Infosec links January 6, 2015

Chip & PIN vs. Chip & Signature - Brian Krebs - Krebs on Security

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Banks' Lawsuits Against Target for Losses Related to Hacking Can Continue - Nicole Perlroth - The New York Times

The ruling is one of the first court decisions to clarify the legal confusion between retailers and banks in data breaches. In the past, banks were often left with the financial burden of a hacking and were responsible for replacing stolen cards. The cost of replacing stolen cards from Target’s breach alone is roughly $400 million — and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.

Banks: Card Breach at Some Chick-fil-A's - Brian Krebs - Krebs on Security

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.


Brian Krebs InfoSec Links May 7, 2014

Cause Brian Krebs is awesome.

Phishers Divert Home Loan Earnest Money - Brian Krebs - Krebs on Security

In this scheme, the attackers intercept emails from title agencies providing wire transfer information for borrowers to transmit earnest money for an upcoming transaction. The scammers then substitute the title company’s bank account information with their own, and the unsuspecting would-be homeowner wires their down payment directly to the fraudsters.

Emails are being intercepted and the account information changed so that the home buyers send the money to the criminal and not the loan agency. That's really scary and shows that if it's financially profitable criminals will find a way to exploit the system.

Adobe Update Nixes Flash Player Zero Day - Brian Krebs - Krebs on Security

Update Adobe Flash Player on your computers. Do it. Do it NOW!

The Target Breach, By the Numbers - Brian Krebs - Krebs on Security

Krebs breaks down some of the numbers involved in the Target breach that took place from November 27 to December 15, 2013. The most glaring one is the number of Chief Information Security Officers (CISO) or Chief Security Officers (CSO), which was zero, according to the AP. If true, that's pretty sad for the second-largest discount retailer in the United States. And it's not that a CISO or CSO would have stopped the breach, but does give us a peek into Target's thoughts on information security.


InfoSec Links April 2, 2014

Banks Drop Suit Against Target, Trustwave - Brian Prince - Security Week

A day after linking articles that talk about how ridiculous it was to sue Target and Trustwave we learn that both banks have put in for dismissals of their lawsuit. Coincidentally, news of this comes on April Fool's day, which makes it just an elaborate April Fool's day joke.

Analyzing the Target Break "Kill Chain Analysis" Report - Rafal Los - Following the Wh1t3 Rabbit

Excellent in-depth analysis and discourse of the Target breach and how it happened.

The Continuing Public/Private Surveillance Partnership - Bruce Schneier - Schneier on Security

What's really happening between the government and the companies that are handing over your data.