Black Hat Roundup: Goodwill, A Billion Passwords, and other “Hacker” News

Well, it’s time for the annual “Black Hat” conference in Las Vegas, which is actually a conference run by “white hats” to discuss security breaches in our wired world, and to share knowledge of any breaches or security lapses they’ve discovered before the real “black hats” do.

Part of what the Black Hatters discussed this year was security for the “Internet of Things,” that almost-here future where your thermostat, ‘fridge, oven, garage door opener (and of course TV, and more) are all “smart,” and interconnected.

One presenter found up to 70 percent of such devices currently have security vulnerabilities. One concern is that this could be a way in to the workings of a commercial enterprise, if public buildings with their “things” are equally vulnerable.

Concurrent to the conference, Milwaukee-based Hold Security announced that Russian hackers now have in their possession upwards of 1.2 billion passwords and email addresses, lifted from websites large and small — i.e., from Fortune 500 companies to smaller retailers and businesses across the country.

While this doesn’t mean credit card data has been stolen — at least not yet — according to a Wall Street Journal article “experts say breaches involving usernames and passwords are dangerous for consumers, who frequently use the same credentials for multiple sites.”

One thing the hackers are doing with the data now is using it “for sending spam on social-media accounts,” which they do for a fee — and which they can often hack into since, as noted, many users still have the same log-in credentials for multiple sites.

Don’t be one of them!

Be sure to have different log-ins for the different sites you use, both personally, and for business.

Meanwhile, in the days before the Black Hat gathering gathered, there was news of a breach at an unlikely target — Goodwill Industries.

As a Forbes article on the data breach recapped,  “Brian Krebs, who first broke the Goodwill breach story, has sources who claim that the pattern of fraud on cards previously used at Goodwill can be traced across at least 21 states.”

Details are still a little scant. As the piece continues, “until we get more information about how the breach occurred (and indeed if it occurred at all), it’s impossible to speak definitively about the state of Goodwill’s security system, but the potential attack is a sobering reminder that no business or organization is safe from cyber threats.”

In this instance, this particular malware/point-of-sale breach was brought to Goodwill’s attention by Federal authorities, and the charity has been working to determine the extent of the damage (which, hopefully, isn’t overly extensive…).

Meanwhile, for a company that definitely had another, unfortunately newsworthy breach, we turn to PF Chang’s, which is looking to be upfront with customers, and contain the damage, both on the publicity, and digital fronts. They have a public “breach information” page on their company website, which may provide an example for other companies caught in similar circumstances.

As with Goodwill, the specific extent of damage done by the Chang’s breach has yet to be determined. According to a recent LA Times item, “data may have been stolen from 33 restaurants in 16 states, including eight in California.

“The restaurant chain said Monday that credit card numbers, expiration dates and, in some cases, cardholder names were stolen over eight months. However, the chain has not yet determined if ‘any specific cardholder’s credit or debit card data was stolen by the intruder,’ according to Chief Executive Rick Federico.”

Part of the potential damage, or problem, is not even the number of branches affected, but the length of time: 8 months’ worth of credit card and customer information being logged by the intruder.

So the lessons are not only to keep everything updated, and to have unique and discrete log-ins for the different procedures along your own “payment chain” (with its associated equipment), but also to double-check for anomalies, numbers that don’t jibe, and more, on a fairly frequent basis, so problems can not only be discovered, but remedied.

For additional security remedies, equipment upgrades, or even an expansion allowing customers multiple options in how to pay you, be sure to contact your AVPS Rep today!

Here’s to a secure week!
