jump to navigation

“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure May 7, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS.
Tags: , , , , , , , , ,
add a comment

For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system.  According to Techcrunch in February, 2012 it was discovered that OSX Lion (the newest OS from Apple) had a major security weakness and released widely within the last few days.  It was disclosed that the FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area.  This effectively renders the encryption useless as the keys (the passwords) are not secure.  While it was originally believed that the vulnerability as specific to the encrypted File Vault solution, it appears now that the vulnerability is larger…potentially much larger.  Sophos Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.”    Key management and password security continue to be the weakest link in most encryption implementations.

(UPDATE)-“Interesting” Logic & Analysis – Verizon’s 2012 Data Breach Report April 17, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, terrorism.
Tags: , , , , , , , ,
2 comments

I received a very insightful comment from one of the Verizon authors and thought it prudent to share. I think this explanation is very helpful for companies looking at infosec controls.  Here it is, in part(emphasis added): “You make a valid point about the fact that a determined attacker would simply try again if the first attempt failed. However, our finding that most breaches are avoidable through relatively simple controls doesn’t overlook this as you suggest. Our data show that most criminals aren’t determined to breach a particular victim and likely won’t try again if met with decent resistance. In fact, the extreme opportunistic nature of target selection means they likely won’t even be attacked w certain controls in place because automated probes will skip on down the street after jiggling the door handle a bit.  You can read the full comment, in ‘comments’.  The entire post is you continue reading. (more…)

What to do if your card was compromised and used… April 1, 2012

Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , ,
add a comment

I have already read 5 different articles where experienced and well known security evangelists are discussing how their credit card data was exposed and how it exposed them to danger.  Here are some things to understand about credit card theft and liability.  First, credit card theft is NOT identity theft.  Certainly, criminals can make fraudulent transactions but they cannot assume your identity to buy a boat, house, or get further credit.

Second, Under Federal law, consumers are limited to $50 for fraudulent credit card transactions.  The major card brands (Visa, MC, Amex, JCB, Discover) all have “Zero” liability clauses.  This means that if your card was used fraudulently…you have no liability for transaction that run over their networks. If it is a PIN based transaction (debit, for example) there are other considerations.  You can read more on this post. “Signature or PIN? Credit or Debit?…the answers”  If the Global Payments breach was limited to track 1 or track 2 data as reports indicate, then the PIN issue is not relevant.

Here is what you should do…

1) check your credit and debit card accounts. Debit cards can be processed as an ‘offline’ transaction which means they run over credit networks.  The criminals can use them just like stolen credit cards.  If you see unauthorized transactions take the next step.

2) call your issuing bank (bank listed on your card) and inform them of the fraudulent transactions.  They will require you to complete an affidavit stating it was not your charge, etc. etc.  If you have unauthorized charges on your bank account from the debit card being compromised, read the post here as it is a bit more complex from time to time. Understand that your bank will CANCEL the card and reissue a new card.  Make sure you have taken steps to update your bills etc.

3) continue to monitor your accounts for fraudulent activity…that simple.

Hopefully this helps assuage some concerns

Global Issues Press Release Confirming Breach March 30, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Leglslation.
Tags: , , , , , , , , ,
add a comment

Thank you to a person for pointing this out to me via LinkedIn.  GlobalPayments, Inc. has issued a press release confirming it was their system that was compromised.  You can read it here.  They have disabled cutting and copying so here is a screenshot.

Chinese MalWare Attacks Tracked to Individual March 30, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

According to a report on Foxnews today, TrendMicro has traced a MalWare attack aimed at Tibetan activists in Japan and India to a Chinese graduate of Sichuan University. The LuckyCat campaign has been active for about a year and compromised over 230 computers in 90 separate attacks.  You can read the TrendMicro report here.    According to TrendMicro: “The Luckycat campaigns targets include the aerospace, military, energy, shipping and engineering industries, as well as Tibetan activists and organizations. Given its technical similarities, Luckycat is believe to be a continuation of ShadowNet, also known as GhostNet, a Chinese cybercrime campaign that has been targeting Tibetan activists as well as the Indian government since 2009, Trend Micro said.”