
Obama's exercise in can kicking the NSA down the road is today's focus of attention. It doesn't seem to me to have enough substance to warrant a serious discussion. One significant thing that Snowden's highly specific and detailed revelations about the activities of the NSA have accomplished is to make it impossible for the public to go on pretending that the internet and all of its associated technology is a benign tool that gives them instant access to sports scores and celebrity gossip. The power that provides such convenience also clearly has the potential to invade the most private and personal aspects of their lives and to cause them direct personal harm.

Various people have been expressing concerns about internet privacy issues for some time. These are matters not just about the activities of the government but also about the personal data that we entrust to private companies. Most Americans have typically been willing to shrug it off as long as nothing was happening to them. The recent mass data breach at Target that impacted about 70M customers should be a big enough deal to penetrate the fog. The real story about Target is that it really is nothing new. While there are indications that cyber criminals are getting more technologically sophisticated, it has all happened before.

Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again  

A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team were eventually caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it possible that nearly a decade after the Gonzalez gang pulled off their heists, little has changed in the protection of bank card data?  

The information that is coming out about the latest Target attack is that the hackers were able to gain access to the corporate network and plant a piece of custom-designed malware on the point of sale terminals where you swipe your credit card. The type of POS terminals that are presently in use in most large retailers have a significant security flaw. While the card data is encrypted when it is sent out to the credit card companies, it is stored on the actual terminal in plain text. This made it possible for the hackers to capture it and store it on a server in the Target network that they had commandeered and eventually to transfer it to a string of other systems that were operating under their control. For anybody who is interested in a technically detailed description of what is known about the attack at this point, Brian Krebs has two very useful articles here and here.

People are inclined to assume that a large profitable company like Target would take the necessary precautions to install the best possible security protections. This massive breach is going to cost them a great deal of money in fines and legal settlements. However, there are already several indications of steps that they could have taken and did not. For example, there are POS terminals available that encrypt all data at every step of the process. However, that requires new hardware features, not just a software upgrade. It would mean ripping out the existing network and installing new terminals. They appear to have made a decision to run the risk of the breach that did occur rather than undergo the certain expense of a system conversion. There are other important questions under investigation as to how the hackers got access to the network to begin with.

At this point the NSA is likely the world's leading developer of hacker technology. I plan on exploring those activities in more detail, looking at their potential for causing collateral damage. Meanwhile the Dept. of Homeland Security, which has a brief for dealing with cybersecurity, has taken a very hands-off attitude when it comes to imposing security standards on private companies. What we hear is that recurring neoliberal refrain, regulation stifles innovation.


  •  Having been following this story about (10+ / 0-)

    the Target security breach and others including Neiman Marcus, I have more than a few thoughts, but I'll keep them limited…

    A few notes on updated numbers and information not in the linked articles.

    First, Target is now saying that as many as 110 million customers (one-third the population of the US) have been swept up in their security breach.

    Second, Neiman Marcus announced today that they think that their security breach started as early as July of this year.

    While the author of the diary is thinking about the fact that the NSA spends its time creating ways to hack into systems, my thoughts today especially with the backdrop of the Obama Administration comments on the NSA are focused on the fact that the NSA has provided us with ZERO security from these sorts of threats as far as I can tell.  

    Identity theft doesn't seem to concern them at the NSA all that much even though the fact is that someone could assume another person's identity in order to facilitate terrorist activity, for instance.

    Why can the NSA track all of our phone calls, but can't find our stolen cell phones?

    As far as protection systems for retailers and really anyone who accepts credit and debit cards go, we are currently behind Europe where they have adopted the digital chip technology.  The Dodd Frank bill mandates that it start to be adopted in 2015 - long past its introduction as a more secure option - but the mandate isn't all that strong and the move from the current magnetic strip technology to the chip technology is going to take a few years.  Those are a few years that one wonders may offer plenty of time to crack the chip code.

    I think, Richard Lyon, that the NSA is fine with the porous nature of our financial security in this country as it seems you might also think, but I'd go a step farther in my assessment of the situation and say that I think that it is yet another example of how poorly the agency is handling our national security.

    Did you see this story yesterday about people hacking smart televisions and refrigerators?

    A friend of mine and I agree that people may well be going back to US mail and cash if this sort of thing keeps up.  That trend would create a severe economic slowdown that even the 1 percent could not abide.

    •  It is Homeland Security (6+ / 0-)

      that is charged with dealing with cybersecurity protection. They have been generally passive in their effort in that direction while NSA is moving very aggressively in the direction of exploiting the internet for what is likely a variety of purposes. None of them are concerned with the protection and security of the public. I think it's pretty clear where the government's priorities are.  

      •  Well, actually it is Treasury where it (4+ / 0-)
        Recommended by:
        Richard Lyon, maryabein, nchristine, koNko

        comes to financial security, but you sort of make my point in that we have what Obama and many others claim to be this fabulous apparatus in the NSA which isn't being used to protect the nation - or worse is being used in ways that make the nation less safe through their own hacking projects.

        I just find it really disturbing that the NSA is supposedly tracking all of the data going in and out of the country, but that they did not spot data of about 110 million people being funneled out to servers in other countries.  Don't you?

        •  There are various responsibilities (2+ / 0-)
          Recommended by:
          inclusiveheart, koNko

          for security in specific areas such as the financial system and the health care system. Homeland Security is supposed to be addressing it in a broad and general manner. Nobody ever claimed that NSA had responsibility for improving cybersecurity. However, I think that some of the things they are doing with the planting of malware may well be creating opportunities for ordinary types of criminals.

    •  Awesome point n/t (2+ / 0-)
      Recommended by:
      Richard Lyon, koNko

      Fry, don't be a hero! It's not covered by our health plan!

      by elfling on Fri Jan 17, 2014 at 02:53:32 PM PST


    •  I hadn't heard that Neiman Marcus hack had (2+ / 0-)
      Recommended by:
      inclusiveheart, koNko

      gone back as far as July and didn't detect it until December.  Wow!!  Talk about lax cyber security.

      I agree with you that making 2015 the date to start implementing chips is just giving 'them' more time to crack the system.   I completely agree that companies are weighing the risk of costs for security vs costs of breach and being reckless with the decisions.  Doesn't surprise me that "they've" figured out how to hack the refrigerators and smart tvs.

      •  Word is that some other companies (1+ / 0-)

        have also been hacked by this but aren't disclosing it. They are legally bound to do so, at least for CA residents.

      •  Well, the thing about how the system is (2+ / 0-)
        Recommended by:
        nchristine, kurt

        set up is that the retailers actually don't have access to the data that would indicate that they've been hacked.  

        It is the credit card companies, banks, the Secret Service under Treasury, and other cybersecurity firms that see the activity that starts to indicate breaches.

        Those are the entities that actually see the effects of the hacking and they are the ones who usually inform the retailer that they have a problem.

        Basically how it works is that consumers start calling about fraudulent activity and generally they are talking to their banks and credit card companies.  The credit card and bank companies make reports to Treasury where the patterns are analyzed to find the source of a big uptick in fraudulent activity.  

        So, companies like Target really aren't all that aware that anything is going on until the circle is completed when they are told by Treasury or the credit card companies that something seems to be happening in their system to allow hackers to steal data or make fraudulent charges.

        Richard Lyon's point about the fact that Target is still using a system with unencrypted data is still totally valid - but the retailer's ability to spot these problems themselves when their system is hacked is really limited.

        The other consideration is the fact that retailers do business with a myriad of credit card companies and banks when they process their transactions - their security and encryption systems also vary in integrity.

        It is pretty interesting if you think about it.  It is a vast web of data traffic that retailers, especially on the scale of Target, push their customers' information through.  Any weak points across that web can be exploited.  

        It is my belief that the government, the credit card companies and the banks that issue debit cards really should be the focus, though, if you are pissed off. Target has no power to change the magnetic strip technology on the back of credit cards or debit cards - only Congress, the credit card and banking industry have that power.  As with everything having to do with making it as easy as possible for consumers to spend money at a retail store, the retailers would adjust if new technology were to be introduced.

        The new chip and pin pads that will have to be rolled out are going to be built with both mag strip and chip slots which is a total waste of money for retailers.  Seems to me that credit card and debit card issuers could just switch to chip and pin cards and that would be cheaper overall for retailers, but that is not the plan according to Dodd Frank.  It will be a slow rollout.  

        •  The actual fraudulent credit card charges (4+ / 0-)
          Recommended by:
          nchristine, inclusiveheart, koNko, kurt

          don't occur until the hackers have found buyers for their data. People who operate on this scale are in the wholesale business. I have been following the security sites on this, much of which is above my pay grade. However, the people who are analyzing the malware are suggesting that means of early detection are possible.  

          •  Indeed it is, but when you start with (1+ / 0-)

            the magnetic strip technology which is completely unencrypted and insecure, you're fighting a losing battle - or maybe better stated, the fortification is vulnerable no matter what.  Next question is whether or not encryption is that useful given the fact that a bunch of people are breaking incredibly long encryptions - but that sort of proves the point of how behind we are compared to Europe, etc.  We know that this stuff isn't happening to this degree in Europe at the moment.  The cybercrime community has moved here because we are easy targets comparatively.  

            •  From what I have read about it (1+ / 0-)

              strong encryption is still possible. The basic reality that has prevailed since way back in WW II is that it is much easier to encrypt than to decrypt. The great breakthroughs that were made in the war all came about by capturing the code.

              •  Well, strong encryption is currently (0+ / 0-)

                the only option which goes to my point about magnetic strips basically not providing that kind of encryption technology.  The pin and chip technology apparently uses tokens - which means that full swaths of data are not transferred in one transaction and that the transaction end to end is considered unique.  It is really conceptual and based on my tutor's description of the process, I think that I get it.  What I think I understand from the description I've heard is that all data is encrypted, but it is also segmented in such a way that there is no complete picture transferred in a single shot.  So, it is encryption plus.  The way that I envision it is tearing a check into multiple pieces and putting the shreds in multiple garbage cans, but with blacked out data as well.

                Anyway, one way to avoid all of this is to use cash - and some people may decide that that is the smart way to go - which will drive retailers and other money folks mad because they don't like dealing with cash and the delays that transferring it to their banking institution cause.

        •  Some comments (1+ / 0-)
          Recommended by:
          Richard Lyon

          It's my understanding that when fraud is reported to Credit Card companies it would eventually pass back up-stream to retailers, so the question is whether either is doing an adequate job of analytics to detect such incidents.

          From what I know, credit card companies do use fairly powerful analytics to spot trends and also use consulting companies specializing in forensics to isolate and locate credit card hackers, in some cases, buying back in bulk the credit card information to prevent the accounts from being used because the going rate for the account data is far less than the average cost of stolen accounts to the card issuers.

          Retailers are another story. Um ... live and learn, Target.

          IC (SmartCards) are commonly used in Europe and Asia, however, these cards typically have both magnetic stripes (PIN protected) and SmartCard contacts because (a) the deployment of readers takes years, and; (b) merchants need readers to handle the transactions of people using magnetic stripe cards only, so you have kind of a chicken/egg problem to solve. So I don't think the Dodd-Frank case is worse than the reality in Europe and Asia, where few systems seem to be exclusively IC or PIN locked, most I have seen will also process an unlocked mag stripe card.

          And the same problem holds true for ATMs, at best they have both types of readers and the mag stripe readers can be hacked by taking remote control of the ATM networks by hacking banking servers (hard) or simply tapping into an ATM at a given location with a wired or wireless device (both have been done).

          Both POS and ATM devices have been hacked using the sort of RAM scrapers I refer to above and this is also referenced in the Wired story Richard cites.

          So I actually don't think there is a simple way to solve the problem of credit card hacking by anyone, it is such a big business and has so many bots under control that even the benevolent General Alexander cannot help us.

          Ultimately, big data may be a useful tool to spot and isolate such credit card gangs, but the sheer number of devices and transactions as well as the prevalence of this type of fraud makes this another needle in a haystack problem.

          And a certain fraction of it is probably undetectable by transaction data because it involves more isolated cases of account data scraped off of a single terminal and sold piecemeal after a suitable waiting period, making tracing back to the source of the original fraud quite difficult.

          Card scrapers and cookbooks are freely available on the internet, and much of it on botnet sites hosted by innocent people/organizations.

          Clever crooks sometimes keep 2 steps ahead of the law.

    •  It is not for a lack of trying the NSA has failed (2+ / 0-)
      Recommended by:
      Richard Lyon, inclusiveheart

      In fact, before the Snowden disclosures slowed him down, Keith Alexander was pitching to anyone that would listen the expansion of the NSA in its new Cyber Command role to become the national internet security provider with all commercial internet services in the US subordinating their gatekeeper roles to the NSA.

      Not sure how that would work out for business or democracy, but his sales pitch seeded with cyberwar doomsday scenarios made the rounds of the administration, Congress and the IT industry including presentations to DEFCON where he tried his best to romance and recruit white hats to join the NSA.

      Don't under-estimate the man's ambition, he spent more than a decade inside the military pitching the tools he finally built inside the NSA and is not referred to as "The Emperor"  inside the organization for no reason.

      By the way, the US mail is a great source of metadata for the NSA, CIA and FBI, and if they have their way it will continue to log all mail transactions into their database.

      However, as Richard states, responsibilities for domestic security are fragmented and maybe that's a good thing. In China, we have no such problem.

  •  It's a new world (0+ / 0-)

    Advanced persistent threats, like the one Target apparently faced, can happen to anyone these days. The scary thing is that they're more or less impossible to defend against. If a bad guy wants into your network and has enough time, money, and patience, he's going to get in... period.

    The defense is to design your network to limit the amount of access they can gain and damage they can do once they're in.

  •  The Target breach numbers have been (1+ / 0-)

    increased to as many as 110 million people/accts affected.

    Completely agree that the companies are being jackasses about the costs to secure data.  Penny wise, pound foolish.

    •  That is a subject that really needs more (1+ / 0-)

      exploration. A major company like Target has people who do very elaborate risk analysis about all sorts of things. You can be sure that IT security is one of them. I think that they have likely included considerations in their calculations about their ability to beat the rap.

      •  Target is going to try to stay competitive (0+ / 0-)

        especially in this really bad retail environment - and they, like you and I, are completely at the mercy of government regulation and the credit card/bank card industry standards which are demonstrably insecure at present.

        Not at all trying to defend their failing on this subject, but it is really important to understand what the powerful levers are here and retailers are at the bottom of the food chain in this financial ecosystem - just above individual consumers.

        Government regulators; credit card companies; and banks call the shots in this arena.  The rest of us, for the most part, just have to adjust to and navigate their systems whether or not they are secure.

        Of course, I have rejected debit cards and read the bank the riot act when they sent me one unsolicited.  Banks will cover losses on debit cards out of courtesy - there is no force of law requiring that they do it - for the moment the "free market" concept that it is in their interest to protect debit card customers is working…  Credit card companies take the real hit, with the consumer by law only being on the hook for $50 if their card is stolen.  They have serious security departments as a result.  But the big picture is that the "free market" is not working - risk assessments are made.  The difference in this story is that the risk assessors sorely underestimated the potential.

        Target, Neiman Marcus and actually a number of other retailers have been targeted this year - probably many more than we will ever know because these retail attacks have been rumored to have started early 2013 as the hackers started to design their larger attacks. The attacks originate from the former Soviet Union and Asia these days - which brings me back to the NSA - where the fuck were they?  lol (but not).

        •  Not Quite (0+ / 0-)

          The USA actually surpassed Russia in the number of internet hacks in 2013, with China a distant 3rd. Surprising perhaps, but given the role of social engineering and inside information some of these hacks entail, maybe not so.

          More of the internet fraud originating in China is targeting web based transaction sites particularly online stores and the reasons are (a) most Chinese cards are PIN protected so better hacked using card scrapers, which localizes the card business (and makes your case for IC/PIN protected cards); (b) commercial sites are typically easier to hack than banks and many are linked to cash or value based accounts with less rigorous authentication.

          For example, iTunes (USA store) was hacked by a Chinese gang about 3 years ago and Apple is still issuing credits to customers now because this gang was smart enough to parcel out the accounts slowly to avoid detection, i.e., they mock the "Retail" business model of the companies they hack with a lot of small transactions to avoid detection.

          In contrast, Russian and American gangs appear to operate more on a wholesale model; they have well-organized websites where they sell the accounts in bulk and usually to repeat customers they trust engaged mainly in internet frauds such as travel bookings.

          I have seen some of these dark sites a couple of years ago and they are virtual marketplaces of hacks, password dictionaries, credit card numbers, etc., pretty amazing shit.

          And as I understand it, most are hosted on bot nets. Clever bastards.
