Posts Tagged ‘security’

Why Implementing End-to-End PCI Security is a Good Idea: The Subway Franchise Caper

Three lessons jump out at me from this story:

  1. If you are dealing with credit card data, actually doing PCI DSS end-to-end, at every location that touches a card, seems like a very good idea.  Don’t forget the field offices, Jarad!
  2. No remote access software anywhere near systems that house credit card data unless it sits behind a firewall, requires two-factor authentication and is switched on only when it is actually needed (PCI DSS requires all three). The attackers in this story found their victims by port-scanning the Internet for exactly that kind of software.
  3. Using easy-to-guess passwords is still the #1 dumb thing to do in data security, and one of the easiest to fix (also in PCI DSS, and see my recent post here as well).

Check out the excerpted story from Gallagher below, and read it in full at:  http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars

——————

How hackers gave Subway a $3 million lesson in point-of-sale security

By Sean Gallagher | Ars Technica

… In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

… the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems—which is why remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.

… the hackers gained access to the remote desktop software by guessing or “cracking” the passwords they were configured with. Fellmann isn’t surprised, based on his experience with retailers. Weak passwords, such as “password,” are one of the most common things he discovers during POS penetration testing, he said. “Some people, you tell them what’s required, and they’d rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place.” But, he said, “these people weren’t thinking about point of sale security—they were just thinking about making a sandwich…”

Read the full story here.

 



Some really poor password choices…

For better or worse, passwords are the basis of much of the security we use in the cloud.

SplashData put out their “Worst Passwords of 2011” list, compiled from files of millions of stolen passwords that had been posted online.  If you use any of these on any account you wish to protect, it is clearly a good idea to change them soon.

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football

A few simple guidelines for good passwords, from around the web:

  • Use at least eight characters, and more where the system allows it; length does more for you than clever substitutions.
  • Use a random mixture of characters: upper and lower case, numbers, punctuation, spaces and symbols.
  • Don’t use a word found in any dictionary, English or foreign.

Stuff that just doesn’t work any more, because password-cracking tools apply exactly these transformations to every word in their dictionaries:

  • Don’t merely add a single digit or symbol before or after a word, e.g. “password1”.
  • Don’t double a single word, e.g. “kittykitty”.
  • Don’t just reverse a word, e.g. “drowssap”, or just remove the vowels, e.g. “psswrd”.
  • Avoid keyboard sequences that can easily be repeated, e.g. “qwerty”, “zxcvf”, etc.
  • Don’t rely on swapping letters for look-alike numbers as the only thing between you and the dictionary, e.g. e to 3, l or i to 1, o to 0, as in “z3r0-10v3”.

Read more about the Splashdata report in full here: http://splashdata.com/splashid/worst-passwords/index.htm
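Why the tricks above fail: crackers such as John the Ripper and hashcat do not just try dictionary words, they run mangling rules over every word in the list (append a digit, double it, reverse it, strip the vowels, swap letters for look-alike digits, walk the keyboard). The script below is an added example, not from the SplashData report or from either tool, that implements a small rule set of that kind over a six-word wordlist constructed for illustration and reports which of the “clever” passwords quoted above it regenerates. Real wordlists and rule sets are vastly larger, so this understates the problem.

```python
"""Rule-based password candidate generation, in the style of the wordlist
"mangling rules" shipped with crackers such as John the Ripper and hashcat.

Added example for this post, not code from SplashData or from either tool.
WORDLIST and the rule set are constructed for illustration and are tiny
compared with the real thing.
"""
import itertools

# Constructed base wordlist; a real one holds millions of entries.
WORDLIST = ["password", "kitty", "zero", "love", "monkey", "dragon"]

# Letter -> look-alike digit substitutions ("leet speak").
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"})
VOWELS = set("aeiou")
DIGITS_AND_SYMBOLS = "0123456789!@#$%"

# Keyboard rows and columns for "qwerty"-style walks.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]


def mangle(word):
    """Yield single-word variants: case changes, one digit or symbol prepended or
    appended, doubling, reversal, vowel stripping and leet substitution."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for ch in DIGITS_AND_SYMBOLS:
            yield base + ch                                   # "password1"
            yield ch + base                                   # "1password"
        yield base * 2                                        # "kittykitty"
        yield base[::-1]                                      # "drowssap"
        yield "".join(c for c in base if c.lower() not in VOWELS)   # "psswrd"
        yield base.translate(LEET)                            # "p455w0rd"


def two_word(wordlist, sep="-"):
    """Yield two words joined by a separator, plain and leet-substituted ("z3r0-10v3")."""
    for a, b in itertools.permutations(wordlist, 2):
        joined = a + sep + b
        yield joined
        yield joined.translate(LEET)


def keyboard_walks(min_len=4):
    """Yield runs along one keyboard row ("qwerty", "123456") and down two
    adjacent columns ("qazwsx"). Walks that change row, like "zxcvf", need a
    fuller keyboard model and are not generated here."""
    for row in ROWS:
        for i in range(len(row)):
            for j in range(i + min_len, len(row) + 1):
                yield row[i:j]
    for a, b in zip(COLUMNS, COLUMNS[1:]):
        yield a + b


def all_candidates(wordlist=WORDLIST):
    """Every distinct guess the three rule families produce from the wordlist."""
    seen = set()
    for w in wordlist:
        seen.update(mangle(w))
    seen.update(two_word(wordlist))
    seen.update(keyboard_walks())
    return seen


def covered(password, wordlist=WORDLIST):
    """Return the rule family that regenerates `password`, or None if none does."""
    for name, gen in (("mangled", (c for w in wordlist for c in mangle(w))),
                      ("two-word", two_word(wordlist)),
                      ("keyboard", keyboard_walks())):
        if password in gen:
            return name
    return None


def search_space_size(wordlist=WORDLIST):
    """How many distinct guesses the whole rule set produces: a few hundred here."""
    return len(all_candidates(wordlist))


if __name__ == "__main__":
    for pw in ["password1", "kittykitty", "drowssap", "psswrd",
               "qwerty", "qazwsx", "z3r0-10v3", "zxcvf", "Tq7#vL9@mWz"]:
        print(f"{pw:14} -> {covered(pw)}")
    print("candidates generated:", search_space_size())
```

Every example from the list above except “zxcvf” falls out of fewer than a thousand candidates, and a real keyboard-walk generator catches that one too. The lesson for choosing a password: anything a five-line rule set can rebuild from a dictionary word is, for cracking purposes, still a dictionary word.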



Cyber Security Gets the DOD Cloud Treatment

eWeek.com did a nice piece, quoting extensively from recent public statements by the NSA’s director, on how the agency’s cloud and data security strategies are moving from plans into extended pilots.  Here is a link to the General’s presentation; below is an excerpt from the eWeek summary.

U.S. Counts on the Cloud to Boost Cyber-Security

 By: Fahmida Y. Rashid, eWeek.com

Army Gen. Keith Alexander, head of the National Security Agency (NSA), discussed the cloud and how to defend against increasingly sophisticated cyber-threats at a recent Information Systems Security Association conference in Baltimore and in a follow-up interview with eWEEK. As commander of U.S. Cyber Command, he also discussed rules of engagement for the military in cyberspace.

The cloud is a key part of the intelligence community’s IT strategy, Alexander said, because cloud computing gives defense and intelligence agencies more visibility over hackers who are trying to breach government networks.

Within the NSA and Department of Defense (DoD), there are more than 7 million pieces of IT infrastructure and systems and 15,000 different network enclaves, according to numbers provided by the general. With each enclave protected by its own firewall, network administrators have little to no insight into what is happening in isolated and segmented networks, he said.

“Collapsing the enclaves” would provide administrators with a better end-to-end view of their networks and situational awareness, said Alexander. He added that it’s not a perfect solution, but “it is more defensible.”

In a pilot program, the NSA has reduced the number of applications it is running from 5,000 to 250 cloud applications and slashed the number of help desks from 900 to 450, according to Alexander. The agency plans to keep shrinking the infrastructure to just two help desks and 20 data centers, as well as adopt more open-source software, he said, noting that the military is already using Apache Hadoop and OpenStack.

Read the full piece here.



Federal idea seekers can advance their cloud strategy with FedPlatform.org

The federal government continues to take a leading role in promoting and adopting cloud strategies.
Kevin L. Jackson did a nice blog piece on FedPlatform.org, worth a look here.  It’s a commercial site, but it pulls together some useful pieces, like Amazon’s government-specific cloud, the Federal Cloud Computing Strategy, the Federal CIO’s 25-Point Federal IT Reform Plan, and some other cool stuff.

There will be lots more stuff out there as the federal moves to the cloud continue, I suspect.



Cowboy Data Doggies Ground Zero Moves to Google Apps

Wyoming Completes Google Apps Migration

Days prior to Microsoft’s Office 365 launch, the first state government to drop its in-house software in favor of Google’s cloud-computing offering announced that all 10,000 employees have made the move.

By Elizabeth Montalbano InformationWeek

June 22, 2011 04:16 PM

Wyoming has completed a migration of 10,000 employees to Google Apps for Government for collaboration and unified communications, the first state government to drop its in-house software in favor of Google’s cloud-computing offering.

“Our entire state government has gone Google,” Wyoming Governor Matt Mead said in a guest appearance on the Google Enterprise Blog. “Wyoming is the first state in the country to make this transition.”

Read the full story here.


Briefing the CEO About Cloud Computing: Some CIO Guidelines

Getting the upstream message right is a big part of the CIO’s job description.

Jeanne Harris and Allan Alter of the Accenture Institute for High Performance do a nice job in this piece describing some of the key things to focus on, especially when it comes to ROI analysis.

Excerpt below.

What You Should Tell Your CEO About Cloud Computing

By Jeanne G. Harris, Allan E. Alter
2011-03-28

…At a time when companies’ use of clouds is just getting started, the chief information officer’s judgment and store of knowledge are invaluable assets. These are especially important when the CIO sets out to educate that most important stakeholder of all, the chief executive officer.

First Requirement: Master the Facts

One place where you can begin this all-important dialogue is by demonstrating a balanced, clear-minded understanding of the business case for cloud computing. That includes a realistic view of the savings from clouds. Moving to the cloud does not always mean automatic savings. In fact, one study of those who adopt software-as-a-service found that only about half get a positive return on their investment; a quarter end up spending more than they expect.

A discussion like this with the CEO has the advantage of signaling that you are attuned to business issues and of demonstrating a predisposition to facts over hype.

Indeed, if the CIO is to be the IT person who leads the cloud charge at a company, this is really the first requirement: Knowing the facts.

Knowing the facts means developing a dossier about what some leading companies are doing with the cloud. The activities of competitors and business partners should be included as part of that intelligence…

Read the whole piece here: http://www.cioinsight.com/c/a/Expert-Voices/What-You-Should-Tell-Your-CEO-About-Cloud-Computing-795154/

About the authors

Jeanne G. Harris is a senior executive research fellow with the Accenture Institute for High Performance, and is based in Chicago. Allan E. Alter is a research fellow with the Accenture Institute for High Performance and a former executive editor of CIO Insight.  He is based in Boston.



IBM making moves towards private cloud with Tivoli Updates

Carl Brooks of searchCloudComputing.com just put out an interesting piece on IBM’s updates to Tivoli as a complement to, and perhaps a replacement for, VMware in building private clouds. The industry seems to be taking some notice of IBM’s approach to the cloud, finally.


Did IBM just change the game in private cloud?

By Carl Brooks, Senior Technology Writer

02 Mar 2011 | searchCloudComputing.com

Does IBM have the wherewithal to compete in the commodity hardware cloud?

Say “IBM” and “cloud computing” in the same breath and many IT managers will roll their eyes. The IT leader’s cloud strategy has been seen by many as a mess.

But that may be about to change. IBM recently revealed a beta program of updates to its Tivoli software that may breathe new life into the company’s private cloud ambitions.

The new capabilities include support for VMware’s VIM APIs in a variety of Tivoli tools, including image repositories, automated provisioning, application deployment and Tivoli Storage Manager (integrating TSM and VMware heretofore has not been pretty). Enhancements to Tivoli Provisioning Manager may include booting VMware images directly from block storage instead of having them preloaded into memory. IBM claims that images can be booted in seconds.

Read the rest here.

Carl Brooks is the Senior Technology Writer for SearchCloudComputing.com. Contact him at cbrooks@techtarget.com.


Forbes: 2011 Cloud Computing Predictions

R “Ray” Wang, writing for the Forbes CIO Network this week, postulates some impressive psychological and business next steps for cloud computing in 2011.  Saying we were already “past the tipping point” on all four major layers in 2010, Wang writes as follows about what 2011 holds in store:

  • Replace most new procurement with cloud strategies. Preference in deployment options and lack of availability of innovative solutions in on-premises options will result in a huge shift for 2011. Add capex swap out for opex, and most CFO’s will be singing the praises of Cloud along with the business and IT leaders.
  • Start with private clouds as a stepping stone to public clouds. Conservative CIO’s looking to dip their toes into cloud computing will invest into private cloud while evaluating the public cloud at the same time.
  • Get real about security. Customers will move from “the cloud is not secured” to “how can security be achieved in the cloud?”. They will start asking real questions about security. The result — cloud vendors must further showcase various industry-specific compliance approaches.
  • Move to private clouds as a back up to public clouds.

And thus SaaS shall rule the world of new apps, it would seem, if that first one comes to pass.  Very big deal.

Read his full essay here.



Office 365 – Lookin’ Darn Good So Far…


Once they add CRM to this in late 2011, it would be hard for most any mid-sized Microsoft shop to resist Office 365.   Who wants to own a bunch of servers and run them for office stuff if they don’t have to? Office 365 gets you out of hosting a whole bunch of messy, complex products and keeping up with their patches and hardware: CRM, SharePoint, Office Live, Exchange, and online video conferencing of the GoToMeeting kind (Lync).  But you still get to use the really good client tools, like Word and Excel.  Powerful stuff, if they do not screw up the implementation of it (like too many cute IE dependencies).  I think this might be a good beta to join in 2011.  Google Apps, watch out.

http://office365.microsoft.com/en-US/online-services.aspx



Like Sergeant Phil Esterhaus Used to Say…


Some of you may remember a TV show made in the ’80s, I am sure still in repeats somewhere, where each episode had Sergeant Phil Esterhaus telling the crew before they hit the mean streets of Chicago: “Hey, let’s be careful out there.”

The same idea holds true for computing on the web and in the cloud, especially this time of year. Here is a nice piece from McAfee on some classic Christmas-time web scams. People, they do this because it works; stay on your toes.   Read it all here.

McAfee Warns of “The Twelve Scams of Christmas”

SANTA CLARA, Calif., November 15, 2010 – Consumers would be wise to beware of the most common scams of the season before heading online to book travel and do holiday shopping. McAfee (NYSE: MFE) today revealed the “Twelve Scams of Christmas” – the 12 most dangerous online scams that computer users should be cautious of this holiday season.

“Scams continue to be big business for cybercriminals who have their sights set on capitalizing on open hearts and wallets this holiday season,” said Dave Marcus, director of security research for McAfee Labs. “As people jump online to look for deals on gifts and travel, it’s important to recognize common scams to safeguard against theft during the busy season ahead.”

Twelve Scams of Christmas

1) iPad Offer Scams

With Apple products topping most shopping lists this holiday season, scammers are busy distributing bogus offers for free iPads. McAfee Labs found that in the spam version of the scam consumers are asked to purchase other products and provide their credit card number to get the free iPad. Of course, victims never receive the iPad or the other items, just the headache of reporting a stolen credit card number.

In the social media version of the scam, users take a quiz to win a free iPad and must supply their cell phone number to receive the results. In actuality they are signed up for a cell phone scam that costs $10 a week.

2) “Help! I’ve Been Robbed” Scam

This travel scam sends phony distress messages to family and friends requesting that money be wired or transferred so that they can get home. McAfee Labs has seen an increase in this scam and predicts its rise during the busy travel season.

3) Fake Gift Cards

Cybercrooks use social media to promote fake gift card offers with the goal of stealing consumers’ information and money, which is then sold to marketers or used for ID theft.

One recent Facebook scam offered a “free $1,000 Best Buy gift card” to the first 20,000 people who signed up for a Best Buy fan page, which was a look-a-like. To apply for the gift card they had to provide personal information and take a series of quizzes.

4) Holiday Job Offers

As people seek extra cash for gifts this holiday season, Twitter scams offer dangerous links to high-paying, work-at-home jobs that ask for your personal information, such as your email address, home address and Social Security number to apply for the fake job.

5) “Smishing”

Cybercrooks are now “smishing,” or sending phishing SMS texts. These texts appear to come from your bank or an online retailer saying that there is something wrong with an account and you have to call a number to verify your account information. In reality, these efforts are merely a ruse to extract valuable personal information from the targets. Cybercrooks know that people are more vulnerable to this scam during the holiday season when consumers are doing more online shopping and checking bank balances frequently.

6) Suspicious Holiday Rentals

During peak travel times when consumers often look online for affordable holiday rentals, cybercrooks post fake holiday rental sites that ask for down payments on properties by credit card or wire transfer.

7) Recession Scams Continue

Scammers target vulnerable consumers with recession related scams such as pay-in-advance credit schemes. McAfee Labs has seen a significant number of spam emails advertising prequalified, low-interest loans and credit cards if the recipient pays a processing fee, which goes directly into the scammer’s pocket.

8) Grinch-like Greetings

E-cards are a convenient and earth-friendly way to send greetings to friends and family, but cybercriminals load fake versions with links to computer viruses and other malware instead of cheer. According to McAfee Labs, computers may start displaying obscene images, pop-up ads, or even start sending cards to contacts that appear to come from you.

9) Low Price Traps

Shoppers should be cautious of products offered at prices far below competitors. Cyber scammers use auction sites and fake websites to offer too-good-to-be-true deals with the goal of stealing your money and information.

10) Charity Scams

The holidays have historically been a prime time for charity scams since it’s a traditional time for giving, and McAfee Labs predicts that this year is no exception. Common ploys include phone calls and spam e-mails asking you to donate to veterans’ charities, children’s causes and relief funds for the latest catastrophe.

11) Dangerous Holiday Downloads

Holiday-themed screensavers, jingles and animations are an easy way for scammers to spread viruses and other computer threats especially when links come from an email or IM that appears to be from a friend.

12) Hotel and Airport Wi-fi

During the holidays many people travel and use free wi-fi in places like hotels and airports. This is a tempting time for thieves to hack into networks hoping to find opportunities for theft.

McAfee advises Internet users to follow these five tips to protect their computers and personal information:

  • Stick to well-established and trusted sites that include trust marks (icons or seals from third parties verifying that the site is safe), user reviews and customer support. A reputable trust mark provider will have a live link attached to its trust mark icon, which will take visitors to a verification Web site of the trust mark provider.
  • Do not respond to offers that arrive in a spam email, text or instant message.
  • Preview a link’s web address before you click on it to make sure it is going to an established site. Never download or click anything from an unknown source.
  • Stay away from vendors that offer prices well below the norm. Don’t believe anything that’s too good to be true.
  • Make sure to use trusted wi-fi networks. Don’t check bank accounts or shop online if you’re not sure the network is safe.

If you think you may be a victim of cybercrime, visit the McAfee Cybercrime Response Unit to assess your risks and learn what you can do next at www.mcafee.com/cru.
