Monthly Archives: April 2018

Saks, Lord & Taylor breached, 5 million payment cards likely compromised

Five million customer credit and debit cards offered for sale by the JokerStash hacking syndicate, also known as Fin7, likely came from records stolen from Saks Fifth Avenue and Lord & Taylor sometime between May 2017 and their March 28 release.

“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations [has] been compromised” and the majority of cards were “obtained from New York and New Jersey locations,” according to a Gemini Advisory report, which states that approximately 125,000 records were for sale, with the remainder of the cache, advertised on the dark web as BIGBADABOOM-2, expected to be rolled out in the coming months.

“While locale-specific attacks like these aren’t uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection,” said Terry Ray, CTO of Imperva, noting that organizations often struggle to identify a breach or infection in a reasonable time-frame. “Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cybersecurity teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common,” Ray added.

Gemini expressed “a high level of confidence” that the stolen cards came from Saks Fifth Avenue, its discount outlet Saks Fifth Avenue OFF 5TH, and Lord & Taylor Stores, all operated by Hudson’s Bay Company (HBC), a Canadian firm.

“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America,” reads a company statement from Saks Fifth Avenue. “We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication at this time that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe.”

The company added that it is coordinating with law enforcement authorities and payment card companies and assured customers that there is no evidence that Social Security and Social Insurance numbers, driver’s license numbers, and PINs were affected.

Fin7 has successfully hacked hotel chains like Trump Hotels and Omni Hotels & Resorts, as well as retailers like Whole Foods, Jason’s Deli and Chipotle. The group last year also launched spearphishing campaigns targeting Securities and Exchange Commission (SEC) filings using a fileless attack framework.

“This incident shows once again merchants still need to protect themselves against POS system infiltration attacks targeting cardholder data. A multi-layer security strategy is necessary,” including segmenting POS networks and upping monitoring and threat detection capabilities, said Mark Cline, vice president at Netsurion. “If nothing else, dwell time of such an attack would be reduced to hours or days. After all, the report is that this attack has persisted for almost a year, just as we have seen in previous massive card breaches.”

via: scmagazine

School uses game-based initiative to find future cyber talent

Skinners’ Academy introduces government-backed Cyber Discovery programme to find cyber security professionals of the future.

Skinners’ Academy in Woodberry Grove, London, has been testing its students with the government-backed Cyber Discovery initiative to find any with a particular aptitude for cyber security.

The scheme uses several game-like stages to assess whether students aged between 14 and 18 might have the talent to become cyber security professionals.

Alex Holmes, deputy director of cyber security at the Department for Digital, Culture, Media and Sport, said that to ensure the UK becomes the “world’s leading digital economy”, it also must be secure.

Holmes said cyber attackers can try to cause harm to the UK as a whole using various methods, such as attempting to sabotage the nation’s energy supply or transport infrastructure, and that the best way to prevent such attacks is to have the appropriate protection in place.

But the UK needs more young people to take an interest in cyber security as a career and “help to defend the country”, he said.

“We don’t have enough skilled professionals in the UK to protect the country right now,” said Holmes. “The game you’re playing [Cyber Discovery] is to help you understand and potentially help you become the cyber security experts of tomorrow.”

Cyber Discovery is part of the government’s Cyber Schools Programme, which was launched in early 2017 with the aim of reaching at least 5,700 highly skilled teenagers by 2021, teaching them a cyber security curriculum through a mixture of online and offline teaching.

The £20m funding available for the programme will go towards extra-curricular clubs and activities, as well as the Cyber Discovery online game.

The game has four stages: cyberstart assess, cyberstart game, cyberstart essentials and cyberstart elite, each of which involves puzzles and challenges that will improve students’ cyber security knowledge and pick out those who might make good cyber security specialists in the future.

James Lyne, head of research and development at SANS Institute, said 23,000 people across the UK took part in the first stage, cyberstart assess, and 12,000 of those showed the talent to progress to the next stage, cyberstart game.

“Everything you’ll do here today will help secure the technology that will become important in the future,” he told Skinners’ Academy students.

The game gives students access to both knowledge and tools similar to those used in the industry, and students face problems based on real-world examples, such as court cases, software flaws or activity by criminal gangs.

Since more headline stories about cyber attacks and cyber crime have hit the media in recent years, there is now more awareness of cyber security among the general public, said Lyne, but this can have both a positive and negative impact.

In some cases, people feel disengaged because they think there is nothing they can do to prevent attacks, but others have become more aware of potential cyber careers, he said.

“I have had more conversations with kids recently where they have context of why cyber is important,” said Lyne.

Many young people, especially girls, make decisions about whether or not to study science, technology, engineering and maths (Stem) subjects at a very early age, which means that if they are not introduced to these concepts early on, they are less likely to pursue them in the future.

Although new security problems arise every day, Lyne said that if people are introduced to the basic concepts of cyber security from an early age, it will be easier to encourage them into careers in cyber and get them up to speed later.

But some teachers say they don’t have the skills to teach Stem subjects, and those who do may lack the breadth of knowledge about Stem careers that people working in industry have.

Nazleen Rao, head of the IT department at Skinners’ Academy, said the Cyber Discovery initiative helped to give depth to material on cyber security as part of the curriculum.

“I couldn’t teach the students what they’ve been learning during this programme – this just makes what I’ve been teaching that much more exciting for them,” she said.

“When I have been teaching cyber security to our students, it’s usually one part of the course you teach and it can seem like a small part.”

Skills in demand

Demand is increasing for professionals with cyber security skills, but there are too few workers in the UK with the skills needed to fill current roles.

Rao said cyber security can be “very challenging” to teach, but it is important not just to fill the cyber skills gap, but also to ensure young people who will grow up to be technology users are aware of the risks.

“Some of the students actually said they didn’t realize there was a need for cyber experts out there,” she said. “Even if they’re not interested in being cyber professionals, it’s just raising awareness among them.”

Like many male-dominated sectors, there is a lack of women in the cyber security space, and it has been suggested that recruiting more women into the sector could be the key to closing the skills gap.

But Rao said very few girls choose to take computer science, and getting them interested in such subjects is a “constant struggle”.

“They have got so much to give and they have so many amazing ideas,” she added.

The girls who chose both computer science as one of their year nine GCSE options and the Cyber Discovery challenge were “nervous” at first, said Rao, but having a female teacher helps to build their confidence.

She also said that for those who do not want to study computer science, Skinners’ Academy offers digital media and creative iMedia as subjects, which are slightly less technology-focused.

“If they don’t want to go into the computer science field, they can go into creative iMedia, which allows them to be more free with their creative skills,” said Rao.

As automation begins to make some jobs redundant, creative skills in the technology industry have been emphasized as a future necessity.

via: computerweekly