Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.

I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.


Retracing the Home Depot attackers’ steps

New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.


More Home Depot details emerge

Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.

The breach involves about 56 million cards, making it a bigger breach than Target.

Home Depot: A security pro’s dilemma

I was listening to podcasts about the Home Depot breach, and something occurred to me.

Home Depot isn’t talking much about the breach. And it’s driving security pros nuts.

But the general public takes silence as a sign that everything’s going great. So their silence is winning the PR battle in the court that matters, which is public opinion at large.

I’m pretty sure my card’s been breached again, so here’s what I’m doing

So it’s starting to look like Home Depot got breached. Nobody knows yet how bad it is. I decided to be proactive and call my credit card company because I shop at Home Depot a lot, and they just read me a canned script. OK, they don’t want to know if I think my card was among those breached.

Here’s what I’m doing in the meantime.

Why Chinese hackers would be interested in U.S. healthcare data

About a year ago, a vendor mentioned kind of offhand that Chinese companies are extremely interested in U.S. healthcare data. Then he added, “I don’t understand why Asian people are interested in American health.” Then he questioned the appropriateness of the comment.

Appropriate or not, it’s an example of something that, on the face of it, doesn’t make a lot of sense until you dig deeper.

Another breach, more credit-card advice

So Minnesota-based Supervalu, an operator of grocery stores, had a data breach in the Midwest last week. If you’ve shopped at Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save, Shoppers Food and Pharmacy, or former Supervalu chains Albertsons and Jewel-Osco between the dates of June 22 and July 17, and you paid with a credit or debit card, call your credit card company or bank.

If you need a new card, it’s much faster to let them know than for them to try to figure it out. And in the meantime, continue to use the card for everyday purchases to establish normal behavior. Don’t run up debt, but you want to establish where you are, so if someone buys the card info and tries to use it, it will stick out. And if their small transaction did happen to go through and they tried a larger one, it’s a little less likely to go through if you’ve run the balance up a little. These are little things you can do to make things harder for the criminals and easier for the banks, and potentially make it easier for the authorities to find the criminals.

Why don’t they just hire some hackers to stop the other hackers?

After eBay got hacked, someone asked Rob O’Hara why they don’t just hire hackers to stop the hackers.

That’s a more complicated question than it sounds like. The simple answer is that most companies do, but their hackers don’t find everything. The more complicated question is one of ethics.

Why the Target data breach news keeps getting worse, and what you need to do

As you probably know, last year some still-unknown criminals stole a whole bunch of credit and debit card data from Target. And the story keeps changing. First there weren’t any PINs. Then they got the PINs, but no personally identifiable data. Well, the latest news indicates they got credit card numbers, names, addresses, phone numbers, e-mail addresses, and for a whole lot more people, and probably from a longer length of time than just late November to mid-December.

There are a few things you ought to do if you shop at Target, which many people do.

Cutting through the fluff around the Target PIN breach

OK, so Target is back in the news, and it’s nowhere near as bad this time, but there’s some posturing and some fluff in the news, so I’ll take it upon myself to demystify some of it. Some of it’s PR fluff, and some of it’s highly technical, so I’ll cut through it.

I’m just glad, I guess, to be talking about this stuff outside of a job interview. Like I said, this time the news isn’t nearly as bad as it could be.