Archive for the ‘Financial vulnerabilities’ Category

A friend of mine called me for help after she started getting pop-ups every time she opened her web browser. She asked me how her computer got into this mess. While I could not pinpoint an exact cause (no log files), I suspect she downloaded crapware with a software installation she trusted.

She also wanted to know why anyone would want to inflict this malware on her computer. The answer is simple: Money.

So what can you do to avoid this problem? The consensus advice is to only download programs from a trusted source. Ok! That’s great advice! But what is a “trusted source”?

HowToGeek.com explains in “Yes, Every Freeware Download Site Is Serving Crapware” that all the major free download sites–Tucows, CNET Downloads / Download.com, FileHippo, SnapFiles, MajorGeeks, and yes, even SourceForge–include adware and even malware with their installers. While some sites are better than others about telling you what they’re including and about allowing you to uncheck those additions, they all do it.

What to do instead? Go to the developer’s website and download from there. And support those software authors that do not include crapware by donating to support their development work.

Other steps to take:

  • Back up regularly (at least once a week or oftener), then disconnect the media. Test your backups by periodically restoring a file. I also recommend alternating backup media to offsite storage, such as a safe-deposit box. Backup media–just like any other technology–can break, become corrupted, get lost or stolen.
  • If you back up to a  cloud provider, your back ups can become unavailable if their storage media becomes unavailable for any reason, so use physical backup media as well.
  • On Windows systems, set System Restore Points.
  • Change your IMPORTANT passwords as soon as you can from a computer that is not infected. Use a unique, strong password for each site.
  • Can’t remember all those passwords? Use a password manager. Note: Do NOT lose this password! I use the Professional versions of KeePass and Portable KeePass, and KeePass2Android (available from Google Play), but cloud-based LastPass is also very popular. (LastPass is more convenient, but I am leery of cloud-based services for availability reasons.)

If you have recent back-ups and your files get locked by a version of CryptoLocker / CryptoWall, you may not have to pay to get your files back (depending on how recent your backups are).

For an interesting read, check out Kaspersky’s 2014 Trends in the Internet Security Industry.

Crime in the Workplace

Posted: January 20, 2015 by uszik11 in Security Breach, Vulnerabilities
Tags:

Your need to protect yourself from your co-workers is an unspoken truth. In criminology, we say “crime knows no neighborhood.”  In other words, crime is everywhere, not just in one bad place. People are people everywhere.   At work, we steal inventory and information from our employers.  We steal money and other tangibles from our colleagues.  Of course, I do not do those. Of course, you do not, either.  But other people do.  Here in America, about 20% of us are habitual perpetrators.

If you work in a small shop, you probably are among people you know well enough.  Nonetheless, your company is still in a shared space of some kind, a building, a strip mall, a street. Everyone there is in your world. You cannot know them all.

If you are in a large enterprise, the statistical facts are warnings.  If you have 1000 people in your building, then you meet 200 perpetrators every day.  Background checks only reveal the habitual, compulsive, or genetic predators who have been caught.  But many aggressors are opportunistic and competent. Routine offenders get away with harming others because no one speaks up.  And it is not easy to confront a bully or report a thief.  So, the harms and crimes continue.

Generally, security falls under the control of the facilities manager.  Rarely does an organization have a chief security officer at the same level as the chief financial officer or chief information officer. Facilities managers are concerned only with keeping costs down. Facilities managers seldom have professional training in security. As a result, most buildings have too few guards, posted in the wrong places, at the wrong times, assigned to futile activities.  Security is reactive, not proactive.

Badging and other controls for identity and access tend to be minimal and ineffective. You have no idea who is in your building with you.  Vagrants know all the ways to get in.  Professional thieves have no problem getting through the front door.

Professional thieves work large office buildings with public traffic. They look just like everyone else in our casual dress society.  They walk the halls peeking into offices, and trying doors.  Laptops are an easy grab.

Engineers and programmers are a special problem.  They enjoy getting around locks; and they are good at it.  The statistics apply to them as well. People who make a lot of money steal and bully just like poor people. Crime knows no neighborhood.  Even the 80% of them who are nice, still leave us vulnerable when they gimmick, jimmy, or shim a lock.  They have no control over who the next person will be to come through that door.

Protecting yourself at work begins with a few simple rules.  Lock your desk and your computer when you leave the area.  Always take your purse or wallet with you.  Never leave your laptop, phone, or pad unattended in the cafeteria or restroom.

Generally, if you have a problem with someone, you have six choices.

  1. You can confront them.
  2. You can go to your manager.
  3. You can take it to human resources.
  4. You can report it to security.
  5. You can call the police.
  6. You can ignore them.

