Major Data Breach Makes the News

A few weeks ago news broke on several media sites about the huge data breach that occurred involving a major US retailer.  The retailer was Target.  According to reports including the one found on USA Today’s website at: http://www.usatoday.com/story/news/nation/2013/12/18/secret-service-target-data-breach/4119337/, there were up to 40 million credit cards potentially compromised from Nov 27 to 15 Dec 2013.  This is all at the peak of Christmas shopping season.  According to the article the type of information that was compromised was the actual data stored on the strip of a credit card and any pin numbers that were entered.  This means that the data stolen is the type of information that could be used to recreate physical credit cards and it is not believed that online purchases were affected by this data breach.  The article also noted that according to data breach experts businesses are usually unprepared for the breaches when they occur.  

This topic brings to mind the latest lesson that we have been covering in my CIS 608 course.  This week we have been learning about incident response plans.  With the magnitude of this data breach it begs the question as to why data was leaked for close to 3 weeks prior to being stopped.  With proper incident response comes incident detection.  What method of incident detection was in use by Target during this period of time?  If that much data is being moved away from Target you would think the retail giant would have measures in place to detect this.  It is easy to play Monday morning quarterback and state that this should have been detected sooner I also do not know what the indicators were that the breach had occurred. Once the detection is made the company should have a plan in place to cease the data breach and alert the appropriate authorities as quickly as possible.  

In any case, this type of breach reinforces the fact that having a good incident response plan in place is vital for a business.  I’m sure that a retailer like Target will make it out of this incident with no problem but that would likely not be the case for much smaller business operations.

Google Glass Back in the News

A couple of weeks ago I blogged about the controversy surrounding Google’s new Google Glasses.   I really hadn’t heard much about the glasses prior to finding the article and blogging about it but it seems that Google is once again back in the news with the new glasses.  I found this article by Heather Kelly of CNN at http://www.cnn.com/2013/12/10/tech/mobile/negative-google-glass-reactions/index.html?hpt=hp_bn5.  According to the article a couple of the beta testers were eating breakfast at a Panera in Florida when they were approached by an angry customer.  The man was quite upset and felt that they were invading his privacy by wearing the glasses in public.  He even asked them how they would feel if he were to record them while they ate.  This reaction is drastically different from what the beta testers were used to.  Typically they were approached by people that were curious and wanted to try on the glasses, take photos or ask questions.    Ironically the glasses were not on at the time of the incident.

The article also points out other negative feelings of the glasses.  There have been cases in Seattle of restaurants banning the wear of the glasses within their establishment.  There was an incident in San Diego where a driver was pulled over and issued a traffic violation for driving while distracted because the driver was wearing the glasses.  There is even a group that is called “Stop the Cyborgs” that are against the glasses and even offer free anti-glass art and icons to businesses to ban the wear of the device.  There is even a nickname for the wearers of the glasses used by its proponents.  It is “Glassholes” which is not very flattering but funny in my opinion.  There have even been federal lawmakers that have expressed concern over the glasses and their impact on privacy. 

According to the article, Google is trying to educate people about the glasses even though the negative reaction is not the norm that the wearers have experienced.  According to some of the wearers the concern that people are recording should be eased by the fact that the glasses cannot be in record all of the time because the battery would only last for about an hour while in record.  They also pointed out that the glass cube in the glasses is lit up when the device is in use.  In order to record with the device the user must either activate it with voice commands or by touching the glasses. 

All in all from what was presented, the glasses do not offer anything that a current smart phone offers other than the convenience of recording what you are looking at.  There are ways to look like you are texting or on the internet and be recording people.  I’m sure in a couple of years the technology will be more advanced and potentially of greater concern but as of now it really isn’t much greater than that of what already exists.  Either way the user of any technology will figure out a way to use it for evil if that is what they chose to do.

2M Login Credentials Stolen

While searching for a topic for my blog this week, I found the article titled “Researchers discover database with 2M stolen login credentials” by Charlie Osborne.  The article is about 1.58 million stolen user names and passwords.  The accounts that were stolen were from various online services.  The breakout according to the article was 318,121 Facebook accounts, 21,708 Twitter accounts, 54,437 Google-based accounts and 59,549 Yahoo accounts.  There were also about 320,000 stolen email account information.  There were also stolen FTP, remote desktop and secure shell credentials.  97% of the credentials came from the Netherlands.   There were only 2000 of the accounts that were stolen that were from the US.  The article also revealed that the majority of the passwords were 123456, 12345678, 1234 and password.  All of the information was gathered by a botnet controller called Pony Botnet.  This type of botnet is a key logging malware that captures passwords and users names when users try to access certain account types.  The final statement of the article was “Will we ever learn?”.

The article made me think of the many people in my life that I have to supply free tech support to such as my parents, family friends and friends.  In almost all cases they only come to me for advice when they have  a problem.  The typical issue they present me with is the fact that they are all of a sudden getting multiple pop-ups on their computer or the computer is running extremely slow.  This is usually caused by them taking someone else’s advice and installing “great” software to do whatever useless function that was recommended to them.  This all results in me spending a couple of hours on their computer fixing things to just repeat in the near future.

Typically when I’m working on their computer and I ask them what the password is for something it is usually either the default password provided by the device manufacturer or it is something like their family name (which by the way is the same name of their router).  I encourage them to change it but they usually do not like what I suggest.  I’m told that it is too inconvenient to type all of those characters in when they want to add an occasional device.  I try to educate them as to the right thing to do but in the end even when I get them to change the password they still continue to make the same mistake over and over.

Although it is frustrating to deal with, I always figure that my expose to people outside of IT tells me that at least for the next few years that there will be lots of work available for people who know how to work on home computers.  Of course, most of the same people that I assist, have no idea how much IT support costs.  Either way, I’m surprised that more information like what this article revealed are exposed more frequently than they are.

Osborne, C. (Dec 4, 2013). Researchers discover database with 2M stolen login credentials Retrieved from http://news.cnet.com/8301-1009_3-57614479-83/researchers-discover-database-with-2m-stolen-login-credentials/