Zappos Hacked

January 16th, 2012

From CNN Money – 24 million accounts accessed. CEO states no credit card data exposed. They state the hack gave access to part of their internal network and systems, yet the server that was hacked was based in Kentucky. I thought Zappos operated out of Nevada?

The article detracts from the fact that they were hacked, period. Regardless of whether customer data or credit card data was taken, they were vulnerable enough to be hacked. Does that give the customers a vote of confidence that they are secure?

Was that last statement a little harsh? It depends on which side of the fence you are looking from. I see it as a good thing that the attackers didn’t get further, but I can’t help but think that it was a starting point. We all know it only takes one person inside the company to make us vulnerable, and that chances are it isn’t malicious, but that the vulnerability that person unwittingly creates allows the hack to occur.

Was a patching / maintenance window pushed for some reason or other? Or – were bad practices involved? We don’t know the answers, we just see the headline “Zappos Hacked”. The hackers got to the last four digits of credit card numbers – perhaps that is a staged database used for testing? Again, who knows right?

You have to wonder where the fine line is for giving out information about being hacked. Not the method, just what, when etc. Since the damage is done, how do you negate that and recover?

I’m guessing there’s a lot of work going on in Zappos right now – forensics – rebuilding – double checking. It’s sad, since they have done so well up to now. How bad is the fallout going to be? I’m keeping an eye out but my thought is they will recover, since their reputation has always been good and valued.

PIN Pads Hacked at Michaels Stores Nationwide

May 14th, 2011

Here’s another example of hacking in plain sight. On reading this article though, you have to wonder how the terminals were hacked. These are the terminals where you swipe your debit card and enter a PIN number. In the original article there isn’t mention of how they were hacked, just that they were hacked. I’m even wondering if this was an inside job, or the POS vendor.

Suffice it to say there will always be risk, especially in public realms such as retail. Much as we say to be vigilant we can’t all be on the ball all of the time.

Reading Into RSA’s “Responsible Disclosure”

March 20th, 2011

Reverse Engineering RSA’s “Statement”, posted on Steve Gibson’s (GRC) Blog on 3/19/11.

Like most others in the security industry I was taken aback by news that RSA had been compromised. I was a little dismayed at the lack of information but didn’t dive too far into it, thinking that was the first disclosure – more to come later.

In his blog post Steve draws attention to the language used by RSA to announce the compromise, and in that language is ambiguity. Is that because, as Steve says, they know that giving full disclosure will cost millions and they are trying to avoid that? Or is it because they don’t yet know the extent of the breach? Either way, less is more in the eyes of those that are wondering if their serial numbers are still secure, let alone if someone now knows the method of encryption etc.

I will always err on the side of caution, since security in industry is about the assumption of risk, and knowing that you will never be 100% secure – but we are relying on technology such as RSA. If they are not secure then the assumption of risk just rose dramatically. Erring on the side of caution doesn’t seem to be enough now.

My eyes are on RSA to see what happens next.

Keyless car entry systems can be hacked easily, elegantly

January 17th, 2011

This is a post on Engadget, with the title above. Scary at the outset, but is it totally true? I know there are blockers to not having the key, but is there more to this?

I don’t have those answers but I was interested enough to read the article. Literally taken, yes, it is possible but if you don’t have the key, once you stop the car how do you start it again? Most, if not all cars with keyless operation need the key in the vicinity to at least start it – not to continue running apparently.

Anyway, I’m interested in anyone’s opinion / thoughts / ideas on this one. I think there is more to this than meets the eye!

Computer consultant accused of hacking into Houston Healthcare database

October 21st, 2010

Computer consultant accused of hacking into Houston Healthcare database – Crime & Courts – Macon.com.

This is a classic example of what not to do to get a job. A talented information security person no doubt, but stuck in an encapsulated thought process. It may have been an ‘innocent’ attempt at impressing IT to get a job but the maturity of his thought process is just not there, and that is dangerous, especially in the information security world.

This is where I’ve seen other failures in the past. I’ve even seen security analysts sabotage interviews for potential managers because they wanted the role and were told they were not ready for it. Again, not thinking about the process involved in that scenario meant the analyst got into some deep water.

There’s the train of thought of weeding these things out at interview, but sometimes that’s not enough time to see the personality play out. There is risk in all areas of information security, staffing being one of them.