The bottom line is that it is better to prevent a problem than to fix one.

 

Let’s look back at 2014 to review events that could impact our information privacy. Some substantial vulnerabilities occurred this year including the Heartbleed bug, Shellshock, and POODLE, along with the usual Microsoft, Java, browser, and Adobe Flash and Reader problems. There have been some notable payment system breeches: Sony, Kmart, Jimmy Johns, Home Depot, Apple, Dairy Queen, Community Health Systems to name a few … even some Goodwill payment systems got hacked.

What can you do to protect yourself? Here are a couple things to do:

  • Protect your information!

Don’t give it out unless it’s absolutely necessary. If your doctor—like mine did—asks you to sign a release so they can use your deidentified data in a study, ask them what information they are sending and who they are sending it to: Does it include your initials, your first name, your zip code, your street, your age and gender, your diagnosis, your treatment? If they frown at you and say it’s deidentified, ask them what that means to them.

According to HIPAA, there are 2 main methods to de-identify patient data, the “expert determination” method and the “safe harbor” method. The safe harbor method is usually safer because it removes 18 specific identifiers from the research data, such as name, age, dates must be year only, telephone numbers, address, full-face pictures, and account numbers. The expert method depends on an “expert” to determine what’s safe to disclose.

For instance, why do you care if someone shares your birth date? The birthday paradox is a probability theory that explains if you’re in a room with 23 other people, the chances that at least 2 people in the room will share a birthday is 50%, and in a group of 70 people, the probability that at least 2 of them will share a birthday reaches 99.9%. However, the probability that 2 people will share the same birth date is considerably smaller.

A recent article in American Medical News explained how Latanya Sweeney, PhD, a Harvard University researcher, was able to attach 241 identities to the deidentified medical information of a database of 1,130 research patients, using birth date, gender, and zip code combined with public records, such as US Census records or voter registration. That’s 22%! Yikes!

To see how identifiable you are by using those parameters, visit the Data Privacy Lab.

  • Make your important passwords unique for each account, change them often—every six months or sooner, especially if the web site is hacked—and implement two-factor authentication on sites that allow it, especially sites like email, banking, or e-commerce.

What is two-factor authentication? Two-factor authentication means that instead of using just a password to access your account, you add an additional method of verifying your identity.

Google Authenticator is a way to add a second factor; it’s easy to use and it sends a code via a text message to your device. You can set it up so that you only have to input a code if a new device tries to use the account or your password changes. In case you don’t have an Internet connection or cell phone service, you can download a set of 10 codes for backup authentication. Make sure you keep these codes safe! I store mine right in KeePass.

  • Back up your personal information on all your devices—documents, photos, music, videos.
  • Lock your devices: Use PINs, passwords, puzzles, or biometrics.
  • Install software like Find My Phone (Windows, Android, or iPhone) or Prey; if your device is lost or stolen, send it a lock and erase it. Be safe, call the police. Do not try to recover it yourself.
  • Don’t save password information in your browser! Here’s an article on how to disable saving passwords in IE, Safari, and Firefox browsers, and Chrome.

Can’t remember all those passwords? Neither can I! You can use a password-protected Excel 2007 or later spreadsheet (do not save in compatibility mode), download a password manager like KeePass, or use a cloud-based password manager like LastPass.

Do not lose the master password! If you might forget, put it someplace safe like your safe-deposit box.

I have used all three options, and I prefer KeePass, although Excel is in some ways more convenient because you can decide on the fields you use. The data is stored on your device (unless you load it in the cloud yourself). I use KeePass’s professional and portable versions, and KeePass2Android. Try to only update the KeePass database on one device and copy it to your other devices so you don’t get confused as to which device contains the most up-to-date copy of the database. I date the database when I add a new account or change a password (BlahXX-XX-XXXX), so I know to move it to my other devices.

It is very important to back up this database and store a copy that you update regularly —as well as a printed copy—in your safe-deposit box.

LastPass is convenient, but I don’t like the idea of not knowing where my data is stored. Also, if the service is down—as happened last August for over 12 hours—can you access your accounts? According to their documentation, you should be able to. However, it is always best to keep a non-cloud-based back up for cloud-based services.

  • Keep your operating system and applications up to date. When an operating system is no longer supported, it is time to either get the device off the Internet or—if the option is available—upgrade to a new operating system or download and install an open-source operating system. If none of those options work, wipe the device and recycle it here or at one of the Goodwill locations that partners with the Dell Reconnect program.

Spring clean your installed apps: if you don’t use it, uninstall it. Fewer apps will free up resources like memory and drive space, and your device might even run faster.

