Breach at Target Stores Affect 40 Million Customer Card Accounts

Target suffered a major data breach losing credit, debit and Red card numbers for as many as 40 million customers across 1900 stores in US and Canada. This will go down as one of the largest breaches in recent history and it comes at the worst possible time.  Consumers may have to cancel their cards just they are trying to finish Christmas shopping.  Target says the issue has been resolved. Keep an eye on your accounts and if you see any suspect activity, cancel your card right away.

Are you doing everything you can to prevent a breach like this at your company?

Talk to PathMaker Group about our 16 domain security assessment.

https://www.pathmaker-group.com/services/security/assessments/

Learn more about the Target breach at their corporate website

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

 

Have you had your Security Wellness Check?…

So you think your organization is secure . . . think again! IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16 domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.

CUNA website attacked and user data exposed

Team GhostShell has released the data acquired through more successful attacks against a wide variety of websites. Victims include the Credit Union National Association (CUNA) and several other companies and government organizations. Initial estimates put the total number of leaked CUNA website usernames and MD5 hashed passwords at around 46,500. Many of the hashed passwords have already been cracked and were included in the release. The data released also included full names and physical addresses as well as individual names tied to phone numbers.

This attack was just the latest example of what can occur when your website has not been tested thoroughly for SQL injection (SQLi) and other vulnerabilities on a regular basis. SQLi occurs when an attacker finds a vulnerable or poorly protected website and passes commands directly to the backend database. When an attack is successful the effect can be a devastating disclosure of personal information. This type of attack has been documented time and time again and remains one of the top vulnerabilities listed in the OWASP top ten. (https://www.owasp.org/) Any company that maintains sensitive information on individuals should regularly have trusted third party security firms review the current security status of their websites through penetration tests.

Best practices recommend a penetration test be conducted at least annually to ensure security of your website has not been compromised by any changes that have occurred since the last test. Many of today’s websites utilize content management system like WordPress, Drupal, Joomla, etc. Content management systems (CMS) like this are regularly tested by both users and developers to ensure their security. However many vulnerabilities found on websites today will actually stem from plugins or software add-ons installed by the end user to the CMS platform. Unfortunately not all plug-ins are properly tested for security by their developers. We at PathMaker Group have found that even after being notified of a security vulnerability many customers will not implement a fix for some time leaving their website vulnerable to attack.

Another issue that stands out from this latest attack is the ability for users to set weak, dictionary based passwords on their accounts. Many of the cracked passwords were comprised of a single lower case word found in any standard English dictionary. This is not a recommended security best practice configuration. User account passwords must be administratively required by the system to be strong in nature. For example, a reasonably strong password should contain at least 12 characters comprised of UPPERcase, lowercase, numb3rs, and $pecial characters. By allowing your users to store weak passwords, you may be allowing attackers authenticated access to your systems. This can lead to a PR nightmare for both you and your client.

PathMaker Group can provide professional security testing of your current security controls including penetration testing of your websites. Talk to us about becoming your partner in defending your most valuable assets. Click the “Contact Us” button on the right to get in touch with a security expert who can assist with your annual security testing and provide guidance on securing your business from outsider attack.

We have not included link to the data exposed by Team GhostShell due to the sensitivity of the included data and respect for those who have been affected.

Update:
CUNA has now confirmed the attack via press release: http://www.cuna.org/newsnow/12/system121012-8.html

Included is a statement from CUNA President/CEO Bill Cheney.“We do not believe any sensitive personal information from our web site was accessed, however, we are contacting all users of our website to advise them of the breach. Further, we will continue to analyze the information posted online by the (hackers) group, as well as continue to validate that no other risks exist. We will also continue to monitor our website and take increased security measures to ensure it is safeguarded.”

Security and PCI-DSS Compliance

The question of whether compliance makes your networks secure often comes up when performing Payment Card Industry (PCI) Data Security Standard (DSS) remediation and audit work. Many believe that compliance with the PCI-DSS means their networks are secure from exploitation. Unfortunately this is not the case. Passing an independent PCI audit usually indicates reduced vulnerability for those PCI related areas tested, however the PCI segments are usually a small portion of the overall networks.

The payment card industry has one goal in mind and it is not to protect or provide security for your network. Their goal is to protect credit card and card holder data. They do this to limit their potential liability and transfer responsibility for that liability to the entities that provide, accept, use, store or transfer credit card and card user information. That is almost all businesses and many institutions here and around the world. Read more

The Importance of Hiring an Experienced, Qualified Security Assessor for Your PCI-Compliance Audit

With the stiff penalties associated with failure to meet standards set by the PCI Security Council, ensuring that your company remains compliant and avoids security breaches requires regular PCI compliance audits. Hiring qualified security assessors can help you avoid a number of potential pitfalls associated with audits. Opting to hire the most experienced candidates offers a number of benefits, including:

  • Getting it Done Right
    In 2004, CardSystems Solutions was hacked, resulting in 263,000 stolen credit cards and roughly 40 million compromised. This breach occurred despite their security auditor giving them a clean audit just three months prior. Hiring experienced PCI compliance auditors to perform your audits lessens the likelihood of potentially costly mistakes.
  • Continued Security
    Experienced PCI compliance auditors not only understand current standards, but they understand the areas in which the current standards fall short. This allows you to proactively anticipate security risks and protect your customers’ data. Understanding the current problems, as well as the next generation of threats, allows you to remain in compliance and prevent costly security breaches. Read more

Different Types of Incidents that Can Result in Compromised Network Security and Information

Network security is an important consideration for any business that is connected to the internet, but especially for businesses entrusted with sensitive customer information. Penetration testing and PCI compliance are important safeguards for protecting customer data, but what are the ways in which customer data might become compromised?

  • Malware
    Malware is one of the most pervasive network security threats these days. Malware is a comprehensive term to describe viruses, worms, Trojan horses, tracking cookies, and many other types of threats that include malicious code or software that aims to breach your confidentiality. They can be detected and removed with most software security suites.
  • Cybercrime
    While malware attempts to breach your security from inside your computer, cyber criminals attempt to breach your security from afar. Hacking and cyber crime causes tens of millions of dollars in losses every year. One way to prevent cybercrime is to have an IT security professional perform penetration testing on your system to find loopholes and close them. Read more

Leveraging Centralized Log Management in a PCI DSS Environment

Enterprise environments generate vast amounts of log data on their own before even being required to meet PCI DSS section 10 logging requirements. When taking into account the volume of logs from the large variety of sources across a network it is important to find an effective and efficient manner to address this data. IT departments could easily dedicate one full time employee to this task alone when logs are decentralized across the organization and need to be reviewed, at times, on a daily basis. Admins also face the daunting task of having a working knowledge of the vast array of system interfaces used to access and review this data where it is stored by default. Obviously this configuration is highly inefficient as well as impractical. The only logical solution to meet the PCI DSS required logging volume as well as the review requirements is a centralized log management system. PathMaker Group offers such a solution, built on a SaaS platform, that can provide the necessary functionality, usability, and reporting that PCI DSS requires. Read more

PCI Updates

I thought i would take a few minutes to wish everyone happy holidays and a very prosperous 2011. I also noticed that I hadn’t blogged in a while so I thought I do a little of that…

This blog provides a few updates and observations related to the following:

  • PCI DSS v1.2.1 to PCI DSS v2.0 transition – very well defined, except for the cut-over date. The bottom line is that the PCI SSC is encouraging all merchants and service providers to convert as soon as possible, but at the same time saying everyone has until New Years Eve 2011 (one year).
  • PCI DSS and PA-DSS v2.0 Scoring Templates – QSAs can’t plan their projects without the new Scoring Templates. This will stall migrations.
  • Sampling And ASV Scanning Do Not Mix – this wasn’t a like a free lunch but some still manage to screw it up…
  • PCI DSS Timeline Clarification Read more