Monthly Archives: April 2015

Security engineers at Google announced the release of a new browser extension aimed to help users better protect their Google accounts against phishing attacks.

Known as Password Alert, the free, open-source Chrome extension works by alerting users when they enter their passwords into any non-Google site.

“Once you’ve installed and initialized Password Alert, Chrome will remember a ‘scrambled’ version of your Google Account password,” read the Google blog post.

If a user types the same Google password into a site that isn’t a Google sign-in page, the extension will generate a notice, alerting the user to reset his or her password or simply ignore the message.

“This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice,” wrote Drew Hintz, Google Security Engineer and Justin Kosslyn at Google Ideas.

The extension is also available for Google for Work users, including Google Apps and Drive for Work.

Hintz and Kosslyn added this feature would help spot malicious attackers attempting to access employee accounts. Administrators can install the extension for all users in their domain, and enable password alert auditing, send email alerts, and force end-users to change their Google password if entered into a non-trusted website.

The release of the tech giant’s new plugin comes after findings from multiple studies demonstrating phishing continues to be leverages as a tried-and-true tactic for attackers to gain unauthorized access.

As Google noted:

• The most effective phishing attacks can succeed 45 percent of the time, and
  
• Nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords;
  
• Various services across the web send millions upon millions of phishing emails, every day.
  

You can install the Chrome extension from the Chrome Web Store, or to deploy it in your Google for Work enterprise, follow the deployment guide.

Via: tripwire

 Just about every time you read about a data breach, you also read about password security. Passwords are cash money to bad actors who swipe them from social media sites, retailing databases and other electronic stores.

Unfortunately, it seems many consumers don’t get that.

In fact, 21 percent of respondents assume their passwords are of no value to cybercriminals, according to the Kaspersky Lab Consumer Security Risks Survey. On top of that, survey respondents often take the easy way out when creating and storing passwords. Kaspersky offered an example: only 26 percent of respondents create separate passwords for each account and just 6 percent use password storage software.

“Even if you are not a celebrity or a billionaire, cybercriminals can profit from your credentials,” said Elena Kharchenko, head of consumer product management, Kaspersky Lab. “A password is like a key to your home; you wouldn’t leave your door unlocked, or put your keys where anyone could find them, just because you don’t think you have anything of great value. Complex passwords unique to each account, carefully stored in a safe place, will save you a lot of trouble.”

Translating to the Enterprise

Kaspersky describes passwords as the keys to online account holders’ personal data, private lives — and even their money. It only makes sense, then, that passwords hold great value to cybercriminals who want to use them to log on to bank and credit card accounts.

Despite all the publicity around high-profile data breaches at retailers like Target and Home Depot and online properties like Dropbox, the Kaspersky survey reveals respondents don’t always take the necessary precautions to safeguard their passwords. For example, 18 percent of those surveyed write down their passwords in notebooks and 17 percent freely share their personal account passwords with family members and friends.

This translates to the enterprise. Given the proliferation of SaaS apps like Dropbox and Google Apps in the enterprise, it’s safe to assume there is a vast amount of sensitive corporate data being stored in them, often without IT’s knowledge, Paul Trulove, vice president of products at identity and access management firm SailPoint, told us.

“This lack of visibility, combined with not having the right controls in place over those apps, can leave organizations exposed to sensitive information being accessed by the wrong person,” Trulove said. “Such decentralization of IT leaves big gaps in a company’s security defenses. While it may not be feasible for an IT organization to manage the hundreds of consumer-focused SaaS apps like Dropbox, there are automated solutions that can help provide that missing visibility while enforcing a certain-level of security assurances through single sign-on and strong password management.”

4 Quick Reminders

There is also good old-fashioned wisdom. Kaspersky offered these four reminders:

1. Create a unique password for each account: if one password is stolen, the rest will remain safe.

2. Create a complex password that won’t be easy to crack even if cybercriminals are using special programs. That means using at least eight symbols including upper-case and lower-case letters, numbers, and punctuation marks but no pet names or dates of birth.

