Other News

Update: Retail Breaches Spread. Point of Sale Malware A Suspect.

January 13, 2014 11:39Comments Off
Update: Retail Breaches Spread. Point of Sale Malware A Suspect.

Reuters is reporting on Monday that the recently disclosed hack of box store retailer Target Inc. was just one of a series of attacks against U.S. retailers, including Target, the luxury department store Neiman Marcus and other, as-yet-unnamed companies.* The story adds to other, recent revelations, including the breach at Neiman Marcus, which was first disclosed by the security blog Krebsonsecurity.com on Friday. Also on Monday, Target CEO Gregg Steinhafel confirmed that his company was the victim of malicious software installed on point of sale (PoS) systems at the store. According to the Reuters report, Target Corp and Neiman Marcus are just two retailers whose networks were breached over the holiday shopping season. The story cites unnamed sources “familiar with attacks,” which have yet to be publicly disclosed. Breaches of “at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target,” according […]

Read more ›

Week In Security: More Target Woes and CES

January 12, 2014 10:53Comments Off
Week In Security: More Target Woes and CES

It was another eventful week in security, with another big revelation in the story of a hack of box retailer Target Inc. That update – which accompanied Target’s fourth quarter earnings guidance – nearly doubled the number of known victims of that attack. It also revealed that credit card data was not the only information stolen by hackers, who also made off with customer names, mailing addresses and emails. In this latest installment of Security Ledger’s Security Week in Review, we spoke with Jody Brazil, the President of the security firm FireMon about the week’s events. Jody is a seasoned security professional who works day-in-day-out with companies that are trying to manage their risk. He said that even large companies like Target can fall victim to sophisticated attacks, but the IT security may be too quick to give up on traditional defensive technologies. Jody and I had an interesting chat about […]

Read more ›

Target: Hack Exposed Data On 70 Million

January 10, 2014 12:38Comments Off
Target: Hack Exposed Data On 70 Million

Target provided some guidance on its fourth quarter earnings on Friday and, not incidentally, dropped another bombshell in the long-running story about the November data breach that exposed credit card information on some 40 million customers. It turns out that the credit card numbers were just the tip of a much larger iceberg. The box store retailer now claims that its investigation of that incident revealed that data on around 70 million customers was exposed, including e-mail addresses, phone numbers, mailing addresses and more. In a statement, Target said that much of the stolen data was “partial in nature,” but that it will reach out to customers whose e-mail addresses were stolen to warn them about potential fraud, including “phishing” e-mails that purport to come from Target. “I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are […]

Read more ›

Wolfram Floats Common Language For Internet Of Things

09:16Comments Off
Wolfram Floats Common Language For Internet Of Things

Amid all the “connected device” hoopla coming out of the Consumer Electronics Show (CES) this week, one of the most interesting announcements came from an unexpected corner: Wolfram Research, a maker of high-end software that is used in scientific research. On Monday, the company’s CEO, Stephen Wolfram, announced The Wolfram Connected Devices Project – an initiative that will comprise both a common catalog of connected devices and a common language to connect them. “Connected devices are central to our long-term strategy of injecting sophisticated computation and knowledge into everything,” Wolfram said. “With the Wolfram Language we now have a way to describe and compute about things in the world. Connected devices are what we need to measure and interface with those things.” Wolfram’s short-term goal is to begin cataloging IoT devices and making those devices ‘searchable’ via its Wolfram Alpha web portal – what the company describes as a ‘computational […]

Read more ›

Siemens Patches Holes In Industrial Control Switch

January 9, 2014 12:03Comments Off
Siemens has issued fixes for two serious vulnerabilities in its SCALANCE 200 series ICS switches.

A security researcher discovered two, serious security holes in a switch by Siemens that could allow an attacker to hijack industrial control system hardware that is heavily used by energy and transportation firms, among others. IOActive, a security consulting firm in Seattle, Washington, said on Thursday that Eireann Leverett, a senior security consultant, discovered two vulnerabilities in Siemens’ SCALANCE X-200 Switches. The vulnerabilities were in a web server component that provided administrators with access to features needed to configure the switches. If exploited, they would have allowed an attacker who had access to the same network as the SCALANCE switch to perform administrative actions on the devices, including updating the switch firmware and hijack active web sessions – all without needing to first log in to the device. SCALANCE is a family of Ethernet switches that connect to industrial control system (ICS) devices including programmable logic controllers (PLCs) and Human […]

Read more ›

Cars Become Gadget-ized, Govt. Warns On Privacy Risk

January 8, 2014 14:00Comments Off
Cars Become Gadget-ized, Govt. Warns On Privacy Risk

