
About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

Putting a Price Tag on Trust: The Home Depot Data Breach


In a year of huge data breaches, The Home Depot security breach is proving to be the biggest yet. Upwards of 60 million users in both Canada and the United States could be affected. Yet, Home Depot took too long to officially confirm the news once the story broke, and when they did, the damage was already done. Now, they are facing a lawsuit which will become precedent-setting because how do you put a price tag on trust?

Welcome to the pitfalls of retail responsibility in the age of data insecurity. No matter how businesses may try to spin them, data breaches mean trouble somewhere down the line, and given the money to be made they aren’t going away. Cybercrime is booming beyond anyone’s expectations. Hackers halfway around the globe are constantly upping the game in their quest for information to sell on the black market. That information happens to be a digital summation of our lives: where we live, what we’re worth, who we are. Those little plastic cards that run our lives can also ruin them in one stroke.

The technical details of how cybercriminals lift card numbers, usercodes, and passwords have been well documented over the past year. In fact, the US Department of Homeland Security issued a security advisory in late August warning businesses of the threat of Point of Sale or POS malware, in particular one called “Backoff” that stole information from credit cards (http://t.co/WiOpgp6c6M). It all comes down to a little piece of equipment we use every day. POS card readers are where we shop, eat, buy gas, withdraw money. And the scary truth is how easily they are tampered with. Crime rings buy or extort their way into fixing the actual hardware to mine data. Cybercriminals have figured out a less obvious route using remote access to command and control the devices so they transmit the data without detection. It’s enough to make anyone paranoid.


Instead of being scared into action, however, businesses seem to have pulled the ostrich hiding its head routine, hoping it would all go away. But it hasn’t gone away, and the lag time has only afforded the hackers more time to perfect their skills while we struggle to catch up. A full week passed before The Home Depot officially confirmed the real extent of the breach. The scope of those potentially caught in the net of hackers is still being determined, with 60 million users a conservative estimate.

So just how do you tell 60 million users that their credit card data and other valuable personal information has just been released to the global criminal black market? There is no good way to spin that much bad news, not following recent announcements that Target, UPS, Supervalu grocery stores, several major US banks, and Dairy Queen had also been breached. Brian Krebs had revealed the hack attack on Target. On September 2, he broke the news on his website, KrebsOnSecurity, that “a massive batch of stolen credit and debit card information went on sale.” At the outset of the data breach, Home Depot shares dropped. Per an article in The Globe and Mail (trib.al/e8RZclg), shares in trading fell 3.4%. Now, they face a class-action lawsuit.

The reported costs of a data breach vary, but according to Alcott HR Group, it starts at $5 million for one incident, and another source claims that has now doubled. But the real loss is in what we cannot truly measure, and that is the very heart of retail business. How do you put a price tag on trust, consumer confidence and lost customers? Taking responsibility for your POS devices means taking the necessary actions to safeguard your customers. The rest of retail is about to learn an invaluable lesson at Home Depot’s considerable expense.

Passwords: The Keys to Your Digital Kingdom


Fortress Security is all about keeping you and your data safe. When your home is your castle, you don’t let the drawbridge down for just anyone, but it’s amazing how cavalier we are about securing our digital fortress. Passwords are what keep the barbarians from storming the gates – literally and figuratively. Your online security begins – and ends – with what you choose.

They are your first defense and they can be one of your best defenses when used properly. How so? Typically, the most that we are asked for is something longer than 6 characters, sometimes with a number. If that’s easy for us to come up with, think of how easy that is for a hacker to break. It takes only 10 minutes to hack a typical 6-character password in lowercase, but if we were to extend that password by 3 characters, making it a total of 9 characters in length, and then made it a mix of numbers and letters, alternating the cases of the letters, we just made the job harder by 44530 years. So, the lesson here is: longer is better, numbers and cases are stronger. Easy.

Easy except that the truth is most of us make passwords we can remember. After all, what good is it if we have to write them down someplace or keep forgetting them? So, we fall into the trap of using names we know, dates, addresses, favourite foods or places or even celebs. These are things our friends and families already know about us. Guess what? We’ve put all this same personally identifiable information up on the social media sites we frequent, as we chat about our lives, our jobs, our interests. Hackers know to go straight to these sites first and find their keys into our digital kingdoms. But now you know, too. Yahoo put together a list of passwords, 500 of them actually, that we shouldn’t be using (here is the link: https://www.yahoo.com/tech/here-are-500-passwords-you-probably-shouldnt-be-using-96467697789.html). Yes, password is one, and butterfly is another. Along with every common name I’ve ever heard. Lesson learned: no pain, no gain. Making it inconvenient for ourselves makes it hard for hackers. That 9 character nonsense password will be deterrent enough.
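As an added example (not part of the original post), here is a small Python check that applies the two rules the last two paragraphs describe: refuse anything on a common-password list, and measure how much the brute-force search space grows when a password gets longer and mixes character classes. The guess rate, the blocklist entries beyond the two words the post names ("password" and "butterfly"), the sample passwords and the function names are all constructed assumptions for illustration. The absolute times it prints depend entirely on the assumed rate; the ratio between the 6-character lowercase case and the 9-character mixed case does not.

```python
import string

# Constructed blocklist. The post names "password" and "butterfly" as entries on
# Yahoo's list of 500 passwords to avoid; the remaining entries are constructed
# here for illustration and are not taken from that list.
COMMON_PASSWORDS = {"password", "butterfly", "123456", "qwerty", "letmein"}

# Hypothetical attacker guess rate (guesses per second). This is an assumption
# for the arithmetic below, not a figure from the post.
ASSUMED_GUESSES_PER_SECOND = 500_000

# The four character classes the post's advice is built around.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def classes_used(password: str) -> list:
    """Return the character classes that appear in the password.

    Raises ValueError for characters outside the four classes (spaces,
    non-ASCII) so the keyspace estimate is never silently wrong.
    """
    modelled = "".join(CHARACTER_CLASSES)
    if any(c not in modelled for c in password):
        raise ValueError("password contains characters outside the modelled classes")
    return [cls for cls in CHARACTER_CLASSES if any(c in cls for c in password)]


def keyspace(password: str) -> int:
    """Number of candidates an attacker must try to exhaust every password of
    this length drawn from the same character classes."""
    alphabet = sum(len(cls) for cls in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, to one decimal place."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def evaluate(password: str) -> dict:
    """Apply the post's rules: not on the common list, at least 9 characters,
    more than one character class. Returns the verdict and the reasons."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if len(password) < 9:
        reasons.append("shorter than 9 characters")
    if len(classes_used(password)) < 2:
        reasons.append("uses a single character class")
    return {
        "keyspace": keyspace(password),
        "seconds": seconds_to_exhaust(password),
        "acceptable": not reasons,
        "reasons": reasons,
    }


def hardness_ratio(weak: str, strong: str) -> float:
    """How many times larger the search space of `strong` is than that of `weak`."""
    return keyspace(strong) / keyspace(weak)


if __name__ == "__main__":
    # Constructed sample inputs: the 6-character lowercase case from the post,
    # a 9-character mixed-case alphanumeric one, and two blocklisted words.
    for pw in ("abcdef", "aB3xK9mQ2", "Password", "butterfly"):
        result = evaluate(pw)
        verdict = "ok" if result["acceptable"] else "; ".join(result["reasons"])
        print(f"{pw:12} keyspace={result['keyspace']:.3e} "
              f"exhaust={human_time(result['seconds']):>18} -> {verdict}")
    print(f"9-char mixed vs 6-char lowercase: "
          f"{hardness_ratio('abcdef', 'aB3xK9mQ2'):.2e}x the search space")
```

The blocklist comparison is done case-insensitively, since "Password" is no harder to guess than "password"; a real deployment would load a full published list rather than the five constructed entries here.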

So once we’ve gone to the trouble of making that impenetrable password, it should be good enough to use on everything, right? Wrong. So very, very wrong. And yet, that is a mistake most of us make. And almost as bad is when we alternate or recycle passwords. Oh, the inconvenience. Yes, it is a royal pain to manage up to a dozen different passwords, never mind we can’t remember them now. But that pales in comparison to cancelling all your credit cards, then carefully reviewing your bank and card statements from now on. There are ways to manage your passwords, including third party software. While I can’t say what works best, what I can say is this: if you haven’t already been hacked, you are about to be. This is how you won’t become another data breach statistic on the nightly news.

Welcome to Fortress Security

Your home is your castle. It’s filled with pictures and memories, set up just the way you like, more than just the money you paid for it. You buy insurance to cover the cost of replacing it lest anything should ever happen to it but the truth is – it’s irreplaceable. Nobody wants to go through the heartache or headache of massive loss or damage. But that’s exactly what happens when our computers crash or phones go missing. We put the equivalent of our entire lives on tech devices. We have become a mobile society.

Most people know about anti-virus software and backups. A percentage use these to safeguard their tech and their data. But the reality is that most people have no idea just how vulnerable they are and what their actual exposure to damage and loss is. Today, the real risk isn’t dropping a phone into a puddle or circuits frying. It’s something lurking in the shadows, waiting for you to swipe your credit card, visit a website, or open an email attachment. Cybercrime has become a significant player in the new global economy, and it’s here to stay.

If only hackers were those sharply savvy caricatures dressed in black we enjoy in movies. But there is nothing charming or funny about gangs of thugs whose sole motivation is to get rich by ruining the lives of others. And that is the true essence of cybercrime. Our personally identifiable information, or PII, is the new currency of the black market. Usercodes, passwords, driver’s licence numbers, home addresses – we are broken down to bits and pieces, sold to the highest bidder, who will then recreate a whole new identity at our cost.

As it stands, the black hats are keeping more than one step ahead. For those of us in information security, or InfoSec, it’s a frustrating game of catch-up. Which means damage control more than damage prevention. The stakes are high, the payoffs are huge, and the playing field is global. But knowledge is power in this fight. As malware evolves and data breaches make nightly news, for the average user that really will mean an ounce of prevention is worth a pound of cure.