3. Do not give your password to anyone, not even your friends. If cybercriminals can’t steal it from your device, they might be able do it from someone else’s.

4. Store your password in a safe place. Don’t write it down on paper — either remember it or use a special program for storing passwords from a reliable vendor.

Via: enterprise-security-today

General Keith Alexander, the former head of the National Security Agency (NSA), is concerned that the United States’ energy infrastructure is vulnerable to targeted attacks launched by sophisticated actors.

“The greatest risk is a catastrophic attack on the energy infrastructure. We are not prepared for that,” he said.

According to General Alexander, the West’s “doomsday” scenario involves a coordinated attack against American critical energy infrastructure, including oil refineries and power stations, as well as a simultaneous campaign against Western financial centers.

Based on these threats, he feels the United States needs “an integrated air-defence system for the whole energy sector.”

General Alexander listed five countries who are capable of conducting “cyber warfare,” which includes launching targeted attacks against other nations’ critical infrastructure: the United States, the United Kingdom, Israel, Russia, and Iran.

Late last year, Michael Rogers, the current head of the NSA, testified that China is capable of launching targeted attacks that could cause “catastrophic failures” in the United States’ water systems and power grid.

Though Chinese hackers continue to steal intellectual property from U.S. enterprises, the NSA does not see any indication that China would seek to undermine American energy infrastructure at this time.

However, intelligence officials believe that Iran might show less restraint. A report by security firm Cylance Corp., for example, sheds light on a campaign called “Operation Cleaver” in which Iranian actors hacked U.S. military computer systems as well as government networks in 15 other countries.

General Alexander also believes that hackers aligned with or inspired by the Islamic State increasingly pose a threat to U.S. energy infrastructure.

Just this year, ISIS supporters have hacked the United States Central Command’s social media accounts, a series of French municipality websites shortly following the Charlie Hebdo terrorist attacks, a number of American-based websites owned by small businesses, and most recently the social media accounts and website of French television network TV5MONDE.

President Obama commented back in January that the CENTCOM hack illustrates “how much more work we need to do — both public and private sector — to strengthen our cybersecurity.”

To read more about what types of security vulnerabilities affect the United States power grid, which includes some recommendations for what U.S. utilities companies can do to meet these threats, please click here.

Via: tripwire

The annual RSA Conference, where I had the opportunity to speak yesterday, always provides a good opportunity to reflect on the progress we’ve made on cybersecurity over the past year and to look toward the work that lies ahead to ensure that our network infrastructure and, more importantly, our customers, are protected from existing and emerging threats.

At Comcast, we understand that effective cybersecurity begins with individual users. That’s why we’ve devoted so much time and so many resources to developing industry-leading tools and practices that help protect our customers from online threats.  And as we move toward completing our transaction with Time Warner Cable, we’re excited for the opportunity to extend those tools, and the industry-leading protection they provide, to millions of customers who don’t currently have access to many of the advanced cybersecurity capabilities and features provided by Comcast.

Our consumer cybersecurity experience begins with Constant Guard, an advanced group of security technologies – generally available at no additional cost to Xfinity customers – that works across platforms to safeguard users against various forms of malware, as well as widespread threats like phishing (a type of online fraud in which criminals pose as legitimate businesses like banks or insurers) and key logging (a form of tracking that can be used to steal passwords and account information).  Constant Guard includes free Norton security software, as well as unique bot detection tools and a dedicated team of professionals that focuses solely on customer security.

Our main goal with all of the security tools we provide is to stop attacks before they happen by helping our customers avoid known threats.  But as an added layer of defense, our customized, best-in-class incident-response platform also alerts us when our customers are compromised by malware. Developing this detection capability has greatly reduced our response time, allowing us to address in a matter of hours threats that might have otherwise gone undetected for months or even years.

