Major retailer suffers data breach

When it comes to security, 2007 has started off with a bang—a major data breach that could potentially make history, a Trojan horse following an epic storm, and a Swedish bank losing millions. Get the details in this edition of the IT Locksmith, and get some resources to make sure your company isn't the next one to make headlines.

2007 has started off with some serious security breaches and some really scary reports from security vendors. On the bright side, you can use these reports to improve corporate security procedures.


Let's start off with the bad news: If you know anyone who shops at any of the 2,300 T.J. Maxx or Marshalls stores in the United States or Canada (as well as HomeGoods, HomeSense, Winners, A.J.Wright, TK Maxx, and Bob's Stores), tell them to start watching their credit. Last week, the company announced that a hacker had potentially compromised tens of millions of credit and debit cards.

According to the International Herald Tribune, this could possibly be the biggest retail security breach to date. Then again, it could have far less impact. The company is still investigating, and no one apparently knows yet if hackers merely saw a database or downloaded it in its entirety, which would have included checking account information and even some driver's license info.

This is potentially a gigantic hit, and the facts are still unfolding. Even more important is the fact that the corporation relied on its bank to secure the data—who's supposed to be securing your clients' financial data?

Stormy weather

Don't ever say that attackers don't know how to take advantage of a natural disaster. "Storm Worm," one of the larger Trojan horse attacks in recent years, is raging across Europe on the heels of a real, disastrous storm.

Sporting the subject line of "230 dead as storm batters Europe," the malicious e-mail turns computers into spam zombies. The attack started during the height of the deadly storm in Central Europe.

In addition, reports have surfaced that a rootkit Trojan has hit Swedish bank Nordea in a big way—resulting in the theft of almost eight million krona (up to $1.1 million U.S.) over the past year. Phishing e-mails sent to bank clients encouraged at least 250 customers to download an antivirus application containing a Trojan.

Reading list

Kaspersky Lab has published an analysis of criminal malware activity—"The Virtual Conflict—Who Will Triumph?"—which I consider essential reading for IT managers. The report examines the relationship between malware developers, antivirus and other security companies, and largely ineffective government action to counter the criminals. For example, the latest tactic employed to defeat antivirus efforts is the sandwich approach, which uses multiple code packers in an attempt to hide the true nature of the attack code.

In addition, McAfee has published the "McAfee Virtual Criminology Report 2007: Organized Crime and the Internet." According to one chilling part of this white paper, criminal groups are taking a page from mob movies in which the Mafia grooms lawyers and even FBI moles, paying for their education in the process. But even more sinister are the tactics these groups employ to "turn" young IT students before their moral compass solidifies. Check out the free report for more details.

There are several lessons you can take from this study. One example is to add some ostensibly innocent questions to your interviewing process. Right out of school, many newly minted IT professionals don't always grasp the seriousness of such actions as trying to guess someone's password, phone phreaking, or playfully hacking someone's homework file.

Case in point: Just last summer, Purdue University asked computer science students about common student hacker practices, and more than 75 percent admitted to them. Would you rather hire one of the 75 percent or one of the 25 percent—presuming those respondents were telling the truth?

You could slip some such questions into your interview process under the guise of determining the applicant's skill level. What you do with such knowledge about an applicant is obviously up to you and upper management.

Open source

In what could be a significant move affecting all Linux managers, news has surfaced that two Linux consortia are merging to join standards and guide the development of Linux. The newly formed Linux Foundation is a joint effort of the Open Source Developer Labs (for which Linux founder Linus Torvalds works) and the Free Standards Group (overseer of the Linux Standards Base).

OSDL has focused on high-end servers and Linux itself (hence Torvalds' association), while FSG has worked to integrate Linux with applications and standardize the interfaces. Since the two groups were mostly working on different aspects of Linux, they could integrate well—and potentially provide a powerful, centralized group.

Final word

Even if this latest security debacle doesn't turn out all that bad, it once again highlights how weakly companies secure financial data. Don't let your company be the next one to make headlines. And while you're at it, don't forget to read that Kaspersky Lab report.


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.


