Research

It’s funny how certain data points get manipulated to bolster the corporate message. At least how the trade press portrays they anyway. If you read infosecurity-magazine.com’s coverage of Veracode’s State of Software Security report, you will see the subhead that the CISO is really the Chief Information Scapegoat Officer. CISOs are often the first victim following a major security breach. Given the prevalence of such breaches, the average tenure of a CISO is now just 18 months; and this is likely to worsen if corporate security doesn’t improve. That’s true. CISOs have been dealing with little to no job security since, well, forever. What’s curious is how the article goes on to discuss software security as a big problem, and a potential contributor to the lack of job security for CISOs everywhere. The problem, suggests Chris Wysopal, co-founder and CTO of Veracode, is that “A developer’s main goal usually doesn’t include creating flawless, intrusion proof applications. In fact the goal is usually to create a working program as quickly as possible.” The need for speed over security is what creates the buggy software that threatens the CISO. These are all true statements. But as math people all over the world like to say, correlation is not causation. There are many contributing factors making CISOs scapegoats when the finger-pointing starts after a breach. And it is much simpler than poor software coding practices. I can sum it up in 3 words: SH*T FLOWS DOWNHILL You think the CEO is going to take the fall? The CFO? The CIO? Yeah, right. That leaves the CISO holding the bag and getting run over by the bus. The article does mention some new training materials from the SAFECode alliance, which are good stuff. Education is good. But that only addresses one of many problems facing CISOs. Photo credit: “Didn’t get to try any of this unfortunately” originally uploaded by Jen R Share:

Websense announced today that they are being acquired by Vista Equity Partners and will be going private when the transaction closes. From the press release: Under the terms of the agreement, Websense stockholders will receive $24.75 in cash for each share of Websense common stock they hold, representing a premium of approximately 29 percent over Websense’s closing price on May 17, 2013 and a 53 percent premium to Websense’s average closing price over the past 60 days. The Websense board of directors unanimously recommends that the company’s stockholders tender their shares in the tender offer. Let’s be honest – Websense needed to do something, and John McCormack was elevated to the CEO position to get some sort of deal done. They have been languishing for the last few years under serious execution failures, predominantly in sales, and their channel strategy. The competition basically wrote them off, and has spent the last few years looting the Websense installed base. But unlike most companies which end up needing rescue from a private equity firm, Websense still has a decent product and technology. I have heard from multiple competitors over the past couple years that they have been surprised Websense hasn’t been more of a challenge given the capability of their rebuilt product line. TRITON is a good platform, combining email and web security with DLP – available on-premise, in the cloud, or as a hybrid deployment. That cloud piece holds the potential to save this from being a total train wreck for Vista. The on-premise web filtering market is being subsumed by multiple perimeter security vendors. Email security has substantially moved to the cloud, and is a mature market with highly competitive products from larger competitors. DLP isn’t enough to support a standalone company. Even combining these three pieces isn’t enough when the UTM guys advertise it all on one box for the mid-market, particularly because large enterprises look for best-of-breed components rather than for bundles. We assume Vista wants to break out the standard private equity playbook, focusing on sales execution and rebuilding distribution channels to generate cash by leveraging the installed base. Then they can sell Websense off in 2-3 years to a strategic acquirer. Thoma Bravo has proven a few times that if you can execute on the PE playbook in the security market, it’s great for the investors and remaining management, who walk away with a big economic win. TRITON has the potential to drive a positive exit, but only because of the cloud piece. On-premise they won’t be able to compete with the broader UTM and NGFW boxes. But Security as a Service bundles for email, web, and DLP are a growing market – especially in the mid-market, and even some enterprises are moving that way. Think ZScaler, not Check Point. Unlike the box pushers Websense is already a legitimate SecaaS player. We are not fortune tellers but if Vista expects a return similar to the SonicWALL deal, that is a stretch. Acquiring Websense is certainly one place to start in the security market, and there is a reasonable chance they won’t lose money – especially when they recapitalize the debt in a few quarters and take a distribution to cover their equity investment. The PE guys aren’t dumb. But in order to create a big win they need to inject some serious vision, rebuild the product teams, and streamline around TRITON with an emphasis on the cloud and hybrid options, all while stopping the bleed-off of the installed base. We hope internally they have a sense of urgency and excitement, as they step away from the scrutiny of the public market – not one of relief that they can hide for a few more years. As far as existing customers, it’s hard to see a downside unless Vista decides to focus on sales and channels while totally neglecting product and technology. They would be idiots to take that approach, though, so odds are good for the product continuing to improve and remaining competitive. Websense isn’t dead in the water by any means – if anything this deal gives them a chance to make the required changes without worrying about quarterly sales goals. But there will be nothing easy about turning Websense around. Vista and Websense have a lot of work in front of them. Photo credit: “Private” originally uploaded by Richard Holt Share:

In the sad but true files, the industry has become focused on advanced malware, state-sponsored attackers, and 0-day attacks, to the exclusion of everything else. Any stroll around a trade show floor makes that obvious. Which is curious because these ‘advanced’ attackers are not a factor for the large majority of companies. It also masks the fact that many compromises start with attacks against poorly-coded brittle web sites. Sure many high-profile attacks target unsophisticated employees with crafty phishing messages, but we can neither minimize nor forget that if an attacker has the ability to gain presence via a website, they’ll take it. Why would they burn a good phishing message, 0-day malware, or other sophisticated attack when they can pop your web server with a XSS attack and then systematically run roughshod over your environment to achieve their mission? We wrote about the challenges of deploying and managing WAF products and services at enterprise scale last year. But we kind of jumped to Step 2, and didn’t spend any time on simpler approaches to an initial solution for protecting websites. Even today, strange as it sounds, far too many website have no protection at all. They are built with vulnerable technologies and without a thought for security, and then let loose into a very hostile world. These sites are sitting ducks for script kiddies and organized crime alike. So we are taking a step back to write a new series about protecting websites using Security as a Service (SECaaS). We will use our Quick Wins structure to keep focus on how web protection services can make a difference in protecting web properties, and can be deployed quickly without fuss. To be clear, you can achieve these goals using on-premise equipment, and we will discuss the pros & cons of that approach vis-a-vis web protection services. But Mr. Market tells us every day that the advantages of an always-on, simple-to-deploy and secure-enough service win out over yet another complex device to manage in the network perimeter. Before we get going we would like to thank to Akamai for agreeing to potentially license this content on completion, but as with all our research we will write the series objectively and independently, guided by our Totally Transparent Research Methodology. That allows us to write what needs to be written and stay focused on end user requirements. Website Attack Vectors Although the industry has made strides toward a more secure web experience it rarely takes long for reasonably capable attackers to find holes in any organization’s web properties. Whether due to poor coding practices, a poorly configured or architected technology stack, or change control issues, there is usually a way to defeat an application without proper protections in place. But even when proper security protections make it hard to compromise an application directly, attackers just resort to knocking down the site using a denial of service (DoS) attack. Let’s dig into these attack vectors and why we haven’t made much progress addressing them. SDLC what? The seeming inability of most developers to understand even simplistic secure coding requirements continues to plague security professionals, and leaves websites unprepared to handle simple attacks. But if we are honest that may not be fair. It is more an issue of developer apathy than inability. Developers still lack incentives to adopt secure coding practices – they are evaluated on their ability to ship code on time … not necessarily secure code. For “A Day in the Life of a CISO”, Mike wrote poems (in pseudo iambic pentameter, no less!). One was about application security: Urgent. The VP of Dev calls you in. A shiny new app. Full of epic win. Customers will love it. Everyone clap. We launch tomorrow. Dr. Dre will rap. It’s in the cloud. Using AJAX and Flash. No time for pen test. What’s password hash? Kind of funny, eh? It would be if it weren’t so true. Addressing this issue requires you to look at it creatively two perspectives. First you must be realistic and accept that you aren’t going to fundamentally change developer behavior overnight. So you need a solution to protect the website without rebuilding the code or changing developer behavior. You need to be able to stop SQL injection and XSS today, which is actually two days late. Why? Look no further than the truth explain by Josh Corman when introducing HD Moore’s Law. If your site can be compromised by anyone with an Internet connection, so long as they have 15 minutes to download and install Metasploit, you will have very long days as a security professional. Over time the right answer is to use a secure software development lifecycle (SDLC) to build all your code. We have written extensive about this Web app security program so we won’t rehash the details here. Suffice it to say that without proper incentives, a mandate from the top to develop and launch secure code, and a process to ensure it, you are unlikely to make much strategic progress. Brittle infrastructure It is amazing how many high profile websites are deployed on unpatched components. We understand the challenge of operational discipline, the issues of managing