IDG News Service (Boston Bureau) — Target has confirmed that hackers obtained customer debit card PINs (personal identification numbers) in the massive data breach suffered by the retailer during the busy holiday shopping season, but says customers should be safe, as the numbers were encrypted.
Some 40 million customer debit and credit cards were affected by the breach, but until now it wasn't clear that PINs were part of the hackers' massive haul.
"While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed," Target said in a statement on its website Friday. "We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
When Target customers use their debit cards, the PIN is secured with Triple DES encryption at the checkout keypads, according to the statement. "Target does not have access to nor does it store the encryption key within our system," it adds. "The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident."
The company didn't reveal how many PINs were taken, or whether it even knows the total at this point in its probe.
Target is still in the early stages of its investigation into the breach, according to Friday's statement. The company previously said it was working alongside the U.S. Secret Service and Department of Justice on the investigation.
U.S. lawmakers have called for an immediate investigation into Target's security practices. The retailer has said customers will not be forced to pay for any fraudulent charges on their card, and are also eligible to receive credit monitoring at no charge.
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com
The phrase “perfect storm” is overused in our field; only “digital Pearl Harbor” is more overused in my experience. This is a problem because when the conditions that merit this phrase do occur, we can be slow to respond appropriately because we tune out the phrase. As we outlined in our predictions for 2014, “Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond”, when it comes to Windows XP and Java 6, we really do have unprecedented conditions coming together for a perfect storm for attacks against these legacy platforms. The coming end of support for Windows XP combined with Java 6 (which is already out of support) and the issue of how broadly these legacy platforms are deployed means we are likely looking at the largest number of unpatched and attackable vulnerabilities in history. If that doesn’t describe a perfect storm, I don’t know what does.
To understand why this situation is so serious, we should look first at Java 6. Oracle stopped providing updates to address security issues in Java 6 in February 2013. By August 2013 we were seeing widespread, active attacks against unpatched vulnerabilities on Java 6. By September we saw additional attacks and increased sophistication in those attacks. Because there is never another security update coming for Java 6, the effect of each new attack is cumulative in terms of the risk to those running Java 6. It’s appropriate to think of Java 6 now as a platform that is becoming ever more riddled with holes as each day goes by. In August we said that 50 percent of users were still using Java 6 and there’s no indication that number has changed significantly. This creates a huge pool of vulnerable users and systems, all the more so when we remember that Java is present in a whole host of devices that can’t ever be updated. Java 6 helped power some of the first stages of the “Internet of Everything” (IoE). And now that part of the Internet of Everything is permanently vulnerable to attack.
The Java 6 situation is a harbinger of what we can expect will start to happen on April 12, 2014, the day after the last security updates for Windows XP are released. On that day, Windows XP will be subject to the same problem of the cumulative effects of new vulnerabilities being found as we see with Java 6. Each new vulnerability found will permanently damage the soundness of the operating system. We can expect the situation to worsen regularly month-by-month as attackers use the security fixes for the supported versions of Windows as a roadmap to possible vulnerabilities in Windows XP. Given that nearly every vulnerability affecting all versions of Windows released since Windows XP also affects Windows XP, it’s a sure thing that the roadmap will lead attackers to attackable vulnerabilities. As of today, about 20 percent of computers, or 500 million people, are running Windows XP. An informal survey by me shows restaurants, doctors’ offices, and small businesses all happily running Windows XP today. And, unfortunately, the broad resistance to (or outright rejection of) Windows 8 by users only makes this situation worse: people are choosing to stay on an increasingly dangerous operating system because, to them, the new version is perceived as unusable and is a greater risk than abstract security risks. As we approach April 2014, we have more people running a version of Windows that’s about to go out of support than we’ve ever seen before (I should know, I dealt with this for 10 years at Microsoft). This situation is truly unprecedented in that regard.
Come April 2014, the pool of no-longer-supported Windows XP systems will combine with the pool of unsupported Java 6 systems. These will combine to create the largest collective pool of unpatched vulnerabilities. And it will only get worse over time.
At Trend Micro, we are working to help mitigate this situation. Our products Deep Security and OfficeScan with the Intrusion Defense Firewall module will provide some protections for unpatched vulnerabilities on Java 6 and Windows XP. But that’s only a mitigation: the best solution for everyone is to remove Java 6 and Windows XP as soon as possible. Because, come May 2014, things may get very, very ugly.
A National Security Agency (NSA) data gathering facility is seen in Bluffdale, about 25 miles (40 km) south of Salt Lake City, Utah, December 16, 2013. Jim Urquhart/
(Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
Security experts are calling for the removal of a National Security Agency employee who co-chairs an influential cryptography panel, which advises a host of groups that forge widely used standards for the Internet Engineering Task Force (IETF).
Kevin Igoe, who in a 2011 e-mail announcing his appointment was listed as a senior cryptographer with the NSA's Commercial Solutions Center, is one of two co-chairs of the IETF's Crypto Forum Research Group (CFRG). The CFRG provides cryptographic guidance to IETF working groups that develop standards for a variety of crucial technologies that run and help secure the Internet. The transport layer security (TLS) protocol that underpins Web encryption and standards for secure shell (SSH) connections used to securely access servers are two examples. Igoe has been CFRG co-chair for about two years, along with David A. McGrew of Cisco Systems.
BitTorrent, Inc. is developing a serverless instant messaging system that relies on public key encryption to protect the privacy of communications, identifying users not with traditional usernames but with cryptographic key pairs.
The company, which develops the BitTorrent peer-to-peer protocol as well as the BitTorrent and μTorrent file sharing software, announced the forthcoming chat software in September and revealed some details on how it will work in a blog post today. It reads:
With BitTorrent Chat, there aren’t any “usernames” per se. You don’t log in in the classic sense. Instead, your identity is a cryptographic key pair. To everyone on the BitTorrent Chat network at large, you ARE your public key. This means that, if you want, you can use Chat without telling anyone who you are. Two users only need to exchange each other’s public keys to be able to chat.
Using public key encryption provides us with a number of benefits. The most obvious is the ability to encrypt messages to your sender using your private key and their public key. But in public key encryption, if someone gains access to your private key, all of your past (and future) messages could be decrypted and read. In Chat, we are implementing forward secrecy. Every time you begin a conversation with one of your contacts, a temporary encryption key will be generated. Using each of your keypairs, this key will be generated for this one conversation and that conversation only, and then deleted forever.
Underlying this system is a Distributed Hash Table (DHT) which finds IP addresses, removing the need for a central server to route messages, the company explained.
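The forward-secrecy design the quoted post describes, as an added illustration that is not BitTorrent's code and does not reflect Chat's actual protocol: long-term key pairs serve as identities, every conversation mixes in a fresh ephemeral key agreement, and the ephemeral private keys are discarded. It assumes a toy 64-bit safe-prime Diffie-Hellman group generated at import time, a hash-based key derivation and an HMAC counter-mode stream cipher, all constructed here for illustration, with Alice and Bob as the two hypothetical users; the "static" design is included only as the contrast that leaks once identity keys are compromised.

```python
import hashlib
import hmac
import secrets

def is_prime(n, rounds=24):   # Miller-Rabin test; good enough for a toy group (n is odd here)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64):
    """Pick p = 2q + 1 with q prime, so G = 4 generates a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

P, G = safe_prime(), 4   # constructed toy group; real chat clients use X25519 or a 2048-bit+ group

def keygen():
    priv = secrets.randbelow(P - 2) + 1   # in the post's model, the key pair IS the identity
    return priv, pow(G, priv, P)

def kdf(*shared):   # hash DH outputs (each < 2^64) into a 256-bit symmetric key
    return hashlib.sha256(b"".join(x.to_bytes(8, "big") for x in shared)).digest()

def xor_stream(key, data):   # toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def static_key(my_id_priv, peer_id_pub):   # no forward secrecy: key depends on identity keys alone
    return kdf(pow(peer_id_pub, my_id_priv, P))

def ephemeral_key(my_id_priv, my_eph_priv, peer_id_pub, peer_eph_pub, initiator):   # forward secrecy
    ee = pow(peer_eph_pub, my_eph_priv, P)   # ephemeral <-> ephemeral; dies with the ephemeral keys
    ie = pow(peer_eph_pub, my_id_priv, P)    # my identity <-> peer ephemeral
    ei = pow(peer_id_pub, my_eph_priv, P)    # my ephemeral <-> peer identity
    return kdf(ee, *((ie, ei) if initiator else (ei, ie)))   # same ordering on both sides

def simulate(msg=b"meet at the usual place"):
    # One conversation under both designs, then a later leak of both identity private keys.
    a_id, A_id = keygen()
    b_id, B_id = keygen()
    a_eph, A_eph = keygen()   # per-conversation keys, deleted after use
    b_eph, B_eph = keygen()
    ct_static = xor_stream(static_key(a_id, B_id), msg)
    k_alice = ephemeral_key(a_id, a_eph, B_id, B_eph, initiator=True)
    k_bob = ephemeral_key(b_id, b_eph, A_id, A_eph, initiator=False)
    ct_eph = xor_stream(k_alice, msg)
    del a_eph, b_eph          # the ephemeral private keys are gone
    # Attacker later holds a_id, b_id and the recorded public values + ciphertexts.
    leaked_static = xor_stream(static_key(a_id, B_id), ct_static) == msg
    best_effort = kdf(pow(B_eph, a_id, P), pow(A_eph, b_id, P))   # all that is derivable without ee
    leaked_eph = xor_stream(best_effort, ct_eph) == msg
    return {"keys_agree": k_alice == k_bob, "bob_reads": xor_stream(k_bob, ct_eph) == msg,
            "static_design_leaked": leaked_static, "ephemeral_design_leaked": leaked_eph}
```

The returned dictionary shows both sides deriving the same conversation key, the static design falling to a later identity-key leak, and the ephemeral design staying sealed because the ephemeral-ephemeral secret no longer exists anywhere.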
The emerging Internet of Everything is set to heighten the security burden for device makers, software vendors and the numerous organizations that will rely on an interconnected network of smart devices to support operations and serve customers. While tablets and smartphones rule the roost for now in terms of consumer and business attention, new technological frontiers are already being opened up by devices such as wristband trackers and networked thermostats and automobiles.
It's not just about the next hit product. Apple is preparing for a future beyond phones, tablets, watches and TVs, in which it's the premium brand for life in a fully digital age.
Hundreds of people await the iPhone 5S and 5C launch at Apple's Fifth Avenue store in Manhattan.
(Credit: Sarah Tew/CNET)
As 2013 draws to a close, Tim Cook is feeling good. The holiday quarter once again proved that Apple's products and stores can draw a crowd. Pent-up demand for new iPhones and iPads was satisfied once again, and Apple's reputation as a purveyor of objects of desire was reaffirmed. As a reward, Apple's stock price hit a 52-week high this month.
Apple's precision-engineered, meticulously designed, mass-produced objects of desire are not the most advanced or clever computing machines. Many Android devices are tricked out with more pixels and features. Nor is Apple the undisputed market share leader, which is not the company's first priority.
After its initial breakthrough product and domination of the market, Apple cedes share to followers and carves out a highly profitable niche. Like BMW in the automotive industry, Apple is not trying to blanket the market. The Android platform now maintains the majority market share by far, especially outside the US, but for contestants other than Samsung the profits are slim or none. And, Apple's mobile platform, iOS, accounts for more than 50 percent of mobile Internet usage, according to Net Market Share research.
Mobile and tablet worldwide market share of operating system usage for November 2013. Net Market Share collects browser data from a worldwide network of over 40,000 websites. (Credit: Net Market Share)
In the coming year, Apple will continue its wash, rinse, repeat cycle, incrementally refreshing the iPads, iPhones, and Macs with more speed, less weight, longer battery life, additional sensors, and improved apps.
There are also hints that 2014 won't be another year of just incremental improvements like 2013. Apple could reveal something more dramatic and groundbreaking than adding a fingerprint sensor to an iPad or delivering iPhones and iPads with bigger screens and better cameras, or finally shipping the powerful R2-D2-looking Mac Pro.
It's been four years since the company's last market-defining product, the iPad, was unveiled. Here's what Steve Jobs said at the time: "iPad is our most advanced technology in a magical and revolutionary device at an unbelievable price. iPad creates and defines an entirely new category of devices that will connect users with their apps and content in a much more intimate, intuitive and fun way than ever before."
Apple is rumored to be working on several products that could be eventually pitched as the "most advanced technology in a magical and revolutionary device at an unbelievable price." According to reports, Apple has in excess of 100 people working on an "iWatch." The company has trademarked the iWatch name around the world, and has filed 79 patents containing the word "wrist."
Energy Department Breach Years In Making, Investigators Say
July data breach that affected up to 150,000 employees traces back to a string of managerial and technical failures, investigators conclude.
The July 2013 Department of Energy breach happened because of an ongoing number of managerial and technological failures, some of them stretching back years.
That's the top-level takeaway from a 28-page report, released Wednesday, by Gregory H. Friedman, the inspector general (IG) of the Department of Energy. The IG's report is a result of an investigation that was launched, in part at the request of the DOE's CIO, after an attacker hacked into the DOE Employee Data Repository (aka DOEInfo), which is accessed via a gateway provided by the agency's management information system (MIS).
In need of a fresh example that malicious and fraudulent adversaries continue professionalizing, and standardizing in-demand cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals is offering them a manual, recommendations for open source/free software, as well as access to a private forum set up for customers only, enlightening them to everything a cybercriminal needs to know in order to stay secure and anonymous online. The standardized OPSEC offering is targeting novice cybercriminals, and also has an interesting discount-based system, offering $10 discounts for every piece of feedback from those who’ve already taken the course.
It’s fair to say that big data has experienced more than its share of hype over the past year. According to Gartner’s 2013 Hype Cycle for Storage Technologies, big data is approaching its peak of inflated expectations, which means that it will soon be headed for the inevitable plunge into the trough of disillusionment.
But what caused these inflated expectations? Here’s my big-data year-in-review, plus four top tips for IT success in 2014.
Adobe Photoshop is the market leader when it comes to photo retouching, image editing, or even creating new images from scratch. However, for most people's uses, it may just be too many features to wade through, too much money to spend, or too complicated to use. Thankfully, there are plenty of powerful alternatives that also have tons of features. Here's a look at five of the best.
Earlier this week we asked you which Photoshop alternatives you thought were the best, or which ones you preferred when you needed to do image editing or photo editing. You responded with a ton of great suggestions, but here are your top five, in no particular order.
The GNU Image Manipulation Program, aka GIMP, is well known and well loved for more than a few reasons. It's incredibly powerful, packing as many features as Photoshop itself; it's cross platform and supports Windows, OS X, and Linux machines with ease (and with feature parity across all devices); and of course, it's completely free. It has a completely modular and customizable interface, so you can keep your most oft-used tools front and center. It also features image correction utilities that make photo manipulation and retouching easy.
Those of you who nominated GIMP praised it for coming in at the low low price of $0, but many of you also reported issues with its interface and usability. It's true, the interface certainly leaves more than a few things to be desired, and it can be difficult to get used to if you're more accustomed to other image editing tools. Some people love it, some people hate it, but everyone acknowledges that it's difficult to find a comparable feature-packed utility for free.
Pixelmator is a richly featured image editor for OS X. It'll set you back $30, but it often appears in bundles and app packs along with other useful utilities, so it can be had at a bargain. Pixelmator is remarkably powerful, packing a flexible, customizable interface that's designed for OS X, multiple layer styles and filtering/editing tools, and an adaptive engine that switches to the right tools or features when you need them. It's packed with photo and image editing and retouching features, so if you're looking to clean up photos before posting them to the internet, or getting them printed and framed, this app comes at a fraction of Photoshop's price and offers a ton of useful features.
There's a reason that we said that Pixelmator is a seriously good replacement for Photoshop, and while some people will always have a use case that requires Photoshop specifically (eg, you need non-destructive editing, channel support, or adjustment layers), for the rest of us, Pixelmator is worth a look. Those of you who nominated it praised its RAW file support, and its depth of features, not to mention its price tag. Of course, it's Mac only, so those folks doing image editing on Windows or Linux machines don't have it as an option.
Paint.NET is one of our favorite image editing tools. Part of it is because the app is feature packed, offering layer editing, a customizable interface with plenty of room to work but also plenty of tools at your disposal, unlimited undo, tons of effects and filters, and a community of passionate users. Part of it is because Paint.NET is completely free, and for the vast majority of people looking to touch up a photo before they post it to the web, resize or crop an image, or do basic image editing, it's more than enough. It doesn't have the same features as more advanced tools like Photoshop or even GIMP, but not every Photoshop alternative needs to have the same breadth of features—just the ones that matter.
Those of you who nominated Paint.NET noted this explicitly. Advanced users may run up against its limitations after a while, but advanced users probably already know the tools that have the features they need. For the rest of us, though, who just need to open a tool to do some basic work here and there and want a fast, flexible, and free utility to do it, Paint.NET is the way to go.
Adobe Lightroom stands out from a number of the alternatives here partially because it's designed specifically for photographers, and has the broad variety of tools and features they need to get their photos edited, retouched, updated, and corrected before they're printed, framed, posted online, or even professionally judged. Color correct your images, remove objects or people, straighten images, and more. Lightroom is part of Adobe's Creative Cloud suite, so you have the option of buying access to it alone, or making it part of a larger subscription to Adobe's other utilities as well. The full version is $149, but it's frequently available with discounts.
We were initially surprised that another Adobe product, much less Lightroom, got the nominations for the top five. However, it makes sense if you're a photographer looking for a great image editing tool that's not quite Photoshop, and it looks like a number of you are doing just that—editing photos specifically, not just images, and not necessarily creating images from scratch.
Pixlr Editor is actually part of a suite of Pixlr apps, including the previously mentioned mobile app Pixlr Express, and photo filter and tweaking app, Pixlr-O-Matic. Pixlr Editor, on the other hand, is a richly featured webapp that offers a healthy dose of features for editing photos and images. It packs adjustments, layers, filters and effects, basic features like rotation, resizing, cropping and editing, area selection, and so on. It's not as feature-packed or as streamlined as a lot of other tools, but the fact that it's free and runs in your browser alone makes it worth your attention, and your use if you're away from a computer with a tool you already know installed.
Those of you who nominated Pixlr highlighted that fact as well; it does just about everything the average user needs, and while professionals will likely find it lacking, amateurs and everyday users have a lot to like here. Plus, the fact that it's a webapp means it runs in any browser, on any OS, with the same features. Sign up for an account and you can save images for future work.
There you have it, your top five. Now it's time to put them to an all-out vote.
Not much in the way of honorable mentions this week, with the exception possibly of Google Picasa, which some of you noted you use to touch up your images, do some light image editing before sharing them or posting them to the web, and also to organize and manage your photo library. Similarly, we should give a nod to SumoPaint, another free, cross-platform tool that's web-based and offers a ton of useful tools and features.
Have something to say about one of the contenders? Want to make the case for your personal favorite, even if it wasn't included in the list? Remember, the top five are based on your most popular nominations from the call for contenders thread from earlier in the week. Don't just complain about the top five, let us know what your preferred alternative is—and make your case for it—in the discussions below.
The Hive Five is based on reader nominations. As with most Hive Five posts, if your favorite was left out, it didn't get the nominations required in the call for contenders post to make the top five. We understand it's a bit of a popularity contest. Have a suggestion for the Hive Five? Send us an email at tips+hivefive@lifehacker.com!