2012 – Another “Massive” Credit Card Breach March 30, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy.Tags: Chris Mark, data breach, fraud, InfoSec, mastercard, PCI DSS, security, visa
add a comment
According to Krebsonsecurity, the payment card industry has been wracked by yet another massive data breach. The story says that Visa and MasterCard are alerting companies to a US processor that was breached. This, according to reports, is a breach of Track1 and Track2 data. For those unfamiliar with credit cards, track1 and track 2 data is what is known as “magnetic stripe data” and is used to counterfeit cards as it contains the sensitive authentication data necessary for retail (card present) transactions. This is the most dangerous and valuable data to criminals.
As stated on the site: “In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012.”
“A Failed State of Security”; Deterrence Theory & CyberCrime (Research Brief) March 5, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, cybersecurity, data breach, data security, deterrence theory, markconsultinggroup.com, PCI DSS, security
add a comment
Expanding on the concept of Rational Deterrence and its effect on crime, we have published a research brief on Deterrence Theory and Its Effect on CyberCrime. The brief outlines the failing strategy of compelling companies to prevent breaches without deterring those who commit the crimes. You download the brief (all 25 pages) here. Below is a short excerpt:
“At RSA’s annual security convention, the head of the Federal Bureau of Investigation, Mr. Robert Mueller stated, on February 28th, 2012, ominously: “There are only two types of companies. Those that have been hacked and those that will be.”[1] At the same event, the CEO of RSA, told the audience: “Our networks will be penetrated. We should no longer be surprised by this.” He further stated: “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”[2] The comments, while accurate, are late in coming. RSA, one of the worlds’ largest security vendors, was breached in 2011. The breach was more than a simple theft of customer data. The breach was a theft of intellectual property that compromised the infrastructure of RSA’s 2-factor authentication system known as SecureID. This potentially exposed thousands (if not more) of companies to a bypass of their own access control mechanism.
RSA’s CEO then continued: (more…)
“Don’t Eat Your Hash without Salt”- Zappos Data Theft February 29, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, cybersecurity, data breach, hashing, InfoSec, mark consulting group, MD5, security, zappos
1 comment so far
On January 12, 2017 it was announced on MSNBC.com that an Amazon owned shoe company, Zappos, experienced a data breach of more than 24 million accounts. According to the report, the breach captured the names, email addresses, telephone numbers, last four digits of the credit card, and the “cryptographically scrambled passwords”. The report on MSNBC then states: “Using the clues gleaned from Zappos accounts, the hackers may now have enough clues to gain access to a user’s e-mail or other important accounts. So while Zappos passwords may still be relatively secure, all those other pieces of information can offer clues to a user’s password. That information can also be used to answer a weak set of security questions correctly.” Unfortunately, this article is somewhat misleading.
The description of ‘cryptographically scrambled’ passwords is referring to passwords that have been stored using one-way cryptographic functions known as ‘hashing algorithms’. A hashing algorithm like MD5, SHA1, SHA256 is called ‘one way’ because the same input will always result in the same output. If given the output, it approaches mathematical impossibility (because nothing is truly impossible) to derive the input. Why would you want a ‘one way hash’ to secure passwords? (more…)
Nortel Network Compromised for a Decade; Chinese Suspected February 14, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.Tags: armed security, Chris Mark, cybersecurity, data breach, InfoSec, InfoSec & Privacy, mark consulting group, markconsultinggroup.com, nortel breach
1 comment so far
According to MSNBC, Nortel’s network was open to hackers since at least 2000. It is suspected that the hackers are Chinese. The data thieves appear to have had nearly “unfettered access” to the network and were able to download: ” “technical papers, research-and-development reports, business plans, employee emails and other documents.” How did they access the network? Simple. (more…)
Global Security, Privacy, & Risk Management 