Are You Smarter Than a Hacker? [CONTEST]

They’ve broken into the largest retailers, key government agencies, and major social media companies, stealing tens of millions of credit card numbers, email addresses, and sensitive data. They’re experts at cracking codes, penetrating firewalls, and placing stealthy malware on our most guarded servers. Can the hackers be stopped? Maybe, but it helps if you can…

New Varonis eBook Helps You Hacker-Proof Passwords and Other Credentials

Are you really who you claim to be? That’s the key question that authentication tries to solve. NTLM, Kerberos, one-way hashing, challenge-response protocols, and two-factor authentication are just some of the technologies that have been developed to prove user identities and foil intruders. In recent years though, hackers have become far cleverer about getting around…

PoS Malware Mitigation Advice from the Pros

There’s still much we don’t know about the attacks that targeted retailers’ PoS systems over the last year. We do know for certain that Backoff, BlackPos, and its variants were used as the RAM scraping software, and the hackers had considerable time to remove or exfiltrate the data. But there are still questions about how…

Driving a Stake through Backoff and other PoS Malware

Despite a US CERT warning and several well-publicized hacking incidents over the summer, Backoff malware continues to add new corporate victims. Krebs has been on the case and has more details on the most recent attacks against two well-known brands. The government warning pointed out that anti-virus vendors may not have the latest signatures for…

How to Avoid Being Known as a Creepy Company

While data breaches have been driving news headlines this year, privacy concerns have been riding shotgun. Unfortunately, for lack of a better word, “creepy” has been the word often used to describe the way companies have been leveraging our personal data, whether it is with passive location tracking, apps secretly absorbing your personal address book,…

What’s Your Reputation Worth?

During this past year, we’ve been reminded (too) many times that data breaches are costly and damaging to a company’s reputation. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the average total cost of a data breach—which can include credit monitoring, legal fees, remediation, and customer loss—for the companies who participated in…

FTC Says Do the Reasonable Security Thing

Metadata Era readers know the FTC has become the de facto enforcer of data privacy and security protection. When there aren’t specific laws to apply, it uses the broad powers given to it by Congress—back in the earlier part of the last century—to prohibit “unfair or deceptive acts or practices” in the digital realm. A…

Phishing Attacks Classified: Big Phish vs. Little Phishes

The CMU CERT team I referred to in my last post also has some interesting analysis on the actual mechanics of these phishing attacks. Based on reviewing their incident database, the CERT team was able to categorize phishing attacks into two broader types: single- versus multi-stage. What’s the difference? Think of single-stage as catching lots of…

Point-of-Sale Cyber Attacks Are Back With Backoff

Point-of-Sale attacks are back in the news. But they never really left us. In the wake of the Target attack, the FBI issued a bulletin in January warning about future incidents. They identified the malware type (RAM scrapers) and the infection vector (phish mails, and compromised websites or “watering holes”). And they even pointed out…

In Search of Kerberos’s Golden Ticket

In a Kerberos environment, all users get tickets, or more specifically TGTs (Ticket Granting Tickets). It’s the starting point for gaining access to services—network files, email, apps, etc. In Windows, there’s one user who stands out, the all-powerful domain administrator. They have access to the keys of the kingdom, literally—the Domain Controller on which the…