Black Hat Roundup: Goodwill, A Billion Passwords, and other “Hacker” News

Indeed, the annual “Black Hat” conference in Las Vegas is upon us. Interestingly, this conference is organized by “white hats” who convene to discuss security breaches in our interconnected world. They also collaborate to identify any potential vulnerabilities or security lapses before the genuine “black hats” can exploit them.

Security for the “Internet of Things”

Part of what the Black Hatters discussed this year was security for the “Internet of Things,” that almost-here future where your thermostat, ‘fridge, oven, garage door opener (and of course TV, and more) are all “smart,” and interconnected.

One presenter found up to 70 percent of such devices currently have security vulnerabilities. One concern is that this could be a way in to the workings of a commercial enterprise, if public buildings with their “things” are equally vulnerable.

Russian Hackers and Stolen Passwords

Concurrent to the conference, Milwaukee-based Hold Security announced that Russian hackers now have in their possession upwards of 1.2 billion passwords and email addresses, lifted from websites large and small — i.e., from Fortune 500 companies to smaller retailers and businesses across the country.

As pointed out in a Wall Street Journal article, experts caution that breaches involving usernames and passwords pose significant risks to consumers. This is especially concerning since many individuals tend to reuse the same credentials across multiple sites.

One thing the hackers are doing with the data now is using it “for sending spam on social-media accounts,” which they do for a fee — and which they can often hack into since, as noted, many users still have the same log-in credentials for multiple sites.

Don’t be one of them!

Be sure to have different log-ins for the different sites you use, both personally, and for business.

Goodwill Industries Data Breach

Meanwhile, in the days before the Black Hat gathering gathered, there was news of a breach at an unlikely target — Goodwill Industries.

As a Forbes article on the data breach recapped, “Brian Krebs, who first broke the Goodwill breach story, has sources who claim that the pattern of fraud on cards previously used at Goodwill can be traced across at least 21 states.”

Details are still a little scant. As the piece continues, “until we get more information about how the breach occurred (and indeed if it occurred at all), it’s impossible to speak definitively about the state of Goodwill’s security system, but the potential attack is a sobering reminder that no business or organization is safe from cyber threats.”

In this case, Federal authorities alerted Goodwill to the malware/point-of-sale breach. Consequently, the charity has been actively investigating the scope of the damage, hoping that it isn’t too extensive.

PF Chang’s Breach Response

Meanwhile, for a company that definitely had another, unfortunately newsworthy breach, we turn to PF Chang’s, which is looking to be upfront with customers, and contain the damage, both on the publicity, and digital fronts. They have a public “breach information” page on their company website, which may provide an example for other companies caught in similar circumstances.

Indeed, similar to the situation with Goodwill, we have yet to determine the full impact of the Chang’s breach. A recent LA Times article highlighted that potential data theft occurred at 33 restaurants across 16 states, with eight of those establishments located in California.

On Monday, the restaurant chain announced that over eight months, intruders stole credit card numbers, expiration dates, and occasionally, cardholder names. Yet, according to Chief Executive Rick Federico, the chain is still determining whether the intruder specifically stole any individual cardholder’s credit or debit card data.

Indeed, one significant concern isn’t just the number of branches impacted, but also the duration. For a full 8 months, there was logging of credit and customer information, which intensifies the potential damage or issue.

Indeed, the takeaways emphasize the importance of maintaining updated systems and creating distinct log-ins for various steps in your “payment chain” and its associated equipment. Additionally, it’s crucial to consistently monitor for discrepancies, mismatched numbers, and other potential issues. By doing so, you can not only detect problems but also address and rectify them promptly.

For additional security remedies, equipment upgrades, or even an expansion allowing customers multiple options in how to pay you, be sure to contact your AVPS Rep today!

Here’s to a secure week!