I've been following this story closely, and looking for more information. I'm very careful when it comes to my personal data (as a lot of you are), which is why I was surprised to get a call from my credit card company to say that someone had manufactured a credit card with my number and attempted to use it in another state. I have used that card around the country as I travel for work, so who knows how the data was lifted. I suppose a credit card generator could have come up with a number like mine. Well, I have definitely shopped at some of those stores in the last year, and manufacturing a credit card suggests a larger project for a hacker group than someone attempting to use a single ID online. Makes me wonder if my data was part of that breach (or one of several others). The investigation just started for me, so no confirmation yet.


As of January 2nd 2007 another major compromise was detected. PayPal security had been breached and was not discovered by PayPal until customers started calling in with unknown charges on their credit cards and money transfers from their checking accounts. Most if not all of the charges were converted into Euro dollars, which leads authorities to believe that the hackers are in Europe. Thousands of dollars per customer had to be refunded and credit cards had to be canceled and renewed. Checking accounts had also been breached because these accounts are typically used as a backup for PayPal. PayPal is still investigating the breach and still refunding money to customer accounts that were breached. For those people that have used PayPal and have established accounts with them, it would be advisable to check your accounts monthly for activity and if there is suspicious activity, report it immediately to PayPal security for investigation. PayPal has been very good about investigating the issues and resolving the problem, but not without a major inconvenience to the customer. Accounts have to be canceled and credit card companies have to be notified and cards renewed and checking accounts have to be closed and reopened with a new number. If you must shop online, then at least shop with a site that has a phone number and a physical mailing address. Always make sure that the site is secure with the https:// in the URL. If the site you're shopping with has a phone number, then try to place your order over the phone; at least you will be able to speak with a real person. Even after doing all this, don't think you're safe; shopping online is and has always been hazardous to your health and security.

Tech Locksmith

Most shopping anywhere (online or in person) is hazardous to your wealth.


I read the Kaspersky article. Don't do that until after lunch. It will make the indigestion that much better. Maybe it's time for the silver bullet. The cable industry long ago developed a tool to find illegal cable converters and electronically take them out. Maybe they really did, maybe not. Since government is too slow and cruise missiles are a little too messy to take out the cyber criminals, maybe we need to also send them a destructive payload. Think about a botnet of anti-bots that would work when a criminal-based server is detected and the silver bullet DDoS attack is launched. Maybe now they will have to go on the defense while the white hats continue to mount an offense. It's either that or we hack their bank accounts and post the information so everybody can go on a shopping spree with "their" money that they stole from us.


The Free Software Foundation's Linux Standards Base is not a BASE standard as they claim. They went far beyond a base standard when they started picking specific applications that are "required" for compliance. [ Who needs RPM if you have dpkg, or portage? Both of which are far more capable than the LSB REQUIRED RPM ] The OSDL is not actually an open source group, not since they stopped using open source technologies for their websites [ flash powered ] and started advertising nothing but Microsoft on it. This news just shows the complete lack of understanding that both groups have for what they are supposed to be supporting.

Tech Locksmith

I pretty much agree with Jaqui, however, the Locksmith doesn't do much editorializing, I mostly stick to the facts as companies report them. Just what I would have to say about these groups in a Blog entry is something else entirely. (GRIN)


I wasn't blaming you. I did pointedly pick on them. Like geez, the LSB requires something as complex and powerful as vim for the "default cli text editor", then requires something as weak as RPM for package manager? Get it right, guys: you need a default text editor. With today's default systems being gui only, most people are using a cli text editor to fix the xserver only; pico, joe, or ed are far easier to use and fill the need perfectly. Why is a package manager a required application? Are you [ lsb group ] stupid or something? Maybe a recommended bit of software, but not required. Building from sources does not lend itself to using a package manager. I'm lucky, I can editorialise on the twits in response to the entry to the article. :D These two groups are about as brilliant as codeweavers for complaining that linux users don't buy crossover office.. which only runs apps that there are NATIVE linux apps for anyway. :D [ Do I need MS Office, MS Visual Studio, Borland's Builder / Delphi on a linux box when I have Open Office or K Office or Gnome Office, KDevelop, KStudio, Glade, Screem, Code Commander / Glimmer, Scite, Vim, Emacs that all run on linux without using crossover office? ] Codeweavers should have spent more time working on getting the graphics and 3d modelling / animation software to run than the software they chose to support. Then linux users would have had a reasonable addition to their software options by buying crossover office.
