Jimmy Johns Breach Affects Others

As Brian Krebs reported late last week, the Jimmy Johns breach has a larger impact than previously reported.  In a nutshell, here are the details:

  • The attack affected 216 Jimmy Johns stores nationwide
  • The hackers compromised the username and password used for remote administration
  • The POS or cash register software was created by Newtown, PA-based Signature Systems, which, it appears, also manages those systems remotely.
  • According to the PCI Security Standards Council, Signature’s core product PDQ POS was not approved for installations after October 28, 2013, meaning that restaurants who installed it after that date could face fines.
  • According to the notice on Signature’s web site, there are many, many other companies affected besides Jimmy Johns.

So what does this mean for retailers?

The first answer is obvious.  As a business, you are going to take the heat if a vendor fails you.  The business MUST validate that a vendor’s security procedures are adequate before signing a contract and periodically (at least annually) after signing a contract.  The agreement should detail who is financially responsible for breaches.   It would be interesting to see whether Jimmy Johns or Signature will bear the financial cost – including lost business and reputation – of this breach.

Next, businesses need to be more proactive in managing vendors.  Does the vendor need to have 24×7 access?  How is that restricted?  Where does the vendor need access from (can you restrict access to a particular subnet?).  This requires more work on the part of the business, but the business has the most to lose.

Finally, businesses need to perform a periodic security risk assessment as part of their normal business practices.  I assume that most of the Jimmy Johns locations were franchisees.  That means that they and not Jimmy Johns are responsible for any risk assessment.  Healthcare businesses are now required by law to conduct this kind of risk assessment periodically.  All businesses should be doing this purely to protect their rear ends.

Remember, no matter whose fault a breach is, the name that will show up in the news (Target, Home Depot, Jimmy Johns) is yours.

How many vendors do you have with access of some sort to your systems?  When was the last time you audited their security procedures?  Who is financially responsible for a breach?  Good questions to ponder.  And act on.

Mitch Tanenbaum

Phishing Attacks – How would your firm score?

McAfee Labs reported that 80% of the participants in its online phishing test failed at least one of the seven parts of the test.

Combine this with a reported 250,000 new phishing URLs in the last quarter and 1,000,000 in the last year, and think about the likelihood that one of your employees will fall victim to an attack.

Also consider that it is not just your employees that you have to worry about.  Vendors and customers often have access to your systems and at a minimum might send you phishing laced emails.  Are your employees likely to click on a phishing link from a customer?

The McAfee phishing quiz is available at this link.  If you take it knowing that it is a test and don’t pass it, consider what your employees might do when it is not a test.

Mitch Tanenbaum

More News About Home Depot Breach

According to an article in Ars Technica this past weekend, Home Depot has some interesting factoids in their security background.

Just to be clear, this is only one side of the story, and I suspect they are neither the best nor the worst when it comes to security – but I don’t have any insider knowledge.

First, the article says that their senior IT security architect had been fired from his previous job and that he sabotaged his former employer’s network in revenge.  You might think this is hearsay, but he was indicted and pleaded guilty, which would tend to confirm those facts.  He continued to work in security at Home Depot for a year after his indictment.  There may be HR issues if they fired him at that point (innocent till proven guilty) but they are a big company – move him or put him on paid leave.  Under those circumstances don’t leave him in that position.

Again, according to the article, Home Depot ran out-of-date AV software (from 2007) and the company did not perform network behavior monitoring to detect unusual traffic to its POS system.   Assuming these facts and others in the article are true, Home Depot has a lot of explaining to do if they wind up getting sued (at least one suit has been filed and it is seeking class action status).

Maybe I don’t understand things well, but my thought is the POS system should be sandboxed and it should be locked down with respect to IP addresses that it can talk to.  Seems to me that it should be able to talk only to its service providers, and those should come from known IPs.  Support should come over a VPN as an additional layer of defense.  That would reduce the likelihood that, even if the bad guys get in, they would be able to get data out.
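To make the two ideas above concrete (restricting what a POS segment can reach, and restricting vendor remote administration to a VPN address pool and a maintenance window, as the Jimmy Johns post asks about), here is an added example of the kind of network behavior monitoring the Home Depot article says was missing. It is not code from the post or from any vendor mentioned here; the segment, provider addresses, ports, VPN pool, maintenance window and flow records are all constructed for illustration.

```python
"""Evaluate POS-segment network flows against an egress/ingress allowlist.

Added example, not from the original post. All addresses, ports and the
maintenance window below are hypothetical policy values.
"""
import ipaddress
from datetime import datetime

# --- Policy (constructed for this example; substitute your own values) ---
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")          # cash-register VLAN
# Egress allowlist: POS terminals may only reach these (destination, port) pairs.
EGRESS_ALLOW = {
    (ipaddress.ip_network("203.0.113.10/32"), 443): "payment processor",
    (ipaddress.ip_network("203.0.113.20/32"), 443): "POS vendor update server",
}
# Vendor support must arrive through the VPN; this is the VPN's address pool.
VENDOR_VPN_POOL = ipaddress.ip_network("198.51.100.0/28")
ADMIN_PORTS = {22, 3389, 5900}          # remote-administration services
MAINT_WINDOW = (1, 5)                   # vendor admin access allowed 01:00-05:00 only


def parse_flow(line):
    """Parse one constructed flow record: '<ISO time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def evaluate(flow):
    """Return ('ALLOW' | 'ALERT' | 'IGNORE', reason) for one parsed flow."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]

    # Outbound from the POS segment: only known service providers on known ports.
    # Anything else (including an unknown host on a "normal" port) is a possible
    # exfiltration path and gets flagged.
    if src in POS_SEGMENT:
        for (net, port), role in EGRESS_ALLOW.items():
            if dst in net and dport == port:
                return "ALLOW", f"egress to {role}"
        return "ALERT", f"unexpected egress from {src} to {dst}:{dport}"

    # Inbound remote administration of a POS host: VPN pool and maintenance window only.
    if dst in POS_SEGMENT and dport in ADMIN_PORTS:
        if src not in VENDOR_VPN_POOL:
            return "ALERT", f"admin access to {dst}:{dport} from outside the VPN pool ({src})"
        start, end = MAINT_WINDOW
        if not (start <= flow["time"].hour < end):
            return "ALERT", f"vendor admin access to {dst} outside maintenance window"
        return "ALLOW", f"vendor admin access to {dst} via VPN in window"

    return "IGNORE", "flow does not involve the POS segment"


def audit(lines):
    """Evaluate every flow line; return a list of (verdict, reason, line)."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict, reason = evaluate(parse_flow(line))
        results.append((verdict, reason, line))
    return results


def alerts(lines):
    """Only the flows the policy would hand to someone for investigation."""
    return [r for r in audit(lines) if r[0] == "ALERT"]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2014-09-26T02:15:00 10.20.0.17 203.0.113.10 443 TCP",   # card auth: allowed
    "2014-09-26T02:16:00 10.20.0.17 192.0.2.77 443 TCP",     # unknown destination
    "2014-09-26T02:30:00 198.51.100.5 10.20.0.17 3389 TCP",  # vendor via VPN, in window
    "2014-09-26T14:30:00 198.51.100.5 10.20.0.17 3389 TCP",  # vendor via VPN, out of window
    "2014-09-26T02:31:00 192.0.2.77 10.20.0.17 3389 TCP",    # admin attempt not via VPN
    "2014-09-26T02:32:00 10.20.0.17 203.0.113.10 80 TCP",    # right host, wrong port
    "2014-09-26T03:00:00 10.30.0.5 10.30.0.6 80 TCP",        # office traffic: out of scope
]

if __name__ == "__main__":
    for verdict, reason, line in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {reason:60} {line}")
```

The same allowlist is what you would encode in the segment firewall; running it over flow or firewall logs as well catches the case where the firewall rules drift from the intended policy, and gives you the "unusual traffic to the POS" signal the article says Home Depot lacked. The window check is deliberately naive (hour of day only); in practice you would compare against the vendor's scheduled change tickets.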

Security usually shows up as a cost and not a profit center, so you can usually find more to do than you can afford, but Target, Home Depot and others should be a clear message that the bad guys are out there and likely after you.

I think it is a story of pay me now or pay me later.

Mitch Tanenbaum

Home Depot Credit Card Breach – Good News (sort of)

Home Depot released a press release today providing some more details on the recent and until now ongoing credit card breach.

The good news is that the breach primarily affected self checkout stations between April and September of this year.  Home Depot likely has a pretty good security department which means that this malware must have been pretty sophisticated.  Home Depot also says that the means of entry for the malware has been closed and a security update has been installed to encrypt the data earlier in the process.

The rest of the good news is that because the breach primarily affected self checkout stations, far fewer cards were affected.  Home Depot says that only around 56,000,000 cards were affected.

If you used your credit card between April and September at Home Depot, free identity protection is available at this link.  The link includes details, a way to sign up and a toll-free number to call in case you need assistance with fraud.



Oracle’s Patch – Where Does A Vendor’s Responsibility End?

According to CNN, Oracle discovered an issue in 2012 that allowed hackers to compromise Oracle systems.  Some white hat hackers were wandering around the internet recently (in 2014) and discovered that some systems had not had this patch applied.

These hackers were able to access children’s school records, arrest records, the real names and numbers of intelligence agents, social security numbers and other private stuff.  You get the idea –  stuff that should not be public.

CNN asked Oracle about the issue and they said:

“We identified this issue two years ago. It was not a product coding defect allowing hackers to bypass security mechanisms. Instead, the product included a configuration setting allowing customers to disable security checks. Oracle identified that customers were leaving this setting open and immediately issued a patch that made the default setting for customers secure.”

So basically, what Oracle is saying – and in their defense, this is no different from what most software vendors say – is that we issued a patch – for something which is not even a bug in the traditional sense – and it is up to our customers to install these patches.  Our responsibility is over.

Legally, this is probably true – assuming that Oracle, given the typical software license agreement language, had any responsibility in the first place.

Maybe this bug is no worse than the hundred other bugs that Oracle patched last quarter.  Likely it is worse than some and not as bad as others.

However, these customers are storing very sensitive information and it sounds like at least some of them are government customers.  The article provides some details on the customers and the type of information, but since these systems are not patched, the article is not naming organizations.

There is no easy answer to how to handle this, but it is certainly a topic worthy of public discussion.  Some people would say the existing rules are too stringent; others would say they are too lax.  I would say that the patchwork of state-based laws is impossible to manage compliance with.

Let’s see what happens.

Mitch Tanenbaum


Small Businesses Face Big Cyber-Risks

Is your business prepared for a cyber breach?  Besides the cost, there is the potential for damage to your reputation, loss of customers, distraction while dealing with it and the potential for lawsuits, which can go on for years.

An article at AZCentral.com talks about the subject and the fact that hundreds of small businesses have been hacked recently.  The challenge with cyber-breaches is that the bad guy gets your data but you still have it too, so you might not even be aware that you have been attacked.

Sometimes you are never aware that you have been attacked.  Other times, the media catches it and announces it – like with Home Depot.  Still other times, law enforcement pays you a visit and lets you know.

Don’t think that because you are a small business you are immune.  In fact, hackers assume that small businesses likely have fewer defenses and are less likely to discover an attack.  Statistics indicate that about a third of all data breaches are against organizations with fewer than 100 employees.

Cyber-insurance may help with the costs and your defense in court if it goes there (there are over 50 lawsuits pending against Target right now), but that won’t help with the distraction and the damage to your reputation.

Cyber-insurance is a non-standard product meaning that the exclusions and limitations vary from policy to policy.  Assuming you don’t have cyber liability insurance, you should consider it.  If you do, you should review it to understand what is covered and what is not covered.  This is a case where surprises are not a good thing.

For many businesses, cyber risk mitigation is an area where bringing in outside expertise is a good idea.

Mitch Tanenbaum