To protect users from being snared by botnets (groups of computers infected with malware that are used by hackers to launch cyber attacks), Constant Guard delivers real-time browser alerts that warn customers if their modems inadvertently communicate with a known “command and control” bots.  As an additional layer of defense, we also created the “Am I Botted” tool, which allows Constant Guard users to instantly determine whether they are infected as part of a botnet.

While the protections afforded by our incident response platform are available only to Comcast customers today, we intend to extend them to TWC customers following completion of our transaction.

Over the past year, we’ve also been working to upgrade the privacy and security of our customers’ e-mail accounts, by deploying encryption technology throughout our email platform.  We recently completed the critical step of encrypting our Xfinity Connect webmail portal using Transport Layer Security (TLS).

That step capped a yearlong effort in which we encrypted outbound and inbound mail, and upgraded our mobile email app to support encryption.  Taken together, these steps ensure that we are encrypting our customers’ e-mail messages whenever possible as they pass through and outside of our system.

Comcast has also been an industry leader in deploying IPv6 and DNNSEC, two technologies that support more secure and stable Internet communication.

In 2014, we reached the milestone of supporting IPv6 – which helps to create a more secure Internet experience by providing better support for encryption and more secure resolution of Web addresses – throughout 100 percent of our broadband network.  The year before, Xfinity Internet was recognized as the world’s largestIPv6 deployment.  And in 2012, Comcast became the first major ISP in North America to fully implement DNSSEC, a technology that helps protect users against dangerous “man-in-the-middle” attacks.

Our transaction with TWC will accelerate the deployment of cutting-edge security tools and technologies throughout TWC’s network, allowing millions of additional users to enjoy a more secure online experience.  The transaction will also offer current TWC customers access to assistance from Comcast’s specialized customer security assurance group, which provides enhanced customer service support.  Moreover, the transaction will extend the benefits of Comcast’s enhanced intelligence gathering and deterrence capabilities, including its incident-monitoring infrastructure, to the TWC network.

No security technology is perfect.  The threat landscape changes almost daily, and providers must continuously evolve their tools and infrastructure to respond to new challenges.  We know that meeting those challenges requires a holistic, companywide commitment to security.  We’re proud of the work we’ve done toward demonstrating that commitment and excited to meet the challenge of making the combined Comcast and TWC network even more secure.

Via: comcast

In hundreds of communities across the U.S., 911 dispatchers are sending out a smartphone app alert summoning citizens trained in CPR.

Public safety agencies across the country are using mobile apps to try to improve responses to medical emergencies and save lives. Shutterstock  

When 911 dispatchers get a call that someone has collapsed and stopped breathing, they quickly notify first responders. In hundreds of communities across the U.S., they now also send out a smartphone app alert summoning citizens trained in CPR.

If those Good Samaritans arrive at the scene first, they can start resuscitation efforts until the professionals get there.

The mobile app is called PulsePoint, and it was devised to aid victims who have suffered cardiac arrest. It’s one of a number of apps that rescue workers, hospital staffers and patients themselves are using to try and improve responses to health emergencies and help save lives.

PulsePoint has helped save lives in cities such as Cleveland, where about 4,000 people have downloaded the app in the last year and 36 citizens have responded to almost three-dozen calls – including one Good Samaritan who helped save the life of a man who collapsed in traffic court.

“Apps used by citizens who want to help give them a way to be part of the structure of the emergency response program,” said Thomas Beers, emergency medical services manager at the Cleveland Clinic and coordinator for PulsePoint in the Cleveland area.

Some of the emergency apps that have been developed in recent years are designed to assist responders in monitoring patients or feeding information to hospital emergency rooms. Others are aimed at helping people alert authorities if they’re having a health crisis.

A software developer in Falls Church, Virginia, for example, created the free 911HelpSMS app, which informs a user of where he is located before he calls 911 in a medical emergency. It also instantly texts multiple family members and gives them the person’s GPS location.

