Franchises and Reputation

There are reports from the financial industry that Dairy Queen may be the latest company to fall victim to cybercrime. DQ says it has no reports of this; however, most of its stores are franchises, and there is no established process for a franchisee to report a security breach to the parent company. So it is possible that several franchise locations are the source of the activity the banks are seeing.

This story demonstrates a problem with national or franchise brands. If the above story turns out to be true, the franchisee will not be named in the headline; the parent company, Dairy Queen, will be, even though it was not directly responsible in this case.

I am not trying to call out DQ specifically; rather, I think this demonstrates an issue with franchises. If I go to a McDonald's in Orangeburg, SC and get a bad meal, I say that McDonald's was terrible, not the local owner. It may change my opinion of the whole company. I went to an Applebee's years ago and they gave my son moldy applesauce; we have not been to another Applebee's since. You remember the experience you had with the parent brand, not the franchise.

You have to control your brand, whether it is in food, hotels, coffee, or security. Your brand's name is on the line. Starbucks does not franchise for this very reason: it wants to protect its quality. If you are a franchisor, you have to establish clear security requirements, make them part of the franchise agreement, and subject each location to an assessment against them. The requirements for security need to come from the top down. IT security is as important as any other area of the business, because a breach will be very costly.


Rescue From CryptoLocker

For about a year now CryptoLocker has caused chaos in the computer world. This piece of malware, once installed, encrypts the victim's personal files and demands a ransom for the key to unlock them. Users were faced with the decision to pay the ransom, restore from a backup, or lose the data.

Our team has worked to implement security measures to aid in the prevention of this infection. Now two security firms, FireEye and Fox-IT, have teamed up and, having recovered the private keys the malware used, can decrypt the data it locked. Users can go to decryptcryptolocker.com, enter their email address, and upload one of the encrypted files. The site then sends back a program that can decrypt the data. This service is free for anyone who needs to unlock their data. Two caveats: the tool works only for files encrypted by the original CryptoLocker, not for the copycat ransomware families that have since appeared, and a backup kept somewhere the malware cannot reach remains the only dependable recovery plan.

Supporting Article:

http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cryptolocker-ransomware/


Not Responsible for Lost or Stolen Items

Have you ever walked into a hotel or your local gym and seen a sign that reads "Not Responsible for Lost or Stolen Items"? Businesses post these signs as a way to reduce their liability. By posting the signs, the argument can be made that they warned you and you chose to proceed with staying at that establishment, therefore making you the negligent one. That logic has a fundamental flaw, however.

Having a sign that says they aren't responsible is not enough and does not let them off the hook. Proper steps still have to be taken to ensure the security of the guests. Working locks, security guards, security cameras, and so on all have to be installed and working. If you can prove negligence, the hotel is very much on the hook for the damages. The sign should actually read "We have taken all necessary precautions and diligently tested all of our security and locks to ensure they are in proper working order. We ask that you use these items in the proper way. If you choose not to use them as designed, you will be responsible for any loss."

Physical security is more straightforward than cyber-security. A security guard can patrol, test access, and verify nothing suspicious is happening. If he sees something out of the ordinary he can immediately take action and resolve the situation. Cyber-security is more nebulous. There are many ways into a business through everyday usage, not a single point of entry: firewalls left with open holes, browsers not updated, users willing to give away personal data... the list goes on.

So when I get to my next hotel and hop on the free wireless internet, I most likely will be presented with a terms and conditions page that basically says "Don't use this for anything illegal, and whatever you do is your responsibility. We just provide the access." That is not the case, though. A hotel has a responsibility to secure its wireless. They let me know when I booked that internet was included. Therefore they made it a selling point and a reason for me to stay at the hotel. They made it part of the transaction. What steps have they taken to ensure my safety? Is the wireless set up with client isolation, so one guest's device cannot reach another's? When was it last tested? What is the name of the firm that tested the security?

If I were to make a reservation at the Bates Motel and they let me know there was a psycho working there, and I chose to stay anyway, it would be my fault. But if they advertise a safe room with a soft bed, television, and shower, anything that deviates from that violates our mutual agreement.

Free Wi-Fi is great and adds value for your guests. But a responsibility goes along with offering it.


Password Confusion

Recently a software leader published an article suggesting that shorter passwords might be better than longer ones. This goes directly against prior research showing that length is the key to password strength online.

I believe this just adds to the confusion users experience when trying to be more secure. It can also muddy the discussion when businesses are deciding what their password policies should be.

I think this is an example of someone trying to get noticed by coming up with an off-the-wall idea. In a world where some people want attention by publishing their every move on Twitter, making their pictures public on Facebook, and cluttering the internet with videos of anything and everything, this isn't a real surprise. The advice amounts to reducing your security to make access easier.

Businesses need to ignore this type of advice and focus on best practices for security. Access to corporate networks should never rely on a single password; two-factor authentication needs to be deployed. Hard drives should be encrypted to deter theft and minimize the impact when a theft occurs. Wireless networks need to use the strongest standards available, and time should be taken to test the security.

I remember, in the not too distant past, a prospect I was meeting with telling me that if they were to purchase a firewall it would only get the attention of a hacker, so they chose not to purchase one. This was the advice of their IT professional.


Disney and Fingerprints

I have written on this topic before, but fresh from a week in Orlando, my aggravation is renewed.

While attempting to enter Disney World this week we were once again asked for our fingerprints. We refused, of course, but at one park we were told we could not enter without giving a fingerprint. Only after a supervisor heard this did they let us in.

Do they not realize that our fingerprints are our identity? They are the one thing in this world that is uniquely mine. Names, social security numbers, addresses, and credit cards can all be changed. My fingerprints, like my DNA, cannot; I am stuck with them. Why would I want to turn that over? Newsflash: Disney's security is not impenetrable. No company is 100% secure, and the fact that they even ask for this information bothers me. They are asking us to trust them with our identity. Here is a brief flow of how Disney wants the entry transaction to work, to better demonstrate this.

Step 1 – Tickets purchased at the gate with a credit card – They now have my name, credit card number, CVV code, and zip code.
Step 2 – Enter the park – A Disney employee asks for the ticket I purchased in step one, then asks for my fingerprint to tie it to that ticket in a database.
Step 3 – Tie the ticket to the mobile app on my phone.

These three steps take about 5 minutes from start to finish. Here is what Disney now has on me:

1. Name
2. Zip Code
3. Credit Card
4. Magnetic stripe data
5. CVV Code
6. Fingerprint
7. Mobile Phone Access

This is just absurd. Many unsuspecting tourists perform this same routine daily. I am afraid that one morning I will read on Krebs on Security that this database has been stolen. Can you imagine the fallout on that one?


Skimmers and Banks

A skimmer is a device placed over the swipe slot or card entrance on an ATM or POS terminal. The devices are so well disguised that it is hard for anyone to spot the difference without picking up and inspecting the unit. Grabbing the reader at a store checkout and looking it over would look odd, and if you started poking around an ATM to check for one you might find yourself in trouble for suspicious activity.

Yet every day banks have to deal with these devices being installed. After some research I learned that no one is actually watching the cameras unless there is an issue! The message is clear: banks will not be proactive in protecting us. They wait for us to report the problem.

Here is an example. If I use my debit card while in Florida and an hour later the same card is used to withdraw cash in Greensboro, NC, the bank will process both transactions, no questions asked. Two card-present uses an hour apart in places no one could travel between in that time would be simple to detect, yet they let it go through.
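As an added example (not the bank's own fraud logic, and not code from the original post), here is the impossible-travel check the paragraph describes, in Python: consecutive uses of the same card are compared by great-circle distance and elapsed time, and any pair whose implied speed no cardholder could physically achieve is flagged. The 500 km/h ceiling, the coordinates and the sample transactions are assumptions constructed for the demo.

```python
"""Impossible-travel check for card-present transactions (added example).

Flags consecutive uses of the same card whose locations and timestamps imply
a travel speed no person could achieve. Threshold, coordinates and sample
transactions below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Assumed ceiling for card-present use: even a flight needs airport time at
# both ends, so sustaining 500 km/h between two physical swipes is implausible.
DEFAULT_MAX_KMH = 500.0


@dataclass(frozen=True)
class Transaction:
    card_id: str
    when: datetime
    city: str
    lat: float
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(txns, max_kmh: float = DEFAULT_MAX_KMH):
    """Return (earlier, later, implied_kmh) for each consecutive pair of
    same-card transactions whose implied speed exceeds max_kmh."""
    by_card = {}
    for t in txns:
        by_card.setdefault(t.card_id, []).append(t)

    flagged = []
    for items in by_card.values():
        items.sort(key=lambda t: t.when)
        for earlier, later in zip(items, items[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.when - earlier.when).total_seconds() / 3600.0
            if hours <= 0:
                # Same instant in two places is impossible; same place is fine.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                flagged.append((earlier, later, speed))
    return flagged


# Constructed sample: card 4111 is swiped in Orlando, FL and an hour later
# withdraws cash in Greensboro, NC (the post's scenario, ~850 km apart).
# Card 5500 moves Orlando -> Tampa over two hours, which is ordinary driving.
SAMPLE_TRANSACTIONS = [
    Transaction("4111", datetime(2014, 8, 10, 10, 0), "Orlando, FL", 28.5383, -81.3792, 42.17),
    Transaction("4111", datetime(2014, 8, 10, 11, 0), "Greensboro, NC", 36.0726, -79.7920, 300.00),
    Transaction("5500", datetime(2014, 8, 10, 10, 0), "Orlando, FL", 28.5383, -81.3792, 12.50),
    Transaction("5500", datetime(2014, 8, 10, 12, 0), "Tampa, FL", 27.9506, -82.4572, 58.30),
]


def main():
    for earlier, later, speed in impossible_travel(SAMPLE_TRANSACTIONS):
        gap = later.when - earlier.when
        print(f"card {earlier.card_id}: {earlier.city} -> {later.city} in {gap} "
              f"implies {speed:.0f} km/h; hold and contact the cardholder")


if __name__ == "__main__":
    main()
```

In production the location comes from the merchant or ATM data in the authorization message, card-not-present (online) transactions have to be excluded because they carry no physical location, and a hit should put the transaction on hold pending a call to the cardholder rather than decline it outright.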

Target's sales have not dropped off. People still bank with PNC and Chase after they were hacked. P.F. Chang's was packed this weekend. Most people will not change their behavior until it affects them.

  • What are you going to change to proactively protect yourself from theft?
  • Still using the PIN you have had for years?
  • Using the same convenient password on multiple websites?
  • Still using your debit card as debit instead of credit?
  • Shop at Target lately?

Inflight Wireless Hole

I am writing this from above the great State of Arkansas on my return from Dallas. After we took off I immediately jumped on my iPad to make the most of my time and get some work done. I connected to the wireless and opened my browser to pay the exorbitant fee for internet ($12 for 90 minutes).

My browser launched http://www.google.com and I was able to see the search engine page as normal... but I hadn't logged in or paid. So my wife and I poked around a bit, and it turns out we were able to search in Google, view images, and do a number of other things, all for free. Now I understand the ability to browse US Air's website for free. But Google? Lots of stuff to do there.

This is a prime example of a small hole that will no doubt get abused. I wasn't looking for it, but I found it. Imagine if I spent the rest of the flight finding other holes in the system? A captive portal's pre-payment allowlist should contain only the hosts needed to reach the payment page, and every entry in it should be checked from an unpaid session.

You can never test your system enough. And by test I don't mean checking that it works; I mean checking that the things that shouldn't work don't. Testing for failure is as important as confirming that what you want to work does.