downtime & maintenance windows, and the complexity of today’s interlinked technology stacks. That understanding and $4 will buy you a latte at the local coffee shop. Attackers don’t care about your operational challenges. They constantly search for vulnerable versions of technology components, such as Apache, MySQL, Tomcat, Java, and hundreds of other common website components. Keeping everything patched and up to date is harder than endpoint patching, given the issues around downtime and the sheer variety of components used by web developers. Everyone talks about how great websites and SaaS are because the users are no longer subjected to patching and updates. Alas, server components still need to be updated – but you get to take care of them so end users don’t need to. Now you are. And if you don’t do it correctly – especially with open source components – you leave low-hanging fruit for attackers, who can easily weaponize exploits and search for vulnerable sites

The Washington Post says US Officials claimed Chinese hackers breached Google to determine who the US wanted Google to spy on. In essence the 2010 Aurora attack was a counter-counter-espionage effort to determine who the US government was monitoring. From the Post’s post: Chinese hackers who breached Google’s servers several years ago gained access to a sensitive database with years’ worth of information about U.S. surveillance targets, according to current and former government officials. The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies. … and … Last month, a senior Microsoft official suggested that Chinese hackers had targeted the company’s servers about the same time Google’s system was compromised. The official said Microsoft concluded that whoever was behind the breach was seeking to identify accounts that had been tagged for surveillance by U.S. national security and law enforcement agencies. Wow. Like it or not, the US government ensnared US companies to spy on their customers and users. If the Chinese motivation is as claimed, Google was targeted because it was known to be collecting data on suspected spies. It will be interesting to see whether this announcement generates some pushback, either by companies refusing to cooperate, or – as many companies have done – by removing infrastructure that tracks specific users. Paining a target on your back and placing yourself in a situation where your servers could be seized is a risk most firms can’t afford. Share:

Trustwave’s Nicolas Percoco wrote an interesting article at boardmember.com describing a targeted attack at a senior executive. Who’dathunk sites catering to board members (and other mahogany row folks) would publish stuff from security folks. Oh, how the times have changed, eh? Let’s dissect this attack starting from before you received the email early this morning. One of your competitors hired a hacker to obtain business plans, financial statements, price lists, etc. from your company. This activity is known as corporate espionage and has been going on since businesses started competing, just not in the same way it is happening today – through the click of a mouse. The post runs through a plausible scenario. Targeted email from a spoofed account. Zero-day attack in the attachment. Total compromise and full access to the entire filesystem, allowing the theft of pretty much anything. Yup. When you opened that resume, the Zero Day exploited a problem in your document reader. It installed a custom piece of malware written by the hacker that scoured your computer for the types of documents he was being paid to steal. Once the malware gathered those files, it then sent them over the Internet to the hacker’s system. Of course the language is overly simplistic – it needs to be. This type of piece is for executive readers, who don’t understand Adobe exploits, egress filtering, or advanced malware. But the here tends to get lost in day-to-day security firefighting. You must spend time educating executives on these kinds of attacks. You also need to implement controls that more highly value the devices they use, and protect them accordingly in light of their extensive access to important things. The post ends with a number of high-level suggestions. Start with email security and then monitor for unusual activity. Ensure the devices of executives are updated. Yup, yup, and yup. But even these high-level recommendations will be over the heads of many executives. This kind of piece is more about making sure that, when security comes in and demands behavioral changes and additional protections that impair the executive user experience, executives are receptive. Or perhaps not receptive – but at least they understand why it is important. Photo credit: “CEO – Tiare – Board Meeting – Franklin Canyon” originally uploaded by tiarescott Share:

In our recent little ditty on Network-based Threat Intelligence, we mentioned how resilience has become a major focus for command and control networks. The Pushdo botnet’s recent rise from the ashes (for the fourth time!) illustrates this perfectly. Four times since 2008, authorities and technology companies have taken the prolific PushDo malware and Cutwail spam botnet offline. Yet much like the Energizer Bunny, it keeps coming back for more. It seems the addition of DGA (domain generating algorithms) to the malware makes it more effective at finding C&C nodes, even if the main set of controllers is taken down. The added domain generation algorithm capabilities enable PushDo, which can also be used to drop any other malware, to further conceal itself. The malware has two hard-coded command and control domains, but if it cannot connect to any of those, it will rely on DGA to connect instead. This kind of resiliency is bad news for the folks trying to cut the head off the snake. But we have seen this movie before. It reminds us of music pirates shifting from Napster’s central (vulnerable) store of stolen music, to today’s distributed networks of P2P clients/servers that has so far been impossible to eliminate. Disrupting C&C operations is a good thing. But it’s not a solution, which is the issue with the malware we deal with. As we mentioned in Network-based Malware Detection 2.0 post yesterday, you may get to a point where you’re forced to just accept that endpoints cannot be trusted. And you will need to be okay with that. Share:

