Posted on 11/09/2014 11:48:07 PM PST by Swordmaker
Earlier this week, The Wall Street Journal published an in-depth look at The Home Depot’s recent security breach of its payment data systems, in which 56 million credit card accounts and 53 million email addresses of customers were compromised. A root cause of the security breach: a Windows vulnerability in the retailer’s main computer network.
“Once inside Home Depot’s systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft Corp.’s Windows operating system, the people briefed on the investigation said,” writes the WSJ’s Shelly Banjo.
The report claims that while Microsoft did issue a security patch after the breach began, which was installed by The Home Depot, the fix arrived too late. According to sources familiar with the investigation, the hackers already had the ability to move across The Home Depot’s systems, including its point-of-sale system, as if they were high-level employees.
The report unravels a lot of details related to how the security breach played out, with one anecdote that I found particularly interesting. Following the breach, an IT employee allegedly purchased two dozen new MacBooks and iPhones for senior executives at The Home Depot, indicating that the home-improvement retailer may have lost at least some confidence in its Microsoft-based systems.
MacBooks and iPhones have faced their fair share of security vulnerabilities (see below - Swordmaker) over the past few years, although recent studies conducted by Kaspersky Labs and similar firms have proven that both devices remain highly secure platforms in terms of protection against malware and other threats. But whether shiny new Macs and iPhones in The Home Depot’s boardroom will help it prevent another massive security breach remains to be seen.
> Microsoft could go belly up and it wouldn’t affect Gates much. He’s already got his.
Not if the stockholders and litigation got involved. I’ve seen multimillionaires reduced to ashes when that happens.
I like Apple products - but not to the point of insanity.
> #2 Blaming MS for this security breach is absurd. And giving these people Macs won’t make up for these people’s stupidity. But I suppose it makes for classic Swordmaker propaganda.
First, I’m not an “Apple” guy. Second, to say that Microsoft isn’t responsible for the security breach when it was their software that was hacked using an exploit, and not knowing any real facts about the situation, isn’t a stance I would take before looking into the matter. True, I’m not a Gates fan because of the reason mentioned, but I wouldn’t move to defend a man with a track record like that; not that it matters anyway.
BTW Gates didn’t create DOS; he bought the rights to it from the guy who wrote it because he saw the potential and it made him a millionaire.
HD sent me an email two days ago warning me that, with the recent breach, the bad guys had accessed a file that contained my email address... and to be careful of nefarious offers from strangers.
I replied...”You guys are really on the ball. The breach occurred over two months ago and you’re just now sending me an email. Thanks a lot.”
Forget Apple or Windows, the only way to secure a network from a careless employee (appears to be an executive in this case) is to take away their computer and replace it with an Etch A Sketch.
Remember, Manning, Snowden, etc. were guys who passed and were awarded security clearances, who were already in a connected facility, already inside the firewall, already on the network with authorized, elevated-privilege user accounts, who had full access to the data they stole, and any manager who casually glanced at them would likely have been able to spot what they were doing.
Due to the need for some acceptable level of productivity, security technology will only take you so far. At some point you have to expose your data to humans, which is when you start rolling the data-spillage dice despite the best efforts of the info-assurance security nazis. Regardless of the platform, some human will usually — intentionally or accidentally — open a door or forget to lock up when they are done.
My point of view is that systems can’t be hardened beyond a certain point if you still want to use the systems to “get work done”. I.T. security needs to focus more on the human side of the equation, than the technical side.
Are you familiar with the OSI model?
I don’t mean to be a smart ass, but I am going to come off that way by virtue of the challenge and tenor of your response.
I get paid big bucks to do this for many corporations and most of the people on these threads are fairly familiar with me.
If you are not, then I excuse you.
Further, if you aren’t at least familiar with the OSI model, then my response requires more words than I might usually employ.
Let me know.
If you’re not familiar with the OSI model, mouse trapping, white hatting, encryption, various software strategies for firewalling, etc., then I’ll have to give a fairly complete and fulsome response, which I probably don’t have time to construct.
I did write something on this subject a year or two ago and it might be useful.
Sincerely,
Your nOOb.
This seems to be a little beside the point. The hackers would have gained access through cracking Windows SERVERS on the network, not somebody’s personal PC.
It is not that they necessarily have access, they are just on the network and have a route to the server IP. You can set up your network topology differently if you want, but it has nothing to do with what OS the executives have.
When I was working, I worked at a major bank. They set up a network for executives and vendors that was completely separate from the main network. They had their own set of IP addresses and were completely isolated from the main processing network of the bank.
Looks like others agree, and bringing the iPhone into the discussion is very much a non sequitur.
Good point in your post #21.
Right in one. Execs aren't carrying around 55 million CC #s on their laptops. If they are, they need to be fired, not have their laptop replaced.
This is just a misdirection play, that's all. Either that, or the CIO needs to look like he's doing something.
Or both.
I always pay in CASH wherever I shop, including Home Depot, Costco, Lowes.... No electronic transactions; I pay bills by writing checks.
Am I worried?? NOPE
Abstinence works every time it is tried!!!
Bingo!
It’s cool to be pedantic. I’ve no problem with it either.
LOL.
My email address is so simple that I get spam from everyone on the planet. I'd never know if HD gave my address to someone because the programs that auto-generate addresses come up with mine in about 2 seconds.
I have great spam filters. Sometimes they are a little too aggressive. Even after dropping several hundred a day, I still end up getting a few a week that make it through to the quarantine level that I glance at before deleting. Not enough to worry about though.
And if they were smart, their DNS servers couldn't even resolve the internal production back-end systems in the first place.
I like pedantic.
Gates was not rags to riches. He was riches to even greater riches. His father was (maybe still is) a very influential lawyer in the Seattle area.
I’m a fan of Apple products, but I don’t worship Apple or Steve Jobs or hate Gates. To the best of my knowledge, Gates was mostly an intellectual property thief or at least a slick swindler while Jobs was a tyrannical control freak.