From the WP series on Zero Day:
In recent years, there has been one stunning revelation after the next about how such unknown vulnerabilities were used to break into systems that were assumed to be secure.
One came in 2009, targeting Google, Northrop Grumman, Dow Chemical and hundreds of other firms. Hackers from China took advantage of a flaw in Microsoft’s Internet Explorer browser and used it to penetrate the targeted computer systems. Over several months, the hackers siphoned off oceans of data, including the source code that runs Google’s systems.
Another attack last year took aim at cybersecurity giant RSA, which protects most of the Fortune 500 companies. That vulnerability involved Microsoft Excel, a spreadsheet program. The outcome was the same: A zero-day exploit enabled hackers to secretly infiltrate RSA’s computers and crack the security it sold. The firm had to pay $66 million in the following months to remediate client problems.
Makes one wonder how organizations are to develop their websites and applications and keep them secure.
This article from the Winnipeg Free Press discusses how everyone may play an unwitting role in cyber spy attempts to do damage.
Consumers are also vulnerable, said Parry Aftab, chairwoman of anti-virus software maker McAfee’s consumer advisory board.
Software on their computers may allow others to steal information, she said.
“Many of us who may casually download pictures or songs or videos or screen savers . . . may be downloading malicious coding that’s designed to sit dormant on our computers until whoever it is arming them activates them,” Aftab said.
The US government spent much effort in WWII educating citizens to be aware of spying activities and to mind the information within their possession — perhaps a cyber-oriented campaign is needed here.
Lots of tangents from the story on new FTC study on industry policing and advertising their privacy policies:
- FTC has two votes for regulation or legislation (doubts cast upon self-regulation as a tool – public failure)
- Study thinks companies make the information regarding their privacy policies too difficult for the average person to find/comprehend (market failure = information asymmetry)
Points of interest here:
- Center for Digital Democracy
- Future of Privacy Forum
Interesting difference in headlines:
Note to self: Start an inventory of policy tools in each category of cyber policy
From DHS today:
Cyber Security. Given the increasingly sophisticated number of threats to all areas of national cyberspace and considering the authorities provided by the Homeland Security Act, the Post-Katrina Emergency Management Reform Act, and Homeland Security Presidential Directive 23/National Security Presidential Directive 54, what are the authorities and responsibilities of DHS for the protection of the government and private sector domains, what are the relationships with other government agencies, especially the departments of Defense, Treasury, and Energy, and the National Security Agency, and what are the programs and timeframes to achieve the department’s responsibilities and objectives? An oral report is due by Feb. 3, with a final report due Feb. 17.
An update to the Heartland breach:
The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable. All this is happening after credit card companies and merchants spent over $2 billion on establishing the Payment Card Industry standards, Ms. Litan said. “And yet the breaches continue and they get more serious.”
Standards are promoted by both industry and DHS as the means to manage the issue. So, what do you do when standards are not enough?
More from the Post on how long it took to discover how the breach was made:
Robert H.B. Baldwin Jr., president and chief financial officer of Heartland Payment Systems, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports from MasterCard and Visa in October.
Heartland called the U.S. Secret Service, which investigates financial crimes, and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software on the company’s processing network was recording payment card data as it was being sent to Heartland by thousands of the company’s retail clients.
Baldwin said Heartland does not know how the software got there, how long it was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
According to the WSJ:
More than 40 states have laws that require businesses to disclose when sensitive information may have been accessed by an unauthorized party. In 2008, 656 such incidents were reported, according to the nonprofit Identity Theft Resource Center, up from 446 in 2007.
This post by the Post needs unpacking…
A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, the company said today.
The Heartland disclosure follows a year of similar breach disclosures at several major U.S. card processors. On December 23, RBS Worldpay, a subsidiary of Citizens Financial Group Inc., said a breach of its payment systems may have affected more than 1.5 million people.
In March 2008, Hannaford Brothers Co. disclosed that a breach of its payment systems — also aided by malicious software — compromised at least 4.2 million credit and debit card accounts.
In early 2007, TJX Companies Inc., the parent of retailers Marshalls and TJ Maxx said a number of breaches over a three-year period exposed more than 45 million credit and debit card numbers.
In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts.