Zappos Hacked

January 16th, 2012

From CNN Money – 24 million accounts accessed. The CEO states that no credit card data was exposed. They state the hack gave access to part of their internal network and systems, yet the server that was hacked was based in Kentucky. I thought Zappos operated out of Nevada?

The article distracts from the fact that they were hacked, period. Regardless of whether customer data or credit card data was taken, they were vulnerable enough to be hacked. Does that give customers a vote of confidence that they are secure?

Was that last statement a little harsh? It depends on which side of the fence you are looking from. I see it as a good thing that the attackers didn’t get further, but I can’t help but think that it was a starting point. We all know it only takes one person inside the company to make us vulnerable, and that chances are it isn’t malicious, but that the vulnerability that person unwittingly creates allows the hack to occur.

Was a patching / maintenance window pushed back for some reason or other? Or were bad practices involved? We don’t know the answers; we just see the headline “Zappos Hacked”. The hackers got to the last four digits of credit card numbers – perhaps that is a staging database used for testing? Again, who knows, right?

You have to wonder where the fine line is for giving out information about being hacked. Not the method, just what, when, etc. Since the damage is done, how do you negate that and recover?

I’m guessing there’s a lot of work going on in Zappos right now – forensics – rebuilding – double checking. It’s sad, since they have done so well up to now. How bad is the fallout going to be? I’m keeping an eye out but my thought is they will recover, since their reputation has always been good and valued.

BIND 9 Resolver crashes after logging an error in query.c

November 18th, 2011

Here’s some news: CVE-2011-4313, with a CVSS score of 7.8 – BIND 9 resolver crashes after logging an error in query.c. Here is the original post: http://www.isc.org/software/bind/advisories/cve-2011-4313.

Here’s the description:
An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.

Easy fix? Upgrade BIND to one of the following patched versions (or anything later on the same branch): BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
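Knowing the fixed versions is only half of the check; you still have to read the version string each resolver reports and compare it against the right branch, and BIND’s ESV branches (9.6-ESV-R5-P1) do not sort like the regular 9.x.y-Pn releases. The script below is an added example, not ISC’s code and not part of the original post: it parses the first line of `named -v` and reports whether the host is at or past the first fixed release for its branch. The fixed versions are the four listed above; the sample `named -v` lines are constructed, not captured from a real host.

```python
import re
import sys
from typing import NamedTuple


class BindVersion(NamedTuple):
    major: int
    minor: int
    esv: bool      # True for the 9.4-ESV / 9.6-ESV extended-support branches
    release: int   # third component for 9.x.y, the -Rn number for ESV branches
    patch: int     # -Pn security patch level, 0 when absent

    @property
    def branch(self):
        return (self.major, self.minor, self.esv)


# Matches "9.8.1-P1", "9.7.4", "9.6-ESV-R5-P1", "9.4-ESV" and distro-decorated
# strings such as "9.7.3-P3-RedHat-..." (the first match is the upstream version).
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<rel>\d+)|(?P<esv>-ESV)(?:-R(?P<esvr>\d+))?)?"
    r"(?:-P(?P<patch>\d+))?"
)


def parse_bind_version(text: str) -> BindVersion:
    """Extract the BIND version from e.g. the first line of `named -v`."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    esv = m.group("esv") is not None
    release = m.group("esvr") if esv else m.group("rel")
    return BindVersion(
        major=int(m.group("major")),
        minor=int(m.group("minor")),
        esv=esv,
        release=int(release or 0),
        patch=int(m.group("patch") or 0),
    )


# First fixed release on each branch, as listed in ISC's CVE-2011-4313 advisory.
CVE_2011_4313_FIXED = [
    parse_bind_version(v)
    for v in ("9.8.1-P1", "9.7.4-P1", "9.6-ESV-R5-P1", "9.4-ESV-R5-P1")
]


def cve_2011_4313_status(named_v_output: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a `named -v` line.

    A version is 'patched' when it is at or past the first fixed release on its
    branch, so later releases (e.g. 9.8.2) count as fixed. Branches the advisory
    does not list are reported as 'unknown-branch' rather than guessed at.
    """
    v = parse_bind_version(named_v_output)
    for fixed in CVE_2011_4313_FIXED:
        if fixed.branch == v.branch:
            if (v.release, v.patch) >= (fixed.release, fixed.patch):
                return "patched"
            return "vulnerable"
    return "unknown-branch"


if __name__ == "__main__":
    # Pass real `named -v` output as arguments; otherwise use constructed samples.
    lines = sys.argv[1:] or [
        "BIND 9.8.1-P1",        # exactly the fixed release
        "BIND 9.7.3-P3",        # older release on a fixed branch
        "BIND 9.6-ESV-R4-P3",   # ESV branch, one R behind the fix
        "BIND 9.8.2",           # later than the fix on its branch
        "BIND 9.9.0",           # branch not covered by the advisory
    ]
    for line in lines:
        print(f"{line:25} {cve_2011_4313_status(line)}")
```

One caveat when running this against distribution packages: vendors such as Red Hat and Debian often backport the fix without bumping the upstream version string, so a "vulnerable" verdict from the version alone is a prompt to read the package changelog, not proof that the resolver will still hit the assertion.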

Twitter and Legal Hacking

November 11th, 2011

I’ll admit I haven’t read through the whole article in the link below, but the government legally hacked someone? The fact that “legal” and “hacked” appear in the same sentence is a little concerning.

That being said, it is feasible that there are times when something like this might need to happen – national security etc. – and this was with reference to WikiLeaks… but what rights do we really have? Are liberties taken, or do we even believe that the liberties should be taken?

My thought is it can go either way, but if you are going to take away someone’s right to privacy, there had better be a darn good reason. That being said, I’ve heard talk that traffic traveling over an IP address (what a concept) doesn’t belong to the person using that IP, and therefore can be intercepted. Really? That’s a little low, don’t you think?

Soapbox aside, like I said, this conversation could go either way. Here’s the link; see what you think about it – here, courtesy of the Guardian, UK.

Adobe 0Day Update Tomorrow

September 20th, 2011

It appears Adobe is releasing an emergency update to Flash Player to fix a 0-day vulnerability. Announcing it tells more people about it – a catch-22, perhaps?

Here’s the release from Adobe: http://blogs.adobe.com/psirt/2011/09/prenotification-security-update-for-flash-player.html

…it never ends!

UPDATE: It appears Google patched Flash for Chrome before Adobe patched their own! Interesting, since anyone who wants to know what the vulnerability is could analyze the differences between the pre- and post-patch versions. Here’s the post from Larry Seltzer on PC Mag Security Watch.

2011 – Information Security Breaches

August 21st, 2011

2011 is turning out to be a bad year when it comes to the number of ‘records’ lost through security breaches. Searching around the web for information I’ve found a lot of resources that give details, but this article from networknewz.com, posted by Joe Purcell, puts it into perspective in the first couple of paragraphs, and has links to details on the breaches. Here are some of the breaches from 2011, from the post. For the entire list, with links to the details, go to the source of the article here:

1.29 million Sega accounts

100 million or more Sony accounts

Potentially, the email accounts of over 2,500 companies serviced by Epsilon

360,083 bank accounts at Citigroup

280,000 accounts at Honda

1.2 million accounts at the Texas Comptroller’s office

114,000 accounts of iPad 3G owners

40 million or more RSA SecurID tokens issued by EMC to over 30,000 companies and government agencies, including half of US banks that use SecurID tokens

It’s quite scary to see not only how many user accounts are compromised, but also (not mentioned in this article) how long it has taken certain entities to get their infrastructure back online. One has to assume that the issues were massive for it to have taken so long, perhaps? (supposition)

You also have to ask if these were preventable. By nature it’s almost impossible to stay one step ahead of attackers. With undisclosed vulnerabilities, let alone zero-day vulnerabilities, it is all you can do to follow the flow. Bearing in mind that the human factor is a huge influence on this field, it almost feels like herding cats while chasing your own tail.

Readiness – red teams – constant self-assessments – audits – reaction drills – forensics – so much to be done, with probably little budget, and sometimes little concern. I’ve said it a few times here: if we (security leaders) cannot convince senior leadership of the risk, should we be in that role? The variables are things like – it doesn’t matter how good you are, they still won’t listen – in which case I guess it’s time for a career change, or at least a company change? Do we (you) have the balls to escalate your fears to the board? Should you?

For fear of rambling on, suffice it to say 2011 has been a bad year for breaches. Perhaps companies will notice now that you really do need to be aware of, and in control of, information security to stand any chance of staying secure.