The Cellar, Technology forum: Yawn.....Another multi-million dollar data breach (http://cellar.org/showthread.php?t=19344)

richlevy 01-24-2009 10:43 AM

Yawn.....Another multi-million dollar data breach
 
From here

Quote:

The revelation this week by Heartland Payment Systems, the sixth-largest payment processor in the U.S., that criminals had secretly installed spying software on its computer network could go down as one of the biggest data breaches on record.
Quote:

Heartland says it doesn't know yet how much data was stolen, since the malicious program was capturing data as it flowed across the network, and in that type of intrusion it's hard to figure out how much data was snatched in transit by the interlopers. But the potential damage could be very large because Heartland processes 100 million transactions a month, mostly for small to medium-sized businesses.

Sources tell CBS News that hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.

I thought that the TJX/T.J. Maxx/Marshall's breach would be the worst ever, but it looks like I was wrong.

The TJX breach occurred with a WEP wireless crack.
Quote:

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

It will be interesting to see how Heartland was compromised since they obviously don't use cash registers and scanners.

classicman 01-24-2009 11:33 AM

Quote:

... hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.

I'm no IT guy, but spyware anyone? It took over 18 months to recognize there was malicious software in their system? There should be a few openings very soon if any of you are looking for a job.

dar512 01-24-2009 02:54 PM

Quote:

Originally Posted by classicman (Post 525954)
I'm no IT guy, but spyware anyone?

These were likely mainframes or unix systems -- so finding black hats is a whole 'nother level of geekiness. Not to be found by a simple McAfee check.

But, yeah. You'd expect processors like this to have the right people and software on the job.

classicman 01-24-2009 03:52 PM

I was being facetious, but still it took over 18 months to do find the problem. I may be naive here, but isn't that like at least 17 1/2 months too long?

dar512 01-24-2009 03:59 PM

Quote:

Originally Posted by classicman (Post 526038)
isn't that like at least 171/2 months too long?

Let's see, 171 divided by 2 equals 85.5. No, that's way too long. They should have found it in half a month at most.


(Just funnin ya)

classicman 01-24-2009 04:04 PM

Thanks dar.

wolf 01-24-2009 04:39 PM

Definitely bad, but unless they release a list of who they clear cards for, I don't know if it's "ohshitohshitohshit" bad or "doesn'tdirectlyinvolveme" bad.

I still want to know which breach caused citibank to replace all of their cards a couple of months back ... they refused to tell me where the breach occurred. I've been suspecting paypal, since that was one of only two places where that particular card number was in use (the other was AOL, but who the heck gives a crap about AOL anymore ...)

Beestie 01-24-2009 08:22 PM

WEP? It takes about 2 minutes to crack a WEP password.

We are all so screwed.

xoxoxoBruce 01-24-2009 08:38 PM

Quote:

Originally Posted by wolf (Post 526050)
I still want to know which breach caused citibank to replace all of their cards a couple of months back

They did? :eek:

wolf 01-24-2009 10:16 PM

Mine was replaced after the TJ Maxx thing. I'm not referring to that. There was a data breach that they admitted to, but even when I called to speak to the security division, they wouldn't reveal the source, so I figured it was pretty big. I think they may have replaced it twice within a short period of time, based on what shows on their website and active/past accounts.

I'm no longer using my Citibank card ... not because of this stuff, just part of my debt reduction strategy.

xoxoxoBruce 01-24-2009 10:18 PM

Mine hasn't been replaced.

classicman 01-25-2009 12:04 AM

I remember the TJ Maxx/Marshalls breach. I don't recall another one. Details update - anyone?

mbpark 01-25-2009 12:09 PM

Hi, I do InfoSec for a living
 
Hello,

I can tell you that they wanted to bury this under the Obama-mania.

This is a big deal, and it is because EVERY major set of regulations mandates version checking and proper change management for critical systems.

In other words, PCI-DSS, HIPAA, and other regulations (specifically the DODi 8500.1 and DODi 8500.2 overarching IA ones for government systems, and the DNS, UNIX, and Active Directory STIGs for DOD systems) specify that:

1. Every piece of data coming into the network needs to be examined.
2. The integrity of the systems doing the processing need to be checked using third-party tools such as Tripwire (7.5V works for Windows, Linux, and third-party platforms, and does send changes in real-time). This extends to systems that are in any way, shape, or form involved in processing of data, and many people do not understand that.
3. There needs to be multiple layers of protection at the host and network levels, using multiple layers of IDS/IPS systems, anti-virus (yes, these are available for Linux and UNIX), log analysis and correlation from multiple devices (again, if you cough up enough $$$ to IBM Global Services, Symantec, TriGeo, Quest or McAfee, they will provide you this), and the staff to handle this.
4. The staff to monitor and handle these logs, plus Job Rotation, is mandated by almost every major security best practice out there.
5. The fact that a third-party firm found this, rather than internal discovery, means that the internal staff which should have been checking this 24/7 didn't.
6. The fact that they didn't have a date as to when this was done shows that they weren't doing integrity checking on their critical systems.
7. The fact that they apparently aren't checking ports & protocols for incoming and outgoing traffic shows that they don't even know if the traffic is going to Russian Business Network or not. This is really bad! If you're in this business, you know who your partners are, and you only allow the ones you need to do business with inside. Even then, you check every damn packet going in or out, and the integrity of the systems themselves. There's a reason why every major critical system I am in charge of security of that has access to the outside world has IBM ISS, Tripwire, and a full Ports & Protocols workup for outgoing and incoming traffic done.
8. Don't even get me started on their apparent lack of ability to patch. Most of these breaches are caused by known public security holes that companies don't properly patch against, or assume that firewalls and NAT will protect against.
9. If the documentation for changes isn't there, they're dead. PCI-DSS mandates this too as part of the change management process.

If they processed Government payment cards in any way, shape, or form, it could be game over for them. GSA may see them for not following PCI-DSS regs, and put out a 2-sentence ruling that will kill their business.

I would not want to be Heartland Payment Systems now. I would want to be the competition or the third-party Audit Firm which will be brought in to remediate the situation (probably Deloitte).
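Items 2 and 6 above come down to one control: keep a signed baseline of every critical file and re-check the live host against it, so that a change is noticed and the baseline timestamp bounds when it happened. The following is an added example, not code from the poster or from Tripwire; it is a stand-in for that class of tool. The directory tree, file names (`bin/txn_processor`, `etc/partners.conf`, `lib/unexpected.so`) and contents are constructed for the demo.

```python
"""Tripwire-style integrity check: take a baseline of critical files, then
compare the live filesystem against it and report what changed.

The paths, file names and contents below are constructed for the demo."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB blocks so large binaries are not loaded whole


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    # the timestamp is what later lets you bound *when* a change happened
    return {"taken_at": time.time(), "entries": entries}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline."""
    current = build_baseline(root)["entries"]
    old = baseline["entries"]
    return {
        "modified": sorted(k for k in old.keys() & current.keys() if old[k] != current[k]),
        "added": sorted(current.keys() - old.keys()),
        "removed": sorted(old.keys() - current.keys()),
        "baseline_taken_at": baseline["taken_at"],
    }


def demo() -> dict:
    """Constructed scenario: baseline a small 'payment host' tree, then make
    three changes an integrity monitor should catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "txn_processor").write_bytes(b"#!/bin/sh\necho processing\n")
        (root / "etc" / "partners.conf").write_text("acquirer-a\nacquirer-b\n")

        # In production the baseline is signed and stored off-host; here it is
        # round-tripped through JSON only to show it survives serialisation.
        saved = json.dumps(build_baseline(root))

        # Simulated changes: a binary altered, a config deleted, a new library dropped in.
        (root / "bin" / "txn_processor").write_bytes(b"#!/bin/sh\necho processing\n# altered\n")
        (root / "etc" / "partners.conf").unlink()
        (root / "lib").mkdir()
        (root / "lib" / "unexpected.so").write_bytes(b"constructed sample bytes")

        return verify(root, json.loads(saved))


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "removed"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
```

The baseline has to live somewhere the monitored host cannot rewrite (a separate management host, or at least a signed copy), otherwise whoever alters a binary can re-baseline it too; the check also only answers "what changed since the baseline", which is why it needs to run on a schedule rather than once.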

tw 01-25-2009 01:51 PM

Quote:

Originally Posted by classicman (Post 526165)
I remember the TJ Maxx/Marshalls breach. I don't recall another one. Details update - anyone?

A breach has occurred when they send you a new credit card with a new number; the old card has not yet expired. I assume everyone has seen this at least once. I have seen it multiple times AND have few credit cards.

Of course, the breach was rarely reported.

This can be done with credit card numbers. This is not routinely possible with social security numbers. Just another reason why we still have near zero identity protection.

xoxoxoBruce 01-25-2009 01:57 PM

Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?

classicman 01-25-2009 02:54 PM

My card was not replaced. I was not notified of any breach or possible breach. Additionally, when I called there was no admission by them either.

tw 01-25-2009 03:39 PM

Quote:

Originally Posted by classicman (Post 526317)
My card was not replaced. I was not notified of any breach or possible breach. Additionally, when I called there was no admission by them either.

I don't see the necessary statement, "The security of my card was breached". Without that fact, the entire post is meaningless. How do you know a security breach of your card even existed?

xoxoxoBruce 01-25-2009 03:48 PM

Quote:

Originally Posted by xoxoxoBruce (Post 526137)
Mine hasn't been replaced.

Quote:

Originally Posted by tw (Post 526328)
I don't see the necessary statement, "The security of my card was breached". Without that fact, the entire post is meaningless. How do you know a security breach of your card even existed?

So I suppose mine is meaningless also? And Wolf's was meaningless because she was only speculating hers was replaced because of the security breach?

mbpark 01-25-2009 07:47 PM

I think both
 
Bruce,

I think both, with an emphasis on lazy IT people, because systems like this are very hard to set up, and are why InfoSec people make a lot of money.

You just don't cut the budgets for this unless you're very stupid. It makes no sense.

Then again, knowing some of the middle managers I deal with in IT, nothing they do makes sense to anyone but themselves.

Mitch


Quote:

Originally Posted by xoxoxoBruce (Post 526307)
Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?


richlevy 01-25-2009 08:39 PM

Quote:

Originally Posted by mbpark (Post 526380)
Then again, knowing some of the middle managers I deal with in IT, nothing they do makes sense to anyone but themselves.

The funny thing is that this is 2 years after the TJX computer intrusion, which cost that company 256 million dollars!! So with all of that history, and considering that, unlike TJX, their entire company is built around computer data, one would think that they would be hyper-secure.

Well, it appears that there is significant progress in the Heartland case. The company has created a website to inform the public. Note the use of the word unencrypted. They are not saying that PIN numbers weren't taken, just that if they were they were encrypted.

I am so glad that California and then Congress passed a law requiring notification in cases like this. Does anyone want to bet on whether TJX and Heartland would have announced the breach if they weren't forced to by law?

Quote:

No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative.

Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible.

mbpark 01-25-2009 09:45 PM

They didn't say how they were encrypted
 
They didn't say what method was used to encrypt the data. ROT-13 doesn't count :).

Then again, PIN numbers are encrypted at the keypad level these days, at least that is good for ATM cards. Credit cards are a whole other deal. That provides these people little comfort. What other data do they have?

TJX and Heartland would have said nothing unless they had to legally. You and I know that some middle management type looking to save a buck and make himself look good by either screwing other people, his subordinates, consultants, or even his bosses was probably the genesis.

And you know that in many places in Corporate America, such behavior would be rewarded positively for innovation. Other places would find such a manager mysteriously "resigning" and ending up at another place, or quietly "out of the industry". Dilbert is a documentary in this regard.

Like I said, I deal with middle management a lot. Never before have I seen people so willing to screw each other blind and bitch over petty little things instead of working to get things done. I thought things were bad when I spent most of my time working on the tech side of the house instead of management.

I've seen enough of this to believe that petty infighting and the blame game had a significant contribution to this unfortunate incident. Now a company is probably going to go under because some middle manager in charge of network security had a grudge with the DBAs.

tw 01-25-2009 10:52 PM

Quote:

Originally Posted by xoxoxoBruce (Post 526331)
And Wolf's was meaningless because she was only speculating hers was replaced because of the security breach?

Classicman said his card was not replaced. Completely different from wolf whose card was replaced.

Wolf said a card was replaced due to a security breach. classicman suggested his card was not replaced due to no security breach. classicman is invited to correct his post to make it relevant. For example, he could add the missing sentence "My card security was breached". Obviously his post is currently ambiguous.

tw 01-25-2009 11:01 PM

Quote:

Originally Posted by mbpark (Post 526422)
I've seen enough of this to believe that petty infighting and the blame game had a significant contribution to this unfortunate incident. Now a company is probably going to go under because some middle manager in charge of network security had a grudge with the DBAs.

Sometimes, infighting was observed as a symptom of management that did not know how the work got done. Had no idea what employees were doing; no clue as to how to provide the necessary attitude and knowledge; did not even know employees were not doing security.

Not only could the boss not provide necessary management support. But his technical ignorance also made cooperation impossible. If he cooperated, then others might realize how little he really knew about what his employees did and could do.

Well, the reporter can only ask the president and company spokesperson why failures happened. Obviously the reporter cannot get an answer. If they knew, then the problem would not have existed in the first place. So we are left to only speculate or await the employee blogs.

xoxoxoBruce 01-25-2009 11:10 PM

No, Wolf said her card was replaced and she SUSPECTED it was because of the publicized security breach, but they wouldn't confirm it.

I said my card was not replaced after the publicized security breach.

Classic said his card was not replaced and although they wouldn't confirm whether his card was breached or not, he was assuming it wasn't because it was not replaced.

If you didn't tail post you would have known that.

tw 01-25-2009 11:13 PM

Quote:

Originally Posted by xoxoxoBruce (Post 526453)
Classic said his card was not replaced and although they wouldn't confirm whether his card was breached or not,

Which is exactly what I posted. So your complaint is what? That you did not comprehend what was posted? Or that you now admit classicman's post as ambiguous?

xoxoxoBruce 01-25-2009 11:15 PM

Oh stop it. None of the posts were ambiguous, you're just stirring shit. :eyebrow:

wolf 01-25-2009 11:19 PM

Quote:

Originally Posted by xoxoxoBruce (Post 526453)
No, Wolf said her card was replaced and she SUSPECTED it was because of the publicized security breach, but they wouldn't confirm it.

To clarify ...

My card was replaced after the 12/06 TJ Maxx breach. Citibank admitted that it was because of TJ Maxx that they were replacing the cards. Funny thing was, that I pretty much NEVER shop at TJ Maxx, except that was just after momwolf came home from the nursing home and in the midst of making Christmas extraspecial for her, I bought two nightgowns at TJ Maxx, which I then had to return. So ... had I not done a good deed, I wouldn't have exposed that particular card to that particular store.

So anyway ... it was just about three or four months ago that I received two new Citibank cards on that same account in fairly quick succession. The explanatory letter admitted to a security breach on the part of a large vendor. They did not, in the content of that letter, reveal the name of the vendor. They also would not, when I contacted the Citibank Security Department directly, reveal the name of the vendor, but they did confirm that a breach had occurred.

xoxoxoBruce 01-25-2009 11:24 PM

Then wherever it was, it's someplace that Classic and myself don't shop, so he was right in assuming his card had not been compromised*.




*That they know of.

tw 01-25-2009 11:31 PM

Quote:

Originally Posted by xoxoxoBruce (Post 526457)
Oh stop it. None of the posts were ambiguous, you're just stirring shit.

Where does classicman say security was or was not breached? He says neither. You keep pouring that shit on the floor. It's no longer just ambiguous. It's a downright slippery slope.

Meanwhile, many have probably seen a credit card number changed without comment. It suggests how widespread these security problems may be (or that security is actually working).
Quote:

Originally Posted by richlevy
I am so glad that California and then Congress passed a law requiring notification in cases like this.

Card numbers changed without comment suggests a loophole may exist in those laws. For example, if they change your card number and claim a security breach was not yet known (only suspected), then they need not report the breach? If so, how many such breaches have actually existed unreported?

tw 01-25-2009 11:33 PM

Quote:

Originally Posted by wolf (Post 526461)
So anyway ... it was just about three or four months ago that I received two new Citibank cards on that same account in fairly quick succession.

New cards on the same account - or new account numbers?

classicman 01-25-2009 11:48 PM

1) Posted here was an apparent breach at a bank where I have a card.
2) Individual posted that their card was replaced.
3) I questioned the bank whether the apparent breach included me and why my card was not replaced.
4) Another poster jumped to conclusion due to a personal inability to comprehend and again attacked the poster not the post.

xoxoxoBruce 01-26-2009 12:06 AM

Quote:

Originally Posted by tw (Post 526467)
Where does classicman say security was or was not breached? He says neither.

What, you can't read?
Quote:

You keep pouring that shit on the floor. It's no longer just ambiguous. It's a downright slippery slope.
You're fucking with the wrong person, Tom.

TheMercenary 01-26-2009 01:39 PM

Uggg. I wonder how an individual will ever know if they have had their data compromised until some damaging event occurs?

wolf 01-26-2009 01:40 PM

Quote:

Originally Posted by tw (Post 526468)
New cards on the same account - or new account numbers?

New account numbers, otherwise it wouldn't have been of interest, or of relevance to the thread.

TheMercenary 01-26-2009 02:05 PM

Come to think of it, we did get new Visa cards with new numbers. I wondered why, as we have had the same number for many years. But our replacement coincided with the regular expiration dates. Maybe they are just going to do the replacement numbers as normal expiration dates come around. Maybe not to cause so much alarm or raise a flag.

tw 01-27-2009 07:19 PM

Quote:

Originally Posted by wolf (Post 526675)
New account numbers, otherwise it wouldn't have been of interest, or of relevance to the thread.

Your assumption is that new account numbers are the only security method. By not making that assumption, I asked if they changed the account, or used some other security method to maintain the same account number. Apparently changing account numbers remains the only solution to a security breach.

Meanwhile, both TheMercenary and I have seen account numbers changed without any notification. According to CA law as assumed, we should be notified if a security breach was detected. If no security breach was detected, then why change the account numbers even before the existing card was to expire? This inverse exposes a question. Does the law have loopholes? Apparently nobody here knows.

