Michaels Stores, Inc. says that their point-of-sale (POS) PIN pads at 90 stores in 20 states were tampered with. The craft store chain is replacing PIN pads at most of its 964 U.S. Stores. According to BankInfoSecurity.com, the breach is much bigger than the company initially thought. [See Michaels: Patterns Showed Fraud.]
Michael Stores initially reported that a scheme, in which point-of-sale pads customers use to key in their personal identification numbers, was isolated to Chicago, but on Tuesday [May 10, 2011] the arts and crafts supplies retailer issued a statement that said nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.
Michaels’ statement includes a list of the stores they determined were actually affected, but decided to be extra cautious and said this about the incident:
Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total
devices) in its 964 US stores that showed signs of tampering. Suspicious PIN pads were
disabled and quarantined immediately. Out of an abundance of caution, Michaels has
removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads
from its US stores.
The company has commenced replacing these PIN pads in all US stores and expects the
replacement to be completed within the next 15 days. Until the new upgraded PIN pads are
installed, customers may have their credit and signature debit transactions processed on the
store register. As an additional precaution, Michaels is screening all PIN pads in Canadian
It is highly likely that this is a very carefully targeted organized crime effort, given the scope and level of effort needed to accomplish the physical tampering of the POS devices.
Just received this email from LastPass which gives further information about the security incident.
Dear LastPass User,
On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
Please visit https://lastpass.com/status for more information.
The LastPass Team
As I said before, I am very impressed by their response to this incident. Here is their latest update on the blog:
Update 9, ~11am 05/09 EST:
Many users are changing their password and then determining they can’t remember it, a number have also run into issues with password changes and want to go back, you can now do this yourself without contacting us: https://lastpass.com/revertIt allows you to either roll back your last password change or revert your account to the 4th. You must prove access to your email again to use it.
The LastPass network anomaly incident (it’s still not known whether an actual data breach occurred) once again underscores the importance of using strong, unguessable passwords. Using dictionary words or short, simple, easy-to-crack passwords for a master password that protects all of your other passwords is just not smart. I have spent years educating my clients and their employees on the use of strong passwords and giving them simple solutions for coming up with them. This short video from Sophos Naked Security is a good resource.
[kml_flashembed movie="http://www.youtube.com/v/VYzguTdOmmU" width="425" height="350" wmode="transparent" /]
Earlier this week, I noticed errors from LastPass when I fired up my browser and was unable to log in manually with my normal master password. I didn’t pay much attention to this at first since the email address I used to log in was one I shut down recently. I figured that was the reason and made a mental note to go change it later. But, when I tried to log in to LastPass to change my account settings (using a one-time password that I had previously created), I got a notice saying that the LastPass servers were overloaded and that I should try again later. That’s when I began to take a deeper look and discovered what others already knew: LastPass had noticed an “anomaly” in their network traffic and as a precaution had begun to force users to change their master passwords.
According to LastPass’s blog, May 4th, 2011, here’s what happened:
LastPass Security Notification
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.
LastPass posted ongoing updates to the situation as it developed. The second update explained why I couldn’t get in properly.
Update 2, 2:15pm EST:
Record traffic, plus a rush of people to make password changes is more than we can currently handle.
We’re switching tactics — if you’ve made the password change already we’ll handle you normally.If you haven’t the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day, only syncing of new password should suffer (and you’ll see the bar).
As it stands right now, I was able to log in with my original master password (which is very strong) and make account change settings, so everything seems to be back to normal. As of 9 am 5/7/2011, this the posted status on the blog:
Update 8, ~9am 05/07 EST:We enabled password change to greater percentages overnight and now to all users. Again please note that there is no need to panic, all accounts were put into a locked down mode of only allowing previous login locations or verify via email, until password change.We’re asking any users that have current issues with a password change to contact us — we will restore you from backups. Many have been people forgetting what password they changed to so make sure you practice that new password a number of times after you change it.We appreciate your patience, we’ll continue to update with any changes.
So, back to normal it seems. And even though LastPass’s response over a mere “oddity” caused some major inconvenience for many of its users, I am even more confident in their security than I was before. Think about it. They saw something odd in their network traffic that they couldn’t explain. They saw a risk that sensitive information was getting into the wrong hands and they immediately took action, keeping users updated with detailed information about what they were doing and why and told users what to do about it.
Kudos to LastPass for being a good example of how to do security the right way.
As always happens around big disasters and news events, the miscreants are using the event to attempt to infect PCs with malware and are sending phishing emails. Apparently Facebook is being targeted with video. Got this note from a friend on Skype:
“PLEASE READ AND REPOST!
WARNING: there is a video circulating around Facebook of a BBC video of the killing of Osama Bin Laden, supposedly made by US troops. It is a Virus!!!!! Spread the news because it’s circulating fast!!”
Here’s a video showing one of the virus attempts:
[kml_flashembed movie="http://www.youtube.com/v/D5CRARPMaeU" width="640" height="390" wmode="transparent" /]
Be aware that NO photos or videos have been released officially. The only official video is the one of President Obama announcing Bin Laden’s death.
I haven’t seen any phishing spam related to the event yet, but you can bet it will be on its way before you know it.
If you pay attention to mainstream media, you can easily get the wrong idea about online attacks. The press usually only covers the sensational data breaches like the recent Epsilon and Sony fiascoes. Truth is, there are far more people at risk than the press leads you to believe.
Consider the case of Rogelio Hackett, Jr., a 26-year-old hacker from Georgia who recently pleaded guilty to the theft of more than 675,000 credit cards. More than $36 million in damages resulted from his crime. Hackett targeted smaller organizations that had not coded their websites properly, leaving them open to SQL injection attacks. “He exploited SQL vulnerabilities,” say Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP. “And despite the fact that SQL injections are well documented, we’re still seeing companies that are getting hit and compromised by that kind of attack.”
This article on the Bank Information Security (BIS) blog gives further details:
According to court records, Hackett began his hacking career in the late 1990s by searching for and exploiting SQL vulnerabilities. More than a decade later, the same method of attack continued to reap rewards. “These SQL injections are allowing someone in through the side fence, not the front door,” Sabett says. Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says SQL injections, oftentimes, go right through firewalls. “That’s why we need to look at application-level security,” Corman says. “Firewalls need to be augmented, with things like web-application firewalls.”
If you are a small business with an e-commerce site that stores transaction information in a SQL database, I would suggest you perform an immediate security audit to reveal any potential vulnerabilities in your system. You just don’t know where an attack may come from. It’s not like it used to be, with high-profile hackers and Eastern European crime syndicates leading they way. These days, it’s more like “disorganized crime.” Smaller, less spectacular crimes are able to stay under the law enforcement and card companies’ radars for longer periods.
Avivah Litan, distinguished analyst at Gartner Research, points out, Hackett’s case highlights how widespread and diverse hacking has become. “For every Rogelio Hackett Jr. that gets arrested, there are likely at least another dozen or more ‘Hacketts’ or ‘hackers’ that are not,” Litan says. (Source: BIS blog)
Yikes! Indeed, it has happened again but this time the leak was completely preventable. A season ticket sales representative for the New York Yankees inadvertently emailed a spreadsheet to 2,000 of his contacts. The spreadsheet contained account numbers, names, addresses, phone numbers, email addresses, and other information like their seat numbers and which ticket packages they purchased. .
Part of the notification sent to the victims from the Yankees’ office said this:
NO OTHER INFORMATION WAS INCLUDED IN THE DOCUMENT THAT WAS ACCIDENTALLY ATTATCHED (sic) TO THE APRIL 25TH E-MAIL. THE DOCUMENT DID NOT INCLUDE ANY BIRTH DATES, SOCIAL SECURITY NUMBERS, CREDIT CARD DATA, BANKING DATA OR ANY OTHER PERSONAL OR FINANCIAL INFORMATION.
Apparently, the data contained information only on holders of season tickets for the “non-premium” seats that make up the vast majority of Yankee Stadium; those holding tickets for suites and the first few rows in the infield were not listed. So the high rollers and celebrities aren’t in there. That certainly lessens the value of the data somewhat (no big, juicy targets), but It’s a good bet that the victims are going to spammed and phished to death at some point.
This is yet another piece of evidence in support of my continual assertion that there is absolutely no such thing as private information. Once you have given anything to a third party, you might as well have advertised it on lighted freeway billboard.
Your information is not safe and probably never will be.
WordPress is pretty secure out of the box. Nevertheless, there are always going to be individuals who want to crack into accounts for nefarious purpose or inject hidden spam links. Just as with any other application software, it’s important to make sure that your WordPress installation is as secure as you can possibly make it.
While these tips may seem like the same old over-used advice I give to everyone, they are still relevant. They are even more relevant to many of my marketing friends, business clients and colleagues who base their businesses in whole or in part on their blogs.
I’m not going to recommend a bunch of WordPress add-ons and plugins in this post (I’m still researching), but I am going to give some general advice on how to secure your installation. Here is how to secure WordPress in five easy steps:
- Update regularly – As with any other application, hackers find vulnerabilities and attempt to exploit them. WordPress developers are very conscientious when it comes to fixing security holes and WordPress is regularly upgraded. If you are in your administration panel and see a notice about a new version, upgrade immediately. As of the date of this post, the current version is 3.1.2.
- Use strong passwords – It goes without saying that if you use your pet’s name or some other simple, easy to guess password, you’re inviting hackers to hack you. I recommend no fewer than 8 characters that include both upper and lower case letters, numerals and punctuation. Example (don’t use this!): Th3Qu&(!
- Use Secret Keys – The WordPress config.php file that contains the name, address and password of the MySQL database for your blog allows you to use secret keys. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. You don’t have to remember these. You can generate them at this link: https://api.wordpress.org/secret-key/1.1/salt/.
- Use .htaccess file properly – This can get complex, so I won’t go into details here, but you must be aware of what your .htaccess file contains and make sure it doesn’t allow access to files and directories you don’t want people to see. WordPress won’t do anything insecure to it, but it never hurts to be sure. A good tutorial is The Ultimate Htaccess. Warning: if you are not a techie, skip this and as a friendly Geek!
- Set proper file permissions – This is the first line of attack for a hacker, and the biggest problem is when you have file permissions set so that anyone can list a directory’s contents. Just go to WordPress Codex and do what it says. Again, if you’re not a techie, find a friendly Geek (like me) to help you.
Good luck, and if you need help, just ask!
Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of video game players.
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.
Sony says that hackers were able to access a variety of users’ personal information including:
- Address (city, state, zip code)
- Email address
- Date of birth
- PlayStation Network/Qriocity password and login
- Handle/PSN online ID
Seems it’s time to implement the response I mentioned 2011 April 16 in “Data Breaches — Steps to Take if You Are Notified.” In particular, I would assume that identity theft is about to occur and take the following steps as recommend in the FTC guide: Take Charge: Fighting Back Against Identity Theft. Refer to that guide for complete information, but here’s what you should do if you are one of the affected users:
- Place a fraud alert on your credit reports, and review your credit reports.
- Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
Imagine a way to intentionally fragment files on a hard disk so that it appears to be just a normal disk that has had files written, deleted and rewritten, i.e., nothing to indicate any encryption has taken place. No red flags raised; nothing to indicate there is anything on the disk to hide, yet the data is effectively hidden.
It’s steganography applied to hard drives and the inventors, Hassan Khan at the University of Southern California in Los Angeles and colleagues at the National University of Science and Technology in Islamabad, Pakistan, claim that it hides data so well as to be “unreasonably complex” to detect. They have already managed to encode a 20-megabyte message on a 160-gigabyte portable hard drive.
The technique relies on the way hard drives store file data in numerous small chunks, called clusters. The drive controller stores these clusters all over the disc, wherever there is free space and keeps track of the positions of the clusters using a special database on the disk.
The software that Khan and his colleagues have developed overrides the disk controller chip and positions the clusters according to a code. On the other end, the person needs to know the code in order to read the data. The researchers intend to make their software open source.
But what if a forensic investigator gets hold of a disk that has hidden data on it?
“An investigator can’t tell the cluster fragmentation pattern is intentional- it looks like what you’d get after addition and deletion of files over time,” says Khan.
Tests show that the technique works fine as long as none of the files on the hard disk are modified before the disk is passed onto the recipient. SANS NewsBites editor, John Pescatore, is skeptical.
“Everyone of these schemes always has a “code” involved, and tends to smell very much like encryption – just done in a non-standard way. There are a lot of examples of home-grown approaches being about as secure as paper mache,” Pescatore said.
Doesn’t seem to me like the researchers are at the level of “home-grown,” but judge for yourself. You can read the entire research paper at Computers and Security, DOI: 10.1016/j.cose.2010.10.005.