A weekly roundup of all the things that go bump on the net


This Week InSecurity - Son of Target, Dumb Breach Responses, Not Again Korea, Phone Death Comes to California

Call it Son of Target, but the malware that took down Target and turned it into the biggest data breach in history (so far) didn't stop at the big box. Investigators now say the same malware was used to attack the point of sale systems at more than 1,000 other businesses.

Fingers of blame are quickly settling on a small group of half a dozen vendors of retail POS systems who apparently haven't been doing a very good job at protecting their systems. Poor passwords and sloppy admins take the most blame, as they do with many if not most hacks.

Speaking of hacks, here's a perfect example of the kind of brick-headed thinking that leaves so many businesses exposed. When Community Health Systems, a massive healthcare company based in Franklin, Tennessee, announced that Chinese hackers had managed to break into the hospital's networks and steal the personal information, including Social Security Numbers, of more than 4.5 million patients, the hospital put out a statement that included the comment "we have no reason to believe that this data would ever be used."


This Week InSecurity - Russian Hackers, Bored Teenagers, Global Credit Card Fraud

It will undoubtedly go down as one of the most spectacular data heists ever. Or at least until the next big one. Which is probably not far off. I'm talking about how researchers in Milwaukee discovered a treasure trove of more than 1.2 billion stolen passwords and usernames, along with half a billion email addresses, on the servers of a group of Russian hacking buddies.

While many focused on the need for almost everyone on the planet to immediately change their passwords, I found a couple of things in the story to be even more troubling. It was all about how easy the entire heist was. The hackers were apparently able to break into more than 400,000 websites around the world because security on those websites was just so lax.

And the hackers were able to find and target all those websites by using a botnet – a network of thousands of hijacked personal computers. And how were they able to hijack so many personal computers? Because security on those computers was just as lax as the security on the exploited websites.


1.2 Billion Password Hacker Haul Exposes The Creepy Side Of Consumer Security

By now you've probably heard about the massive haul of 1.2 billion user credentials discovered on the servers of a group of young Russian hackers (if you haven't heard of it, then welcome to the planet and sorry for the mess).

Just to remind you, a tiny and virtually unknown security company in Milwaukee, Wisconsin called Hold Security gained instant global fame when they announced in early August that for months they had been monitoring a young group of hackers that had amassed more than 1.2 billion stolen usernames and passwords, and nearly half a billion email addresses, which they were using for spamming and other crimes.

Even more disturbing, the hackers had stolen the information from nearly half a million compromised websites. And the hackers had attacked those websites by hijacking thousands of poorly protected personal computers.


The Top 10 Most Common Identity Theft Myths

Every year around this time we see the same experts dole out the same identity theft prevention tips. And yet, identity theft keeps getting worse. Maybe it's because we have to take a step back, and start by exposing some of the myths that can lead to consumer apathy about identity theft. If we help consumers to better understand the reality of identity theft, they might better appreciate these tips and apply them more often.

So here goes:


2 Million Hacked Passwords and the Troubling Truth About Keyloggers

As security researchers uncovered a stash of more than 2 million hacked passwords on a hacker's server in the Netherlands last week, from users of Facebook, Google, LinkedIn and Twitter, most of the focus was on just how many people are still using awful, and awfully weak, passwords. But did all the commentators miss an even bigger story connected to the hack?

Researchers from security firm Trustwave revealed how they discovered the kidnapped passwords on a hacker server in the Netherlands, and how a study of the stash revealed what we already know about passwords: that many users think weak, predictable passwords are perfectly OK. Some of the most common passwords discovered on the server and apparently favored by many users included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we're not explaining the whole concept of passwords properly.

But the other lesson that came from the discovery is how effective a little known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that once installed on a computer will capture whatever the user types. And maybe even more. And there's a good chance that your antivirus software won't catch it. While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that's the stuff that can do the most harm.

But there was more relevant news. On the very day that media outlets around the world were railing at how bad the passwords were, a security firm in San Francisco called OPSWAT quietly revealed even worse news. When they planted a basic keylogger on one of their test computers, and ran scans with more than 40 of the most popular antivirus products over two weeks, only one product caught the keylogger. Which probably means most consumers won't.