Another free app called EMNet finderER was developed Massachusetts General Hospital. It allows users, including sick people, EMTs, doctors and caregivers, to quickly locate the nearest hospital in an emergency, whether they’re in a part of town they’re not familiar with or they’re on vacation.

“We’ve received great feedback from EMTs who have used the app on long transports when the patient gets unexpectedly worse and needs to go immediately to the nearest ER,” Dr. Carlos Camargo, a professor of emergency medicine at Mass General and Harvard Medical School, said in an email. “We’ve also heard from parents of children with food allergies, thanking us for creating the app that saved their child’s life.”

PulsePoint

The PulsePoint app was the brainchild of Richard Price, former fire chief of the San Ramon Valley (California) Fire Protection District. It was developed through collaboration between the district and Northern Kentucky University, and uses citizen crowdsourcing to assist patients who suffer cardiac arrest.

During cardiac arrest, the heart suddenly and unexpectedly stops beating, blood stops flowing to the brain and other vital organs, and the victim is unconscious. If not treated within minutes, it usually results in death, according to the National Institutes of Health.

Sudden cardiac arrest differs from a heart attack, in which the blood flow is blocked, but the heart usually doesn’t stop beating and the person remains conscious.

Every year, more than 326,000 people who were not in a hospital experience cardiac arrest, according to the American Heart Association. Ninety percent of them die. But if effective CPR is administered within three to five minutes, it can double or triple a victim’s chance of survival.

The association recommends that bystanders try to provide “Hands-Only”
CPR – which involves chest compressions without mouth-to-mouth breaths – if they see a teen or adult collapse suddenly. The group says that any attempt is better than none.

PulsePoint was first released in 2010, and the number of cities that have signed on, including Las Vegas, Madison, Wisconsin and Orlando, Florida, has grown to more than 1,100 in 22 states, according to Shannon Smith, spokesman for the non-profit foundation.

Here’s how it works: Once emergency dispatchers get a call about a suspected cardiac arrest in a public place, they activate an alert to PulsePoint app users at the same time they send out first responders. Users are notified if they’re within a certain distance, generally about a quarter of a mile, and if the victim is in a public location.

The app also directs citizen responders to the place where they can find the nearest publicly accessible defibrillator, a device that sends an electric shot to the heart to try to restore its normal rhythm.

The app is free for users, but public safety agencies initially pay $10,000 for installation costs and between $8,000 and $28,000 a year for a licensing fee, depending on the size of the area’s population.

Smith said that so far, PulsePoint has been activated more than 4,000 times and more than 10,000 citizens have responded.

Among the success stories was that of a 56-year-old Oregon man, who collapsed in his car outside his gym, and a five-week-old baby with an enlarged kidney in Washington state, who went into cardiac arrest at a ballet shop where his sister was getting a tutu.

“Being able to arm CPR-trained citizens with a tool to locate someone in distress, as well as the nearest defibrillator, strengthens the person’s chance of survival,” Smith said.

Jeff Helm, division chief of EMS for Sioux Falls (South Dakota) Fire Rescue, said that when his department first launched PulsePoint more than two years ago, some residents raised questions about potential liability and patient privacy issues.

But Helm said neither turned out to be a problem because citizen responders who assist during a medical emergency are protected from liability under Good Samaritan laws, which every state has enacted, and they’re attending to victims in public places and aren’t even aware of their names or other personal information.

Helm said that the app has gotten a lot of positive feedback from his community, where more than 10,000 people have downloaded it.

“It keeps the public engaged,” he said. “Everyone has a smartphone nowadays, and now we have an avenue to get them to the right place at the right time.”

In Fargo, North Dakota, about 2,500 people have downloaded the PulsePoint app, said Gary Lorenz, an assistant fire chief.

“We’re very supportive of it,” Lorenz said. “Anything we can do to help save somebody’s life is good.”

Emergency responders say they are more than happy that apps are being created to help them do their jobs better.

