Charles Wright

Breach Data For Sale on Dark Web

Breach Data For SaleEast Coast convenience store chain Wawa reported a breach of their credit card machines December 19th, now it is believed that data is for sale on the dark web.

The Pennsylvania based retail chain discovered the attack on December 10th, and had it contained by December 12th, but Wawa says the malware started on March 4th, meaning hackers had been collecting credit card information for nine months. The breach exposed the credit card number, the expiration date, and the cardholder’s name. Wawa says the breach did not expose PIN numbers or CVV codes (the three numbers on the back of the card).

At the end of January, a hacker on the dark web announced a stash of 30 million credit cards would be available for sale. Experts believe most of this credit card data is from the Wawa breach. This hacker is well known for selling credit card data, and is only releasing small batches at a time, so as not to inflate the black market.

Gas station scanner hacking is on the rise. Visa released this report with its findings on two recent gas station point of sale attacks. Visa found the hackers gained access through a phishing campaign and installed malware on the gas station network. Once the hackers had access, they could move laterally over the network to access credit card information. Visa cites the greatest reason for these attacks on gas station point of sale systems, are retailers’ slow move toward a chip or more secure system.

 

“…as long as the magnetic stripe readers are in place, fuel dispenser merchants are becoming an increasingly attractive target for advanced threat actors with an interest in compromising merchant networks to obtain this payment card data.”

 

Wawa has teamed up with Experian to offer identity protection to potentially impacted customers.

Steps you can take if you believe your credit card number was compromised:

  • If you shopped at a Wawa retail location between March 4th, 2019 and December 12th, 2019, review your credit card statements for any unauthorized charges.
  • Read the security statement from Wawa here.
  • Now that we know the credit card information is being sold, it may be a good time to request a new card from your cardholder to head off any future issues.

At Quanexus data security is our highest priority for our clients. Is your business in a position where you are questioning the security of your data? Give us a call today to talk through your needs, and how we may be of service.

Quanexus IT Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Physical Security, Recent Posts, Small Business, Wireless

What We Learned From Equifax

What We Learned from EquifaxMonday, February 10th, the US government charged four members of China’s People’s Liberation Army who they say are responsible for the attack on Equifax in September 2017. With these charges the event is categorized as one of the largest state-sponsored thefts of personal identifiable data on record. The charging documents also give us more information on the attack than we had before. There are basic IT security steps we can now see were not followed by Equifax in the lead up to the breach. As small business owners we can learn a lot from the way customers’ data was mishandled, and how it was stolen.

Lessons we can learn from Equifax Update:

The original breach occurred because Equifax did not keep up with patches and updates. Apache Software Foundation found a vulnerability in its software which gave hackers the opportunity to access systems from anywhere in the world. As part of the announcement, Apache released a patch and instructions on how to fix the issue. Equifax ignored the announcement, did not patch their systems, and the Chinese hackers were inside Equifax’s systems within weeks, the DOJ report states.

Once inside Equifax’s systems, the hackers explored the databases looking for sensitive material. The investigation also revealed Equifax was storing personal information, including social security numbers, in an unencrypted manor. The DOJ report shows clients’ personal information stored in plaintext format. This means once the hackers were able to breach the systems, there were no other obstacles in their way once they found the data they wanted.

Along with these two blunders are a laundry list of missteps by Equifax making the data easier for the hackers to access. The FTC found Equifax stored administrative credentials on their servers in plaintext format, easily accessible if found. They were using long expired security certificates, another offense going back to patching and updating. They also failed to segment the databases, which would have limited the damage in the event they were hacked.

Once inside the database, the hackers had no trouble finding the data in easy to access formats, break it into small packages so it wouldn’t be noticed by network security, and extricate the data from the servers.

Equifax was a very large hacking event with a lot of publicity, but it follows the same pattern we see in the small to medium sized business world. It normally takes more than one thing to go wrong for hackers to be able to access private data. Adhering to a simple security framework would have prevented the attack altogether. At Quanexus, we use our Q-Stack as our security framework. As you can see, Patches and Updates are the second level in the security framework.

We released the first in a video series on ‘Getting Started in IT Security.’ The video series covers some of this basic framework to secure your company’s and customers’ data. Please subscribe and follow along to understand the first steps in securing your business data.

Quanexus IT Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization

Getting Started with IT Security

How secure is your customers’ data? Today we start a four part series on the basics of IT Security. Often the task of data security seems overwhelming, and business owners end up doing nothing to improve their resistance to an attack. This video series will help to break that stigma, and give actionable tasks to get started. Subscribe to our Youtube channel to stay up-to-date with new IT Security information!

 

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Wireless

Annual Security Awareness Training

Security Awareness TrainingWe just completed our annual Security Awareness Training here at Quanexus. This is an important reminder for all our employees of the security standards we maintain to keep our data, and in turn, our clients’ data safe. Even though we work in this industry every day, we follow our layered security approach and conduct an annual training. Below are some high level points to think about in IT Security this year. As always, users can be your biggest asset or your biggest liability when keeping data safe.

  1. Hacking: In the small to medium sized business sector, hackers are not seeking out companies to attack. Instead, they have automated tools scanning the web looking for vulnerabilities. When a vulnerability is found by one of these tools, the hacker is notified and gets to work on stealing data. Our job is to put tools in place to not be the low hanging fruit for these hackers.
  1. Connectivity: We are experiencing many aspects of our life connected to the internet in some way. Computers in cars, wireless power meters, and in home virtual assistants like Amazon Alexa or Google Home. These tools are making it easier to access information, but they are also creating new vulnerabilities that we haven’t had to deal with before. We need to continue to be aware of the risks this new technology presents to keep our data safe.
  1. Passwords: Password management has never been more important. Passwords should be 25 characters long and contain at least one letter, one number, and one symbol. The words used in passwords should not be in the dictionary. Users should not re-use passwords for other platforms. We know password management is a pain and, in some cases, can reduce productivity in companies. There are password management tools we can advise you on to help.
  1. Phishing: This year we saw some high profile data breaches that originated from Phishing. We also saw the rise of Spear Phishing, the act of targeting a single user instead of blanketed email attacks. As always, we remind users not to click on links in emails. Instead go to the source of the email by typing the site into your web browser, call the person on the phone, or talk to them in person if they work in your office. Issues to look for in a Phishing email are bad grammar, a call to action that plays on your emotions, and the senders email address. If it is coming from a free email address, or something that looks suspect, it’s probably a Phishing email.

Security Awareness Training is one of the layers in our Q-Stack. Quanexus uses a layered security approach to protect our clients’ data. We abide by our own system and conduct training annually as we advise our clients to do. Contact us today if you have questions on how you can implement our layered security approach.

Quanexus IT Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization