You Get Hacked. Why Wait a Month to Notify People?

This hack hit Sears, Delta and Best Buy through a subcontractor they all use. The breach happened in late September and October 2017. The retailers were “informed” last month. So why wait a month to tell people? (Give the execs time to sell stock? That’s the cynic in me.) Best Buy says it was hit by same data breach as Sears and Delta

Best Buy said on Friday that some of its customers’ credit card information may have been compromised in a data breach that also hit Sears and Delta Air Lines.

The breach at a third-party company – [24] – that supports chat occurred between late September and mid-October of last year. That third party waited until last month to inform its corporate customers, and those companies waited until this month to inform their own customers. And it looks like Best Buy only came clean because Sears and Delta went public yesterday. (So how long would they have waited?)

So I understand that shit happens. But why does everyone wait and wait and wait to tell the public? At this point in the 21st century you should already have a PR plan in place for when you get hacked. You should be able to alert the public the day you have the breach closed. But the corporate “cover-your-ass” culture seems too ingrained for that. In at least one instance (memory fails me, but I would bet on Equifax, though that may just be because that breach still pisses me off) the execs sold shares before they announced the hack. (And before the stock fell.)

So tell me, is there ANY company in the world that can be trusted with customer data?


Tech News Roundup. Tesla, Hacking 911, Another Data Breach

There is too much insanity for individual posts….

First we have Tesla. Someone conducted a very unscientific test, but was able to reproduce some of the behavior reported prior to the latest crash.

Tesla wants you to believe it was the driver, or a broken part. I think the real reason is that self-driving cars are not quite ready for prime time. Video shows Tesla Model S Autopilot veering towards barrier where fatal crash occurred – SlashGear

Unfortunately the part that seems to be broken in this video is the Autopilot. Not a scientific test, but with two data points that line up….

Will be interesting to see if anyone else does something similar.

This is an easy prediction: Attacks on cities and on 911 infrastructure will continue for the foreseeable future.

Cities remain a tempting target for hackers. Cities continue to be vulnerable. (They love to put stuff on the intertubes, but they don’t love to pay for security.) Hackers have taken down dozens of 911 centers. Why is it so hard to stop them?

There have been 184 attacks on cities in the past 2 years.

911 centers have been directly or indirectly attacked in 42 of the 184 cases on SecuLore’s list, the company says. Two dozen involved ransomware attacks, in which hackers use a virus to remotely seize control of a computer system and hold it hostage for payment.

It doesn’t say how many of those attacks were WannaCry, or one of the variants that exploit the flaw Microsoft patched last year, but I think it is probably fair to say that at least some of those attacks were the result of city managers ignoring pleas from their IT staff to upgrade old systems. Some of them are denial of service, and some of them, like the hack of Atlanta, are newer problems.

As long as managers and people responsible for paying the bills don’t think security is important, we will have more attacks on 911 centers, more retailers will have their systems hacked, and more people who want to buy something or schedule a vacation or get help in an emergency will pay the price.

And finally, the latest retailer to prove that they shouldn’t be trusted with your credit card (or other) information is Panera.


Yet Another Data Breach at a Retailer

This is getting to be too frequent an occurrence. Saks, Lord & Taylor Hit With Data Breach – WSJ

Saks Fifth Avenue and Lord & Taylor had their credit card system hacked.

Hackers claim they have five million credit card and debit card numbers from the stores and have been releasing them for sale on the “dark web,” a network of websites used by hackers and others to anonymously share information, according to Gemini Advisory LLC, a New York-based cybersecurity firm. The hackers began stealing the card numbers in May 2017, the firm estimates.

They aren’t even the only company this week.

On Friday, Under Armour Inc. disclosed that someone illegally accessed data from its MyFitnessPal fitness-tracking app in late February, affecting some 150 million users. Personal data such as emails, usernames and passwords were exposed, but credit-card information and driver’s license numbers weren’t compromised, the athletic-wear company said.

So why is there always so much time between incident and disclosure?

Atlanta Hit By Cyber Attack

Another city gets hacked. With paper and phones, Atlanta struggles to recover from cyber attack

Atlanta’s top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper.

Cities keep getting targeted because they are tempting targets for people who want to make a name for themselves, and because they are not taking security seriously. Or at least they are not putting the money into security.

The attack used the SamSam ransomware. It is slightly more sophisticated than WannaCry.

First identified in 2015, SamSam’s advantages are conceptual as well as technical, and hackers make hundreds of thousands, even millions of dollars a year by launching SamSam attacks. Unlike many ransomware variants that spread through phishing or online scams and require an individual to inadvertently run a malicious program on a PC (which can then start a chain reaction across a network), SamSam infiltrates by exploiting vulnerabilities or guessing weak passwords in a target’s public-facing systems, and then uses mechanisms like the popular Mimikatz password discovery tool to start to gain control of a network.

In this day of readily available password managers that will generate as complex a password as the system can handle, there is NO reason that a public-facing system should have “weak passwords.” Though it is a little more complicated than that: the way people administer groups of employees is, in all too many cases, flawed. (Problems with Windows don’t help.) And if anything is immune to change, it’s a bureaucrat in a .gov department who can’t be bothered about those stupid folks in IT who have NO IDEA what they do to run the city.
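
As an added example (not code from this post, from the quoted write-up, or from any vendor), here is a small detector for the first step that write-up describes: password guessing against an exposed service. It reads Windows logon events (4625 = logon failed, 4624 = logon succeeded, assumed exported as simple records with the fields shown), flags a source that bursts past a failure threshold, and flags the higher-fidelity case of a success from a source still inside its burst, i.e. a credential that has just been guessed. The event records are constructed for the example, and the field names, thresholds and window are assumptions you would tune to your own log pipeline.

```python
"""Detect password guessing against a public-facing Windows host from logon events.

Added example for this post, not code from the post or from any vendor. It
assumes Windows Security log events exported as records with these fields:
ts (ISO 8601), id (4625 = logon failed, 4624 = logon succeeded), logon_type,
src (source address) and user. The records below are constructed, not real
logs. Logon type 10 is RemoteInteractive (RDP), the kind of exposed service
that gets its passwords guessed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures from one source within WINDOW -> alert
WINDOW = timedelta(minutes=2)
REMOTE_LOGON_TYPES = {3, 10}     # 3 = network (SMB etc.), 10 = RemoteInteractive (RDP)

# Constructed sample: a guessing burst from 203.0.113.7 that ends in a success,
# one local console typo, and a legitimate user who mistypes once and logs in later.
SAMPLE_EVENTS = [
    {"ts": "2018-03-22T05:11:00", "id": 4625, "logon_type": 2,  "src": "-",            "user": "bob"},
    {"ts": "2018-03-22T05:10:01", "id": 4625, "logon_type": 10, "src": "203.0.113.7",  "user": "administrator"},
    {"ts": "2018-03-22T05:10:03", "id": 4625, "logon_type": 10, "src": "203.0.113.7",  "user": "administrator"},
    {"ts": "2018-03-22T05:10:05", "id": 4625, "logon_type": 10, "src": "203.0.113.7",  "user": "admin"},
    {"ts": "2018-03-22T05:10:07", "id": 4625, "logon_type": 10, "src": "203.0.113.7",  "user": "admin"},
    {"ts": "2018-03-22T05:10:09", "id": 4625, "logon_type": 10, "src": "203.0.113.7",  "user": "jsmith"},
    {"ts": "2018-03-22T05:10:12", "id": 4625, "logon_type": 10, "src": "203.0.113.7",  "user": "jsmith"},
    {"ts": "2018-03-22T05:10:15", "id": 4624, "logon_type": 10, "src": "203.0.113.7",  "user": "jsmith"},
    {"ts": "2018-03-22T05:12:30", "id": 4625, "logon_type": 10, "src": "198.51.100.9", "user": "bob"},
    {"ts": "2018-03-22T05:30:00", "id": 4624, "logon_type": 10, "src": "198.51.100.9", "user": "bob"},
]


def detect_password_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for remote logon failures that burst past `threshold`
    within `window` from one source, and for any success from a source that
    is still inside such a burst (a guessed credential: the signal worth
    paging on)."""
    events = sorted(events, key=lambda e: e["ts"])   # exports are not always ordered
    recent = defaultdict(deque)      # src -> deque of (ts, user) failures inside window
    bursting = set()                 # sources already alerted for their current burst
    alerts = []
    for e in events:
        if e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue                 # console/service logons are not "public-facing"
        ts = datetime.fromisoformat(e["ts"])
        src = e["src"]
        fails = recent[src]
        while fails and ts - fails[0][0] > window:
            fails.popleft()          # slide the window forward
        if not fails:
            bursting.discard(src)    # burst is over; a later burst gets a fresh alert
        if e["id"] == 4625:
            fails.append((ts, e["user"]))
            if len(fails) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"kind": "password_guessing", "src": src, "ts": e["ts"],
                               "count": len(fails),
                               "users": sorted({u for _, u in fails})})
        elif e["id"] == 4624 and len(fails) >= threshold:
            alerts.append({"kind": "guessed_credential", "src": src, "ts": e["ts"],
                           "user": e["user"], "failures": len(fails)})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_EVENTS):
        print(alert)
```

On the sample this yields two alerts: a password_guessing alert for 203.0.113.7 once it reaches five failures across three account names, and a guessed_credential alert when jsmith then logs in from that same source while the burst is still within the window. Bob's single mistype followed by a login eighteen minutes later is ignored. The detector only tells you the advice above has been ignored; the fix is still strong passwords, account lockout, and not exposing RDP to the internet in the first place.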

WannaCry Ransomware Hits Boeing

At this late date, it is sad that WannaCry is still an issue. WannaCry ransomware reportedly reappears to strike Boeing – CNET

Boeing is denying early reports that it is a widespread problem. It should not be any kind of problem because the patches have been available for a very long time.

“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems,” Linda Mills, vice president of Boeing commercial airplanes communications, said in a statement. “Remediations were applied and this is not a production or delivery issue.”

The big attack was in May of last year, and although I can’t find the info right now, I’m fairly certain that Microsoft released patches for everything (including at least one “unsupported” version of Windows) in March of last year.

Why, in the face of everything that happened to Maersk (it cost them at least $200 million) or the TNT division of FedEx (I can’t find numbers on that), would anyone NOT update their damned Windows systems?

Baltimore’s 911 System Hacked – They Won’t Say How

They love to put information and systems on the web. They don’t love to spend the time and money to secure them. Baltimore 911 dispatch system hacked, investigation underway, officials confirm – Baltimore Sun

Baltimore’s 911 dispatch system was hacked by an unknown actor or actors over the weekend, prompting a temporary shutdown of automated dispatching and an investigation into the breach.

So they had to do things the old-fashioned way: dispatchers had to ask the caller on the phone for critical information, such as location, that the automated system would normally supply. That can be a problem if the person on a cell phone doesn’t know exactly where they are.

“News reports of successful government website hacks appeared frequently over the past year, with several hacktivist groups openly targeting cities and local government for political reasons,” read the alert from the Emergency Management and Response Information Sharing and Analysis Center, which falls under the U.S. Fire Administration and the Federal Emergency Management Agency.

And while they don’t have credit card info, they do have some data, and whether they are spending adequately on security is anybody’s guess.

City of Atlanta Hit By Ransomware Attack

If it turns out that it is due to software that should have been updated years ago, someone should lose their job. Officials: Atlanta working with feds to address cyberattack. But it is civil service, so there will be no consequences.

Chief Operating Officer Richard Cox said the city’s information management officials were made aware of the hack at about 5:40 a.m. (today) of “an outage of internal and customer-based applications such as the website where people pay their bills or the website where people access court-related information.” In a ransom note, the hacker(s) are asking for thousands of dollars be sent via Bitcoin.

Public safety (911, Police and Fire) are not impacted. So is that good planning or just dumb luck?

I doubt they will release any meaningful info about the attack, because it will just make them look bad.