“We’re all for any app technology that can make the process more efficient and effective,” said Lori Moore-Merrell, who heads the research division of the International Association of Fire Fighters, which represents about 300,000 professional firefighters and paramedics. “If these apps can get a bystander to engage in CPR, or help us get there faster or better communicate with the hospital prior to arrival, we’re absolutely supportive of that.”

Other Emergency Apps

Unlike PulsePoint, most emergency health-related apps don’t just target one type of medical crisis. The ICEBlueButton app, for example, lets users store information on their smartphone that can be used during any medical emergency. That can include their doctor’s name, emergency contacts, allergies, medications and medical conditions. A barcode then is generated that can be accessed on the phone’s lock screen and scanned and downloaded by emergency responders, using a scanner app.

ICEBlueButton, created by Humetrix, a California-based IT company, is free. But users also can pay a monthly fee to have the app send an email to their emergency contacts, letting them know when and where it was scanned. They also can buy stickers containing the barcode that can be placed on a child’s bike helmet, skateboard or car seat.

Another app, Twiage, allows first responders to instantly and securely send patient information from the ambulance to the hospital, including photos, videos and EKG results. The information appears on a computer screen at the emergency room, along with the GPS-tagged estimated time of arrival.

The app, which was developed by a start-up company in Cambridge, Massachusetts, is free for emergency responders. Hospitals that get the data pay a subscription fee, said YiDing Yu, a physician who co-founded Twiage.

Yu said that across the country, ambulances still use radios and phone calls to alert hospitals, which can lead to errors and delays in treatment. The app was created to help hospital physicians better prepare and accelerate care for patients who’ve suffered strokes, heart attacks or major trauma.

Moore-Merrell of the international firefighters group said that any apps that can improve communications between first responders and ER doctors are well worth it. “Bring it on,” she said. “It’s a home run.”

But Moore-Merrell also cautioned that those in her profession shouldn’t think of all these emergency health care apps as the be-all and end-all.

“With any technology, we can’t be so dependent on it that if it goes down, we’re in trouble,” she said. “We always need to be prepared to do what we do without technology.”

This article was originally published by Stateline. Stateline is a nonpartisan, nonprofit news service of the Pew Charitable Trusts that provides daily reporting and analysis on trends in state policy.

Via: emergencymgmt

 You’ve misplaced your Android device but you don’t have a friend around to call your number so you can track it down. Well, now you can find your phone by Googling it.

In a brief Google Plus post, the search giant unveiled its newest feature for smartphones running the latest version of the Android mobile operating system. Users whose devices have gone AWOL can ask Google via their desktops to “find my phone,” and the search engine will take it from there, according to the post.

After typing in the instructions, Google will return a map image showing the location of the device, along with a “Ring” icon. “If the pesky phone is hiding nearby, Google can ring it for you — or you can see it on the map if you, say, forgot it at the bar,” Google noted.

Expanding on Android Device Manager

The new feature actually simply builds upon something Google has offered since August 2013, when it rolled out its Android Device Manager. Designed to help Android owners find misplaced devices — or secure lost or stolen devices — the online Device Manager site enables users to order their phones to ring, or locate them on maps in real time.

Like Apple’s Activation Lock, which came out around the same time, Android Device Manager lets device owners remotely add screen locks to prevent their personal information and contacts from getting into the wrong hands. For devices that appear to have gone missing for good, Device Manager also lets users erase all the data on their phones or tablets.

Just last month, Google expanded the capabilities of the Android Device Manager to integrate with Android Wear. That means people who have smart watches running on Android can use their wearables to find lost or misplaced devices by either selecting the “find my phone” option or simply telling their devices, “OK, Google. Start. Find my phone.”

Remote Controls = Declining Thefts

The growing availability of remote phone controls — especially so-called “kill switch” technology that can remotely render a lost or stolen device unusable — is believed to have contributed to a decline in smartphone thefts and robberies in many areas. The technology has become more widely used since the Secure Our Smartphones (SOS) Initiative was launched in 2013.

