http://www.wired.com/2014/12/top-ten-card-breaches/ By Kim Zetter Threat Level Wired.com 12.02.14 The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches. A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot. Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars. The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen. Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed. The PCI security standard (.pdf) which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment. […]
http://www.infosecnews.org/ab-acquisition-llc-and-supervalu-inc-annouce-second-hacking-incident-involving-payment-card-data-processing/ By William Knowles @c4i Senior Editor InfoSec News September 30, 2014 AB Acquisition LLC and Supervalu Inc. are the newest group of retailers that have been hit by security breaches this year. This includes Aaron Brothers, Bartell Hotels, CVS, eBay, Goodwill Industries International Inc., Home Depot, Jimmy Johns, Michaels Stores, Neiman Marcus, Recreational Equipment Inc., Sally Beauty Supply, and Sears. On September 29, 2014, AB Acquisition LLC, which operates Albertsons stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc., was notified by its third party IT services provider, Supervalu Inc. of a separate, more recent, attempted criminal intrusion seeking to obtain payment card information used in some of its stores. AB Acquisition been informed that a different malware was used in this recently discovered incident than was used in the incident previously announced on August 14, 2014. The investigations into both this incident and the earlier incident are ongoing. Supervalu Inc. (NYSE: SVU) announced on September 29, 2014 that they also experienced a criminal intrusion into the portion of its computer network that processes payment card transactions at Supervalu’s Shop ’n Save, Shoppers Food & Pharmacy, four franchised Cub Foods stores in Hastings, Shakopee, Roseville (Har Mar) and White Bear Lake, MN, where implementation of the enhanced protective technology had not yet been completed. […]
http://www.computerworld.com/article/2684180/hackers-had-access-to-goodwill-hosting-provider-for-18-months.html By Jeremy Kirk IDG News Service Sep 16, 2014 Hackers evaded security systems for a year-and-a-half at a hosting center that processed payment cards for Goodwill Industries, using the same type of malware that struck Target and other major retailers to steal card data, according to the charity’s software vendor. In its first public statement since being identified by Goodwill as its technology partner, C&K Systems of Murrells Inlet, S.C., said two other customers were also affected by the unauthorized access, though it didn’t name them. Goodwill, which sells donated clothing, said in July that federal authorities were investigating a possible payment card breach at its U.S. outlets. It’s one of many retailers, including Target, Neiman Marcus, Michaels, P.F. Chang’s China Bistro and Sally Beauty, that have disclosed data breaches since December. In a rare move, Goodwill identified C&K as one of the contractors that provided payment processing for 20 of its stores, and said those stores had since stopped using the company’s services. […]
http://www.businessweek.com/articles/2014-09-16/home-depot-breach-why-small-merchants-will-pay By Patrick Clark Businessweek.com September 16, 2014 Federal law protects consumers from the cost of fraudulent charges incurred when thieves steal credit-card and debit-card numbers. That’s good for the millions of Americans who had their payments data exposed by the hackers who breached Home Depot’s (HD) computer system earlier this year. And it’s bad for merchants, who often take losses on sales made to crooks with stolen cards. When a credit-card company identifies fraud, it wipes the payment off the cardholder’s account and notifies the merchant. Unless the store can prove the payment was authorized, the credit-card company debits money from a merchant’s checking account, leaving the vendor on the hook for the cost of items that were fraudulently purchased. Merchants also pay penalties, called chargeback fees, for accepting unauthorized charges. Accrue too many chargebacks and you’ll pay higher processing fees or lose the ability to accept certain credit cards. Those costs add up. The average merchant lost .68 percent of annual revenue to fraud in 2013, but the total cost is a multiple of that, according to a survey published (PDF) last month by LexisNexis. For every dollar lost to fraud, merchants spend a further $3.08, to replace lost inventory and cover chargeback fees and other penalties, according to the survey. The Home Depot hack left as many as 60 million credit cards and debit cards exposed, according to a report in the New York Times. Add those to the 40 million accounts affected by a hacker assault on Target (TGT) last year, plus the cards pilfered from Chinese restaurant chain P.F. Chang, luxury retailer Neiman Marcus, and others. A lot of stolen identities are floating around. […]
Forwarded from: “Jackie Blanco”
http://www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq By Michael Riley Businessweek.com July 17, 2014 In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq (NDAQ). It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage. As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once—in Nasdaq. The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate. Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.” […]
“Dear Tech Support:
Last year I upgraded from Girlfriend 7.0 to Wife 1.0. I soon noticed that the new program began unexpected child processing that took up a lot of space and resources. In addition, Wife 1.0 installed itself into all other programs and now monitors all other system activity. Applications such as Poker Night 10.3, Football 5.0, HuntingAndFishing 7.5, and Racing 3.6. I can’t seem to keep Wife 1.0 in the background while attempting to run my favorite applications. I’m thinking about going back to Girlfriend 7.0, but the uninstall doesn’t work on Wife 1.0. Please help!
Thanks …Troubled User”
“Dear Troubled User:
This is a very common problem. Many people upgrade from Girlfriend 7.0 to Wife 1.0, thinking that it is just a Utilities and Entertainment program. Wife 1.0 is an OPERATING SYSTEM and is designed by its Creator to run EVERYTHING!!! It is also impossible to delete Wife 1.0 and to return to Girlfriend 7.0. It is impossible to uninstall, or purge the program files from the system once installed. You cannot go back to Girlfriend 7.0 because Wife 1.0 is designed not to allow this. Look in your Wife 1.0 manual under Warnings-Alimony-Child Support. I recommend that you keep Wife 1.0 installed and work on improving the configuration. I suggest installing the background application YesDear 99.0 to alleviate software augmentation.
The best course of action is to enter the command C:\APOLOGIZE because ultimately you will have to do this before the system will return to normal anyway.
Wife 1.0 is a great program, but it tends to be very high maintenance. Wife 1.0 comes with several support programs, such as CleanAndSweep 3.0, CookIt 1.5 and DoBills 4.2. However, be very careful how you use these programs. Improper use will cause the system to launch the program NagNag 9.5. Once this happens, the only way to improve the performance of Wife 1.0 is to purchase additional software. I recommend Flowers 2.1 and Diamonds 5.0, but beware because sometimes these applications can be expensive.
WARNING!!! DO NOT, under any circumstances, install SecretaryWithShortSkirt 3.3. This application is not supported by Wife 1.0 and will cause irreversible damage to the operating system.
WARNING!!! Attempting to install NewGirlFriend 8.8 along with Wife 1.0 will crash the system.
(see Wife 1.0 manual, Apologize, High Maintenance & Secretary with Short Skirt)”
http://www.informationweek.com/government/cybersecurity/nist-security-guidance-revision-prepare-now/a/d-id/1269663 By Vincent Berk Commentary InformationWeek.com 6/16/2014 The National Institute of Science and Technology’s Special Publication 800-53 aims to raise the bar and set a standard of security for federal government information processing systems. As NIST works on Revision 5 of the document, which is expected to come out in April 2015, it will need to reverse the sweeping generalizations made in Revision 4 regarding the nature of the threat against data. Network defense is not a spectator sport