Sunday, February 21st, 2016 (No comments yet
When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.
Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.
What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:
One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.
Tags: Account Security
, Big Business
, Utter Failure
Tuesday, March 26th, 2019 (No comments yet
Data breaches are about negligence; every time
Details of how to access the information - which included home addresses, place of employment and credit card details - were sold through an underground network operated by the Russian mafia.
And, again, if these companies would stop holding our credit card numbers far past the date that we used them, we wouldn't be having this problem.
Best Western is contradicting the story saying that it's exaggerated
. More importantly this:
Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.
If this is true, then how did they lose anything? Did they? The details are unclear.
Tags: Best Western
, Data Breaches
Sunday, April 28th, 2019 (No comments yet
If you've been following this breach, the key problem here is two part:
1) TJX is the parent company of several other companies including TJ Maxx. Each of those companies shared data with TJX creating a massive database (and a single target for the hackers).
2) TJX (and others) shouldn't have stored the credit card data in the first place and when they did, they should have used better security.
Though they'll blame "clever hackers" for the breach, the fault instead lies squarely with TJX who's business practice of storing credit cards against people's will along with negligent use of outdated wireless encryption (WEP) first created a giant target and then then left a gaping hole for the bad guys to be able to go and get it.
Tags: Big Business
, Data Brokering
, Identity Theft
, TJ Maxx
, Wireless Security
Friday, March 15th, 2019 (No comments yet
How does a sex offender get hired to do contracting work that could put him in close personal contact with potential victims? Aren't they required to report that they're a sex offender?
It wasn't like this guy was a one-time offender either. The article states that he had an "extensive history of violent attacks".
Though Niki was in no way harmed, you gotta be careful who you open your door to, even if they're coming from a brand-name store
Tags: Home Depot
Wednesday, March 6th, 2019 (No comments yet
Schneier writes about a recent attack against home routers that takes advantage of the fact that most people never change the default passwords on their equipment.
One of his commenters said it best:
It has long been standard security practice that when logging in to a new system with a default password, the first required step is to have the user create a new password. If routers did this and refused to function until a customized password was set, none of these problems would occur.
Or more simply put, it's a problem that would never exist and would disappear tomorrow if router manufacturers would bother to make a simple and practically free programming change before shipping them out.
Tags: Bad Design
Sunday, March 3rd, 2019 (No comments yet
Oops. Sorry about all your data gosh golly wilikers!
Consumer Affairs writes:
A laptop containing the personal information of 328,000 current and former employees of Boeing was stolen in Chicago, according to the company. The laptop theft was the third to befall Boeing in the past twelve months. Boeing is contacting the affected employees by mail and has promised to set up free credit monitoring for them through the Experian credit bureau.
, Identity Theft
, Lost Laptops
, Security Theater