Co-chaired by New York Attorney General Eric Schneiderman, San Francisco District Attorney George Gascón and London Mayor Boris Johnson, the SOS Initiative aimed to reduce violent crime associated with smartphone thefts. The theft of Apple iPhones, for example, has often been described as “apple picking.”

Since the initiative was launched, a growing number of phonemakers — starting with Apple — began rolling out kill switch capabilities for their phones. As more phones can now be disabled remotely, police in many cities are reporting that smartphone-related crimes have been declining. New York, for example, saw a 16 percent drop in cellphone robberies from January 2013 to December 2014, while San Francisco saw cellphone robberies decline by 27 percent.

Via: enterprise-security-today

Service will start for Nexus 6 smartphones under invitation-only early access program.

Google launched its own ambitious wireless network primarily in the U.S. in partnership with Sprint and T-Mobile.

Calling it Project Fi, Google promised seamless wireless connections, initially for Nexus 6 smartphone users, whether they are within more than 1 million free and open Wi-Fi hotspots or within an LTE cellular network operated by Sprint or T-Mobile.

In a blog, Google asked customers to sign up online to join an Early Access Program for the service. The service will initially be available on the Nexus 6 smartphone that Google builds with Motorola. Potential customers must request an invitation from Google on a separate site to get started.

Pricing was announced at $20 a month for talk, text, Wi-Fi tethering and international coverage in 120 counties, plus a flat $10 per gigabyte for cellular data while in the U.S. and abroad. One unusual feature is that Google will give users credit for unused data in any given month. Additional details were posted online.

In the blog, Nick Fox, vice president of Google communications products, said Google has developed new technology that gives users “better coverage by intelligently connecting you to the fastest available network at your location, whether it’s Wi-Fi or one of our two partner LTE networks.” Data will be secure through encryption once a connection is made, he said.

A separate webpage describes the network in more detail.

In addition to allowing users to freely move from Wi-Fi to cellular, Google said a user’s phone number will live in the cloud so users can talk or text with that number on “just about any phone, tablet or laptop.”

Fox said there are advantages to Google’s involvement in the network as well as with the device and its software. “By designing across hardware, software and connectivity, we can more fully explore new ways for people to connect and communicate.”

T-Mobile CEO John Legere blogged that Project Fi “is going to make people think differently about wireless — and I love that.”

Sprint issued a statement saying it was “proud to enable Google’s entry into the wireless industry as a service provider,” adding that Sprint has empowered more than 100 successful MVNO’s (Mobile Virtual Network Operator) in the U.S.

Many analysts have questioned how Google will make it as an MVNO, since some large projects have failed in the past decade. However, others believe Google will have greater control over the entire mobile experience for customers, which will only improve the company’s ability to sell search and advertising services.

In January, when Google’s interest in a wireless service first surfaced, MachNation analyst Dima Tokar argued that Google won’t be a traditional MVNO and will use its network to start offering Google-branded Internet of Things services for homes and cars “to link all aspects of consumers’ lives.”

Via: networkworld

Microsoft promised this morning to release by the end of April a set of Office applications that it calls “Universal” for smartphones running Windows 10.

The company has a two-prong productivity strategy in place for Windows: Office 2016 for desktop use, and, for all other Windows 10 experiences, its touch-focused Office Universal apps. The latter apps, according to Microsoft, will function across tablets and smartphones, dynamically changing their design to allow users to better use them based on their current screen size.

The two names for the two groups of apps — Office Desktop and Office Universal — might seem a bit odd, given that the Universal apps aren’t quite designed to be. The universal tag is instead more useful in the mobile context — these are the apps you will use across Windows devices whenever you’re not at your desk typing away happily on a full-sized keyboard.

Here’s a shot of the Universal Word app, as shared by Microsoft this morning:

We’ve known for some time that the Universal applications will be free for smartphones and tablets. So, if you do test them out, you can leave your wallet at home.

Microsoft is slowly snapping the parts of its new platforms and productivity strategy into place: Windows everywhere; Office everywhere; Office tools for work environments that have a cost attached; Office tools for the on-the-go user for no cost, all glued together by an application layer — the universal Windows Store; and various subscription services to provide additional content and capability to those who need it — Office 365, Xbox Live, and so forth.

The company has also begun to experiment with bundling its services into a single sale. I wouldn’t be flabbergasted if we see a Microsoft Bundle, akin to Amazon Prime from the company that encompasses all its services into a single price, sold on a yearly or monthly basis (probably yearly).

For now, all Windows 10 for phones users can look forward to new code in short order.

Via: techcrunch

A recently disclosed iOS security flaw could potentially enable hackers to crash any nearby iOS devices.

At the RSA Conference this week in San Francisco, researchers Yair Amit and Adi Sharabani disclosed a dangerous and scary new iOS hack which can cause targeted iPhones or iPads to enter a perpetual reboot loop, effectively rendering the devices all but useless.

Amit and Sharabani, who both work for the mobile security firm Skycure, note that the security flaw exists in iOS 8 and can be triggered via manipulated SSL certificates sent to a device over a Wi-Fi network. What’s more, a previous iOS bug disclosed by Skycure, dubbed WiFiGate, enables attackers to create their own Wi-Fi network and “force external devices to automatically connect to it.” Taken together, attackers can effectively create what is referred to as a “No iOS Zone.”

Skycure writes:

Envision a small device, which automatically captures any iOS device in range and gets it to join a fake network. Then, it issues the attack and crashes attacked iOS devices again and again. Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic.

The research firm adds that even when a victim knows that an errant Wi-Fi connection is wreaking havoc on their device, they can’t exit out of the reboot loop to even turn it off. A video demonstration of what the hack looks like on an affected device can be seen below.

As it stands now, Skycure has disclosed the attack to Apple, but won’t provide any more “how-to” details as to keep it out of malicious hands.

via: networkworld

Target is still cleaning up after its disastrous data breach of December 2013, and recovery costs continue to climb for the US retail giant.

Target says it reached a $19 million settlement with MasterCard to cover some of the damages to financial institutions that issue MasterCard credit and debit cards.

Although there have been a lot of smaller data breaches since, at Neiman Marcus, Michael’s,P.F. Chang’s and others – the Target breach and the even bigger breach at Home Depot have put an intense focus on the problem of credit card data theft.

As we reported at the time, Target was breached by cybercriminals who planted malware on credit card terminals in its stores during the Christmas shopping season, stealing unprotected data as customers swiped their cards to pay.

The sophisticated cybercriminals behind the Target breach haven’t been identified, and they disappeared after selling the stolen account details to other crooks who used them to make fraudulent purchases.

It took a lot of skullduggery and even luck for the cybercrooks to pull off what they did – they managed to steal credentials to Target’s network from a plumbing company working for it, and used them to move freely about the network, steal the credit card data, and then exfiltrate it to a server in Russia.

Target might have prevented the data theft if it had listened to its own security team – a special security group noticed the malware and tried to warn Target, but the company didn’t act on the team’s warnings.

Home Depot was victimized by the same type of malware as Target, a malware called Backoff that stole credit card information from its point-of-sale terminals, affecting 56 million customers whose accounts were exposed in the breach.

Around the same time as Home Depot was hit, the FBI warned retailers about Backoff, which it estimated had breached over 1000 businesses.

Target said it has updated all of its terminals to accept modern credit cards with an embedded chip, which are more secure than magnetic stripe cards.

Home Depot said it too has updated its terminals – installing 85,000 new pin pads in 2200 stores in North America – but there are more retail merchants that haven’t spent the money to upgrade all their point-of-sale equipment.

How many millions of machines will need to be replaced in all the retail businesses in the US?

It’s a big job but one that needs to be done.

Via: sophos