Return to Bonne Terre Mine

Over the Independence Day weekend, I took my family to the Bonne Terre Mine, about 50 miles south of St. Louis on Highway 67. It was once one of the world’s largest active lead mines, and the area around Bonne Terre is still known as the Lead Belt. Mining is still the major industry in southeast Missouri, and the area is dotted with big piles of mining waste, which the locals refer to as “chat.”

Mining in the area started way back in 1720 by French settlers; Bonne Terre Mine opened in 1860. It closed in 1962.

Read more

Retracing the Home Depot attackers’ steps

New details emerged on the Home Depot attack that left 56 million consumers with compromised credit cards. The interesting thing in the new details is that it could have been much worse, but maybe not for reasons immediately obvious.

Read more

Why Chinese hackers would be interested in U.S. healthcare data

About a year ago, a vendor mentioned kind of offhand that Chinese companies are extremely interested in U.S. healthcare data. Then he added, “I don’t understand why Asian people are interested in American health.” Then he questioned the appropriateness of the comment.

Appropriate or not, it’s an example of something that, on the face of it, doesn’t make a lot of sense until you dig deeper. Read more

And in a story that should surprise no one, Target’s attack was unsophisticated

I found a story today stating that the attackers who stole millions of credit cards from Target didn’t have to try very hard to hide. I wish I could say I was surprised.

My boss says it this way: Amateurs hit as hard as they can. Professionals hit as hard as they have to.

Why? Because if they only hit as hard as they have to, they can save the hard hit for another day. And it really boils down to simple economics. If I can buy off-the-shelf malware for $1,000 and use it to steal millions of dollars, then use the same malware again somewhere else and steal another few million, why not do that? The alternative is to buy a sophisticated attack that costs five or six figures. Then what happens? I use it, get my money, and then the victim can’t figure it out, so the victim calls in Mandiant. Mandiant discovers the zero-day attack, then tells the world about it. Mandiant looks good because they discovered something nobody else has ever seen before. The victim looks a lot better too, because they got mowed down by something that was unstoppable. But then the vendor moves heaven and earth to release an emergency out-of-band patch as quickly as possible, closing down a very brief window of opportunity to use it.

Cyber criminals may be crooked and unethical, but they aren’t stupid. And that’s why this is an uphill battle: A cheap attack can go up against defenses that cost an order of magnitude more, and still win. Read more

More details on the Target hack come to light

Yesterday I read, via Ars Technica, that the malware resided on cash registers (which I’d heard elsewhere before), and that the first step to getting there was via a compromised web server.

And that led to a question in the comments, that sounds like it came from an IT professional:

don’t they have their network segregated into zones!!!? It shouldn’t be possible for a web server to touch a POS system in a store….

The commenter is right, it shouldn’t be. But it doesn’t need to be, either. Read more

What I’m doing to protect myself after the Target data breach

As you’ve probably heard, Target had a bad month. Between 27 November and 15 December, about 40 million credit card numbers were stolen, making it one of the biggest breaches of its kind in history. As far as we know, the card numbers and security codes were stolen, but debit-card PINs and addresses were not.

Target says they have contained the breach and are cooperating with credit card companies and authorities. Cringely has some analysis, but it has more for people like me to think about how we do things at work than it does for consumers.

And, well, as luck would have it, I shopped a lot at Target between the days in question. And I used both my credit and debit card during that time. Here’s what I’m doing, some of which may be counter-intuitive.

Read more

Hints for surviving if the shutdown put you out of work

I’ve seen plenty of news stories on how the government shutdown is affecting 800,000 or so government employees. What the news stories fail to mention is that a large number of contractors are out of work too, until this passes. I can only guess at that number, but there’s no doubt it numbers in the millions, and little doubt it’s in the tens of millions.

As a former government contractor myself, I dealt with losing my job unexpectedly earlier this year, so some tips on dealing with an unexpected loss of a paycheck, even if it’s temporary, are fresh in my mind. There are five things you have to do.

I’m not here to gloat about anything. I’m here to try to help. Some of these things won’t be pleasant, but they’ll reduce pain in the long run if this lasts longer than a week. Keep in mind that everything I’m advocating is something I’ve done myself.

Read more

What you should know about your first credit card

Lifehacker asked what a first-time credit card owner needs to know. As someone who first got a credit card at the age of 20 and is still reaping the benefits of using one correctly from the start, I have some advice to give on that.

Read more

The lines between white hat/gray hat/black hat hacking and moral laws

Longtime reader/commenter Joseph asked two questions yesterday: What’s the boundary between gray and black-hat hacking, and is it moral to pick and choose between moral and immoral laws?

The first question is easier than the second. So I’ll tackle that one first. Read more

There goes the neighborhood

“Dave, you need to look at this.”

Those aren’t my favorite words to hear first thing Monday morning. I went outside to see, and there, I found a lot of debris scattered on the ground. At first, it looked like some animal had torn open a garbage bag. But then I got closer and saw it wasn’t garbage and trash. I saw coupons, credit cards, some change, and other personal effects.

Around that time, one of our next-door neighbors came out to let her dogs do their morning ritual. She and my wife waited while I went inside to call the police.

Read more
