Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.

The Sony breach and why every company should be worried

To me, the Sony breach is noteworthy not just because of its magnitude, but because it doesn’t appear to be driven by profit, unlike the other big breaches in recent memory. Instead, it’s a return of vigilante hacktivism, and entertainment companies are particularly vulnerable because, the Washington Post argues, all movies have an element of politics in them.

That’s a problem for U.S. companies in an interconnected world, because much of the world doesn’t value free speech as the United States does. The plot of the movie “Red Dawn” was changed (China, not North Korea, was the original aggressor) to avoid offending the Chinese government, for example. Search Google for “movies that offended foreign governments” sometime. It’s amazing how many you’ll find.

Retracing the Home Depot attackers’ steps

New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.

More Home Depot details emerge

Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.

The breach involves about 56 million cards, making it a bigger breach than Target.

Home Depot: A security pro’s dilemma

I was listening to podcasts about the Home Depot breach, and something occurred to me.

Home Depot isn’t talking much about the breach. And it’s driving security pros nuts.

But the general public takes silence as a sign that everything’s going great. So their silence is winning the PR battle in the court that matters, which is public opinion at large.

I’m pretty sure my card’s been breached again, so here’s what I’m doing

So it’s starting to look like Home Depot got breached. Nobody knows yet how bad it is. I decided to be proactive and call my credit card company because I shop at Home Depot a lot, and they just read me a canned script. OK, they don’t want to know if I think my card was among those breached.

Here’s what I’m doing in the meantime.

Why Chinese hackers would be interested in U.S. healthcare data

About a year ago, a vendor mentioned kind of offhand that Chinese companies are extremely interested in U.S. healthcare data. Then he added, “I don’t understand why Asian people are interested in American health.” Then he questioned the appropriateness of the comment.

Appropriate or not, it’s an example of something that, on the face of it, doesn’t make a lot of sense until you dig deeper.

Another breach, more credit-card advice

So Minnesota-based Supervalu, an operator of grocery stores, had a data breach in the midwest last week. If you’ve shopped at Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save, Shoppers Food and Pharmacy, or former Supervalu chains Albertsons and Jewel-Osco between the dates of June 22 and July 17, and you paid with a credit or debit card, call your credit card company or bank.

If you need a new card, it’s much faster to let them know than for them to try to figure it out on their own. And in the meantime, continue to use the card for everyday purchases to establish a baseline of normal behavior. Don’t run up debt, but you want to establish where you normally shop and how much you normally spend, so if someone buys the card info and tries to use it, the transaction will stick out. And if their small test transaction did happen to go through and they then tried a larger one, it’s a little less likely to go through if you’ve run the balance up a little. These are little things you can do to make things harder for the criminals and easier for the banks, and potentially make it easier for the authorities to find the criminals.

Why don’t they just hire some hackers to stop the other hackers?

After Ebay got hacked, someone asked Rob O’Hara why they don’t just hire hackers to stop the hackers.

That’s a more complicated question than it sounds like. The simple answer is that most companies do, but their hackers don’t find everything. The more complicated question is one of ethics.

Why the Target data breach news keeps getting worse, and what you need to do

As you probably know, last year some still-unknown criminals stole a whole bunch of credit and debit card data from Target. And the story keeps changing. First there weren’t any PINs. Then they got the PINs, but no personally identifiable data. Well, the latest news indicates they got credit card numbers, names, addresses, phone numbers, and e-mail addresses, for a whole lot more people, and probably over a longer period of time than just late November to mid-December.

There are a few things you ought to do if you shop at Target, which many people do.