One application to consider installing on a Windows machine is Secunia’s Personal Software Inspector. It makes sure that all your updates and patches are current. I test a lot of software and some apps don’t always have automatic updates; this app is wonderful!

Everyone here at IntentionalPrivacy.com wishes you a prosperous, happy, healthy, and safe 2015! We’re happy you read us.

Christmas Present: The Interview

Posted: December 23, 2014 by IntentionalPrivacy in free speech, Security Breach
Tags: , , ,

The Art House Convergence  offered Sony a way to distribute The Interview, so there will be limited showings of the movie starting on Christmas Day. Here is a list of theaters currently showing the movie according to Variety, which they will continue to update.

In a statement released on Tuesday, 12/23/2014, President Obama praised Sony’s decision to release the movie.

In other news, North Korea experienced massive Internet outages for much of Monday, but Internet access was restored on Tuesday according to Reuters.

I still think this story would make a great plot.

Happy holidays!

 

On December 17, Matt Mason (@MattMason), chief content officer at BitTorrent, tweeted that “Sony should release The Interview as a BitTorrent Bundle. This is the very thing the platform is designed for.”

Okay! An unlikely hero rides to the forefront!

What is BitTorrent?

BitTorrent is file-sharing software that uses a peer-to-peer computer model. Peer-to-peer means that files transfer from device to device instead of getting them from a centralized server.

How it works: The hoster of a file breaks a large file into smaller, equal-sized pieces and stores the pieces on seed computers. Then the hoster creates a small torrent descriptor file that they advertise. The torrent software is installed on a client computer. When the client decides to download a file, the software locates the pieces on seed computers and starts transferring pieces. The pieces typically arrive out of order and are re-arranged into the proper order when the transfer of all the pieces completes. That means the download can be stopped at any time and re-started without having to start the download over. When the file has been completely downloaded, the client with the completed file becomes a seed computer for other clients to download the pieces.

According to Wikipedia, an estimate of monthly BitTorrent users was about 250 million in January 2012. That means that as the file pieces are distributed to seed computers and downloaded by client computers who then become seed computers, the speed of file distribution increases.

You may even have been using BitTorrent already and didn’t know it. It is a component in Amazon S3 Simple Storage Service, an online service providing cloud applications, backup, and content distribution. Open source and free software projects use it to distribute downloads. Blizzard Entertainment’s Blizzard Downloader client (Diablo III, Starcraft II, and World of Warcraft) uses it for games, content, and patches. Universities sponsoring BOINC distributed computing projects often offer BitTorrent to reduce bandwidth costs. It supports Facebook and Twitter.

Why could BitTorrent release The Interview when the major theater chains couldn’t?

The peer-to-peer model would make it difficult for the attackers to stop downloads of the file.

And, “BitTorrent Bundle is a safe and legal way for Sony to release this film, and they would join the nearly 20,000 creators and rights holders now using the Bundle publishing platform,” said BitTorrent according to VentureBeat.

Why does BitTorrent think it is better to release the movie through them instead of through Sony’s own online video channels?

According to BitTorrent, by “using the paygate option, Sony are able to set the price for the film and release it widely without implicating anyone or exposing any third party to a terrorist threat,” and “it would strike a strong note for free speech.”

Sony Entertainment CEO Michael Linton told CNN on December 19th that “no ‘major video on demand distributor’ has been ‘willing to distribute’ the film. ‘We don’t have that direct interface with the American public, so we need to go through an intermediary to do that.’”

Sony, meet BitTorrent.

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here’s a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose a 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, Sony has had 195 security breaches from September 1, 2013 through June 30, 2014, according to leaked emails. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

You might know and follow the general rules for creating a good password. Apparently, no one else does.

The “25 Worst Passwords” is an annual press release from SplashData, which sells password management tools. They also tap into the resources provided by similar security reporting firms. Those reports from recent news stories illustrate that most people seem to be really bad at inventing new passwords. Writing about the Adobe website breach of 2013 PC World revealed that ‘adobe123’ and ‘photoshop’ were very common choices. An article from the BBC cited security researcher Per Thorsheim. He pointed out that the color schemes of Twitter, Facebook, and Google, all lead people to include the word “blue” in their passwords.

As a result, more websites require you to use a Mix of Upper and Lower Case, and also to include $pecial C#aracters and Numb3rs. The password photoshop becames !Ph0t0$hop* and that should be more secure.

However, what really makes that more secure is not the mix of characters but the two additional symbols. The ! and * at the beginning and end turn a string of 9 characters into a string of 11. The basic arithmetic of computing says that the longer something is, the harder it is to guess. Your bank transfers money with cipher strings of 200 digits. We call them “computationally difficult” to crack.

“Black hat hackers” build special computers to attack passwords. One of those homebrew boxes broke every Windows-standard 8-character password in under 6 hours. A lesser machine revealed 90% of the passwords on LinkedIn. However, if you have an 11-character password those powerful crackers would need 515 years to work through all the possible combinations. And yet, long as they are “AmericanTheBeautiful” and “ToBeOrNotToBe” are known phrases.

Those networks of multiple game processors also grind through huge databases of words and proper names in English and their many variations. . Passages from the Bible, quotations from Shakespeare, and other cultural artifacts add to the databases.  Black hat hackers have mammoth dictionaries of known passwords. Those are compiled from the revelations of each successful attack.

Password Cracking Machine

Jeremi Gosney’s High Performance Computer. The rapidly-moving graphics of games are computationally intensive. So, the central processor and parallel processors of the Xbox, PlayStation, and others rely on co-processors designed for rapid arithmetic. That makes them perfect for running billions of guesses per second.

It is also true that some websites prevent you from using special characters. You might be instructed to keep your passwords to Upper and Lower Case Letters and the numerals 0 through 9. Restricted like that, all of the possible 11-character passwords can be broken in just 4 years. Turn the computer on; let it run day and night; it churns out passwords.

The reason why you sometimes are restricted from special characters is that the Dollar $ign and <Greater-than Less-than> and @some others# are common to programming systems and languages such as SQL (pronounced “sequel”) and Java. So, in place of the password, a hacker inserts a line of computer code to open up the website to their commands. Such SQL attacks are common.

BBC Cat 2

“If you have a cat, or any other type of pet, do not use its name as part of a password.” – BBC

That brings us to the corporations and organizations that allow your data to be stolen. SQL attacks are an old, known problem. But everyone is busy. And businesses cut costs by releasing employees. So, successful attacks are inevitable. The key to security is not just to put up barriers. Victims must act quickly, decisively, and effectively when those firewalls are breached. And they will be breached. It is not a matter of “if” but of “when.” For over 20 years, even the FBI has suffered periodic intrusions.   Rather than requiring you to have a ridiculously difficult password, the system administrators should just do their jobs.

But this is the Information Age. We all have computers, phones, pads, notebooks, and networks. That puts the burden back on you.

We give out our usernames and passwords all too easily. Spam Nation is new book by Brian Krebs. Formerly a technology writer for the Washington Post, Krebs more recently investigated two Russian “businessmen” who apparently controlled the world’s largest floods of spam email. They sold fake Viagra and fake vicodin, fake Gucci and fake Rolex. Millions of people bought them. From all indications, the crooks really did deliver the goods. In doing that, they acquired millions of usernames and passwords. And people are lazy.

If you have the same log-in credentials for illegal drugs that you do for your bank account, you have only yourself to blame when a drug dealer steals your money.

Brian Krebs writes a very readable blog.

Brian Krebs writes a very readable blog.

But the same breach could come through the garden club, the library charity, your school, or work. How many log-in accounts have you had since the Worldwide Web was launched in 1991? According to Brian Krebs, it is your responsibility to keep yourself safe by keeping your identities separate.

Even Wonder Woman, Superman, Batman, and Batgirl manage only two lives each, not twenty. You may need a password manager. PC Magazine, PC World, MacWorld, and InfoWorld all review and evaluate password managers. It is a start. Of course, if your home Wi-Fi network is open to the public, then you have a different problem, entirely.

RESOURCES

If you have a late model car, someone could disable the brakes, command the steering wheel, set the speed, open the doors, disable the airbags, or explode them, all from a Wi-Fi hotspot.

Perhaps the modern icon is the General Motors OnStar system. Everyone knows it; it shows up in movies and TV as commonly as orange juice or dogs. OnStar was launched in 1995 and went from analog to completely digital in 2006. (Wikipedia here.)  Now, such radio systems are a standard feature on common makes and models. The radios are called “transceivers” for “transmitter and receiver”, that is, a “walkie-talkie” or two-way radio, in other words, a cell phone that is always on. With that link someone can take control of your car.

Computers in cars go back to the 1978 Cadillac Seville. The chip was a Motorola 6800, used also in early personal computers. It ran the car’s onboard display that provided eleven outputs such as fuel economy, estimated time of arrival, and engine speed. By the turn of the Millennium, upscale BMWs and Mercedes boasted 100 processors. Even the low-tech Volvo now has 50. (Automotive Mileposts website here and Embedded website here. Note that “embedded” systems are computer controllers that built into other machines for control or diagnostics. Embedded systems is a branch of computing.)

However, the older your car, the safer you are. A vehicle from the 1980s or 1990s will have electronic controls, but they will be less open to attack from the outside.  Without a radio link such as OnStar, there is no way to control the car from the outside. Also, the older processors were more often dedicated to reporting things such as gas mileage or fuel economy. Electronic fuel ignition replaced carburetors, but, again, was a simple, stand-alone controller that could not be compromised from the outside.

Over the past few years, two different security projects have been reported in which “white hat hackers” (good guys) investigated ways to take control of different models of automobile.

models-panelbg-001

The little antenna on the Prius is not just for the FM radio.

 In 2011, Car and Driver told about the work of the Center for Automotive Embedded Systems Security, a collaboration between academics from the University of Washington and California State University at San Diego. First, they plugged their own device under the dashboard to compromise the on-board diagnostic computer. (Anyone who can get to your car could do that the next time you take in for an oil change or other routine service.) In the second phase, they figured out how to do that remotely.

According to Car and Driver: “Such breaches are possible because the dozens of  independently operating computers on modern vehicles are all connected through an in-car communications network known as a controller-area-network bus, or CAN bus.  Even though vital systems such as the throttle, brakes, and steering are on a separate part of the network that’s not directly connected to less secure infotainment and diagnostic systems, the two networks are so entwined that an entire car can be hacked if any single component is breached.”  (“Hack to the Future” Car and Driver July 2011 by Keith Barry here.)  The original research from the academics is posted online as PDFs.  (See below).

In the words of the researchers:  “We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”  (Published as “Experimental Security Analysis of a Modern Automobile” by

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.
 IEEE Symposium on Security andPrivacy, Oakland, CA, May 16–19, 2010. Available as a PDF from the authors here.)

Then, having figured out how to install their own controller into a car under the dashboard, they turned to the problem of remote control.

“Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model—requiring prior physical access—has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.”  (Published as “Comprehensive Experimental Analyses of Automotive Attack Surfaces” by Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage (University of California, San Diego) and Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (University of Washington). Available as a PDF from the authors here.)

Two years later, Andy Greenberg, who reports on technology for Forbes, filed a story about Charlie Miller and Chris Valasek who carried out their own car hacking research with a government grant.

“Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.” (Forbes, August 12, 2013 here. This story includes a video of the event. They took Greenberg for a ride that ended in a crash despite everything he could do to fight for control of the car. The 5 mph roll out finally stopped in some high grass. )

 

 

According to KrebsOnSecurity.com, Jimmy Johns aren’t the only restaurants to get caught in this breach, which lasted from June 16 through mid-September (dates vary at some locations). Many small restaurants use Signature Systems PDQPOS point-of-sale systems. A total of 216 Jimmy Johns and 108 other restaurants are affected because “an authorized person gained access to a user name and password that Signature Systems used to remotely access POS systems.” This access allowed the attacker to install malware to steal payment card data, containing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card.

I wonder if Signature Systems changed their passwords on a regular basis? Probably not. Did they use two-factor authentication? Long and strong passwords? Did they conduct employee training on anti-phishing techniques?

Unfortunately, as of October 28, 2013, PDQPOS was only acceptable for pre-existing deployments. So it’s possible that some of these restaurants may receive fines if the system was installed after that date.

They’ve all had recent breaches.

How many well-known and large breaches have we had in the past year? A bazillion! Please see the page I’ve posted that shows a list of recent breaches.

What should you do if you’ve used a payment card–debit or credit–at a store with a recent breach?

  1. Check your financial statement to confirm that you used the card within the time period breached.
  2. If you have unauthorized charges, notify your financial institution immediately.
  3. Even if you don’t have unauthorized charges, ask your bank or credit union to replace your card.
  4. If the breached company is offering identity protection, sign up for it.
  5. If your identity has been stolen, this FTC site–Create an Identity Theft Report–will help you create documents for the various places you will need to contact.
  6. Don’t shop with a debit card online.
  7. Use the credit card option when shopping with a debit card.

KrebsOnSecurity stated last week that banks are seeing fraudulent ATM withdrawals from debit cards stolen in the Home Depot breach. Be vigilant!

The last thing to think about, if a company has a breach and only has a news release. Two recent examples include Dairy Queen and Jimmy John’s. There’s no additional information on their website, not even an apology! Should you continue to visit their establishment?  How do you know they’ve even cleaned up their payment systems?

I’m voting with my feet and I will never buy anything from either Jimmy Johns or Dairy Queen again.