for Windows 10

http://live.theverge.com/microsoft-windows-9-event-live-blog/#

http://www.theverge.com/2014/9/30/6868695/microsoft-windows-10-announced-official

http://www.theverge.com/2014/9/30/6868899/windows-10-availability-technical-preview-tomorrow

 
The next major version of Windows, Windows 10, will be available late next year. The new operating system is being unveiled today at an event in San Francisco, where Microsoft announced its name and began detailing new features, including the return and makeover of the Start Menu, the introduction of multiple desktops, and a new universal search feature. Microsoft isn’t hiding that, for mouse and keyboard users, this is a move back toward what Windows users are used to and away from the contentious changes in Windows 8. “It gives the familiarity of Windows 7 with some of the elements of Windows 8,” Windows chief Terry Myerson says.

LINUX/UNIX Admins – PATCH AGAIN as new BASH Shellshock exploits are emerging

While these brand new vulnerabilities have emerged, they appear to be less “exploitable” through directly tailored environment variables than the original BASH Shellshock exploit.  Still, open source administrators need to be vigilant and stay in “patch now” mode as further developments warrant.

http://www.darkreading.com/vulnerabilities---threats/new-bash-bugs-surface/d/d-id/1316161

QUOTE: If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash function, your work is not done here yet. New bugs have been reported in Bash, so it’s probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched, as of this posting: CVE-2014-7186, -7187, and -6277. The original Bash Shellshock bugs revealed on September 24 — CVE-2014-6271 and CVE-7169 — have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. “They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn’t seem to apply,” says Ullrich, who is currently performing more testing on the latest findings.

https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725

QUOTE: I just published an updated YouTube presentation (about 15 min in length) with some of the shell shock related news from the last couple days:

YouTube: https://www.youtube.com/watch?v=b2HKgkH4LrQ
PDF: https://isc.sans.edu/presentations/ShellShockV2.pdf
PPT: https://isc.sans.edu/presentations/ShellShockV2.pptx
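
A defender-side triage check for the environment-variable/CGI vector discussed in the quoted article, as an added example that is not part of the original post or the cited sources: exported Bash function definitions begin with `() {`, so that marker in a logged request line, Referer or User-Agent deserves a look. The log lines are constructed sample data; the combined log format and the CGI path hints are assumptions, and the check says nothing about the later bugs that are not reachable through environment variables.

```python
import re

# Assumed input: Apache/nginx "combined" access log format:
# host ident user [time] "request" status size "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'          # quoted field, tolerates \" escapes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED + r'\s*$'
)
# Marker of a Bash function definition smuggled in a header value.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')
# Assumed hints that the request reached a script handed to a shell.
CGI_HINT_RE = re.compile(r'/cgi-bin/|\.(?:cgi|sh|pl)(?=[?\s/]|$)', re.I)

# Constructed sample data (documentation IP ranges, placeholder payloads).
SAMPLE_LOG = '''\
198.51.100.7 - - [26/Sep/2014:01:02:03 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.9 - - [26/Sep/2014:01:05:41 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 87 "-" "() { :; }; [constructed-placeholder]"
203.0.113.9 - - [26/Sep/2014:01:05:44 -0400] "GET /about.html HTTP/1.1" 404 210 "() { ignored; }; [constructed-placeholder]" "curl/7.30.0"
192.0.2.55 - - [26/Sep/2014:01:09:10 -0400] "GET /cgi-bin/search.pl?q=f() HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

def scan_log(lines):
    """Return one finding per line that carries the function-definition marker."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if match is None:
            # Malformed or truncated lines are still checked as raw text,
            # so a mangled entry cannot hide a probe.
            if FUNC_DEF_RE.search(line):
                findings.append({"line_no": line_no, "host": None,
                                 "fields": ["raw"],
                                 "cgi_target": bool(CGI_HINT_RE.search(line))})
            continue
        host, _time, request, _status, referer, agent = match.groups()
        candidates = (("request", request), ("referer", referer), ("agent", agent))
        fields = [name for name, value in candidates if FUNC_DEF_RE.search(value)]
        if fields:
            findings.append({"line_no": line_no, "host": host, "fields": fields,
                             # CGI targets first: there the header reaches Bash.
                             "cgi_target": bool(CGI_HINT_RE.search(request))})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Findings with `cgi_target` set are the ones to check first against the patch level of the host that served them.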

Leadership – Inspiring project team with Vision

John Maxwell’s Leadership blog has excellent advice that is applicable to IT projects.

http://www.johnmaxwell.com/blog/give-your-dream-a-team

QUOTE: If you’re dreaming big, then the size of your vision will surpass your present abilities. Not only that, but your dream will even dwarf your potential abilities. No matter how much you grow and develop, you won’t ever be able to accomplish the dream alone. One is too small a number to achieve greatness. Every dream needs a team in order to come true. The questions are who to include on the team and how to convince them to join.

Who should I include on my dream team?  Life is especially hard on dreams, and when challenges arise we can be tempted to delay the dream indefinitely or to abandon it altogether. That’s why every dream team has inspirers. These people keep hope alive by providing continual encouragement. They believe in the dream even when you start to doubt it.

There’s a fine line between a dream and a fantasy, and it can be easy to cross. Every dreamer needs honest critics to keep from wandering into make-believe. These constructive critics are not skeptics or cynics; they believe in the dream just as much as you do. However, they’re attuned to reality, and they know that a dreamer who avoids facts and evidence will inevitably lose credibility.