Your car is a lot more than just a car these days. Forget about the in-car entertainment system with the USB port and the iPhone jack. If you drive a late-model vehicle, it has been tricked out with hundreds of wireless sensors to monitor everything from tire pressure to braking and acceleration. These sensors communicate over a VAN – or Vehicle Area Network – that’s not all that different from the LAN that connects the computers, servers, printers and other peripheral devices in your office. Beyond that, automakers are taking their cue from mobile device makers- and for good reason. Apple booked $10 billion in sales through its AppStore in 2013 alone. That’s not too shabby, when you consider that much of that revenue came in $.99 increments! But, as Jessica Naziri (@jessicanaziri) noted in yesterday’s Los Angeles Times, cars are the new gadgets. After all, the Detroit Auto Show is still […]

Read more ›

IoT Hackers Await Their Killer App

January 7, 2014 10:57Comments Off
IoT Hackers Await Their Killer App

The next year will see the continued blurring of lines between the worlds of IT security and what we’ve come to think of as the ‘rest of our lives.’ But those who expect to see a large shift in malicious activity to the Internet of Things in 2014 will be disappointed.   That, according to a report from the security firm Trend Micro, which argues that Internet of Things malware and attacks are still a ways off – as cyber criminals await a “killer app” that will boost adoption and provide a common platform to attack. The prediction is part of “Blurring Boundaries,” a 2014 outlook report from Trend that argues IoT threats are mostly future-tech. “While we certainly think that attacks on IoT devices and the underlying architecture will be a major area of attack in the future, that future will not be until 2015 and beyond” writes Robert McArdle, […]

Read more ›

CES: The Security Questions Nobody Wants You To Ask

January 6, 2014 17:20Comments Off
Smart TVs - some of them obscenely large -will be a big draw at CES 2014. But does 'smart' mean 'secure'?

A note that CES – the Consumer Electronics Show – is once again upon us. Prepare yourself for three or four days of tipsy reporting from the mainstream media about all the gee whiz gadgets that will soon be yours…or not. Let’s face it: a lot of what’s shown at CES is proof of concept stuff and some of it is just too downright silly to ever catch on. Remember HAPIFork? The “smart” fork that would warn you when you were shoveling grub into your maw too quickly? Right. Product security and data privacy are almost always lost in the excitement over the new gadgets and the TUSs. (Televisions of Unusual Size? I don’t think they exist!) That’s why, over on the Veracode blog, I put together a quick list of impertinent questions that every security-minded CES attendee should have at their fingertips. The questions cover a wide range of […]

Read more ›

Welcoming A New Sponsor: Duo Security

11:29Comments Off
Welcoming A New Sponsor: Duo Security

Those of you who pay close attention to The Security Ledger may have noticed some new artwork gracing our home page in recent days. It is with great pleasure that I note the addition of our newest sponsor: Duo Security Inc., a maker of two-factor authentication technology. I followed Duo from its earliest days, but my interactions with the company picked up after last year’s RSA Conference in San Francisco, when I had the chance to get briefed by CEO Dug Song about the company’s technology and how Duo was leveraging consumer-driven trends like BYOD (bring your own device) to solve vexing enterprise identity and authentication problems. Duo, which is based in Ann Arbor, Michigan, sells a hosted two-factor authentication service that leverages the cloud and mobile devices to provide a secure login experience using something you know (a password) and something you hold (a mobile phone). The Duo platform […]

Read more ›

Famed Hacker Barnaby Jack Died Of Accidental Overdose

January 3, 2014 22:26Comments Off
Jack was known for finding security holes in everyday objects. His 'jackpotting' demonstration caused ATM machines to spit out a cascade of money. (Photo courtesy of pauldotcom.com.)

Barnaby Jack, the world-renowned hacker who was found dead in his San Francisco apartment in July died of an accidental overdose of cocaine, heroin and prescription drugs, according to a report released by the San Francisco Medical Examiner’s office.  The news was first reported by the website theverge.com. Jack, a 36-year-old New Zealand resident was found unresponsive in bed, surrounded by bottles of pills, empty bottles of beer and champagne and evidence of “illicit drug use,” the Medical Examiner’s report states. Jack had traces of cocaine, heroin, Xanax, and Benadryl in his system at the time of death. Jack was one of the most gifted security researchers of his generation. The head of embedded device security at the firm IOActive, Jack electrified audiences with his demonstrations of vulnerabilities in devices such as ATMs and implantable insulin pumps. In a now-famous “Jackpotting” demonstration, he demonstrated a remotely exploitable hole affecting bank automated teller machines […]

Read more ›

Security Ledger Uses: