Category Archives: Privacy

If you’ve ever bought from Target (NOT online)…

(Correction: the original title of this post indicated that online shoppers were affected. In fact, according to Target, only customers who used credit cards for in-store purchases are at risk.)

… then you should consider cancelling the credit card you used. Data for as many as 40,000 credit cards, stolen from Target servers in early December, is already appearing on black market sites. Target says card numbers, names and expiry dates were taken, not the associated security codes, so the numbers can’t be used just anywhere. But they will be used, since not all retailers use the security code.

Update 2013Dec29: Brian Krebs of krebsonsecurity.com did some digging and has almost certainly identified one specific individual who is selling card data stolen from Target. His name is Andrey Hodirevski, and he’s been in this shady business for a while in the Ukraine. It’s not clear whether he stole the card data from Target, but he’s selling it so he probably knows who did. It will be interesting to see how this plays out…

Update 2014Jan01: Now Target is saying that PIN codes were stolen along with the rest of the card data. They insist that since the PINs are encrypted, they are of no use, but Target should not have been storing PINs in any form.

Update 2014Jan11: Target now says that additional personal information on 70 million customers was also stolen by the same attackers. This information includes names, mailing addresses, phone numbers and/or e-mail addresses.

Update 2014Mar29: Trustwave, the company that provides PCI compliance services to Target, is being sued by two banks that suffered losses in relation to the Target breach.

Additional information from Ars Technica:

Ouch! newsletter: How to shop online securely

The latest installment of the Ouch! newsletter (PDF) from SANS provides tips for safely and securely shopping on the web. Learn how to identify shady web stores and avoid them, how to keep your credit card information secure, and what to do if you suspect fraud.

The Ouch! newsletter is aimed at regular users and the security challenges they face daily. Highly recommended, but if you’re a computing professional, you may not find much there you didn’t already know.

Adobe systems breach

On October 3, 2013, Adobe announced that their network and some of their servers had been breached. Their investigation continues, and the full scope and impact of the breach have yet to be determined.

However, we do know the following:

  • The intruders obtained Adobe customer data, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. According to Adobe, “At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.” Adobe reset the passwords for all affected user accounts, and has been sending out alerts to those users. If you have never purchased software from Adobe directly, you should be safe. If you receive an alert from Adobe, follow their instructions to change your password.
  • The intruders also obtained source code for at least one product: Acrobat/Reader. Reader is already a popular target for malware perpetrators, and having access to the source code can only make things easier for them. Stay tuned for a fresh new crop of Reader security issues.

Ars Technica has additional details, as does the SANS ISC Diary.

Update 2013Nov02: Ars Technica explains exactly what Adobe did wrong and why we should all be worried about it. Adobe now says that as many as 38 million users were affected by the breach.

Update 2014Oct10: Duo Security reviews the fallout from this breach, and warns of the dangers of password hints.

NSA-Themed Ransomware

Any time something catches the attention of huge numbers of Internet users, there’s a possibility that nefarious persons will try to make money from it. A famous actor has their phone hacked, a celebrity dies, or a whistleblower exposes the extent of NSA snooping, and the spam in your inbox suddenly has a new flavour… or worse.

Zscaler and other security researchers are reporting an increase in ransomware threats that are built on recent revelations of the NSA’s activities.

Ransomware works like this: you visit a web site that has been compromised and is serving malicious code. The code infects your computer, after which it becomes impossible to use your computer. Instead you see a full-page threat from what appears to be the NSA, claiming that you have participated in unlawful activities (usually downloading copyrighted materials). You are told that you can pay up or face legal action.

If this happens to you, do not follow any of the instructions shown by the ransomware. Hire a professional to remove the malware or reinstall your operating system.

How to determine whether a warning is fake and is in fact ransomware:

  • No legitimate agency would use this tactic (at least not yet).
  • Awkward language and spelling mistakes in the warning.
  • Payment methods use third-party services.

Techdirt has additional details.

Microsoft says “your privacy is our priority” (unless the NSA is involved)

Over at TechDirt, a post by Tim Cushing details a recent leak published by The Guardian, showing that Microsoft values your privacy, unless the NSA comes calling. When the NSA asks for your ‘private’ information, Microsoft is happy to hand it over. This means that nothing you say on Skype, Outlook.com, SkyDrive or Hotmail is safe from prying eyes.

Microsoft is quick to point out that nothing they’ve done is illegal, but that’s really the problem, isn’t it?