Information Security News
On Saturday, security journalist Brian Krebs reported on what looks to be yet another security breach at a big-name national retailer. This time, the craft store Michaels is in the crosshairs. It seems that fraudulent purchases were made on at least “hundreds” of customer cards after those cards were used at Michaels-owned locations.
While Michaels has not yet confirmed a data breach, it published a press release (PDF) on Saturday saying “The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.” The US Secret Service has confirmed that it is investigating the matter.
The news of a potential hack follows similar reports starting late November that Target suffered a data breach that exposed the credit card numbers of over 40 million customers and the personal information of over 70 million customers. Earlier this month, luxury retailer Neiman Marcus also admitted that malware on its systems had exposed 1.1 million payment cards to hackers.
The report highlights the fact that now "[...] the cybercrime network has become so mature, far-reaching, well-funded, and highly effective as a business operation that very little in the cybersecurity world can—or should—be trusted without verification."
I don't think this is really a huge surprise. However, the report identifies three attack methods that are of concern: 99% of all mobile malware in 2013 targeted Android devices, 91% of web exploits targeted Java, and lastly, 64% of malware are Trojans. Taking this into account, if you own an Android device, you need to be vigilant about the content you view or access. That doesn't exclude other mobile devices from being a target.
The attack surface is no longer limited to just PCs and servers but extends to any mobile device. They have been growing in numbers at a rapid pace and need to be part of all enterprise security models. This change in the security landscape means securing a network is even more difficult now because the front door isn't just the Internet gateway your network is connected to. It now includes all the mobile devices accessing your network either via a wireless AP or directly attached via a USB cable or Bluetooth to a PC or laptop. If you want to take a look at the survey, it can be downloaded here (need to register). Now I encourage you to take part in our survey about What is going to trouble you the most in 2014?
Guy Bruneau, IPSS Inc., gbruneau at isc dot sans dot edu. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
While the rest of us were fretting about the Gmail outage on Friday, lawyers and those involved in the United States judicial system were concerned that uscourts.gov and other federal courts’ sites had been hit by a distributed denial-of-service (DDOS) attack.
Also suffering an outage was pacer.gov, the “Public Access to Court Electronic Records” (PACER), a common way for lawyers and journalists to access court documents online. (That site, which normally charges $0.10 per page for documents, also has a free online mirror, known as RECAP.)
Initially, a spokesperson for the Administrative Office of the US Courts told Politico on Friday that it was indeed a denial-of-service attack. A group calling itself the “European Cyber Army” initially also claimed responsibility on Twitter.
On Friday, Microsoft admitted that “a select number” of employees fell victim to successfully executed, highly targeted spear phishing attacks via social media and e-mail accounts. The company says the attackers went after “documents associated with law enforcement.”
“While our investigation continues, we have learned that there was unauthorized access to certain employee e-mail accounts, and information contained in those accounts could be disclosed,” Adrienne Hall, general manager of the Trustworthy Computing Group at Microsoft, wrote on Friday.
“It appears that documents associated with law enforcement inquiries were stolen. If we find that customer information related to those requests has been compromised, we will take appropriate action. Out of regard for the privacy of our employees and customers—as well as the sensitivity of law enforcement inquiries—we will not comment on the validity of any stolen e-mails or documents.”