It was simpler back then. You know, back in the olden days of 2003. Viruses were predictable, your AV vendor could provide virus signatures to catch malware, and severe outbreaks like Melissa and SQL*Slammer depended on brittle operating systems and poor patching practices. Those days are long gone, under an onslaught of innovative attacks which leverage professional software development tactics and take advantage of the path of least resistance – generally your employees. We have written extensively about battling advanced attackers – the top issue facing many security organizations today. From the original Network-based Malware Detection paper, through Evolving Endpoint Malware Detection, and the most recent Early Warning arc: Building an Early Warning System, Network-based Threat Intelligence, and Email-based Threat Intelligence. Finally we took our message to executives with the CISO’s Guide to Advanced Attackers. But in the world of technology change is constant. Attacks and defenses change, so as much as we try to write timeless research, sometimes our stuff needs a refresh. Detecting advanced malware on the network is a market that has changed very rapidly over the 18 months since we wrote the first paper. Compounding the changes in attack tactics and control effectiveness, the competition for network-based malware protection solutions has dramatically intensified, and every network security vendor either has introduced a network-based malware detection capability or will soon. This makes a confusion situation for security practitioners who mostly need to keep malware out of their networks, and are less interested in vendor sniping and badmouthing. Accelerating change and increasing confusion usually indicate that it is time to wade in again, to document the changes to ensure you understand the key aspects – in this case, of detecting malware on your network. So we are launching a new series: Network-based Malware Detection 2.0: Assessing Scale, Security, Accuracy, and Blocking, to update our original paper. As with all our blog series we will develop the content independently and objectively, guided by our Totally Transparent Research methodology. But we have bills to pay so we are pleased that Palo Alto Networks will again consider licensing this paper upon completion. But let’s not pt the cart before the horse – it is time to go back to the beginning, and consider why advanced malware requires new approaches, for both detection and remediation. Gaining Presence with New Targets Cloppert’s Kill Chain is alive and well, so the first order of attacker business is to gain a foothold in your environment, by weaponizing and delivering exploits to compromise devices. Following the path of least resistance, it is far more efficient to target your employees and get them to click on a link they shouldn’t. That is not new, but their exploitation targets are. Attackers go after the most widely deployed software, for the greatest number of potential victims and the hest chance of success. This has led them to unpatched operating system vulnerabilities. With recent versions of Windows this exploitation has gotten much harder, which is good thing – for us. So attackers went after the next most widely distributed software: browsers. Their initial success compromising browsers forced all browser providers to respond aggressively and better lock down their software. Of course we still see edge case problems with older browsers requiring out-of-cycle patches, but browsers have now largely escaped being the path of least resistance. The action/reaction cycle continues, with attackers shifting their attention to other widely used software – particularly Adobe Reader and Java. And once Oracle and Adobe progress there will be a new target. There always is. The only thing we can count on is that attackers will find new ways to compromise devices. The Role of the Perimeter Once attackers establish a presence in your network via the first compromised device, they move laterally and systematically toward their target until they achieve their mission. Defensive is the attempt to detect and block malicious software – optimally before it wreaks havoc on your endpoints. Because once malware establishes itself on the device you can no longer rely on endpoint defenses to stop it. We talk to many larger organizations that basically treat every endpoint as a hostile device. If it isn’t already compromised, it will be soon enough. They use preemptive measures, such as extensive network segmentation, to make it harder for attackers to access their targeted data. But what these organizations want is to stop malware from reaching endpoints in the first place. There is clear precedent for this approach. Years ago anti-spam technology ran on email servers. But blocking technology evolved out to the perimeter, and eventually into the cloud, to shift the flood (and bandwidth cost) of bad email as far away from your real email system as possible. We expect a similar shift in the locus of advanced malware protection, from endpoints to the perimeter. But that begs the question: how can you detect malware on the perimeter? With a network-based malware detection device (NBMD), of course. As described in the original paper, these devices have emerged to analyze files passing on the wire, and identify questionable files by executing them in a sandbox and observing their behavior. Our next post will revisit that research to delve into how these devices work and how they compliment other controls designed to detect malware elsewhere in your environment. Insecurity by Obscurity In the olden days you could just check a file by matching it against a list of signatures from bad files; matches were viruses and blocked. This endpoint-centric blacklist approach worked well … until it didn’t. Today it is largely ineffective – so endpoint protection vendors have shifted focus to a combination of heuristics, cloud-based fuel repositories, IP and file reputation, and a variety of other intelligence-based mechanisms to identify attacks. But attackers are smart – they have figured out how to defeat blacklists, reputation, and most other current anti-malware defenses. They send out polymorphic files that change randomly – your blacklist is dead. They hijack system files normally exempted from analysis by anti-malware

It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office. Of course reality is usually a bit behind the hype. We do believe NGFW technology (application awareness) will have a disruptive and lasting impact on network security, but it won’t happen overnight. Our pals at 451 Group do a bunch of surveys each year to track vendor momentum and buying plans. These show tremendous growth for NGFW. The technology, a fusion of application layer firewalls and stateful firewalls, continues a multi-year run of growth that has seen it rise in ‘in use’ percentage from 26% in 2010 to 33% last year. But are they totally displacing traditional firewalls? Not yet – many organizations start deploying NGFW (and NGIPS for that matter) in a monitoring role right next to the existing firewalls, to provide greater visibility into application usage. This visibility, then control deployment approach has been fairly consistent since the first NGFW devices hit the market a few years ago. …application-aware firewalls are rising as complementary or companion capabilities alongside a primary network firewall, where enterprises still seem to employ solutions from fairly longstanding firewall providers. But that is starting to change. We now hear about folks blowing up their perimeters; forklifting their traditional firewalls; and going lock, stock and barrel into NGFW gear. These are not small networks by the way. As the technology matures and the traditional network security players evolve their product lines to include NG capabilities, we will see this more and more often. That’s a good thing – port and protocol policies don’t provide much protection against current attacks. Photo credit: “No riding on forklift” originally uploaded by Leo Reynolds Share:

They say you can’t go home. What a load of garbage. You can totally go home (unless you’re from Fukushima or Chernobyl). In fact I am writing this week’s Summary in Boulder, Colorado – on a three-week trip to catch up with old friends, play hipster in coffee shops, and change my attitude with a little altitude. Better yet, I am writing this sitting in the Boulder Library while my kids enjoy musical story time. You can always go home – what you can’t do is go back in time. It doesn’t matter if you live within 15 miles of where you grew up, or run off to distant lands like me – time marches on. People leave, restaurants change, and even culture evolves and adapts. The point isn’t how much home changes, but how much you change – or don’t. I am not the same person I was when I arrived in Boulder back in 1989, and that’s a good thing. I’m not the same person I was 8 years ago when I left for a girl in Arizona. Among other things I have 3 kids and can’t spend my free time running off for mountain rescues. I had an awesome life back then, but it isn’t the life I want now. There is nothing wrong with nostalgia, but there is a fine line between reminiscing for days on the past and trying to live in the past. We all have friends stuck in their own personal glory days, making themselves miserable by refusing to move on. I may miss my kid-free freedom back then, but I am living the life I want now, and I would be missing out on the constant stream of amazing experiences my family gives me. Some stores have changed, some bars have changed, and some buildings were updated, but it’s still Boulder. As much as I miss Tulagis, Potters, and Pearls, I would be pathetic if I tried to hang there now, over 40. There seems to be more money in town, but this was always the national headquarters of the Limousine Liberals of the People’s Republic. It’s just as intolerantly tolerant as ever, and after spending time in Phoenix I really do notice the hippies more. (And the hippies still suck). I’m home and loving it. I may not be hanging with my old friends at the old places but I get to take my kids on my favorite hikes, enjoy the surprising number of local restaurants still here, and sneak off for some favorite rides and runs. I am also learning how much better a place this is to be with children than I thought when living here – there are an amazing range of activities, even without popping down to Denver. On that note, I need to take my bike in for service, pick up a new bike trailer for the baby, decide which organic, sustainably fed and ‘humanely’ slaughtered ground bird I will grill for dinner, and arrange a few post-hike microbrew excursions. Yeah, my life is hard. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian presenting next week on Tokenization vs. Encryption. Favorite Securosis Posts Adrian Lane: Bloomberg Pulls a News Corp on Goldman. We have hypothesized about this type of thing happening for a few years – this is the greatest fear of enterprises about cloud services. Mike Rothman: $45M Heist Used a 5 Year Old (at least) Technique. Rich nails it: what’s old is new. Rich: The Onion hack brings tears to my eyes. What’s not to love? Other Securosis Posts Boundaries won’t help GRC. Incite 5/15/2013: Fraud Hits Close to Home. Favorite Outside Posts Adrian Lane: A Saudi Arabia Telecom’s Surveillance Pitch. “What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.” < That. Governments and enterprise often place more value on your social media communications than you do. Mike Rothman: Warren Buffett: The three things I look for in a person. Adrian and Gunnar are card-carrying Buffett fanboys so I expect them to like this. I love this way to evaluate people: “Intelligence, energy, and integrity. And if they don’t have the last one, don’t even bother with the first two.” Rich: Ricky Gervais on the difference between US and UK humor. Actually, there is a lot in here about how we approach writing about security, and the difference between analytical humor and pure trolling. Dave Lewis: Hear Ye, Future Deep Throats: This Is How to Leak to the Press. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Indian companies at center of global cyber heist. Update on last week’s $45M theft. Bloomberg reporters allegedly used financial terminals to spy on Wall Street. Larry Page I/O keynote: Google CEO blasts Microsoft, Oracle, laws, and the media. Chinese internet: ‘a new censorship campaign has commenced’. Apple deluged by police demands to decrypt iPhones. Skype with care – Microsoft is reading everything you write. Boston judge limits access to Aaron Swartz court records < wagons circling. Blog Comment of the Week This week’s best comment goes to Andrew, in response to Boundaries won’t help GRC. I mischievously ask GRC vendors “who is the intended budget holder, G, R or C?” And often as not, the benefits of GRC tools go to audit. Business lines, as we all know, love to make audit more powerful …. Share:

We are in the school year endgame right now. The kids will be done for the year in 10 days, and then summer officially begins. It is a frantic time in our house – the kids head off for camp in mid-June and we take family vacations before then. There is a lot of stuff to buy, a lot of packing to do, and a lot of quality time to squeeze in before The Boss and I become empty nesters for 7 weeks. One of those tasks is haircuts. It turns out the Boy has my hair. And that means he needs to get it cut. Frequently. I’m not complaining but it requires some planning. If they leave in mid-June we need to get his hair trimmed mid-May, which gives it a month before we get the short camp cut. Yes, we actually have to think about stuff like this. So I took the Boy for a haircut on Saturday afternoon, and my phone rang with a number I didn’t recognize from South Florida. Normally I would let it go to voicemail, especially on a Saturday, but my paranoia kicked in because Mom is in South Florida. When you get to my age you dread calls from numbers you don’t know in South Florida. So I picked up the phone for my friends in Office Depot’s fraud department. No, they aren’t really my friends, but they did me a huge solid by catching a strange transaction. Evidently someone used my credit card and address (with cellphone number) to buy a laptop for delivery to a store in California. They asked if I had bought a computer for $519 that day. I had to laugh because everyone knows you can’t buy a Mac for $519, and I wouldn’t be caught dead with a Windows laptop. Kidding aside, they quickly canceled the transaction and kindly suggested I call MasterCard to shut down my clearly compromised card. Yeah, I was already 2-3 steps ahead. Card was shut down, new card ordered, and fraud investigation underway within 5 minutes. Then came the damage assessment. I checked my personal email account to ensure no funkiness (2FA for the win) and also reviewed transactions on my other financial accounts in case of a larger compromise on my end. All clean, for now. But then I got thinking – which of the zillion online merchants I use got popped? They had my cell phone, so it wasn’t a skimming attack. This involved both card number and address/phone, so it was full-on total pwnage of some merchant. But I never expect to learn which. I can’t be too pissed – I had a pretty good run with that MasterCard number. It lasted 18 months, which sadly is a long time between card credential compromises. I could be angry, but it’s just the way it is. When my new card comes in I will need to spend a couple hours wading through my bills and changing all the automatic charges for monthly stuff. I need to monitor that account much more closely until I am confident everything is clean. In 12-18 months I will need to do it again. At least the merchant didn’t give me a hard time – unlike last time this happened, when someone bought auto parts and had them delivered to an address in my town. Of course it wasn’t my address, but those are pesky details. AmEx did good work on that situation, fortunately. And with that, let me tip my hat to Office Depot once again. Once attackers get a working card the fraud transaction come fast and furious, so they saved me a bunch of angst. Now I need to go by some office supplies from Amazon. Come on, man, you didn’t think this would buy any office supply loyalty, did you? –Mike Share: