Home · Security

Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack

Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain’s point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe, Wired.com has learned.

Internal documents reveal for the first time that the nation’s largest retailer was among the earliest targets of a wave of cyberattacks that went after the bank-card processing systems of brick-and-mortar stores around the United States beginning in 2005. The details of the breach, and the company’s challenges in reconstructing what happened, shed new light on the vulnerable state of retail security at the time, despite card-processing security standards that had been in place since 2001.

In response to inquiries from Wired.com, the company acknowledged the hack attack, which it calls an “internal issue.” Because no sensitive customer data was stolen, Wal-Mart had no obligation to disclose the breach publicly.

Wal-Mart had a number of security vulnerabilities at the time of the attack, according to internal security assessments seen by Wired.com, and acknowledged as genuine by Wal-Mart. For example, at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form. Wal-Mart says it was in the process of dramatically improving the security of its transaction data, and in 2006 began encrypting the credit card numbers and other customer information, and making other important security changes. More...

10-13-2009 08:42

Cyberdefenses are misdirected, report says

Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization. As a result, two security risks--Web applications and phishing--carry the greatest potential for damage, even though users instead tend to concentrate on less-critical risks.

The report, published by security training organization SANS Institute, amalgamates global data from security attacks on computers from March to August.

It identifies two main defense priorities for enterprise users. The first is targeted e-mail attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe Systems' PDF Reader and Flash, Apple's QuickTime, and Microsoft's Office. These applications are described as the "primary initial infection vector used to compromise computers that have Internet access" and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners."

The second priority is vulnerable sites. More than 60 percent of attacks are against Web applications and More...

09-15-2009 09:46

Virtualization Security in Spotlight During VMworld

With VMworld in full swing, virtualization security is at the tip of some people's tongues. Based on a new paper from RSA and some user surveys, IT pros are advised to keep security high on their list of concerns when it comes to virtualized environments.

In some ways, the virtualization security market may be in a good news, bad news situation.

The good news: More tools are appearing that focus on securing virtual environments. The bad news: Many may not be making their way into the IT infrastructure. A survey by Nemertes Research found that only 10 percent of organizations have deployed virtualization security technology, and 70 percent of respondents have no plans to do so in the next three years. More...

09-02-2009 13:26

<< First < Previous [8 / 10] Next > Last >>